    Their current propagation statistics were next to non-existent, said Sunbelt, which added that being fewer in number doesn’t exactly equate to “safe”.

    The MBR (Master Boot Record) rootkit threat — perhaps a perfect product of recycling — had been making waves on the Internet for days, seemingly entering the modern security scene as a new Web threat. TrendLabs researchers have analyzed it and came up with the following technical findings.

    This rootkit arrives when certain URLs/Web sites are accessed:

    http://%bad domain%/ld/mat{any number from 2-20}/index.php?b=3

    where %bad domain% is one of several domains under the attackers’ control.


    After successful infiltration through the Web-threat exploits we have come to know, malicious code is downloaded and executed, and the rootkit is installed via the MBR.

    The Trojan, detected by Trend Micro as TROJ_SINOWAL.AD, then creates a mutex to ensure that only one instance of itself is running on the affected system.

    It then looks for the bootable partition of the affected system. Once found, this Trojan creates a new malicious MBR that loads the rootkit component of this Trojan.

    Writing to the MBR may look like the following:

    [Figure: Writing to the MBR]

    Modified sectors 61, 62 and 63 of the physical disk are shown below:

    [Figure: Modified sectors of the MBR]

    The modified MBR may look like the following:

    [Figure: Modified MBR]

    The rootkit component, which is detected as RTKT_AGENT.CAV, is then saved in an arbitrary sector within the bootable partition. After performing its malicious routines, this Trojan restarts the affected system.
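    The two disk areas the post describes, the MBR boot code and the normally unused sectors between the MBR and the first partition (sectors 61 to 63 in the post), can be checked against a known-good baseline. The following is an added example, not code from TrendLabs or from the malware analysis; it assumes a classic MS-DOS partition layout with the first partition at LBA 63 and uses a constructed disk image rather than a real sample.

```python
import hashlib
import struct

SECTOR = 512
MBR_SIG = b"\x55\xaa"

def parse_mbr(mbr):
    """Return (boot_code, partition entries) from one 512-byte MBR sector."""
    if len(mbr) != SECTOR or mbr[510:] != MBR_SIG:
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        flag, ptype = mbr[off], mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype:  # skip empty slots
            entries.append({"bootable": flag == 0x80, "type": ptype,
                            "start_lba": start, "sectors": count})
    return mbr[:446], entries

def check_disk(image, baseline_sha256):
    """Compare boot code against a known-good hash; scan the gap before partition 1."""
    boot_code, entries = parse_mbr(image[:SECTOR])
    findings = []
    if hashlib.sha256(boot_code).hexdigest() != baseline_sha256:
        findings.append("MBR boot code differs from baseline")
    if sum(e["bootable"] for e in entries) != 1:
        findings.append("expected exactly one bootable partition")
    # On a classic MS-DOS layout, sectors 1..62 before the first partition are unused.
    first_lba = min((e["start_lba"] for e in entries), default=1)
    for lba in range(1, first_lba):
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            findings.append(f"unexpected data in reserved sector {lba}")
    return findings

def build_image(boot_code, gap_payload=b""):
    """Constructed 64-sector image: MBR at LBA 0, one partition starting at LBA 63."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 1)
    mbr = boot_code.ljust(446, b"\0") + entry + b"\0" * 48 + MBR_SIG
    image = bytearray(mbr + b"\0" * (SECTOR * 63))
    image[61 * SECTOR:61 * SECTOR + len(gap_payload)] = gap_payload  # sectors 61+
    return bytes(image)

CLEAN_BOOT = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100  # constructed stand-in
BASELINE = hashlib.sha256(CLEAN_BOOT.ljust(446, b"\0")).hexdigest()

if __name__ == "__main__":
    print(check_disk(build_image(CLEAN_BOOT), BASELINE))
    print(check_disk(build_image(b"\xeb\xfe" + CLEAN_BOOT[2:], b"\xde\xad" * 512), BASELINE))
```

    The check only covers the MBR and the reserved gap; a rootkit body stored in an arbitrary sector inside the bootable partition, as the post describes, needs a full-partition comparison or a pattern scan.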

    Trend Micro advises users to scan systems using the latest pattern file versions to remove the Trojan. The content security feature of our products can block all related domains, as well.

    More information at:

    Update courtesy of Senior Escalation Engineers Joseph Cepe and Marvin Cruz

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice