
MBR Rootkit: A Web Threat?

  • Posted on:January 9, 2008 at 8:08 pm
  • Posted in:Bad Sites, Malware
  • Author:
    Ivan Macalintal (Threat Research Manager)

Its current propagation statistics were next to non-existent, said Sunbelt, adding that being fewer in number doesn’t exactly equate to “safe”.

The MBR (Master Boot Record) rootkit threat, perhaps a perfect product of recycling, had been making waves on the Internet for days, seemingly entering the modern security scene as a new Web threat. TrendLabs researchers analyzed it and came up with the following technical findings.

This rootkit arrives when certain URLs/Web sites are accessed:

http://%bad domain%/ld/mat{any number from 2-20}/index.php?b=3

where %bad domain% can be one of the following:

  • BFF1TWE.COM
  • IMM2TWE.COM
  • FTT3TWE.COM
  • GUUATWE.COM
  • GFEPTWE.COM
  • ANOPLEV.COM
  • HGFDTWE.COM

After successful infiltration through the browser exploits familiar from other Web threats, malicious code is downloaded and executed, and the rootkit is installed via the MBR.

The Trojan, detected by Trend Micro as TROJ_SINOWAL.AD, then creates a mutex to ensure that only one instance of itself is running on the affected system.

It then looks for the bootable partition of the affected system. Once found, this Trojan creates a new malicious MBR that loads the rootkit component of this Trojan.

Writing to the MBR may look like the following:

[Image: Writing to the MBR]

Modified sectors 61, 62 and 63 of the physical disk are shown below:

[Image: Modified sectors 61, 62 and 63 of the physical disk]

The modified MBR may look like the following:

[Image: Modified MBR]

The rootkit component, which is detected as RTKT_AGENT.CAV, is then saved in an arbitrary sector within the bootable partition. After performing its malicious routines, this Trojan restarts the affected system.
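The infection steps above (a rewritten MBR plus rootkit data parked in the sectors before the first partition) can be checked offline against a raw disk image. The following detector is an added example, not Trend Micro's tooling or the analysis scripts used in the post; it parses the MBR, compares the boot code against a baseline hash, and lists non-zero sectors in the gap between the MBR and the first partition. The disk image, the baseline hash and the sector numbers 61 to 63 are constructed sample data.

```python
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"

def parse_mbr(sector0):
    """Split a 512-byte MBR into boot code, four partition entries and the 0x55AA signature."""
    if len(sector0) != SECTOR:
        raise ValueError("MBR must be exactly one sector")
    parts = []
    for i in range(4):
        flag, ptype, lba, size = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        parts.append({"index": i, "bootable": flag == 0x80, "type": ptype,
                      "start_lba": lba, "sectors": size})
    return {"boot_code": sector0[:446], "partitions": parts, "signature": sector0[510:]}

def inspect_disk(image, baseline_boot_sha256):
    """Report the symptoms described in the post: altered boot code and data in the pre-partition gap."""
    mbr = parse_mbr(image[:SECTOR])
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    first_lba = min(p["start_lba"] for p in used) if used else len(image) // SECTOR
    bootable = [p["index"] for p in used if p["bootable"]]
    # Sectors 1..first_lba-1 are unused on a plain legacy layout, which is where the loader hides.
    # Legitimate boot managers (e.g. GRUB core.img) also live there, so compare against a known baseline.
    gap_nonzero = [n for n in range(1, first_lba) if any(image[n * SECTOR:(n + 1) * SECTOR])]
    return {
        "signature_ok": mbr["signature"] == MBR_SIGNATURE,
        "boot_code_ok": hashlib.sha256(mbr["boot_code"]).hexdigest() == baseline_boot_sha256,
        "bootable_partition": bootable[0] if bootable else None,
        "first_partition_lba": first_lba,
        "nonzero_gap_sectors": gap_nonzero,
    }

def build_image(boot_code, infected_sectors=()):
    """Constructed 65-sector disk: one bootable NTFS-type partition starting at LBA 64 (sample data)."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 64, 1)
    mbr[510:] = MBR_SIGNATURE
    img = mbr + bytearray(SECTOR * 64)
    img[64 * SECTOR:64 * SECTOR + 4] = b"VBR!"  # the partition boot sector is legitimately non-zero
    for n in infected_sectors:
        img[n * SECTOR:(n + 1) * SECTOR] = b"\xcc" * SECTOR  # constructed stand-in for rootkit data
    return bytes(img)

CLEAN_BOOT = b"clean bootstrap code (constructed)".ljust(446, b"\x00")
BASELINE = hashlib.sha256(CLEAN_BOOT).hexdigest()

if __name__ == "__main__":
    print("clean:", inspect_disk(build_image(CLEAN_BOOT), BASELINE))
    patched = b"patched loader (constructed)".ljust(446, b"\x00")
    print("infected:", inspect_disk(build_image(patched, (61, 62, 63)), BASELINE))
```

On a real system the image comes from the physical disk (for example a forensic copy of the first few megabytes), and the baseline hash from a clean installation of the same OS and boot manager.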

Trend Micro advises users to scan systems using the latest pattern file versions to remove the Trojan. The content security feature of our products can block all related domains, as well.

More information at:

  • http://www.antirootkit.com/blog/2008/01/03/security-flaw-in-vista-and-xp-rootkit-exploit-in-the-wild/
  • http://www2.gmer.net/mbr/

Update courtesy of Senior Escalation Engineers Joseph Cepe and Marvin Cruz

