Their current propagation statistics were next to non-existent, Sunbelt said, adding that being fewer in number does not exactly equate to “safe”.
The MBR (Master Boot Record) rootkit threat — perhaps a perfect product of recycling — had been making waves on the Internet for days, seemingly entering the modern security scene as a new Web threat. TrendLabs researchers analyzed it and came up with the following technical findings.
This rootkit arrives when certain URLs/Web sites are accessed:
http://%bad domain%/ld/mat{any number from 2-20}/index.php?b=3
where %bad domain% can be one of the following:
- BFF1TWE.COM
- IMM2TWE.COM
- FTT3TWE.COM
- GUUATWE.COM
- GFEPTWE.COM
- ANOPLEV.COM
- HGFDTWE.COM
After successful infiltration using the Web exploits we have come to know, malicious code is downloaded and executed, and the rootkit is installed via the MBR.
The Trojan, detected by Trend Micro as TROJ_SINOWAL.AD, then creates a mutex to ensure that only one instance of itself is running on the affected system.
It then looks for the bootable partition of the affected system. Once found, this Trojan creates a new malicious MBR that loads the rootkit component of this Trojan.
Writing to the MBR may look like the following (image not reproduced in this copy).
Modified sectors 61, 62 and 63 of the physical disk are shown below (image not reproduced in this copy).
The modified MBR may look like the following (image not reproduced in this copy).
The rootkit component, which is detected as RTKT_AGENT.CAV, is then saved in an arbitrary sector within the bootable partition. After performing its malicious routines, this Trojan restarts the affected system.
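The two on-disk changes described above, a replaced MBR and extra data written into the sectors between the MBR and the first partition, are exactly what a disk-level check can look for. The following is an added example, not TrendLabs code: it parses a raw MBR, compares its boot code against a known-good baseline hash, and flags any non-zero sector below the first partition. The disk image, the stand-in boot code and the baseline hash are all constructed here for illustration.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(sector0: bytes):
    """Return (boot_code, partitions) from a raw 512-byte MBR; raise on a bad signature."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        # 16-byte entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, size
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * i)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return sector0[:446], parts

def inspect_disk(image: bytes, baseline_sha256: str):
    """Flag replaced MBR boot code and data stashed in the normally-empty gap sectors."""
    boot_code, parts = parse_mbr(image[:SECTOR])
    findings = []
    if hashlib.sha256(boot_code).hexdigest() != baseline_sha256:
        findings.append("MBR boot code differs from baseline")
    first_lba = min(p["lba_start"] for p in parts) if parts else 0
    for lba in range(1, first_lba):
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            findings.append(f"non-zero data in gap sector {lba}")
    return findings

def build_image(boot_code: bytes, gap_payload: dict) -> bytes:
    """Constructed 64-sector disk image: one active NTFS partition starting at LBA 63."""
    mbr = boot_code.ljust(446, b"\x00")
    mbr += struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1000) + b"\x00" * 48 + b"\x55\xAA"
    sectors = [bytearray(SECTOR) for _ in range(64)]
    sectors[0][:] = mbr
    for lba, data in gap_payload.items():
        sectors[lba][:len(data)] = data
    return b"".join(sectors)

# Constructed samples: a clean disk (its boot code hash is the baseline) and one
# whose MBR was replaced and whose gap sectors 61 and 62 now hold rootkit data.
CLEAN = build_image(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", {})
BASELINE = hashlib.sha256(CLEAN[:446]).hexdigest()
INFECTED = build_image(b"\xEB\xFE" + b"\x90" * 10, {61: b"LOADER", 62: b"SAVED ORIGINAL MBR"})

if __name__ == "__main__":
    print(inspect_disk(CLEAN, BASELINE))     # []
    print(inspect_disk(INFECTED, BASELINE))  # three findings
```

On a real system the baseline hash would come from a known-clean image of the same machine, and the image bytes would be read from the raw physical disk device rather than built in memory.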
Trend Micro advises users to scan systems using the latest pattern file versions to remove the Trojan. The content security feature of our products can block all related domains, as well.
More information at:
- http://www.antirootkit.com/blog/2008/01/03/security-flaw-in-vista-and-xp-rootkit-exploit-in-the-wild/
- http://www2.gmer.net/mbr/
Update courtesy of Senior Escalation Engineers Joseph Cepe and Marvin Cruz