Enterprise Network Security Threats: Mebroot and Torpig and How They Affect You

Botnets have become more prevalent as malware writers become more sophisticated. One of the trickier pieces of malware that showed up back in 2008 is named Mebroot. This virus, which is still in the wild today, is a rootkit that replaces a machine's Master Boot Record, permitting it to run before the machine's operating system loads and allowing it to hide itself from desktop protection software.

When prioritizing elements of enterprise network security, stopping malware like a rootkit that conceals itself and allows total control of the computer is right at the top. Mebroot by itself is mostly harmless in that it has no specific application of its own; instead it is an enabler for other malware. The most prevalent of these is Torpig, a very large botnet.

Torpig has multiple data-stealing malware components that look through the infected system for credentials, accounts and passwords, and purportedly it also gives attackers full control of the machine. In 2009 a group of researchers took control of the Torpig botnet for a period of ten days. During that period, they took in over 70GB of stolen data from infected systems.

Mebroot gets onto a computer when the user visits a website with an older web browser that has not been patched against the weaknesses Mebroot uses to install itself on the user's machine. A good way to detect Mebroot is with a network-based detector, because the virus hides itself on the machine on which it is installed, which can make it undetectable there.

Only some anti-virus applications can find and remove Mebroot. If a system is rebooting or acting infected, yet no virus shows up in a scan, repairing the Master Boot Record on the computer will remove Mebroot if it is installed. Doing a web search for "Fix MBR" will turn up several different ways to repair the Master Boot Record. After that is accomplished, run a complete virus scan on the computer again to find anything else that was hidden.

The best course of action is to stop infection before it starts, by keeping browsers updated and by operating both host-based and network-based malware detection systems that are constantly updated with real-time information.

Get more information to help develop your network security policy and defend against network security threats from your local IT Value Added Reseller that specializes in security.

Authors: Mike Lundy and Rolf Versluis

Posted at Adcap Tech Tips


Last Updated: August 6th, 2010
