Enterprise Network Security Topic: Mebroot and Torpig

Botnets are becoming more prevalent as malware technology becomes more sophisticated. One of the more diabolical pieces of malware to hit the scene back in 2008 is called Mebroot. Mebroot, which is still around, is a rootkit that replaces a machine's master boot record (MBR), so it loads before the operating system does, effectively hiding it from desktop protection software.

When planning enterprise network security, preventing malware such as a rootkit that hides itself and allows total control of the computer is right at the top of the list. Mebroot alone is rather benign in that it does not carry any specific payload; it is a platform on which other malware is installed. The most prevalent of these is Torpig, a massive botnet.

Torpig contains multiple information-stealing components that scan the infected system for credentials, accounts and passwords, and can potentially give attackers full access to the computer. It is also purportedly capable of modifying data on the computer. In 2009 a team of researchers was able to take control of the botnet for a period of ten days. During that period, they extracted over 70GB of stolen data.

If you have Mebroot on your computer, you will definitely want to remove it. The best way to do that is to restore the master boot record on your machine. You can do this with your original operating system installation disk or with a program that you load onto a bootable USB drive. A web search for “Fix MBR” will turn up a few different ways to restore the master boot record.

After that is done, run a complete virus scan on your computer. Since Mebroot can no longer hide itself, your virus scanner will be able to find and remove it.
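The two steps above assume you already know the MBR has been replaced. The following is an added example (not code from the original post or from Adcap) of how a defender can tell: it parses a 512-byte MBR sector, validates the 0x55AA boot signature, walks the four partition entries, and compares a SHA-256 of the 446-byte bootstrap code against a baseline hash recorded while the host was known-good. The sector contents, the partition layout and the baseline are all constructed here for illustration; the `build_mbr` helper exists only to fabricate those samples.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow it
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"       # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap-code hash, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("bootstrap code differs from baseline: MBR has been rewritten")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    return findings


# --- constructed sample data (not taken from any real disk) -------------------

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a sector from bootstrap code and (status, type, lba_start, count) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + table + BOOT_SIG


# Placeholder stand-in for the vendor's bootstrap code; any fixed bytes will do for the demo.
CLEAN_BOOT_CODE = b"\xeb\x3c\x90" + bytes(range(256)) + b"\xcd\x18"
PARTS = [(0x80, 0x07, 2048, 204800)]          # one bootable partition of type 0x07

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTS)
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # record this while the host is known-good

# Same partition table, different bootstrap code: what an MBR rewrite looks like to the checker.
TAMPERED_MBR = build_mbr(b"\xfa\x33\xc0" + bytes(255 - i for i in range(256)), PARTS)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

On a real host the sector to feed `check_mbr` is the first 512 bytes of the boot disk (for example `dd if=/dev/sda bs=512 count=1` on Linux). Because a rootkit that is already running can hide its own MBR from the operating system, take that read from the same bootable USB or install media the post recommends, not from the suspect system while it is up; the baseline hash must also have been recorded before the infection, or taken from a freshly imaged machine of the same build.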

Now you should plan on taking steps to prevent malware infections, whether by worms, viruses, or trojans, especially if you are responsible for many computers. It is best to have both host-based and network-based malware detection that is constantly updated with real-time information.

The reason real-time updates are so important is that many botnet distributors bring up a website, infect a batch of hosts with a new malware variant, then take down the website, all within three days or so. Any detection mechanism that is signature-based or URL-based and is not constantly updated will fail to detect this practice.

Get more information to help develop your network security policy and defend against network security threats.

Adcap Network Systems – Atlanta and Miami
Posted at Adcap Tech Tips

Last Updated: July 27th, 2010