Fresh Version of Mebroot Appears in the Wild
Security company Prevx has found that a new version of the 'Mebroot' rootkit is widely striking users' computers. According to the company's security researchers, this variant is more difficult to spot and eradicate.
Virus researcher Marco Giuliani at Prevx said that the latest version of the MBR rootkit (Mebroot) could create enough trouble for researchers with its improved spaghetti code and hooking techniques, SCMagazine reported on April 14, 2009. Giuliani added that the malware continues to use I/O Request Packet (IRP) hooks, although much more smartly.
According to him, the latest variant is not designed to seize the disk.sys driver; instead, it searches further down for the lower-level driver that has the device attached to it, so that it can hook itself there.
Meanwhile, director of malware research Jacques Erasmus at Prevx said that Mebroot's earlier version employed the same tactic, but at a later stage, which made it easier to spot and eradicate, SCMagazine reported on April 14, 2009.
Erasmus added that although the new variant appears fine on the surface, it uses a rootkit technique that inserts malicious code into a running process, which then captures banking information and passwords. He explained that since no related file is created on the computer's hard disk, the variant is difficult to detect, and it re-launches itself every time the computer is booted.
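Because the infection leaves no file on disk and survives reboots through the Master Boot Record, one defender-side check is an MBR integrity baseline: hash the boot-code region separately from the partition table, so that a legitimate repartitioning does not mask a boot-code change. The following is an added example, not code from Prevx or from the article; the device path, the baseline format and the sample sector bytes are constructed for illustration.

```python
import hashlib

MBR_SIZE = 512
BOOT_CODE_END = 440           # bytes 0..439 hold the boot code
PART_TABLE_START = 446        # bytes 446..509 hold four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def baseline_from_mbr(mbr):
    """Record separate hashes for the boot code and the partition table."""
    return {
        "boot_code": sha256_hex(mbr[:BOOT_CODE_END]),
        "partition_table": sha256_hex(mbr[PART_TABLE_START:PART_TABLE_START + 64]),
    }


def check_mbr(mbr, baseline):
    """Compare a freshly read sector against a stored baseline; return a list of findings."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append("mbr_short_read")
        return findings
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot_signature_missing")
    current = baseline_from_mbr(mbr)
    if current["boot_code"] != baseline["boot_code"]:
        findings.append("boot_code_modified")
    if current["partition_table"] != baseline["partition_table"]:
        findings.append("partition_table_modified")
    return findings


def read_mbr(device_path):
    """Read the first sector of a raw device (e.g. a hypothetical /dev/sda on Linux)."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed sample sector: NOP-filled boot code, a disk signature, an empty
# partition table and the 0x55AA signature. Not a real MBR image.
def make_sample_mbr(boot_code_byte=0x90):
    boot_code = bytes([boot_code_byte]) * BOOT_CODE_END
    disk_sig = b"\x12\x34\x56\x78\x00\x00"
    part_table = bytes(64)
    return boot_code + disk_sig + part_table + BOOT_SIGNATURE


CLEAN_MBR = make_sample_mbr()
# Constructed "tampered" copy: first boot-code byte changed, partition table untouched.
TAMPERED_MBR = bytes([0xEB]) + CLEAN_MBR[1:]

if __name__ == "__main__":
    baseline = baseline_from_mbr(CLEAN_MBR)
    print("clean:", check_mbr(CLEAN_MBR, baseline))
    print("tampered:", check_mbr(TAMPERED_MBR, baseline))
```

In practice the baseline is captured once from a known-clean system and stored off-host. Since the article notes that the rootkit hooks IRPs in the disk stack, a sector read performed on the running, infected system may be served a clean-looking copy; the comparison is most trustworthy when the disk is read from offline boot media.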
Moreover, investigators at Prevx stated that even though some anti-virus providers have still not managed to detect the earliest MBR variant, the rootkit's creators have gone ahead and crafted a fresh one. This variant eludes nearly all security software, and the manner in which it keeps itself from being detected is rather remarkable, Giuliani pointed out.
Meanwhile, the security company began receiving reports of the new Mebroot infection at the start of April 2009. The security experts state that many infections by the new MBR rootkit have already been detected, and they expect to find many more soon, as happened with the previous MBR rootkit in 2008.
Notably, the first Mebroot version was discovered in January 2008, and it had infected thousands of computers all over the globe.
» SPAMfighter News - 20-04-2009