New Mebroot Variant Detected, but Security Vendors Fail to Respond
According to a report published by SCMagazine on June 3, 2009, security vendors are facing widespread criticism for not adequately responding to a new threat, the latest version of the MBR (Mebroot) rootkit, and for not providing the necessary defense against it. Reportedly, Prevx detected the new MBR variant in April 2009.
Marco Giuliani, malware technology expert at Prevx, stated that in the two months since the latest MBR variant was detected and quarantined, there had been little reaction to count on. Giuliani wrote this in a blog post published on May 29, 2009.
Giuliani added that such a lack of response was not good, particularly given that the same rootkit had infected several thousand computers worldwide during 2008, stealing bank account details, passwords and other personal information.
Giuliani further said that, as he had written in an earlier post, the creators of the first MBR rootkit variant could still use it with an enormous success rate. The attackers' main problem was in fact the dropper, because of anti-virus detections. Nonetheless, MBR rootkit droppers effectively escaped the heuristic and signature detection of most AV software, as their creators knew the evasion techniques well, Giuliani explained.
Moreover, the security researchers said that once a dropper had infected a system, only a tiny fraction of anti-rootkit programs could spot it.
Prevx also says that a new version of the MBR rootkit has been spotted and that it contains a very strong filter, which blocks any attempt by security programs to read or intercept the Master Boot Record. This makes the variant harder to detect and remove, the Prevx experts explained.
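The practical consequence of a filter like the one described above is that a scanner running inside the infected operating system may be handed a clean-looking MBR, so the check a defender wants is to compare what the live system reports with a copy read from outside it (for example from a rescue boot), and both against a previously recorded baseline. The following script is an added example and is not code from Prevx, Giuliani or the article; the MBR images, the boot-code bytes, the baseline hash and the function names are all constructed for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the boot code; 440..445 hold the disk signature and padding
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510        # 0x55AA boot signature in the last two bytes
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes, lba_start: int = 2048, sectors: int = 204800) -> bytes:
    """Construct a 512-byte MBR image (sample data, not read from any real disk)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in the MBR")
    img = bytearray(MBR_SIZE)
    img[: len(boot_code)] = boot_code
    # one bootable partition of type 0x07 (NTFS/exFAT); CHS fields left zero for simplicity
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", lba_start, sectors)
    img[PART_TABLE_OFF : PART_TABLE_OFF + PART_ENTRY_LEN] = entry
    img[SIGNATURE_OFF : SIGNATURE_OFF + 2] = b"\x55\xAA"
    return bytes(img)


def parse_mbr(img: bytes) -> dict:
    """Validate the boot signature, hash the boot code and decode the in-use partition entries."""
    if len(img) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, img[off : off + PART_ENTRY_LEN])
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": img[SIGNATURE_OFF : SIGNATURE_OFF + 2] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(img[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(live_view: bytes, offline_view: bytes, baseline_boot_hash: str) -> list:
    """Compare the MBR as seen from the running OS with an offline read and a recorded baseline.

    Returns a list of findings; an empty list means nothing suspicious was observed.
    """
    live = parse_mbr(live_view)
    offline = parse_mbr(offline_view)
    findings = []
    if not offline["signature_ok"]:
        findings.append("offline image lacks the 0x55AA boot signature")
    if offline["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from the recorded baseline")
    if live["boot_code_sha256"] != offline["boot_code_sha256"]:
        # a clean live view over a modified offline view is exactly what a read-filtering rootkit produces
        findings.append("live read and offline read disagree: MBR reads are being filtered")
    if live["partitions"] != offline["partitions"]:
        findings.append("partition table differs between live and offline reads")
    return findings


# Constructed sample boot code (placeholder bytes, not a real boot loader).
CLEAN_BOOT_CODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 8
TAMPERED_BOOT_CODE = b"\xEB\x20" + b"\x00" * 14   # hypothetical modified first sector

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE)
# Baseline recorded on a known-good system (here computed from the constructed clean image).
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("healthy system:", check_mbr(CLEAN_MBR, CLEAN_MBR, BASELINE_HASH))
    # the live view looks clean while the offline read shows the modified boot code
    print("filtered system:", check_mbr(CLEAN_MBR, TAMPERED_MBR, BASELINE_HASH))
```

On a real host the two views would come from reading sector 0 of the boot disk from inside the running system and again after booting from trusted media; the baseline hash would be recorded at provisioning time, and the comparison should also cover the partition table because a bootkit that relocates the original MBR can leave the boot code unchanged and only redirect the load path.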
Meanwhile, according to Giuliani, his company had checked how many anti-rootkit tools could already detect the latest MBR rootkit variant quarantined in April 2009, and found that only five could.
Hence, the researchers stated, security companies should tackle the threat now rather than wait until the end of 2009 to name the MBR rootkit the year's worst threat, as happened in 2008.
» SPAMfighter News - 08-06-2009