Stealthy Trojan Infects From Behind Windows, Escapes Detection

Security experts have discovered a new variety of attacks in which malicious program is attached to the hard drive's bowels making detection and removal of the malware extremely difficult.

The program, Trojan.Mebroot, as Symantec calls it, attaches itself to the computer hard drive's first part to appear whenever the system starts up. After that it modifies the Windows kernel that makes its detection by any security software nearly impossible.

According to the iDefense Intelligence Team of VeriSign, online criminals have been dropping Trojan.Mebroot, also referred to as the 'master boot record rootkit' since the middle of December 2007. With its installation they managed to infect almost 5,000 computers in two distinct attacks launched on December 12 and December 19, 2007 respectively. Attackers attempting to install the malicious program onto a victim's PC, first trick the user to visit a hijacked website from where different attacks execute the rootkit on the system.

Director Matthew Richard of the rapid response group for iDefense, a security vendor under the ownership of VeriSign said these 'master boot record rootkits' are capable of corrupting the Windows kernel before installation, which makes them better equipped over rootkits that get installed in a Windows-running system. The Register published this in news on January 9, 2008. According to Richard the malware is characterized with such high stealth that it continues to survive even after the operating system is reinstalled.

Richard also described the rootkit as more sophisticated than any other found on the Internet during the entire 2007, according to Washingtonpost.com in its news on January 8, 2008. VeriSign said indications suggest that the developers of the malware first started experimenting with it in October 2007.

Richard also said that the rootkit containing a plug-in architecture makes it possible for its author to inject another Trojan program onto the infected computer any time he wishes. The entire process takes place silently and in hiding, he said.

Meanwhile it is believed that Criminals behind the new rootkit are the same people who authored Trojan Torpig and who by now have installed over 250,000 Trojan viruses, iDefense said in its report.

Related article: Stealthy Spam Cause for Greater Annoyance

» SPAMfighter News - 1/18/2008