Tuesday, January 15, 2008

Mebroot / Rootkit – The New Challenge to the Security Experts.

Internet security experts are warning Windows users about a new Rootkit that steals login details for online bank accounts.

These are then sent back to the criminals for either selling to the highest bidder, or for use by themselves to drain the victim’s funds!

What is a Rootkit?

A rootkit is a malicious program (or combination of several programs) designed to take control ("Administrator" access) of a computer, without authorization by the owners.

Typically, rootkits act to obscure their presence on the computer through "subversion" or "evasion" of the operating system's security mechanisms. A rootkit will conceal running processes from monitoring programs, or hide files or system data from the operating system.

Sometimes they are also Trojans, fooling users into believing they are safe to run on their systems!

Why is Mebroot Different?

The Mebroot rootkit (first called this by security firm Symantec) is unusual in that it tries to overwrite part of a computer's hard drive called the Master Boot Record (MBR).

This is where a computer looks when it is switched on for information about the operating system it will be running.

"If you can control the MBR, you can control the operating system and therefore the computer it resides on!" wrote Elia Florio on security company Symantec's blog.
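Because the MBR is a fixed 512-byte structure (boot code, four partition entries and a 0x55AA signature), a defender can record a hash of a clean machine's boot code and later check whether it has been overwritten. The following is an added example (not code from the original post or from Symantec) that parses an MBR and compares it against such a baseline; the sample sectors and the "baseline" digest are constructed here for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0-445: boot code that a bootkit overwrites
PARTITION_TABLE_OFFSET = 446 # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot code only; partition edits should not trip the check."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from recorded baseline")
    if sum(1 for p in info["partitions"] if p["bootable"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test data: one active NTFS-type partition starting at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 63, 2097152)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # stand-in for normal boot code
BASELINE = boot_code_digest(CLEAN_MBR)                              # recorded on a known-clean machine
TAMPERED_MBR = build_sample_mbr(b"\xe9\x00\x01" + b"\x90" * 16)     # stand-in for a replaced loader
```

On a live system the 512 bytes would come from reading the first sector of the boot disk (raw device access, administrator rights required), and the check is only meaningful if the baseline was recorded before infection and the read is not itself being intercepted.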

How Does Mebroot Infect a Computer?

Mebroot has been deliberately installed at websites controlled by the criminals and targets those website visitors who have not patched their computers with the latest security updates from Microsoft.

Once it installs itself on the vulnerable computer, it then contacts a remote server on the internet and downloads additional nasty software called "key loggers".

These special software programs are designed to capture all your passwords and login information and send it back to the criminal gang.

Analysis of Mebroot has shown that it uses its hidden position on the MBR as a beachhead so it can reinstall these associated programs if they are deleted by anti-virus software!!!

Most of these key logger programs lie in wait on a machine until its owner logs in to the online banking systems of one of more than 900 financial institutions it has been programmed to recognize.

Leading security firm iDefense has said that Mebroot was discovered in October 2007, but only started to be used in a series of attacks in early December 2007.

The Russian virus-writing group behind Mebroot are specialists in stealing bank login information.

What Can a Computer User Do - Some Notes:

# Computers running Windows XP, Windows Vista, Windows Server 2003 and Windows 2000 that are NOT fully patched are all vulnerable to the virus. Make sure you have Automatic Updates turned on!

# Make sure you have an up to date security suite installed! If you don't then consider:

# CA Internet Security Suite PLUS 2008 which is 15% off until 31st March 2008 if you enter coupon code CAISS15 during checkout process.

# Although the password-stealing programs that Mebroot installs can be found by security software, such as CA Internet Security Suite, few commercial anti-virus packages currently detect the rootkit's presence, although this will change in the coming months now that they know what to look for. (At least for now they will block the key logger Trojans from stealing data.)

# Mebroot cannot be removed while the operating system is running. However, running the "fixmbr" command from within the Windows Recovery Console successfully removes the malicious MBR entry.

# Independent security firm GMER has produced a utility that will scan and remove the Mebroot stealth program! Please note that this is an advanced tool and not to be used without some caution.

# It seems that so far Windows XP is the most vulnerable operating system.

# In ADDITION to running your normal security software, consider running ThreatFire alongside it for better protection. By constantly monitoring the activity on your PC, ThreatFire's ActiveDefense technology is able to hunt down and paralyze threats that are too new or too clever to be recognized by traditional security software.

...and stay safe!
