MBR rootkit – here’s some references

Prevx Blog has a good writeup located at prevx.com/blog/75/Master-Boot-Record-Rootkit…

SANS Internet Storm Center has released an interesting timeline story – link here.

From the post, based on Verisign iDefense data:

….

  • Oct. 30, 2007 – Original version of MBR rootkit written and tested by attackers
  • Dec. 12, 2007 – First known attacks installing MBR code; about 1,800 users infected in four days.

McAfee detects the Trojan as StealthMBR (DAT 5204 or above) and Symantec as Trojan.Mebroot. Sophos, in turn, uses the name Troj/Mbroot-A. Names like Trojan.Win32.Agent.dsj and TROJ_AGENT.APA have been assigned too.

10th Jan: Trend Micro uses the name TROJ_SINOWAL.AD
12th Jan: Symantec sees the infected MBR as Boot.Mebroot. McAfee uses the name StealthMBR!rootkit too.


Published by

Juha-Matti

Security consultant from Finland
