SANS Internet Storm Center
Master Boot Record rootkit

Matt Richard from Verisign sent us some information regarding the Master Boot Record (MBR) rootkit that has been found in the wild in the past weeks.

The first interesting part is the timeline:

The next big thing is that those distributing this rootkit also distribute the Torpig banking Trojan.

The rootkit is currently being installed through a set of relatively old and easy-to-patch Microsoft vulnerabilities:

  • Microsoft JVM ByteVerify (MS03-011)
  • Microsoft MDAC (MS06-014) (two versions)
  • Microsoft Internet Explorer Vector Markup Language (MS06-055)
  • Microsoft XML CoreServices (MS06-071)

But that can change at any moment to something more recent.

The different files involved had rather spotty detection among anti-virus products.
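A rootkit that lives in the MBR modifies the first sector of the disk, so the practical defender's check is to baseline that sector and watch for changes. The following is an added example, not part of Matt Richard's report or this diary: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot-code region and compares it with a stored baseline. The sample MBR bytes are constructed inline; `load_mbr` reading a raw device path is an assumption about how you would obtain real bytes (it needs administrator or root privileges).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: boot code (what an MBR rootkit replaces)
PART_TABLE_OFF = 446       # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFF = 510        # bytes 510..511: 0x55 0xAA boot signature
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: caller-supplied boot code, one NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return code + table + b"\x55\xaa"


def load_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device (assumption: e.g. /dev/sda or \\\\.\\PhysicalDrive0)."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into its boot-code hash, partition entries and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    (sig,) = struct.unpack("<H", mbr[SIGNATURE_OFF:])   # bytes 55 AA read little-endian = 0xAA55
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _, ptype, _, lba_start, sectors = struct.unpack(PART_ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:                    # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "valid_signature": sig == 0xAA55,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(mbr: bytes, baseline_boot_hash: str) -> list[str]:
    """Return a list of findings; an empty list means the MBR matches the known-good baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no bootable partition entry")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Baseline a clean constructed MBR, then detect a tampered copy of it."""
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")   # constructed boot stub
    baseline = parse_mbr(clean)["boot_code_sha256"]
    tampered = bytearray(clean)
    tampered[0:4] = b"\xeb\x3c\x90\x00"    # constructed change to the boot code only
    return check_against_baseline(clean, baseline), check_against_baseline(bytes(tampered), baseline)


if __name__ == "__main__":
    clean_findings, tampered_findings = demo()
    print("clean:", clean_findings or "matches baseline")
    print("tampered:", tampered_findings)
```

Store the baseline hash somewhere the host cannot alter it (offline, or with the boot media you imaged), and re-check from trusted media rather than from the possibly compromised running system, since a rootkit controlling the boot path can misreport disk contents to tools that run on top of it.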

Swa Frantzen -- Gorilla Security

Jan 8th 2008