This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/malware/0,3800003100,39169612,00.htm


Rootkit to protect Trojans goes live
5,000 infections in one month…

By Liam Tung

Published: Thursday 10 January 2008

A gang that specialises in the theft of banking information through Trojans is attempting to protect its work by spreading a rootkit that veils malware.

Until late December 2007 the Master Boot Record (MBR) rootkit had been a proof of concept, but it is now being used by criminals. Rick Howard, director of intelligence at VeriSign's iDefense division, said 5,000 infections have occurred since 12 December.

The rootkit, which is being hosted on seemingly innocent websites and transmitted via malicious iFrames, can hide numerous other dangerous Trojans, according to VeriSign.


The rootkit delivers its payload by modifying an infected computer's master boot record, so that its code runs before Windows boots.

VeriSign said: "This rootkit is especially damaging due to the difficulty involved in removing it… [and] contains several exploits used to install the rootkit on unpatched victim computers."

Exploits include Microsoft JVM ByteVerify, two versions of Microsoft MDAC to cater for multiple Windows systems, Microsoft Internet Explorer Vector Markup Language, and Microsoft XML CoreServices.

The MBR rootkit does not exist as a single file: its code is spread across different sectors of the disk, so it cannot be deleted like an ordinary file, according to research by GMER, a company that produces rootkit detection and removal software and which has developed a fix that is available through Microsoft.
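The two points above, that the rootkit lives in the boot sector rather than in a file and that its code is parked in raw disk sectors, are why file-based scanning misses it and why an offline integrity check of the first sectors of the disk is a useful defensive control. The script below is an added example and is not code from GMER, VeriSign or the article; it assumes the standard MBR layout (446 bytes of boot code, a four-entry partition table, the 0x55AA signature), uses constructed disk images rather than real samples, and treats non-zero data in the unallocated sectors before the first partition as a lead to investigate rather than proof of infection, since legitimate boot managers can also use that gap.

```python
"""Offline MBR integrity check against a recorded known-good baseline.
Added example: not the article's, GMER's or VeriSign's code."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


@dataclass
class Partition:
    active: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> Tuple[bytes, List[Partition]]:
    """Split a 512-byte MBR into its bootstrap code and used partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts: List[Partition] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs0, type_id, _chs1, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if type_id != 0:  # type 0 marks an unused slot
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return sector[:BOOT_CODE_LEN], parts


def boot_code_digest(sector: bytes) -> str:
    """Hash of the bootstrap code only; the partition table may legitimately change."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_disk(image: bytes, baseline_digest: str) -> List[str]:
    """Return findings for a raw disk image; an empty list means it matches the baseline."""
    mbr = image[:SECTOR]
    _boot_code, parts = parse_mbr(mbr)
    findings: List[str] = []
    if boot_code_digest(mbr) != baseline_digest:
        findings.append("MBR boot code differs from recorded baseline")
    active = [p for p in parts if p.active]
    if len(active) != 1:
        findings.append(f"expected one active partition, found {len(active)}")
    # Heuristic (assumption): sectors between the MBR and the first partition are
    # normally unused, and code stored there never appears as a file. Legitimate
    # boot managers can also use this gap, so report it as a lead, not a verdict.
    first_lba = min(p.lba_start for p in parts) if parts else 1
    for lba in range(1, min(first_lba, len(image) // SECTOR)):
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            findings.append(f"non-zero data in unallocated sector {lba}")
            break
    return findings


def build_image(boot_code: bytes, gap_payload: bytes = b"", first_lba: int = 63) -> bytes:
    """Construct a tiny disk image: MBR, unallocated gap, start of one NTFS partition."""
    assert len(boot_code) <= BOOT_CODE_LEN
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, first_lba, 2048)
    mbr = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE
    gap = gap_payload.ljust((first_lba - 1) * SECTOR, b"\x00")
    return mbr + gap + b"\xeb\x52\x90NTFS    ".ljust(SECTOR, b"\x00")


# Constructed sample boot code standing in for a known-good Windows MBR.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8" + b"\x90" * 32
CLEAN_IMAGE = build_image(CLEAN_BOOT_CODE)
BASELINE = boot_code_digest(CLEAN_IMAGE[:SECTOR])   # record this when the host is known-good

# Constructed tampered image: bootstrap code replaced, a blob parked in the gap sectors.
TAMPERED_IMAGE = build_image(b"\xeb\x10" + b"\xcc" * 20, gap_payload=b"\xe8\x00\x00" * 40)

if __name__ == "__main__":
    print("clean:", check_disk(CLEAN_IMAGE, BASELINE) or "no findings")
    print("tampered:", check_disk(TAMPERED_IMAGE, BASELINE))
```

On a real system the 512-byte sector would be read from the raw device (for example `\\.\PhysicalDrive0` on Windows) while booted from trusted media, because a rootkit that runs before the operating system can lie to anything that reads the disk through the infected OS. The baseline digest should be taken from a machine known to be clean and stored off-host.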

VeriSign said: "The most effective defence against the rootkit installation is to maintain patches for Windows and all third-party applications. The GMER anti-rootkit tool is able to detect the current variants of this rootkit."

The group using the MBR rootkit has also been known to use the information-stealing banking Trojan Torpig, which has infected over 200,000 victims.
