Tuesday, January 29, 2008
Monday, January 21, 2008
Just found some useful information on MBR rootkit. Below is the timeline.
- Aug 1, 2005 - eEye publishes PoC code
- Aug. 3, 2007 - Vbootkit presentation at Black Hat USA
- Oct. 30, 2007 - Original version of MBR rootkit written and tested by attackers
- Dec. 12, 2007 – First known attacks installing MBR code
about 1,800 users infected in four days.
- Dec. 19, 2007 - Second wave of attacks installing MBR code
about 3,000 users infected in four days
- Dec. 22, 2007 – Malware Research Form members discover rootkit in the wild
- Jan. 2, 2008 - GMER research and analysis of MBR Rootkit code
- Jan. 5, 2008 - Prevx Blog has a good writeup located at http://www.prevx.com/blog/75/Master-Boot-Record-Rootkitis-here-and-ITW.html
- Jan. 7, 2008 – First anti-virus vendors detect MBR rootkit components
- McAfee detects the Trojan as StealthMBR (DAT 5204 or above) and Symantec as Trojan.Mebroot. Sophos uses name Troj/Mbroot-A, in turn. There are names like Trojan.Win32.Agent.dsj and TROJ_AGENT.APA assigned too.
- 10th Jan: Trend Micro uses the name TROJ_SINOWAL.AD
- 12th Jan: Symantec sees the infected MBR as Boot.Mebroot. McAfee uses the name StealthMBR!rootkit too.
According to SANS, the next big thing is that those distributing this rootkit, also distribute the Torpig banking Trojan. The rootkit is currently being installed through a set of relatively old, and easy to patch Microsoft vulnerabilities: