- Aug 1, 2005 - eEye publishes PoC code: http://research.eeye.com/html/tools/RT20060801-7.html
- Aug. 3, 2007 - Vbootkit presentation at Black Hat USA: http://www.blackhat.com/presentations/bh-europe-07/Kumar/Presentation/bh-eu-07-kumar-apr19.pdf
- Oct. 30, 2007 - Original version of the MBR rootkit written and tested by attackers
- Dec. 12, 2007 - First known attacks installing MBR code; about 1,800 users infected in four days
- Dec. 19, 2007 - Second wave of attacks installing MBR code; about 3,000 users infected in four days
- Dec. 22, 2007 - Malware Research Forum members discover the rootkit in the wild
- Jan. 2, 2008 - GMER research and analysis of the MBR rootkit code: http://www2.gmer.net/mbr/
- Jan. 5, 2008 - Prevx blog has a good writeup at http://www.prevx.com/blog/75/Master-Boot-Record-Rootkitis-here-and-ITW.html
- Jan. 7, 2008 - First anti-virus vendors detect MBR rootkit components
  - McAfee detects the Trojan as StealthMBR (DAT 5204 or above) and Symantec as Trojan.Mebroot. Sophos uses the name Troj/Mbroot-A. Names such as Trojan.Win32.Agent.dsj and TROJ_AGENT.APA have been assigned too.
- Jan. 10, 2008 - Trend Micro uses the name TROJ_SINOWAL.AD
- Jan. 12, 2008 - Symantec detects the infected MBR as Boot.Mebroot. McAfee also uses the name StealthMBR!rootkit.
According to SANS, the next big thing is that those distributing this rootkit also distribute the Torpig banking Trojan. The rootkit is currently being installed through a set of relatively old, easy-to-patch Microsoft vulnerabilities: