Infecting PCs. Harvesting sensitive online information. Transmitting stolen data in order to land large profits.
This month’s threat pick, the Mebroot Trojan, is guilty of all these acts. While it may sound like the typical bad behavior of any given malware application, what makes this threat particularly ruthless is the longevity of the attacks and the widespread number of victims left in its wake.
Understanding the Threat
Most computer users are familiar with the term “Trojan” – a program that appears to do one thing but actually does another – because these threats are so common on the Web. What is unusual about this one? According to a recent ComputerWorld report, the Mebroot Trojan has been operated by a single, sophisticated cyber crime group for the past three years, and the same basic strategy has kept working against a large and growing number of victims for all of that time. The Mebroot Trojan, also known as Sinowal and Torpig, is responsible for stealing almost half a million bank account and credit card numbers, according to research from security firm RSA [1].
The Bad Behavior
How, specifically, do the scammers pull off the ploy? According to Lavasoft researchers, the Trojan uses an unusual and effective, yet relatively old technique that goes back to the boot sector viruses of the DOS days: it overwrites the original master boot record (MBR) with its own code. The MBR is the first sector of a partitioned storage device; in simpler terms, it is the 512 bytes the BIOS loads and executes when the machine is switched on, and it is that code which goes on to find and start the operating system. Because Mebroot owns that sector, its code runs before Windows has even started to load.
Once a user’s system is infected, the Trojan is able to steal sensitive information, like login details and passwords, and send the pilfered data to a remote server.
The MBR is the staging point for the malware: the code in the boot sector loads the rest of the rootkit and installs its payload inside Windows. The payload is what anti-malware programs can detect – Lavasoft detects it as “Win32.Trojan-PSW.Sinowal” – but the modified MBR where Mebroot resides is not detected from inside the running system, because the bootkit starts before the kernel and hooks the disk driver so that reads of the first sector return the original, clean MBR. That is also why removing the payload alone does not work: on the next restart, the code in the MBR simply re-installs it.
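The paragraph above makes two practical points: the infection lives in the bootstrap code of the first sector, and the running system cannot be trusted to show that sector. The following Python script is an added example, not Lavasoft's tooling, that puts both points to work. It parses a raw 512-byte MBR into its bootstrap code, disk signature and partition table, then compares a fresh dump against a known-good copy. A bootkit like the one described has to keep the partition table intact (otherwise Windows would no longer boot) while replacing the bootstrap code, so that is the pattern the comparison reports. The sample sectors, the device paths and the helper names are all constructed for the example; the dump itself must be taken while booted from clean media, for the reason the paragraph gives.

```python
"""Offline MBR integrity check (added example, not the article's own code)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: bootstrap code the BIOS jumps to
DISK_SIG_OFF = 440       # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
BOOT_SIG_OFF = 510       # bytes 510..511: 0x55 0xAA boot signature


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into its MBR fields."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[BOOT_SIG_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:  # partition type 0 marks an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def compare_mbr(current: bytes, baseline: bytes) -> list:
    """Return the MBR regions in `current` that differ from the known-good copy.

    An MBR bootkit typically yields ["boot code modified"] on its own: the
    bootstrap code is swapped out while the partition table is left alone so
    the installed OS still boots.
    """
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code modified")
    if current[PART_TABLE_OFF:BOOT_SIG_OFF] != baseline[PART_TABLE_OFF:BOOT_SIG_OFF]:
        findings.append("partition table modified")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device (assumed paths; run this ONLY from
    clean boot media).  Examples: "/dev/sda" from a Linux live CD, or
    r"\\.\PhysicalDrive0" from a Windows PE disk.  From inside an infected
    Windows the bootkit's disk-driver hook hands back the original sector,
    so the comparison would report nothing."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def _build_sector(boot_code: bytes) -> bytes:
    """Constructed sample sector: the given bootstrap bytes plus one bootable
    NTFS partition (type 0x07) starting at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\x12\x34\x56\x78"
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 63, 2_000_000)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed samples for the demonstration; neither is a real disk image and
# the "infected" bytes are NOT Mebroot code.  The clean one opens with the
# usual Windows MBR prologue (xor ax,ax / mov ss,ax / mov sp,7C00h).
CLEAN_MBR = _build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40)
INFECTED_MBR = _build_sector(b"\xeb\x10\x90\x90\x90\x90\x90" + b"\xcc" * 40)

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print("clean vs baseline:   ", compare_mbr(CLEAN_MBR, CLEAN_MBR))
    print("infected vs baseline:", compare_mbr(INFECTED_MBR, CLEAN_MBR))
```

The baseline can be a sector saved when the machine was known to be clean or the standard MBR written by the Windows installer; what matters is that both the baseline and the dump under test come from outside the possibly infected operating system.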
If you have been infected, replace the master boot record first, from outside the infected system, using the 'fixmbr' command in the Recovery Console, then remove the Windows payload with your anti-malware scanner; doing it in the other order lets the MBR re-install the payload on the next boot. fixmbr rewrites only the bootstrap code of the first sector and leaves the partition table in place. Before using the Recovery Console, it is highly recommended that you read the Microsoft article "How to Install and Use the Recovery Console in Windows XP" at the Microsoft Help and Support site. The steps are:
- Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
- Click to select any options that are required to start the computer from the CD-ROM drive if prompted.
- Press R to start the Recovery Console.
- If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.
- Enter the Administrator password. If the administrator password is blank, just press Enter.
- At the command prompt, type “fixmbr” and press Enter.
- Follow the prompts to repair the MBR. fixmbr may warn that the computer appears to have a non-standard or invalid master boot record and ask for confirmation; on a machine infected in this way that warning is expected.
- Type “exit” at the prompt and press Enter to restart, then run a full anti-malware scan to remove the payload.
To learn specific tips on safeguarding your PC from malware attacks before your system is compromised, visit the Lavasoft Security Center.