'Mebroot' rootkit slides further under the security radar, researcher says

New variant appears to use more sophisticated techniques to hide itself than first version did

April 15, 2009 12:00 PM ET


IDG News Service - Thousands of Web sites have been rigged to deliver an updated version of a rootkit that many data security tools may be unprepared to handle, according to U.K.-based security software vendor Prevx Ltd.

The new malware is a variant of a rootkit known as Mebroot, said Jacques Erasmus, Prevx's director of research. Mebroot first appeared in late 2007 and was given its name by researchers at Symantec Corp. Unlike traditional rootkits, which install themselves as Windows drivers, it sits beneath the operating system rather than inside it, which makes it hard to detect.

Mebroot overwrites the master boot record (MBR), the first sector of a PC's hard drive. After the system BIOS finishes its start-up checks, it loads and runs the boot code in the MBR before Windows itself loads, so code placed there runs ahead of the operating system and of any security software installed on it, and can tamper with the kernel as it comes up.

And if the MBR on a system falls under a hacker's control, so does the entire computer and all of the data that's stored on it or transmitted via the Internet, Erasmus said.

Since Mebroot was discovered, security vendors have refined their software to detect it. But Erasmus said that the latest version uses much more sophisticated techniques to stay hidden.

For instance, the updated rootkit hooks various functions of the Windows kernel. Once Mebroot is running, those hooks intercept attempts to read the MBR and hand back an untampered copy instead. "When something is trying to scan the MBR, it displays a perfectly good-looking MBR to any security software," Erasmus said.
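To make the two preceding paragraphs concrete, here is an added example, not code from the article or from Prevx: a parser for the 512-byte MBR layout that verifies the 0x55AA boot signature, decodes the partition table and hashes the 446-byte bootstrap region so it can be compared against a known-good baseline. The sample sectors, the stand-in boot code bytes and the baseline hash are constructed for the example; on a real machine the sector would be read from the raw disk device. The caveat in the text applies directly: a kernel hooked the way Erasmus describes answers such a read with a clean-looking sector, so the comparison is only trustworthy when the disk is read from a system booted from clean media.

```python
import hashlib
import struct

# Layout of a classic MBR (sector 0 of the disk):
#   bytes   0..445  bootstrap code (the region Mebroot replaces)
#   bytes 446..509  four 16-byte partition table entries
#   bytes 510..511  boot signature 0x55 0xAA
SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte MBR into a partition list plus a hash of its boot code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:  # empty entry
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,  # e.g. 0x07 = NTFS/HPFS, 0x83 = Linux
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the bootstrap region differs from a known-good hash.

    Caveat: a kernel hooked as the article describes returns a clean-looking
    sector to reads made from inside that OS, so this check passes on an
    infected machine. Read the sector from a clean boot instead.
    """
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def read_first_sector(device_path: str) -> bytes:
    # Raw device, e.g. \\.\PhysicalDrive0 on Windows or /dev/sda on Linux;
    # needs administrator/root and is not called in this example.
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: one bootable NTFS partition starting at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + table + b"\x55\xaa"


# Constructed samples: the "infected" sector keeps the partition table intact,
# as a bootkit must, and only the bootstrap code differs. The byte strings are
# stand-ins, not real loader code.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
INFECTED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)
CLEAN_BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        info = parse_mbr(sector)
        print(name, "partitions:", info["partitions"])
        print(name, "boot code changed:", boot_code_changed(sector, CLEAN_BASELINE))
```

The partition table is left untouched in the infected sample because a bootkit that corrupted it would stop the machine booting and give itself away; only the bootstrap bytes change, which is why a hash of that region against a baseline taken at install time is the useful comparison.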

Each time the computer is booted, he added, Mebroot injects itself into a Windows process in memory, such as svchost.exe. Beyond the boot sector itself, that means no file is written to the file system, another evasive technique. The rootkit can then steal information and send it to a remote server via HTTP, according to Erasmus. He said that network analysis tools won't notice the data leaking out, since Mebroot hides the traffic. Because that hiding is done on the compromised machine itself, it only blinds tools running there; a monitor on a separate device, such as a network tap, still sees the packets.

Prevx spotted the new variant of Mebroot after one of the company's consumer customers became infected. It took security analysts at the firm a few days to nail down exactly how the new variant was managing to embed itself in the operating system. "I think everyone at the moment is working on modifying their [anti-malware] engines to find it," Erasmus said.

And security vendors may need to act fast. Erasmus said it appears that thousands of Web sites have been hacked to deliver Mebroot to vulnerable computers that don't have the proper security patches for their Web browsers.

The infection mechanism is known as a drive-by download. It is triggered when a user visits a legitimate Web site that has been hacked to load an invisible IFrame from an exploit framework, which probes the user's browser for a vulnerability it can exploit. If it finds one, Mebroot is installed on the system without the user's knowledge.
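As an added example of the first stage of that chain, here is a small static check for the injected frame itself; it is not code from the article or from Prevx. It parses served HTML, collects every IFrame and flags those that are hidden by style or sized at a pixel or two, recording whether the frame loads from a host other than the page's own. The sample page and the host names in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({name.lower(): (value or "") for name, value in attrs})


def _is_tiny(dimension: str) -> bool:
    """'0', '1', '1px' and the like: a frame too small to be meant for the user."""
    match = re.match(r"\s*(\d+)", dimension)
    return match is not None and int(match.group(1)) <= 2


def _hidden_by_style(style: str) -> bool:
    compact = style.replace(" ", "").lower()
    return any(marker in compact for marker in
               ("display:none", "visibility:hidden", "width:0", "height:0"))


def suspicious_iframes(html: str, page_host: str) -> list:
    """Return hidden or tiny iframes with the reasons and whether they load off-site."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.iframes:
        src = frame.get("src", "")
        # A relative src stays on the page's own host.
        host = (urlparse(src).hostname or page_host).lower()
        reasons = []
        if _is_tiny(frame.get("width", "")) and _is_tiny(frame.get("height", "")):
            reasons.append("tiny frame")
        if _hidden_by_style(frame.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            findings.append({
                "src": src,
                "off_site": host != page_host.lower(),
                "reasons": reasons,
            })
    return findings


# Constructed sample: a legitimate, visible same-site player, plus two injected
# frames of the kind a compromised page would carry (hosts are made up).
SAMPLE_PAGE = """<html><body>
<h1>Example Corp news</h1>
<iframe src="/video/player?id=42" width="640" height="360"></iframe>
<iframe src="http://bad.example/in.cgi?3" width="1" height="1" frameborder="0"></iframe>
<div>
  <iframe src="http://kit.example.net/index.php" style="display: none"></iframe>
</div>
</body></html>
"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print(finding)
```

A scan like this only sees the HTML as it was served. Exploit kits of this kind commonly write the frame from obfuscated JavaScript at page-load time, so the rendered DOM, or the browser's actual outbound requests, is the more reliable place to look; and the probe is the visible signal, since the Mebroot payload only arrives once the probe has found something to exploit.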

"It's pretty wild out there now," Erasmus said. "Everywhere you go, you have a chance to be infected." It's unknown who created Mebroot, but it appears that one aim of the hackers is to simply infect as many computers as possible, he added.


Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.
