Mebroot - How Does This Security Threat Concern Me?
Article Published by Marc Liron - Microsoft MVP
Internet security experts are warning Windows users about a new Rootkit that steals login details for online bank accounts.
These are then sent back to the criminals, who either sell them to the highest bidder or use them themselves to drain the victims' funds!
What is a Rootkit?
A rootkit is a malicious program (or combination of several
programs) designed to take control ("Administrator" access) of a
computer, without authorization by the owners.
Typically, rootkits act to obscure their presence on the computer
through "subversion" or "evasion" of the operating system security
mechanisms. A rootkit will conceal running processes from monitoring
programs, or hide files or system data from the operating system.
Sometimes they are also Trojans, fooling users into
believing they are safe to run on their systems!
Why is Mebroot Different?
The Mebroot rootkit (first given this name by security firm Symantec)
is unusual in that it tries to overwrite part of a computer's hard
drive called the Master Boot Record (MBR).
This is where a computer looks when it is switched on for
information about the operating system it will be running.
"If you can control the MBR, you can control the operating
system and therefore the computer it resides on!" wrote Elia
Florio on security company Symantec's blog.
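An added example (not part of the original article): checking a saved 512-byte MBR image against a known-good copy from the same disk, which is how an overwritten boot record shows up. The function names and sample sectors are constructed for illustration; because a rootkit can hide data from the running system, the image is assumed to have been captured from outside the installed operating system, such as a recovery environment.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # boot code area; four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # boot signature at offset 510


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[BOOT_CODE_LEN + 16 * i: BOOT_CODE_LEN + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0 means the slot is unused
            parts.append({"slot": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start,
                          "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}


def compare_to_baseline(sector: bytes, baseline: bytes) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    cur, ref = parse_mbr(sector), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != ref["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != ref["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def make_sample(boot_fill: int) -> bytes:
    """Constructed sample sector: filler boot code, one NTFS-type partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 63, 204800)
    return bytes([boot_fill]) * BOOT_CODE_LEN + entry + b"\x00" * 48 + SIGNATURE


if __name__ == "__main__":
    baseline = make_sample(0x90)   # constructed known-good image
    suspect = make_sample(0xCC)    # constructed image with altered boot code
    print(compare_to_baseline(baseline, baseline))
    print(compare_to_baseline(suspect, baseline))
```

The baseline has to come from the same disk while it is known to be clean, since the hashed area includes the per-disk signature and the partition layout differs between machines.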
How Does Mebroot Infect a Computer?
Mebroot has been deliberately installed at websites controlled by the criminals and targets those website visitors who have not patched their computers with the latest security updates from Microsoft.
Once it installs itself on the vulnerable computer, it then contacts a remote server on the internet and downloads additional nasty software called "key loggers".
These special software programs are designed to capture all your passwords and login information and send it back to the criminal gang.
Analysis of Mebroot has shown that it uses its hidden position on the MBR as a beachhead so it can reinstall these associated programs if they are deleted by anti-virus software!!!
Most of these key logger programs lie in wait on a machine until its owner logs in to the online banking systems of one of more than 900 financial institutions it has been programmed to recognize.
Leading security firm iDefense has said that Mebroot was discovered in October 2007, but only started to be used in a series of attacks in early December 2007.
The Russian virus-writing group behind Mebroot are specialists in stealing bank login information.
What Can a Computer User Do - Some Notes:
# Computers running Windows XP, Windows Vista, Windows Server 2003 and Windows 2000 that are NOT fully patched are all vulnerable to the virus. Make sure you have Automatic Updates turned on!
# Make sure you have an up to date security suite installed! If you don't then consider:
# CA Internet Security Suite PLUS 2008
# Although the password-stealing programs that Mebroot installs can be found by security software, such as CA Internet Security Suite, few commercial anti-virus packages currently detect Mebroot itself. This will change in the coming months now that they know what to look for. (At least for now they will block the key logger Trojans from stealing data.)
# Mebroot cannot be removed while an operating system is running. However, running the "fixmbr" command from within the Windows Recovery Console successfully removes the malicious MBR entry.
# Independent security firm GMER has produced a utility that will scan for and remove the Mebroot stealth program! Please note that this is an advanced tool and is not to be used without some caution.
# It seems that, so far, Windows XP is the most vulnerable operating system.
# In ADDITION to running your normal security software, consider running ThreatFire alongside it for better protection. By constantly monitoring the activity on your PC, ThreatFire's ActiveDefense technology is able to hunt down and paralyze threats that are too new or too clever to be recognized by traditional security software.
...and stay safe!
Kind Regards

Marc Liron - Microsoft MVP
http://www.marcliron.com