Botnets have become more prevalent as malware creators have become more capable. One of the more diabolical pieces of malware, which first showed up back in 2008, is called Mebroot. This virus, which is still in the wild today, is a rootkit that modifies a machine's Master Boot Record so that it runs before the operating system loads, allowing it to hide itself from desktop protection applications.
When prioritizing elements of enterprise network security, stopping malware like a rootkit that conceals itself and allows total control of the machine belongs right at the top. Mebroot alone is mostly harmless in that it carries no specific payload of its own; instead it is a platform for loading other malware. The most prevalent of these is Torpig, a huge botnet.
Torpig bundles a number of information-stealing components that search the infected machine for credentials, accounts and passwords, and it purportedly gives attackers full control of the system. In 2009 a group of researchers was able to take control of the Torpig botnet for a period of ten days. During that time they collected over 70GB of stolen data from infected client computers.
Mebroot gets onto machines when a user visits a website with an older web browser that has not been patched against the weaknesses Mebroot exploits to install itself on the user's computer. A good way to find Mebroot is with a network-based detector, since the virus hides itself on the system it is installed on, which can make it undetectable from that system.
Only some anti-virus applications can find and remove Mebroot. If a machine is rebooting or acting infected, yet no virus appears in a scan, repairing the Master Boot Record will remove Mebroot if it is installed. A web search for “Fix MBR” will turn up several ways to repair the Master Boot Record. Once that is done, run a complete virus scan on the computer again to find anything else that was hidden.
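As an added example, not code from the original article, here is a Python check that records a baseline hash of the MBR's 446 bytes of boot code while a machine is known clean and later flags a boot sector whose code has changed even though the partition table and signature still look normal. The 512-byte sectors below are constructed for the demonstration; on a real system the bytes would be read from the raw disk device, ideally after booting from clean media, since a rootkit that controls the running system can hide its changes from a live read.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # executable code the BIOS jumps to
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the code
MBR_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": partitions, "signature": sector[510:]}

def boot_code_hash(sector: bytes) -> str:
    """Baseline value to record while the machine is known clean."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()

def check_mbr(sector: bytes, baseline: str) -> list:
    """Return findings; an empty list means the MBR matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != MBR_SIGNATURE:
        findings.append("invalid MBR signature")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline:
        findings.append("boot code differs from recorded baseline")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    return findings

# Constructed sample: a stand-in boot loader, one bootable NTFS-type partition, valid signature.
CLEAN_MBR = (b"\xeb\x3c\x90" + b"\x90" * (BOOT_CODE_LEN - 3)
             + struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
             + b"\x00" * 48 + MBR_SIGNATURE)
BASELINE = boot_code_hash(CLEAN_MBR)

# Constructed tampered copy: same partition table and signature, but the boot code
# has been overwritten (with a filler pattern here, not real malicious code).
TAMPERED_MBR = b"\xe9\x00\x01" + b"\xcc" * (BOOT_CODE_LEN - 3) + CLEAN_MBR[BOOT_CODE_LEN:]

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE) or "OK")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE) or "OK")
```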
The best course is to prevent infection in the first place by keeping browsers patched and by operating both host-based and network-based malware detection applications that are constantly updated with real-time information, so that any infection is stopped before it starts.
Get more information to help create your network security policy and defend against network security threats from your local IT Value Added Reseller that specializes in security.