
Trojan.Mebroot

Posted: February 29, 2008

Mebroot (also known as Sinowal or StealthMBR) is a banking Trojan and rootkit that collects bank account information and opens further security holes that its operators can use for illicit financial gain. Despite its wide availability, with some campaigns carrying target lists of up to thousands of banking websites, Mebroot shows an exceptional level of sophistication for a Trojan of such broad distribution. Use proper anti-malware procedures to identify and remove Mebroot: it produces no prominent visible symptoms, and its behavior may vary according to the commands it receives through its backdoor.

Surveying the Root of a Multitude of Bank Problems

Mebroot is a Trojan whose primary purpose is enabling illicit financial gain from the infected Windows computer while various rootkit functions conceal its presence. Mebroot may be rented out to third parties outside its primary development team, which allows its distribution methods, behavior and choice of targets to vary considerably. Some Mebroot campaigns target over a thousand separate banking institutions, and malware experts have seen Mebroot installed through scripts, fraudulent software updates and even mislabeled torrents.

Once installed, Mebroot modifies the Master Boot Record so that its code launches automatically, before Windows loads. Malware experts also have seen the following security risks from typical Mebroot infections:

  • Mebroot may open a backdoor connection to a remote server, which can receive collected information, issue commands or supply additional threats for Mebroot to install. Malware researchers have seen Mebroot use advanced methods of circumventing firewalls to establish this connection.
  • Threats related to Mebroot may be injected directly into the memory of other running processes. A frequent use of this technique is intercepting information, such as passwords you enter into your browser.
  • Mebroot also may install Anserin, a keylogger that records your keyboard input for later theft. Websites of various banking companies are prominent targets for the spyware functions of both Mebroot and Anserin.

Some variants of Mebroot also incorporate behavior reminiscent of the TDSS family of rootkits.

How You can Uproot a Modern Bank Robber

While bank hold-ups are, by and large, a thing of the past, Mebroot's harmful actions are harder to detect than any ordinary robber's. Apart from the unusual network activity of its backdoor, the symptoms of a Mebroot infection may be minimal or nonexistent. Rootkits like Mebroot also can be assumed to take steps to avoid detection by security programs running inside the infected Windows environment.

However, following standard routines for removing high-level threats, such as restarting the machine from a USB device and running anti-malware scans from outside the infected Windows installation, should allow you to delete Mebroot and related threats. The high variability in Mebroot's distribution also makes preventative measures particularly useful; malware experts place special emphasis on browser-based security features and safe downloading behavior.
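Because Mebroot persists by rewriting the Master Boot Record, one concrete check to run from rescue media is to compare the disk's first sector against a copy captured when the machine was known to be clean. The script below is an added example written for this page, not code from the original article or from any Mebroot analysis: the MBR layout it relies on (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature at offset 510) is the standard one, but the sample MBR bytes and the tampering pattern are constructed for illustration and do not reproduce Mebroot's actual boot code.

```python
"""Offline MBR integrity check (added example, not from the original page).

Compares a 512-byte Master Boot Record against a known-clean baseline.
Run it from rescue media rather than inside the suspect Windows install,
since a rootkit can hide its changes from the running operating system.
"""
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # bootstrap code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16      # four entries follow the bootstrap code
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511 of every valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into a bootstrap-code hash and decoded partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings describing how `current` differs from `baseline`.

    An empty list means the bootstrap code and partition table are unchanged.
    """
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if base["bootstrap_sha256"] != cur["bootstrap_sha256"]:
        changed = [i for i in range(PARTITION_TABLE_OFFSET) if baseline[i] != current[i]]
        findings.append(f"bootstrap code changed ({len(changed)} bytes, "
                        f"first at offset {changed[0]})")
    for i, (b, c) in enumerate(zip(base["partitions"], cur["partitions"])):
        if b != c:
            findings.append(f"partition entry {i} changed: {b} -> {c}")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample MBR: one bootable type-0x07 partition at LBA 2048."""
    code = bootstrap.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return code + table + BOOT_SIGNATURE


# Constructed baseline: a few plausible real-mode opcodes followed by NOP padding.
CLEAN_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100)
# Constructed tampering: the first bootstrap bytes are overwritten (as a bootkit
# that hijacks the boot path would do) while the partition table is left intact.
TAMPERED_MBR = b"\xEB\x3E\x90\x00" + CLEAN_MBR[4:]
# Constructed tampering of the partition table only: entry 0's start LBA moved.
PT_TAMPERED_MBR = CLEAN_MBR[:454] + struct.pack("<I", 4096) + CLEAN_MBR[458:]

if __name__ == "__main__":
    # On a Linux rescue system the live sector can be captured with
    #   dd if=/dev/sda bs=512 count=1 of=mbr.bin
    # and compared via compare_mbr(open("baseline.bin", "rb").read(),
    #                              open("mbr.bin", "rb").read()).
    print(compare_mbr(CLEAN_MBR, CLEAN_MBR))
    print(compare_mbr(CLEAN_MBR, TAMPERED_MBR))
    print(compare_mbr(CLEAN_MBR, PT_TAMPERED_MBR))
```

The baseline must come from a trusted capture (for example, taken right after installation and stored off the machine); reading both copies from inside the infected Windows session defeats the purpose, because the rootkit layer can return the original sector to user-mode readers. A changed bootstrap with an untouched partition table is the pattern to look for with an MBR-resident Trojan, since the system still needs a valid partition table to boot into Windows afterwards.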

File System Modifications

  • The following files were created in the system:
    1. cln2.tmp
