Security Intelligence Operations - Cisco Systems
Trojan: Trojan.Mebroot

Malicious Code Alert
Powered by Cisco Security IntelliShield Alert Manager

Threat Type: Malicious Code: Backdoor Trojan
IntelliShield ID: 14911
Version: 4
First Published: January 10, 2008 05:11 PM EST
Last Published: November 07, 2008 11:11 AM EST
Port: Not Available
 
Urgency: Possible Use
Credibility: Confirmed
Severity: Moderate Damage
 
Version Summary:

Additional details have been released for Trojan.Mebroot, including specific information regarding the large numbers of bank accounts compromised by this trojan.  Panda, Sophos, and Trend Micro have also released virus definitions to detect aliases of Trojan.Mebroot.

 
 
Aliases/Variants

Variants are unavailable.

 
Virus Name:

Trojan.Mebroot (Aliases include Win-Trojan/MBRtool (AhnLab), Win32/Mebroot.A (CA), StealMBR and StealthMBR!rootkit (McAfee), Sinowal.VPB, Sinowal.VTJ, and Sinowal.VUW (Panda), Troj/Sinowal-A, Troj/Sinowal-B, Troj/Sinowal-C, and Troj/Mbroot-A (Sophos), Boot.Mebroot (Symantec), and TROJ_SINOWAL.AD and TROJ_SINOWAL.CI (Trend Micro).)

 

Description

Trojan.Mebroot is a trojan that infects the Master Boot Record (MBR) code. This trojan installs a rootkit to hide its actions and may allow an attacker to access the system to control the machine.  The trojan is most widely known for its ability to steal online banking information, such as bank account numbers, credit and debit card numbers, and other confidential information.

When executed, the trojan creates a mutex to ensure only one instance of the trojan is running at a time.  Trojan.Mebroot scans for the bootable drive on the computer, copies the original MBR to another location, and infects the MBR by inserting malicious code.  During this process, some of the data saved in this portion of the drive will likely be overwritten. 

The trojan may create cln5.tmp in the \%Temp% directory and the following files in the \%Windows% directory:

00000219.tmp
ldo6.dll
ldo6.tmp

Trojan.Mebroot may reboot the system and display a message stating the need for a restart.  Once rebooted, the newly modified MBR installs a rootkit during the bootup process, which hides the trojan's presence on the system.

The trojan attempts to open a back door on the system by connecting to the http://dkfhchkb.com domain and communicating with the attacker.  The trojan may also inject additional malicious code into processes that are currently in user mode.

Virus definitions are available.


Impact

Trojan.Mebroot infects the MBR and installs a rootkit on the machine.  The trojan also opens a back door that could allow an attacker to control the affected system remotely.  In addition, the trojan can steal the following information:

FTP credentials
e-mail client passwords
system name
IP address
open ports
account credentials
user financial information
geographic area


Warning Indicators

The existence of the following files may indicate an infection; however, these filenames may vary:

cln5.tmp
00000219.tmp
ldo6.dll
ldo6.tmp
2.tmp
3.tmp
4.tmp

Trojan.Mebroot restarts the system and may display the following message during this process:

Some updates require you to restart your computer to complete the update process. Be sure to save any work prior to the scheduled time.

Personal firewalls may display a notification message when Trojan.Mebroot attempts to connect to the Internet and communicate with the attacker.

Host intrusion detection/prevention system software may display a notification when the trojan attempts to execute or make modifications to the system.


Technical Information

Trojan.Mebroot creates the following mutex to ensure only one instance of the trojan is running at a time:

Global\7BC8413E-DEF5-4BF6-9530-9EAD7F45338B

The trojan then scans the MBR for the partition table to locate an active boot partition of the drive.  The trojan injects malicious code into this bootable section and copies the original MBR to sector 62 of the hard drive.  The trojan installs a kernel loader to sectors 60 and 61 of the hard drive and a rootkit driver close to the end of the partition.  While installing the driver, the trojan overwrites approximately 1149 sectors of the hard drive that may contain user data.

Trojan.Mebroot creates a DLL file in the folder in which the trojan was originally executed and then executes the following command: regsvr32 /s %trojan file name%.dll

Next, the trojan restarts the system and the infected MBR will load the kernel loader in sectors 60 and 61, which patches the Windows kernel in memory to load the rootkit.  The rootkit driver hooks the following Windows kernel routines, allowing the trojan to perform some of its actions:

IRP_MJ_READ
IRP_MJ_WRITE

The trojan returns the original MBR backup stored in sector 62 if sector 0 is read from the hard drive.  The trojan attempts to prevent sector 0 from being written to in order to avoid removal of the trojan.

The trojan may add the value {DEF85C80-216A-43ab-AF70-1665EDBE2780}ImagePath = "\??\%Temp%\%Random Number%/.tmp" to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
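As an added illustration (not part of the Cisco alert), the following Python checks an offline disk image for the sector layout described above: non-zero content in sectors 60 and 61, and a second MBR at sector 62 whose partition table matches sector 0 but whose boot code differs. Because the rootkit returns the backup when sector 0 is read on a live system, such a check only makes sense on an image acquired outside the infected OS; the sector numbers are taken from the alert, and the sample image is constructed for the demo.

```python
import struct
SECTOR = 512
MBR_SIG = b"\x55\xAA"
LOADER_SECTORS = (60, 61)   # kernel loader location described in the alert
BACKUP_SECTOR = 62          # where the alert says the original MBR is copied

def sector(img, n):
    return img[n * SECTOR:(n + 1) * SECTOR]

def parse_mbr(sec):
    """Split a 512-byte sector into (boot code, partition table, signature ok)."""
    return sec[:446], sec[446:510], sec[510:512] == MBR_SIG

def active_partition(table):
    """Index of the first partition entry carrying the 0x80 boot flag, or None."""
    for i in range(4):
        if table[i * 16] == 0x80:
            return i
    return None

def check_image(img):
    """Heuristic check of an offline disk image for the sector layout the alert describes."""
    code0, table0, sig0 = parse_mbr(sector(img, 0))
    code62, table62, sig62 = parse_mbr(sector(img, BACKUP_SECTOR))
    findings = {
        "mbr_signature_ok": sig0,
        "active_partition": active_partition(table0),
        # Sectors 60-61 sit in the normally unused gap before the first partition (LBA 63).
        "loader_area_nonzero": any(sector(img, n) != bytes(SECTOR) for n in LOADER_SECTORS),
        # A second valid MBR at 62, same partition table, different boot code: backup copy.
        "backup_mbr_present": sig62 and table62 == table0 and code62 != code0,
    }
    findings["mebroot_layout_suspected"] = findings["loader_area_nonzero"] and findings["backup_mbr_present"]
    return findings

def build_sample_image(infected):
    """Constructed 64-sector image for demonstration; not a capture of real malware."""
    table = bytearray(64)
    # Entry 0: active (0x80), type 0x07, arbitrary CHS fields, start LBA 63, 1000 sectors.
    struct.pack_into("<B3sB3sII", table, 0, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 1000)
    original = b"\xfa\x33\xc0" + b"\x90" * 443 + bytes(table) + MBR_SIG
    img = bytearray(64 * SECTOR)
    img[0:SECTOR] = original
    if infected:
        # Patched boot code in sector 0, loader in 60-61, original MBR saved to 62.
        img[0:SECTOR] = b"\xeb\x3c\x90" + b"\xcc" * 443 + bytes(table) + MBR_SIG
        img[60 * SECTOR:62 * SECTOR] = b"\xcc" * (2 * SECTOR)
        img[BACKUP_SECTOR * SECTOR:(BACKUP_SECTOR + 1) * SECTOR] = original
    return bytes(img)
```

On a real image, replace the constructed bytes with the first 64 sectors read from the acquired disk file; a positive result is only a lead for further analysis, since legitimate boot managers may also use the pre-partition gap.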


 
IntelliShield Analysis

Security researchers have recently performed analysis on this trojan and uncovered astonishing data.  Trojan.Mebroot, also known as Sinowal or Torpig, has been effective since 2006.  The trojan's primary objective is to steal banking details and other confidential information, such as credit and debit card information and credentials for various types of accounts.  One reason the trojan has been so successful is that it employs the older tactic of infecting the MBR.  Because this tactic is no longer commonly used by malicious code authors, the trojan may have a better chance at bypassing detection.  This tactic makes detection very difficult and remediation efforts nearly impossible because users may need to completely reformat their hard drives to remove the trojan.  When it is installed on the system, the trojan just sits dormant until the user accesses certain finance-related URLs.  Reports indicate the trojan can be triggered by over 2700 URLs.  If one of these URLs is accessed, Trojan.Mebroot performs an HTML injection attack by injecting a new web page or information field into the user's browser, which would appear legitimate to the user.  The attacker could use this field or page to request sensitive information from the user, such as a Social Security number.  The malicious web page or form is controlled by the attacker, so if the user enters any information into the page, the data is sent to an attacker-controlled database.

Trojan.Mebroot is reported to have infected nearly 300,000 machines and successfully stolen 270,000 bank account numbers and details for 240,000 credit and debit cards.  Nearly one-third of the compromised accounts have occurred within the last 6 months, from May 2008 through November 2008.  These statistics indicate the trojan is a serious and ongoing threat.  Attackers are providing updates to the trojan on a regular basis to evade detection.  The trojan has also been suspected to have ties with the Russian Business Network (RBN).  More information about this malicious group is in IntelliShield Alert 14457.

Trojan.Mebroot does not contain a method of self-propagation and requires some type of user interaction to spread.  Users may download this trojan over P2P networks, IRC servers, FTP servers, or in an e-mail attachment sent from the attacker.

Reports indicate that the trojan has been installed from the http://gfeptwe.com domain using browser exploits.

Rule-based and application-based firewalls are likely to prevent or limit the impact of this trojan.  Rule-based firewalls are typically set up by an administrator for an entire network.  These firewalls are often set up to block all traffic entering and exiting a network except traffic traveling through ports needed for production.  Application-based firewalls are often found on client systems and can be configured to allow certain services and processes to access the Internet or local network.  These firewalls can be configured to prompt a user each time a new process or service attempts to access the Internet or local network.  Both types of firewalls may prevent malicious code from downloading updates or additional files.  The firewalls may also prevent the malicious code from contacting an attacker or website and from accessing local network resources.

Most host intrusion detection/prevention system software can be configured to warn users when suspicious activity occurs on their systems.  This software can be configured to prevent this trojan from attempting to execute its infection routines.  Host intrusion detection/prevention system software may also be configured to prompt a user when suspicious activity occurs.  Often users can choose whether to allow or deny the activity in question.  These factors will limit the infection rate and impact on most systems.

Security best practices dictate that administrators should restrict file formats commonly associated with malicious code from entering the corporate network.  User education focused on avoiding malicious code attacks and responding in the case of infection is of equal importance.

 
Safeguards

Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.

Block all file attachments except those specifically required for business purposes.

Use current and well-configured antivirus products at multiple levels in the environment.  Configure antivirus products to scan all files and provide full-time or auto-protect functions.  Configure antivirus products to scan three levels deep on compressed files.

Configure auto-update features to update daily or manually update antivirus signatures.  Establish procedures for immediate antivirus updating in response to high risk malicious code outbreaks.

Conservatively configure mail perimeter servers, routers, firewalls, and personal computers.  Disable all unnecessary products, features, and sharing.  Install all security-relevant patches and upgrades as available.

Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to those required for business operations.

Establish supplemental protection for remote and mobile users.  Include daily updated antivirus, personal firewalls, and network address translation on corporate routers or firewalls.

Provide initial and continuing education to all levels of users throughout the organization.

 
Patches/Software
AhnLab has released virus definitions to detect Win-Trojan/MBRtool.

The CA Virus Threat for Win32/Mebroot.A, as well as the signature and engine information, is available at the following link: CA

The McAfee Virus Description for StealthMBR is available at the following link: Virus Description.  DAT files 5204 and later are available at the following link: McAfee

The McAfee Virus Description for StealthMBR!rootkit is available at the following link: Virus Description.  DAT files 5204 and later are available at the following link: McAfee 

Panda Software has also released virus signature files that detect the following: Sinowal.VUW, Sinowal.VTJ, and Sinowal.VPB

Sophos has also released identity files that detect the following: Troj/Sinowal-A, Troj/Sinowal-B, and Troj/Sinowal-C

The Sophos Virus Analysis for Troj/Mbroot-A is available at the following link: Virus Analysis.  The latest identity files are available at the following link: Sophos

The Symantec Security Response for Boot.Mebroot is available at the following link: Security Response.  The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec

The Symantec Security Response for Trojan.Mebroot is available at the following link: Security Response.  The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec

The Trend Micro Virus Advisory for TROJ_SINOWAL.AD is available at the following link: Virus Advisory.  The latest pattern files are available at the following link: Trend Micro 

The Trend Micro Virus Advisory for TROJ_SINOWAL.CI is available at the following link: Virus Advisory.  The latest pattern files are available at the following link: Trend Micro 

 
Alert History
 

Version 3, January 17, 2008, 7:51 AM: AhnLab and CA have released virus definitions to detect aliases of Trojan.Mebroot.

Version 2, January 14, 2008, 1:05 PM: IntelliShield has released the Trojan.Mebroot malicious code alert on the Cisco Security Center.

Version 1, January 10, 2008, 5:11 PM: Trojan.Mebroot infects the Master Boot Record and could allow an attacker to execute arbitrary commands.  Virus definitions are available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield: Malicious Code Alert: Original Release Base

Associated Products:
Microsoft, Inc.: Windows 2000: Advanced Server Base, SP1, SP2, SP3, SP4, rev.2031, rev.2072, rev.2195 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
Microsoft, Inc.: Windows Server 2003: Datacenter Edition Base, SP1, SP2 | Datacenter Edition, 64-bit (Itanium) Base, SP1, SP2 | Datacenter Edition x64 (AMD/EM64T) Base, SP2 | Enterprise Edition Base, SP1, SP2 | Enterprise Edition, 64-bit (Itanium) Base, SP1, SP2 | Enterprise Edition x64 (AMD/EM64T) Base, SP2 | Standard Edition Base, SP1, SP2 | Standard Edition, 64-bit (Itanium) Base, SP1, SP2 | Standard Edition x64 (AMD/EM64T) Base, SP2 | Web Edition Base, SP1, SP2
Microsoft, Inc.: Windows Vista: Business Base | Business x64 Edition Base | Enterprise Base | Enterprise x64 Edition Base | Home Basic Base | Home Basic x64 Edition Base | Home Premium Base | Home Premium x64 Edition Base | Ultimate Base | Ultimate x64 Edition Base
Microsoft, Inc.: Windows XP: Home Edition Base, SP1, SP2 | Professional Edition Base, SP1, SP2 | Professional x64 (AMD/EM64T) Base, SP2



LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.