Orange County Security SIG

Notes and comments of a Special Interest Group on computer security.

January 13, 2008

 

meboot

This trojan horse or virus hides like a rootkit using some of the old techniques used by MBR viruses 10-20 years ago.
The main purpose is to steal any login information of 900 different financial institutions and all unpatched versions of the NT OS are vulnerable including XP servie pack 2 and VISTA.
Once it installs from a web site it will download keyloggers and other malware. Those files can be detected and cleaned by your AV but the MEBOOT infection will will reinstall the malware. So you have to snuff the main part of the infection which can't be seen or tampered with from the OS.
To see the infection you need an Anti-RootKit program to compare what Windows claims the hard disk says to what is actually on the hard disk. To fix the problem you need to run from the recovery console (see references below).

vulnerableOS
any NT family OS (including Windows XPsp2 and VISTA)

vector
web page

requirements Prevention Detection Correction Researchers references actions:
  1. alter the MBR
    1. write the content of malicious kernel driver (244 736 bytes) to the last sectors of the disk
    2. copy original MBR to sector 62
    3. modify sector 0 with the new MBR
    4. modify sector 60
    5. modify sector 61 with the kernel part of the loader
  2. patch kernel
    1. changes kernel to call nt!IoInitSystem
  3. boot system
    1. read altered kernel code from sector 61
    2. hook INT13
  4. cloak system
  5. API (IRP_MJ_READ) is modified to return sector 62 instead of 0

Comments: Post a Comment



<< Home

Experience the computer club and all it's SIG group that meet at Chapman university, California on the 1st Sunday of every month.

SECSIG meets in the Science building 203 at 11:15 am.

By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.

The RSS feed address is http://ocsecsig.blogspot.com/atom.xml

Dave Keays, SIG leader

This page is powered by Blogger. Isn't yours?