rootkit [2013/01/27 21:29]
====== Torpig/Sinowal/Mebroot ======
This has been around for a while now, but I'm just getting around to looking into it. It moved up on my priority list when I realized a half dozen machines were infected. Basically, Mebroot is a rootkit that resides in the Master Boot Record (MBR) of the disk, so it runs before Windows loads; that is also why the removal steps below start from a boot CD rather than from inside the infected system. Once running, it downloads the Torpig components that steal personal information.
===== Detection =====
This is easiest to see by watching network traffic from another machine rather than from the suspect host itself. Generally you will see a lot of DNS requests while the machine is idle. If the requests are going to DNS servers that you didn't configure, and are for random-looking, recently registered domains, you're probably infected.
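As an added example (not part of the original page), the following Python script applies the two checks above to a constructed DNS query log: queries sent to a resolver you did not configure, and queries for random-looking registrable names, scored by character entropy and vowel ratio. The log line format, the addresses and the domain names are all made up for the illustration; whether a domain was registered recently needs a WHOIS lookup and is not covered here.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not a real capture). Assumed line format:
# "<HH:MM:SS> <client_ip> -> <resolver_ip> <queried_name>"
SAMPLE_LOG = """\
12:00:01 192.168.1.20 -> 192.168.1.1 www.example.com
12:00:02 192.168.1.20 -> 192.168.1.1 update.example.org
12:00:03 192.168.1.37 -> 203.0.113.53 ztgcqmwkplvb.com
12:00:03 192.168.1.37 -> 203.0.113.53 nqwxrpvkfjtm.net
12:00:04 192.168.1.37 -> 203.0.113.53 mail.example.com
12:00:05 192.168.1.20 -> 192.168.1.1 www.example.net
"""

# The DNS servers you actually configured on the network (assumed value).
TRUSTED_RESOLVERS = {"192.168.1.1"}

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+)$")


def parse_line(line):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, resolver, qname = m.groups()
    return {"time": ts, "client": client, "resolver": resolver,
            "qname": qname.rstrip(".").lower()}


def shannon_entropy(s):
    """Bits of entropy per character; 12 distinct letters give about 3.58."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname):
    """Second-to-last label, e.g. 'example' for www.example.com.
    No public-suffix list is used, so example.co.uk yields 'co' (known limitation)."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else qname


def looks_random(label):
    """Heuristic for machine-generated names: long, high entropy, few vowels."""
    letters = [c for c in label if c.isalpha()]
    if len(label) < 8 or not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return shannon_entropy(label) >= 3.0 and vowel_ratio < 0.3


def analyze(log_text, trusted_resolvers):
    """Run both checks over the log and count queries per client."""
    findings = {"unexpected_resolver": [], "random_domain": [],
                "queries_per_client": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings["queries_per_client"][rec["client"]] += 1
        if rec["resolver"] not in trusted_resolvers:
            findings["unexpected_resolver"].append(
                (rec["client"], rec["resolver"], rec["qname"]))
        if looks_random(registered_label(rec["qname"])):
            findings["random_domain"].append((rec["client"], rec["qname"]))
    return findings


def suspect_hosts(findings):
    """Clients that triggered either check."""
    return ({c for c, *_ in findings["unexpected_resolver"]}
            | {c for c, _ in findings["random_domain"]})


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, TRUSTED_RESOLVERS)
    for client, resolver, qname in result["unexpected_resolver"]:
        print(f"{client} asked untrusted resolver {resolver} for {qname}")
    for client, qname in result["random_domain"]:
        print(f"{client} queried random-looking name {qname}")
    print("queries per client:", dict(result["queries_per_client"]))
    print("suspect hosts:", sorted(suspect_hosts(result)))
```

Feed it the output of whatever you use to capture DNS on the monitoring machine, reformatted into the one-line-per-query shape above. The entropy and vowel thresholds are a starting point; tune them against a day of known-clean traffic before trusting them, since a single hit is a lead, not a verdict.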
===== Removal =====
I recommend using UBCD4Windows (a bootable Windows-based rescue CD), so that the disk is cleaned from outside the infected system.
  - Run FixMBR to rewrite the Master Boot Record
  - Delete all system restore points (they may contain copies of the infected files)
  - Scan with each anti-spyware and anti-virus tool
  - Boot to safe mode with networking
  - Update all anti-spyware and anti-virus tools
  - Scan with each again
  - Boot to normal mode and monitor network traffic for the DNS behaviour described above
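Because Mebroot lives in the MBR, it is worth looking at the boot sector directly before and after FixMBR rather than relying only on scanners. This added Python example (not from the original page) parses a 512-byte MBR, verifies the 0x55AA signature, lists the partition table, and hashes the bootstrap code so it can be compared against a baseline taken from a known-clean machine with the same Windows version. The hash deliberately stops at offset 0x1B8, where Windows stores its 4-byte per-disk signature, so two clean installs with different disk signatures compare equal. The device path (for example \\.\PhysicalDrive0, which needs Administrator rights) and the baseline hash are things you supply; the sample sector built by the script is constructed for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_END = 0x1B8       # Windows disk signature lives at 0x1B8..0x1BB, so hash only up to here
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries
SIGNATURE_OFFSET = 0x1FE    # boot signature bytes 0x55 0xAA


def bootstrap_hash(sector):
    """SHA-256 of the bootstrap code region (offsets 0..0x1B7)."""
    return hashlib.sha256(sector[:BOOTSTRAP_END]).hexdigest()


def parse_partition_entry(entry):
    """Decode one 16-byte entry; returns None for an empty slot (type 0)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", entry)
    if ptype == 0:
        return None
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector):
    """Parse a raw 512-byte MBR into signature state, disk signature, code hash and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        entry = parse_partition_entry(sector[off:off + 16])
        if entry is not None:
            partitions.append(entry)
    return {
        "signature_ok": sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xAA",
        "disk_signature": sector[0x1B8:0x1BC].hex(),
        "bootstrap_sha256": bootstrap_hash(sector),
        "partitions": partitions,
    }


def matches_baseline(sector, baseline_sha256):
    """True if the bootstrap code hashes to the baseline recorded from a clean machine."""
    return bootstrap_hash(sector) == baseline_sha256


def read_mbr(device_path):
    """Read sector 0 of a raw device, e.g. r"\\.\PhysicalDrive0" (Windows, run as Administrator)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(bootstrap, disk_signature=b"\x11\x22\x33\x44"):
    """Constructed sample sector for the demo: given bootstrap bytes padded with zeros,
    one bootable NTFS (type 0x07) partition starting at LBA 2048 with 0x100000 sectors."""
    code = bootstrap.ljust(BOOTSTRAP_END, b"\x00")[:BOOTSTRAP_END]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 0x100000)
    table = entry + b"\x00" * 48          # remaining three slots empty
    return code + disk_signature + b"\x00\x00" + table + b"\x55\xAA"


if __name__ == "__main__":
    import sys
    # Usage: python mbr_check.py [device_path] [baseline_sha256]
    if len(sys.argv) >= 2:
        sector = read_mbr(sys.argv[1])
    else:
        sector = build_sample_mbr(b"\xEB\xFE")   # constructed demo: 'jmp $' then zeros
    info = parse_mbr(sector)
    for key, value in info.items():
        print(f"{key}: {value}")
    if len(sys.argv) >= 3:
        print("bootstrap matches baseline:", matches_baseline(sector, sys.argv[2]))
```

Record the bootstrap hash from a clean install with the same Windows version first; after running FixMBR on a suspect machine, the hash should match that baseline, and a mismatch on a machine you believe is clean means the MBR still needs attention. A changed disk signature alone is not a finding.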
===== Links =====
  * http://wiki/Torpig
  * http://threats/bootmebroot/
  * http://~seclab/projects/torpig/
  * http://blog/2009/04/04/new-mebrootsinowalmbrtorpig-variant-in-the-wild-virtually-undetected-and-more-dangerous-than-ever/
  * http://homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=sol&idvirus=89223&sitepanda=particulares
  * http://security/analyses/viruses-and-spyware/trojtorpiga.html
  * http://weblog/archives/00001393.html
  * http://blog/blog_entry.aspx?id=1378
  * http://index.php?page=analysis-of-sinowal
  * http://index.php?page=advanced-analysis-of-sinowal
-- Main.FredPettis - 23 Apr 2009
Last modified: 2013/01/27 21:29