====== Torpig/Sinowal/Mebroot ======
This has been around for a while now, but I'm just getting around to looking into it. It moved up on my priority list when I realized a half dozen machines were infected. Basically, Mebroot is a rootkit that resides in the Master Boot Record (MBR) of the disk, so it loads before the operating system and outside the file system. It then downloads the Torpig components that steal personal information.

===== Detection =====
This is easy to see when watching the network traffic from another machine. Generally you will see a lot of DNS requests while the infected machine is idle. If the requests go to DNS servers you didn't configure and are for random-looking, recently registered domains, you're probably infected.
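As an added example (not part of the original note), the check below applies the two signs above to a constructed capture of DNS queries: a resolver the host was never configured to use, and random-looking query names. The resolver addresses, client addresses and query names are all made up for the example, and domain registration age is not checked since that needs a WHOIS lookup.

```python
import re

# Resolvers this network hands out via DHCP (assumed values for the example).
CONFIGURED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed sample of queries seen on a sniffer: (client IP, resolver IP, queried name).
SAMPLE_QUERIES = [
    ("192.168.1.10", "192.0.2.53", "www.example.com"),
    ("192.168.1.10", "198.51.100.7", "qx7bv2kdl9pw.com"),
    ("192.168.1.10", "198.51.100.7", "xkqzvbtrwp.net"),
    ("192.168.1.11", "192.0.2.53", "web17.webbpro.de"),
    ("192.168.1.10", "198.51.100.7", "v9xq2hpl.info"),
    ("192.168.1.11", "192.0.2.54", "update.example.org"),
]

def second_level_label(qname):
    """Registrable label, e.g. 'example' for 'www.example.com' (ignores multi-part TLDs)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_random(label):
    """Heuristic for machine-generated names: letters mixed with digits,
    almost no vowels, or a long run of consonants."""
    if re.search(r"\d", label) and re.search(r"[a-z]", label):
        return True
    letters = re.sub(r"[^a-z]", "", label)
    if not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_consonant_run = max(map(len, re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.2 or longest_consonant_run >= 5

def flag_query(client, resolver, qname, resolvers=CONFIGURED_RESOLVERS):
    """Return the reasons a single query is suspicious (empty list if none)."""
    reasons = []
    if resolver not in resolvers:
        reasons.append("unconfigured resolver %s" % resolver)
    if looks_random(second_level_label(qname)):
        reasons.append("random-looking name %s" % qname)
    return reasons

def suspicious_hosts(queries, resolvers=CONFIGURED_RESOLVERS, min_hits=2):
    """Count flagged queries per client; hosts at or above min_hits deserve a look."""
    hits = {}
    for client, resolver, qname in queries:
        if flag_query(client, resolver, qname, resolvers):
            hits[client] = hits.get(client, 0) + 1
    return {c: n for c, n in hits.items() if n >= min_hits}

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q[2], flag_query(*q))
    print(suspicious_hosts(SAMPLE_QUERIES))
```

The vowel and digit heuristics are crude and will miss or over-flag some names, so treat the per-host count as a prompt to look closer, not as a verdict.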

===== Removal =====
I recommend using UBCD4Windows.
  - Run FixMBR
  - Delete all system restore points
  - Scan with each AntiSpyware and AntiVirus tool
  - Boot to safe mode with networking
  - Update all AntiSpyware and AntiVirus tools
  - Scan again with each tool
  - Boot to normal mode and monitor network traffic

----

http://en.wikipedia.org/wiki/Torpig
http://www.precisesecurity.com/threats/bootmebroot/
http://www.cs.ucsb.edu/~seclab/projects/torpig/
http://www.trustdefender.com/blog/2009/04/04/new-mebrootsinowalmbrtorpig-variant-in-the-wild-virtually-undetected-and-more-dangerous-than-ever/
http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=sol&idvirus=89223&sitepanda=particulares
http://www.sophos.com/security/analyses/viruses-and-spyware/trojtorpiga.html
http://www.f-secure.com/weblog/archives/00001393.html
http://www.rsa.com/blog/blog_entry.aspx?id=1378
http://web17.webbpro.de/index.php?page=analysis-of-sinowal
http://web17.webbpro.de/index.php?page=advanced-analysis-of-sinowal
http://www.windowssecrets.com/2008/11/20/03-Dont-be-a-victim-of-Sinowal-the-super-Trojan

-- Main.FredPettis - 23 Apr 2009
rootkit.txt · Last modified: 2013/01/28 04:29 by 127.0.0.1