rootkit [2013/01/27 21:29] (current)
====== Torpig/Sinowal/Mebroot ======
This has been around for a while now, but I'm just getting around to looking into it. It moved up my priority list when I realized that half a dozen machines were infected. Basically, Mebroot is a rootkit that resides in the Master Boot Record (MBR) of the disk, outside the file system. It downloads the Torpig files that enable it to steal personal information.
  
===== Detection =====
This is easy to see when watching network traffic from another machine. Generally you will see a lot of DNS requests while the infected machine is idle. If the requests go to DNS servers you didn't configure and are for random-looking, recently registered domains, you are probably infected.
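As an added illustration of the heuristic above (not code from the original page), this Python script scans a constructed DNS query log and flags queries sent to resolvers outside an assumed allowlist, or for names whose second-level label looks random. The log format, resolver addresses and thresholds are assumptions; checking how recently a domain was registered needs a WHOIS lookup and is left out.

```python
import math
import re
from collections import Counter

# Resolver this machine is actually configured to use (assumed value).
ALLOWED_RESOLVERS = {"192.168.1.1"}

# Constructed sample log, not a real capture: "time client -> resolver QUERY name".
SAMPLE_LOG = """\
10:01:02 192.168.1.23 -> 192.168.1.1 QUERY www.example.com
10:01:05 192.168.1.23 -> 192.168.1.1 QUERY update.microsoft.com
10:01:07 192.168.1.23 -> 203.0.113.7 QUERY qzhkvtrxmfp.com
10:01:09 192.168.1.23 -> 203.0.113.7 QUERY wjplrnsxgdk.net
"""

LINE_RE = re.compile(r"^\S+ (\S+) -> (\S+) QUERY (\S+)$")

def label_entropy(label):
    """Shannon entropy in bits per character; random labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_random(name, min_len=8, min_entropy=3.0, max_vowel_ratio=0.2):
    """Heuristic: a long, high-entropy, vowel-poor second-level label."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    vowels = sum(ch in "aeiou" for ch in sld) / max(len(sld), 1)
    return (len(sld) >= min_len and label_entropy(sld) >= min_entropy
            and vowels < max_vowel_ratio)

def flag_suspicious(log_text, allowed=ALLOWED_RESOLVERS):
    """Return (name, resolver, reasons) for every query that trips a heuristic."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query record
        _client, resolver, name = m.groups()
        reasons = []
        if resolver not in allowed:
            reasons.append("unexpected resolver")
        if looks_random(name):
            reasons.append("random-looking name")
        if reasons:
            hits.append((name, resolver, reasons))
    return hits
```

Run against the sample log, only the two queries to the unconfigured resolver for random-looking names are reported; a single hit is not proof, but a steady stream of them from an idle host is what the text describes.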

===== Removal =====
I recommend using UBCD4Windows.
  - Run FixMBR
  - Delete all system restore points
  - Scan with each AntiSpyware and AntiVirus tool
  - Boot to safe mode with networking
  - Update all AntiSpyware and AntiVirus tools
  - Scan again with each tool
  - Boot to normal mode and monitor network traffic

----

  * http://en.wikipedia.org/wiki/Torpig
  * http://www.precisesecurity.com/threats/bootmebroot/
  * http://www.cs.ucsb.edu/~seclab/projects/torpig/
  * http://www.trustdefender.com/blog/2009/04/04/new-mebrootsinowalmbrtorpig-variant-in-the-wild-virtually-undetected-and-more-dangerous-than-ever/
  * http://www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?lst=sol&idvirus=89223&sitepanda=particulares
  * http://www.sophos.com/security/analyses/viruses-and-spyware/trojtorpiga.html
  * http://www.f-secure.com/weblog/archives/00001393.html
  * http://www.rsa.com/blog/blog_entry.aspx?id=1378
  * http://web17.webbpro.de/index.php?page=analysis-of-sinowal
  * http://web17.webbpro.de/index.php?page=advanced-analysis-of-sinowal
  * http://www.windowssecrets.com/2008/11/20/03-Dont-be-a-victim-of-Sinowal-the-super-Trojan

-- Main.FredPettis - 23 Apr 2009
rootkit.txt · Last modified: 2013/01/27 21:29 (external edit)