January 13, 2008

Warning on stealthy Windows virus - "Mebroot"

The BBC reported on Friday that security firms have detected a stealthy Windows virus, "Mebroot", that steals login details for online bank accounts.

Many systems are being infected through vulnerabilities in Microsoft's browsers when users visit booby-trapped websites.

Experts say that the virus buries itself deep inside the Windows operating system to avoid detection.
It is a type of rootkit, and it tries to overwrite the Master Boot Record (MBR).


Once installed, the virus usually downloads other malicious programs, such as keyloggers, to do the work of stealing confidential information.

The Russian virus-writing group behind Mebroot is thought to have created the Torpig family of viruses, which are known to have been installed on more than 200,000 systems. This group specializes in stealing bank login information.

Security firm iDefense said Mebroot was discovered in October but started to be used in a series of attacks in early December.

Between 12 December and 7 January, iDefense detected more than 5,000 machines that had been infected with the program.

Analysis of Mebroot has shown that it uses its hidden position on the MBR as a beachhead so it can re-install these associated programs if they are deleted by anti-virus software.

Although the password-stealing programs that Mebroot installs can be found by security software, few commercial anti-virus packages currently detect its presence. Mebroot cannot be removed while a computer is running.

Independent security firm GMER has produced a utility that will scan and remove the stealthy program.

Computers running Windows XP, Windows Vista, Windows Server 2003 and Windows 2000 that are not fully patched are all vulnerable to the virus.
