Back in the final weeks of 2007 the GMER team discovered a new rootkit that infected the Windows master boot record (MBR) in order to take control of a compromised computer. The people responsible for this threat kept busy cranking out newly compiled versions of the Trojan in the weeks following its discovery. However, near the beginning of January the output of new variants mysteriously halted. Taking a quick look at the following table of Trojan.Mebroot sample data, it appears as though the gang ran a massive QA plan starting back in November 2007.

This is also confirmed by many clues found in the rootkit code. For example, there were many debug strings and even some routines designed to gather hardware and software information from the compromised computer, including crash dumps in case the rootkit driver caused a blue screen error!
For some reason the test plan was halted in the first week of January, probably due to the unexpected attention it gained once the rootkit was found by antivirus researchers, but we expected that the flow of new variants would resume once the creators had refined their “product”. So, today we received word (big thanks to Michael!) that new variants have been seen in the wild. So far we have discovered three samples with different MD5 hashes, all of which were already detected by our current Trojan.Mebroot antivirus definitions.
The rootkit is currently being propagated by drive-by downloads from compromised Web pages that carry embedded IFRAME tags pointing to exploit content; a vulnerable browser visiting such a page silently downloads and runs an executable file. The file name downloaded is currently mat25.exe, and the hosts involved in the distribution currently resolve to 67.228.126.3. Could this be the second stage of the test plan?
During the last few weeks we have also performed some extra tests on this malware and we can provide some interesting new details.
Multiple hard-drive infection
The rootkit tries to infect the MBR of the first 16 physical drives found on the computer, from \\.\PhysicalDrive0 up to \\.\PhysicalDrive15. (So should this eventually be considered a worm?) Why is this fact important? Because a USB stick or an external drive is also exposed by Windows as a PhysicalDrive, so they can be infected by this threat as well. In our lab we have seen Mebroot infecting the MBR of an external USB drive formatted with an NTFS partition. External drives are rarely used to boot computers, so in most cases these infected MBRs will not be “active” infections: the rootkit code they carry never executes unless the machine is booted from that drive.
What if I have Linux and Windows?
We decided to test this situation in the lab, using an internal hard disk with two partitions and LILO (or GRUB) as the boot loader. If your MBR is infected by Mebroot while running Windows (the threat will not run within Linux), the computer will still boot normally into both operating systems. Linux is totally unaffected by this threat and works as normal, while Windows XP will continue to run the rootkit once it finishes booting. This was expected, since the threat keeps a backup copy of the original MBR and passes control to it so that the machine boots correctly; only the bootstrap code is replaced, and the partition table both boot loaders depend on stays intact. However, this fact raises an interesting consideration: if the MBR is the weakest point in the chain, it could eventually be possible to create the first multi-platform malware targeting both the Windows and Linux kernels during the boot process.
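The two observations above (the infection walks \\.\PhysicalDrive0 through 15, and a dual-boot machine keeps booting because only the bootstrap code changes while the partition table survives) suggest a simple check an administrator can run: read sector 0 of each physical drive, confirm the 0x55AA boot signature, parse the partition table, and compare a hash of the 440-byte bootstrap region against a known-good baseline. The script below is an added example written for this article, not code from the original post or from the Mebroot samples. The MBR layout it parses is the standard one; the baseline hash, the device names and the two sample sectors are constructed for the demonstration, and reading a real device (for example passing `\\.\PhysicalDrive0` on the command line) requires administrator rights.

```python
"""Detect MBR bootstrap-code tampering while the partition table is unchanged.

Added example (not from the original article). Parses the classic 512-byte MBR:
  bytes   0-439  bootstrap code (what a bootkit replaces)
  bytes 446-509  four 16-byte partition entries (what a bootkit leaves alone)
  bytes 510-511  boot signature 0x55 0xAA
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 440
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"


def physical_drive_paths(count=16):
    """Windows device names for the first `count` physical drives.
    Mebroot walks exactly this range (0..15); an attached USB disk shows up here too."""
    return [rf"\\.\PhysicalDrive{n}" for n in range(count)]


def read_mbr(device_path):
    """Read sector 0 of a raw device. Needs administrator rights on Windows
    (e.g. r'\\.\PhysicalDrive0'); on Linux pass the block device (e.g. '/dev/sda')."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def parse_partition_table(sector):
    """Return the four partition entries as dicts (an empty slot has type 0)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(sector, known_good_bootcode_sha256):
    """Compare one MBR against a baseline hash of its bootstrap code.
    A bootkit that wants every installed OS to keep booting replaces the code but
    keeps the partition table, so the tell-tale is: valid signature, same
    partitions, different code hash."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    bootcode_hash = hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": bootcode_hash,
        "bootcode_matches_baseline": bootcode_hash == known_good_bootcode_sha256,
        "partitions": [p for p in parse_partition_table(sector) if p["type"] != 0],
    }


def _build_mbr(bootcode, partitions):
    """Assemble a 512-byte MBR from bootstrap bytes and (status, type, lba, count) tuples."""
    sector = bytearray(MBR_SIZE)
    sector[:len(bootcode)] = bootcode
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN,
                         status, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample data (not captured from a real machine): a dual-boot layout with a
# bootable NTFS partition (type 0x07) and a Linux partition (type 0x83). CLEAN_MBR carries
# placeholder bootstrap bytes; TAMPERED_MBR keeps the same table but different code,
# which is the pattern the lab test above describes.
DUAL_BOOT_TABLE = [(0x80, 0x07, 63, 20_000_000), (0x00, 0x83, 20_000_063, 10_000_000)]
CLEAN_MBR = _build_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 60, DUAL_BOOT_TABLE)
TAMPERED_MBR = _build_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\xCC" * 100, DUAL_BOOT_TABLE)
CLEAN_BOOTCODE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOTCODE_LEN]).hexdigest()


if __name__ == "__main__":
    import sys
    # With a device path argument the real sector 0 is checked; otherwise the tampered sample.
    sector = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else TAMPERED_MBR
    verdict = assess_mbr(sector, CLEAN_BOOTCODE_SHA256)
    status = "OK" if verdict["bootcode_matches_baseline"] else "BOOTSTRAP CODE CHANGED"
    print(status, verdict["bootcode_sha256"])
    for p in verdict["partitions"]:
        print(f"  type=0x{p['type']:02X} bootable={p['bootable']} lba={p['lba_start']} sectors={p['sectors']}")
```

In practice the baseline hash is taken once from a machine known to be clean (or from the boot loader's own first-sector image) and stored off the host, and the check is repeated for every path returned by `physical_drive_paths()`, since an infected external disk looks exactly the same as an infected system disk even though it will not be booted from.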
It’s all about money!
The motivation driving the people behind Trojan.Mebroot is money. They are not bored teenagers with programming skills looking for media attention; they are professional malware programmers with criminal intent. The programming skills of the Mebroot authors are above average compared to other malware authors, and the connection with the banking Trojan Trojan.Anserin (a.k.a. Sinowal, Torpig) is now obvious. We have seen computers infected by Mebroot download DLL modules that the rootkit injects into other processes, such as services.exe and winlogon.exe. The injected DLL then downloads an additional configuration file listing the targeted bank Web sites. The communication with remote servers and the encryption are exactly the same as those seen in Trojan.Anserin, so at this stage it is clear that Mebroot is a platform for installing and running stealthy banking malware modules. Here is an example of the encrypted and decrypted configuration file that was downloaded:

We can consider this rootkit to be at a kind of “release candidate” stage. The number of infections is very limited at the moment, and depending on the results of this massive test plan the gang will probably decide whether or not to continue their nasty development cycle in order to compromise more computers.