During these days we have talked a lot about the TDL3 rootkit infection, a nice example of how malware writers can make security vendors's work harder. We will continue writing about TDL3 to update our readers about the status of both the rootkit and defensive techniques.
However today we want to take a step back and talk about an old friend called the MBR rootkit, or Mebroot, or yet Torpig. The fact that we haven't talked about it for a while doesn't mean it has been defeated. Instead, the MBR rootkit is still actively spreading throughout the web, mostly through compromised websites.
During the last two days we have cleaned hundreds of infected machines, a quite impressive number that shows how the threat is still hitting hard.
System Manufacturer/Model Number Bruce ... somewhere in his 40's OS Windows 7 Ultimate 32bit SP1 CPU Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz Motherboard INTEL/D975XBX2 Memory 4 GB Graphics Card ATI Radeon HD 2600 Pro Monitor(s) Displays Samsung SyncMaster 914v Screen Resolution 1280 x 1024
Keyboard Standard PS/2 Keyboard Mouse Microsoft PS/2 Mouse PSU Rocketfish 700 W Case G.Skill Gigabyte Chassis Hard Drives 2/500GB each ... ST3500630AS ATA Device.
One is not connected Internet Speed DSL Antivirus Avira Internet Security Browser IE 9 Other Info ATI HDMI Audio
Has the MBR rootkit disappeared? Not really. problems?