Re: Report: boot sector viruses and rootkits poised for comeback

Author	All Replies
Elite join:2002-10-03 Orange, CT ·Optimum Online	reply to antdude Re: Report: boot sector viruses and rootkits poised for comeback MBRKit is the only rootkit ITW right now that's doing this. It re-writes the MBR (sector 0) on all physical volumes with it's own malicious MBR, then places a loader for it's driver in sectors 60 and 61. It re-writes the original MBR to sector 62. It then places it's device driver towards the end of the active partition. During bootup the MBR calls the loader which loads the device driver into NTOSKRNL, and does a few other interesting things. This rootkit is easily defeated though, if you know what you're doing. -- QUAD!!!!
Elite join:2002-10-03 Orange, CT ·Optimum Online	to forum · permalink · · 2008-04-03 05:07:16 ·
dontsleep join:2006-08-26 Astoria, NY	said by Elite : This rootkit is easily defeated though, if you know what you're doing. Care to elaborate for us?
dontsleep join:2006-08-26 Astoria, NY	to forum · permalink · · 2008-04-03 11:57:27 ·
Elite join:2002-10-03 Orange, CT ·Optimum Online	Yeah sure. The current GMER beta, at »www2.gmer.net/beta, can detect and remove all variants of MBRKit at the moment. Prevx's "Prevx CSI" can at least detect, and I believe remove, all variants of MBRKit. A number of other antirootkit tools and AVs have varying levels of detection and removal, depending on variants. -- QUAD!!!!
Elite join:2002-10-03 Orange, CT ·Optimum Online	to forum · permalink · · 2008-04-03 22:35:27 ·
mysec Premium join:2005-11-29 4 edits	said by Elite : A number of other antirootkit tools and AVs have varying levels of detection and removal, depending on variants. Also, easy to prevent from installing: 1) Patching »www.updatexp.com/mebroot.html Mebroot has been deliberately installed at websites controlled by the criminals and targets those website visitors who have not patched their computers with the latest security updates from Microsoft. Mebroot Spreading through High-Traffic, Compromised Web Sites »msmvps.com/blogs/donna/archive/2···tes.aspx Today the Italian Web site emule-italia.it had been compromised and was hosting an obfuscated script. The script, when deobfuscated, was showing an iframe pointing to ... which was redirecting users to a server hosting the Neosploit tool. Neosploit is forcing vulnerable PCs to download and install the latest version of the infamous Trojan.Mebroot. 2) White List Protection for Zero-day exploits Ongoing IFrame attack proving difficult to kill http://arstechnica.com/news.ars/post/20080318-ongoing-iframe-attack-proving-difficult-to-kill.html Over the past 12 days, an IFrame injection attack that originally focused on ZDNet Asia has been spreading across the 'Net, changing targets and payloads on an almost daily basis. An iFrame (short for inline frame) is an element of HTML that's used to embed HTML from another source into a webpage. from 2006 iframe src="wmf_exp.wmf" iframe ___________________________________________________ ___________________________________________________ ___________________________________________________ ---- rich
mysec Premium join:2005-11-29 4 edits	to forum · permalink · · 2008-04-03 23:40:47 ·


Sunday, 29-Nov 05:44:49	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com.republican-creole page compression OFF