Trojan-protecting rootkit goes wild

A notorious gang that specialises in the theft of banking information through trojans is attempting to protect its work by spreading a rootkit that veils malware.

Until late December 2007, the Master Boot Record (MBR) rootkit had been a proof of concept, but it is now being used by criminals. Rick Howard, director of intelligence at VeriSign's iDefense division, said that 5,000 infections have occurred since 12 December.

The rootkit, which is being hosted on seemingly innocent Web sites and transmitted via malicious iFrames, can hide numerous other dangerous Trojans, according to VeriSign.

MBR delivers its payload by modifying an infected computer's Master Boot Record, allowing the program to run before Windows boots.


"This rootkit is especially damaging due to the difficulty involved in removing it… [and] contains several exploits used to install the rootkit on unpatched victim computers," warns VeriSign.

Exploits include Microsoft JVM ByteVerify, two versions of Microsoft MDAC to cater for multiple Windows systems, Microsoft Internet Explorer Vector Markup Language, and Microsoft XML CoreServices.

The MBR rootkit is not stored as a single file: its code is spread across different sectors of the disk, so it cannot be deleted like an ordinary file, according to research by GMER, which has developed a fix that is available through Microsoft.

"The most effective defence against the rootkit installation is to maintain patches for Windows and all third-party applications. The GMER anti-rootkit tool is able to detect the current variants of this rootkit," said VeriSign.
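The article describes the rootkit as working by modifying the Master Boot Record so its code runs before Windows boots, and notes that detection tools rather than file deletion are needed because the code lives in raw disk sectors. The following is an added example, not code from the article, VeriSign or GMER: it parses a 512-byte MBR (boot code, partition table, 0x55AA signature) and compares a SHA-256 of the bootstrap code region against a known-good baseline, which is the kind of integrity check an anti-rootkit tool can make on the first sector. The sample MBR bytes are constructed for the example; the function names and the baseline-hash approach are this example's own assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the bootstrap code the BIOS executes
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the boot code
BOOT_SIG_OFF = 510         # last two bytes must be 0x55 0xAA for a valid MBR
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed 512-byte MBR for demonstration (not a real disk image).

    The boot code is zero-padded to 446 bytes and a single active partition
    (type 0x07, starting at LBA 63, 1,000,000 sectors long) is written to entry 0.
    """
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 1_000_000)
    table = entry + b"\x00" * (16 * 3)      # remaining three entries unused
    return code + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Parse one 512-byte MBR into signature status, boot-code hash and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, n_sectors = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:                       # type 0 means an empty entry
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": n_sectors,
        })
    return {
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xaa",
        # Hash only the executable region; a rootkit that replaces the boot
        # code changes this value even if the partition table is left intact.
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_hash:
        findings.append("bootstrap code differs from known-good baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition flagged")
    return findings


if __name__ == "__main__":
    # Constructed clean MBR: record its boot-code hash as the baseline.
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
    baseline = parse_mbr(clean)["boot_code_sha256"]
    print("clean:", check_mbr(clean, baseline))
    # Constructed "modified" MBR with different boot code but the same partition table.
    modified = build_sample_mbr(b"\xeb\xfe")
    print("modified:", check_mbr(modified, baseline))
```

To run this against a real system the sector would be read from the raw device (for example `\\.\PhysicalDrive0` on Windows, which requires administrator rights) and the baseline recorded when the machine is known to be clean. One caveat a practitioner would keep in mind: a kernel-mode rootkit can intercept disk reads and return the original sector to tools running on the infected system, so a check like this is most trustworthy when run from clean boot media rather than from inside the running OS.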

The group using MBR has also been known to use the information-stealing banking trojan, Torpig, which has infected over 200,000 victims.
