Transcript Malware Trojan.Mebromi

(CPSC620)
Sanjay Tibile
Vinay Deore
Agenda :







Computer Trojan
What is rootkit
Different type of rootkit
Trojan Mebromi
Symptoms
How Mebromi Attacks
How to remove
Summary
What is Trojan ?



A Trojan is a program that may appear to
be legitimate, but in fact does something
malicious.
Destructive program
-steals information or harms the system
Does not replicate
Rootkit?
Software that allows continued privilege
access to a computer system without the
system users knowledge.
 Detection is difficult.
 Types
User-mode, Kernel-mode, Bootkits,
Hypervisor level, Hardware/Firmware

Mebromi





Discovered on 6 Sept 2011
Trojan that infects BIOS and MBR
Systems Affected :Windows 2000, WIndows95, Windows98,
Windows Me, Windows NT, Windows Server
2003, Windows Vista, Windows XP
Capability to edit Windows Registry
Symptoms






constantly redirect your internet
connection
Slow startup , shutdown, surfing web
Homepage and desktop settings changed
Shuts down all antiviruses
annoying pop up
corrupt your registry, leaving your
computer totally unsafe.
BIOS and MBR



The BIOS software is built into the PC, and
is the first code run by a PC when
powered on.
BIOS is responsible for booting of
computer and managing communication
between machine and attached devices.
Master Boot Record is program that
initialized when PC is started.
How Mebromi Attacks


First malware which attacks BIOS
Trojan.Mebromi drops a tool under
Temporary directory of Windows to
identify BIOS status on the compromised
PC. It attacks system with Award BIOS
only. If not Award BIOS then it attacks
MBR only.
Continued…

The Trojan then infects the following files,
depending on the operating system:
•
•

%System%\winlogon.exe (if the operating
system is Windows XP or 2003)
%System%\winnt.exe (if the operating system is
Win2000)
MBR get reloaded by BIOS at time of next
system start up. If BIOS itself got infected
then the malicious MBR is loaded every
time.
Prevention

Keep all programs updated, patch the
vulnerabilities

Download from authorized websites

Activate real-time, auto scan scanning

Not to open files as vbs, bat, exe. These
files are often used to spread trojan.
Removal
Auto- Removal
 System Restore
Manual Removal
 Update antivirus definition
 Reboot windows in safe mode
 Run full system scan and delete infected
files.
 Restart windows
Summary

We have seen what is Rootkits,
Trojan.Membromi , how they work, how
can they be detected and removed and
also prevention mechanisms.
References : http://forums.malwarebytes.org/index.ph
p?showtopic=95371
 http://en.wikipedia.org/wiki/Rootkit
 http://www.symantec.com/security_respo
nse/writeup.jsp?docid=2011-0906094557-99
 http://www.precisesecurity.com/trojan/tr
ojan-mebromi
 http://www.theregister.co.uk/2011/09/14
/bios_rootkit_discovered/
Question??
Contact :[email protected]
[email protected]