Malware Trojan.Mebromi
(CPSC620)
Sanjay Tibile
Vinay Deore
Agenda:
Computer Trojan
What is a rootkit
Types of rootkit
Trojan Mebromi
Symptoms
How Mebromi Attacks
How to remove
Summary
What is a Trojan?
A Trojan is a program that appears to be
legitimate but in fact does something
malicious.
Destructive program
- steals information or harms the system
Does not replicate (unlike a virus or worm)
Rootkit?
Software that gives an attacker continued
privileged access to a computer system
without the system user's knowledge.
Detection is difficult, because the rootkit
hides its own files, processes and changes.
Types
User-mode, Kernel-mode, Bootkits,
Hypervisor level, Hardware/Firmware
Mebromi
Discovered on 6 Sept 2011
Trojan that infects the BIOS and the MBR
Systems affected: Windows 2000, Windows 95, Windows 98,
Windows Me, Windows NT, Windows Server
2003, Windows Vista, Windows XP
Capability to edit the Windows Registry
Symptoms
Constantly redirects your internet
connection
Slow startup, shutdown and web browsing
Homepage and desktop settings changed
Shuts down antivirus products
Annoying pop-ups
Corrupts your registry, leaving the
computer unsafe
BIOS and MBR
The BIOS is firmware built into the PC and
is the first code run when the PC is
powered on.
The BIOS is responsible for starting the boot
process and for managing communication
between the machine and attached devices.
The Master Boot Record is the first sector of
the boot disk: 446 bytes of boot code, a
64-byte partition table and the 0x55AA
signature. The BIOS loads it into memory
and runs its boot code when the PC starts.
How Mebromi Attacks
First in-the-wild malware known to infect the BIOS
Trojan.Mebromi drops a tool into the Windows
temporary directory to identify the BIOS on the
compromised PC. It infects the BIOS only if it
is an Award BIOS; on any other BIOS it infects
the MBR only.
Continued…
The Trojan then infects the following file,
depending on the operating system:
• %System%\winlogon.exe (if the operating
  system is Windows XP or 2003)
• %System%\winnt.exe (if the operating system is
  Windows 2000)
The infected MBR is loaded by the BIOS at the
next system start-up, before Windows. If the
BIOS itself was infected, the BIOS code writes
the malicious MBR back on every boot, so
cleaning the MBR alone does not remove the
infection.
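The two slides above describe the on-disk structure an MBR infector tampers with and why a rewritten MBR is the thing to look for. The following added example (written for this page, not code from the original slides or from any vendor tool) parses a 512-byte MBR into its boot-code region, partition table and 0x55AA signature, and compares the boot code against a known-good SHA-256 baseline so that a rewritten boot sector is flagged. The two sector images are constructed for the example; the boot-code bytes are placeholder values, not Mebromi's code.

```python
"""Parse a 512-byte MBR and compare its boot code against a known-good baseline.

Added example, not part of the original slides. The sample sectors below are
constructed for illustration; the boot-code bytes are placeholders.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"       # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its boot-code hash and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and lba_start == 0 and count == 0:
            continue  # unused slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline (possible MBR infection)")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    return findings


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a sector image from boot code and (status, type, lba, count) tuples."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b"".join(struct.pack("<B3xB3xII", s, t, lba, n) for s, t, lba, n in entries)
    table = table.ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return code + table + SIGNATURE


# Constructed sample: a few real-mode setup bytes as a stand-in for a clean boot loader,
# one active NTFS-type (0x07) partition starting at LBA 2048.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8")
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 1_000_000)])
BASELINE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_SIZE]).hexdigest()

# Constructed "infected" sample: same partition table, but the boot code was
# overwritten, which is the change an MBR infector makes.
_tampered = bytearray(CLEAN_MBR)
_tampered[:8] = b"\xEA\x00\x7C\x00\x00\x90\x90\x90"  # placeholder stub, not real malware
INFECTED_MBR = bytes(_tampered)


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, parse_mbr(image)["partitions"], check_mbr(image, BASELINE_SHA256))
```

On a real machine the sector comes from the raw disk (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, first 512 bytes). Record the baseline hash on a known-clean system, and read the disk from a clean boot medium rather than from the running OS, since a boot-sector rootkit can intercept disk reads made through the infected system and return the original sector.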
Prevention
Keep all programs updated; patch known
vulnerabilities
Download software only from authorized websites
Activate real-time, automatic scanning
Do not open unexpected .vbs, .bat or .exe files;
these types are often used to spread trojans
Removal
Auto-removal
System Restore
Manual removal
Update the antivirus definitions
Reboot Windows in safe mode
Run a full system scan and delete infected
files
Restart Windows
If the BIOS was infected, also reflash the BIOS
with a clean image from the board vendor;
otherwise the BIOS writes the malicious MBR
back at the next boot.
Summary
We have seen what rootkits and
Trojan.Mebromi are, how they work, how
they can be detected and removed, and
the prevention mechanisms.
Questions?