New variant of mebroot detected, as vendors criticised for inaction

Prevx malware technology specialist Marco Giuliani claimed in his blog that in the two months since a new variant of the MBR rootkit was detected and isolated there has been hardly any response.

Giuliani said: “Unfortunately only a couple of security vendors and independent researchers implemented a working detector for it. This is not good, especially if we are talking about the same threat that has infected tens of thousands of PC around the globe last year, stealing password, bank accounts and personal information.

“Actually, as written in one of my previous posts, first version of MBR rootkit could have still been used with a large success by its creators. In fact, the main problem for the attacker is the dropper because of anti-virus detections. Anyway MBR rootkit droppers have been able to evade signature and heuristic detections of most of anti-virus softwares - their creators know quite well how to do their dirty job.”

He further claimed that after a dropper infected the system, only a small amount of anti-rootkit software is able to detect it.

Prevx has also claimed that a new variant has been detected that includes a much stronger filtering engine and is able to filter out more in depth every attempt done by security software to read the Master Boot Record.

Giuliani claimed that the company had checked how many anti-rootkits are already able to detect the new version of MBR rootkit isolated two months ago, and only five were fully able to detect the threat.

“As written before, we started seeing this new MBR rootkit quickly spreading on internet as it is dropped by compromised websites that host malicious iframes and obfuscated javascripts. Security vendors should take care of this threat instead of waiting until the end of 2009 and claiming that MBR rootkit has been the worst threat of the year, as happened last year”, said Giuliani.