Drive-By-Download Targets Rootkit

Mebroot, first spotted by F-Secure in December, has developed into a malware program that is difficult to detect and tricky to remove. “PC World reports”:http://www.pcworld.com/article/id,143105-pg,1/article.html that Mikko Hypponen, F-Secure’s chief research officer, points to the rootkit’s position in the boot sequence as the main reason the malware works so well. The malware has progressed through alpha and beta versions and has now “RTMed”:http://www.google.com/url?sa=t&ct=res&cd=2&url=http%3A%2F%2Fwww.buslab.org%2Findex2.php%3Foption%3Dcom_content%26do_pdf%3D1%26id%3D211738&ei=LMDOR5zlCZzSednOqBo&usg=AFQjCNEe4Trb0DW2B_rlVqdjXeXuenYJPw&sig2=QwFF0jNk7xu1keCXoyHArg, a release milestone usually reserved for legitimate software development. Because it loads from the Master Boot Record, it gets control before the operating system does. As Hypponen puts it, “You can’t execute any earlier than that,” and the malware runs discreetly under the radar of most security software.

An MBR rootkit overwrites the boot code in the disk’s Master Boot Record (MBR), the first sector the BIOS loads, so the rootkit runs before the operating system and before any security software installed on it. Elia Florio of Symantec “summed up the execution”:http://news.bbc.co.uk/2/hi/technology/7183008.stm for the BBC: “If you can control the MBR, you can control the operating system and therefore the computer it resides on.” Viruses that infect the boot sector have existed since the early MS-DOS days, but modern malware targeting the MBR was previously “considered uncommon”:http://www.symantec.com/enterprise/security_response/weblog/2008/01/from_bootroot_to_trojanmebroot.html according to Symantec.

Mebroot places its components in several different parts of the system, so no single scan finds all of them, and because the rootkit is already in control by the time Windows starts, it cannot be reliably removed from inside the running, infected system. Hypponen says that booting from the F-Secure “rescue disk”:http://www.pcworld.com/article/id,143105-pg,1/article.html allows detection and removal while the rootkit is not running. Symantec suggests that running the “fixmbr” command from the Windows XP Recovery Console, which rewrites the standard MBR boot code, is another means of removing the infection it names “Trojan.Mebroot”:http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-010718-3448-99. Note that fixmbr replaces only the boot-code region of the MBR and leaves the partition table in place; the remaining components of the infection still have to be cleaned afterwards.
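The two checks a practitioner actually wants out of the paragraphs above are what a clean MBR looks like when parsed, and how to tell that only the boot-code region, not the partition table, has been replaced, which is what an MBR rootkit must do for the machine to keep booting. The Python below is an added example, not code from the article, F-Secure or Symantec; the 512-byte sectors it works on are constructed inline, and the function names (build_mbr, parse_mbr, make_baseline, check_mbr) are my own. On a real machine, take both the baseline and the later reading from a clean boot (a rescue CD), since a rootkit that is already running can filter what a read of sector 0 returns.

```python
"""Parse a 512-byte MBR and flag boot-code replacement against a known-good baseline."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # boot code occupies bytes 0..439
DISK_SIG_OFF = 440       # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries, bytes 446..509
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a test MBR (constructed data, not read from a real disk).

    partitions: list of (bootable, type_byte, lba_start, sector_count).
    CHS fields are left zeroed; modern loaders use the LBA fields.
    """
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)  # arbitrary disk signature
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        struct.pack_into("<B3sB3sII", sector, off,
                         0x80 if bootable else 0x00, b"\0\0\0",
                         ptype, b"\0\0\0", lba_start, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba_start, count = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
            "partition_table": sector[PART_TABLE_OFF:510],
            "partitions": partitions}


def boot_code_fingerprint(sector: bytes) -> str:
    """SHA-256 of the boot-code region only, so legitimate partition edits do not change it."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def make_baseline(sector: bytes) -> dict:
    """Record what to compare later readings against (capture this from a clean boot)."""
    info = parse_mbr(sector)
    return {"boot_code_sha256": boot_code_fingerprint(sector),
            "partition_table": info["partition_table"]}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with the baseline; an empty list means nothing changed."""
    findings = []
    info = parse_mbr(sector)
    if boot_code_fingerprint(sector) != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline (MBR rootkit or reinstalled loader)")
    if info["partition_table"] != baseline["partition_table"]:
        findings.append("partition table differs from baseline")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    return findings


# Constructed sample: a stub boot sector (jmp $ plus padding) with one bootable NTFS partition.
CLEAN_BOOT_CODE = b"\xEB\xFE" + b"\x90" * 20
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 2048, 204800)])
BASELINE = make_baseline(CLEAN_MBR)

# Simulated MBR rootkit: the boot code is replaced, but the partition table and the
# 0x55AA signature are left intact so the machine still boots normally.
INFECTED_MBR = build_mbr(b"\xE9" + b"\x41" * 100, [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```

The detection hinges on hashing the boot-code bytes separately from the partition table: a tool like fixmbr or a disk-management change alters one region but not the other, and a finding that lists only "boot code differs" with an unchanged partition table is exactly the shape an MBR rootkit infection leaves behind.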
