View Full Version : Warning on stealthy Windows virus
The creators of the virus are after bank logins and personal data
Security experts are warning about a stealthy Windows virus that steals login details for online bank accounts. In the last month, the malicious program has racked up about 5,000 victims - most of whom are in Europe.
Many are falling victim via booby-trapped websites that use vulnerabilities in Microsoft's browser to install the attack code.
Experts say the virus is dangerous because it buries itself deep inside Windows to avoid detection.
Old tricks
The malicious program is a type of virus known as a rootkit and it tries to overwrite part of a computer's hard drive called the Master Boot Record (MBR).
This is where a computer looks when it is switched on for information about the operating system it will be running.
"If you can control the MBR, you can control the operating system and therefore the computer it resides on," wrote Elia Florio on security company Symantec's blog.
Mr Florio pointed out that many viruses dating from the days before Windows used the Master Boot Record to get a grip on a computer.
Once installed the virus, dubbed Mebroot by Symantec, usually downloads other malicious programs, such as keyloggers, to do the work of stealing confidential information.
Most of these associated programs lie in wait on a machine until its owner logs in to the online banking systems of one of more than 900 financial institutions.
The Russian virus-writing group behind Mebroot is thought to have created the torpig family of viruses that are known to have been installed on more than 200,000 systems. This group specialises in stealing bank login information.
Security firm iDefense said Mebroot was discovered in October but started to be used in a series of attacks in early December.
Between 12 December and 7 January, iDefense detected more than 5,000 machines that had been infected with the program.
Analysis of Mebroot has shown that it uses its hidden position on the MBR as a beachhead so it can re-install these associated programs if they are deleted by anti-virus software.
Although the password-stealing programs that Mebroot installs can be found by security software, few commercial anti-virus packages currently detect its presence. Mebroot cannot be removed while a computer is running.
Independent security firm GMER has produced a utility that will scan and remove the stealthy program.
Computers running Windows XP, Windows Vista, Windows Server 2003 and Windows 2000 that are not fully patched are all vulnerable to the virus.
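A defender-side check of the mechanism the article describes, added here as an example (not code from the BBC article, Symantec or GMER): it parses a raw 512-byte MBR into boot code, disk signature, partition table and the 0x55AA marker, then compares a hash of the boot code against a baseline taken from a known-clean boot. The sample sectors and the ORIGINAL-BOOT-CODE / MODIFIED-BOOT-CODE markers are constructed placeholders, not real boot code; because the article notes the rootkit hides itself on a running system, the sector and the baseline should be read from offline boot media rather than through the possibly infected OS.

```python
import hashlib
import struct
SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # boot code ends where the 4-byte disk signature starts (0x1B8)
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries follow
SIG_OFF = 0x1FE           # 0x55AA boot signature in the last two bytes

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into the fields a bootkit can overwrite."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": num_sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack("<I", sector[0x1B8:0x1BC])[0],
        "partitions": partitions,
        "valid_signature": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA",
    }

def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot code only; the partition table is compared separately."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()

def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return findings; an empty list means the sector matches the clean baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from baseline")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: one bootable NTFS-type partition starting at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"   # signature + 2 reserved bytes
    part1 = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return code + disk_sig + part1 + b"\x00" * 48 + b"\x55\xAA"

# Placeholder markers stand in for real boot code. The tampered copy keeps the same
# partition table, so a check that only looks at the table would not notice it.
CLEAN = build_sample_mbr(b"ORIGINAL-BOOT-CODE")
TAMPERED = build_sample_mbr(b"MODIFIED-BOOT-CODE")
BASELINE = boot_code_digest(CLEAN)
```

check_mbr(TAMPERED, BASELINE) reports the boot-code mismatch even though parse_mbr shows identical partition tables for both sectors.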
melthebell 12-01-2008, 15:28 1: why isnt this in the tech / computer section?
2: never ever click on links to websites that want personal data, always go there yourself via your browser, making sure you type it correctly
3: never ever use internet explorer it has way too many security holes.
4: if it infects the MBR wouldnt fdisk /mbr at the command prompt help?
look im just posting the Warning this is all the info i have if the mods feel the need to move it feel free i try to help and this is the thanks i get :roll:
melthebell 12-01-2008, 15:35 no no im not moaning, far from it...ive given extra info to help :)
just itd be more helpful there i think
ok then thanks for the info:)
satman2222 12-01-2008, 15:43 no no im not moaning, far from it...ive given extra info to help :)
just itd be more helpful there i think
If it's genuine, then if it's buried in the Tech section, not many people will see it.
Someone suggested on the tech forum, that a way of avoiding a lot of these viruses is to stop using the internet explorer browser and use Opera instead (I don't think firefox is much safer).
I am not sure how much safer Opera is (they say they are but then they would, wouldn't they). What I can say is I have changed to Opera and so far, touch wood (touches head) I have not suffered an attack since changing to Opera.
melthebell 12-01-2008, 16:01 Someone suggested on the tech forum, that a way of avoiding a lot of these viruses is to stop using the internet explorer browser and use Opera instead (I don't think firefox is much safer).
I am not sure how much safer Opera is (they say they are but then they would, wouldn't they). What I can say is I have changed to Opera and so far, touch wood (touches head) I have not suffered an attack since changing to Opera.
firefox has its problems BUT it has about 10 exploits to internet explorers 100
no browsers 100% secure and the more popular a browser the harder they work on cracking them, the thing with internet explorer tho isnt just that.........it IS badly made. theres that many holes.
and allowing activex controls and javascript to run willy nilly by default is just madness.
i use opera now, have done for a while.........i really love the way you can close it and when you reopen it all your tabs are still there with the sites you visited last, handy feature :D
satman...and its not going to get buried more and quicker in general?? :huh:
hels1977 12-01-2008, 16:10 Ensuring you have downloaded and installed the latest Windows Update will also keep you safe (ish) and far less hassle than worrying about which buggy browser you are using. www.windowsupdate.com
The latest update has this vulnerability closed apparently.
1: why isnt this in the tech / computer section?
Cos, it's a closet for geeky types ,the info was invaluable thanks.
melthebell 12-01-2008, 16:18 Ensuring you have downloaded and installed the latest Windows Update will also keep you safe (ish) and far less hassle than worrying about which buggy browser you are using. www.windowsupdate.com
The latest update has this vulnerability closed apparently.
sorry but thats a way ignorant and dangerous attitude tbh and one of the reasons why these viruses flourish.
yes you should install the latest security patches...however, a security update is completely useless if you continue to use "buggy browsers" cos the virus can get through the holes, bypassing the patches.
using means such as buffer overflows / underruns / activex controls etc etc etc
hels1977 12-01-2008, 16:33 sorry but thats a way ignorant and dangerous attitude tbh and one of the reasons why these viruses flourish.
yes you should install the latest security patches...however, a security update is completely useless if you continue to use "buggy browsers" cos the virus can get through the holes, bypassing the patches.
using means such as buffer overflows / underruns / activex controls etc etc etc
Not really. We all have to use browsers to surf and the vast majority of browsers have vulnerabilities that can be exploited. Some are patched, some are not - some are not known about but of course they are there waiting to be exploited. You can of course be careful, keep your computer up to date etc and it's prudent to be a little paranoid, but ultimately what I stated is hardly an "ignorant and dangerous attitude" now is it?
http://news.bbc.co.uk/1/hi/technology/7183008.stm and I quote "Computers running Windows XP, Windows Vista, Windows Server 2003 and Windows 2000 that are not fully patched are all vulnerable to the virus."
So, I shall repeat - patch your systems :roll:
This exploit isn't browser specific.
Once your PC is root kitted you're completely vulnerable. You will most likely have every mouse operation and keystroke logged, so any browser would be vulnerable.
Technical details
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-010718-3448-99
And some analysis
http://www.symantec.com/enterprise/security_response/weblog/2008/01/from_bootroot_to_trojanmebroot.html
Note that number of infections is 0 - 49, risk is low and geographical distribution is low.
ps201acm 12-01-2008, 19:21 firefox has its problems BUT it has about 10 exploits to internet explorers 100
no browsers 100% secure and the more popular a browser the harder they work on cracking them, the thing with internet explorer tho isnt just that.........it IS badly made. theres that many holes.
and allowing activex controls and javascript to run willy nilly by default is just madness.
i use opera now, have done for a while.........i really love the way you can close it and when you reopen it all your tabs are still there with the sites you visited last, handy feature :D
satman...and its not going to get buried more and quicker in general?? :huh:
I use firefox and I think i have downloaded activex controls and javascript - how do i regulate their use?
satman2222 12-01-2008, 21:49 1: why isnt this in the tech / computer section?
Cos, it's a closet for geeky types ,the info was invaluable thanks.
Too late - it's been dispatched to the geek closet..................
Kingmaker2 12-01-2008, 23:29 Someone suggested on the tech forum, that a way of avoiding a lot of these viruses is to stop using the internet explorer browser and use Opera instead (I don't think firefox is much safer).
I am not sure how much safer Opera is (they say they are but then they would, wouldn't they). What I can say is I have changed to Opera and so far, touch wood (touches head) I have not suffered an attack since changing to Opera.
Wildcat you'll be pleased to learn that Opera has the best security track record of all the major windows browsers, the results can be checked via the Secunia website.
Speaking from personal experience I've used Opera as my primary browser for about 5 years now.
Not one single spyware or trojan or indeed any malware has come through whilst using Opera.
I've managed to catch a trojan via Firefox and plenty of viruses and spyware via IE.
You want security?
It's a no brainer!
Opera has been and remains the best when it comes to security, no question!
Kingmaker2 12-01-2008, 23:36 I use firefox and I think i have downloaded activex controls and javascript - how do i regulate their use?
To my knowledge Firefox doesn't use "active x".
If you want peace of mind then you should perhaps download and install and then run the Free AntiRootKit from AVG, it's designed to detect hidden programs such as the one highlighted in this thread.
http://free.grisoft.com/doc/downloads-products/us/frt/0?prd=arw
Kingmaker2 12-01-2008, 23:45 This exploit isn't browser specific.
According to the BBC report it seems to be. Microsoft's browser is Internet Explorer.
"Many are falling victim via booby-trapped websites that use vulnerabilities in Microsoft's browser to install the attack code.
http://news.bbc.co.uk/1/hi/technology/7183008.stm
According to the BBC report it seems to be. Microsoft's browser is Internet Explorer.
"Many are falling victim via booby-trapped websites that use vulnerabilities in Microsoft's browser to install the attack code.
http://news.bbc.co.uk/1/hi/technology/7183008.stm
I think I'd trust the symantec technical report over BBC news.
scubatony61 13-01-2008, 14:38 This is taken from Symantec's own website:-
=================================================
Discovered: January 8, 2008
Updated: January 8, 2008 8:02:24 PM
Type: Trojan
Infection Length: 512 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Boot.Mebroot is a detection for a Master Boot Record infected by Trojan.Mebroot.
Protection
Initial Rapid Release version January 8, 2008 revision 025
Latest Rapid Release version January 8, 2008 revision 025
Initial Daily Certified version January 8, 2008 revision 039
Latest Daily Certified version January 8, 2008 revision 039
Initial Weekly Certified release date January 9, 2008
Threat Assessment
Wild
Wild Level: Low
Number of Infections: 0 - 49
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Removal: Easy
Damage
Damage Level: Low
Distribution
Distribution Level: Low
Writeup By: Elia Florio
==============================================
sallonoroff 13-01-2008, 16:51 Story at El Reg is HERE (http://www.theregister.co.uk/2008/01/09/mbr_rootkit/).
You can get the AVG Free Anti-Rootkit HERE (http://free.grisoft.com/doc/download-free-anti-rootkit/us/frt/0).
Or the Sophos Anti-Rootkit is available HERE (http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html).
Or the F-Secure's Blacklight Anti-Rootkit is available HERE (http://www.f-secure.com/security_center/).
.
Kingmaker2 13-01-2008, 17:45 I think I'd trust the symantec technical report over BBC news.
Symantec, those lovely people that gave us Norton!:hihi:
The Symantec report doesn't say it's not browser specific.
I'd be fairly confident that anybody that has been affected by this has probably been using IE or an IE based browser.
It's likely that this root kit has exploited a vulnerability in IE, so the Windows patches are likely to patch up this vulnerability in the browser.
If you can show me any evidence that this root kit has affected any other browser apart from, IE or IE based browsers then you might have an argument.
Kingmaker2 13-01-2008, 17:55 Story at El Reg is HERE (http://www.theregister.co.uk/2008/01/09/mbr_rootkit/).
You can get the AVG Free Anti-Rootkit HERE (http://free.grisoft.com/doc/download-free-anti-rootkit/us/frt/0).
Or the Sophos Anti-Rootkit is available HERE (http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html).
Or the F-Secure's Blacklight Anti-Rootkit is available HERE (http://www.f-secure.com/security_center/).
.
Moonlight I beat you to it on the AVG Anti-Root Kit;) (Post 17)
sallonoroff 14-01-2008, 11:55 Moonlight I beat you to it on the AVG Anti-Root Kit;) (Post 17)
I know, i know... but i was going to post the other links anyway so thought i'd go for completeness.
You know how people manage to overlook things on here...
:)
.