Cyber Security Institute

Thursday, June 13, 2013

MBR-wiping malware targets German victims

A new MBR-based attack is targeting German users, who risk having their systems rendered unusable by malware delivered through spam messages. Trend Micro recently uncovered what it terms a “noteworthy backdoor” attached to certain spam variants sent to German recipients. The spam sample the security firm found tells recipients that they owe a debt, the details of which are supposedly contained in the attachment. Like any backdoor, the malware (detected as BKDR_MATSNU.MCB) executes malicious commands, including gathering machine-related information and sending it to its command-and-control (C&C) server. “This particular malware, on top of its ability to remotely control an affected system, is able to wipe out the Master Boot Record – a routine that had previously caused a great crisis in South Korea,” noted Lenart Bermejo, threat response tech lead at Trend Micro.

McAfee’s latest Quarterly Threats Report noted a surge in MBR attacks, where the goal is to infect a machine’s storage system, and from there take control of the entire device.
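Because an MBR wipe destroys the first 512 bytes of the disk, a defender can detect it by parsing that sector and comparing it with a baseline captured at install time. The following is an added example, not Trend Micro's or McAfee's code; the sample sectors are constructed in-line, and reading the real sector 0 from a device is left out because it is platform-specific.

```python
"""Parse a 512-byte Master Boot Record and flag signs of wiping or tampering."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIG = b"\x55\xaa"          # bytes 510-511 of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Return boot-signature validity, non-empty partition entries and a hash."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):                       # partition table: 4 x 16 bytes at 446
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, n_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:                       # type 0x00 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": n_sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIG,
            "partitions": parts,
            "sha256": hashlib.sha256(sector).hexdigest()}


def assess_mbr(sector: bytes, baseline_sha256: str) -> str:
    """Classify the sector against a known-good hash taken at install time."""
    info = parse_mbr(sector)
    if info["sha256"] == baseline_sha256:
        return "unchanged"
    if not info["signature_ok"] or not info["partitions"]:
        return "wiped"       # signature or partition table gone: the system will not boot
    return "modified"        # bootstrap code or table changed: possible bootkit


def make_sample_mbr() -> bytes:
    """Constructed known-good MBR: dummy bootstrap code and one bootable NTFS partition."""
    code = bytes([0x33, 0xC0, 0x8E, 0xD0]).ljust(446, b"\x90")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)   # bootable, NTFS, LBA 2048
    return code + entry + b"\x00" * 48 + BOOT_SIG


GOOD = make_sample_mbr()
BASELINE = hashlib.sha256(GOOD).hexdigest()
WIPED = b"\x00" * MBR_SIZE                 # constructed: what a destructive overwrite leaves
TAMPERED = b"\xEB\xFE" + GOOD[2:]          # constructed: bootstrap altered, table intact

if __name__ == "__main__":
    for name, sec in (("good", GOOD), ("wiped", WIPED), ("tampered", TAMPERED)):
        print(name, assess_mbr(sec, BASELINE), parse_mbr(sec)["partitions"])
```

A zeroed sector fails both the signature and partition-table checks, while a bootkit that keeps the table intact only shows up through the hash mismatch, which is why the baseline is essential.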

The German-targeted malware doesn’t stop at wreaking MBR havoc, though: another feature is the backdoor’s capability to lock and unlock the screen. “This locking of screen is definitely a direct copy from ransomware’s playbook, in which the system remains completely or partially inaccessible unless the victim pays for the ransom,” Bermejo said.

Another possible scenario is a variant in which the MBR-wiping routine is integrated with the screen-blocking routine, making the screen-locking command easier to execute.

Posted on 06/13