Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Saturday, April 20, 2013

New version of Gozi financial malware bundles MBR rootkit

Researchers from security firm Trusteer have found a new variant of the Gozi banking Trojan program that infects a computer’s Master Boot Record (MBR) in order to achieve persistence. Some malware authors have leveraged the MBR in order to give their malicious programs a head start over antivirus programs installed on the computer. Sophisticated malware that uses MBR rootkit components, like TDL4, also known as Alureon or TDSS, are part of the reason why Microsoft built the Secure Boot feature into Windows 8.


The Master Boot Record (MBR) is a boot sector that resides at the beginning of a storage drive and contains information about how that drive is partitioned. “Even though MBR rootkits are considered highly effective they haven’t been integrated into a lot of financial malware,” Trusteer researcher Etay Maor said Thursday in a blog post.

The fact that a new variant of Gozi was discovered shows that cybercriminals continue to use this threat despite the fact that its main developer and some of his accomplices were arrested and indicted.


While some dedicated tools for removing MBR rootkits do exist, many experts recommend wiping the entire hard drive and recreating the partitions in order to ensure a clean start if the computer has been infected with such a threat, Maor said. Since cleaning such malware might require advanced technical knowledge, it’s probably best to contact the technical support department of your antivirus provider in order to get expert help.


Link: http://www.computerworld.com/s/article/9238526/New_version_of_Gozi_financial_malware_bundles_MBR_rootkit?source=CTWNLE_nlt_pm_2013-04-19

 

Posted on 04/20
MalwarePermalink