Prevx Blog

Mar 9th

Has the MBR rootkit disappeared? Not really

Posted by: Marco Giuliani


During these days we have talked a lot about the TDL3 rootkit infection, a nice example of how malware writers can make security vendors' work harder. We will continue writing about TDL3 to update our readers about the status of both the rootkit and the defensive techniques against it.

However, today we want to take a step back and talk about an old friend called the MBR rootkit, also known as Mebroot or Torpig. The fact that we haven't talked about it for a while doesn't mean it has been defeated. On the contrary, the MBR rootkit is still actively spreading throughout the web, mostly through compromised websites.

During the last two days we have cleaned hundreds of infected machines, a quite impressive number that shows how the threat is still hitting hard.

As said before, compromised websites are the primary vehicle of infection. Injected iframes and obfuscated JavaScript have become a serious threat during the last years, showing how often websites are left unprotected.

For instance, during the last months we have received a number of reports from Italy about massive attacks against hundreds of websites that had been compromised with injected code. After some analysis, the injected code turned out to be dropping the MBR rootkit through some exploits.

The websites could have been compromised in several ways: weak website login credentials, a flaw in the hosting servers, or a flaw in third-party hosted applications (SQL injection, for instance).

The bad news is that the authors of the MBR rootkit are very active in the underground; they are just less noisy than the TDL3 writers.

The MBR rootkit has been improved during the last months, and it has added another trick to block security applications from cleaning its infection code.

As written in a previous blog post, the MBR rootkit uses self-defense routines which prevent security software from cleaning up the Master Boot Record. So, to clean the system, some security software forces the system to restart immediately after it has cleaned the infection. To do this, it crashes the system by calling a specific system bugcheck.

MBR rootkit CallBack notify routine

The MBR rootkit's response is that it now uses a BugCheck callback notify routine, which alerts the rootkit that a bug check has been called. By doing so, it is able to rewrite its code into the MBR immediately before the system restarts.

Prevx is still able to detect the infection while it is active in the system. Cleanup is under internal testing and we should release an update soon. In the meantime, if Prevx customers are infected by the MBR rootkit and are not able to clean their machines, they can contact our technical support. We will help you fix the issue.

If you haven't installed Prevx and want to check whether your system is infected by the MBR rootkit, look inside the Windows directory, under the Temp subdirectory (%windir%\Temp), for a hidden file whose name starts with "$$$". If such a file exists, your PC could be affected by the MBR rootkit.
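As an added example (not part of the original post and not Prevx's own tooling), the following PowerShell script performs the check described above: it lists hidden files in %windir%\Temp whose names start with "$$$" and records their size, timestamps and SHA256 hash so they can be forwarded to support. It assumes PowerShell 4 or later (for Get-FileHash) and that the script is run with rights to read that directory.

```powershell
# Added example: look for the "$$$*" hidden-file indicator in %windir%\Temp.
$tempDir = Join-Path $env:windir 'Temp'

function Find-MbrRootkitTempIndicator {
    param([string]$Path = $tempDir)

    # -Force is required: Get-ChildItem skips hidden items without it.
    # The filter is single-quoted so that "$$" is not expanded by PowerShell.
    Get-ChildItem -Path $Path -Filter '$$$*' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Hidden } |
        ForEach-Object {
            # Hash may be empty if the file is locked; the listing is still reported.
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            [PSCustomObject]@{
                Name       = $_.Name
                SizeBytes  = $_.Length
                Created    = $_.CreationTime
                Modified   = $_.LastWriteTime
                Attributes = $_.Attributes
                Sha256     = $hash
            }
        }
}

$hits = @(Find-MbrRootkitTempIndicator)
if ($hits.Count -eq 0) {
    Write-Output ('No hidden $$$* files found in {0}.' -f $tempDir)
} else {
    Write-Warning ('Found {0} hidden $$$* file(s) in {1}; the machine may be affected.' -f $hits.Count, $tempDir)
    $hits | Format-Table -AutoSize
}
```

An empty result is not proof of a clean system; the check only covers the one indicator named in the post.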

3 comments so far

Cedric Pernet on Mar 10 13:23, 2010

I am not OK when you say "MBR=Mebroot=Torpig". Torpig is a trojan dropped by Mebroot. Mebroot is a framework which can be used to drop any malware, not only Torpig.

Marco Giuliani on Mar 10 14:29, 2010

I agree with you. The problem is that there's a lot of confusion between antivirus vendors about malware naming procedures. Torpig is called Sinowal by some. If you check out there, someone else is calling the MBR rootkit Sinowal. Now, it should be clear that the MBR rootkit is one component, and the Torpig/Sinowal trojan is another one.

If you look on a number of websites, even from security vendors, you'll see that often MBR rootkit = Sinowal = Torpig. I agree it's different (if you check my older posts, I've always talked about it as the MBR rootkit), but the article has been written to help people understand what the threat we're talking about is. So I decided to quote all the names used to identify the threat, even if they are not fully correct.

Regards,

Marco

Cedric Pernet on Mar 16 12:33, 2010

Thank you very much for this clear explanation, Marco. Keep up the good work :-)
