Something to worry about?

Hi

http://www.theregister.co.uk/2008/01/09/mbr_rootkit/

I wonder... is this something to worry about... or does Nod32 take care of it?

Kind regards
Itsme

 

"About 30,000 websites, mostly located in Europe, are actively trying to install the rootkit by exploiting users who have failed to install Windows updates"

 

It suggests enabling the mbr scan in your bios. So do that and you should be fine.

 

Thanks for the reply...

But.. does NOD32 prevent the rootkit from installing and if installed.. does Nod32 find it and clean it?

Kind regards.
Itsme

 

Where does it say that?
Is this option available in all BIOSes?

 

Is it known which sites are involved?

 

I don't know where you could find that information and I don't know where they got that figure from. Sorry.

Some more reading here...

http://isc.sans.org/diary.html?storyid=3820

The next big thing is that those distributing this rootkit, also distribute the Torpig banking Trojan.

The rootkit is currently being installed through a set of relatively old, and easy to patch Microsoft vulnerabilities:

* Microsoft JVM ByteVerify (MS03-011)
* Microsoft MDAC (MS06-014) (two versions)
* Microsoft Internet Explorer Vector Markup Language (MS06-055)
* Microsoft XML CoreServices (MS06-071)

But that can change at any moment to something more recent.

The different files involved had rather spurious detection in the anti-virus world.

 

Indeed something to worry about then, especially because practically no AV/AS program picks this variant up.

 

I edited my post above with a link.

 

Great, thanks!
So if I understand it correctly you are 'safe' if you have the patches for those MS leaks installed or if you haven't got those MS components on your system?

 

I noticed this definition in the 2788 update file: JS/Exploit.MS06-014
Is this the 'solution' to one of the exploits as explained above (for the MBR rootkit problem)?

Can someone also comment on this?:
If I understand it correctly you are 'safe' if you have the patches for those MS leaks installed or if you haven't got those MS components on your system (for example, the patch for MS06-014 is KB911562)?

 

I don't think so. That signature detects the MDAC exploit, so it will be mainly used by the web scanner. Probably, it's a re-release of a existing signature to workaround obfuscated JS and the such.
Per this thread, ESET's name for the MBR rootkit is "Win32/Agent.DSJ"

 

Thanks for the info Lucas!

 

You're welcome
EDIT:
In update 2793, ESET has added this signature: Win32/Mebroot.A . It's probably for the boot component. The other signature (Win32/Agent.DSJ) is for the dropper, I guess.