MBR Rooted

~removed virus total result....Bubba~

Lool. Just watch your ethernet leds and unplug if too suspicious... lool, last chance.

@cretemonster: Do you still have this HTM? But could also be false alarm.

 

Think Ill trust what I can see better than what someone else sees.

 

Looks like the new version is out:
http://www.prevx.com/freescan.asp

 

Dito that 4 sure
http://rbnexploit.blogspot.com/

This fits the bill too,matching urls result in trackback rbn.

 

They split the traffic, looks beasty.

 

The infection of MBR is their way of survival. They can be spambots, PSW trojans, RATs, DDoS tools, ad-clickers, etc

 

Exactly.

 

So what's the big deal this is all old hat with a rootkit twist.

 

I would like to see the client of the hackers that control MBR, do they use console or Gui to control their little Matrix. Probably either nice Gui like Shark.

 

Reckon this bugger will wander over to the host?

Symantec is blogging again.

 

Nothing to host yet but folks best be updating,seems dw is the only one to find and remove the new addition so far but others are just recieving samples as we speak.

A big thanks to Alexey and PG for the excellent information and keen eye on the only way to really tell if its there,will allways be that unknown traffic and if your up on domain names and such,this will toss a red flag quick.

I will say this,they are using an odd form of HWD Acceleration not seen by me before,this is where I get lost in virtualization.

 

@Cretemonster

Whats your take on this latest intruder and how it will fair with the likes of SandboxIE specifically speaking? Or HIPS like ssm or eqs.

Thanks

 

This one is a little more interesting,I had a chance to get more personal with it allready.

It will honestly depend on how well the system activity is monitored,everything that happens in that "Less than a minute" portal is totally malicious and quite obvious,Id be happy to test what I can today but im running outa machines and IPs to work with.

Cheers to Gmer,update in progress,

Cheers to Marco and his gang as well the folks at DrWeb.

Since Symantec did the write up,cheers for that too but Ill never install your 20 Ton app onto 2 ton machine again....I have had roots that were easier to rip out!

 

Seems so and side effects like downloader junk. Type III Malware.

HWD sounds like handle window

 

Hey thanks for the pointer.Some the original urls are still dispencing the MAT.. file

 

Did you know why they call it mat?
I guess because of this russian mat slang.

 

Hello,
mat files are Matlab files.
Mrk