May 7th 09, 02:12 PM, posted to microsoft.public.win98.gen_discussion
98 Guy
Windows reality - The Torpig botnet and LOTS of others out here

MEB wrote:

> Yet another botnet is hacked from the outside, this one uses the
> boot record/MBR to store the hack to take over Windows computers.


I find the name somewhat ironic. Mebroot. MEB root.

Based on this technical analysis:

http://www.trustdefender.com/blog/20...ous-than-ever/

1) Mebroot is mainly deployed through a drive-by download when
you visit “everyday” websites - sometimes (or usually)
delivered via recent pdf file exploits (which we know windows-98/
adobe acrobat 6 are not vulnerable to).

2) after infecting the Master-Boot-Record, it employs a complicated
mechanism to inject itself into the ATAPI Harddrive Driver.
Presumably the XP ATAPI driver (atapi.sys) operates or
is constructed differently than the windows-98 ATAPI driver.
In fact, there is no such file (atapi.sys) on a typical win-98
system (at least not on my system).

3) Once it's made itself part of the ATAPI driver, it uses that
position to then alter core windows components (svchost.exe
and services.exe). Since Windows 98 does not have those files
or provide "services" the same way that NT-based OSes do,
Mebroot must either have additional code to support operation
on win-9x platforms, or it simply aborts itself and does not function
if it finds itself on those platforms.

> Analysis of Sinowal
> http://web17.webbpro.de/index.php?pa...sis-of-sinowal


Thanks for the link MEB.

If you go to this section: Runtime Execution of Sinowal

you'll see that Mebroot (Sinowal) is heavily dependent on running on and
finding (hooking) NT kernel files (ntldr and ntoskrnl). Again, more
evidence that Mebroot can't run or function as intended on win-9x
systems.

> MEB NOTE: this hack has changed over time [it's been around for
> around four years or so], thinking it works in only one OS or
> group of OSs is NOT a reasonable approach to inhibiting its
> expansion. The reason WHY is it happens to be extremely successful
> and extremely difficult to detect and remove. Numerous variants
> now exist.


I'm surprised that NT-based systems will allow reading or writing to the
MBR, or that AV programs don't catch and prevent that sort of activity.
Even if they don't detect the Mebroot infector file or exploit, they
should at least be able to detect and prevent MBR tampering. Mebroot
analysis doesn't indicate that AV software is scanned for and disabled
as part of its functionality.

But the take-home message is that Windows 98 is most likely not
vulnerable to Mebroot by virtue of its design.
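As an added example (not from this post or from the linked analyses), here is the kind of MBR tampering check the post says AV products should be doing: a small Python script that parses the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compares a current sector against a trusted baseline. The sample MBR bytes are constructed here; the boot-code bytes are placeholders, not real boot code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446   # bytes 0-445: boot code, the part an MBR bootkit overwrites
PART_TABLE_OFF = 446  # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510   # last two bytes must be 0x55 0xAA

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "valid_signature": mbr[SIGNATURE_OFF:] == b"\x55\xaa",
    }

def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings describing how `current` differs from a trusted `baseline` MBR."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("missing 0x55AA signature")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code changed")   # the signature of a boot-code bootkit infection
    for i, (pb, pc) in enumerate(zip(b["partitions"], c["partitions"])):
        if pb != pc:
            findings.append(f"partition entry {i} changed")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one bootable type-0x07 partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return code + table + b"\x55\xaa"

# Constructed inputs: a baseline captured from a clean machine, and a copy whose
# boot code was replaced while the partition table was left intact (placeholder bytes).
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x20\x90\x90\x90\x90\x90\x90")

if __name__ == "__main__":
    print(compare_mbr(BASELINE_MBR, TAMPERED_MBR))   # ['boot code changed']
```

On a real system the baseline would be the first 512 bytes read from the raw disk device while the machine is known clean, stored off-box, and re-read at boot or on a schedule.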