Friday, March 12, 2010

Why Stopping Modern Malware Isn't Working - Fighting Torpig, Sinowal, and Mebroot

Those of us who have been in the IT world for a while recall when viruses were transferred by floppy disks, creating infection patterns that could be easily handled by simply cleaning up a lab or a small group of friends who used the same PCs. Over time, we became used to network-based infections as Code Red and Nimda hit our networks.

Since then, we've seen far fewer heavy-hitting worms as our systems and our networks have been armored against such exploits. Over the past few years, we've begun to see a transition to malware that relies on users to spread. This malware, such as the broad family of Fake AV products, requires a user to click, and is usually aimed at the user themselves. Fake AV, for example, typically seeks to get users to provide their credit card number to remove the fake malware it lists.

Nastier malware is out there, however. Mebroot, a particularly nasty specimen, is often the first step in a hard-to-handle infection. Mebroot is often spread through web-based ad networks - so-called "drive-by downloads" or "drive-by infections" targeting browser plugin and browser vulnerabilities. Once there, it injects itself into the PC's master boot record. As F-Secure puts it, "In the competition between rootkits and rootkit detectors, the first to execute has the upper hand."

Once Mebroot is on a system, Torpig, a botnet client, often follows. Torpig, like Mebroot, comes in many flavors, but most attempt to steal user credentials, credit card information, and bank account details, which they send to central servers. One group of researchers observed 70 GB of stolen data in a 10-day exercise conducted against a Torpig botnet. The same researchers observed 180,000 infections during that time.

The Torpig botnet is well protected - it uses domain flux to keep the controller nodes moving, and when paired with a Mebroot infection, Torpig itself can be both very hard to find and extremely hard to remove. Thus far, my own work with it has shown that manual capture and analysis of the MBR using tools like VirusTotal and Norman Sandbox is somewhat successful, although the quick changes that the malware authors make mean that most mainstream antivirus is useless, and the more targeted tools like GMER can't always keep up.
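As an added illustration of the manual MBR capture and analysis mentioned above (example code written for this post, not the author's own tooling): a small Python script that parses a 512-byte MBR image, then compares its boot-code hash and partition table against a baseline recorded from a known-clean system. The MBR bytes it works on are constructed for the demonstration rather than captured from a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446              # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446      # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"           # boot signature at bytes 510..511
PART_FMT = "<B3xB3xII"            # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR image into a boot-code hash, partition entries and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_FMT, mbr, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[510:512] == SIGNATURE}


def check_mbr(current: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against the parse of a known-clean baseline; return findings."""
    info = parse_mbr(current)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed since baseline")
    if info["partitions"] != baseline["partitions"]:
        findings.append("partition table changed since baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Construct a synthetic MBR for the demonstration (constructed, not from a real disk)."""
    mbr = bytearray(MBR_SIZE)
    mbr[:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"  # stand-in boot-code bytes
    struct.pack_into(PART_FMT, mbr, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


CLEAN_MBR = build_sample_mbr()
BASELINE = parse_mbr(CLEAN_MBR)            # would normally be stored from a clean capture
TAMPERED_MBR = bytearray(CLEAN_MBR)
TAMPERED_MBR[64:68] = b"\x01\x02\x03\x04"  # constructed change inside the boot code

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(bytes(TAMPERED_MBR), BASELINE))
```

On a live host the 512 bytes would be read from the raw disk device with administrative rights, but because an active MBR rootkit can intercept those reads, the capture is only trustworthy when taken from the disk while booted from clean offline media.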

There's no silver bullet for these infections yet, other than running an OS that is not targeted by the malware. Thus, MacOS and Linux users remain safe, although that may change over time. If you're stuck in a Windows environment, particularly if you're using Windows XP, you're in much greater danger. Those users running Windows Vista and Windows 7 are likely to have a better chance of avoiding infection thanks to UAC.

For those looking for a solution, sandbox technologies like Sandboxie may be a good option. As always, patching your browser and all of its plugins is still a reasonable best practice, but many plugins have unpatched holes for weeks or months at a time.

In the meantime, show your senior management this New Zealand Herald article - it provides one of the better mainstream media writeups I've seen.
