Torpig is a Master Boot Record (MBR) virus that, once a new variant has been released, has so far gone undetected by every known antivirus vendor. Torpig, also known as Sinowal or Mebroot, became an active virus near the end of 2007. Torpig's authors have gone out of their way to write a virus that is almost completely undetectable. Since the MBR is loaded before Windows, the MBR itself is the launching point, and code running from it can control any system process it is directed at.
Method of infection
Through research, I have found that it is put on the system through a drive-by download from a hijacked website. It is not currently known which site has been hijacked with a script injection to drop Torpig onto the system.
Once the user connects to the hijacked site, Torpig overwrites the MBR with its own code, thus taking control of the system at boot. Once the MBR has been overwritten, Torpig reboots the system to hook system processes to evade detection, joins it to the zombie network and begins transmitting data. Once the system is infected with Torpig, it hooks the ATAPI.sys driver and svchost.exe to keep itself hidden from scans while it controls internet traffic. This method makes this type of virus virtually impossible to detect: since the virus hooks processes out of the MBR and contains no other files in the file system, there is nothing for an on-access file scan to detect. This is achieved by storing data at the sector level of the hard drive instead of the file level.
Indications of Infection
The initial stages of a Torpig infection have not been observed.
The initial infection report was given to us by our ISP, which indicated that Torpig was contacting the zombie network. None of our automated antivirus/malware detection software was able to detect the existence of Torpig. System utilization will occasionally spike to 100%, which also indicates a possible virus infection.
Actions
Steals authentication information and personal information for online banking sites.
Injects HTML content into websites visited by the user without detection, including those encrypted with EV-SSL.
Can be loaded with a CAPTCHA key logger and can compromise virtual keyboards.
Uses real-time information to defeat one-time password schemes.
Has built-in configuration data for several banking sites.
System-wide vulnerability affecting any browser.
Removal of infection
The infected systems were located by manually cross-referencing our internal IP address connection report against the destination IP address associated with Torpig that our ISP gave us.
Attempts to use MalwareBytes, Prevx, McAfee, Security Essentials, and TrustDefender were only partially successful. TrustDefender was the only package able to detect API hooks in svchost.exe and ATAPI.sys, giving any indication of a possible infection, though it does not state the infection source and cannot remove the infection. The other four returned nothing from a scan to indicate any infection was present.
Through my research, it has been indicated that Torpig may be removed from the system by rewriting the Master Boot Record. Since the virus hooks processes out of the MBR and contains no other files in the file system, overwriting the MBR should remove the infection. This has not been attempted at this point. Currently, the only method employed to guarantee removal of Torpig is a low-level format of the drive to destroy all data. Two utilities that have been utilized are DBAN and ERD Commander. Both will destroy all data, overwriting the entire disk with 0's.
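Because Torpig lives in the first sector rather than in a file, an on-access file scanner never sees it (see "Method of infection" above), and the removal step described here ends with rewriting that sector. The practical defender's check in both cases is to compare the raw MBR against a baseline hash taken while the machine was known clean. The script below is an added example, not code from the original post or from any product it names. It assumes you already have the raw 512-byte first sector (read from the disk device or from a forensic image) and a SHA-256 of its boot code recorded from the same machine while clean; the MBR bytes and the "boot code" strings are constructed for the demo.

```python
"""Baseline-and-compare check of a 512-byte Master Boot Record image (added example)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot code, the region a bootkit replaces
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510      # 0x55 0xAA boot signature at the end of the sector
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a demo MBR with one bootable NTFS (type 0x07) partition entry."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48          # three unused entries
    return code + table + b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into its verifiable parts: signature, boot-code hash, partitions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:                    # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[SIGNATURE_OFF:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from clean baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


# Constructed stand-ins for real boot code; only their hashes matter here.
CLEAN_BOOT_CODE = b"constructed clean boot code"
TAMPERED_BOOT_CODE = b"constructed boot code after tampering"

if __name__ == "__main__":
    baseline = parse_mbr(build_sample_mbr(CLEAN_BOOT_CODE))["boot_code_sha256"]
    for label, code in (("clean", CLEAN_BOOT_CODE), ("tampered", TAMPERED_BOOT_CODE)):
        print(label, check_against_baseline(build_sample_mbr(code), baseline) or "OK")
```

Only the 446 boot-code bytes are hashed, so a legitimate partition-table change (resizing a volume) does not raise a false alarm, while any change to the code that runs before Windows does. Run the same comparison after rewriting the MBR to confirm the rewrite actually took effect.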
Conclusions
With the current detection methods on our network unable to locate Torpig, finding infected systems will continue to be a laborious search, cross-referencing internal IP address connection reports against the destination IP address given to us by our ISP. Also, we will not be able to determine whether a system on our network is infected with the virus without notification from our ISP. No tested antivirus platform was able to detect the existence of Torpig on our systems.
Sources
http://www.trustdefender.com/blog/2009/04/04/new-mebrootsinowalmbrtorpig-variant-in-the-wild-virtually-undetected-and-more-dangerous-than-ever/
http://www.cs.ucsb.edu/~seclab/projects/torpig/
http://www.f-secure.com/weblog/archives/00001393.html
http://www.virusbtn.com/pdf/conference_slides/2008/Kasslin-Florio-VB2008.pdf