All posts by Andreas Baumhof

Online Criminals Launch Dangerous New MBR Rootkit (Torpig) Variant – Globally Targeting Those With Lapsed Security

Back in January 2008, we looked at how the TrustDefender Kernel Forensics Engine can detect the Silentbanker Trojan and the Master Boot Record (MBR) virus.

Since then, many new variants of the same rootkits have been released, and we thought we would take a more detailed look into a new variant of the MBR Rootkit (Torpig).

Alarmingly, we found that the wider range of antivirus products barely detects this variant (and possibly also earlier ones) at all.

Almost no antivirus engine detected the MBR/Torpig dropper when we obtained a sample. When we first checked, 2 out of 33 (6%) of the antivirus engines flagged some suspicious behaviour (see Attachment 1).

The next day, only 11 out of 33 (33%) detected the threat, with some of the big names, such as CA, McAfee, Sophos and Symantec, still not protecting their customers (see Attachment 2).

This variant of the MBR/Torpig trojan is installed as a drive-by download triggered by highly obfuscated JavaScript code. Innocent users won’t notice any download or installation, especially if they haven’t kept their Windows up to date. Even for those who are up to date, or who have accidentally allowed the program to run, it’s game over.

Attachment 1 – VirusTotal result

Attachment 2 – VirusTotal result next day

Attachment 3 – TrustDefender Kernel Forensics dialog