Mebroot
From Wikipedia, the free encyclopedia
Mebroot is a master boot record (MBR) based rootkit used by botnets including Torpig. It is a sophisticated Trojan horse that uses stealth techniques to hide itself from the user. The Trojan opens a back door on the victim's computer that gives the attacker complete control over the machine.[1]
The Trojan infects the MBR so that it starts even before the operating system does. This lets it bypass some safeguards and embed itself deep within the operating system. The Trojan is known to intercept read/write operations and to embed itself deep within network drivers, which enables it to bypass some firewalls and communicate with its command and control server over a custom encrypted tunnel. Through this channel the attacker can install other malware, viruses, or other applications. The Trojan most commonly steals information from the victim's computer for small financial gains. Mebroot is linked to Anserin, another Trojan that logs keystrokes and steals banking information, which further suggests that a financial motive most likely lies behind Mebroot.[2]
Detection/removal
The Trojan tries to avoid detection by hooking itself into atapi.sys.[3] It also embeds itself in Ntoskrnl.exe.[4] Mebroot has no executable files, no registry keys, and no driver modules, which makes it harder to detect without antivirus software. In addition to running antivirus software, one can also remove the Trojan by wiping or repairing the master boot record, the hard drive, and the operating system.[5]
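As an added illustration that is not part of this article, the following Python code parses a 512-byte MBR image and compares a hash of its boot code against a trusted baseline, the kind of integrity check used to spot an MBR bootkit that leaves the partition table intact. The MBR images, the boot-code bytes and the baseline hash are constructed samples, not Mebroot's own code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the boot code that an MBR rootkit replaces
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries, then the 0x55AA signature
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Parse a raw MBR sector into a boot-code hash, disk signature and partition list."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:                       # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", mbr[440:444])[0],
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return findings for this MBR; an empty list means the boot code matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code plus one bootable NTFS partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = struct.pack("<I", 0x12345678) + b"\x00\x00"   # constructed disk signature
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return code + disk_sig + entry + b"\x00" * 48 + BOOT_SIGNATURE


CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")   # constructed "known-good" boot code
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 20)     # constructed: boot code swapped, table kept
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]             # baseline taken from the clean image
```

Because a rootkit that hooks the disk driver can hand the original sector back to any reader on the infected system, a check like this is only meaningful when the disk is read from a clean boot environment.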