NEWS FROM THE LAB - Friday, October 3, 2008

The 15th Posted by Mikko @ 13:08 GMT

Greetings from Ottawa.


The antivirus industry's most important annual conference — Virus Bulletin — is in full swing.


It seems incredible but this is my 15th VB — and I have the card to prove it!


Pretty much everybody is here — as can be seen from this excellent video shot by the Sophos gang. The video was shown in the annual gala dinner last night — be sure to check it out.

This year, we had our Kimmo Kasslin deliver a presentation on the opening day of the conference.

Kimmo Kasslin

The audience seemed quite astonished to hear the full story behind the most advanced malware we've seen so far: Mebroot. Kimmo characterized it as a "Commercial-grade framework" and as a "Malware Operating system".

The research needed to fully understand this malware was done as a joint operation between F-Secure and Symantec. Our fellow, Kimmo, worked together with Elia Florio from Symantec Security Response in this great example of cross-industry co-operation.

Details of Mebroot functionality uncovered in the presentation included:

  • Mebroot is the most advanced and stealthiest malware seen so far
  • It operates at the lowest level of the Windows operating system
  • Mebroot writes its startup code to the first physical sector on the hard drive
  • When an infected machine is started, Mebroot loads first and survives through the Windows boot
  • Mebroot hides all changes made to the infected system
  • It heavily uses undocumented features of Windows
  • It creates a complex network communication system, involving pseudo random domain names
  • Large parts of the code is highly obfuscated
  • Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder
  • All botnet communication is encrypted with advanced encryption mechanism
  • The malware has apparently gone through extensive quality assurance. It never seems to crash the systems it infects, even though it runs at the kernel level
  • The Mebroot gang has so far registered around 1000 com/net/biz domain names for their communication needs
  • The botnet backdoor functionality is very powerful, even allowing the upload and execution of arbitrary kernel-mode modules
  • As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines

The authors of Mebroot remain unknown at this time. However, it's obvious they are well organized and well funded.

To download the slide set prepared by Kimmo and Elia, click on the image below.

Kimmo Kasslin & Elia Florio

Signing off,

P.S. This would seem like a great opportunity to plug another conference: T2 will be held in Helsinki later this month and Kimmo will be talking there as well, on the Evolution of Kernel-Mode Malware. The agenda as a whole looks very good, take a look.