NEWS FROM THE LAB - Thursday, February 19, 2009

Mebroot Posted by Kimmo @ 08:22 GMT

One of 2008's most interesting research cases proved to be the Mebroot rootkit.

Mebroot has been characterized as possessing a "commercial-grade framework" and as being a "malware Operating System". The most notable of its features is the fact that the rootkit replaces the infected computer's Master Boot Record (MBR). Mebroot therefore compromises the computer at a very low level.
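Because an MBR rootkit of this kind replaces the boot code in sector 0 while leaving the partition table intact (so the machine still boots normally), the practical defensive check is to parse the first 512 bytes of the disk and compare the boot-code region against a known-good baseline. The script below is an added example written for this post, not code from F-Secure, Symantec or the paper; the MBR layout it parses (440 bytes of boot code, a four-entry partition table at offset 446, the 0x55AA signature at offset 510) is the standard one, while the sample sectors and the `CLEAN_BOOT_CODE` / `TAMPERED_BOOT_CODE` byte strings are constructed placeholders for illustration only.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # classic MBR: boot code occupies bytes 0..439
PART_TABLE_OFF = 446       # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, start LBA, sector count
BOOT_SIGNATURE = b"\x55\xAA"

# Constructed placeholder boot-code bytes (not real boot code, not malware).
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 9
TAMPERED_BOOT_CODE = bytes([0xEB, 0x58, 0x90, 0x90]) + b"\xCC" * 12


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR for the example: given boot code, one
    bootable type-0x07 partition at LBA 2048, and the 0x55AA signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long for the MBR boot-code region")
    sector = bytearray(SECTOR_SIZE)
    sector[: len(boot_code)] = boot_code
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    sector[PART_TABLE_OFF: PART_TABLE_OFF + PART_ENTRY_LEN] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and return the boot-code hash plus the
    populated partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            PART_ENTRY_FMT, sector[off: off + PART_ENTRY_LEN])
        if ptype != 0:                       # type 0 means an unused slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "start_lba": lba,
                "sectors": count,
            })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """Return a list of human-readable findings; empty means no change
    from the baseline produced earlier by parse_mbr()."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code region differs from baseline "
                        "(consistent with an MBR rootkit overwriting sector 0)")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a raw device, e.g. '/dev/sda' or
    r'\\\\.\\PhysicalDrive0' (needs root/administrator rights)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


if __name__ == "__main__":
    baseline = parse_mbr(build_sample_mbr(CLEAN_BOOT_CODE))
    for label, code in (("clean", CLEAN_BOOT_CODE), ("tampered", TAMPERED_BOOT_CODE)):
        result = compare_to_baseline(build_sample_mbr(code), baseline)
        print(f"{label}: {result or 'no change from baseline'}")
```

The baseline must be taken from a known-clean state, and because a kernel-mode rootkit can filter disk reads on the running system, the comparison is only trustworthy when the sector is read from a trusted boot medium or with the disk attached to a clean machine.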

The malware has apparently gone through extensive quality assurance. It rarely crashes the systems it infects, even though it runs at the kernel level. It has even been designed to send crash dumps back to its authors, so that they can improve their code if required.

Mebroot VBPaper

We contributed our first bit of Mebroot analysis last March. While the post is quite technical, it only scratched the surface.

Elia Florio of Symantec is another researcher that has analyzed Mebroot in depth. I collaborated with Elia and our efforts produced a paper for the Virus Bulletin: VB2008 conference. I delivered a presentation on the opening day of the conference. You can find our VB2008 post with PowerPoint slides here.


We can now make the paper itself available. Click the link below to download the PDF file.

Your Computer is Now Stoned (...Again!). The Rise of MBR Rootkits (3169KB PDF).

Signing off,