Newsfeed
Nachrichtenbote
Greetings from Ottawa.
The antivirus industry's most important annual conference - Virus Bulletin - is in full swing.
It seems incredible but this is my 15th VB - and I have the card to prove it!
Pretty much everybody is here - as can be seen from this excellent video shot by the Sophos gang. The video was shown in the annual gala dinner last night - be sure to check it out.
This year, we had our Kimmo Kasslin deliver a presentation on the opening day of the conference.
The audience seemed quite astonished to hear the full story behind the most advanced malware we've seen so far: Mebroot. Kimmo characterized it as a "Commercial-grade framework" and as a "Malware Operating system".
The research needed to fully understand this malware was done as a joint operation between F-Secure and Symantec. Kimmo from us worked together with Elia Florio from Symantec Security Response in this great example of cross-industry co-operation.
Details of Mebroot functionality uncovered in the presentation included:
Authors of Mebroot remain unknown at this time. However, it's obvious they are well organised and well funded.
You can download the slide set prepared by Kimmo and Elia from below.
Signing off,
Mikko
PS. This would seem like a great opportunity to plug another conference: T2 will be held in Helsinki later this month and Kimmo will be talking there as well, on Evolution of Kernel-Mode Malware. The agenda as a whole looks very good, take a look.
On 03/10/08 At 01:08 PM
Weiterlesen...
The antivirus industry's most important annual conference - Virus Bulletin - is in full swing.
It seems incredible but this is my 15th VB - and I have the card to prove it!
Pretty much everybody is here - as can be seen from this excellent video shot by the Sophos gang. The video was shown in the annual gala dinner last night - be sure to check it out.
This year, we had our Kimmo Kasslin deliver a presentation on the opening day of the conference.
The audience seemed quite astonished to hear the full story behind the most advanced malware we've seen so far: Mebroot. Kimmo characterized it as a "Commercial-grade framework" and as a "Malware Operating system".
The research needed to fully understand this malware was done as a joint operation between F-Secure and Symantec. Kimmo from us worked together with Elia Florio from Symantec Security Response in this great example of cross-industry co-operation.
Details of Mebroot functionality uncovered in the presentation included:
- Mebroot is the most advanced and stealthiest malware seen so far
- it operates at the lowest level of the Windows operating system
- Mebroot writes it's startup code to the first physical sector on the hard drive
- When an infected machine is started, Mebroot loads first and survives through the Windows boot
- Mebroot hides all changes done to the infected system
- it heavily uses undocumented features of Windows
- it creates a complex network communication system, involving pseudorandom domain names
- large parts of the code is highly obfuscated
- Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder
- all botnet communication is encrypted with advanced encryption mechanism
- the malware has apparently gone through extensive quality assurance. It never seems to crash the systems it infects, even though it runs at the kernel level
- the Mebroot gang has so far registered around 1000 com/net/biz domain names for their communication needs
- the botnet backdoor functionality is very powerful, even allowing the upload and execution of arbitrary kernel-mode modulesas a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do online banking on infected machines
Authors of Mebroot remain unknown at this time. However, it's obvious they are well organised and well funded.
You can download the slide set prepared by Kimmo and Elia from below.
Signing off,
Mikko
PS. This would seem like a great opportunity to plug another conference: T2 will be held in Helsinki later this month and Kimmo will be talking there as well, on Evolution of Kernel-Mode Malware. The agenda as a whole looks very good, take a look.
On 03/10/08 At 01:08 PM
Weiterlesen...