One of 2008's most interesting research cases proved to be the Mebroot rootkit.
Mebroot has been characterized as possessing a "commercial-grade framework" and as being a "malware Operating System". The most notable of its features is the fact that the rootkit replaces the infected computer's Master Boot Record (MBR). Mebroot therefore compromises the computer at a very low level.
The malware has apparently gone through some extensive quality assurance. It rarely ever crashes the systems it infects, even though it runs at the kernel level. It's even been designed to send crash dumps back to its authors, so that they can improve upon their code if required.
We contributed our first bit of Mebroot analysis last March. While the post is quite technical, it only scratched the surface.
Elia Florio of Symantec is another researcher that has analyzed Mebroot in depth. I collaborated with Elia and our efforts produced a paper for the Virus Bulletin: VB2008 conference. I delivered a presentation on the opening day of the conference. You can find our VB2008 post with PowerPoint slides here.
We can now make the paper itself available. Click the link below to download the PDF file.
