The antivirus industry's most important annual conference — Virus Bulletin — is in full swing.
It seems incredible but this is my 15th VB — and I have the card to prove it!
Pretty much everybody is here — as can be seen from this excellent video shot by the Sophos gang. The video was shown in the annual gala dinner last night — be sure to check it out.
This year, we had our Kimmo Kasslin deliver a presentation on the opening day of the conference.
The audience seemed quite astonished to hear the full story behind the most advanced malware we've seen so far: Mebroot. Kimmo characterized it as a "Commercial-grade framework" and as a "Malware Operating system".
The research needed to fully understand this malware was done as a joint operation between F-Secure and Symantec. Our fellow, Kimmo, worked together with Elia Florio from Symantec Security Response in this great example of cross-industry co-operation.
Details of Mebroot functionality uncovered in the presentation included:
Mebroot is the most advanced and stealthiest malware seen so far
It operates at the lowest level of the Windows operating system
Mebroot writes its startup code to the first physical sector on the hard drive
When an infected machine is started, Mebroot loads first and survives through the Windows boot
Mebroot hides all changes made to the infected system
It heavily uses undocumented features of Windows
It creates a complex network communication system, involving pseudo random domain names
Large parts of the code is highly obfuscated
Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder
All botnet communication is encrypted with advanced encryption mechanism
The malware has apparently gone through extensive quality assurance. It never seems to crash the systems it infects, even though it runs at the kernel level
The Mebroot gang has so far registered around 1000 com/net/biz domain names for their communication needs
The botnet backdoor functionality is very powerful, even allowing the upload and execution of arbitrary kernel-mode modules
As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines
The authors of Mebroot remain unknown at this time. However, it's obvious they are well organized and well funded.
To download the slide set prepared by Kimmo and Elia, click on the image below.
Signing off, Mikko
P.S. This would seem like a great opportunity to plug another conference: T2 will be held in Helsinki later this month and Kimmo will be talking there as well, on the Evolution of Kernel-Mode Malware. The agenda as a whole looks very good, take a look.
