Kaspersky Lab, a leading developer of secure content management systems, has released a report entitled “Bootkit: the challenge of 2008”. This article presents a detailed analysis of one of the incidents of 2008 which most clearly demonstrate the threat posed by Malware 2.0.
The evolution of MalWare 2.0 causes a range of problems for the antivirus industry. One of the most serious is that traditional antivirus solutions, which are based exclusively on the use of signature or heuristic analysis of files, are unable to reliably combat Malware 2.0 attacks (and this even without addressing the problem of curing infected systems.)
The bootkit has been a technological breakthrough for the virus writing industry and it is now equipped with a range of technologies enabling it to spread and function as part of a botnet. It also uses a range of methods to prevent the program from being detected during the early stages of infection, attempts to infect as many users as possible, and also hinders attempts to take the botnet down.
The highly organized approach and the technologies used in the bootkit are striking; low-level programming; the exploitation of dozens of vulnerabilities in other applications; the shift from the OS boot mode to the zero, third ring and back again; the creation of applications in C++ for *nix operating systems; the cryptographic protocols; the methods used to authorize bots in the system etc.
The history of the bootkit reflects just how broadly information security issues affect the rank and file user. All the technologies examined above are currently actively being used in the vast majority of malicious programs. The browser as an infection vector; rootkit technologies; botnets; theft of user data; cryptography; obfuscation; anti-antivirus solution technologies – all of these have appeared separately, and are now implemented together in the bootkit.
A broad range of technologies is needed to defend against such complex threats: a web antivirus, traffic filtration, a behaviour analyzer, a sandbox, network traffic analysis and a firewall. A modern antivirus solution should be able not only to combat rootkits, but also to neutralize ‘subspecies’ such as bootkits.
You can read the full version of this article on viruslist.com. A summary is available on kaspersky.com.
You do not need permission to republish this material as long as full attribution (author, company, source) is give. If you wish to publish a shortened, rewritten or modified version, please contact Kaspersky Lab’s PR department.