Kaspersky Lab presents “Bootkit 2009”, an analytical article devoted to a new modification of last year’s most dangerous malicious program, Backdoor.Win32.Sinowal. The article from Sergey Golovanov, senior malware analyst at Kaspersky Lab and Vyacheslav Rusakov, lead developer of the complex threat analysis group at Kaspersky Lab, is available at www.viruslist.com/en.
The new version of the bootkit, identified at the end of March 2009, is spread via compromised sites, porn resources and sites where pirated software can be downloaded. Almost all the servers involved in the infection process have a Russian-language connection: they operate within so-called partner programs, in which site owners cooperate with the authors of crimeware.
The bootkit, as before, uses a method based on infecting the MBR in order to load its driver before the operating system starts. In comparison with previous variants, this version of the rootkit uses a more advanced technology to hide its presence in the system. The driver code has also undergone significant modification: the majority of its key functions, those that install hooks on operating system functions and the hook handlers themselves, have been morphed. This significantly complicates analysis of the malicious code.
The behaviour of the most recent modification of the bootkit demonstrates the need to improve current antivirus technologies so that they can effectively combat not only attempts to infect computers, but also detect complex threats that operate at the very deepest levels of the operating system.
The article is available at www.viruslist.com/en. Kaspersky Lab analysts provided details on the previous version of the bootkit last year in Malware Evolution: January – March 2008 and in an article entitled Bootkit: the challenge of 2008.
The article may be reproduced, provided the author, company name and original source are cited. Reproduction of this material in re-written form requires the express consent of the Kaspersky Lab press office.