Kaspersky Lab publishes the analytical article "Bootkit 2009"

09 Jun 2009
Virus News

Kaspersky Lab, a leading producer of secure content management systems, presents an analytical article by Sergey Golovanov, senior malware analyst at Kaspersky Lab and Vyacheslav Rusakov, lead developer of the complex threat analysis group at Kaspersky Lab. The article, entitled “Bootkit 2009” is devoted to a new modification of last year’s most dangerous malicious programs, Backdoor.Win32.Sinowal.

The new version of the bootkit, identified at the end of March, is spread via compromised sites, porn resources and sites where pirated software can be downloaded. Almost all the servers which are part of the infection process have a Russian language connection: they work within the framework of so-called partner programs, in which site owners work with the authors of malicious programs.

The mechanism for creating domain names for the site which exploits which will be spread from can also be classed as a relatively new technology. This method makes it almost impossible to use blacklisting in order to block access to sites with exploits.

The bootkit, as before, uses a method based on infecting the MBR in order to load its driver before the operating system starts. In comparison with previous variants, this version of the rootkit uses a more advanced technology in order to hide its presence in the system. The driver code has also undergone significant modification, The majority of key functions, which install hooks for operating system system functions or which are hooks themselves, have been morphed, which significantly complicate the procedure of analysing the malicious code.

A comparison of detection data for the bootkit from products of other antivirus companies shows that each time the malicious users modify the algorithm for creating domain names and change the methods used to pack exploits with the body of the bootkit, not one of these solutions can prevent the bootkit from penetrating the computer and then rapidly disinfect the infected system.

Kaspersky Lab provides users with reliable protection against the new modification of the bootkit at all stages of its work. When an infected site is visited, Kaspersky Internet Security blocks access to the site which will download exploits, to scripts which create and download exploits, and the most dangerous and recent exploits.

The work of the most recent modification of the bootkit demonstrates the need to improve current antivirus technologies which are able to effectively combat not only attempts to infect computers, but to detect complex threats which operate at the very deepest levels of the operating system.

The full version of the article is available on www.viruslist.com/en. Kaspersky Lab analysts provided details on previous version of the bootkit during last year in Malware Evolution: January – March 2008 and in an article entitled Bootkit: the challenge of 2008.

This material can be reproduced provided the author, company name and original source are cited. Reproduction of this material in re-written form requires the express consent of the Kaspersky Lab PR department.