Reversing Trojan.Mebroot's Obfuscation

Presented at REcon 2010, July 11, 2010, 3:20 p.m. (60 minutes)

Trojan.Mebroot is one of the most complex pieces of malware seen in recent years. It infects the MBR, leaves no files on the file system, does everything in kernel mode, and uses an elaborate obfuscation scheme to hide key driver routines from analysts. This presentation focuses on that obfuscation scheme and shows a way, combining static analysis with partial emulation, to reverse-engineer it and restore the obfuscated functions to (or close to) their original form.


Presenters:

  • Nicolas Falliere
    I studied at INSA in Toulouse, France, in the Computer Science department; after a few trips abroad (an internship and an exchange program) and graduating with my MSc in 2006, I moved to Dublin, Ireland, to work for Symantec Security Response. I relocated to Paris, France, a few years ago, where I have been working as a malware analyst/software engineer for Response. I have always been interested in computer security and low-level topics. My Symantec blog is at http://www.symantec.com/connect/blogs/nicolas-falliere and I also have a personal blog at http://0x5a4d.blogspot.com.