Reversing Trojan.Mebroot's Obfuscation presented at REcon 2010

by Nicolas Falliere


Summary: Trojan.Mebroot is one of the most complex pieces of malware we have seen in recent years. It infects the MBR, leaves no trace on disk, does everything in kernel mode, and uses a complex obfuscation method to conceal key driver routines from analysts' eyes.
In this presentation, I focus on the obfuscation scheme and present a way, using static analysis and partial emulation, to reverse-engineer it in order to restore the obfuscated functions to, or close to, their original form.