TrendMicro Virus Alert: BKDR_BREPLIBOT.A

Discussion in 'malware problems & news' started by Randy_Bell, Nov 19, 2005.

Thread Status: Not open for further replies.
  1. Randy_Bell, Registered Member

    Joined: May 24, 2002
    Posts: 3,004
    Location: Santa Clara, CA

    Trojans Utilize Kernel-mode Rootkit - BKDR_BREPLIBOT.A

    In the past week, much attention has been given to the BREPLIBOT family of backdoor-trojans. This Trojan exploits the Sony Digital Rights Management rootkit, and this new malware also targets a specific audience – the business community. Arriving as an attachment in an email, the malware pretends to come from a reputable business magazine, asking the businessman to verify his/her "picture" (apparently attached to the email) to be used for the December issue. However, rather than presenting a picture, executing the attachment installs the Trojan.

    According to Raimund Genes, Chief Technologist of Anti-Malware for antivirus and content security firm Trend Micro, the issue is less about the Trojan than it is about the underlying rootkit technology utilized by them. This is because the rootkit utilized by the BKDR_BREPLIBOT Trojans is a 'kernel-mode' program, which can be used for more dramatic malicious purposes than 'user-mode' programs.

    “We don’t blame Sony for attempting to exercise its right to manage its digital property” says Genes. “However, what’s important to understand is that this technology can now be used by malicious malware writers to hide and spread their creations. These writers include those who might not know how to write their own rootkits – but now they don’t have to.”

    Genes adds a strong recommendation that businesses with the need to protect their intellectual property look into other possible solutions, such as building a level of security commitment into contractual agreements with technology partners, especially when those partners are developing additional DRM (digital rights management) tools.

    "The protection of Corporate Intellectual Property in the digital age is a complex and serious matter for any business. This situation emphasizes the growing complexity of corporate security, both from an IT and business continuity standpoint. It makes clear the need for a consolidation of business and security as one unified initiative."

    According to experts at Trend Micro, the primary danger of kernel-mode drivers is that they have the capability to modify or destroy any other data structure in memory, including the operating system code itself. This is due to the fact that kernel-mode has inherently been granted the highest level of access in a system, and therefore can be utilized to perform nearly any task, including overwriting any other program or data in the system. They add that the objective of rootkits is to conceal the existence of other programs. Instead, they are frequently used to conceal spyware or other malware. And since rootkits are readily available, we expect to see rootkit detection numbers rise.

    Trend Micro is reminding users to remain vigilant. As a precautionary measure, every email should be scrutinized, especially those containing attachments, or those from unexpected or unknown sources, and additionally, they should ensure their security solutions are fully updated. Trend Micro also recommends that technical users and IT staff educate themselves regarding the growing rootkit threat.

    For more information on BKDR_BREPLIBOT.D, please visit
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_BREPLIBOT.D
     