Bootkits: What is a Bootkit and why should it concern you?

Before the days of mass inter-connectivity, before everyone was connected to the internet, malicious code traveled on portable storage media such as a CD-ROM or floppy disk. The malware, usually a virus hidden in the boot sector of a disk, acted as a digital parasite, infecting the host PC when it was introduced during the boot process. The infection would corrupt the machine by altering the hard drive’s Master Boot Record, the boot sector code of any boot disk, or the disk partition table (DPT).

A bootkit is a boot virus that is able to hook and patch Windows in order to get loaded into the Windows kernel, thus gaining unrestricted access to the entire computer. It is even able to bypass full volume encryption, because the Master Boot Record is not encrypted: the master boot record contains the decryption software that asks for a password and decrypts the drive.

  • Bootkits are rootkits whose first point of control is during the boot process, such as the MBR or VBR.
  • Bootkits are almost impossible to detect.
  • Bootkits can be used to avoid all protections of an OS, because the OS assumes the system was in a trusted state at the moment the OS boot loader took control.
  • Customized MBR/boot sectors are used both to keep the bootkit in control and to spread it.
  • Age-old boot sector attacks are back.

The curious incident of the rebooting computers “hint, hint…”

What happens

Once it has been loaded onto the system, the Trojan dropper program launches via the vulnerable application, extracts the bootkit installation program from itself and passes the unique user ID to it.

The installer then modifies the boot sector and places the main body of the malicious program on hard disk sectors.

If all these actions are successfully executed on the system, the dropper sends the computer a reboot command. And it is this – the unexpected reboot of the system while the user is on the Internet – that caused suspicion among users, leading them to write about the experience on forums in an attempt to understand what had taken place.
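A defender-side check for the boot sector modification just described, added here as an example that is not part of the original post: it parses the real MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and reports how a captured copy differs from a known-good baseline. The two sample images at the bottom are constructed for the demo.

```python
# Added example (not from the original post): parse a 512-byte MBR and diff it
# against a known-good copy. The layout is the real on-disk format; the two
# sample images at the bottom are constructed for the demo.
import hashlib
import struct

SIGNATURE = b"\x55\xaa"  # last two bytes of every valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into boot code hash, partition table and signature check."""
    if len(mbr) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):  # four 16-byte entries start at offset 446
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:446]).hexdigest(),
            "partitions": parts, "signature_ok": mbr[510:] == SIGNATURE}


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings describing how `current` deviates from `baseline`."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code changed")
    for i, (bp, cp) in enumerate(zip(base["partitions"], cur["partitions"])):
        if bp != cp:
            findings.append(f"partition entry {i} changed")
    if not cur["signature_ok"]:
        findings.append("0x55AA boot signature missing")
    return findings


def make_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Build a constructed MBR image for the demo (not a real boot loader)."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions)
    return boot_code.ljust(446, b"\x00") + table.ljust(64, b"\x00") + SIGNATURE


# Constructed baseline: one bootable NTFS (type 0x07) partition at LBA 2048.
GOOD_MBR = make_mbr(b"GOOD-BOOT-CODE", [(0x80, 0x07, 2048, 204800)])
# Same disk after the boot code is overwritten; the partition table is left
# untouched so the OS still starts and nothing looks wrong from inside it.
PATCHED_MBR = make_mbr(b"PATCHED-LOADER", [(0x80, 0x07, 2048, 204800)])
```

Because a running bootkit can hook the disk reads the OS makes, the copy you compare should be taken offline (booted from trusted media) rather than read through the possibly compromised system.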

side note

I trawl the net for information that I find interesting & noteworthy. When I first heard about this on a podcast from pauldotcom, I thought “…and that is why I use Linux.” You will not find too much on-line in the search engines; you have to dig deep into the web to find any information on the subject. I have found that most of the “stuff” out there can be avoided with a bit of proactive hardening of your browser. Don’t use a browser that is integrated so hard into the OS (IE); use browser add-ons like “NoScript” & “Adblock Plus”. Keep up on your system security updates. Or you could just quit worrying about all of these Windows exploits and switch to Linux.

Resources

If you want to hear more, check out Peter Kleissner @ Blackhat this year.

http://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Kleissner

http://www.viruslist.com/en/analysis?pubid=204792044

http://web17.webbpro.de/index.php?page=the-magic-of-bootkits

http://www.pauldotcom.com/wiki/index.php/Episode155#Interview:_Peter_Kleissner
