Before the days of mass interconnectivity, before everyone was connected to the internet, malicious code traveled on portable storage media such as a CD-ROM or floppy disk. The malware, usually a virus hidden in the boot sector of a disk, acted as a digital parasite, infecting the host PC when the disk was present during the boot process. The infection corrupted the machine by altering the hard drive’s Master Boot Record (MBR), the boot sector code of any boot disk, or the disk partition table (DPT).
A bootkit is a boot virus that is able to hook and patch Windows in order to get loaded into the Windows kernel, thereby gaining unrestricted access to the entire computer. It is even able to bypass full volume encryption, because the Master Boot Record is not encrypted: the MBR contains the decryption software that asks for a password and decrypts the drive.
- Bootkits are rootkits whose first point of control is during the boot process, such as the MBR or VBR
- Bootkits are almost impossible to detect
- Bootkits can be used to avoid all protections of an OS, because the OS assumes the system was in a trusted state at the moment the OS boot loader took control.
- Customized MBRs/boot sectors are used both to keep themselves in control and to spread
- Age-old boot sector attacks are back.
The curious incident of the rebooting computers “hint, hint…”
Once it has been loaded onto the system, the Trojan dropper program launches via the vulnerable application, extracts the bootkit installation program from itself and passes the unique user ID to it.
The installer then modifies the boot sector and places the main body of the malicious program on hard disk sectors.
If all these actions are executed successfully on the system, the dropper sends the computer a command to reboot. And it is this – the unexpected reboot of the system while the user is on the Internet – that caused suspicion among users, leading them to write about the experience on forums in an attempt to understand what had taken place.
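As an added defender's example (not code from this post or from any of the researchers it mentions), here is a small Python check that parses a 512-byte MBR image into its boot code, partition table and signature, then compares it against a trusted baseline so that a patched boot sector like the one the installer writes shows up as a finding. Both disk images are constructed inline; on a real machine the live MBR would be read from the raw disk device, which needs administrative privileges.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot code a bootkit patches
PART_TABLE_OFF = 446       # four 16-byte entries: the disk partition table (DPT)
SIGNATURE = b"\x55\xaa"    # bytes 510..511: boot sector signature
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[510:512] == SIGNATURE}

def check_mbr(sector: bytes, baseline_hash: str, baseline_parts: list) -> list:
    """Compare a live MBR against a trusted baseline; return a list of findings."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_hash:
        findings.append("boot code differs from baseline (possible bootkit patch)")
    if mbr["partitions"] != baseline_parts:
        findings.append("partition table differs from baseline")
    return findings

def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR image for testing; not read from a real disk."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00"))
    for p in partitions:
        sector += struct.pack(ENTRY_FMT, 0x80 if p["bootable"] else 0, b"\0" * 3,
                              p["type"], b"\0" * 3, p["lba_start"], p["sectors"])
    sector += b"\x00" * (16 * (4 - len(partitions)))   # unused entries stay zeroed
    return bytes(sector + SIGNATURE)

# Constructed sample: one NTFS-type partition starting at LBA 2048 (all values made up)
CLEAN_MBR = build_mbr(b"\xfa\x31\xc0\x8e\xd8", [{"bootable": True, "type": 0x07, "lba_start": 2048, "sectors": 1_000_000}])
BASELINE = parse_mbr(CLEAN_MBR)
BASELINE_HASH = hashlib.sha256(BASELINE["boot_code"]).hexdigest()
# Constructed "infected" image: the first bytes of the boot code are overwritten while
# the partition table is left untouched, which is what a boot-code patch looks like.
INFECTED_MBR = b"\x90" * 8 + CLEAN_MBR[8:]
```

Calling `check_mbr(INFECTED_MBR, BASELINE_HASH, BASELINE["partitions"])` flags the boot code while the clean image returns no findings; in practice the baseline hash and partition list should be recorded from a known-good boot and stored off the host.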
I trawl the net for information that I find interesting & noteworthy; when I first heard about this on a podcast from PaulDotCom, I thought “…and that is why I use Linux.” You will not find too much online in the search engines; you have to dig deep into the web to find any information on the subject. I have found that most of the “stuff” out there can be avoided with a bit of proactive hardening of your browser. Don’t use a browser that is integrated so hard into the OS (IE); use browser add-ons like NoScript & Adblock Plus. Keep up on your system security updates. Or you could just quit worrying about all of these Windows exploits and switch to Linux.
If you want to hear more, check out Peter Kleissner @ Black Hat this year.