Bootkit



In addition to patching the three Project Zero vulnerabilities disclosed last week, Apple is apparently readying a fix for the Thunderstrike boot attack as well, something that will purportedly rid all Macs running Yosemite of the issue.

Stealthy malware that can sneak onto machines during the boot process and remain undetected indefinitely is one of the brass rings of security research. There have been a number of tools developed over the years that aimed to accomplish this goal, with Joanna Rutkowska’s Evil Maid attack being perhaps the most famous. Now a developer in Canada has produced a similar tool that impersonates the CHKDSK utility and can grab a user’s password and then exit without the user’s knowledge.

Symantec: Boot Sector Malware Back In Style

Malware writers are turning to boot record malware to infect systems – a throwback to earlier forms of malware.

What’s old is new again. This time it’s boot sector malware – fashionable around the turn of the Millennium – that’s making a comeback, according to Symantec Corp. Writing on the Symantec Connect blog (http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion-infographic), researcher Hon Lau notes that researchers there have seen a doubling of master boot record (MBR) malware between 2009 and 2010, with 2011 on track to double it again. The increase may be due to the release of open source code for the BootRoot MBR malware, Symantec said.

Admittedly, the “explosion” in MBR malware is hardly that – especially compared with the global malware population. We’re talking small numbers here: two instances of MBR malware in 2009, four in 2010 and five already in 2011. New families of MBR malware include CIDOX, FISPBOOT, ALWORO and SMITNYL, in addition to variants of known MBR malware families like TIDSERV. The new variants are mostly one-off creations and are being used as ransomware – software that’s used to hijack a victim’s PC in exchange for payment.

The master boot record is the first sector of a storage device, such as a hard drive, and is the first thing a computer reads when it boots. The MBR contains code that allows the device to locate and load an operating system or other application that has been stored on the system. Master boot record malware infects that area of the storage device, allowing it to load before the operating system. That makes it easier for MBR malware to evade detection and removal, Symantec said. Unlike MBR malware of a decade ago, the newest MBR malware is feature rich, with data stealing and remote control functionality built in, Hon writes.

Researchers at other firms have also seen a spike in MBR malware. In April, Kaspersky researcher Vyacheslav Zakorzhevsky reported that a rootkit, FISP.A, was being installed on systems infected by NSIS.Agent.jd, an MBR rootkit (or bootkit) that was being pushed by phony Chinese pornography sites. (http://threatpost.com/en_us/blogs/virus-watch-chinese-bootkit-040511)

Researchers from Kaspersky Labs claim to have discovered the most sophisticated piece of malware available on the Web. Detected by their antivirus product as TDSS, the Trojan employs a number of methods to avoid detection, including the use of encryption between the botnet command and control server and its zombies, and a powerful rootkit component that conceals the presence of other types of malware on a given system.

By Vyacheslav Zakorzhevsky

We recently discovered a new bootkit, i.e. a malicious program which infects the hard drive’s boot sector. Kaspersky Lab detects it as Rootkit.Win32.Fisp.a. The bootkit is distributed by Trojan-Downloader.NSIS.Agent.jd. The Trojan infects the computers of users who try to download a video clip from a fake Chinese porn site.
