In this connection, you may have read about a name that has been making a lot of noise since the last BlackHat: bootkit. But... what is it?
A bootkit is basically a type of rootkit designed to infect the boot sector of Windows operating systems, commonly known as the Master Boot Record (MBR).
While the rootkit concept dates back almost to the beginnings of the UNIX platforms, and malicious code that abuses this technique is not new, we could say that the term bootkit refers to a new family of malware that circumvents any threat-detection system by hosting its harmful instructions in the boot sector.
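To make the concept concrete from the defender's side, here is an added example (not code from the original post) that parses the 512-byte MBR sector the post refers to and checks its boot-code region against a recorded hash baseline. The sector it works on is constructed inside the script rather than read from a real disk, and the partition layout, hash algorithm and baseline scheme are assumptions chosen for the illustration.

```python
import hashlib
import struct

# MBR layout constants: 446 bytes of boot code, four 16-byte partition
# entries, then the 2-byte boot signature 0x55 0xAA at offset 510.
SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes = b"\xEB\xFE") -> bytes:
    """Construct a synthetic MBR for demonstration only (not copied from any disk).

    The boot code is padded with NOPs (0x90) to fill the 446-byte code area,
    one bootable NTFS-type (0x07) partition entry is written, and the sector
    ends with the 0x55AA signature.
    """
    code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x90")
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)  # three empty slots
    sector = code + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector: bytes) -> dict:
    """Return the signature check and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _, ptype, _, lba_start, count = struct.unpack(
            ENTRY_FORMAT, sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {"signature_ok": signature_ok, "partitions": partitions}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may legitimately change."""
    return hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest()


def check_boot_code(sector: bytes, baseline_hex: str) -> bool:
    """True when the boot code still matches the baseline recorded on a known-clean system."""
    return boot_code_hash(sector) == baseline_hex


if __name__ == "__main__":
    mbr = build_sample_mbr()
    baseline = boot_code_hash(mbr)   # record this once, while the system is trusted
    print(parse_mbr(mbr))
    print("boot code matches baseline:", check_boot_code(mbr, baseline))
```

The signature check alone says nothing about tampering: a rewritten boot sector keeps a valid 0x55AA and a sane partition table, so only the comparison against a baseline taken from a known-clean state flags a change. On a real machine the sector has to be read with raw disk access, and the read should be done from a trusted environment such as boot media, because a rootkit active in the running operating system can hide the modification from tools that run under it.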
In fact, several names have made noise throughout history:
- Stoned, in 1987 (it was taken as the basis for the development of Michelangelo), which displayed various messages on the screen.
- BootRoot, first presented at BlackHat in 2005 and designed to run on Windows XP.
- Kon-Boot, which bypasses the Windows authentication scheme, skipping the authentication process altogether.
- Vbootkit, in 2007, which runs on Windows Vista; its second version appeared this year, designed to exploit Windows 7 (including 64-bit). Both versions were presented at BlackHat.
- Mebroot, whose first version appeared in 2007, designed to steal banking details, and whose evolution is shown in a screenshot in the paper "Now Your Computer is Stoned (... Again!). The Rise of MBR Rootkits", jointly developed by Symantec and F-Secure.
Now... where is the most important point in all this? I think Mebroot marked the turning point, adding to the illicit sphere a new methodology tied to a concept directly related to crime: malware attacks that seek not only information that can be exploited (even for intelligence or espionage), but also to fuel the economy of its developers. The trend continues with Vbootkit v2, now prepared to exploit Windows 7.
Under this scenario, the matter is serious, since it is further evidence of the increasing professionalization of malware developers.
Stoned bootkit is also designed to bypass the security structures offered by products such as TrueCrypt, which encrypt an entire volume, mounting a direct attack on TrueCrypt. That is, it has the ability to infect a computer even when it is encrypted, gaining access to the entire system regardless of the safety precautions around credentials with administrative permissions.
Ironically, the author uses a legend similar to the one the old Stoned displayed (Your PC is now Stoned!), shown each time you boot the system:
Your PC is now Stoned! ... again
Also, unlike other rootkits that infect the boot sector of a specific operating system, the new Stoned has the ability to infect all versions from Windows XP to the highly anticipated Windows 7.
Given this, it may become an essential module for malware writers seeking to break the security barriers of Windows 7.
Despite the absence of a significant amount of malicious code with these characteristics (bootkits), every time one appears it makes noise in the community. Are we talking about a resurrection? I think not, especially after trying something I did not think possible today: the Stoned of 1987 still operates on Windows Vista.
# Jorge Mieres