Sunday, September 13, 2009

The danger of a new generation of bootkits

While rootkits and bootkits belong to the same concept and their ultimate goals remain the same, certain characteristics distinguish them and make the bootkit the inevitable evolution of the conventional rootkit, adding more complex actions to the state of the art.

By definition, a rootkit is designed to conceal certain activities that an attacker carries out on a compromised system, and it is precisely this characteristic that malware writers exploit to hide the malware's activity (manipulation of registry keys, processes, files, etc.) when infecting a system. In other words, the primary objective of a rootkit is to keep the attacker's activities from being discovered.

This represents a serious potential danger to the security of any computer system, since, depending on the type of rootkit, it can quietly go unnoticed because rootkits generally have the ability to run at a low level (kernel level).

For this reason, antivirus companies classify them as dangerous or even extremely dangerous; perhaps this is also one of the reasons behind the efforts to secure the core of the operating system.

In this regard, earlier this year (2009) we witnessed the emergence of a type of rootkit that infects the MBR (Master Boot Record) of a computer, but unlike conventional rootkits of this style, this new variant is much more harmful and aggressive. Its name is Stoned Bootkit (based on the famous Stoned virus); it was developed by Peter Kleissner and presented at Black Hat 2009.

Once activated from the MBR, the bootkit takes control of the computer before the operating system starts, and it can be launched from any storage device (USB, CD, DVD, etc.). This means it leaves no trace inside the operating system (in-memory processes, for example), because the bootkit makes no direct changes to it.

Although it is presented as a tool for manipulating a system (like a rootkit), as its name suggests (a boot-sector toolkit), it can without doubt be used for malicious purposes, and considering that Stoned Bootkit is designed to work on Windows 7 regardless of architecture (32-bit or 64-bit), it may become the most exploited malicious code during 2010.

Related information
Bootkit multiplataforma al ataque...
RootkitAnalytics

Jorge Mieres
