Bootkits are kernel-mode rootkits used to attack full disk encryption systems. “Bootkits attack at a much lower level than most rootkits. They normally sit in the master boot record [MBR] or the volume boot record [VBR]; they take control before the system is fully booted so that it is harder for security software or the operating system [OS] to actually spot that something has inserted itself into the kernel”, Harley told Infosecurity.
Some examples of bootkits targeting the Windows 64-bit platform seen in 2011 include the TDL4, Win32/Olmasco, and Rovnix bootkits, Harley explained in a blog.
The TDL4 (Win32/Olmarik) bootkit, the first widely spread bootkit to target 64-bit systems, has been evolving to bypass security updates that address a vulnerability allowing abuse of WinPE mode, Harley wrote.
In order to gain control before the OS loader does, TDL4 overwrites the MBR code, while leaving the partition table untouched. When the malicious boot code gains control, it locates TDL4’s hidden storage and continues the boot process using the malware’s components, Harley explained.
Win32/Olmasco (MaxSS), an enhanced version of the TDL4 family of malware, first appeared in the wild in 2011. However, unlike its cousin, Win32/Olmasco modifies the partition table of the disk rather than patching MBR code, Harley noted.
Win32/Olmasco looks for an empty entry in the partition table and free space at the end of the hard drive in order to create a new partition containing payload and configuration information. The VBR of the malicious partition mimics the VBR of the legitimate partition, which makes Win32/Olmasco more difficult to detect, the ESET researcher noted.
Last year, a new bootkit called Win32/Rovnix was discovered. It modifies the VBR and bootstrap code and is able to bypass many security and antivirus programs, the blog noted.
Although not a rootkit, a new 64-bit ZeroAccess (Win32/Sirefef) modification appeared in the wild in 2011. Since there is no kernel-mode 64-bit driver, ZeroAccess drops the consrv.dll library into the “systemroot\system32” directory and registers it as part of the Windows subsystem, which the session manager subsystem (smss.exe) process (trusted system process) has to load during system startup, Harley explained.
The list of subsystems that need to be loaded is stored under the “required” value of the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems registry key. If one of the components of the “required” subsystems is missing, the system is rendered unbootable. Harley advised that this issue be taken into account while removing the threat from the system. “Deleting consrv.dll without applying corresponding changes to the registry key will break the system”, he wrote.
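As an added example, not code from the article or from ESET, the following Python audit reads a snapshot of the SubSystems key and flags two conditions Harley's remediation note implies: a subsystem module that is not part of the normal baseline (such as consrv), and a module the key still references after its DLL has been deleted. It assumes the `ServerDll=module:Entry,Id` token format of the Windows subsystem value and a baseline of basesrv, winsrv and sxssrv; the key contents and installed-module set are constructed, not read live.

```python
"""Audit a Windows SubSystems key snapshot for unexpected or dangling subsystem DLLs.

Constructed example: the registry key is modelled as a dict (Required is the
REG_MULTI_SZ list, other entries are the subsystem value strings) so it runs offline.
"""
import re

# Baseline server DLLs csrss loads on a clean Windows 7 x64 (assumption: adjust per build).
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Matches the module name in tokens like "ServerDll=winsrv:UserServerDllInitialization,3".
SERVER_DLL_RE = re.compile(r"ServerDll=([^:,\s]+)")


def parse_server_dlls(subsystem_value: str) -> list[str]:
    """Return the lower-cased module names referenced by ServerDll= tokens."""
    return [m.lower() for m in SERVER_DLL_RE.findall(subsystem_value)]


def audit_subsystems(key: dict, installed_modules: set[str]) -> dict:
    """Check every subsystem listed in Required.

    missing    - Required names with no value in the key (system will not boot)
    unexpected - ServerDll modules outside the baseline (e.g. consrv)
    dangling   - ServerDll modules whose DLL is not installed (e.g. after deleting consrv.dll
                 without editing the key; this also leaves the system unbootable)
    """
    required = key.get("Required", [])
    installed = {m.lower() for m in installed_modules}
    report = {"missing": [], "unexpected": {}, "dangling": {}}
    for name in required:
        if name not in key:
            report["missing"].append(name)
            continue
        modules = parse_server_dlls(key[name])
        extra = [m for m in modules if m not in KNOWN_SERVER_DLLS]
        gone = [m for m in modules if m not in installed]
        if extra:
            report["unexpected"][name] = extra
        if gone:
            report["dangling"][name] = gone
    return report


# Constructed snapshot of an infected key: consrv registered under the Windows subsystem.
INFECTED_KEY = {
    "Required": ["Debug", "Windows"],
    "Debug": "",
    "Windows": ("%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
                "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
                "ServerDll=consrv:ConServerDllInitialization,2 ServerDll=sxssrv,4"),
}

if __name__ == "__main__":
    print(audit_subsystems(INFECTED_KEY, {"basesrv", "winsrv", "sxssrv", "consrv"}))
    print(audit_subsystems(INFECTED_KEY, {"basesrv", "winsrv", "sxssrv"}))
```

The second call models the state after consrv.dll has been deleted but the key left untouched: the module is reported as dangling, which is the condition the remediation advice warns about.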
ESET researchers also observed that bootkits are using their own hidden storage, thereby avoiding relying on services provided by the OS. This allows the bootkits to keep their payload and configuration data secret where antivirus and security software is less likely to find them.
Harley predicted that bootkits will continue to evolve in complexity and stealth. Bootkits are no longer the realm of hacker hobbyists; “they are now being used by professional criminals”, he said.