August 1, 2013
The phantom of the boot sector.
My power over you
grows stronger yet
(с) Andrew Lloyd Webber – Phantom Of The Opera
In the ongoing battle between malware and anti-malware technologies, there’s an interesting game that keeps getting played over and over – king of the castle.
The rules are simple: the winner is the one who loads itself into the computer memory first, seizes control of the ‘levers’, and protects itself from other applications. And from the top of the castle you can calmly survey all around and guard the order in the system (or, if you’re malicious, on the contrary – you can cause chaos, which goes both unnoticed and unpunished).
In short, the winner takes all, i.e., control over the computer.
And the list of applications wanting to do the boot process first begins with (as the name might suggest) the boot sector – a special section of the disk that stores all the instructions for what, when and where to load. And, terror of terrors, even the operating system sticks to this list! No wonder cybercriminals have long taken an unhealthy interest in this sector, since abusing it is the ideal way to get first out of the blocks while completely hiding the fact that the computer is infected. And the cybercriminals are helped in this by a particular class of malware – bootkits.
How your computer loads
To find out what bootkits are and how we protect you against them – read on…
In actual fact bootkits have been around quite a while.
As early as the mid-eighties they were one of the most popular strains of viruses. The very first DOS virus, Brain, was a bootkit. But the virus hunters learned how to deal with them fairly quickly, so the virus writers lost interest in them almost as swiftly, and moved on to other more effective (for them!) methods like macro-viruses for MS Office and Internet worms.
Bootkits got their second wind at the end of 2007, when a new version of the Trojan-spyware Sinowal appeared, which was able to infect boot sectors. This came as quite a shock to some antivirus companies, which had considered it a thing of the past (since the end of the nineties) – so much so that some products were absolutely unable to protect the boot sector.
Although bootkits by no means represent a world-scale pandemic, our reports do show that they’re a stable background (but still noticeable) nuisance. And the computer underground is always coming up with new tricks…
But if bootkits are so cunning and undetectable, you may wonder why they aren’t more widespread. Are they really worth all the effort, as in – do we need to worry about developing protection from them at all?
Well, first of all, we estimate the number of computers in the world infected with various bootkits at about 10 million – hardly a small quantity representing a limited problem against which defenses can be overlooked.
Secondly, this method of infection is actively used in sophisticated state-sponsored targeted attacks (for instance, the infamous FinSpy). You’ll surely agree that becoming a victim of cyberwar or special ops is also not the most attractive of prospects.
And thirdly, to create a bootkit demands a very deep knowledge of system programming, which by far from every cyber-baddie possesses. Bootkits are indeed cunning and undetectable – but not invincible. To defend against such things is also far from simple. Still, we manage it – and rather successfully. Here’s how…
Bootkit infections, 2013
(based on Kaspersky Lab product users’ data only)
First a few words about the life cycle of a bootkit.
Usually a bootkit attack starts with a vulnerability in the operating system or software installed on your computer. You simply visit a website, it probes the computer and, if any weak points are found, it attacks. Specifically: a file is surreptitiously loaded onto the computer, which starts the infection.
Upon infection the bootkit writes itself onto the boot sector and moves the boot sector’s original contents to a well-sheltered spot on the hard drive and encrypts them. From then on each time the computer is switched on the bootkit loads into the memory its modules, which contain various malicious payloads (like a banking Trojan) and their means of concealment – a rootkit. The rootkit is necessary to hide the fact that the computer is infected; it recognizes later attempts by the operating system or other applications (including antivirus) to check the contents of the boot sector and simply slips the original contents back into the boot sector from the cozy shelter! And lo and behold – it looks as if everything is okay!
It would appear that with this monopoly of control over the system such a cyber-infection could only be removed by booting from another disk with a clean operating system and a good antivirus. That’s certainly one option. But we’ve developed a technology that can help fight active bootkits (including unknown ones!) without such surgery – curing the computer automatically.
In both our corporate and personal products there’s a boot emulator. Like our emulator for the operating system or browser, it creates an artificial environment replicating the process of booting the computer. Then the emulator intelligently goes round all the intercepted disk functions, collects all the necessary sectors, forms a special bootable container and launches it in this environment. The bootkit thinks it’s time to spring into action and starts its standard procedure… and it’s at that point we pounce on it! The suspicious object is sent to our virus analysts via our cloud-based anti-malware service KSN to develop the appropriate protection and update the databases; from then on it’s a matter of the technology doing its stuff: the antivirus deciphers the original boot sector, deletes the bootkit and all its modules, and restores the system. If you cannot wait, it’s possible to try and cure the comp with our free KVRT utility.
What’s reeaally cool about this tech is how it helps protect against unknown bootkits.
First, we use local heuristic analysis and detect suspicious activity during the boot emulation. Second, we use our KSN-cloud, which uses statistical methods on those same containers to detect bootkit anomalies.
Like any other emulator, virtually booting the computer is a terribly resource-intensive process. But then, why would you frequently conduct in-depth analysis of the boot sector? In short, we went for the best of both worlds – so that scanning the boot sector is done on demand, can be scheduled (for instance for at night), or done when the computer is idle. Job done and everybody happy :).
So what’s next?
Without a doubt bootkits will evolve further and become more advanced. One obvious example of just how is the polymorphic malware XPAJ, which easily gets round even the recently introduced Windows defense feature to mask its bootkit module. Also on the agenda we have bioskits – which get even deeper into the system level…
It’s also clear that this class of malware will remain a weapon of choice for just a small number of cybercrime groups – to logically attract less attention to themselves by staying in the shade.
There’ll also be another kind of shade for them – that provided by a number of popular antivirus products that have simply forgotten about protection against bootkits. And here’s the proof: below are the results of a recent comparative test of various antiviruses’ capability to cure active infections with various common bootkits. The picture is gloomy, but with glints of optimism…
All in all, things are going to get interesting. Meantime, we’re not standing idle either. We’re thinking, working, inventing, introducing, detecting, curing… and saving the world!