2 ESET research articles on new MBR/VBR bootkit infection vector

Eset researchers Aleksandr Matrosov and Eugene Rodionov have published some research info on the 'Eset Threat blog' describing a new VBR infection technique and a new method for injecting a malicious payload into user-mode system processes.
'Win32/Gapz doesn’t have a malicious driver and all the bootkit functionality is loaded with the operating system boot process as shellcode sequences.'
-Win32/Gapz: steps of evolution link

'The latest modification of the Win32/Gapz bootkit infects the VBR of the active partition. What is remarkable about this technique is that only a few bytes of the original VBR are affected.
This makes the threat stealthier. The essence of this approach is that Win32/Gapz modifies the “Hidden Sectors” field of the VBR while all the other data and code of the VBR and IPL remain untouched.'
-Win32/Gapz: New Bootkit Technique link

 

Thanks for this.

 

Thanks for the links, Berserk, haven't been checking Eset blogs for some time, mainly because of a mountain of school projects...

 

Thanks for the info.

 

Thanks for sharing!

 

Thanks for sharing