2 ESET research articles on new MBR/VBR bootkit infection vector

Discussion in 'malware problems & news' started by Baserk, Dec 27, 2012.

Thread Status:
Not open for further replies.
  1. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Eset researchers Aleksandr Matrosov and Eugene Rodionov have published some research info on the 'Eset Threat blog' describing a new VBR infection technique and a new method for injecting a malicious payload into user-mode system processes.
    'Win32/Gapz doesn’t have a malicious driver and all the bootkit functionality is loaded with the operating system boot process as shellcode sequences.'
    -Win32/Gapz: steps of evolution link

    'The latest modification of the Win32/Gapz bootkit infects the VBR of the active partition. What is remarkable about this technique is that only a few bytes of the original VBR are affected.
    This makes the threat stealthier. The essence of this approach is that Win32/Gapz modifies the “Hidden Sectors” field of the VBR while all the other data and code of the VBR and IPL remain untouched.'
    -Win32/Gapz: New Bootkit Technique link
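The quoted ESET description gives defenders a concrete thing to look at: on an MBR disk the NTFS VBR's "Hidden Sectors" field (4 bytes at offset 0x1C of the BPB) normally equals the start LBA of the partition as recorded in the MBR partition table, so a VBR whose Hidden Sectors no longer matches its partition entry is worth a closer look. The script below is an added example written for this thread; it is not code from ESET or from the Gapz analysis. It constructs a sample MBR and NTFS VBR in memory (labelled as constructed data), reads the two values back, and reports whether they agree. Reading the real sectors from a disk or image is left to the caller, since the check functions simply take 512-byte sectors as `bytes`.

```python
import struct

SECTOR_SIZE = 512
MBR_PARTITION_TABLE_OFFSET = 0x1BE
BOOT_SIGNATURE = b"\x55\xAA"
NTFS_OEM_ID = b"NTFS    "
NTFS_HIDDEN_SECTORS_OFFSET = 0x1C   # 4-byte little-endian field in the NTFS BPB


def build_sample_mbr(active_start_lba, active_size_sectors):
    """Construct a minimal MBR (sample data, not read from a real disk) with one
    active NTFS partition in slot 0 of the partition table."""
    mbr = bytearray(SECTOR_SIZE)
    # boot flag, CHS start (3 bytes), type 0x07 (NTFS), CHS end (3 bytes), start LBA, size
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3,
                        active_start_lba, active_size_sectors)
    mbr[MBR_PARTITION_TABLE_OFFSET:MBR_PARTITION_TABLE_OFFSET + 16] = entry
    mbr[0x1FE:0x200] = BOOT_SIGNATURE
    return bytes(mbr)


def build_sample_ntfs_vbr(hidden_sectors):
    """Construct a minimal NTFS VBR (sample data) whose BPB carries the given
    Hidden Sectors value; the bootstrap code area is left as zeros."""
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xEB\x52\x90"                      # jump over the BPB
    vbr[3:11] = NTFS_OEM_ID
    struct.pack_into("<H", vbr, 0x0B, SECTOR_SIZE)  # bytes per sector
    vbr[0x0D] = 8                                   # sectors per cluster
    struct.pack_into("<I", vbr, NTFS_HIDDEN_SECTORS_OFFSET, hidden_sectors)
    vbr[0x1FE:0x200] = BOOT_SIGNATURE
    return bytes(vbr)


def active_partition_start_lba(mbr):
    """Return the start LBA of the active (bootable) primary partition,
    or None if no entry carries the 0x80 boot flag."""
    if len(mbr) < SECTOR_SIZE or mbr[0x1FE:0x200] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    for slot in range(4):
        off = MBR_PARTITION_TABLE_OFFSET + 16 * slot
        boot_flag = mbr[off]
        start_lba = struct.unpack_from("<I", mbr, off + 8)[0]
        if boot_flag == 0x80:
            return start_lba
    return None


def ntfs_vbr_hidden_sectors(vbr):
    """Read the Hidden Sectors field from an NTFS VBR."""
    if len(vbr) < SECTOR_SIZE or vbr[3:11] != NTFS_OEM_ID:
        raise ValueError("not an NTFS VBR: OEM ID mismatch")
    return struct.unpack_from("<I", vbr, NTFS_HIDDEN_SECTORS_OFFSET)[0]


def check_hidden_sectors(mbr, vbr):
    """Compare the VBR's Hidden Sectors with the active partition's start LBA
    from the MBR. For a primary partition on an MBR disk these normally agree;
    a mismatch is a signal to compare the VBR and the sectors it references
    against a known-good image, not proof of infection on its own."""
    start_lba = active_partition_start_lba(mbr)
    hidden = ntfs_vbr_hidden_sectors(vbr)
    return {
        "partition_start_lba": start_lba,
        "vbr_hidden_sectors": hidden,
        "consistent": start_lba is not None and start_lba == hidden,
    }


if __name__ == "__main__":
    mbr = build_sample_mbr(2048, 1_000_000)
    print("clean   :", check_hidden_sectors(mbr, build_sample_ntfs_vbr(2048)))
    print("changed :", check_hidden_sectors(mbr, build_sample_ntfs_vbr(2048 + 512)))
```

To use it on a real system, read sector 0 of the disk and the first sector of the active partition from a forensic image and pass them to `check_hidden_sectors`; a result with `"consistent": False` means the VBR's BPB no longer points where the partition table says the volume begins, which is exactly the kind of small change the ESET post says is easy to overlook when only the VBR code is being compared.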
     
  2. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Thanks for this.
     
  3. Janus

    Janus Registered Member

    Joined:
    Jan 2, 2012
    Posts:
    588
    Location:
    Europe - Denmark.
    Thanks for the links, Baserk, haven't been checking Eset blogs for some time, mainly because of a mountain of school projects...
     
  4. encus

    encus Registered Member

    Joined:
    Nov 2, 2009
    Posts:
    535
    Thanks for the info.
     
  5. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Thanks for sharing! :thumb:
     
  6. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Thanks for sharing :thumb:
     