Boot-time Malware Comeback

Security researchers Nitin Kumar and Vipin Kumar announced and demoed at HITB Dubai 2009 the second version of Vbootkit, a boot-time rootkit that is designed to crack open Windows 7.

The operating principle is quite simple – the bootloader verifies signatures on the binaries it loads, but nothing in Windows 7 (or in any other version of Windows, for that matter) verifies that the code which actually ends up executing in memory is still the code that was verified. That gap between load-time checking and execution is what gives the boot-time rootkit a way to load and run unsigned code with kernel privileges.
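To make the load-versus-execute gap concrete, here is a small simulation added to this post (it is not code from the Vbootkit researchers or from Bitdefender). A toy "bootloader" verifies a signature over an image on disk, copies it into a memory buffer and then runs whatever is in the buffer; a hook standing in for the bootkit modifies the buffer in between. The signing key, image bytes and HMAC-as-signature are all constructed stand-ins.

```python
import hashlib
import hmac

# Constructed sample values; the "signing key" stands in for the platform's trusted key.
SIGNING_KEY = b"constructed-platform-key"
SIGNED_IMAGE = b"legitimate kernel code"
UNSIGNED_PAYLOAD = b"unsigned code running with kernel privileges"


def sign(image: bytes) -> bytes:
    """Stand-in for a code signature: an HMAC over the image bytes."""
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


def verify(image: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(image), signature)


def load_then_execute(disk_image, signature, tamper, remeasure):
    """Model of the boot sequence.

    `tamper` is a hook for whatever modifies memory after the load (in the post,
    the bootkit). With remeasure=False the loader trusts its load-time check and
    runs the buffer as-is; with remeasure=True it checks the buffer again right
    before execution. Returns (checked_ok, executed_bytes).
    """
    if not verify(disk_image, signature):
        return False, None            # load-time check: the disk image is signed
    memory = bytearray(disk_image)    # image copied into memory after the check
    tamper(memory)                    # between load and execute the buffer may change
    if remeasure and not verify(bytes(memory), signature):
        return False, None            # execution-time check: memory no longer matches
    return True, bytes(memory)


def swap_payload(memory: bytearray) -> None:
    """The tampering hook: replace the verified image with unsigned code."""
    memory[:] = UNSIGNED_PAYLOAD


def demo():
    """Run both loaders against the same tampering and return their outcomes."""
    sig = sign(SIGNED_IMAGE)
    naive = load_then_execute(SIGNED_IMAGE, sig, swap_payload, remeasure=False)
    checked = load_then_execute(SIGNED_IMAGE, sig, swap_payload, remeasure=True)
    return naive, checked
```

The naive loader reports success and executes the unsigned payload, while the re-measuring loader refuses. A re-measurement done by the same software the bootkit already controls can be subverted in turn, which is why the measurement has to be anchored outside that software, as TPM-based measured boot does.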

Running the bootkit itself is quite another matter – to do so, an attacker would have to have physical access to the attacked machine in order to boot it from a disk containing the kit – at least, if Vbootkit 2.0 works anything like 1.0.

It’s either that, or tricking the user into booting from an infected disk. Not impossible, but not easy either.

About the author

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking.

Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since.

In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.