The operating principle is quite simple – the bootloader checks signatures only when it loads a binary, and there is nothing in Windows 7 (or in any other version of Windows, for that matter) to check afterwards that what sits in memory is still what was verified and is actually what is being executed, which provides the boot-time rootkit with a way to load and run unsigned code with kernel privileges.
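As an added illustration, not taken from the original post or from Bitdefender, the following Python toy model reproduces the check-then-use gap described above: a loader that verifies a signature at load time, an image that is patched in memory after that check, and a second boot path that re-measures the loaded image just before handing over control, the way a measured-boot or runtime code-integrity check would. The HMAC "signature", the key, the image contents and the function names are all constructed stand-ins for this example.

```python
import hashlib
import hmac

# Constructed stand-in for a vendor code-signing key; a real loader would
# verify an asymmetric (Authenticode-style) signature instead of an HMAC.
SIGNING_KEY = b"demo-vendor-key-not-real"

# Constructed "kernel image": a short byte string whose contents we can inspect.
SIGNED_IMAGE = b"kernel: enforce code signing"


def sign(image: bytes) -> bytes:
    """Simplified signing: HMAC-SHA256 over the whole image."""
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


SIGNATURE = sign(SIGNED_IMAGE)


def loader_verify_and_load(image: bytes, signature: bytes) -> bytearray:
    """What the bootloader does: verify the signature, then copy the image into RAM."""
    if not hmac.compare_digest(sign(image), signature):
        raise ValueError("signature check failed: refusing to load")
    return bytearray(image)  # a mutable buffer plays the role of the loaded kernel


def execute(memory: bytearray) -> str:
    """Stand-in for transferring control: report what the in-memory code would do."""
    return memory.decode()


def patch_in_memory(mem: bytearray) -> None:
    """Constructed post-load modification: the loaded image is altered after the
    signature was checked, so the loader's verdict no longer describes it."""
    i = mem.find(b"enforce")
    mem[i:i + len(b"enforce")] = b"bypass "


def boot_without_runtime_check(image: bytes, signature: bytes, tamper) -> str:
    """Model of the flow the post describes: verify at load, then run whatever is in RAM."""
    mem = loader_verify_and_load(image, signature)
    tamper(mem)          # nothing looks at memory again before execution
    return execute(mem)


def boot_with_runtime_check(image: bytes, signature: bytes, tamper) -> str:
    """Same flow, but the loaded image is measured right after verification and
    re-measured immediately before control is transferred (measured-boot style)."""
    mem = loader_verify_and_load(image, signature)
    measured = hashlib.sha256(bytes(mem)).digest()   # measurement taken at load time
    tamper(mem)
    if not hmac.compare_digest(hashlib.sha256(bytes(mem)).digest(), measured):
        raise RuntimeError("in-memory image differs from what was verified")
    return execute(mem)


if __name__ == "__main__":
    print(boot_without_runtime_check(SIGNED_IMAGE, SIGNATURE, patch_in_memory))
    try:
        boot_with_runtime_check(SIGNED_IMAGE, SIGNATURE, patch_in_memory)
    except RuntimeError as exc:
        print("blocked:", exc)
```

The first boot path accepts the image because the signature was valid at load time and then executes the altered bytes, which is exactly the gap the post describes; the second path refuses because the measurement taken after loading no longer matches the image about to run. The measurement here is a plain in-process hash; in a real system it would be extended into a TPM PCR or enforced by the kernel's code-integrity machinery so that the check itself cannot simply be edited away.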
Running the bootkit itself is quite another matter – to do so, an attacker would need physical access to the targeted machine in order to insert a disk containing the kit – at least, if Vbootkit 2.0 works anything like 1.0.
It’s either that, or tricking the user into booting from an infected disk. Not impossible, but not easy either.
Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. Recruited by Bitdefender in 2004 to add zest to the company's online presence.