
New Bitdefender Tool Allows Bootkit Disinfection

Bootkits are the ultimate e-threats to one

It goes without saying that a bootkit infection can dramatically impact users’ security. Bootkit removal is extremely delicate: bootkits live outside the file system, and they can defeat security checks by returning a copy of the pristine master boot record whenever an antivirus or forensic utility reads the MBR from atop the compromised OS.

That is why we developed a tool that can detect and remove all known variants of bootkits. The tool is available for free in the Malware City Downloads section and can be used on both 32- and 64-bit versions of Windows.

Download the Bootkit Removal Tool

Bootkits, rootkits – what is all this about?

Rootkits are specially crafted to hide the presence of other files or processes on the system by manipulating the normal methods of detection. Since kernel-mode drivers run with the highest privileges on the compromised system, rootkits are also used to give regular malware access to critical areas of the operating system.

Although extremely powerful, rootkits have limitations. One is that 64-bit versions of Windows enforce kernel-mode code signing, which prevents a rootkit driver from installing itself unless it carries a valid digital signature. In short, during the early stages of operating-system initialization, the kernel's signature check separates benign drivers (i.e. antivirus defense mechanisms) from malicious, unsigned rootkits and stops the latter from infecting 64-bit machines.

The bootkit – a rootkit on steroids

Here is where bootkits get into the spotlight. Bootkits are special rootkits that load their code from a special area of the disk, the Master Boot Record, which gets control right after the BIOS has selected the boot device and loaded its first sector. The MBR is responsible for starting the operating-system loader, which subsequently loads the kernel; it is the kernel that checks whether a 64-bit kernel-mode driver is digitally signed. If it is not, the driver is prevented from loading, blocking the rootkit infection at a very early stage. However, if the MBR is compromised, the bootkit already runs before the kernel and can patch the kernel's digital-signature validation checks, the final barrier that would prevent an unauthorized kernel-mode rootkit from loading. This is the case with the notorious TDL-4 rootkit, which compromises 32- and 64-bit operating systems alike.
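As an added example (not code from this post or from Bitdefender's tool), the following Python parses a 512-byte MBR and performs the cross-view comparison that the hiding trick described earlier calls for: the sector as the running OS reports it versus the sector read out of band (for instance, from rescue media). A rootkit that filters disk reads can only fool the first view. The sample sectors, the boot-code bytes, the disk signature and the partition layout are all constructed here for illustration; on a real machine the two views would come from the physical drive opened inside Windows and from the same drive read after booting clean media.

```python
"""Parse a 512-byte MBR and compare two views of it (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold boot code; 440..443 the disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries start here
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector and return boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        if ptype == 0:          # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "partitions": partitions,
    }


def cross_view_check(in_os_view: bytes, offline_view: bytes) -> dict:
    """Compare the MBR as reported from inside the running OS with the MBR read
    out of band. A rootkit that filters disk reads hands the OS a pristine copy,
    so any difference, above all in the boot code, is a strong infection signal."""
    inside, outside = parse_mbr(in_os_view), parse_mbr(offline_view)
    findings = []
    if inside["boot_code_sha256"] != outside["boot_code_sha256"]:
        findings.append("boot code differs between in-OS and offline views")
    if inside["disk_signature"] != outside["disk_signature"]:
        findings.append("disk signature differs")
    if inside["partitions"] != outside["partitions"]:
        findings.append("partition table differs")
    return {"suspicious": bool(findings), "findings": findings}


def build_mbr(boot_code: bytes, disk_signature: int, partitions) -> bytes:
    """Assemble a sector from its parts (used here only to construct sample input)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, BOOT_CODE_LEN, disk_signature)
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16,
                         status, ptype, lba_start, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample data: one bootable NTFS (0x07) partition starting at LBA 2048.
PARTITIONS = [(0x80, 0x07, 2048, 204800)]
DISK_SIGNATURE = 0x1A2B3C4D
# Constructed stand-in for a standard boot loader stub (not real Windows MBR code).
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x90" * 24
# Constructed stand-in for bootkit code that has overwritten the original loader.
INFECTED_BOOT_CODE = b"\xeb\x3c\x90" + b"hypothetical-bootkit-loader" + b"\x00" * 8

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, DISK_SIGNATURE, PARTITIONS)
INFECTED_MBR = build_mbr(INFECTED_BOOT_CODE, DISK_SIGNATURE, PARTITIONS)


def demo() -> dict:
    """Case seen on an infected machine: the OS is handed the clean copy,
    but the sector read offline carries the bootkit's own boot code."""
    return cross_view_check(in_os_view=CLEAN_MBR, offline_view=INFECTED_MBR)


if __name__ == "__main__":
    print(demo())
```

The partition table is left identical in both views on purpose: a bootkit that merely swaps the boot code keeps the table intact so the machine still boots normally, which is why the boot-code hash, not the partition layout, is the field to compare first.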

All your data “are belong” to us

Full-disk encryption has been touted as the de facto norm for safely storing highly sensitive information, such as sales reports, intellectual property, prototypes and other critical assets of a business. However, most disk-encryption products keep their decryption module unencrypted in the Master Boot Record area, which means that a bootkit that takes control before that module runs can subvert it and have all the data stored on the affected disk transparently decrypted for the rootkit.

This tool is available courtesy of the Bitdefender Antirootkit Team.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.


  • Wow, that’s good news :D. Thanks Bogdan. Anyway, the new layout looks cool. Regards,


  • Every time I try using that link it takes me to a new webpage that stays partially blank. Nothing gets downloaded nor is there an option for a download of any sort. Please help.

  • I suggest buying a boot disk with an antivirus for bootkits/rootkits directly from antivirus makers. If this option is not available then you can try to keep it under control with downloads and techniques for removal. It won’t be long until rootkit/bootkit viruses take full control of computer machines. They know how to hide themselves, they infect any new disk you create with your downloads, they trick antivirus programs and they are or will be able to change their routines from a remote connection according to what the antivirus program is doing, they detect many antivirus names, they prevent connections to antivirus sites and you will never know if a machine where you do your boot disk is infected or not unless it’s brand new and it has a factory CD for the format. Keep in mind that if a virus hides itself in the BIOS it will come up again. It does not take long for a virus to send your BIOS information and infect your BIOS. Let’s keep busy.

    • @Roberto: Why buy a boot disk when you can get the Bitdefender Rescue CD for free from Just burn it on the disk, boot from it and launch a system scan. Don’t forget to grab some popcorn while you watch the malware die.

      One more thing, there’s no known virus that can hide in BIOS to date. There are some experimental pieces of malware that reside in BIOS, but they are exclusively proof-of-concept tools built by researchers and kept under wraps in labs.