It goes without saying that bootkit infection can dramatically impact usersâ€™security. Bootkit removal is extremely delicate, as bootkits live outside the file system and can manipulate security checks by returning a copy of the pristine master boot record whenever an antivirus or forensic utility is run atop of the compromised OS.
That is why we developed a tool that can detect and remove all known variants of bootkits. The tool is available for free on the Malware City Downloads section and can be used on both 32- and 64-bits of Windows.
Bootkits, rootkits – what is all this about?
Rootkits are specially crafted to hide the presence of other files or processes on the system by manipulating normal methods of detection. Since kernel-mode drivers run with higher privileges on the compromised system, they are also used to allow regular malware access to critical areas of the operating system.
Although extremely powerful, rootkits have limitations. One is the fact that security measures on 64-bit operating systems prevent them from installing themselves unless they have a valid digital signature. In short, upon the early stages of the operating system initialization, security checks filters benign (i.e. antivirus defense mechanisms) and malicious rootkits and stops the latter from infecting 64-bit machines.
The bootkit â€“a rootkit on steroids
Here is where bootkits get into the spotlight. Bootkits are special rootkits that load their code from a special area of the system, known as the Master Boot Record, that gets full control right after the BIOS has delegated the appropriate boot device. The MBR is responsible for initializing the operating system loader, which would subsequently load the kernel that checks whether a 64-bit kernel-mode driver is digitally signed. If itâ€™s not, it is prevented from loading, blocking the rootkit infection at a very early stage. However, if the MBR gets compromised, the bootkit is able to patch the kernel digital signature validation checks, the final barrier that would prevent an unauthorized kernel-mode rootkit from loading. This is the case with the notorious TDL-4 rootkit that can easily compromise 32- and 64-bit of operating systems alike.
All your data â€œare belongâ€to us
Full HDD encryption has been touted as the de-facto norm for safely storing highly sensitive information, such as sales reports, intellectual property, prototypes and other critical assets of a business. However, most HDD decryption modules are stored unencrypted in the master Boot Record area, which means that all the data stored on the affected disk can be transparently decrypted by the rootkit.
This tool is available courtesy of the Bitdefender Antirootkit Team.