
New Bitdefender Tool Allows Bootkit Disinfection


maia


Bootkits are the ultimate e-threats to one’s PC. They have been around since Windows 2000 and have undergone consistent development to circumvent the security mechanisms of operating systems ever since. No doubt, bootkits are the most dangerous and powerful breeds of malware, as they subvert the system at the most basic level possible.

It goes without saying that bootkit infection can dramatically impact users' security. Bootkit removal is extremely delicate, as bootkits live outside the file system and can manipulate security checks by returning a copy of the pristine master boot record whenever an antivirus or forensic utility is run atop the compromised OS.

That is why we developed a tool that can detect and remove all known variants of bootkits. The tool is available for free on the Malware City Downloads section and can be used on both 32- and 64-bit versions of Windows.

Bootkits, rootkits - what is all this about?

Rootkits are specially crafted to hide the presence of other files or processes on the system by manipulating normal methods of detection. Since kernel-mode drivers run with higher privileges on the compromised system, they are also used to allow regular malware access to critical areas of the operating system.

Although extremely powerful, rootkits have limitations. One is the fact that security measures on 64-bit operating systems prevent them from installing themselves unless they have a valid digital signature. In short, during the early stages of the operating system initialization, security checks filter benign (i.e. antivirus defense mechanisms) and malicious rootkits and stop the latter from infecting 64-bit machines.

The bootkit: a rootkit on steroids

Here is where bootkits get into the spotlight. Bootkits are special rootkits that load their code from a special area of the system, known as the Master Boot Record, that gets full control right after the BIOS has delegated to the appropriate boot device. The MBR is responsible for initializing the operating system loader, which would subsequently load the kernel that checks whether a 64-bit kernel-mode driver is digitally signed. If it's not, it is prevented from loading, blocking the rootkit infection at a very early stage. However, if the MBR gets compromised, the bootkit is able to patch the kernel digital signature validation checks, the final barrier that would prevent an unauthorized kernel-mode rootkit from loading. This is the case with the notorious TDL-4 rootkit that can easily compromise 32- and 64-bit operating systems alike.

All your data are belong to us

Full HDD encryption has been touted as the de-facto norm for safely storing highly sensitive information, such as sales reports, intellectual property, prototypes and other critical assets of a business. However, most HDD decryption modules are stored unencrypted in the Master Boot Record area, which means that all the data stored on the affected disk can be transparently decrypted by the rootkit.

This tool is available courtesy of the Bitdefender Antirootkit Team.

Download 32 bit version:

http://www.malwarecity.com/community/index.php?app=downloads&module=display&section=download&do=confirm_download&hash=271585ed188b6e5d2a0ad99f6b887fa7

Download 64 bit version:

http://www.malwarecity.com/community/index.php?app=downloads&module=display&section=download&do=confirm_download&hash=efe17b1e1a0a035856345602bc0752cd

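The post makes two points a defender can act on: the MBR is the first code to run after the BIOS hands over to the boot device, and a bootkit can hand back a pristine-looking copy of that sector to any tool reading it from inside the running OS. The Python below is an added example, not Bitdefender's tool or any code from the post: it parses a 512-byte MBR image (boot signature, partition table, boot-code region) and compares the SHA-256 of the boot code with a baseline recorded while the machine was known clean. Because of the forged-copy behaviour the post describes, the comparison is only meaningful for a sector image acquired offline (for instance from boot media), not one read through a possibly compromised OS. The sample MBR bytes, the partition entry and the baseline hash are all constructed inline for the demonstration.

```python
"""Parse a 512-byte MBR image and compare its boot-code hash with a known-good baseline."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # executable boot code occupies bytes 0..445
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow the boot code
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (LBA fields are little-endian)."""
    status, _start_chs, ptype, _end_chs, lba_start, sector_count = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "bootable": bool(status & 0x80),
        "type": ptype,
        "lba_start": lba_start,
        "sector_count": sector_count,
    }


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature, hash the boot-code region and decode the partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected a {MBR_SIZE}-byte sector, got {len(sector)}")
    if sector[MBR_SIZE - 2:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        entry = parse_partition_entry(sector[off:off + PARTITION_ENTRY_LEN])
        if entry["type"] != 0:  # partition type 0x00 marks an unused slot
            partitions.append(entry)
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
    }


def boot_code_matches_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code region hashes to the value recorded on a known-clean system.

    Only trust the result for an image taken offline: a bootkit running under the OS
    can return a pristine copy of the sector to anything that reads it in place.
    """
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


def _build_sample_mbr() -> bytes:
    """Constructed stand-in for a real MBR: a short stub padded to 446 bytes, one partition."""
    boot_code = (b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 8).ljust(BOOT_CODE_LEN, b"\x00")
    # Constructed entry: bootable, type 0x07 (NTFS), starts at LBA 2048, 204800 sectors long.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    empty = b"\x00" * PARTITION_ENTRY_LEN
    return boot_code + entry + empty * 3 + BOOT_SIGNATURE


SAMPLE_MBR = _build_sample_mbr()
# Baseline recorded while the (constructed) machine is known clean.
KNOWN_GOOD_SHA256 = parse_mbr(SAMPLE_MBR)["boot_code_sha256"]

# Constructed tampered copy: one byte inside the boot-code region is flipped.
_tampered = bytearray(SAMPLE_MBR)
_tampered[0x10] ^= 0xFF
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("partitions:", info["partitions"])
    print("clean image matches baseline:", boot_code_matches_baseline(SAMPLE_MBR, KNOWN_GOOD_SHA256))
    print("tampered image matches baseline:", boot_code_matches_baseline(TAMPERED_MBR, KNOWN_GOOD_SHA256))
```

On a real system the 512-byte image would be read from the physical disk with the machine booted from trusted media, and the baseline hash would be stored off the machine; the partition table decode is there so an unexpected change to the boot flag, partition type or start LBA is visible alongside a boot-code mismatch.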

Let me try it and see how my PC is infected :rofl:

PS: it started and scanned and found nothing; scanning time 2 seconds. It did scan :dunno: :think:



Nice, will try it. It would be nice to have a rootkit removal program that works with 64-bit.


