Bootkit specifically developed for Windows Vista

Hi malware fighters,

Two programmers from India developed a boot-sector rootkit that can take over Windows Vista at startup. Nitin and Vipin Kumar describe their Vbootkit as a “shortcut” into the Vista kernel. A bootkit is a rootkit that can be loaded from boot-sectors (master boot record, CD, PXE, floppies etc), and stays in memory until the OS starts up.

Normal rootkits are installed while the OS is running, because they use software features to load (for which they should have admin rights to be installed). Where a bootkit is concerned, boot media are used to attack the operating system. Vbootkit is a bootkit specifically developed for Windows Vista, but there are also versions for Windows 2000, XP and Server 2003.

Despite the danger of a bootkit, a lot of AV vendors don’t scan for boot malware any longer. The pair of developers forwarded the binaries to various vendors but never got an official reaction. This software could also mean a “boot sector virus revival”, but circumventing DRM is also possible. At only 1500 bytes, this bootkit can be easily hidden inside the flash memory of the BIOS, as the developers let us know in an interview: http://www.securityfocus.com/columnists/442/1

polonus

Potentially very nasty. Though how it would get into the BIOS flash memory is the thing.

I mean, even with drive imaging software to restore infected partitions, if this is loaded into BIOS flash memory and can live there, restoring the partition wouldn’t resolve it.

If flash memory requires no power source, how do you clear the BIOS flash memory? Not by powering off, nor by removing the CMOS battery?

Does Avast detect this?

Thanks

Al968

I would strongly doubt it, as potentially it would be installed before avast was even running, and the same would be true of the majority of AVs.

The article mentions it could be hidden in the BIOS flash memory, and that could be running immediately on boot.