Stealthy Bootkit Discovered

Thursday, November 10, 2011 @ 09:11 PM gHale

One of the first malicious programs discovered that qualifies as a bootkit can slip past anti-virus solutions unnoticed.

In the past months the malware identified as Rootkit.MBR.Whistler.B has been infecting master boot records thanks to its new evasion techniques, said researchers at Bitdefender.


The bootkit keeps its data after the last partition on the disk; if it doesn’t find enough unpartitioned space there, it shrinks the last partition until at least 400 sectors are available.

The first sector, which defines the components of Whistler, undergoes a different encryption with the aid of an additional key specific to the infected system; that key ends up hardcoded into the malware’s code.

To make sure security products don’t detect it as easily as before, the new variant comes with all its components encrypted, unlike the previous version, which had only the malicious code encrypted and left the rest in plain text. The encryption key consists of the absolute sector’s LBA.
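The hiding place described above, unpartitioned space after the last partition, is something a defender can check for directly. The following is an added example, not code from the article or from Bitdefender: it parses the classic MBR partition table, works out where the last partition ends, and flags any sector in the remaining slack that is not zero-filled (encrypted components like the ones described would show up there as non-zero data). The sample disk image is constructed inline; the 400-sector figure is the one quoted in the article.

```python
import struct

SECTOR = 512
MIN_SLACK = 400  # the article says Whistler frees at least 400 sectors after the last partition

def partition_entries(mbr: bytes):
    """Return (start_lba, sector_count) for each used entry in a classic MBR.

    Each of the four 16-byte entries at offset 446 holds the type byte at
    offset 4 and the little-endian LBA start / sector count at offsets 8 and 12.
    """
    entries = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count:
            entries.append((start, count))
    return entries

def last_partition_end(mbr: bytes) -> int:
    """LBA of the first sector after the last partition (0 if the table is empty)."""
    return max((s + c for s, c in partition_entries(mbr)), default=0)

def scan_slack(disk: bytes):
    """Return (slack_sectors, suspicious_lbas, indicator).

    suspicious_lbas lists sectors after the last partition that are not all
    zero; indicator is True when the slack is at least MIN_SLACK sectors AND
    carries non-zero data, the combination the article describes.
    """
    total = len(disk) // SECTOR
    end = last_partition_end(disk[:SECTOR])
    suspicious = [lba for lba in range(end, total)
                  if any(disk[lba * SECTOR:(lba + 1) * SECTOR])]
    slack = total - end
    return slack, suspicious, bool(suspicious) and slack >= MIN_SLACK

def build_disk(total_sectors, part_start, part_count, payload_lba=None):
    """Constructed sample image: one NTFS-type partition, optional data in the slack."""
    disk = bytearray(total_sectors * SECTOR)
    # status, CHS start (3), type 0x07, CHS end (3), then LBA start and count
    disk[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", part_start, part_count)
    disk[510:512] = b"\x55\xaa"  # boot signature
    if payload_lba is not None:
        disk[payload_lba * SECTOR:(payload_lba + 1) * SECTOR] = bytes(range(256)) * 2
    return bytes(disk)
```

On a live system the same functions can be fed the first sector plus the tail of the raw block device (which needs administrator rights), and a GPT disk must be handled through its protective MBR and GPT headers instead. Non-zero slack is a lead rather than proof, since backup GPT headers and vendor data also live past the last partition.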

Analysing this bootkit is highly difficult, since the dropper removes itself once it has finished infecting the MBR. The driver loaded while the machine boots injects the payload into processes that will later make sure other malicious components land on the system.

Since it doesn’t hide its MBR code like other such bootkits, and because its payload remains fairly well hidden, Whistler is much harder for anti-virus programs to detect. Another thing that helps it hide is that it doesn’t keep any files on the hard disk of the infected device.

“It is almost certain that this bootkit will continue its evolution, improving and adding new components. It was built to be just a layer under which other malware are stealthily loaded, so it is possible it would gain more diverse payloads in the near future, hosting different kinds of malware,” a Bitdefender researcher said.
