“Nice Boots!” - A Large-Scale Analysis of Bootkits and New Ways to Stop Them

Conference paper in: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2015)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 9148)

Abstract

Bootkits are among the most advanced and persistent technologies used in modern malware. To gain deeper insight into their behavior, we conducted the first large-scale analysis of bootkit technology, covering 2,424 bootkit samples on Windows 7 and XP collected over the past eight years. From this analysis we derive a core set of fundamental properties that hold for all bootkits on these systems and that manifest as abnormalities during the boot process. Based on these abnormalities, we developed heuristics that detect bootkit infections. Moreover, by judiciously blocking the bootkit's infection and persistence vector, we can prevent infections in the first place. Finally, we survey the evolution of bootkits and describe how they may evolve in the future.
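The abstract names two ideas without showing them: boot-time abnormalities that a detection heuristic can look for, and blocking the infection and persistence vector so the bootkit never gets written to disk. The following Python sketch is an added example, not the paper's own heuristics or code. It works on a constructed 512-byte MBR and shows both sides: an integrity check that hashes the bootstrap code against a trusted baseline and sanity-checks the partition table, and a write-filter policy that denies raw writes to sector 0 and to the active partition's boot sector. The layout offsets, the sample MBR bytes, the baseline and the simulated write requests are all assumptions of this example; the paper's actual heuristics are not reproduced here.

```python
"""Illustrative MBR integrity and write-filter heuristics.

Added example; not the paper's own heuristics or code. Assumptions (not from
the page): a classic BIOS/MBR disk layout, a trusted SHA-256 baseline of the
bootstrap code taken from a clean install, and simulated disk I/O only.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_END = 440            # bootstrap code occupies offsets 0..439
PART_TABLE_OFF = 446          # 4 entries x 16 bytes, after the 6-byte disk-signature area
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
BOOT_SIG = b"\x55\xAA"        # expected at offsets 510..511


def parse_partition_table(mbr: bytes):
    """Return the four MBR partition entries as dicts (unused entries have type 0)."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * 16)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootcode_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code, the region a bootkit must alter to run before the OS."""
    return hashlib.sha256(mbr[:BOOTCODE_END]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str):
    """Return a list of findings for one 512-byte MBR; [] means no abnormality found."""
    if len(mbr) != SECTOR_SIZE:
        return ["MBR is not exactly one 512-byte sector"]
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if bootcode_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from trusted baseline")
    parts = [p for p in parse_partition_table(mbr) if p["type"] != 0]
    active = [p for p in parts if p["status"] & 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    if any(p["lba_start"] == 0 for p in parts):
        findings.append("partition entry starts at LBA 0, overlapping the MBR")
    parts.sort(key=lambda p: p["lba_start"])
    for prev, cur in zip(parts, parts[1:]):
        if cur["lba_start"] < prev["lba_start"] + prev["sectors"]:
            findings.append("partition entries overlap")
            break
    return findings


def protected_lbas(mbr: bytes):
    """Sectors a write filter should guard: the MBR and each active partition's boot sector (VBR)."""
    lbas = {0}
    for p in parse_partition_table(mbr):
        if p["type"] != 0 and p["status"] & 0x80:
            lbas.add(p["lba_start"])
    return lbas


def write_filter(offset: int, length: int, protected) -> str:
    """Policy for a (simulated) raw-disk write: 'deny' if it touches a protected sector."""
    if length <= 0:
        return "allow"
    first = offset // SECTOR_SIZE
    last = (offset + length - 1) // SECTOR_SIZE
    return "deny" if any(first <= lba <= last for lba in protected) else "allow"


def build_clean_mbr() -> bytes:
    """Constructed sample: a plausible clean MBR with one active NTFS (type 0x07) partition."""
    code = bytes.fromhex("33c08ed0bc007c") + b"\x90" * (BOOTCODE_END - 7)  # xor ax,ax; mov ss,ax; mov sp,7c00h; nops
    disk_sig = struct.pack("<IH", 0x1A2B3C4D, 0)                            # disk signature + reserved word
    table = struct.pack(PART_ENTRY_FMT, 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return code + disk_sig + table + BOOT_SIG


def infect(mbr: bytes) -> bytes:
    """Constructed infection: overwrite the start of the bootstrap code with a fake loader stub,
    leaving the partition table and boot signature intact so the machine still boots."""
    stub = bytes.fromhex("fa33c08ed0bc007cfb") + b"\xcc" * 7  # cli; ...; sti; padding (constructed bytes)
    return stub + mbr[len(stub):]


if __name__ == "__main__":
    clean = build_clean_mbr()
    baseline = bootcode_hash(clean)
    print("clean:   ", check_mbr(clean, baseline))
    print("infected:", check_mbr(infect(clean), baseline))
    guard = protected_lbas(clean)
    print("write to MBR: ", write_filter(0, 512, guard))
    print("write to VBR: ", write_filter(2048 * SECTOR_SIZE, 512, guard))
    print("write to data:", write_filter(4096 * SECTOR_SIZE, 4096, guard))
```

The baseline hash is the weak point of this kind of check: it must come from a known-clean state and be stored where the bootkit cannot reach it, otherwise an infection that lands before the baseline is taken is simply enrolled as normal. The write filter has the mirror-image caveat: it only helps while it sits below the code doing the writing, so a kernel-mode component that can reach the disk port directly bypasses it.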


Acknowledgements

The research was partly funded by the COMET K1 program by the Austrian Research Funding Agency (FFG). Sponsored by the ERC StG “Rosetta” and NWO VICI “Dowsing” projects.

Corresponding author: Bernhard Grill

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Grill, B., Bacs, A., Platzer, C., Bos, H. (2015). “Nice Boots!” - A Large-Scale Analysis of Bootkits and New Ways to Stop Them. In: Almgren, M., Gulisano, V., Maggi, F. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2015. Lecture Notes in Computer Science, vol. 9148. Springer, Cham. https://doi.org/10.1007/978-3-319-20550-2_2

  • DOI: https://doi.org/10.1007/978-3-319-20550-2_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-20549-6

  • Online ISBN: 978-3-319-20550-2
