Abstract
Bootkits are among the most advanced and persistent technologies used in modern malware. For a deeper insight into their behavior, we conducted the first large-scale analysis of bootkit technology, covering 2,424 bootkit samples on Windows 7 and XP over the past 8 years. From the analysis, we derive a core set of fundamental properties that hold for all bootkits on these systems and result in abnormalities during the system’s boot process. Based on those abnormalities we developed heuristics allowing us to detect bootkit infections. Moreover, by judiciously blocking the bootkit’s infection and persistence vector, we can prevent bootkit infections in the first place. Furthermore, we present a survey on their evolution and describe how bootkits can evolve in the future.
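The paper's own heuristics are not reproduced on this page. As an added illustration of the kind of boot-sector consistency check that a BIOS/MBR-era bootkit defence relies on (this is example code written for this page, not the authors' tool), the block below parses a classic 512-byte MBR and flags the abnormalities a practitioner would look for after an infection: modified boot code (compared against a known-good hash), a missing 0x55AA signature, more than one active partition, invalid status bytes, and overlapping partitions. All MBR images, the "clean" boot stub, and the patched bytes are constructed inline for the demonstration; they are not real Windows boot code or a real bootkit.

```python
"""Parse a 512-byte MBR and flag boot-sector abnormalities (added example)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot code run by the BIOS
PART_TABLE_OFF = 446     # 4 x 16-byte partition entries
SIG_OFF = 510            # 0x55 0xAA boot signature
PART_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions):
    """Construct an MBR image from boot code and (status, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    img = bytearray(MBR_SIZE)
    img[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(partitions[:4]):
        # CHS fields are left zeroed; the LBA fields are what matter here.
        struct.pack_into(PART_FMT, img, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    struct.pack_into("<H", img, SIG_OFF, 0xAA55)   # stored on disk as 55 AA
    return bytes(img)


def parse_mbr(img):
    """Return boot code, the non-empty partition entries and whether the signature is intact."""
    if len(img) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_FMT, img, PART_TABLE_OFF + 16 * i)
        if ptype != 0:   # type 0 marks an unused slot
            parts.append({"index": i, "status": status, "type": ptype,
                          "lba_start": lba, "sectors": count})
    (sig,) = struct.unpack_from("<H", img, SIG_OFF)
    return {"boot_code": img[:BOOT_CODE_LEN], "partitions": parts, "signature_ok": sig == 0xAA55}


def check_mbr(img, baseline_boot_sha256):
    """Return a list of abnormality tags; an empty list means the MBR looks untouched."""
    mbr = parse_mbr(img)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("bad-signature")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_boot_sha256:
        findings.append("boot-code-modified")
    if sum(1 for p in mbr["partitions"] if p["status"] == 0x80) > 1:
        findings.append("multiple-active-partitions")
    if any(p["status"] not in (0x00, 0x80) for p in mbr["partitions"]):
        findings.append("invalid-status-byte")
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in mbr["partitions"])
    if any(s2 < e1 for (_, e1), (s2, _) in zip(ranges, ranges[1:])):
        findings.append("partition-overlap")
    return findings


# --- constructed sample data (not real Windows boot code, not a real bootkit) ---
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8".ljust(BOOT_CODE_LEN, b"\x00")
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 204800)])
BASELINE_BOOT_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

# Boot code patched with a short jump to an injected stage: the classic MBR hook.
_patched = bytearray(CLEAN_MBR)
_patched[0:3] = b"\xeb\x3c\x90"                    # jmp short +0x3c; nop
_patched[0x3e:0x3e + 4] = b"\xfa\xfc\x31\xc0"       # stand-in for injected stage bytes
PATCHED_BOOT_MBR = bytes(_patched)

# Boot code intact, but a second "active" entry points into the gap before partition 1.
TAMPERED_TABLE_MBR = build_mbr(CLEAN_BOOT_CODE,
                               [(0x80, 0x07, 2048, 204800), (0x80, 0x07, 63, 1985)])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("patched-boot", PATCHED_BOOT_MBR),
                      ("tampered-table", TAMPERED_TABLE_MBR)):
        print(f"{name:15s} {check_mbr(img, BASELINE_BOOT_SHA256)}")
```

The baseline hash stands in for whatever trusted copy of the boot code the defender holds (for example, one taken right after installation); with a real disk, `open("\\\\.\\PhysicalDrive0", "rb").read(512)` on Windows or `/dev/sda` on Linux supplies the image, and the VBR of the active partition deserves the same comparison, since bootkits that leave the MBR alone and patch the VBR instead would pass these checks.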
Acknowledgements
The research was partly funded by the COMET K1 program by the Austrian Research Funding Agency (FFG). Sponsored by the ERC StG “Rosetta” and NWO VICI “Dowsing” projects.
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Grill, B., Bacs, A., Platzer, C., Bos, H. (2015). “Nice Boots!” - A Large-Scale Analysis of Bootkits and New Ways to Stop Them. In: Almgren, M., Gulisano, V., Maggi, F. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2015. Lecture Notes in Computer Science, vol 9148. Springer, Cham. https://doi.org/10.1007/978-3-319-20550-2_2
DOI: https://doi.org/10.1007/978-3-319-20550-2_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-20549-6
Online ISBN: 978-3-319-20550-2
eBook Packages: Computer Science (R0)