Comments on: Win32/Gapz: New Bootkit Technique
http://www.welivesecurity.com/2012/12/27/win32gapz-new-bootkit-technique/
News, Views, and Insight from the ESET Security Community
Feed generated: Mon, 03 Feb 2014 08:49:00 +0000

By: David Harley (Tue, 01 Jan 2013 19:46:27 +0000)
http://www.welivesecurity.com/2012/12/27/win32gapz-new-bootkit-technique/#comment-3835
It’s not really like that. ESET products include elements of behaviour blocking and HIPS. What’s more, you can simply use the default ruleset for HIPS.

By: Sagar Sehwag (Tue, 01 Jan 2013 14:38:08 +0000)
http://www.welivesecurity.com/2012/12/27/win32gapz-new-bootkit-technique/#comment-3834
Hi, I would like to suggest that you add a Behaviour Blocker in ESET, as HIPS is for advanced users.

By: David Harley (Fri, 28 Dec 2012 08:48:50 +0000)
http://www.welivesecurity.com/2012/12/27/win32gapz-new-bootkit-technique/#comment-3833
I asked Eugene about this, Andrea. He said: “Thanks for the interesting remark, but we haven’t encountered such a bootkit technique in the wild so far.”

By: Slim_d0g (Fri, 28 Dec 2012 05:46:33 +0000)
http://www.welivesecurity.com/2012/12/27/win32gapz-new-bootkit-technique/#comment-3832
Thanks for the awesome article! A lot of interesting information, as usual! =)

By: mike (Thu, 27 Dec 2012 17:17:09 +0000)
http://www.welivesecurity.com/2012/12/27/win32gapz-new-bootkit-technique/#comment-3831
Thank you for this well-written article. The diagrams are really helpful. I’m not from the AV industry, but it’s always interesting to read about the insights into current malware threats and also about the OS low-level specifics.

By: Andrea (Thu, 27 Dec 2012 14:35:32 +0000)
http://www.welivesecurity.com/2012/12/27/win32gapz-new-bootkit-technique/#comment-3830
Very interesting article. Btw, there are other possible infection vectors: for example, the modification of the "NTLDR"-compatible boot loader string found in the NTFS boot startup code (version 6) sector at offset 0x5C. In this way the boot program loads another real-mode program. I tested it and it works, but actually I don't see any rootkit that uses this method because of file creation constraints.
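Andrea's comment describes tampering with the loader file name that the NTFS volume boot record (VBR) bootstrap code looks up on the volume. The script below is an added example, not code from the article, ESET, or the commenter: it parses the documented NTFS VBR header fields, scans the bootstrap code region for the stock Microsoft loader names ("NTLDR" on older systems, "BOOTMGR" on Vista and later), and byte-compares the bootstrap region against a known-good copy, which catches any patching of that region, not only a swapped name. The sample sectors are constructed for the demo; placing the name at offset 0x5C follows the comment's description and is an assumption, as is the hypothetical replacement name "FAKELDR".

```python
"""Check the real-mode loader name and bootstrap code of an NTFS VBR.

Added example (not the article's or the commenter's code).  Header
offsets follow the published NTFS boot sector layout; the loader-name
location inside the bootstrap code (0x5C) is taken from the comment
above as an assumption, and the sample sectors are synthetic.
"""
import struct
from typing import List, Optional, Tuple

SECTOR_SIZE = 512
BOOTSTRAP_START = 0x54   # bootstrap code begins right after the extended BPB
BOOTSTRAP_END = 0x1FE    # 0x55AA boot signature occupies 0x1FE..0x1FF
# Space-padded 8.3 loader names the stock Microsoft VBR code searches for.
KNOWN_LOADERS = (b"NTLDR", b"BOOTMGR")
LOADER_NAME_OFFSET = 0x5C  # assumption: location described in the comment


def parse_ntfs_vbr(vbr: bytes) -> dict:
    """Decode the NTFS VBR header; raise ValueError if it is not an NTFS VBR."""
    if len(vbr) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    if vbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 0x0B)
    sectors_per_track, heads, hidden = struct.unpack_from("<HHI", vbr, 0x18)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", vbr, 0x28)
    (clusters_per_record,) = struct.unpack_from("<b", vbr, 0x40)  # signed
    (serial,) = struct.unpack_from("<Q", vbr, 0x48)
    cluster_size = bytes_per_sector * sectors_per_cluster
    # A negative value means the record size is 2**(-value) bytes.
    record_size = (2 ** -clusters_per_record if clusters_per_record < 0
                   else clusters_per_record * cluster_size)
    return {
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": cluster_size,
        "sectors_per_track": sectors_per_track,
        "heads": heads,
        "hidden_sectors": hidden,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "mftmirr_cluster": mftmirr_cluster,
        "file_record_size": record_size,
        "volume_serial": serial,
    }


def find_loader_name(vbr: bytes) -> Tuple[Optional[str], Optional[int]]:
    """Return (name, offset) of the first known loader name in the bootstrap code."""
    code = vbr[BOOTSTRAP_START:BOOTSTRAP_END]
    for name in KNOWN_LOADERS:
        idx = code.find(name)
        if idx != -1:
            return name.decode(), BOOTSTRAP_START + idx
    return None, None


def diff_bootstrap(reference: bytes, vbr: bytes) -> List[int]:
    """Offsets within the bootstrap region where vbr differs from reference."""
    return [i for i in range(BOOTSTRAP_START, BOOTSTRAP_END) if reference[i] != vbr[i]]


def check_vbr(vbr: bytes, reference: Optional[bytes] = None) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    try:
        parse_ntfs_vbr(vbr)
    except ValueError as exc:
        return [f"not a valid NTFS VBR: {exc}"]
    name, _ = find_loader_name(vbr)
    if name is None:
        findings.append("no known loader name (NTLDR/BOOTMGR) in bootstrap code")
    if reference is not None:
        changed = diff_bootstrap(reference, vbr)
        if changed:
            findings.append(f"bootstrap code differs from reference in "
                            f"{len(changed)} byte(s), first at 0x{changed[0]:X}")
    return findings


def build_sample_vbr(loader: bytes = b"NTLDR") -> bytes:
    """Construct a synthetic NTFS VBR for the demo (not a real Windows sector)."""
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xEB\x52\x90"                 # JMP to bootstrap, NOP
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)  # 512 B/sector, 8 sectors/cluster
    vbr[0x15] = 0xF8                             # media descriptor: fixed disk
    struct.pack_into("<HHI", vbr, 0x18, 63, 255, 2048)
    struct.pack_into("<QQQ", vbr, 0x28, 0x1FFFFF, 786432, 2)
    vbr[0x40] = 0xF6                             # -10: 1024-byte file records
    vbr[0x44] = 1
    struct.pack_into("<Q", vbr, 0x48, 0x1234567890ABCDEF)
    vbr[0x54:0x5C] = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"  # cli / xor ax,ax ...
    vbr[LOADER_NAME_OFFSET:LOADER_NAME_OFFSET + 11] = loader.ljust(11, b" ")
    vbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(vbr)


if __name__ == "__main__":
    clean = build_sample_vbr()
    tampered = build_sample_vbr(b"FAKELDR")     # hypothetical replacement name
    print(parse_ntfs_vbr(clean))
    print(find_loader_name(clean), check_vbr(clean))
    print(find_loader_name(tampered), check_vbr(tampered, reference=clean))
```

On a live Windows system the same checks run against the first 512 bytes of `\\.\C:` opened with administrator rights; keep a reference copy of the VBR from a known-clean state, since `diff_bootstrap` is the check that catches code patching rather than just a renamed loader.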