Bootkits, Windigo, and Virus Bulletin

Bootkits, Windigo, and Virus Bulletin

ESET research on Operation Windigo received an award at Virus Bulletin 2014. Our research on bootkits was also well received, and is now available publicly.

ESET research on Operation Windigo received an award at Virus Bulletin 2014. Our research on bootkits was also well received, and is now available publicly.

So another Virus Bulletin has come and gone.

First of all, congratulations to Pierre-Marc Bureau and his colleagues Olivier Bilodeau, Joan Calvet, Alexis Dorais-Joncas, Marc-Etienne Léveillé and Benjamin Vanheuverzwijn, who were the first recipients of Virus Bulletin’s Péter Szőr award, in memory of the much-missed researcher who died last year.  Péter was not only an accomplished researcher and presenter, but a fine author whose The Art of Computer Virus Research and Defense is one of the classic books on malware. The team from ESET received the award in recognition of their research (blogged here by Pierre-Marc and available as a white paper here) on Operation Windigo, the credential-stealing Linux server-side malware.

Secondly, the paper by Eugene Rodionov, Alexander Matrosov (now with Intel) and myself on Bootkits: Past, Present and Future is now available from the Virus Bulletin site. (And will in due course be available along with most of ESET’s other conference papers here.) The slide deck from the presentation is also available from the Virus Bulletin site here.

Here’s the abstract for the bootkits paper:

Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish a persistent and stealthy presence in their victims’ systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits are not effective against UEFI-based platforms. So, are UEFI-based machines immune against bootkit threats (or would they be)?

The aim of this presentation is to show how bootkit threats have evolved over time and what we should expect in the near future. First, we will summarize what we have learned about the bootkits seen in the wild targeting the Microsoft Windows platform: from TDL4 and Rovnix (the one used by the Carberp banking trojan) up to Gapz (which employs one of the stealthiest bootkit infection techniques seen so far). We will review their infection approaches and the methods they have employed to evade detection and removal from the system.

Secondly, we will look at the security of the increasingly popular UEFI platform from the point of view of the bootkit author as UEFI becomes a target of choice for researchers in offensive security. Proof-of-concept bootkits targeting Windows 8 using UEFI have already been released. We will focus on various attack vectors against UEFI and discuss available tools and what measures should be taken to mitigate against them.

The paper is actually partly based on a book on advanced malware analysis of bootkits and rootkits by Alex and Eugene (with a little help from me) scheduled for publication by No Starch press in 2015.

I hope to have news of other ESET research presented at VB2014 in due course.

David Harley
ESET Senior Research Fellow