MalwareTech SBK – A Bootkit Capable of Surviving Reformat

Since i got into firmware hacking, I’ve been working on a little project behind the scenes: A hard disk firmware based rootkit which allows malware to survive an operating system re-install or full disk format. Unfortunately I can’t post a proof of concept for many reasons (people have even contacted me just to tell me not to post it), so instead I’ve written a presentation overviewing and explaining the rootkit, which I’ve dubbed MT-SBK.

The general purpose of MT-SBK is to provide a “framework” for my previous project, TinyXPB, A windows XP bootkit. This framework enables TinyXPB to be stored and loaded from within the hard disk firmware, preventing it from being removed by: antiviruses, operating system re-installs, or even full disk reformats. This rootkit is designed for a major brand of hard disk and can infect the firmware from within the operating system (no physical access required), it’s also completely undetectable to software running on the host computer. 
The only way to remove MT-SBK is by replacing that hard disk’s PCB or connecting an SPI programmer directly to the flash chip and flashing it with the original firmware. 
Uncategorized
9
Why Open Source Ransomware is Such a Problem

A while back 2sec4u posted a poll asking if people considered open source ransomware helpful to detection and prevention, with 46% voting yes. Although the poll wasn’t limited to people working in the antimalware industry, 46% is scarily high. Trying to prove a point, help me out Twitter. Is open source ransomware helping …

Uncategorized
1
Mapping Mirai: A Botnet Case Study

Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks, it’s also the bot used in the 620 Gbps DDoS attack on Brian Kreb’s blog and the 1.1 Tbps attack on OVH a few days later. Although Mirai isn’t even close to …

Uncategorized
1
Dridex Returns to the UK With Updated TTPs

With the exception of a few unconfirmed reports of Dridex targeting Baltic countries (which doesn’t make much sense economically), infection campaigns have ceased since mid August when Dridex briefly resumed spreading to propagate multiple new botnets aimed at Switzerland. This morning a friend of mine, Liam, reported receiving a malicious email which unusually didn’t …