Uncategorized
2

MalwareTech SBK – A Bootkit Capable of Surviving Reformat

Since i got into firmware hacking, I’ve been working on a little project behind the scenes: A hard disk firmware based rootkit which allows malware to survive an operating system re-install or full disk format. Unfortunately I can’t post a proof of concept for many reasons (people have even contacted …

Uncategorized
4

Bootkit Disk Forensics – Part 3

Getting Original Pointers XP is a little more complicated than newer systems due to the use of a single driver for both port and miniport; however, getting the original pointers is fairly straight forward depending on how you do it. IRP_MJ_SCSI & DriverStartIo – Method 1 (Windows XP) A common …

Uncategorized
10

Bootkit Disk Forensics – Part 2

DriverStartIo As I explained in the previous article: DriverStartIo is used by older miniports to actually perform the disk I/O, it takes 2 parameters (a device object and an IRP), exactly the same as IoCallDriver does. The call to DriverStartIo is done with IoStartPacket; however, the device object passed is …

Uncategorized
9

Bootkit Disk Forensics – Part 1

Recently I got the idea to play around with bypassing bootkit disk filters from an email i received, which highlighted that my MBR spoofing code was able to get underneath the driver of a popular forensics tool, preventing it from reading the real disk sectors. Although I believe disk forensics …

Uncategorized
6

Using Kernel Rootkits to Conceal Infected MBR

If you’ve look at any of the major bootkits such as TDL4 and Rovnix, you’ve probably noticed they employ certain self defense features to prevent removal; specifically, intercepting read/write requests to the boot sectors. While these defense mechanisms can fool some software, they may, in some cases, make infections even …

Uncategorized
1

Rovnix new “evolution”

Rovnix is an advanced VBR (Volume Boot Record) rootkit best known for being the bootkit component of Carberp. The kit operates in kernel mode, uses a custom TCP/IP stack to bypass firewalls, and stores components on a virtual filesystem outside of the partition. Yesterday Microsoft posted an update explaining a …

Uncategorized
6

Coding Malware for Fun and Not for Profit (Because that would be illegal)

A while ago some of you may remember me saying that I was so bored of there being no decent malware to reverse, that I might as well write some. Well, I decided to give it a go and I’ve spent some of my free time developing a Windows XP …

Uncategorized
10

Carberp source code now leaked

The Bootpocalypse While security blogs are still flooding the internet with the old news of the carberp source going on sale for $50k, I’d like to take some time to give you some slightly more recent news and a recap.  Towards the end of last month it became apparent to …

Uncategorized

Carberp source code, days away from full leak

Brief history Carberp was a banking bot that first came up on researchers’ radars in the last part of 2010. By the end of 2011 the bot had been spotted in the wild, testing with bootkit functionality. Come the end of 2012 the full kit, including the bootkit, were put …