Bootkits, the latest in a long line of stealthy malware to target the boot code on a disk rather than the operating system, survive a reinstall of the operating system because they do not live in it; the infected boot sectors have to be rewritten (a full wipe of the disk, or a firmware reflash for an implant that lives in firmware) before the threat is fully removed.
Master Boot Record
The Master Boot Record occupies the first sector (sector 0, 512 bytes) of a disk partitioned in the legacy MBR style. It holds the boot code that firmware in BIOS mode loads and executes first, the partition table that records which partitions exist and where each begins, and the 0x55AA signature in the last two bytes of the sector. The boot code uses the partition table to find the active partition and hands control to that partition's boot loader.
If the MBR becomes corrupted, the computer will not boot. Tools such as Active@ Partition Recovery can back it up, restore it and repair an accidental deletion or overwrite by an application; that backup also serves as the reference copy against which a suspected infection can be compared.
Some malware deliberately overwrites or destroys the MBR. It targets this sector because the firmware loads and runs whatever is there on every boot, before any operating system code, which makes this class of threat particularly dangerous.
Boot sector viruses are hazardous enough that most antivirus (AV) products include detection and removal for them. Detection depends on current signatures, so the virus definition files must be updated regularly for the product to recognise each variant it encounters.
Rather than destroying the MBR, a virus can infect it: it injects its own code into the sector, and that code is loaded and executed on every reboot. What the code does next ranges from displaying a message to wiping the drive.
Bootkits are dangerous because they run as early as possible in the boot process, which gives them control over system code and drivers before antivirus and other security components have started. Typically they use that position to load a kernel-mode rootkit that evades antivirus tools.
Newer bootkits execute their code before the OS loader takes over while changing only four bytes of the VBR (Volume Boot Record) rather than replacing the VBR or the IPL (Initial Program Loader) outright: the modified field, the Hidden Sectors value in the BIOS Parameter Block, makes the boot code fetch the IPL from attacker-controlled sectors instead of the legitimate ones. The malicious IPL then runs in 16-bit real mode, before any OS code is in memory. Win32/Gapz employs this approach together with an advanced dropper and is one of the most sophisticated bootkits seen in the wild.
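The on-disk structures described in this section can be checked directly. The C program below is an added example (not from the original article, nor from any tool or malware it names) that parses a 512-byte MBR, extracts the partition table and runs two checks: whether the MBR boot code still matches a saved baseline, and whether a partition's VBR records the same starting sector in the BIOS Parameter Block Hidden Sectors field (offset 0x1C) as the MBR partition table does, which is the field a four-byte Gapz-style modification changes. The sample MBR and VBR, the partition layout, the baseline and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not taken from the article. Layout facts it relies on:
 *   MBR: boot code at bytes 0..445, four 16-byte partition entries at 446,
 *        signature bytes 0x55 0xAA at 510..511.
 *   Partition entry: status(1) chs(3) type(1) chs(3) start_lba(4 LE) sectors(4 LE).
 *   FAT/NTFS VBR: the BIOS Parameter Block "Hidden Sectors" field is a 4-byte
 *        little-endian value at offset 0x1C and must equal the partition's
 *        starting LBA as recorded in the MBR. */

#define SECTOR_SIZE     512
#define MBR_PT_OFFSET   446
#define MBR_SIG_OFFSET  510
#define BPB_HIDDEN_SECT 0x1C

struct part_entry {
    uint8_t  status;      /* 0x80 = active/bootable */
    uint8_t  type;        /* e.g. 0x07 = NTFS/exFAT */
    uint32_t start_lba;
    uint32_t sectors;
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse the partition table. Returns the number of used entries,
 * or -1 if the 0x55AA signature is missing (sector is not a valid MBR). */
int parse_mbr(const uint8_t *mbr, struct part_entry out[4]) {
    if (mbr[MBR_SIG_OFFSET] != 0x55 || mbr[MBR_SIG_OFFSET + 1] != 0xAA)
        return -1;
    int n = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = mbr + MBR_PT_OFFSET + 16 * i;
        if (e[4] == 0) continue;                 /* unused slot */
        out[n].status    = e[0];
        out[n].type      = e[4];
        out[n].start_lba = le32(e + 8);
        out[n].sectors   = le32(e + 12);
        n++;
    }
    return n;
}

/* Check 1: have the 446 bytes of boot code changed since the baseline was taken? */
int mbr_code_matches(const uint8_t *mbr, const uint8_t *baseline_code) {
    return memcmp(mbr, baseline_code, MBR_PT_OFFSET) == 0;
}

/* Check 2: does the VBR's Hidden Sectors field agree with the MBR? In a Gapz-style
 * infection only these four bytes change, so the IPL is read from attacker-controlled
 * sectors while the rest of the VBR stays byte-for-byte intact. */
int vbr_hidden_sectors_consistent(const uint8_t *vbr, const struct part_entry *p) {
    return le32(vbr + BPB_HIDDEN_SECT) == p->start_lba;
}

/* ---- constructed sample data (assumptions for illustration) ---- */

/* One NTFS partition starting at LBA 2048, 0x100000 sectors long, marked active. */
void make_sample_mbr(uint8_t *mbr) {
    memset(mbr, 0, SECTOR_SIZE);
    memset(mbr, 0x90, 64);                       /* stand-in for real boot code */
    uint8_t *e = mbr + MBR_PT_OFFSET;
    e[0] = 0x80; e[4] = 0x07;
    put_le32(e + 8, 2048);
    put_le32(e + 12, 0x100000);
    mbr[MBR_SIG_OFFSET] = 0x55; mbr[MBR_SIG_OFFSET + 1] = 0xAA;
}

/* NTFS-style VBR whose only variable part is the Hidden Sectors value. */
void make_sample_vbr(uint8_t *vbr, uint32_t hidden_sectors) {
    memset(vbr, 0, SECTOR_SIZE);
    memcpy(vbr + 3, "NTFS    ", 8);              /* OEM ID */
    vbr[0x0B] = 0x00; vbr[0x0C] = 0x02;          /* 512 bytes per sector */
    put_le32(vbr + BPB_HIDDEN_SECT, hidden_sectors);
    vbr[MBR_SIG_OFFSET] = 0x55; vbr[MBR_SIG_OFFSET + 1] = 0xAA;
}

/* Run both checks on the sample. 2 = clean, 1 = VBR Hidden Sectors tampered,
 * 0 = MBR boot code differs from baseline, -1 = sector is not a valid MBR. */
int scan_sample(uint32_t hidden_sectors, int patch_mbr_code) {
    uint8_t baseline[SECTOR_SIZE], mbr[SECTOR_SIZE], vbr[SECTOR_SIZE];
    struct part_entry parts[4];
    make_sample_mbr(baseline);
    make_sample_mbr(mbr);
    if (patch_mbr_code) mbr[0] = 0xEB;           /* attacker changed the first opcode */
    if (parse_mbr(mbr, parts) < 1) return -1;
    if (!mbr_code_matches(mbr, baseline)) return 0;
    make_sample_vbr(vbr, hidden_sectors);
    return vbr_hidden_sectors_consistent(vbr, &parts[0]) ? 2 : 1;
}

int main(void) {
    printf("clean disk:          %d\n", scan_sample(2048, 0));
    printf("VBR hidden sectors:  %d\n", scan_sample(0x8000, 0));
    printf("MBR code patched:    %d\n", scan_sample(2048, 1));
    return 0;
}
```

On a real disk the two sectors would be read with the raw device (sector 0 and the first sector of each partition) and the baseline would come from a backup taken when the machine was known clean; the Hidden Sectors comparison needs no baseline at all, which is what makes it a useful quick check for a Gapz-style infection.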
UEFI
Modern PCs have replaced the BIOS with the Unified Extensible Firmware Interface (UEFI), a specification for the firmware and for its interface to the operating system. UEFI offers benefits the BIOS never had, including a richer pre-boot environment and security features such as Secure Boot, yet its firmware and boot components are themselves targets for attackers.
The traditional BIOS has well-known limitations: it runs in 16-bit real mode and, with the MBR scheme's 32-bit sector addresses, cannot boot from disks larger than about 2.2 TB. The properties that make UEFI attractive to developers also make it attractive to attackers: UEFI modules are written in C against a documented API, so development is easier, and the standardised way of booting from a FAT-formatted EFI System Partition gives an attacker a well-defined place to put code.
UEFI is therefore an effective place for an attacker to take control of the hardware before the OS loads. From there they can disable critical OS security mechanisms or install malicious components during the early boot stages, giving the malware kernel-level access while it operates without detection.
BIOS
The BIOS (Basic Input/Output System) is firmware that the processor executes at power-on, before any operating system starts. It controls the pre-OS environment and loads the OS itself, which makes it an attractive target for malware seeking persistence. Threat actors have taken advantage of this with UEFI (Unified Extensible Firmware Interface) rootkits, which are stealthier and harder to detect than anything living inside the OS.
UEFI rootkits can hide in the EFI System Partition (ESP), the FAT partition in which the boot loaders and utilities that start the operating system are installed. A routine OS reinstall does not touch the ESP, so a rootkit stored there survives it; an implant written into the firmware flash survives even replacement of the hard drive. Both are largely out of reach of antivirus tools that only inspect the running OS, so they are harder to remove than OS-resident rootkits.
Memory
Rootkits differ from Trojans, worms and viruses in the level at which they operate: a kernel-mode rootkit runs with the same privilege as the operating system kernel (ring 0 in x86 terms) rather than in user mode (ring 3), so it can intercept the OS's own hardware requests. To get there it must be loaded into memory early in the OS boot sequence, which is what the bootkit component provides.
At this stage the malware registers process and image-load notification callbacks, which tell it when new processes and drivers are loaded into memory. It also hooks NtReadFile so that every read the operating system performs on a kernel file passes through it; the hook lets the read IRP proceed and attaches a completion routine that zeroes every byte of the returned data that overlaps the infected boot sectors, so subsequent requests from antivirus scanners and signature-matching tools never see the malicious code.
Once the kernel file has been read, the malware sets a second hook, on IoInitSystem. This one takes effect when IoInitSystem returns: it overwrites the function's return address with the address of the malware's own routine, so that the routine runs with the I/O subsystem fully initialised but before the rest of the kernel has finished starting.
From that routine the rootkit's kernel-mode payload is read from its hidden storage on the disk, mapped into memory and executed. It carries the actual rootkit functionality: injecting code into processes and communicating with a C&C server.
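The sector-hiding trick in the read hook described above, and the cross-view check that catches it, as an added example in plain C (not from the article and not any bootkit's real code): the disk, the infected range and both I/O paths are simulated in user mode, so it runs anywhere. It shows the intersection arithmetic a completion routine needs to zero exactly the bytes that overlap the hidden sectors, for reads that start before, end after or sit inside the range, and why a detector that reads the same sectors through two different paths still sees the infection: a region that is nonzero on the raw path and all zeros on the hooked one. The disk contents, the hidden range and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the article. A user-mode model of the hiding trick:
 * a disk read is allowed to complete, then the completion routine zeroes every
 * byte of the returned buffer that overlaps the infected sectors.
 * Offsets are in bytes; one sector is 512 bytes. */

#define SECTOR       512
#define DISK_SECTORS 16

static uint8_t g_disk[DISK_SECTORS * SECTOR];   /* constructed sample disk */

/* Infected range (constructed): sectors 1 and 2 hold the malicious IPL. */
static const uint64_t HIDE_START = 1 * SECTOR;
static const uint64_t HIDE_LEN   = 2 * SECTOR;

/* Raw path: what the disk actually contains (think: a second, unhooked driver). */
static void raw_read(uint64_t off, uint8_t *buf, size_t len) {
    memcpy(buf, g_disk + off, len);
}

/* Completion routine: zero the intersection of [off, off+len) with the hidden
 * range. The clipping handles reads that start before the range, end after it,
 * lie entirely inside it, or miss it completely. */
void hide_completion(uint64_t off, uint8_t *buf, size_t len) {
    uint64_t rd_end = off + len;
    uint64_t hd_end = HIDE_START + HIDE_LEN;
    uint64_t lo = off > HIDE_START ? off : HIDE_START;   /* max of the starts */
    uint64_t hi = rd_end < hd_end ? rd_end : hd_end;     /* min of the ends   */
    if (lo < hi)
        memset(buf + (lo - off), 0, (size_t)(hi - lo));
}

/* Hooked path: what a scanner reading through the infected driver stack sees. */
void hooked_read(uint64_t off, uint8_t *buf, size_t len) {
    raw_read(off, buf, len);
    hide_completion(off, buf, len);
}

/* Cross-view detector: read every sector through both paths and compare.
 * Returns the number of differing sectors (0 on a clean system) and reports
 * the first one through first_bad_sector (-1 if none). */
int cross_view_scan(int *first_bad_sector) {
    uint8_t a[SECTOR], b[SECTOR];
    int bad = 0;
    *first_bad_sector = -1;
    for (int s = 0; s < DISK_SECTORS; s++) {
        raw_read((uint64_t)s * SECTOR, a, SECTOR);
        hooked_read((uint64_t)s * SECTOR, b, SECTOR);
        if (memcmp(a, b, SECTOR) != 0) {
            if (*first_bad_sector < 0) *first_bad_sector = s;
            bad++;
        }
    }
    return bad;
}

/* Fill the sample disk with a nonzero pattern and plant a marker in the infected sectors. */
void init_sample_disk(void) {
    for (size_t i = 0; i < sizeof g_disk; i++)
        g_disk[i] = (uint8_t)(0x10 + (i % 200));          /* never zero */
    memcpy(g_disk + HIDE_START, "EVIL-IPL", 8);
}

/* How many nonzero bytes a hooked read of [off, off+len) returns; on the
 * constructed disk every zero byte is one the completion routine removed. */
size_t nonzero_bytes_via_hook(uint64_t off, size_t len) {
    uint8_t buf[DISK_SECTORS * SECTOR];
    hooked_read(off, buf, len);
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += buf[i] != 0;
    return n;
}

int main(void) {
    int first;
    init_sample_disk();
    printf("hooked read of sectors 0-3: %zu nonzero bytes of 2048\n",
           nonzero_bytes_via_hook(0, 4 * SECTOR));
    printf("sectors hidden: %d (first at sector %d)\n", cross_view_scan(&first), first);
    return 0;
}
```

The detector relies on having a second read path the hook does not cover; in practice that is a lower-level driver, a boot from clean media, or the disk attached to another machine. Zeroing is itself a tell: a run of sectors that read back as all zeros from one path and as code from another is exactly what the scan reports.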
Rootkit analysis has to start from the assumption that the authors are trying to outwit researchers and antivirus tools. To succeed they must stay on the victim system without being detected or removed by antimalware software, using interception in user mode and kernel mode, direct kernel object manipulation (DKOM), techniques for bypassing filter drivers, and so on. A recent example is Win32/Gapz, which uses splicing to inject its kernel-mode code before IoInitSystem executes, so that it is already running before the ELAM (Early Launch Anti-Malware) drivers start and evades detection by antimalware tools.