Vbootkit
- Type: Vulnerability
- SubType: Boot
- Discovery Date: 05/07/2009
- Length: 4614 bytes
- Minimum DAT: 5610 (05/09/2009)
- Updated DAT: 5610 (05/09/2009)
- Minimum Engine: 5.3.00
- Description Added: 05/08/2009
- Description Modified: 05/08/2009 11:38 AM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Overview
-- Update May 8, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.eweek.com/c/a/Security/Researchers-Release-Bootkit-Code-Targeting-Windows-7-646515/?kc=rss
--
Vbootkit is a detection for a set of tools designed to circumvent security in the 64-bit version of Windows 7.
Characteristics
The main component requires physical access to the system and assumes that the attacker can boot from a removable device or CD. Vbootkit then lets the normal system boot process continue after hooking drive I/O, so that it can patch Windows files as they are loaded and copy the desired payloads to the system.
Symptoms
Symptoms may vary, as this detection covers a specific method rather than a particular payload.
We have seen proof of concepts with included payloads that demonstrate operating system privilege escalation as well as remote key logging capabilities.
Method of Infection
Infection requires that the attacker is able to boot the system from a CD or removable device.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A