Federico Biancuzzi interviews Nitin and Vipin Kumar, authors of VBootkit, a rootkit that is able to load from Windows Vista boot-sectors. They discuss the "features" of their code, the support of the various versions of Vista, the possibility to place it inside the BIOS (it needs around 1,500 bytes), and the chance to use it to …
Is this Windows Only?
Could this technique be used on other systems such as Linux, Mac or even Symbian?
As the article mentions you can prevent it by using TPM - thought it's pretty impressive stuff!
Re: Windows only
The technique, as the article mentions, has been about for a while used in such things as the old boot sector viruses.
It relies on some way of being able to run privileged code when a system boots. It then hooks the normal boot process and patches bits that follow so they don't notice it or wipe it out and optionally modify the behaviour of the bits that follow aka the "payload".
The exact patching would depend on the OS and its components being booted. So the technique would be usable under Linux but the patching would be different depending on the kernel version.
If applications scan for the presence of unexpected code things end up as a game of cat and mouse. It might, for example have to patch the OS executable loader, recognize the scanner binary and patch it after loading so it thinks everything is OK.
- Review Samsung Galaxy Note 8: Proof the pen is mightier?
- Nuke plants to rely on PDP-11 code UNTIL 2050!
- Spin doctors brazenly fiddle with tiny bits in front of the neighbours
- Game Theory Out with a bang: The Last of Us lets PS3 exit with head held high
- That Microsoft-Nokia merger you've been predicting? It's no go