Federico Biancuzzi interviews Nitin and Vipin Kumar, authors of VBootkit, a rootkit that is able to load from Windows Vista boot-sectors. They discuss the "features" of their code, the support of the various versions of Vista, the possibility to place it inside the BIOS (it needs around 1,500 bytes), and the chance to use it to …
Is this Windows Only?
Could this technique be used on other systems such as Linux, Mac or even Symbian?
As the article mentions you can prevent it by using TPM - thought it's pretty impressive stuff!
Re: Windows only
The technique, as the article mentions, has been about for a while used in such things as the old boot sector viruses.
It relies on some way of being able to run privileged code when a system boots. It then hooks the normal boot process and patches bits that follow so they don't notice it or wipe it out and optionally modify the behaviour of the bits that follow aka the "payload".
The exact patching would depend on the OS and its components being booted. So the technique would be usable under Linux but the patching would be different depending on the kernel version.
If applications scan for the presence of unexpected code things end up as a game of cat and mouse. It might, for example have to patch the OS executable loader, recognize the scanner binary and patch it after loading so it thinks everything is OK.
- Updated HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
- Peak Apple: Mountain of 80 MILLION 'Air' iPhone 6s ordered
- Students hack Tesla Model S, make all its doors pop open IN MOTION
- BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
- PROOF the Apple iPhone 6 rumor mill hype-gasm has reached its logical conclusion