Federico Biancuzzi interviews Nitin and Vipin Kumar, authors of VBootkit, a rootkit that is able to load from Windows Vista boot-sectors. They discuss the "features" of their code, the support of the various versions of Vista, the possibility to place it inside the BIOS (it needs around 1,500 bytes), and the chance to use it to …
Is this Windows Only?
Could this technique be used on other systems such as Linux, Mac or even Symbian?
As the article mentions you can prevent it by using TPM - thought it's pretty impressive stuff!
Re: Windows only
The technique, as the article mentions, has been about for a while used in such things as the old boot sector viruses.
It relies on some way of being able to run privileged code when a system boots. It then hooks the normal boot process and patches bits that follow so they don't notice it or wipe it out and optionally modify the behaviour of the bits that follow aka the "payload".
The exact patching would depend on the OS and its components being booted. So the technique would be usable under Linux but the patching would be different depending on the kernel version.
If applications scan for the presence of unexpected code things end up as a game of cat and mouse. It might, for example have to patch the OS executable loader, recognize the scanner binary and patch it after loading so it thinks everything is OK.
- Review This is why we CAN have nice things: Samsung Galaxy Alpha
- Hey, YouTube lovers! How about you pay us, we start paying for STUFF? - Google
- MEN: For pity's sake SLEEP with LOTS of WOMEN - and avoid Prostate Cancer
- Vid BONFIRE of the MEGA-BUCKS: $200m+ BURNED in SECONDS in Antares launch blast
- Tim Cook: The classic iPod HAD to DIE, and this is WHY