New Bitdefender Tool Allows Bootkit Disinfection

21 December 2011
Bootkits are the ultimate e-threats to one’s PC. They have been around since Windows 2000 and have undergone consistent development to circumvent the security mechanisms of operating systems ever since. No doubt, bootkits are the most dangerous and powerful breeds of malware, as they subvert the system at the most basic level possible.


It goes without saying that a bootkit infection can dramatically impact users' security. Bootkit removal is extremely delicate, as bootkits live outside the file system and can manipulate security checks by returning a copy of the pristine master boot record whenever an antivirus or forensic utility is run atop the compromised OS.

That is why we developed a tool that can detect and remove all known variants of bootkits. The tool is available for free in the Malware City Downloads section and can be used on both 32- and 64-bit versions of Windows.

Download the 32-bit version of the Bootkit Removal Tool

Download the 64-bit version of the Bootkit Removal Tool

Bootkits, rootkits - what is all this about?

Rootkits are specially crafted to hide the presence of other files or processes on the system by manipulating normal methods of detection. Since kernel-mode drivers run with higher privileges on the compromised system, they are also used to allow regular malware access to critical areas of the operating system.

Although extremely powerful, rootkits have limitations. One is the fact that security measures on 64-bit operating systems prevent them from installing themselves unless they have a valid digital signature. In short, during the early stages of operating system initialization, security checks separate benign drivers (i.e. antivirus defense mechanisms) from malicious rootkits and stop the latter from infecting 64-bit machines.

The bootkit: a rootkit on steroids

Here is where bootkits get into the spotlight. Bootkits are special rootkits that load their code from a special area of the disk, known as the Master Boot Record (MBR), which gets full control right after the BIOS has handed over to the appropriate boot device. The MBR is responsible for initializing the operating system loader, which subsequently loads the kernel; the kernel then checks whether each 64-bit kernel-mode driver is digitally signed. If it is not, the driver is prevented from loading, blocking the rootkit infection at a very early stage. However, if the MBR gets compromised, the bootkit is able to patch the kernel's digital signature validation checks, the final barrier that would prevent an unauthorized kernel-mode rootkit from loading. This is the case with the notorious TDL-4 rootkit, which easily compromises 32- and 64-bit operating systems alike.

All your data are belong to us

Full HDD encryption has been touted as the de-facto norm for safely storing highly sensitive information, such as sales reports, intellectual property, prototypes and other critical assets of a business. However, most HDD decryption modules are stored unencrypted in the Master Boot Record area, which means that all the data stored on the affected disk can be transparently decrypted by the rootkit.

This tool is available courtesy of the Bitdefender Antirootkit Team.




Bogdan never trusts anything until it is disassembled into small pieces and carefully inspected. The passion for writing and the almost obsessive attention to details are some of his greatest qualities and, at the same time, some of his greatest flaws.

Comments:

Steven said on Dec-22-2011 04:11

Dear Mr. Botezatu
First of all thank you for your research!
I have a question: When I start up the latest antibootkit removal tool, it only scans for a few seconds, while your other tools take about ten minutes or so. Does this mean the scan is not so extensive, or does the program not function? Thank you for your answer.

Kind regards

Bogdan Botezatu said on Dec-22-2011 04:55

Hey Steven!

Bootkits are located in the MBR, which is only 512 bytes (half a kilobyte, that is). This tool only scans these 512 bytes, unlike our conventional removal tools, which scan tens or hundreds of gigabytes of files. To put it shortly, this tool is faster because it has to scan only a fraction of the disk drive :)

Thanks for bringing this up.
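The article's description of the MBR as the code the BIOS hands control to, and the reply above noting that the tool only has to inspect those 512 bytes, both come down to one structure. The following is an added example, not the Bitdefender tool's code: it parses a 512-byte MBR (440 bytes of boot code, disk signature, four 16-byte partition entries, the 0x55AA marker) and compares the boot-code region against a trusted baseline hash. The sample sectors, the loader stub bytes and the baseline hash are constructed here; as the article itself notes, a sector read obtained through a compromised OS may be a spoofed pristine copy, so such a check is only meaningful on a read taken from outside that OS (e.g. rescue media).

```python
import hashlib
import struct

MBR_SIZE = 512                 # 440 B boot code, 6 B disk id/reserved, 64 B partition table, 2 B signature
BOOT_SIGNATURE = b"\x55\xaa"   # little-endian 0xAA55 marker at offset 510

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, partition entries and the signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    boot_code = sector[:440]   # the code the BIOS jumps to; this is the region a bootkit overwrites
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3 B), type, CHS end (3 B), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "disk_signature": sector[440:444].hex(),
            "partitions": entries,
            "valid_signature": sector[510:512] == BOOT_SIGNATURE}

def check_mbr(sector: bytes, trusted_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the trusted baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != trusted_boot_code_sha256:
        findings.append("boot code differs from trusted baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected 1)")
    return findings

def build_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed sample MBR with one bootable NTFS (0x07) partition at LBA 2048."""
    boot_code = boot_code.ljust(440, b"\x00")[:440]
    disk_id = b"\xde\xad\xbe\xef\x00\x00"   # constructed disk signature + 2 reserved bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_code + disk_id + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Constructed stand-in for the stock loader stub and its baseline hash (not a real vendor MBR).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
TRUSTED_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE.ljust(440, b"\x00")).hexdigest()

if __name__ == "__main__":
    print("clean:  ", check_mbr(build_mbr(CLEAN_BOOT_CODE), TRUSTED_SHA256))
    print("patched:", check_mbr(build_mbr(b"PATCHED-LOADER-STUB"), TRUSTED_SHA256))
```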

Alex said on Dec-22-2011 15:47

Dear author, your tool does not detect ZeroAccess. Why?

Wholesale Car Accessories said on Dec-24-2011 00:23

Thanks for this post! I really enjoyed reading it!!!


wma to mp3 converter said on Dec-30-2011 04:49

New Bitdefender tool? Like for real?
Oh my! It's like an early Christmas present! Thank you so much!!

Solihull Dentists said on Jan-1-2012 05:10

I've just downloaded this tool and used it - very quick and easy to use.

emaar mgf projects in gurgaon said on Jan-24-2012 02:03

Great write-up. I have certainly enjoyed browsing your blog posts.

vinit said on Jan-25-2012 07:24

Hi

I am using Win XP SP3 32-bit. When I start the tool, it says initialization failed.

Please give me a solution to this.
Thanks


bloons tower defense 5 said on Feb-7-2012 01:41

I will take a look at this tool. It looks very interesting. I am using another tool at the moment.


Danny said on Feb-15-2012 11:32

Rootkit.MBR.Pihar.D is what I'm picking up, and this tool doesn't find it, and Bitdefender Anti-Virus 2012 is denied access by it... Now what??

Cartier Love Bracelet Replica said on Feb-18-2012 04:31

Yes, wow, nice gadgets and tech. Love these things.
