Popsomp Hills

While Chinese people are happily using my reversed Sinowal source (about which I was informed months ago already), and the court case against the Stoned Bootkit goes on, I am happily reversing all the bootkits out there. I would suggest we all pop some pills!

Active Bootkit development in China

A forum posting and a comparison with my Sinowal analysis reveal that parts were copied 1:1; the full source is available at http://pastebin.ca/1886370:

[Stolen:1]
; create 16 bit code and assembly only instructions up to 386 instruction set
[bits 16]
CPU 386

[Original:15]
; create 16 bit code and assembly only instructions up to 386 instruction set
[bits 16]
CPU 386


[Stolen:35]
; execute original Master Boot Record
jmp word 0000h:7C00h

[Original:87]
; execute original Master Boot Record
jmp word 0000h:7C00h


[Stolen:40]
times 510-($-$$)  db 0

Boot_Signature            dw  0AA55h

[Original:348]
times 510-($-$$)  db 0

Boot_Signature            dw  0AA55h

"create 16 bit code" is one of the things I always write first in an assembler source file, also in my operating system ToasterOS since 2005. For example, ToasterOS' FAT32 bootloader:

[bits 16]					; create a 16 Bit Code
CPU 386						; Assemble instructions up to the 386 instruction set

%define	Type_Legacy_System
%include "interface.asm"

org 7C00h

...

Trojan.Alipop

There is again a new bootkit, called Trojan.Alipop. I took a short look at the bootloader, and can say it is different from what I have seen so far:

0000004E  0F31              rdtsc
00000050  6691              xchg eax,ecx
00000052  0F31              rdtsc
00000054  6629C8            sub eax,ecx
00000057  663D01000000      cmp eax,0x1
0000005D  7E24              jng 0x83

It checks the time stamp counter delta across the xchg instruction. Previously this was a good anti-VM check, but nowadays most VMs run through hardware virtualization on a real CPU anyway, and other emulators now set the time stamp counter correctly. It further messes up the desktop and installs other software and a kind of desktop toolbar. It also sets the Internet Explorer home page to a Google search for some Chinese term.
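As an added example (not code from the original post), a small Python scanner that flags the paired-RDTSC timing pattern in a 512-byte boot sector image and checks the 0xAA55 signature; the sample sector is constructed here from the bytes in the listing above, placed at the listed offset 0x4E.

```python
import struct

# Bytes of the Trojan.Alipop timing check exactly as disassembled above:
# rdtsc / xchg eax,ecx / rdtsc / sub eax,ecx / cmp eax,1 / jng +0x24.
# Used only to build a constructed sample sector for this example.
ALIPOP_TSC_CHECK = bytes.fromhex("0F31 6691 0F31 6629C8 663D01000000 7E24")

RDTSC = b"\x0f\x31"          # opcode of the RDTSC instruction
BOOT_SIGNATURE = 0xAA55      # little-endian 55 AA at offset 510


def find_rdtsc_pairs(sector: bytes, max_gap: int = 8):
    """Return offsets of an RDTSC that is followed by a second RDTSC within
    max_gap bytes, i.e. the shape of a TSC-delta timing check (heuristic,
    a raw byte scan with no disassembly)."""
    offs = [i for i in range(len(sector) - 1) if sector[i:i + 2] == RDTSC]
    return [a for a, b in zip(offs, offs[1:]) if 0 < b - a <= max_gap]


def analyse_boot_sector(sector: bytes) -> dict:
    """Summarise a boot sector: valid signature, RDTSC-pair offsets and the
    offset of the exact Alipop byte sequence (-1 if absent)."""
    if len(sector) != 512:
        raise ValueError("boot sector must be 512 bytes")
    sig = struct.unpack_from("<H", sector, 510)[0]
    return {
        "valid_signature": sig == BOOT_SIGNATURE,
        "rdtsc_pairs": find_rdtsc_pairs(sector),
        "alipop_check": sector.find(ALIPOP_TSC_CHECK),
    }


def build_sample(payload: bytes = b"", at: int = 0) -> bytes:
    """Constructed 512-byte sector: payload at the given offset, AA55 at the end."""
    sec = bytearray(512)
    sec[at:at + len(payload)] = payload
    struct.pack_into("<H", sec, 510, BOOT_SIGNATURE)
    return bytes(sec)


if __name__ == "__main__":
    print(analyse_boot_sector(build_sample(ALIPOP_TSC_CHECK, 0x4E)))
    print(analyse_boot_sector(build_sample()))  # benign, empty sector
```

To scan a real image, read 512 bytes from the disk dump and pass them to analyse_boot_sector; the RDTSC-pair heuristic is deliberately loose and should be confirmed by disassembly.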