The Magic of Bootkits

Abstract

In my third paper I want to talk about "The Magic of Bootkits". Boot software has occupied me for years of my life. I wrote an operating system, a boot management solution and finally a "Forensic Lockdown Software" which boots before Windows does. I have seen a lot there, and so I want to discuss a few points about bootkits: whether they will become useless or not, whether they will rule the world or not. I am writing this article because I read the Pandalabs Security article "Rootkits in the MBR, a dangerous reality" and because I have analyzed the development work on vbootkit, which I will discuss later. Enjoy reading!

- Peter Kleissner, Software Engineer (September 2008)

The dangers of Bootkits

Bootkits are loaded before the main operating system is. The term 'Bootkit' refers to a rootkit installed in a boot record (Master Boot Record, Partition Boot Record) or in the bootloader itself. Modern bootkits are able to hook and bypass operating system routines, the initialization sequence (including the processor mode switches) and security checks such as integrity and code-signing verification. They do not act only at startup, but also while the host operating system is running: code that gets control before the kernel can patch the loader and the kernel image as they are read from disk. Because a bootkit runs before the OS does, it can do whatever its programmer is capable of making it do. Typically it not only hooks operating system kernel functions but also runs its own code with kernel privileges and does various other things from there.

How to consider Bootkits

Bootkits differ in their code from common viruses: like any other system software, they are written directly against the machine code the processor executes at boot. Simplified, they have to support the hardware with their own code, just as Windows does; they need their own routines for video output, reading from disk and so on. An important aspect of system software is the hardware platform and architecture. Boot viruses must be written for a specific architecture (for "normal" computers the Intel architecture and the classical PC architecture), so there is a hardware dependency that normal application software does not have. A further problem for boot viruses is not only the architecture, but its lacking documentation. The boot process in particular is poorly documented, which makes it difficult to get boot software working on nearly every machine: different computers support different features, some of which the code requires and some of which it does not.

You can consider bootkits as applications that require frequent changes. Unstandardized hardware is one problem; new standards replacing parts of the existing architecture are another. Examples are the new GUID Partition Table, which replaces the old MBR partition table, and the BIOS, which is to be replaced by EFI. For the new Extensible Firmware Interface you can throw away any previous boot software and write it anew: on a native EFI boot the firmware loads a boot application from the EFI System Partition and never executes the code in the MBR.

Another problem besides hardware dependency is target operating system dependency: the bootkit has to hook the kernel functions of a specific operating system and bypass that system's security functions. Current bootkits are targeted at specific operating system versions, such as Windows XP, Windows Vista or a particular Linux kernel. It is also tricky with 32-bit and 64-bit versions of an operating system. It would be possible, but is currently not done, to include binary code for both variants in one bootkit.

How to detect a Bootkit

For bootkit detection, I've already worked out a concept for detecting malicious boot software, described in my article Writing a Boot Scan Engine. It scans boot records for patterns, using a blacklist and a whitelist, a database, reports and other heuristic methods. When checking a system for a bootkit it is important to remember that the bootkit can hook the very functions used for detection. A common example is a hooked ReadFile, which in that case returns the clean original sector instead of the infected one that is really on disk. Of course the computer can be scanned from a separately booted live system, but that is not user-friendly. A better solution is a scanner that is loaded before the main operating system components are, for example (Windows-specific) in the Windows boot loader or in winload.exe.
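To make the scanning approach concrete, here is an added example, not code from the Boot Scan Engine or from the author: a small Python scanner that parses a 512-byte MBR, recognizes a GPT disk by its protective MBR entry (type 0xEE) and the "EFI PART" header in LBA 1, hashes the boot code area against a whitelist and a blacklist, and applies one constructed heuristic, namely boot code that stores AX over the INT 13h vector at 0000:004Ch. The sector images, the whitelist and blacklist hashes and the heuristic pattern are all constructed for the demonstration. Because a live bootkit can hook the read path, such a scanner only gives trustworthy results when it is run from a clean environment (pre-boot or a separately booted system) on raw sectors.

```python
"""Added example: a minimal MBR/GPT boot-record scanner in the spirit of the
blacklist/whitelist approach described above. Not the author's code; every
sector image, hash and heuristic pattern here is constructed for the demo."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
GPT_SIGNATURE = b"EFI PART"           # first eight bytes of the GPT header in LBA 1
PROTECTIVE_MBR_TYPE = 0xEE            # partition type of a GPT protective MBR entry
ENTRY_FMT = "<B3sB3sII"               # status, CHS start, type, CHS end, LBA start, LBA count

# Constructed heuristic: in 16-bit real mode, A3 4C 00 encodes "mov [0x004C], ax",
# which overwrites the INT 13h (disk services) vector at 0000:004Ch, the classic
# hook a bootkit installs so it can patch sectors as the OS loader reads them.
SUSPICIOUS_PATTERNS = {
    "boot code writes the INT 13h vector (0000:004Ch)": bytes.fromhex("a34c00"),
}


def partition_entry(bootable, ptype, lba_start, lba_count):
    """Build one 16-byte partition entry; CHS fields are left zero, LBA fields matter."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, lba_count)


def build_mbr(code, entries=(), signature=BOOT_SIGNATURE):
    """Assemble a 512-byte MBR: 446 bytes of code, four 16-byte entries, 2-byte signature."""
    if len(code) > 446 or len(entries) > 4:
        raise ValueError("MBR layout overflow")
    return code.ljust(446, b"\0") + b"".join(entries).ljust(64, b"\0") + signature


def parse_mbr(sector):
    """Split a raw sector into boot code, non-empty partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        raw = sector[446 + 16 * i:446 + 16 * (i + 1)]
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, raw)
        if ptype:
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": start, "lba_count": count})
    return {"code": sector[:446], "partitions": partitions, "signature": sector[510:]}


def code_fingerprint(sector):
    """SHA-256 of the 446-byte code area only, so the same loader build hashes
    identically on differently partitioned disks."""
    return hashlib.sha256(sector[:446]).hexdigest()


def scan_boot_records(sector0, sector1=b"", whitelist=frozenset(), blacklist=frozenset()):
    """Classify LBA 0 (plus LBA 1 on GPT disks) as clean / suspicious / malicious / unknown."""
    mbr = parse_mbr(sector0)
    fingerprint = code_fingerprint(sector0)
    reasons = []
    if mbr["signature"] != BOOT_SIGNATURE:
        reasons.append("missing 55AA boot signature")
    if sum(p["active"] for p in mbr["partitions"]) > 1:
        reasons.append("more than one active partition")
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern in mbr["code"]:
            reasons.append(name)
    layout = "mbr"
    if any(p["type"] == PROTECTIVE_MBR_TYPE for p in mbr["partitions"]):
        layout = "gpt"
        if sector1[:len(GPT_SIGNATURE)] != GPT_SIGNATURE:
            reasons.append("protective MBR entry but no 'EFI PART' header in LBA 1")
    if fingerprint in blacklist:
        verdict = "malicious"      # known bad code wins over everything else
    elif reasons:
        verdict = "suspicious"     # heuristics fired, even on otherwise whitelisted code
    elif fingerprint in whitelist:
        verdict = "clean"
    else:
        verdict = "unknown"        # unseen loader: report it for analysis
    return {"layout": layout, "code_sha256": fingerprint, "verdict": verdict, "reasons": reasons}


def demo():
    """Constructed sample disks: a benign stub, the stub patched with an INT 13h hook,
    a blacklisted sector and a GPT disk. Returns the scan result for each."""
    # cli; xor ax,ax; mov ss,ax; mov sp,0x7C00; sti; jmp $  (a harmless real-mode stub)
    clean_stub = bytes.fromhex("fa33c08ed0bc007cfbebfe")
    # the same stub with "mov [0x004C], ax" inserted before the final jump
    hooked_stub = bytes.fromhex("fa33c08ed0bc007cfb") + bytes.fromhex("a34c00") + bytes.fromhex("ebfe")
    ntfs = [partition_entry(True, 0x07, 63, 2_000_000)]
    clean = build_mbr(clean_stub, ntfs)
    hooked = build_mbr(hooked_stub, ntfs)
    known_bad = build_mbr(b"\x90" * 16 + clean_stub, ntfs)   # stands in for a malware-database sample
    protective = build_mbr(clean_stub, [partition_entry(False, PROTECTIVE_MBR_TYPE, 1, 0xFFFFFFFF)])
    gpt_header = (GPT_SIGNATURE + bytes.fromhex("00000100")).ljust(SECTOR_SIZE, b"\0")  # signature + revision
    whitelist = frozenset({code_fingerprint(clean)})
    blacklist = frozenset({code_fingerprint(known_bad)})
    return {
        "clean": scan_boot_records(clean, whitelist=whitelist, blacklist=blacklist),
        "hooked": scan_boot_records(hooked, whitelist=whitelist, blacklist=blacklist),
        "known_bad": scan_boot_records(known_bad, whitelist=whitelist, blacklist=blacklist),
        "gpt": scan_boot_records(protective, gpt_header, whitelist=whitelist, blacklist=blacklist),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result['layout']:4s} {result['verdict']:10s} {result['reasons']}")
```

On a real machine the two sectors would be read raw (for example from \\.\PhysicalDrive0 on Windows or /dev/sda on Linux) rather than constructed, and the whitelist would hold the fingerprints of the loader builds you expect to see. The verdict order is deliberate: a blacklist hit overrides everything, a fired heuristic overrides the whitelist, and an unknown loader is reported rather than silently accepted.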

The problem of Bootkits in the future with EFI

A big change for boot viruses lies in the move from the old-fashioned BIOS to the new Extensible Firmware Interface (EFI). It makes the old BIOS and its bootstrap obsolete and defines new standards for booting operating systems. First, old boot viruses will no longer work and cannot simply be "translated" to the new boot system. Second, we will have many more boot viruses in the future, within the next 10 years. With new versions of Microsoft's operating systems they will explode, because they will have the ability to. EFI makes it very easy to develop boot loading software, and just as easy to develop a boot virus or bootkit.

EFI brings better and more standardized hardware support, and EFI applications use the Portable Executable format that Windows uses for its executables. It's just a matter of time until we have easy-to-use toolchains like Visual Studio for developing EFI applications. When we have this, it will be very easy to copy and paste malicious boot software source code. I think the explosion will come in 2-3 years, once EFI is established and people begin to use its possibilities.

Conclusion

We see a current change in bootkits and in their development in the near future. It's incredible to see the effort people put in to write a fully functional bootkit. The good thing about previous bootkits is that only experts are capable of writing them, so modern malicious bootkits (the non-proof-of-concept ones) are simply not available at this time. In 2-3 years we will see a change in bootkits when EFI is established, but as long as EFI applications are nearly like Windows applications, they can easily be found by anti-virus software. See you in 2-3 years, Peter Kleissner.