Attacks before system startup

A major objective pursued by malware writers when developing malicious code is to make it start as early as possible, enabling it to make key modifications to the operating system’s code and system drivers, such as installing hooks, before the antivirus product’s components initialize. As a result, malware and anti-malware products play cat and mouse of sorts, since they operate at the same level: the operating system, system drivers and rootkits all operate in kernel mode.

Bootkits currently represent the most advanced technology available to cybercriminals. It enables malicious code to start before the operating system loads. The technology is implemented in numerous malicious programs.

We have written about bootkits (such as XPAJ and TDSS (TDL4)) several times. The latest bootkit-related publication so far describes scenarios of targeted attacks based on the bootkit technology as implemented in The Mask campaign. However, such papers are not released often and some experts may get the impression that bootkits, like file viruses, are ‘dead’, that Trusted Boot has done its job and that the threat is no longer relevant.

Nevertheless, bootkits do exist; they are in demand on the black market and are extensively used by cybercriminals for purposes which include conducting targeted attacks.

Fragment of TDSS loader code in MBR

Read more: Attacks before system startup