Whistler Bootkit Improves, Bypasses Anti-Virus Detection
According to Mircea Pavel, a researcher at security company BitDefender, a new variant of the Whistler bootkit, detected as Rootkit.MBR.Whistler.B, has recently been infecting computers; like its predecessors it infects the MBR (master boot record), Softpedia reported on November 9, 2011.
All of Whistler's data is stored after the disk's final partition, in unpartitioned space. If the unpartitioned space is not large enough, the bootkit shrinks the final partition so that at least 400 free sectors are available.
A notable change in this version is that Whistler's data is now fully encrypted. In the bootkit's earlier versions only the malware itself was encrypted, while the original MBR and several other components were left as plaintext in the unpartitioned sectors, so security software could detect the infection without difficulty. In the newer, more dangerous variants, the components stored in that space are encrypted using the final partition's LBA as the key.
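A defender-side check for the layout described above, as an added example that is not BitDefender's code or the article's own: it parses the four MBR partition entries, computes how many sectors lie between the end of the last partition and the end of the disk, and flags a tail of 400 or more free sectors. The sample MBRs and the 1 GiB disk size are constructed here; on a real system the first 512 bytes would come from the raw disk device.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446            # partition table starts here; 4 entries of 16 bytes
MIN_FREE_SECTORS = 400        # the minimum tail the article says Whistler carves out

def build_mbr(entries):
    """Constructed sample MBR; entries are (type, start_lba, sector_count) tuples."""
    mbr = bytearray(MBR_SIZE)
    for i, (ptype, start, count) in enumerate(entries):
        off = TABLE_OFFSET + 16 * i
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)   # LBA start, LBA length
    mbr[510:512] = b"\x55\xaa"                                 # boot signature
    return bytes(mbr)

def parse_partitions(mbr):
    """Return (type, start_lba, sector_count) for each used entry in the MBR table."""
    if len(mbr) < MBR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, start, count))
    return parts

def trailing_free_sectors(mbr, disk_sectors):
    """Sectors between the end of the highest-ending partition and the end of the disk."""
    parts = parse_partitions(mbr)
    if not parts:
        return disk_sectors
    last_end = max(start + count for _, start, count in parts)
    return disk_sectors - last_end

def has_suspicious_tail(mbr, disk_sectors, threshold=MIN_FREE_SECTORS):
    """True when the unpartitioned tail could hold Whistler's components.
    A large tail is only a hint: partitioning tools also leave trailing space."""
    return trailing_free_sectors(mbr, disk_sectors) >= threshold

# Constructed 1 GiB disk: one NTFS-type partition from LBA 2048 to the end of the disk.
DISK_SECTORS = 2 * 1024 * 1024
CLEAN_MBR = build_mbr([(0x07, 2048, DISK_SECTORS - 2048)])
# Same layout after the last partition has been shrunk by 400 sectors.
SHRUNK_MBR = build_mbr([(0x07, 2048, DISK_SECTORS - 2048 - 400)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("shrunk", SHRUNK_MBR)):
        print(name, trailing_free_sectors(mbr, DISK_SECTORS), has_suspicious_tail(mbr, DISK_SECTORS))
```

A hit from this check is a reason to compare the partition table against the last known-good layout and to image the tail sectors for analysis, not proof of infection on its own.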
The bootkit is extremely hard to analyze, because the dropper deletes itself as soon as it has infected the MBR. The driver is loaded as the computer starts, and the payload is injected into processes that then ensure more malware infects the machine.
Furthermore, the driver loaded at startup injects the payload into user-mode processes, and that payload downloads and runs additional malware. As soon as the dropper has infected the MBR and the partitions holding the data, it removes itself. Consequently, even when the infection is detected, its origin is gone and can no longer be analyzed.
Because the dropper does not hide its master boot record code in the same way as other such bootkits, while Whistler itself is heavily concealed, antivirus products find it harder to spot. Whistler also stays hidden because the bootkit has no associated file on the infected computer's hard disk.
Pavel states that Whistler is likely to keep improving and evolving, adding more components. At present it is built merely to stealthily cover other malware, and it is expected to host additional, more diverse payloads soon.
» SPAMfighter News - 15-11-2011