Nytro Posted September 30, 2014

Bootkits: Past, Present & Future

Eugene Rodionov, ESET, Canada
Alexander Matrosov, Intel, USA
David Harley, ESET North America, UK

Email: rodionov@eset.com; alexander.matrosov@intel.com; david.harley.ic@eset.com

ABSTRACT

Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish a persistent and stealthy presence in their victims' systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits are not effective against UEFI-based platforms. So, are UEFI-based machines immune against bootkit threats (or would they be)?

The aim of this presentation is to show how bootkit threats have evolved over time and what we should expect in the near future. First, we will summarize what we have learned about the bootkits seen in the wild targeting the Microsoft Windows platform: from TDL4 and Rovnix (the one used by the Carberp banking trojan) up to Gapz (which employs one of the stealthiest bootkit infection techniques seen so far). We will review their infection approaches and the methods they have employed to evade detection and removal from the system.

Secondly, we will look at the security of the increasingly popular UEFI platform from the point of view of the bootkit author as UEFI becomes a target of choice for researchers in offensive security. Proof-of-concept bootkits targeting Windows 8 using UEFI have already been released. We will focus on various attack vectors against UEFI and discuss available tools and what measures should be taken to mitigate against them.

Download: https://www.virusbtn.com/pdf/conference/vb2014/VB2014-RodionovMatrosovHarley.pdf