Please use this identifier to cite or link to this item: http://hdl.handle.net/10125/41896

A Universal Windows Bootkit: An Analysis of the MBR Bootkit "HDRoot"

File: paper0747.pdf (1.47 MB, Adobe PDF)

Item Summary

Title: A Universal Windows Bootkit: An Analysis of the MBR Bootkit "HDRoot"
Authors: Showalter, William
Keywords: malware, reverse-engineering, rootkit, bootkit, mbr
Issue Date: 04 Jan 2017
Abstract: In October 2015, Kaspersky released an analysis of the bootkit “HDRoot”. Their analysis highlighted mistakes in the bootkit, which made it ineffective at performing its task. Upon attempts to replicate that analysis, however, it appears that these conclusions were in error and the bootkit works with any Windows version in the last 16 years. HDRoot represents a serious commitment in time and effort to develop, and an in-depth analysis reveals the work of a significantly capable threat actor. The sample analyzed here dates to 2013, and is the same sample Kaspersky reports to have analyzed in their post. However, all evidence points to Kaspersky performing analysis with a 2006 sample, likely the reason for their conclusions. Additionally, mistakes made in reporting the capability of offensive software, provided without means to verify, hurt the security industry by misleading practitioners and limiting their ability for informed decision making.
Pages/Duration: 9 pages
URI/DOI: http://hdl.handle.net/10125/41896
ISBN: 978-0-9981331-0-2
DOI: 10.24251/HICSS.2017.732
Rights: Attribution-NonCommercial-NoDerivatives 4.0 International
Appears in Collections: Deception, Digital Forensics, and Malware Minitrack