Using the Boot emulator - Bootkit detection technology presented at XFocus 2013

by Neinei,

Summary: Over the last two years, boot-stage attacks have developed a variety of complex techniques, such as Win32/Gapz with its new method of boot hijacking, the TDL4/Rovnix botnet families, the APT attacks using Shamoon/Hastati (DarkSeoul), and MBRLock. Bootkit skills have improved greatly: structured storage of the payload and its concealment, polymorphic boot-stage code, covert boot hijacking, and modification of the BIOS/VGA, the MBR, the VBR, the bootstrap code, and so on. In this paper we also discuss two further ways of hijacking the boot process. At the same time, attacks on firmware have begun to increase, such as the UEFI bootkit by Andrea Allievi and the Rakshasa project, which modifies Coreboot. At present, the response to a bootkit is to publish a stand-alone repair tool, but such tools cannot identify unknown bootkit threats. How can anti-bootkit techniques be embedded in an anti-virus scan engine? In this paper, I design a boot emulator that runs in real mode and simulates the Windows startup process, loading the BIOS, MBR, VBR, and bootstrap code, so that bootkit behavior can be detected earlier. Finally, I show how a custom boot-loading solution can be used to prevent bootkits.
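Before a boot emulator can run real-mode code, a scanner has to parse the sectors it loads. The following Python is an added example, not the emulator from this talk: it parses the classic 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA boot signature), checks the signature and partition-table sanity, and compares the bootstrap region against a known-good SHA-256 baseline, which is one way a defender notices a rewritten bootstrap of the kind the bootkits above install. The sample MBR images, the baseline hash, and the function names are all constructed for this illustration.

```python
"""Minimal MBR integrity checker (added example; not the talk's emulator).

Classic MBR layout:
  bytes   0..445  bootstrap code (446 bytes)
  bytes 446..509  four 16-byte partition table entries
  bytes 510..511  boot signature 0x55 0xAA (read little-endian as 0xAA55)
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510


def parse_partition_table(mbr: bytes):
    """Return the four primary partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) chs_first(3) type(1) chs_last(3) lba_start(4) sectors(4)
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def check_mbr(mbr: bytes, baseline_bootstrap_sha256: str):
    """Return a list of findings; an empty list means the MBR looks clean."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    sig = struct.unpack_from("<H", mbr, SIGNATURE_OFF)[0]
    if sig != 0xAA55:
        findings.append(f"bad boot signature 0x{sig:04X}")
    # A bootkit that hijacks the boot path typically rewrites the bootstrap
    # code; a hash of that region against a trusted baseline exposes it.
    digest = hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()
    if digest != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    parts = parse_partition_table(mbr)
    active = [p for p in parts if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    # The status byte must be 0x00 or 0x80; anything else is malformed.
    for i in range(4):
        status = mbr[PART_TABLE_OFF + i * PART_ENTRY_LEN]
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{status:02X}")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Construct a synthetic MBR: given bootstrap bytes, one NTFS-type
    active partition at LBA 2048, three empty entries, valid signature."""
    bootstrap = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 204800)
    empty = b"\x00" * PART_ENTRY_LEN
    return bootstrap + entry + empty * 3 + b"\x55\xAA"


# Constructed sample images: a "known good" MBR (jmp $ followed by padding)
# and a copy whose bootstrap region has been altered.
GOOD_MBR = build_sample_mbr(b"\xEB\xFE")
BASELINE = hashlib.sha256(GOOD_MBR[:BOOTSTRAP_LEN]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + b"\x90" * 16 + b"\xCC")

if __name__ == "__main__":
    for name, image in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE) or "clean")
```

On a real system the baseline would be the hash recorded at install time or taken from a trusted copy of the boot code, and the 512 bytes would be read from sector 0 of the disk; the check is deliberately limited to structure and integrity, leaving behavioral analysis of the bootstrap code to the emulator described in the talk.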