
May 31st, 2011, 18:36 GMT · By

Boot Loader for Unsigned Drivers Is Being Advertised on Underground Forums

Image caption: 64-bit unsigned driver boot loader being tested by cyber criminals
Security researchers from antivirus vendor ESET have spotted an offer on the underground market for a new boot loader capable of loading unsigned drivers.

The offer was spotted on a Russian-language forum, where the poster describes it as a "boot loader for drivers" that do not need a digital signature and says it is still being tested.

This type of malware, which installs itself in the master boot record (MBR) and can therefore control how Windows starts, is in high demand because of its resiliency. Code that runs from the MBR executes before the operating system, so it can tamper with the boot process before Windows' own protections, such as driver signature enforcement on 64-bit systems, are in place.
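The MBR foothold described above is also where a defender can look. The following Python is an added example, not code from the Softpedia article or from ESET: it parses a raw 512-byte MBR sector into bootstrap code, disk signature and partition table, and compares the bootstrap code against a known-good SHA-256 baseline. The sample sectors are constructed inline (the stand-in bootstrap bytes are not real Windows code), and the `\\.\PhysicalDrive0` reader is an assumption about how a live check would be run on Windows with administrator rights.

```python
"""Parse a raw 512-byte MBR sector and compare its bootstrap code with a known-good baseline.

Added example for this article; the sample sectors below are constructed, not captured from
any real infection, and CLEAN_BOOTCODE is a stand-in, not a real Windows bootstrap sector.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440                # bytes 0..439: x86 bootstrap code, what MBR bootkits overwrite
DISK_SIGNATURE_OFFSET = 440       # 4-byte Windows disk signature
PARTITION_TABLE_OFFSET = 446      # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511
PARTITION_ENTRY = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into its fields. Raises ValueError on a wrong-sized buffer."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            PARTITION_ENTRY, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "bootcode": sector[:BOOTCODE_LEN],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr["bootcode"]).hexdigest()
    if digest != baseline_sha256:
        findings.append(f"bootstrap code changed: sha256 {digest[:16]}... differs from baseline")
    active = [p for p in mbr["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    return findings


def build_mbr(bootcode: bytes, disk_signature: int, partitions) -> bytes:
    """Assemble a constructed MBR for testing; partitions are (status, type, lba_start, sectors)."""
    if len(bootcode) > BOOTCODE_LEN:
        raise ValueError("bootcode too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, disk_signature)
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(PARTITION_ENTRY, sector, PARTITION_TABLE_OFFSET + 16 * i,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def read_live_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk on Windows (assumption: run as administrator).

    A rootkit that filters disk I/O can hand back a clean copy here, so a read from a
    possibly infected, running system is not authoritative; read the disk offline when in doubt.
    """
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


# Constructed sample data: a stand-in bootstrap sector (not real Windows code) and its hash.
CLEAN_BOOTCODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 433
BASELINE = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, 0x1234ABCD, [(0x80, 0x07, 2048, 204800)])

# Same disk with the first 16 bytes of bootstrap code replaced, standing in for a bootkit
# that has overwritten the MBR's boot code while leaving the partition table intact.
TAMPERED_BOOTCODE = b"\xEB\x10" + b"\x00" * 14 + CLEAN_BOOTCODE[16:]
TAMPERED_MBR = build_mbr(TAMPERED_BOOTCODE, 0x1234ABCD, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE) or "OK")
```

The baseline hash has to come from a trusted moment, for example a fresh install or a known-good image, because the check only tells you the boot code differs from what you recorded, not what replaced it. The `read_live_mbr` caveat is the practical one: bootkits that hook disk I/O can present the original sector to anything reading through the infected kernel, which is one reason antivirus products struggle with this class of threat.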

One of the most well known threats that display this behavior is TDL4, a so-called bootkit that is able to infect all flavors of Windows, including 64-bit ones.

The TDL4 developers are definitely not amateurs and have come up with sophisticated techniques to bypass the protections introduced by Microsoft.

During April's Patch Tuesday, Microsoft released an update that targeted bootkits and TDL4 in particular. The modifications it made to some system files rendered the malware nonfunctional.

Within half a month, the TDL4 developers had adapted to the change and released a new version able to overcome the protections put in place by Microsoft.

According to David Harley, a senior research fellow at ESET, the new boot loader being advertised sounds very much like TDL4 in functionality.

Its price, $9,000, is indicative of how valuable this kind of malware is and how much profit it can bring in return. To put this into context, the complete source code for the notorious ZeuS banking trojan was advertised some months back for $10,000.

Hopefully security researchers will be able to stay on top of this and add detection of the new threat as soon as it comes out of testing and begins being distributed in the wild.

However, the track record of antivirus programs when it comes to protecting against MBR rootkits is not great. Cleaning such infections is not without risk either, and can leave computers unable to boot into Windows.

Copyright © 2001-2012 Softpedia.