One of the first malicious programs that could be considered a bootkit appears to have evolved, adding new mechanisms that could let it slip past anti-virus solutions unnoticed.
According to Bitdefender researchers, in recent months the malware identified as Rootkit.MBR.Whistler.B has been infecting a large number of master boot records thanks to its new evasion techniques.
The bootkit keeps its data after the last partition on the disk; if it does not find enough unpartitioned space there, it shrinks the last partition until at least 400 sectors are available.
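The storage trick just described gives a defender something concrete to check: how much unpartitioned space follows the last MBR partition, and whether anything non-zero has been written there. The script below is an added example, not Bitdefender's or the malware's code; it parses a classic MBR partition table and applies the 400-sector figure from the article as the threshold, using a small constructed disk image in place of a real drive.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"


def parse_mbr_partitions(mbr: bytes):
    """Return (lba_start, sector_count) for each used entry of a classic MBR.
    Assumes a plain MBR disk; a GPT protective MBR (type 0xEE) is not handled."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        ptype = entry[4]
        lba_start, count = struct.unpack("<II", entry[8:16])
        if ptype != 0 and count:
            parts.append((lba_start, count))
    return parts


def trailing_unpartitioned(disk: bytes):
    """Return (first_free_lba, free_sector_count) after the last partition ends."""
    total = len(disk) // SECTOR
    parts = parse_mbr_partitions(disk[:SECTOR])
    last_end = max((s + c for s, c in parts), default=1)
    return last_end, total - last_end


def suspicious_trailing_data(disk: bytes, min_free: int = 400) -> bool:
    """Flag a disk whose trailing free area is at least min_free sectors
    (the bootkit's minimum per the article) and contains non-zero bytes."""
    start, free = trailing_unpartitioned(disk)
    if free < min_free:
        return False
    return any(disk[start * SECTOR:])


def build_disk_image(total_sectors, partitions, payload_lba=None) -> bytes:
    """Constructed sample image (not real malware data): an MBR with the given
    (start, count) entries, optionally with a marker written past the last partition."""
    table = b""
    for start, count in partitions:
        table += struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", start, count)
    img = bytearray(bytes(446) + table.ljust(64, b"\0") + MBR_SIGNATURE)
    img += bytes((total_sectors - 1) * SECTOR)
    if payload_lba is not None:
        img[payload_lba * SECTOR: payload_lba * SECTOR + 8] = b"MARKER01"  # constructed
    return bytes(img)
```

On a live system the same check would read the first sector and the tail of the physical drive instead of a constructed image; a hit only means "unexpected data after the last partition", which also happens with leftover data from earlier layouts, so it is a lead for inspection rather than a verdict.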
The first sector, which defines the components of Whistler, is now encrypted differently than before, using an additional key specific to the infected system; that key is hardcoded into the malware's code.
To make it harder for security products to detect, the new variant ships with all its components encrypted, whereas the previous version encrypted only the malicious code and left the rest in plain text. The encryption key is the absolute sector's LBA.
Analysis of this bootkit is difficult because the dropper removes itself after infecting the MBR. The driver loaded at boot injects the payload into processes, which later ensure that further malicious components land on the system.
Because it does not hide its MBR code the way other bootkits do, and because its payload is fairly well hidden, Whistler is much harder for anti-virus programs to detect. It also leaves no files on the infected machine's hard disk, which further helps it stay hidden.
“It is almost certain that this bootkit will continue its evolution, improving and adding new components. It was built to be just a layer under which other malware is stealthily loaded, so it is possible it would gain more diverse payloads in the near future, hosting different kinds of malware,” a researcher states.