In a ESET report on threats and trends for 2012, was stated that bootkits are one of the key technical trends of the year.
In the last few years has increased the spread of malicious software (bootkits), modifying the boot sector in the infected system. Among the most prominent members - TDL4, Olmasco and Rovnix.
Each of them uses different methods of infecting your hard drive, or a modification of the master boot record (MBR), or a modification of the first sector of the boot partition, that is, VBR or IPL (first volume sector, which control is transferred out of MBR - Volume Boot Record / Initial Program Loader). Intuitively, these families are shown in the figure below.
|Scheme of various bootkits families and methods of infection of a disk|
There are several reasons for using bootkits modern threats:
- Ability to run malicious code before running code that gives indisputable advantages and allows control of the OS;
- As a consequence of the first point, the monitoring system allows you to bypass the integrity of key components of the nucleus - PatchGuard (virtually the only way to ensure the survival of the rootkit x64-environment);
- Ability to hide deep their code and, thus, make it invisible to AV-scanners;
- Bootkit is the sector-based storage architecture of the body on the disc, which allows make its malicious code and the code of the payload well beyond the file system, and even partitions, making it nearly impossible to detect;
- Secure rootkit installation in the system.
TOP-10 most active threats for Windows: http://malwarelist.net/2013/02/16/top-10-threats-for-windows/