Malware continues to take advantage of a legacy component of modern systems designed in the 1980s. Despite the cyber threat landscape continuing to evolve at an ever-increasing pace, the exploitation of the classic BIOS boot process is still very much a threat to enterprises around the world. Furthermore, since malware that tampers with the boot process (aka bootkits) executes before the operating system, such compromises often persist even after incident responders think the incident has been remediated.
The challenge that incident responders and network defenders face when confronted with large enterprise networks is twofold.
First is the collection of boot records from target systems. Boot records consist of Master Boot Records and Volume Boot Records. Bootkits are notorious for hooking legitimate API calls in an attempt to hide bytes they have overwritten in the boot code. Because of this, collecting the bytes by reading the disk from user space is unreliable, as a bootkit may be intercepting the reads and returning legitimate-looking code.
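As an added illustration (not code from the original page), the following Python parses the classic MBR layout described above: 446 bytes of bootstrap code, four 16-byte partition entries, and the 0x55AA signature. It hashes the code region, derives where each partition's VBR sits, and compares two captures of the same sector so that a copy read through the running OS can be checked against one taken from a trusted path such as an offline disk image; the sample sector is constructed inline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_CODE_LEN = 446           # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the code
MBR_SIGNATURE = b"\x55\xaa"  # boot signature in the final two bytes


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into code hash, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sector count(4 LE)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            "vbr_offset": lba_start * SECTOR_SIZE,  # byte offset of this partition's VBR
        })
    return {
        "code_sha256": hashlib.sha256(sector[:MBR_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[-2:] == MBR_SIGNATURE,
    }


def compare_boot_code(capture_a: bytes, capture_b: bytes) -> bool:
    """True when two captures of the same sector carry identical bootstrap code.
    A mismatch between an OS-level read and an offline read is worth investigating."""
    return capture_a[:MBR_CODE_LEN] == capture_b[:MBR_CODE_LEN]


def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample sector: one bootable NTFS-type (0x07) partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    code = code.ljust(MBR_CODE_LEN, b"\x00")[:MBR_CODE_LEN]
    return code + entry + b"\x00" * 48 + MBR_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # constructed, not real boot code
    tampered = bytearray(clean)
    tampered[0:2] = b"\xe9\x00"                         # simulate overwritten bytes
    print(parse_mbr(clean))
    print("code identical:", compare_boot_code(clean, bytes(tampered)))
```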