
BIOS Boots What? Finding Evil in Boot Code at Scale

Malware continues to take advantage of a legacy component of modern systems that was designed in the 1980s. Although the threat landscape keeps evolving at an ever-increasing pace, tampering with the classic BIOS boot process remains a very real threat to enterprises around the world. Furthermore, because malware that tampers with the boot process (bootkits) executes before the operating system, such compromises often persist even after incident responders believe the incident has been remediated.

The challenge that incident responders and network defenders face when confronted with large enterprise networks is twofold.

First is the collection of boot records from target systems. Boot records consist of Master Boot Records (MBRs) and Volume Boot Records (VBRs). Bootkits are notorious for hooking the legitimate disk read path (the API calls and driver routines that a user-space read passes through) in an attempt to hide the bytes they have overwritten in the boot code. Because of this, collecting the bytes by reading the disk from user space is unreliable: a bootkit may intercept the reads and hand back the original, legitimate-looking code instead of what is actually on disk.
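Once a 512-byte boot sector has been collected, the first triage step at scale is to parse it, separate the boot code from the per-machine fields, and compare a hash of the code against an allowlist of known-good loaders. The following Python is an added example written for this page; it is not FireEye's tooling and the sample MBR bytes, the allowlist and the `build_sample_mbr` helper are constructed here for illustration. It parses the classic (non-GPT) MBR layout, hashes only the first 440 bytes so that the disk signature at offset 0x1B8 (which differs on every host) does not defeat the comparison, and locates the VBR of the active partition for the next collection step.

```python
"""Parse a classic Master Boot Record and triage its boot code by hash.

Added example for this page, not FireEye's code. The sample MBR built by
build_sample_mbr() and the KNOWN_GOOD allowlist are constructed test data.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # 0x000-0x1B7; 0x1B8 = disk signature, 0x1BC = reserved
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
MBR_SIGNATURE = 0xAA55    # bytes 55 AA at 0x1FE, read little-endian


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (CHS fields skipped)."""
    status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot code, disk signature and partitions."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need a full 512-byte sector")
    (sig,) = struct.unpack_from("<H", sector, 0x1FE)
    (disk_sig,) = struct.unpack_from("<I", sector, 0x1B8)
    parts = [parse_partition_entry(sector[PART_TABLE_OFF + 16 * i:
                                          PART_TABLE_OFF + 16 * (i + 1)])
             for i in range(4)]
    return {"signature_ok": sig == MBR_SIGNATURE,
            "boot_code": sector[:BOOT_CODE_LEN],
            "disk_signature": disk_sig,
            "partitions": parts}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only, so identical loaders on different
    hosts (different disk signatures) produce the same hash."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def vbr_offset(mbr: dict) -> int:
    """Byte offset of the active partition's Volume Boot Record."""
    for p in mbr["partitions"]:
        if p["bootable"]:
            return p["lba_start"] * SECTOR_SIZE
    raise ValueError("no active partition in table")


def triage(sector: bytes, known_good: set) -> str:
    """Classify a collected sector: 'invalid', 'known-good' or 'unknown'."""
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        return "invalid"          # no 55 AA: not a boot sector, or damaged
    return "known-good" if boot_code_hash(sector) in known_good else "unknown"


def build_sample_mbr(boot_code: bytes, disk_sig: int = 0x12345678) -> bytes:
    """Constructed sample: given boot code, one active NTFS partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    tail = struct.pack("<IH", disk_sig, 0)
    active = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code + tail + active + b"\x00" * 48 + struct.pack("<H", MBR_SIGNATURE)


# Constructed data: a typical real-mode prologue (xor ax,ax; mov ss,ax; mov sp,0x7C00)
KNOWN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
TAMPERED_BOOT_CODE = b"\xea\x00\x7c\x00\x00" + KNOWN_BOOT_CODE  # far jmp patched in
KNOWN_GOOD = {boot_code_hash(build_sample_mbr(KNOWN_BOOT_CODE))}


if __name__ == "__main__":
    for label, sector in [("baseline", build_sample_mbr(KNOWN_BOOT_CODE)),
                          ("other host", build_sample_mbr(KNOWN_BOOT_CODE, 0xDEADBEEF)),
                          ("tampered", build_sample_mbr(TAMPERED_BOOT_CODE)),
                          ("zeroed", b"\x00" * SECTOR_SIZE)]:
        print(f"{label:10s} {triage(sector, KNOWN_GOOD)}")
    print("VBR offset:", vbr_offset(parse_mbr(build_sample_mbr(KNOWN_BOOT_CODE))))
```

In a real collection pipeline the sector would come from a raw device read (for example `\\.\PhysicalDrive0` on Windows) performed from the kernel or from an offline image, for the reason the text gives: a user-space read may be served by the bootkit's hook. The hash allowlist is only as good as its coverage of legitimate loaders (Windows, GRUB, vendor recovery partitions), so "unknown" means "send for analysis", not "malicious".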

Read more at FireEye



The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
