My colleagues in ESET’s Russian labs have been tracking the Rovnix bootkit family (siblings included) since spring 2011, and a fascinating evolution it’s been, too, taking in a series of techniques for bypassing the security measures built into 64-bit (x64) Windows. Well, it fascinates those of us who work in that area of malware research, who will already have hotfooted over to the ESET blog to read Aleksandr Matrosov’s blog article for the technical lowdown on the latest modifications to the Rovnix bootkit framework.
Win32/Rovnix originally attracted particular attention because it used a somewhat innovative bootkit technique to take control of an infected PC ahead of security software in order, targeting the Volume Boot Record rather than the more-usually-targeted Master Boot Record.
But what does it mean for people who don’t know their MBR from their VBR and don’t really think they should need to take a crash course in the internals of PC hardware and the Window operating system? Well, as long as you’re reasonably sensible about patches and updates, use competent security software, and are reasonably cautious about where you go and what you click on, the esoteric aspects of the boot process probably needn’t bother you too much. All you need to know is that certain malware families have been going out of their way to evade the attention of anti-virus scanning by modifying these disk areas – which constitute important parts of the Windows start-up process – in order to bypass the integrity checks that are built into 64-bit (x64) Windows. (64-bit Windows has noticeable performance advantages over 32-bit versions, but may involve sacrificing some backward-compatibility.)
In fact, about a year ago we noted a significant rise in the number of malware families targeting x64. Right now, though, we’re seeing significant changes in the characteristics of complex threats that are focused on breaching 64-bit security (for instance, the ZeroAccess rootkit family and the stagnation of TDL4.) Why are 64-bit-targeted rootkits and bootkits on the wane? Aleksandr suggests that this is partly related to the time, resources and experience needed to develop new attack techniques in this area. In fact, he cites the complexity of development and debugging on multiple platforms as one of the reasons that the Rovnix bootkit framework is so expensive ($60,000 for a full-featured builder).
Yes, Virginia, there is indeed a market economy for the sale and rent of botnets, malware and other, frankly, criminal services that resembles the legitimate commercial marketplace in many respects, not least its vulnerability to market forces. The latest versions suggest a renewed interest in selling the framework – with features that will make it very suitable for renting. However, Aleksandr believes that future technologies with this degree of stealth will mostly be used in targeted attacks rather than in everyday malware attacks. Even though x64 attacks generally work quite efficiently with 32-bit systems too, there are more cost-effective ways of turning a dishonest penny for the average cyber criminal.