Antimalware researchers Marius Tivadar and Cristian Istrate are back, this time with an update on the infamous CPD bootkit family:
The first variant was a simple MBR infector. Times have changed though and the most recent one is among the stealthiest bootkits in the wild today.
CPD modifies just one dword in the boot sector to load itself: the HiddenSectors field of the BIOS Parameter Block (BPB). This field tells the boot sector code the LBA at which the partition begins. When the boot sector loads the next 15 bootstrap sectors, it uses HiddenSectors to find their location on disk. CPD stores its components at the end of the disk and replaces the original HiddenSectors value with the LBA of the bootkit loader component, so the bootkit is loaded instead of the original 15 bootstrap sectors of the partition.
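As an added example (not code from the researchers' write-up), this is the consistency check a defender can derive from the description above: read the BPB HiddenSectors dword of each partition boot sector and compare it with that partition's start LBA from the MBR partition table. The disk image, partition layout and the "near the end of the disk" window are constructed for the example and are assumptions, not values from the post.

```python
import struct

SECTOR = 512
MBR_PART_TABLE = 0x1BE      # start of the four 16-byte MBR partition entries
BPB_HIDDEN_SECTORS = 0x1C   # HiddenSectors dword inside the BIOS Parameter Block

def partition_entries(mbr: bytes):
    """Yield (index, start_lba, size_in_sectors) for each used partition entry."""
    for i in range(4):
        off = MBR_PART_TABLE + 16 * i
        ptype = mbr[off + 4]
        start_lba, size = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and size != 0:
            yield i, start_lba, size

def hidden_sectors(vbr: bytes) -> int:
    """Read the BPB HiddenSectors dword from a partition boot sector (VBR)."""
    return struct.unpack_from("<I", vbr, BPB_HIDDEN_SECTORS)[0]

def check_disk(disk: bytes, total_sectors: int, tail_window: int = 64) -> list:
    """Flag partitions whose VBR HiddenSectors does not equal their MBR start LBA;
    tail_window is an assumed heuristic for 'stored near the end of the disk'."""
    findings = []
    for idx, start_lba, size in partition_entries(disk[:SECTOR]):
        vbr = disk[start_lba * SECTOR:(start_lba + 1) * SECTOR]
        hs = hidden_sectors(vbr)
        if hs != start_lba:  # the bootstrap sectors would be read relative to hs
            findings.append({
                "partition": idx,
                "expected": start_lba,
                "hidden_sectors": hs,
                "outside_partition": not (start_lba <= hs < start_lba + size),
                "near_disk_end": hs >= total_sectors - tail_window,
            })
    return findings

def build_sample_disk(tampered: bool):
    """Constructed 256-sector image: one NTFS (type 0x07) partition at LBA 63."""
    total = 256
    disk = bytearray(total * SECTOR)
    struct.pack_into("<BBBBBBBBII", disk, MBR_PART_TABLE, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 63, 128)
    vbr = 63 * SECTOR
    disk[vbr + 3:vbr + 11] = b"NTFS    "
    # Clean VBR points at its own partition; tampered one points near the disk end
    struct.pack_into("<I", disk, vbr + BPB_HIDDEN_SECTORS, 240 if tampered else 63)
    return bytes(disk), total

if __name__ == "__main__":
    print(check_disk(*build_sample_disk(True)))
```

On a real system the same comparison is run against the first sector of the physical disk and the first sector of each partition it lists; a HiddenSectors value that points outside its own partition, let alone into the last sectors of the disk, is the indicator to investigate.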
Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. Recruited by Bitdefender in 2004 to add zest to the company's online presence.