VBootkit is a rootkit that loads from Windows Vista boot sectors. It can even be placed inside the BIOS to bypass Vista’s product activation and avoid DRM.
When its authors, Nitin & Vipin, were asked what Vbootkit is, they responded:
A bootkit is a rootkit that is able to load from boot sectors (master boot record, CD, PXE, floppies, etc.) and persist in memory all the way through the transition to protected mode and the startup of the OS. It’s a very interesting type of rootkit. All rootkits install when the OS is running because they use the OS’s features to load (and also they use the Administrator privileges to install), but bootkits are different: they use the boot media to attack the OS, and thus survive. Vbootkit is a bootkit specific for Windows Vista.
It’s a total in-RAM concept. So, it doesn’t touch the hard disk under any condition and thus leaves no proof. Just give a reboot to a vbootkit running system, and it vanishes just as if it was never there.
While, at this point, Vbootkit is just a proof of concept, it could be used to completely circumvent Vista’s security, and it’s not easily detectable or traceable. Since the rootkit becomes part of Vista’s kernel, it can do anything Vista can do.
If malware authors get their hands on Vbootkit’s source or are able to duplicate it, it’s game over for Vista.