Detecting bootkits resident on compromised computers

US 9,251,343 B1
Filed: 03/15/2013
Issued: 02/02/2016
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting bootkit resident on a computer, comprising:

performing an integrity check of a stored boot record comprising a master boot record, including;

generating, at a first time, and storing a baseline hash of the master boot record, the baseline hash comprising a baseline signature;

generating, at a second time, a first additional hash of the master boot record during processing of a content sample within a virtual machine, the second time being subsequent to the first time and the first additional hash comprising a first hash snapshot;

comparing the baseline hash with the first hash snapshot and storing information indicating that the baseline hash and the first hash snapshot are not the same; and

based on the stored information, issuing an alert of a resident bootkit.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques detect bootkits resident on a computer by detecting a change or attempted change to contents of boot locations (e.g., the master boot record) of persistent storage, which may evidence a resident bootkit. Some embodiments may monitor computer operations seeking to change the content of boot locations of persistent storage, where the monitored operations may include API calls performing, for example, WRITE, READ or APPEND operations with respect to the contents of the boot locations. Other embodiments may generate a baseline hash of the contents of the boot locations at a first point of time and a hash snapshot of the boot locations at a second point of time, and compare the baseline hash and hash snapshot where any difference between the two hash values constitutes evidence of a resident bootkit.

Citations

28 Claims

1. A computer-implemented method for detecting bootkit resident on a computer, comprising:
- performing an integrity check of a stored boot record comprising a master boot record, including;
  
  generating, at a first time, and storing a baseline hash of the master boot record, the baseline hash comprising a baseline signature;
  
  generating, at a second time, a first additional hash of the master boot record during processing of a content sample within a virtual machine, the second time being subsequent to the first time and the first additional hash comprising a first hash snapshot;
  
  comparing the baseline hash with the first hash snapshot and storing information indicating that the baseline hash and the first hash snapshot are not the same; and
  
  based on the stored information, issuing an alert of a resident bootkit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer-implemented method of claim 1, wherein generating the first additional hash comprises generating a series of additional hashes while processing the content sample within the virtual machine, each hash included in the series of additional hashes comprising a corresponding hash snapshot, wherein a hash included in the series of additional hashes is generated periodically.
  - 3. The computer-implemented method of claim 1, wherein generating the first additional hash comprises generating a series of additional hashes while processing the content sample within the virtual machine, each hash included in the series of additional hashes comprising a corresponding hash snapshot and generated at a separate time.
  - 4. The computer-implemented method of claim 1, further comprising providing a virtual machine and a virtual disk storing the boot record and the master boot record, and processing a content sample in the virtual machine to determine whether the content sample comprises a bootkit.
  - 5. The computer-implemented method of claim 4, further comprising processing the content sample to detect bootkit activity with respect to the boot record stored on a virtual disk located inside a guest image processing on the virtual machine.
  - 6. The computer-implemented method of claim 4, further comprising processing the content sample to detect bootkit activity with respect to the boot record stored on a virtual disk located external to a guest image executing on the virtual machine.
  - 7. The computer-implemented method of claim 1, wherein integrity checking comprises executing a bootkit detecting agent on an endpoint to access the boot record;
    - and providing the master boot record for performing the integrity check, wherein the integrity check is performed to detect bootkits resident on the endpoint.
  - 8. The computer-implemented method of claim 1, wherein a first computer generating the baseline hash and the first additional hash;
    - and a second computer comparing the baseline hash and the first additional hash.
  - 9. The computer-implemented method of claim 1, wherein the baseline hash and the first hash snapshot are generated from only the master boot record.
  - 10. The computer-implemented method of claim 1, further comprising generating a new baseline hash after installing an operating system update.
  - 11. The computer-implemented method of claim 1, further comprising storing the baseline hash as an obfuscated value.
  - 12. The computer-implemented method of claim 1, wherein an operating system instance running on a virtual machine reports API calls seeking to change the contents of the master boot record.
  - 13. The computer-implemented method of claim 1, further comprising:
    - generating, at a third time, a second additional hash of the master boot record, the third time being subsequent to the second time and the second additional has comprising a second hash snapshot;
      
      comparing the baseline hash with the second hash snapshot and storing second information indicating that the baseline hash and the second hash snapshot are not the same; and
      
      based on the stored second information, issuing the alert of a resident bootkit.
  - 14. The computer-implemented method of claim 13, wherein the third time is after the processing of the content sample has finished.
  - 15. The computer-implemented method of claim 13, wherein the third time is during the processing of the content sample.

16. A system for detecting bootkit resident on a computer, comprising:
- an integrity checker operable in conjunction with a boot record stored in persistent storage comprising a master boot record, the integrity checker comprising;
  
  a hash generator configured to generate, at a first time, and store a baseline hash of the master boot record, the baseline hash comprising a baseline signature the hash generator being further configured to generate, at a second time, a first additional hash of the master boot record during processing of a content sample within a virtual machine, the second time being subsequent to the first time and the first additional hash comprising a first hash snapshot;
  
  a comparator configured to compare the baseline hash with the first hash snapshot and storing information indicating that the baseline hash and the first hash snapshot are not the same; and
  
  an alert generator configured to issue, based on the stored information, an alert of a resident bootkit.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The system of claim 16, wherein the hash generator hash snapshot is configured to generate a series of additional hashes while processing the content sample within the virtual machine, each hash included in the series of additional hashes comprising a corresponding hash snapshot and generated at a different point in time.
  - 18. The system of claim 17, wherein the hash generator is configured to generate a series of additional hashes while processing the content sample within the virtual machine, each hash included in the series of additional hashes comprising a corresponding hash snapshot, wherein a hash included the series of additional hashes is generated periodically.
  - 19. The system of claim 16, further comprising a virtual machine including a virtual disk having the boot record and the master boot record, and configured to process a content sample therein to determine whether the content sample comprises a bootkit.
  - 20. The system of claim 16, further comprising a bootkit detecting agent configured to execute within an endpoint to access the boot record;
    - and providing the master boot record to the integrity checker, wherein the integrity checker is configured to detect bootkits resident on the endpoint.
  - 21. The computer-implemented method of claim 16, wherein the hash generator is configured to generate the baseline hash and the first hash snapshot from only the master boot record.

22. A non-transitory machine-readable medium storing instructions,which when executed by a processor, cause the processor to perform a method of bootkit detection, the instructions including:
- instructions for generating, at a first time, and storing a baseline hash of a master boot record, the baseline hash comprising a baseline signature;
  
  instructions for generating, at a second time, a first additional hash of a master boot record during processing of a content sample within a virtual machine, the second time being subsequent to the first time, the first additional hash comprising a first hash snapshot;
  
  instructions for comparing the baseline hash with the first hash snapshot and storing information indicating that the baseline hash and the hash snapshot are not the same; and
  
  instructions for issuing, based on the stored information, an alert of a resident bootkit.
- View Dependent Claims (23, 24)
- - 23. The non-transitory machine-readable medium storing instructions of claim 22, wherein the instructions further comprise:
    - instructions for executing a virtual machine including a virtual disk having the boot record and the master boot record, and processing a content sample therein to determine whether the content sample comprises a bootkit.
  - 24. The non-transitory machine-readable medium storing instructions of claim 22, wherein the instructions further comprise:
    - instructions for executing a bootkit detecting agent on an endpoint to access the boot record;
      
      instructions for providing at least one sector generating the baseline hash and at least one hash snapshot; and
      
      instructions to detect bootkits resident on the endpoint based on comparing the baseline hash with at least one hash snapshot.

25. A system for detecting a bootkit resident on a computer, comprising:
- a monitoring logic configured to detect a change or attempted change to contents of the Moot locations of persistent storage while a content sample is processed in a virtual machine, wherein the detected change or attempted change comprises evidence of a resident bootkit based on a comparison of (i) a baseline hash of the contents of the boot locations generated prior to processing the content sample in the virtual machine and (ii) a hash of the contents of the boot locations generated during processing of the content sample in the virtual machine; and
  
  an alert generator configured to issue, responsive to and in communication with the monitoring logic, an alert regarding the evidence of a resident bootkit.
- View Dependent Claims (26, 27, 28)
- - 26. The system of claim 25, wherein the monitoring logic is configured to monitor computer operations seeking to change the content of boot locations of persistent storage.
  - 27. The system of claim 25, wherein the monitoring logic comprising an intercept utility configured to intercept API calls seeking to change the content of boot locations of persistent storage.
  - 28. The system of claim 25, further comprising a virtual execution environment, and wherein the persistent storage comprises virtual persistent storage.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Singh, Abhishek, Amin, Muhammad, Bu, Zheng, Vincent, Michael M.
Primary Examiner(s)
Henning, Matthew

Application Number

US13/841,633
Time in Patent Office

1,054 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/566 Dynamic detection, i.e. det...

G06F 21/575 Secure boot

Detecting bootkits resident on compromised computers

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting bootkits resident on compromised computers

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links