Detecting bootkits resident on compromised computers
Abstract
Techniques detect bootkits resident on a computer by detecting a change or attempted change to contents of boot locations (e.g., the master boot record) of persistent storage, which may evidence a resident bootkit. Some embodiments may monitor computer operations seeking to change the content of boot locations of persistent storage, where the monitored operations may include API calls performing, for example, WRITE, READ or APPEND operations with respect to the contents of the boot locations. Other embodiments may generate a baseline hash of the contents of the boot locations at a first point of time and a hash snapshot of the boot locations at a second point of time, and compare the baseline hash and hash snapshot where any difference between the two hash values constitutes evidence of a resident bootkit.
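The two embodiments the abstract describes (monitoring operations that write to the boot locations, and comparing a baseline hash of the master boot record with a hash snapshot taken while a content sample is processed in a virtual machine) can be exercised end to end with the following Python. This is an added example, not code from the patent or from any product: the virtual disk, the MBR image and the two sample behaviours are constructed in-memory stand-ins, and the names `BOOT_SECTORS`, `VirtualDisk`, `analyse_sample`, `benign_sample` and `bootkit_sample` are chosen here. It assumes the checker reads the disk image from outside the guest, so a hook planted inside the guest cannot hand it the original sector.

```python
"""Bootkit check on a sandbox VM's disk: baseline hash of the MBR versus a hash
snapshot taken after a content sample ran, plus monitoring of writes aimed at
the boot sectors. Added example; the disk image, MBR bytes and samples are
constructed stand-ins. Assumption: the image is read from outside the guest."""
import hashlib
import struct

SECTOR = 512
MBR_LBA = 0
BOOT_SECTORS = {MBR_LBA}        # assumption: the boot locations are the MBR only
BOOT_SIGNATURE = b"\x55\xaa"


def build_mbr(bootstrap: bytes, partitions) -> bytes:
    """Constructed 512-byte MBR: 446 bytes of bootstrap code, four 16-byte
    partition entries (CHS fields zeroed, LBA fields used), 0x55AA signature."""
    code = bootstrap[:446].ljust(446, b"\x00")
    table = b"".join(
        struct.pack("<B3sB3sII", flag, b"\x00" * 3, ptype, b"\x00" * 3, start, count)
        for flag, ptype, start, count in partitions
    ).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


class VirtualDisk:
    """Minimal stand-in for a VM's virtual disk. Every write that touches a boot
    sector is recorded (the monitoring embodiment) even when it is then blocked."""

    def __init__(self, image: bytearray, block_boot_writes: bool = False):
        self.image = image
        self.block_boot_writes = block_boot_writes
        self.boot_write_attempts = []   # (byte_offset, length, [lba, ...])

    def read_sector(self, lba: int) -> bytes:
        return bytes(self.image[lba * SECTOR:(lba + 1) * SECTOR])

    def write(self, byte_offset: int, data: bytes) -> bool:
        first = byte_offset // SECTOR
        last = (byte_offset + len(data) - 1) // SECTOR
        touched = [lba for lba in range(first, last + 1) if lba in BOOT_SECTORS]
        if touched:
            self.boot_write_attempts.append((byte_offset, len(data), touched))
            if self.block_boot_writes:
                return False            # attempted change, not applied
        self.image[byte_offset:byte_offset + len(data)] = data
        return True


def hash_boot_record(disk: VirtualDisk) -> str:
    """SHA-256 over the whole MBR sector (bootstrap code, partition table and
    signature), so a patched loader is caught even when the table and the
    0x55AA signature are left untouched."""
    return hashlib.sha256(disk.read_sector(MBR_LBA)).hexdigest()


def signature_valid(disk: VirtualDisk) -> bool:
    """The naive check a bootkit leaves intact: is 0x55AA still at offset 510?"""
    return disk.read_sector(MBR_LBA)[510:512] == BOOT_SIGNATURE


def analyse_sample(disk: VirtualDisk, run_sample) -> dict:
    """Hash-compare embodiment: baseline at t1, process the sample, snapshot at
    t2, compare. A differing hash, or any monitored write attempt on a boot
    sector, is reported as evidence of a resident bootkit."""
    baseline = hash_boot_record(disk)   # t1: before the sample is processed
    run_sample(disk)                    # the content sample runs in the VM
    snapshot = hash_boot_record(disk)   # t2: during/after processing
    modified = snapshot != baseline
    return {
        "baseline": baseline,
        "snapshot": snapshot,
        "mbr_modified": modified,
        "boot_write_attempts": list(disk.boot_write_attempts),
        "signature_still_valid": signature_valid(disk),
        "alert": modified or bool(disk.boot_write_attempts),
    }


# Constructed sample behaviours (not real malware).
def benign_sample(disk: VirtualDisk) -> None:
    disk.write(2048 * SECTOR, b"quarterly-report.docx contents")   # ordinary file data


def bootkit_sample(disk: VirtualDisk) -> None:
    # Overwrite the start of the bootstrap code with a constructed stub while
    # leaving the partition table and the 0x55AA signature intact.
    disk.write(0, b"\xeb\x3c\x90" + b"\x00" * 13)


def fresh_disk(block_boot_writes: bool = False) -> VirtualDisk:
    """A 2 MiB constructed disk image with one NTFS-typed partition entry."""
    stub = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 8    # constructed loader bytes
    mbr = build_mbr(stub, [(0x80, 0x07, 2048, 1_048_576)])
    return VirtualDisk(bytearray(mbr) + bytearray(4095 * SECTOR), block_boot_writes)


if __name__ == "__main__":
    for name, sample, block in [("benign", benign_sample, False),
                                ("bootkit", bootkit_sample, False),
                                ("bootkit, writes blocked", bootkit_sample, True)]:
        r = analyse_sample(fresh_disk(block), sample)
        print(f"{name}: alert={r['alert']} mbr_modified={r['mbr_modified']} "
              f"attempts={len(r['boot_write_attempts'])} sig_ok={r['signature_still_valid']}")
```

Two points the runs make visible. First, the signature check still passes after the constructed bootkit writes its stub, which is why the hash covers the whole sector rather than only the trailing 0x55AA. Second, with writes to the boot sectors blocked, the hashes stay equal and only the monitoring path raises the alert, which is the "attempted change" case of the abstract. Any legitimate change to the MBR (an OS upgrade or a dual-boot installer) also changes the hash, so the comparison is scoped to the window in which one sample is processed. On a UEFI system the loader lives in files on the EFI System Partition rather than in the MBR bootstrap area, so the same baseline-versus-snapshot approach would hash those locations instead.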
28 Claims
1. A computer-implemented method for detecting bootkit resident on a computer, comprising:
performing an integrity check of a stored boot record comprising a master boot record, including:
generating, at a first time, and storing a baseline hash of the master boot record, the baseline hash comprising a baseline signature;
generating, at a second time, a first additional hash of the master boot record during processing of a content sample within a virtual machine, the second time being subsequent to the first time and the first additional hash comprising a first hash snapshot;
comparing the baseline hash with the first hash snapshot and storing information indicating that the baseline hash and the first hash snapshot are not the same; and
based on the stored information, issuing an alert of a resident bootkit.
Dependent claims: 2 through 15.
16. A system for detecting bootkit resident on a computer, comprising:
an integrity checker operable in conjunction with a boot record stored in persistent storage comprising a master boot record, the integrity checker comprising:
a hash generator configured to generate, at a first time, and store a baseline hash of the master boot record, the baseline hash comprising a baseline signature, the hash generator being further configured to generate, at a second time, a first additional hash of the master boot record during processing of a content sample within a virtual machine, the second time being subsequent to the first time and the first additional hash comprising a first hash snapshot;
a comparator configured to compare the baseline hash with the first hash snapshot and store information indicating that the baseline hash and the first hash snapshot are not the same; and
an alert generator configured to issue, based on the stored information, an alert of a resident bootkit.
Dependent claims: 17 through 21.
22. A non-transitory machine-readable medium storing instructions, which when executed by a processor, cause the processor to perform a method of bootkit detection, the instructions including:
instructions for generating, at a first time, and storing a baseline hash of a master boot record, the baseline hash comprising a baseline signature;
instructions for generating, at a second time, a first additional hash of a master boot record during processing of a content sample within a virtual machine, the second time being subsequent to the first time, the first additional hash comprising a first hash snapshot;
instructions for comparing the baseline hash with the first hash snapshot and storing information indicating that the baseline hash and the hash snapshot are not the same; and
instructions for issuing, based on the stored information, an alert of a resident bootkit.
Dependent claims: 23 and 24.
25. A system for detecting a bootkit resident on a computer, comprising:
a monitoring logic configured to detect a change or attempted change to contents of the boot locations of persistent storage while a content sample is processed in a virtual machine, wherein the detected change or attempted change comprises evidence of a resident bootkit based on a comparison of (i) a baseline hash of the contents of the boot locations generated prior to processing the content sample in the virtual machine and (ii) a hash of the contents of the boot locations generated during processing of the content sample in the virtual machine; and
an alert generator configured to issue, responsive to and in communication with the monitoring logic, an alert regarding the evidence of a resident bootkit.
Dependent claims: 26 through 28.
Specification