Whistler Bootkit – a new powerful Windows bootkit


Whistler Bootkit is a new Windows bootkit that attacks all Windows versions from 2000 up to the recent Server 2008 and 7. Whistler Bootkit can be used to start an executable with NT-AUTHORITY\SYSTEM rights on every startup of the OS and to shield it from anything and anyone, making it “impossible” to remove. The protected executable is completely hidden from, and untouchable by, any antivirus software and the user of the infected machine.


Once Whistler Bootkit is installed on a machine, it can give the attacker full and totally hidden access without raising any kind of suspicion in the user of the infected machine. With this kind of bootkit, an infected machine can remain compromised for months, if not years, without leaving any trace of the infection.


Main features are:


  • Ring 0 Loader: you can add/start your custom drivers
  • Works in all Windows versions from 2000 up to the recent Server 2008 and 7
  • The Ring 0 Loader also works on Vista and 7! Unique feature!!!
  • Loads protected applications as NT-AUTHORITY\SYSTEM
  • Loads the executable in Safe Mode
  • Once installed, it also works with a limited guest account!
  • Starts the exe BEFORE ANY AV is active! Starts before the user is logged on!
  • Installation to a hidden place on the HDD -> No access for OS/AV/USER
  • Bypasses all AVs; no antivirus will detect it!
  • 64-bit supported in future versions!


The authors stated that this bootkit was tested successfully against the most recent security software, and that all of it was fully bypassed and unable to detect the protected executable file.


With Whistler Bootkit, malware writers no longer need to encrypt or pack a malicious executable to evade antivirus signature or heuristic detection, since the executable is fully protected before the antivirus even starts in the OS, and it persists on the infected system!
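As an added example (not from the original post and not the bootkit authors' code), the following Python script shows the kind of offline boot-sector integrity check a defender would use against an MBR bootkit. It assumes that, like the classic MBR bootkits, the infection alters the first sector of the disk; the post gives no details of how Whistler installs itself, so that is an assumption. Because the post states the infection is hidden from the running OS and from antivirus, the sector has to be read from a trusted environment (a clean boot medium) and the baseline has to be captured before infection. The sample MBRs below are constructed, and `read_mbr` is a helper name chosen for this example.

```python
# Added example: offline MBR integrity check against a trusted baseline.
# Assumption: the bootkit modifies the boot sector, as classic MBR bootkits do.
# Caveat: read the sector from a clean boot medium; inside the infected OS the
# bootkit may hide its changes, so the comparison would be meaningless there.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap code area at the start of the MBR
PARTITION_TABLE_OFF = 446  # four 16-byte partition entries follow it
SIGNATURE_OFF = 510        # the sector ends with 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * 16
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xAA",
    }


def baseline_of(sector: bytes) -> dict:
    """Record what a trusted snapshot of the MBR looks like (capture before infection)."""
    parsed = parse_mbr(sector)
    return {"boot_code_sha256": parsed["boot_code_sha256"],
            "partitions": parsed["partitions"]}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against the baseline; return a list of findings."""
    findings = []
    current = parse_mbr(sector)
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_mbr(path: str) -> bytes:
    """Helper (hypothetical name): read the first sector of a raw device or disk image."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Constructed test data: assemble a synthetic MBR (not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PARTITION_TABLE_OFF + i * 16
        struct.pack_into("<B3xB3xII", sector, off,
                         0x80 if bootable else 0, ptype, lba_start, sectors)
    sector[SIGNATURE_OFF:] = b"\x55\xAA"
    return bytes(sector)


# Constructed sample: a "known-good" boot code stub and one NTFS (0x07) partition.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(True, 0x07, 2048, 409600)])
BASELINE = baseline_of(CLEAN_MBR)

# Constructed sample: the same disk after the boot code area was modified,
# which is what an integrity check of this kind is meant to flag.
TAMPERED_MBR = build_sample_mbr(b"\xEB\x3E" + CLEAN_BOOT_CODE[2:],
                                [(True, 0x07, 2048, 409600)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or ["no change"])
```

On a real system the two calls would be `baseline_of(read_mbr("/dev/sda"))` taken from a clean boot medium before deployment, and `check_mbr(read_mbr("/dev/sda"), baseline)` later from the same kind of trusted environment; the baseline itself belongs on media the suspect machine cannot write to.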


    4 Approved Responses so far

    1. testelletset Says:

      It’s just the once open Stoned bootkit. Same specs, same characteristics. They try to sell it to get some money. It’s not worth buying.

    2. Saleem Says:

      Does it really work on WinCE also?
      You didn’t mention this!!

    3. Madri Says:

      You mentioned that it is completely hidden without trace. But surely, some bandwidth monitor should show activity if data is being sent or received over the internet. It may be hidden from net view and similar programs, but a bandwidth monitor might be able to report activity. Is that correct? Kindly reply. I am much worried.

    4. rob Says:

      If you use a second computer (Linux + Snort) to monitor the traffic of the main computer, you will filter all the traffic in/out of the main computer. So yes, traffic can be monitored.
