Whistler Bootkit – a new powerful Windows bootkit

Posted by bursali | Posted in Scene | Posted on 21.02.2010 @ 17:55:32


Just discovered on novirusthanks.org:

Whistler Bootkit is a new, interesting Windows bootkit which attacks all Windows versions from 2000 up to the recent Server 2008 and 7. Whistler Bootkit can be used to start an executable with NT-AUTHORITY\SYSTEM rights on every startup of the OS and secure it from anything and anyone, making it “impossible” to remove. The protected executable is completely hidden and untouchable by any antivirus software and by the user of the infected machine.

Once Whistler Bootkit is installed on a machine, it can give full and totally hidden access to the attacker without arousing any kind of suspicion in the user of the infected machine. An infected machine can remain compromised for months, if not years, with this kind of bootkit without leaving any trace of the infection.

Main features are:

  • Ring 0 Loader, you can add/start your custom drivers
  • Works in all Windows versions from 2000 up to the recent Server 2008 and 7
  • The Ring 0 Loader also works on Vista and 7! Unique feature!!!
  • Loading applications protected as SYSTEM\NT-AUTHORITY
  • Loads the executable in Safe Mode
  • Once installed, it also works with a limited guest account!
  • Starts the exe BEFORE ANY AV is active! Starts before the user is logged on!
  • Installation to a hidden place on the HDD -> No access for OS/AV/USER
  • Bypasses all AVs; no antivirus will detect it!
  • 64-bit supported in future versions!

This bootkit was tested successfully by its author against Trojan Remover, GMER, ComboFix, Kaspersky AV 2010, Ikarus and Prevx; all of this security software was fully bypassed and was unable to detect the protected executable file:

Whistler Bootkit working in the new Windows 7
Whistler Bootkit vs GMER
Whistler Bootkit vs Kaspersky 2010
Whistler Bootkit vs Trojan Remover

With Whistler Bootkit there is no need to crypt a malicious executable with packers to avoid antivirus signature or heuristic detection, since the executable is totally protected even before the antivirus starts in the OS, and it can persist on the infected system.

This bootkit is sold in underground forums by its author for a price of 800 € for a private and custom build. The author offers regular updates and usage support (depending on the buyer's usage) for a price of 1000 – 2000 € per month.

One hell of a piece of kit Oo
The price is ‘actually’ fine, considering everything you can do with it.
Let's see when the media report on it.

Kind regards
~bursali
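The quoted feature list makes two claims that leave a footprint an analyst can look for offline: the bootkit has to patch the boot code in sector 0 to get control before the OS, and it stores its loader "in a hidden place on the HDD", which on an MBR disk of that era means the unpartitioned sectors between the MBR and the first partition (LBA 1..62 on a classic XP layout). The check below is an added example written for this post; it is not code from the novirusthanks.org write-up, from the bursali blog, or from the Whistler author, and it says nothing about where Whistler actually writes itself. It parses the MBR partition table of a raw disk image, compares the 446-byte boot code against a baseline hash, and flags any non-zero sector in the pre-partition gap. The disk images, the "clean" boot code bytes and the planted loader body are all constructed in memory for the demo; the baseline hash must come from a known-good image of the same install, never from this file.

```python
"""Offline MBR / pre-partition-gap integrity check (added example, see lead-in)."""
import hashlib
import struct

SECTOR = 512
# MBR partition entry: status, CHS start (3 bytes, skipped), type,
# CHS end (3 bytes, skipped), start LBA, sector count; little-endian.
ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty entries of the 4-slot MBR partition table."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR (missing 0x55AA signature)")
    entries = []
    for i in range(4):
        status, ptype, start_lba, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype != 0:  # type 0x00 means an unused slot
            entries.append({"status": status, "type": ptype,
                            "start_lba": start_lba, "sectors": count})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the 446-byte bootstrap code only (partition table excluded)."""
    return hashlib.sha256(mbr[:446]).hexdigest()


def scan_gap(image: bytes, first_lba: int) -> list:
    """LBAs in [1, first_lba) that hold anything other than zero bytes.

    A factory-blank gap is all zeros; anything else is at least worth a look
    (some legitimate tools do write here, so treat hits as leads, not verdicts).
    """
    hits = []
    for lba in range(1, first_lba):
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            hits.append(lba)
    return hits


def check_image(image: bytes, known_good_bootcode_sha256: str) -> dict:
    """Run both checks against a raw image and return the findings."""
    mbr = image[:SECTOR]
    parts = parse_partition_table(mbr)
    first_lba = min(p["start_lba"] for p in parts)
    return {
        "first_partition_lba": first_lba,
        "bootcode_modified": boot_code_hash(mbr) != known_good_bootcode_sha256,
        "nonzero_gap_sectors": scan_gap(image, first_lba),
    }


# ---- constructed demo data (not real boot code, not real Whistler bytes) ----

def build_mbr(bootcode: bytes, first_lba: int = 63, count: int = 1000) -> bytes:
    """Build a one-partition MBR: active NTFS (0x07) starting at LBA 63."""
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    struct.pack_into(ENTRY_FMT, mbr, 446, 0x80, 0x07, first_lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Stand-in for the install's genuine boot code; a real baseline is hashed from
# a trusted image of the same machine, not taken from this example.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20
BASELINE = boot_code_hash(build_mbr(CLEAN_BOOTCODE))


def make_clean_image() -> bytes:
    """MBR plus 62 all-zero gap sectors (LBA 1..62), first partition at 63."""
    return build_mbr(CLEAN_BOOTCODE) + bytes(SECTOR * 62)


def make_infected_image() -> bytes:
    """Constructed 'infected' image: patched boot code and a body parked in LBA 40."""
    patched = build_mbr(b"\xea\x00\x7e\x00\x00" + b"\x90" * 20)  # far-jump stub, constructed
    gap = bytearray(SECTOR * 62)
    body = b"FAKE-LOADER-BODY" * 4
    gap[39 * SECTOR:39 * SECTOR + len(body)] = body  # gap index 39 == LBA 40
    return patched + bytes(gap)


if __name__ == "__main__":
    for name, img in (("clean", make_clean_image()), ("infected", make_infected_image())):
        print(name, check_image(img, BASELINE))
```

Run it against an image acquired from outside the suspect OS (a boot CD, or the drive attached to a clean analysis host): the quoted text itself claims the hidden area is unreadable from the infected system, and a bootkit that hooks the disk stack can return clean sectors to anything querying the live disk. On Windows the raw device can be opened as `\\.\PhysicalDrive0` with administrative rights if you do want a live read for comparison; a mismatch between the live view and the offline image is itself a strong indicator. The gap scan is a lead generator, not a verdict: bootloaders such as GRUB and some OEM tools legitimately write to those sectors, so compare against the machine's own baseline.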

Comments posted (1)

Every time I come to blog.bursali.eu there is another exciting article up to read. A friend of mine was talking to me about this topic a couple weeks ago, so I think I’ll send them the url here and see what they say.
