HDRoot MBR bootkit Analysis

The malware examined here can be broken into several stages. The 64-bit dropper, which was signed with a stolen certificate that has since been revoked, is the first component that is executed. The dropper installs the bootkit to the hard drive along with a backdoor executable to be run on subsequent boots. The backdoor is supplied as a parameter to the dropper and can be any Win32 or Win64 executable.