The Latest in IT Security

CPD Makes Use of Hidden Sectors

14
Feb
2013

Antimalware researchers Marius Tivadar and Cristian Istrate are back, this time with an update on the infamous CPD bootkit family:

The first variant was a simple MBR infector. Times have changed though and the most recent one is among the stealthiest bootkits in the wild today.

CPD modifies just one dword in the boot sector to load itself. This dword is the HiddenSectors field in the Bios Parameter Block structure. This field tells the Boot sector the LBA at which the partition is located. When the Boot sector loads the next 15 bootstrap sectors, it uses HiddenSectors field to find their location on disk. CPD stores its components at the end of the disk and replaces the original HiddenSectors field with the LBA of the bootkit loader component. This way the bootkit will be loaded instead of the original 15 bootstrap sectors of the partition.

cpd variants

Leave a reply


Categories

SUNDAY, SEPTEMBER 27, 2020
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments