Antimalware researchers Marius Tivadar and Cristian Istrate are back, this time with an update on the infamous CPD bootkit family:
The first variant was a simple MBR infector. Times have changed though and the most recent one is among the stealthiest bootkits in the wild today.
CPD modifies just one dword in the boot sector to load itself. This dword is the HiddenSectors field in the Bios Parameter Block structure. This field tells the Boot sector the LBA at which the partition is located. When the Boot sector loads the next 15 bootstrap sectors, it uses HiddenSectors field to find their location on disk. CPD stores its components at the end of the disk and replaces the original HiddenSectors field with the LBA of the bootkit loader component. This way the bootkit will be loaded instead of the original 15 bootstrap sectors of the partition.
Leave a reply