CPD Makes Use of Hidden Sectors

Răzvan STOICA

February 14, 2013


Antimalware researchers Marius Tivadar and Cristian Istrate are back, this time with an update on the infamous CPD bootkit family:

The first variant was a simple MBR infector. Times have changed though and the most recent one is among the stealthiest bootkits in the wild today.

CPD modifies just one dword in the boot sector to load itself: the HiddenSectors field of the BIOS Parameter Block (BPB). HiddenSectors holds the number of sectors that precede the partition on the disk, which is the partition's starting LBA; the boot-sector (VBR) code adds it to partition-relative sector numbers to obtain absolute disk addresses. When the boot sector goes on to load the next 15 bootstrap sectors (sectors 1 to 15 of the partition), it reads them starting at HiddenSectors + 1. CPD stores its components at the end of the disk and overwrites HiddenSectors with the LBA of its loader component, so the untouched boot-sector code obediently loads the bootkit instead of the partition's original 15 bootstrap sectors. Because the MBR and the boot code itself are left intact, a check that only hashes the boot code will not notice the infection; the giveaway is that HiddenSectors no longer matches the partition's start LBA recorded in the MBR partition table.
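The cross-check described above, as an added example in Python that is not Bitdefender's code or part of the original post: it parses the MBR partition table, reads each partition's boot sector, and compares the BPB HiddenSectors dword (offset 0x1C in a DOS 3.31/NTFS BPB) with the start LBA the partition table records. It also mimics what the boot-sector code does with HiddenSectors, so you can see the read being redirected. The disk images are constructed in memory; the partition start, image size and the loader's position near the end of the disk are assumptions chosen for the example, not values taken from real CPD samples.

```python
"""Detect a CPD-style HiddenSectors redirection by cross-checking the MBR partition
table against each partition's BIOS Parameter Block. Added example, not Bitdefender code."""
import struct

SECTOR = 512
MBR_PART_TABLE = 0x1BE     # four 16-byte partition entries
BPB_HIDDEN_SECTORS = 0x1C  # dword offset of HiddenSectors in a DOS 3.31 / NTFS BPB
NTFS_TOTAL_SECTORS = 0x28  # qword, NTFS-specific


def parse_mbr_partitions(mbr):
    """Return (index, type, start_lba, sector_count) for every in-use primary entry."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("MBR signature missing")
    parts = []
    for i in range(4):
        entry = mbr[MBR_PART_TABLE + 16 * i: MBR_PART_TABLE + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            parts.append((i, ptype, start_lba, count))
    return parts


def read_sector(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def check_hidden_sectors(image):
    """Compare each VBR's HiddenSectors with the partition start LBA the MBR says it has."""
    findings = []
    for idx, ptype, start_lba, _count in parse_mbr_partitions(read_sector(image, 0)):
        vbr = read_sector(image, start_lba)
        if len(vbr) < SECTOR or vbr[510:512] != b"\x55\xaa":
            findings.append({"partition": idx, "status": "no-vbr"})
            continue
        hidden = struct.unpack_from("<I", vbr, BPB_HIDDEN_SECTORS)[0]
        findings.append({"partition": idx, "type": ptype, "table_lba": start_lba,
                         "hidden_sectors": hidden,
                         "status": "ok" if hidden == start_lba else "MISMATCH"})
    return findings


def next_bootstrap_sector(image, part_start):
    """What the VBR code does: bootstrap sector 1 lives at absolute LBA HiddenSectors + 1."""
    vbr = read_sector(image, part_start)
    hidden = struct.unpack_from("<I", vbr, BPB_HIDDEN_SECTORS)[0]
    return read_sector(image, hidden + 1)


# --- constructed test images (no real disk is touched) ---------------------------------
def build_mbr(entries):
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        off = MBR_PART_TABLE + 16 * i
        mbr[off] = 0x80 if i == 0 else 0x00            # bootable flag
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def build_ntfs_vbr(hidden_sectors, total_sectors):
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"                         # jmp over the BPB
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<H", vbr, 0x0B, SECTOR)          # bytes per sector
    vbr[0x0D] = 8                                      # sectors per cluster
    vbr[0x15] = 0xF8                                   # media descriptor
    struct.pack_into("<I", vbr, BPB_HIDDEN_SECTORS, hidden_sectors)
    struct.pack_into("<Q", vbr, NTFS_TOTAL_SECTORS, total_sectors)
    vbr[510:512] = b"\x55\xaa"
    return bytes(vbr)


def build_image(total_sectors, part_start, hidden_sectors, loader_lba=None):
    """MBR + one NTFS partition. If loader_lba is set, park a fake CPD loader there."""
    image = bytearray(total_sectors * SECTOR)
    part_count = total_sectors - part_start
    image[0:SECTOR] = build_mbr([(0x07, part_start, part_count)])
    image[part_start * SECTOR:(part_start + 1) * SECTOR] = build_ntfs_vbr(hidden_sectors, part_count - 1)
    image[(part_start + 1) * SECTOR:(part_start + 1) * SECTOR + 8] = b"ORIGINAL"  # bootstrap sector 1
    if loader_lba is not None:
        image[(loader_lba + 1) * SECTOR:(loader_lba + 1) * SECTOR + 8] = b"BOOTKIT!"
    return bytes(image)


TOTAL = 4096              # 2 MiB image (assumed size for the example)
PART_START = 2048         # typical aligned first-partition start (assumed)
LOADER_LBA = TOTAL - 64   # near the end of the disk, where CPD parks its components (assumed)

CLEAN = build_image(TOTAL, PART_START, hidden_sectors=PART_START)
INFECTED = build_image(TOTAL, PART_START, hidden_sectors=LOADER_LBA, loader_lba=LOADER_LBA)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, check_hidden_sectors(img), next_bootstrap_sector(img, PART_START)[:8])
```

On a real system you would feed `check_hidden_sectors` the raw disk (for example `\\.\PhysicalDrive0` opened for reading, or a forensic image); a HiddenSectors value that does not equal the partition's start LBA in the MBR is worth a closer look, and a value that points past the last partition into the tail of the disk is exactly the layout described above.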

[Figure: CPD variants]

Author


Răzvan STOICA

Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. Recruited by Bitdefender in 2004 to add zest to the company's online presence.
