
Research Of Bootkit Static Detection Method Based On Disk Data Search

Posted on: 2016-09-12
Degree: Master
Type: Thesis
Country: China
Candidate: G Jin
Full Text: PDF
GTID: 2308330476453456
Subject: Electronic and communication engineering
Abstract/Summary:
Modern society is an information society: people's lives are inseparable from computers and networks. Unfortunately, information security problems are becoming more serious as information technology develops. A Bootkit is a new kind of malicious code that evolved from the traditional Rootkit. By loading itself early in the boot process, before the operating system, a Bootkit can hide its malicious actions from the OS environment and bypass most security software, which poses a great threat to the information world. Until now, most security software has still relied on dynamic detection methods, whose effectiveness against Bootkits is poor.

This thesis first analyzes the working mechanism of Bootkits and gives a formal description of it, which explains why Bootkits are so difficult to detect. It then analyzes the ways a Bootkit hides its malicious data and, based on this analysis, proposes a static detection method. The method uses pattern-matching algorithms to search for potentially malicious data in hidden sectors of the disk. Because most Bootkits hide MBR and PE-format data on disk, two matching algorithms, MBR-Matching and PE-Matching, are designed to recognize these two types of data. Finally, a Bootkit static detection tool named BootDiskChecker is implemented; it consists of several modules, including an MBR whitelist module, an MBR malicious feature string search module, an MBR backup search module, and a PE file search module.

At the end of the thesis, BootDiskChecker is used to detect several well-known Bootkit samples. Every module of BootDiskChecker is tested, and the results show that the static detection method achieves a very high detection accuracy on these samples.
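The following is an added illustration of the static, disk-level approach the abstract describes; it is example code written for this page and is not the thesis's BootDiskChecker. It scans a raw disk image for sectors that look like an MBR (MBR-Matching) or a PE file (PE-Matching), restricted to "hidden" sectors, which the example assumes to mean sectors not covered by any entry of the partition table in sector 0. The matching criteria (0x55AA boot signature, boot indicators of 0x00/0x80, at least one typed partition, non-zero boot code; an "MZ" header whose e_lfanew points at "PE\0\0" within a two-sector window) are the example's own heuristics, the disk image is constructed in the code, and the whitelist and feature-string modules of the thesis are not reproduced here.

```python
"""Static scan of a raw disk image for MBR-like and PE-like data in hidden
sectors. Added example code, not the thesis's BootDiskChecker; the matching
heuristics and the sample image below are assumptions made for illustration."""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
# Partition entry: boot flag, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


def parse_partitions(sector0):
    """Return [(start_lba, sector_count)] for the non-empty entries of sector 0's partition table."""
    parts = []
    for i in range(4):
        _boot, ptype, start, count = struct.unpack_from(PART_ENTRY_FMT, sector0, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE)
        if ptype != 0 and count != 0:
            parts.append((start, count))
    return parts


def is_mbr_like(sector):
    """MBR-Matching: boot signature, a sane partition table and non-empty boot code (assumed heuristic)."""
    if len(sector) != SECTOR or sector[510:512] != MBR_SIGNATURE:
        return False
    typed = 0
    for i in range(4):
        boot, ptype, _start, count = struct.unpack_from(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE)
        if boot not in (0x00, 0x80):        # anything else is not a partition-table byte
            return False
        if ptype != 0:
            if count == 0:                  # typed partition of zero length: not a real table
                return False
            typed += 1
    # An all-zero boot-code area is a bare partition table, not executable MBR code.
    return typed > 0 and any(sector[:PART_TABLE_OFFSET])


def is_pe_like(window):
    """PE-Matching: 'MZ' DOS header whose e_lfanew points to 'PE\\0\\0' inside the window (assumed heuristic)."""
    if len(window) < 0x40 or window[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", window, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(window):
        return False
    return window[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_hidden_sectors(image, pe_window_sectors=2):
    """Scan every sector outside all partitions (sector 0 excluded) and return [(lba, kind)].

    kind is 'mbr-backup' when the hit carries the same partition table as sector 0
    (the way a Bootkit stashes the original MBR), 'mbr' for any other MBR-like sector,
    and 'pe' for a PE-like sector.
    """
    sector0 = image[:SECTOR]
    parts = parse_partitions(sector0)
    hits = []
    for lba in range(1, len(image) // SECTOR):
        if any(start <= lba < start + count for start, count in parts):
            continue                        # inside a partition: not a hidden sector
        off = lba * SECTOR
        sector = image[off:off + SECTOR]
        if is_mbr_like(sector):
            same_table = sector[PART_TABLE_OFFSET:510] == sector0[PART_TABLE_OFFSET:510]
            hits.append((lba, "mbr-backup" if same_table else "mbr"))
        if is_pe_like(image[off:off + pe_window_sectors * SECTOR]):
            hits.append((lba, "pe"))
    return hits


def build_sample_image():
    """Constructed 64 KiB disk image (test data, not a real sample): sector 0 is an MBR with one
    partition at LBA 64..127, sector 7 holds a stashed copy of that MBR, sector 20 starts a
    minimal PE header, and everything else is zero."""
    image = bytearray(128 * SECTOR)
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xfa\x33\xc0"             # cli; xor ax,ax: a plausible start of boot code
    struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET, 0x80, 0x07, 64, 64)
    mbr[510:512] = MBR_SIGNATURE
    image[0:SECTOR] = mbr
    image[7 * SECTOR:8 * SECTOR] = mbr      # original MBR hidden in an unallocated sector
    pe = bytearray(2 * SECTOR)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)  # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    image[20 * SECTOR:22 * SECTOR] = pe
    return bytes(image)


if __name__ == "__main__":
    for lba, kind in scan_hidden_sectors(build_sample_image()):
        print(f"LBA {lba}: {kind}")
```

On a real disk the same routine would be fed the raw device contents (for example `open("/dev/sda", "rb")` on Linux, read in sector-sized chunks rather than all at once), and a hit in the gap before the first partition or after the last one is the signal worth investigating. A volume boot record also ends with 0x55AA, but it lives inside a partition and is therefore skipped by the hidden-sector filter; conversely, a PE whose headers straddle more than two sectors needs a larger `pe_window_sectors`.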
Keywords/Search Tags:Malicious code, Dynamic Detection, Pattern Matching, Static Detection