[Share] Windows Bootkits Guide

Original link: https://artemonsecurity.blogspot.com/2024/05/windows-bootkits-guide.html

Windows Bootkits Guide

The article has two main sections: an infographic and web links to research, samples and sources. In the infographic, the Year column gives the year the malware appeared or the year the information became public; the Infection column names the disk entity that is infected (Master Boot Record, UEFI, Volume Boot Record); the remaining columns give the detection names used by three security vendors and the purpose of the payload.
✨eEye BootRoot

eEye BootRoot: A Basis for Bootstrap-Based Windows Kernel Code

https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-soeder.pdf

Stealth MBR rootkit
http://www2.gmer.net/mbr/

✨Vboot Kit

https://www.blackhat.com/presentations/bh-europe-07/Kumar/Presentation/bh-eu-07-kumar-apr19.pdf

✨Mebroot (Sinowal, Maosboot)


Your computer is now stoned (...again!)

https://archive.f-secure.com/weblog/archives/Kasslin-Florio-VB2008.pdf

From Gromozon to Mebroot - A Reflection on Rootkits Today

https://web.archive.org/web/20131026083019/http:/www.prevx.com/blog/119/From-Gromozon-to-Mebroot--A-Reflection-on-Rootkits-Today.html

Post mortem report on the sinowal/nu_nl incident

https://blog.fox-it.com/2012/03/16/post-mortem-report-on-the-sinowallnu-nl-incident/

Sinowal: MBR rootkit never dies!

https://web.archive.org/web/20130705231427/http://www.saferbytes.it/2012/06/06/sinowal-mbr-rootkit-never-dies-and-it-always-brings-some-new-clever-features/

MBR Rootkit, A New Breed of Malware

https://archive.f-secure.com/weblog/archives/00001393

Bootkit: the challenge of 2008

https://securelist.com/bootkit-the-challenge-of-2008/36235/

A thread on km + samples

https://www.kernelmode.info/forum/viewtopicfa5a.html?f=16&t=543

✨Stoned Bootkit

https://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-SLIDES.pdf

Sources
https://github.com/zhuyue1314/stoned-UEFI-bootkit?search=1

✨Mebratix

A thread on km + samples

https://www.kernelmode.info/forum/viewtopic51bc.html?f=16&t=151

✨MBRLock

A thread on km + samples

https://www.kernelmode.info/forum/viewtopic227f.html?f=16&t=507

✨TDL 4 (Tdss, Alureon.DX, Olmarik)


Alureon: The First In The Wild 64-Bit Windows Rootkit

https://www.virusbulletin.com/uploads/pdf/conference_slides/2010/Johnson-VB2010.pdf

TDSS. TDL-4
https://securelist.com/tdss-tdl-4/36339/

TDL4 rebooted
https://www.welivesecurity.com/2011/10/18/tdl4-rebooted/

TDL4 reloaded: Purple Haze all in my brain

https://www.welivesecurity.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain/

The Evolution of TDL: Conquering x64

https://web-assets.esetstatic.com/wls/200x/white-papers/The_Evolution_of_TDL.pdf

Defeating x64: The Evolution of the TDL Rootkit

https://www.slideshare.net/matrosov/defeating-x64-the-evolution-of-the-tdl-rootkit

Tidserv 64-bit Goes Into Hiding

https://web.archive.org/web/20231210203758/https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=cbf67446-35cc-4957-b42b-0a8299d487af&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

Backdoor.Tidserv and x64
https://web.archive.org/web/20130519145126/http://www.symantec.com/connect/blogs/backdoortidserv-and-x64

A thread on km + samples

https://www.kernelmode.info/forum/viewtopicf210.html?f=16&t=19

✨MaxSS – TDL clone (Tdss, SST, Olmasco, Alureon.FE)


Olmasco bootkit: next circle of TDL4 evolution (or not?)

https://www.welivesecurity.com/2012/10/18/olmasco-bootkit-next-circle-of-tdl4-evolution-or-not-2/

TDSS Bootkit Spawns Clones

https://www.bitdefender.com/blog/labs/tdss-bootkit-spawns-clones/

A thread on km + samples

https://www.kernelmode.info/forum/viewtopicf0b4.html?f=16&t=596

✨PiXiEServ bootkit

https://j00ru.vexillium.org/2011/10/pixieserv-out-for-public/

https://www.kernelmode.info/forum/viewtopic3de0.html?f=11&t=2505

✨Mebromi (Bioskit, Wador)


Mebromi: the first BIOS rootkit in the wild

https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/

A thread on km + samples

https://www.kernelmode.info/forum/viewtopic1321.html?f=16&t=1125

✨Smitnyl

Analysis of MBR File System Infector

https://archive.f-secure.com/weblog/archives/00002101

A thread on km forum + samples

https://www.kernelmode.info/forum/viewtopicd975.html?f=16&t=750

Analysis of Smitnyl.A, the first hybrid bootkit and file infection

https://web.archive.org/web/20231003142928/https://sudonull.com/post/163414-Analysis-of-SmitnylA-the-first-hybrid-bootkit-and-file-infection

✨Popureb

MBR Confusion
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ebff36a-0740-415b-b820-f6e48b6af1e1&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

Don’t write it, read it instead!

https://www.techkings.org/threads/more-on-trojan-win32-popureb-dont-write-it-read-it-instead.26424/

Removing Popureb Doesn’t Require a Windows Reinstall

https://www.webroot.com/blog/2011/06/30/removing-popureb-doesnt-require-a-windows-reinstall/

POPUREB: Launchpad for Future Threats

https://www.trendmicro.com/vinfo/ae/threat-encyclopedia/web-attack/107/popureb-launchpad-for-future-threats

A thread on km + samples

https://www.kernelmode.info/forum/viewtopic75e3.html?f=16&t=968&start=0


✨Rovnix (Mayachok, Cidox, BKLoader)


Rovnix.D: the code injection story

https://www.welivesecurity.com/2012/07/27/rovnix-d-the-code-injection-story/

Rovnix bootkit framework updated

https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/

Rovnix Reloaded: new step of evolution

https://www.welivesecurity.com/2012/02/22/rovnix-reloaded-new-step-of-evolution/

Cybercriminals switch from MBR to NTFS

https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs/29117/

Hasta La Vista, Bootkit: Exploiting the VBR

https://www.welivesecurity.com/2011/08/23/hasta-la-vista-bootkit-exploiting-the-vbr/

Mayachok Hooks INT8 to Dodge Emulators

https://www.bitdefender.co.uk/blog/labs/mayachok-hooks-int8-to-dodge-emulators/

The evolution of Rovnix: Private TCP/IP stacks

https://blogs.iis.net/windowsserver/the-evolution-of-rovnix-private-tcp-ip-stacks

Cidox Trojan Spoofs HTTP Host Header to Avoid Detection

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cidox-trojan-spoofs-http-host-header-to-avoid-detection/

Rovnix new evolution
https://www.malwaretech.com/2014/05/rovnix-new-evolution.html

A thread on km + samples

https://www.kernelmode.info/forum/viewtopic5a58.html?f=16&t=981

✨Carberp

Evolution of Win32Carberp: going deeper

https://www.welivesecurity.com/2011/11/21/evolution-of-win32carberp-going-deeper/

Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon

https://web-assets.esetstatic.com/wls/200x/Carberp-Evolution-and-BlackHole-public.pdf

Sources
https://github.com/hryuk/Carberp/tree/master/source%20-%20absource/pro/all%20source/bootkit

A thread on km + samples

https://www.kernelmode.info/forum/viewtopicf82b.html?p=10206#p10206

✨XPAJ

XPAJ: Reversing a Windows x64 Bootkit

https://securelist.com/xpaj-reversing-a-windows-x64-bootkit/36563/

Xpaj - the bootkit edition

https://www.bitdefender.co.uk/blog/labs/xpaj-the-bootkit-edition/

A thread on km + samples

https://www.kernelmode.info/forum/viewtopic5ef8.html?f=21&t=2059

✨Yurn

Yurn trojan adds bootkit functionality

https://www.bitdefender.co.uk/blog/labs/yurn-trojan-adds-bootkit-functionality/

A thread on km
https://www.kernelmode.info/forum/viewtopic7df6.html?f=16&t=2083

✨Gapz

Trojan.Gapz.1 infecting Windows in a new manner

https://news.drweb.com/show/?i=2979&c=5&lng=en&p=0

Win32/Gapz: New Bootkit Technique

https://www.welivesecurity.com/2012/12/27/win32gapz-new-bootkit-technique/

Win32/Gapz: steps of evolution

https://www.welivesecurity.com/2012/12/27/win32gapz-steps-of-evolution/

Win32/Gapz family ring0 payload

https://inresearching.blogspot.com/2013/03/win32gapz-family-ring0-payload.html

A thread on km + samples

https://www.kernelmode.info/forum/viewtopicbc00.html?f=16&t=2306

✨Guntior

Guntior - the story of an advanced bootkit that doesn't rely on Windows disk drivers

https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e

Guntior Bootkit upgraded
https://zerosecurity.org/2013/06/guntior-bootkit-upgraded/

✨Whistler Bootkit

Whistler Bootkit Flies Under the Radar

https://www.bitdefender.co.uk/blog/labs/whistler-bootkit-flies-under-the-radar/

A thread on km + samples

https://www.kernelmode.info/forum/viewtopicfa77.html?f=16&t=2473

✨Halcbot

Bootkit that steals online game users’ account information

http://asec.ahnlab.com/328

Detailed analysis of Halcbot bootkit tampering with MBR

http://asec.ahnlab.com/5

A thread on km + samples

https://www.kernelmode.info/forum/viewtopicfa67.html?f=16&t=2514

✨Caphaw

Caphaw attacking major European banks using webinject plugin

https://www.welivesecurity.com/2013/02/25/caphaw-attacking-major-european-banks-with-webinject-plugin/

A thread on km + samples

https://www.kernelmode.info/forum/viewtopic3208.html?p=18527#p18527

✨Plite (PBBot, Gpb)

Plite Bootkit Spies on Gamers

https://www.bitdefender.co.uk/blog/labs/plite-rootkit-spies-on-gamers/

Trojan.GBPBoot.1 MBR infector

https://news.drweb.ru/show/?lng=ru&i=2927&c=9

A thread on km + samples

https://www.kernelmode.info/forum/viewtopic0fe5.html?f=16&t=1666

✨Simda

WinNT/Simda
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=WinNT/Simda&threatId=

Win32/Simda family ring0 payload

https://inresearching.blogspot.com/2013/07/win32simda-family-ring0-payload.html

A thread on km + samples

https://www.kernelmode.info/forum/viewtopice0b7.html?p=19755#p19755

✨Gootkit

BackDoor.Gootkit.112
https://vms.drweb.com/virus/?i=3771317

A thread on km + samples

https://www.kernelmode.info/forum/viewtopicabb9.html?f=16&t=3242

✨Sednit

En Route with Sednit: A Mysterious Downloader

https://web-assets.esetstatic.com/wls/2016/10/eset-sednit-part3.pdf

✨Pitou (Backboot)

Bootkits are not dead. Pitou is back!

https://www.tgsoft.it/news/news_archivio.asp?id=884

A thread on km + samples

https://www.kernelmode.info/forum/viewtopic0dc7.html?f=16&t=3667

✨Hacking Team Vector EDK

https://github.com/hackedteam/vector-edk

✨LoJax

LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group

https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

✨EfiGuard UEFI bootkit

https://github.com/Mattiwatti/EfiGuard

✨MosaicRegressor

MosaicRegressor: Lurking in the Shadows of UEFI

https://securelist.com/mosaicregressor/98849/

https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/10/07080558/MosaicRegressor_Technical-details.pdf

✨FinSpy (Finfisher)

FinSpy: unseen findings
https://securelist.com/finspy-unseen-findings/104322/

✨ESPecter

UEFI threats moving to the ESP: Introducing ESPecter bootkit

https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/

✨MoonBounce

MoonBounce: the dark side of UEFI firmware

https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/

A deeper UEFI dive into MoonBounce

https://www.binarly.io/blog/a-deeper-uefi-dive-into-moonbounce

✨BlackLotus

BlackLotus UEFI bootkit: Myth confirmed

https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/

BlackLotus bootkit
https://github.com/ldpreload/BlackLotus

The Untold Story of the BlackLotus UEFI Bootkit

https://www.binarly.io/blog/the-untold-story-of-the-blacklotus-uefi-bootkit

Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign

https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/

✨Glupteba

Diving Into Glupteba's UEFI Bootkit

https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/

✨Other

Modern bootkit trends: bypassing kernel-mode signing policy

https://www.virusbulletin.com/conference/vb2011/abstracts/modern-bootkit-trends-bypassing-kernel-mode-signing-policy/

Bootkits: past, present & future

https://www.virusbulletin.com/conference/vb2014/abstracts/bootkits-past-present-amp-future/

Exposing Bootkits with BIOS Emulation

https://www.blackhat.com/docs/us-14/materials/us-14-Haukli-Exposing-Bootkits-With-BIOS-Emulation-WP.pdf

Attacks before system startup

https://securelist.com/attacks-before-system-startup/63725/

UEFI Firmware Rootkits: Myths and Reality

https://www.blackhat.com/docs/asia-17/materials/asia-17-Matrosov-The-UEFI-Firmware-Rootkits-Myths-And-Reality.pdf

Detecting UEFI Bootkits in the Wild

https://blogs.vmware.com/security/2021/06/detecting-uefi-bootkits-in-the-wild-part-1.html

MosaicRegressor: Lurking in the Shadows of UEFI

https://securelist.com/mosaicregressor/98849/

Trickbot Now Offers «TrickBoot»: Persist, Brick, Profit

https://eclypsium.com/wp-content/uploads/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf

DreamBoot UEFI bootkit
https://github.com/quarkslab/dreamboot

The Chinese bootkit
https://securelist.com/the-chinese-bootkit/29653/


Bootkit Threat Evolution in 2011

https://www.welivesecurity.com/2012/01/03/bootkit-threat-evolution-in-2011-2/
posted @ 2024-05-17 17:08 DirWangK