Malware Win32/Gapz - New Bootkit Technique
ESET Security highlights a new bootkit called Gapz, which uses sophisticated techniques to infect and hide in vulnerable systems:
QUOTE: This new bootkit technique allows the malware to execute its code before the OS loader receives control, using only a few modifications to the VBR (highlighted as “BIOS Parameter Block modification” in the figure above). This brand new technology was seen for the first time in the latest modification of the Win32/Gapz bootkit. (You can read about its sophisticated dropper in a recently published blog The latest modification of the Win32/Gapz bootkit infects the VBR of the active partition. What is remarkable about this technique is that only a few bytes of the original VBR are affected. This makes the threat stealthier. The essence of this approach is that Win32/Gapz modifies the “Hidden Sectors” field of the VBR while all the other data and code of the VBR and IPL remain untouched.