55 research outputs found

    "Nice Boots" - A Large-Scale Analysis of Bootkits and New Ways to Stop Them

    No full text
    Abstract. Bootkits are among the most advanced and persistent technologies used in modern malware. For a deeper insight into their behavior, we conducted the first large-scale analysis of bootkit technology, covering 2,424 bootkit samples on Windows 7 and XP over the past 8 years. From the analysis, we derive a core set of fundamental properties that hold for all bootkits on these systems and result in abnormalities during the system’s boot process. Based on those abnormalities we developed heuristics allowing us to detect bootkit infections. Moreover, by judiciously blocking the bootkit’s infection and persistence vector, we can prevent bootkit infections in the first place. Furthermore, we present a survey on their evolution and describe how bootkits can evolve in the future.

    Slick: An Intrusion Detection System for Virtualized Storage Devices

    No full text