The resurrection of master boot record (MBR) infection techniques has been common for a while now.
Why? Mainly to bypass security mechanisms such as Windows PatchGuard and kernel driver signing which were introduced in Windows Vista and later.
Families of malware that use this technique are called bootkits. TDL and Sinowal were the first widespread, sophisticated threats to adopt bootkit infection techniques.
Copycats and variations followed, ranging from those that completely overwrite the MBR with a malicious loader to ones that manipulate values to alter loading offsets to hijack the boot process.
One bootkit that has been out for a while now is the Chinese bootkit Guntior.
Droppers have been around since at least 2010 and are still seen in the wild.
Detailed analyses of some versions have already been completed on some online forums and blogs, so we won't repeat that; instead we will discuss an interesting technique employed by the bootkit's dropper.
Read more: http://nakedsecurity.sophos.com/2013/06/12/guntior-bootkit-up-to-new-tricks/
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
