XPAJ: reversing a Windows x64 bootkit

From Botnets.fr
Revision as of 19:07, 7 February 2015 by Eric.freyssinet (Text replacement - " www.securelist.com" to "")


Botnet: Xpaj
Malware: Xpaj (bot), TDL-4 (bot)
Date: 2012 / June 19, 2012
Editor/Conference: Kaspersky Lab
Link: https://www.securelist.com/en/analysis/204792235/XPAJ_Reversing_a_Windows_x64_Bootkit
Author: Vyacheslav Rusakov

Abstract

Introduction

The number of bootkits is steadily growing. All kinds of new bootkits are appearing: sophisticated and simple, serving different purposes (such as rootkits or ransomware Trojans). Malware writers are not above analyzing their competitors’ malicious code.

It is not easy to impress a malware expert with a new bootkit nowadays: boot-record infections have been studied sufficiently in-depth and plenty of information on the subject can be found online. However, this time we have come across an interesting specimen: the Xpaj file infector, complete with bootkit functionality and able to run both under Windows x86 and Windows x64. What makes it stand out is that it successfully runs on Windows x64 with PatchGuard enabled, using splicing in the kernel to protect the infected boot record from being read or modified.

In this paper, I analyze the rootkit’s operation under Windows 7 x64. It is not worth analyzing the rootkit’s operation under Windows x86, since the malware uses more or less the same algorithm in both operating system versions.

Bibtex

 @misc{2012BFR1049,
   editor = {Kaspersky lab},
   author = {Vyacheslav Rusakov},
   title = {XPAJ: reversing a Windows x64 bootkit},
   date = {19},
   month = Jun,
   year = {2012},
   howpublished = {\url{https://www.securelist.com/en/analysis/204792235/XPAJ_Reversing_a_Windows_x64_Bootkit}},
 }