That Damned Whistler Bootkit

Worse than a 404 error or a “Wireless Network Not Found” notification, more horrifying than any Trojan or worm (short of CryptoLocker), more confounding and infuriating than any popup ad, reappearing toolbar or spyware… your computer has a problem.  It’s infected with something, and it’s a bootkit.

“What’s a bootkit?  You mean rootkit, right?”  No, it’s a bootkit, and here’s the difference:  a rootkit is subversive, usually malicious, code designed to evade detection and removal.  Typically, a rootkit will entrench itself in the Windows registry or attach itself to the Windows or Linux kernel.  Modern rootkits can steal passwords and files, make your computer a spam-bot or transparently log your keystrokes.  There are legitimate uses for rootkits, but most of these are “legitimate” in the same way flamethrowers are “legal” in most states.  Rootkits are detected and removed by most consumer-grade antivirus and antispyware programs; free removal tools include Malwarebytes’ Anti-Malware and AVG Anti-Rootkit Free.

A bootkit is similar in what it does but far more difficult to detect and remove.  A bootkit resides in the master boot record of your hard drive, executing code before any user is logged in and before your antivirus is active.  These processes are invisible to your operating system and antivirus, and can run with administrative permissions on any NT-based machine, even in safe mode, even on 64-bit machines.  Scary, huh?

There are a few fairly reliable signs of bootkit activity I’ve come across that don’t require a utility (this assumes, of course, that you have already resolved the mouse chatter, screen flicker, pop-ups and browser redirects):

  • Random music or internet commercials play – and iexplore.exe respawns in Task Manager without a parent window. 
  • Network connections intermittently lock up for a few seconds at a time, booting network users from network drives, applications or printers.
  • Blue- or black-screen startups even though your antivirus, antimalware and Scandisk reveal no errors; Event Viewer logs are a dead end; your errors seem tied to power supply, video or network drivers and you’re sure your hardware is fine.
  • After your antivirus does remove a stubborn infection, your machine fails to boot with messages such as “Missing Operating System” or “Primary Boot Drive Not Detected”.

So how do you remove a bootkit?  There are some third-party utilities to detect and remove bootkits, but I’ve had mixed success with them.  MBRCheck is very effective at detecting an infected MBR, but when the MBR has to be replaced the most straightforward method is the command prompt:  you need to write yourself a new MBR.
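As an added illustration (not the blog’s own code, and not how MBRCheck is implemented), the script below does the kind of check MBRCheck performs: it hashes the boot-code bytes of a 512-byte MBR sector against a hash recorded on a known-clean machine and sanity-checks the partition table. The sample sectors are constructed inline; on a real system you would read sector 0 of the disk, which needs administrative rights.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"        # mandatory boot signature at bytes 510..511

def build_mbr(boot_code, partitions):
    """Assemble a synthetic MBR sector (constructed sample, not a real disk)."""
    body = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                    ptype, b"\0\0\0", start, size)
        for bootable, ptype, start, size in partitions
    ).ljust(64, b"\x00")
    return body + table + SIGNATURE

def baseline_hash(mbr):
    """SHA-256 of the boot-code region only; record this on a known-clean machine."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()

def check_mbr(mbr, known_good):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(mbr) != SECTOR:
        return ["unexpected sector length %d" % len(mbr)]
    if mbr[510:512] != SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if baseline_hash(mbr) != known_good:
        findings.append("boot code differs from known-good baseline")
    bootable = 0
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        flag, ptype = mbr[off], mbr[off + 4]
        start = struct.unpack_from("<I", mbr, off + 8)[0]
        if flag not in (0x00, 0x80):
            findings.append("partition %d has invalid boot flag 0x%02x" % (i, flag))
        bootable += flag == 0x80
        if ptype and start == 0:
            findings.append("partition %d claims to start in the MBR sector" % i)
    if bootable > 1:
        findings.append("more than one partition flagged bootable")
    return findings

# Constructed samples: a clean MBR, and a copy whose boot code was replaced while
# the partition table was left intact, which is what a boot-sector infection looks like.
PARTS = [(True, 0x07, 63, 204800), (False, 0x07, 204863, 1024000)]
CLEAN_MBR = build_mbr(b"CONSTRUCTED-CLEAN-BOOT-CODE", PARTS)
KNOWN_GOOD = baseline_hash(CLEAN_MBR)
TAMPERED_MBR = build_mbr(b"CONSTRUCTED-FOREIGN-BOOT-CODE", PARTS)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, KNOWN_GOOD) or ["OK"])
```

The hash covers only the boot code, so a legitimate partition-table change (resizing a volume) does not trip it, while a replaced boot sector does.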

How to write yourself a new MBR in XP, Vista or 7… coming soon.