 #20337  by EP_X0FF
 Fri Aug 02, 2013 3:00 am
http://eugene.kaspersky.com/2013/08/01/ ... -bootkits/

After you filter out all the marketing BS in this article, take a look at the end of it. Cool table with invasive, scary, super-duper advanced bootkits fucking up all AVs, except of course Kaspersky. In case the editors fix this fuckup, it is screenshotted.
[Attachment: fckup.png]
We have here:

TDL (1 version), cool story bro. Died at the beginning of 2009 and never had any bootkit capabilities.
Sinowal, another cool story. Died in development even before the Windows 7 release. Used by a small private group of people and based on source code from 2008.
TDL2, the cool story continues. Replaced by TDL3 at the end of 2009 and never had any bootkit capabilities.
TDL3, no comments. Died in 2010, replaced by TDL4, which is the bootkit version of TDL3.
Pihar/SST - finally, somewhat modern bootkits! Both are forks of TDL4. SST has a non-bootkit version. Currently used by a small group of people. Can be removed in a few seconds even without AV.
ZeroAccess - lolwut???
Cidox - exists as a user-mode backdoor and a bootkit powered by BkLoader.

Fairy tales about the NSA/CIA/Stuxnet and other APT crap, they work out much better than the stories about real malware.

The fun part of this: for every real bootkit item in this table (there are only 2), you don't need a paid AV to remove it. Deal with it, Eugene, saviour of the world.

Results in this table are provided by the recent comparative test http://www.anti-malware-test.com/test-r ... _Test_2012, made on a Kaspersky-sponsored portal, which they specially created in 2006 as a Russian av-comparatives analogue. Their tests are known to be very doubtful and sometimes ridiculous, like it was in 2011 with http://www.anti-malware.ru/malware_treatment_test_2011, when they were forced to completely revise the results after it was discovered that their results were incorrect in many positions.

Note about ZeroAccess: they only added it to the test when their patron's solution was able to deal with it. Later in 2010 and 2011 (when it was actively establishing a botnet powered by the rootkit variant), they were always against testing it, with all kinds of excuses - ZeroAccess is dead (and we are talking about testing with TDL1, yeah), it kills our AVs, etc., while even at that time there was a friendly version of it. All because if it were tested, there would be no 100% result for Kaspersky in the final results table. Do you still trust them? :)

This article should be named "The phantom of the marketing bootkits".