What is a boot kit?

Every computer must "boot" or "boot up" when it is turned on. The hardware is activated, the operating system is loaded and other processes are executed so that everything is ready for use. If cybercriminals manage to hook into this process with malware, the tools used are called “bootkits”. How this works, how you can get this malware and what helps against it, you can read in this guide.

How is a bootkit defined?

A bootkit is a special type of malware that aims to manipulate a computer's boot process. The term "boot" refers to the process of booting the computer and loading the operating system. The malware is referred to as a "kit" because it is made up of several tools that infect different locations and processes. 

A boot kit is able to modify the normal boot process by anchoring itself in the core components of the operating system or the BIOS (Basic Input Output System) or UEFI (Unified Extensible Firmware Interface). This gives it privileged access and allows it to penetrate deep into the system without being detected by the protection mechanisms or anti-malware apps that are loaded after it.

Similarities to the rootkit

Depending on the source used, bootkits are described as a mixture of so-called boot sector viruses and rootkits. A rootkit is a malware toolkit that is used to gain admin rights. A rootkit enables hackers to gain administrative access to a computer, network or server. So the bootkit can be seen as a more serious and extensive subcategory of the rootkit. More about this here: What is a rootkit?

How is a bootkit used by criminals?

Criminals can use bootkits to gain unauthorized access to computers and perform various covert activities. Some common uses or targets of bootkits include the following:

• stealth operations: Bootkits have the ability to hide deep in the system and evade anti-malware tools. As a result, attackers can remain undetected for a longer period of time and continue their measures (Monitoring, inject more malware, Cryptojacking, etc.).
• Data theft: By sneaking in via the boot process and bypassing protection mechanisms, criminals can gain full access to the computer and thereby steal sensitive information such as files, documents, passwords, bank details, contact details and other information from infected computers.
• Remote control: A bootkit can allow cybercriminals to remotely control the infected computer. This allows them to install additional malware unnoticed, remove the contents of the hard drive and embed the computer in a botnet. As part of a bot network, the computer can then DDoS attack be used.

How does the bootkit get on the computer?

As with almost any malware, there are different ways that a bootkit can get onto the computer, onto the server or into a network. Here are a few things to watch out for, if possible:

• By means of security gaps in the operating system or in individual apps (Feat)
• About downloads from dubious sources (questionable files, "cracked" apps)
• Attachments in questionable emails, downloads from websites linked in emails
• Drive-by downloads when visiting compromised websites
• Infected data carriers such as USB sticks, hard drives or network devices

How to protect yourself from a bootkit?

As with the routes of infection, there are also answers to the protective measures that have already been mentioned for other malware. So to protect yourself from bootkits, you can consider the following points:

• Provide the operating system and individual apps with the latest updates to close possible security gaps (and thus gateways for cybercriminals).
• Do not open links and attachments from questionable emails; in the case of strange e-mails from known contacts, it is better to use other communication channels to find out whether the e-mail really came from them.
• Only download software from trustworthy sources (developer websites, App Store, etc.) and not from dubious portals with strange "installation guides".
• If possible, the security measures of the computer such as firewalls, the macOS Gatekeeper and similar leave activated.
• Ignore scam emails and calls, and don't download software that purports to solve banking or cloud problems. Do not allow yourself to be misled into foolish actions by artificially created haste (example: fake iCloud mail).

Infected with bootkit: how to clean the computer?

If you have determined that your computer is infected, or at least that it is behaving abnormally, and you now want to remove the bootkit (or delete other malware), then there are various possible solutions. A sign of infection can be, for example, that the computer takes an unusually long time to start up. Other signs are changing or flickering displays when booting, a high system load immediately after logging in and the like. With Little Snitch you can see if there is any conspicuous network activity.

First, you can use the anti-malware mechanisms implemented in the system or additionally installed. You can do this on a Mac CleanMyMac X or Malwarebytes use to locate and delete malware on a per-system basis. However, as already mentioned above, you will probably not recognize the bootkit itself, but only malware that has been downloaded from it, which may be replaced after removal. More serious measures are needed to remove deeper-seated malware.

On the one hand, you can completely reinstall the operating system. Before that, it makes sense to completely erase the hard drive, which you can do with an operating system that you start from a USB stick or DVD. You use this to access the computer, delete its hard drive(s) and then reinstall the operating system - on the Mac, for example, B. via Internet recovery to use a new, clean macOS loaded directly from the Apple servers.

On the other hand, if this is possible on your computer, you can exchange the hard drive or the SSD storage bar for a new model. This is especially possible on Windows PCs and many Windows laptops. It looks more difficult on the Apple Mac and especially on the MacBook. Here you can get the help you need with the Sadaghian workshop Requests. In any case, you should check which usage error led to the infection so that you don't repeat it with the fresh hard drive.

In any case, it is of course an advantage if you have a backup of your data at hand that was created before the malware infection. This is because some root and boot kits, as well as various other malicious software, can establish themselves in different locations and re-download the removed components from there. Therefore, backing up the data after infection is not the safest option if you want to fill the deleted / replaced and newly populated hard drive with your individual content. 

Conclusion on the topic of boot kit

Bootkit is one of the most dangerous and stubborn types of malware. It interferes with the boot process of a computer and thus enables the attackers to anchor their malware deep in the system. It is important to be aware of the threat and practice safe computer usage practices to protect yourself from it and other types of malware. By keeping the operating system and apps up to date, enabling security mechanisms and being careful when dealing with e-mails and the web, you can generally protect your computer very well against malware attacks. Bootkit infections need more severe measures to fix than other malware.

Johannes Domke

[On vacation] After graduating from high school, Johannes completed training as a business assistant specializing in foreign languages. But then he decided to research and write, which led to his independence. He has been working for Sir Apfelot, among others, for several years now. His articles include product introductions, news, instructions, video games, consoles and much more. He follows Apple keynotes live via stream.