Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Are GPT bootkits reality?

  • Please log in to reply
2 replies to this topic

#1 cunikcz


  • Members
  • 34 posts
  • Local time:07:33 AM

Posted 30 December 2017 - 06:58 PM

Hi, I've searching information about GPT rootkits but I don't find anything mention about GPT rootkits. Do they really exist? And I can read  article about bootsector on Wikipedia  and I don't understand this word " IBM PC compatible". The bootsector use only in IBM computers?


Sorry for my English


Happy New Year for all on bleeping computer 

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,047 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:33 AM

Posted 04 January 2018 - 08:10 AM

GUID Partition Table (GPT)


...is a standard for the layout of the partition table on a physical storage device used in a desktop or server PC, such as a hard disk drive or solid-state drive, using globally unique identifiers (GUID). Although it forms a part of the Unified Extensible Firmware Interface (UEFI) standard (Unified EFI Forum proposed replacement for the PC BIOS), it is also used on some BIOS systems because of the limitations of master boot record (MBR) partition tables, which use 32 bits for storing logical block addresses (LBA) and size information on a traditionally 512-byte disk sector.


Bios/UEFI (firmware) virus's exist but are very rare. Researchers have demonstrated in a test environment proof of concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of some systems so that it could survive a reformat and reinfected a clean disk. This type of malware exists primarily in-the-wild and is not generic...meaning it's vendor specific and cannot modify all types of BIOS. Although in February 2015, Kaspersky Labs reported "persistent, invisible espionage malware inside the firmware of hard drives compatible with nearly all major hard drive brands: Seagate, Western Digital, Samsung". This particular threat targeted government and military institutions, telecom and energy companies, nuclear research facilities, oil companies, encryption software developers, and media outlets.

These are comments by Aryeh Goretsky, security researcher and author at WeLiveSecurity.

Most of the malware we see involving the Master Boot Record these days is in the form of bootkits, which is a specialized kind of rootkit that attacks the Master Boot Record or the Volume Boot Record which follows it on a disk. It is rare to see an actual MBR virus these days, although the vector is making a comeback for other attacks, mostly to get around things like code-signing under 64-bit versions of Microsoft Windows. A GPT actually starts with a Master Boot Record for legacy compatibility, so an attacker would probably just need to make sure they took the GPT's presence into consideration, so as not to accidentally overwrite any of it. I suppose an attacker could also create a new partition via the GPT in order to store attack code that they did not want to store on the other partition(s) on the computer.

Would there possibly be GPT virus in the near future?

These are comments from my Security Colleague, Elise who works with the Emsisoft Anti-Malware Research Team.

Firmware is typically a small piece of software coded directly into a device (for example a video card or DVD writer) necessary for the device to function correctly. This code is highly device-dependent, different manufacturers and different models all require specific firmware. For that reason a firmware infection is not only highly unlikely but also very impractical for a malware writer. Someone who wants to create a successful infection not only needs to make sure the malware stays on the system (by making it harder to detect and delete), but also that it is distributed on a large scale. Deploying a firmware rootkit on a large scale is close to impossible as you'd have to write a lot of different versions for different hardware models.

UEFI (Unified Extensible Firmware Interface) was introduced as a replacement for traditional BIOS in order to standardize computer firmware through a reference specification. However, there are several companies that develop UEFI firmware and there can be significant differences between the implementations used by computer manufactures. These articles explain the complexity of the UEFI, secure boot protocol and exploitation.

Fortunately, it's highly unlikely you will encounter a BIOS-level scenario as it is not practical for cyber-criminals to use such an exploit on a grand scale. Malware writers would much rather target a large audience through social engineering where they can use sophisticated but less technical means than a BIOS virus.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 cunikcz

  • Topic Starter

  • Members
  • 34 posts
  • Local time:07:33 AM

Posted 06 January 2018 - 12:18 PM

Ok, thank you for reply. We say GPT rootkits doesn't exist in wild. Respectively doesn't exist correct malware sample in GPT. Firmware malware too (Stuxnet is exception). UEFI malware exist only at proof of concept. CIH run only under Windows 95 and Mebromi overwrite only BIOS. Not UEFI.


Is my thinking correct? 

Edited by cunikcz, 06 January 2018 - 12:33 PM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users