Kaspersky Lab has patented technology capable of detecting surreptitious bootkit activity and implementing the appropriate security measures. The technology is designed to address one of today’s most dangerous computer threats – bootkits that run on the system without the user’s knowledge by loading before the operating system and antivirus applications.
Russian patent No. 2472215 issued to Kaspersky Lab describes a method for identifying unknown malware by emulating a computer’s startup process. If any suspicious changes to the Master Boot Record (MBR) are detected, the technology collects data from those sectors of the disk that are involved in the startup process, puts the data in a special container which saves the disk’s physical parameters for accurate emulation and then sends the container to Kaspersky Lab for analysis. The company’s experts reproduce the computer’s startup process, analyse the contents of the container and, if an unknown threat is detected, create signatures for the threat, extract the original boot record from the data in the container in order to recover the system and take any other measures necessary to block the bootkit.
In addition, the newly-patented technology effectively prevents attempts to overwrite the MBR by intercepting all access attempts and by scanning the hard drive using known threat signatures. If any suspicious activity is detected, the technology blocks MBR access and the malicious file or data is deleted or quarantined. Thus, the technology developed by Kaspersky Lab not only quickly and reliably cleans bootkit-infected computers but prevents possible future infections as well.