
Kaspersky Lab patents technology that detects and removes bootkits

Kaspersky Lab has patented technology capable of detecting surreptitious bootkit activity and implementing the appropriate security measures

The technology is designed to address one of today’s most dangerous computer threats – bootkits that run on the system without the user’s knowledge by loading before the operating system and antivirus applications.
Russian patent No. 2472215 issued to Kaspersky Lab describes a method for identifying unknown malware by emulating a computer’s startup process. If any suspicious changes to the Master Boot Record (MBR) are detected, the technology collects data from those sectors of the disk that are involved in the startup process, puts the data in a special container which saves the disk’s physical parameters for accurate emulation and then sends the container to Kaspersky Lab for analysis. The company’s experts reproduce the computer’s startup process, analyze the contents of the container and, if an unknown threat is detected, create signatures for the threat, extract the original boot record from the data in the container in order to recover the system and take any other measures necessary to block the bootkit.
In addition, the newly-patented technology effectively prevents attempts to overwrite the MBR by intercepting all access attempts and by scanning the hard drive using known threat signatures. If any suspicious activity is detected, the technology blocks MBR access and the malicious file or data is deleted or quarantined. Thus, the technology developed by Kaspersky Lab not only quickly and reliably cleans bootkit-infected computers but prevents possible future infections as well.
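As an added illustration of the kind of check described above (this is example code written for this page, not Kaspersky Lab's patented implementation), the following Python script parses a 512-byte MBR, hashes the boot-code region separately from the partition table, compares both against a trusted baseline, and packages the startup sectors together with the disk geometry into a simple container. All MBR images are constructed in memory; the sample boot-code bytes, partition layout and the `build_container` format are assumptions made here for the example.

```python
"""Detect changes to a Master Boot Record (MBR) against a trusted baseline.

Added illustration; not Kaspersky Lab's patented code. The sample MBR
images below are constructed in memory, not read from a real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512            # classic MBR disks use 512-byte sectors
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code: bytes, partitions: list[dict]) -> bytes:
    """Assemble a 512-byte MBR image (used here only to construct sample input)."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    table = b"".join(
        struct.pack(PART_ENTRY_FMT, p["status"], b"\0\0\0", p["type"], b"\0\0\0",
                    p["lba_start"], p["sectors"])
        for p in partitions
    ).ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into a boot-code hash and the non-empty partition entries."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_LEN])
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline: dict) -> list[str]:
    """Return findings where the current MBR differs from the trusted baseline."""
    current = parse_mbr(mbr)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_container(disk: bytes, sector_size: int, sector_lbas: list[int]) -> dict:
    """Package the startup sectors with the disk geometry so they can be
    replayed elsewhere (a simplified, assumed stand-in for the 'container' idea)."""
    sectors = {}
    for lba in sector_lbas:
        chunk = disk[lba * sector_size:(lba + 1) * sector_size]
        if len(chunk) != sector_size:
            raise ValueError(f"sector {lba} lies beyond the end of the disk image")
        sectors[lba] = chunk
    return {
        "sector_size": sector_size,
        "total_sectors": len(disk) // sector_size,
        "sectors": sectors,
        "sha256": hashlib.sha256(b"".join(sectors[k] for k in sorted(sectors))).hexdigest(),
    }


# --- constructed sample data (not from any real system) ---
PARTITIONS = [{"status": 0x80, "type": 0x07, "lba_start": 2048, "sectors": 204800}]
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64  # constructed stub
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)

# Same partition table, but the boot code differs: an infection that replaces
# the boot code must keep the table intact so the system still starts.
TAMPERED_MBR = build_mbr(b"\x00" + CLEAN_BOOT_CODE[1:], PARTITIONS)

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))        # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))  # ['boot code changed']
    disk = CLEAN_MBR + b"\x00" * (SECTOR_SIZE * 3)
    c = build_container(disk, SECTOR_SIZE, [0, 1])
    print("container holds", len(c["sectors"]), "of", c["total_sectors"], "sectors")
```

Hashing the boot code and the partition table separately matters: a legitimate repartitioning changes only the table, whereas a boot-code change with an unchanged table is the pattern worth escalating. The container records the sector size and total sector count alongside the raw sectors so that whoever receives it can lay the sectors out at the same offsets the firmware would read them from.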
"It took our company just over a year to patent a unique bootkit detection technology. During that period Kaspersky Lab included the technology in many of its consumer and corporate products, enhancing the protection offered by them. Specifically, the technology that we have just patented is responsible for the very high scores we have achieved in tests organized by the AV-Test research lab that evaluate the detection and removal of hidden malware," said Nikita Shvetsov, Vice-President Threat Research at Kaspersky Lab.

Authors

KASPERSKY INFO SYSTEMS SRL