Kaspersky Lab patents technology that detects and removes bootkits
05 Feb 2013
Kaspersky Lab has patented technology capable of detecting surreptitious bootkit activity and implementing the appropriate security measures. The technology is designed to address one of today’s most dangerous computer threats – bootkits that run on the system without the user’s knowledge by loading before the operating system and antivirus applications.
- The new patent describes a technology that identifies unknown malware by emulating the computer’s startup process
- The technology is successfully used in Kaspersky Lab products, such as Kaspersky Internet Security 2013, Kaspersky Endpoint Security 8 for Windows, and Kaspersky PURE 2.0
- The authors of the technology are Kaspersky Lab experts Yury Parshin and Vladislav Pintiysky
- Kaspersky Lab’s Russian patent portfolio includes 66 patents. All in all, the company has 128 patents issued in the US, Russia, China and European countries
Russian patent No. 2472215 issued to Kaspersky Lab describes a method for identifying unknown malware by emulating a computer’s startup process. If any suspicious changes to the Master Boot Record (MBR) are detected, the technology collects data from those sectors of the disk that are involved in the startup process, puts the data in a special container which saves the disk’s physical parameters for accurate emulation and then sends the container to Kaspersky Lab for analysis. The company’s experts reproduce the computer’s startup process, analyze the contents of the container and, if an unknown threat is detected, create signatures for the threat, extract the original boot record from the data in the container in order to recover the system and take any other measures necessary to block the bootkit.
In addition, the newly-patented technology effectively prevents attempts to overwrite the MBR by intercepting all access attempts and by scanning the hard drive using known threat signatures. If any suspicious activity is detected, the technology blocks MBR access and the malicious file or data is deleted or quarantined. Thus, the technology developed by Kaspersky Lab not only quickly and reliably cleans bootkit-infected computers but prevents possible future infections as well.
Nikita Shvetsov, Vice-President Threat Research
"It took our company just over a year to patent a unique bootkit detection technology. During that period Kaspersky Lab included the technology in many of its consumer and corporate products, enhancing the protection offered by them. Specifically, the technology that we have just patented is responsible for the very high scores we have achieved in tests organized by the AV-Test research lab that evaluate the detection and removal of hidden malware."