HDRoot Bootkit
Posted: October 7, 2015
Threat Metric
The fields shown on the Threat Meter are explained below:
Threat Level: The scale runs from 1 (lowest severity) to 10 (highest severity). Each level reflects the threat's consistently assessed behaviors as collected by SpyHunter's risk assessment model.
Detection Count: The total number of confirmed and suspected cases of a particular threat, calculated from the infected PCs reported in SpyHunter diagnostic and scan logs.
Volume Count: Like the detection count, but based on the number of confirmed and suspected infections seen per day. A high volume count usually marks a currently active threat, but it does not necessarily mean that many systems are infected; a threat with a high detection count may lie dormant and show a low volume count.
Trend Path: An up arrow, a down arrow or an equals sign showing the threat's recent movement: an increase, a decline or no change.
% Impact (Last 7 Days): The change over the past seven days in how frequently the threat has been infecting PCs. It corresponds to the current Trend Path and gives the size of the rise or decline.
| Threat Level: | 9/10 |
|---|---|
| Infected PCs: | 841 |
| First Seen: | October 7, 2015 |
| Last Seen: | August 24, 2022 |
| OS(es) Affected: | Windows |
The HDRoot Bootkit is a high-severity threat built to give third parties persistent network access to an infected PC. So far it has been deployed only by the Winnti group, a set of attackers known for campaigns against software publishers and, in particular, gaming companies. Because the HDRoot Bootkit is actively updated to evade standard anti-malware detection, update your security software before scanning a computer in an attempt to remove the HDRoot Bootkit from the compromised system.
Getting to the Root of an Old Winnti Problem Resurfaced
The HDRoot Bootkit is a boot-stage rootkit derived from HDD Rootkit, a piece of malware seen as long ago as 2006. Since its predecessor may predate the Winnti group itself, some PC security experts speculate that the attackers rent or purchase threats from third-party sources. Whatever the origins of the HDRoot Bootkit, it is one of the latest threats from a group whose calling card is attacking the security of software businesses.
Although some Winnti threats include drastic features, such as the hard drive wipe of Trojan.Win32.KillWin.sp, the HDRoot Bootkit is deployed with more subtle goals in mind. It shows no visible symptoms to a casual PC user and gives third parties remote access to the infected PC through one of two methods:
- It may run its backdoor under the guise of svchost.exe. Svchost.exe is a common background component of Windows, normally present in many instances at once, so a rogue instance is easily overlooked when a user inspects running processes manually.
- A second backdoor variant loads its functions directly into memory instead. Common PC security solutions have had more difficulty detecting this variant than the relatively common svchost.exe disguise.
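As an added host-triage example (not code from the original page or from the Winnti tooling it describes), the following PowerShell checks each running svchost.exe against what a legitimate instance looks like: image path under System32, a Microsoft signature, services.exe as parent and a `-k <group>` argument. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11; the function name is my own.

```powershell
# Added host-triage example; it is not code from the original page or from the
# Winnti tooling it describes. Assumptions: Windows 10/11, PowerShell 5.1 or
# later, run from an elevated prompt so every process's image path and command
# line are readable. A legitimate svchost.exe lives in %SystemRoot%\System32,
# is Microsoft-signed, is started by services.exe and carries a "-k <group>"
# argument. Anything that deviates is reported for a human to follow up; it is
# not declared to be HDRoot.

function Get-SuspiciousSvchost {
    $expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

    # Snapshot every process once so each svchost's parent can be resolved by PID.
    # (PID reuse can mislead this lookup on a long-running host; treat it as a hint.)
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($proc in $all) { $byPid[[int]$proc.ProcessId] = $proc }

    foreach ($p in ($all | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $reasons = New-Object System.Collections.Generic.List[string]
        $path    = $p.ExecutablePath

        if (-not $path) {
            $reasons.Add('image path unreadable (not elevated, or process already exited)')
        } elseif ($path -ine $expectedPath) {
            $reasons.Add("unexpected image path: $path")
        } else {
            # Get-AuthenticodeSignature also honours catalog signatures, which is
            # how the in-box svchost.exe is signed.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons.Add("signature check failed: $($sig.Status)")
            }
        }

        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = $null
        if (-not $parent) {
            $reasons.Add("parent PID $($p.ParentProcessId) is not running")
        } else {
            $parentName = $parent.Name
            if ($parentName -ine 'services.exe') {
                $reasons.Add("parent is $parentName, not services.exe")
            }
        }

        if (-not $p.CommandLine -or $p.CommandLine -notmatch '\s-k\s') {
            $reasons.Add("command line lacks a -k service group: $($p.CommandLine)")
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId = $p.ProcessId
                Path      = $path
                Parent    = $parentName
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Usage: list the suspicious instances, then examine them with a memory-capable
# tool; a clean list does not rule out the in-memory variant described above.
Get-SuspiciousSvchost | Format-Table -AutoSize
```

A clean result only says that no svchost.exe instance looks wrong from the outside; the second, memory-only variant leaves no rogue process image to find this way, which is why the page notes it is harder to detect.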
A backdoor like this could serve any purpose, but Winnti has a consistent history of targeting gaming companies to collect information. In some cases, systems compromised by the group have later had their hard drives wiped or otherwise damaged.
Severing the Root of Another Spyware Campaign
Winnti is a seasoned group that has been operating since at least 2009. Accordingly, the HDRoot Bootkit takes steps to protect itself, particularly during its initial install routine. However, it also may block critical Windows services, such as Windows Update. Such interference, while seriously degrading the security of an infected system, also can let PC owners spot a possible HDRoot Bootkit infection before long-term damage occurs.
The HDRoot Bootkit, like all bootkits, loads during the PC's boot routine, and it does not appear as a normally installed program. Winnti also is believed to be developing new versions of the HDRoot Bootkit to counter responses from major anti-malware vendors. Removal of an HDRoot Bootkit should be left to your installed anti-malware tools whenever possible, keeping in mind that out-of-date software may be less able to identify or delete this threat.
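An added example, not from the original page, for the two observable tells in the last two paragraphs: a Windows Update service that has been disabled, and boot code that has changed since a known-good baseline. It assumes an elevated PowerShell 5.1 or later session on Windows; the device path `\\.\PhysicalDrive0`, the baseline file location and the function names are my assumptions. The boot-sector check is a generic bootkit tripwire and does not claim where HDRoot specifically writes itself.

```powershell
# Added example; it is not code from the original page or from Winnti.
# Assumptions: elevated PowerShell 5.1+ on Windows; \\.\PhysicalDrive0 is the
# boot disk; the baseline file location is arbitrary. The boot-code hash is a
# generic bootkit tripwire: it does not claim where HDRoot writes itself, and on
# a UEFI/GPT system sector 0 is only a protective MBR, so a matching hash there
# says nothing about the EFI boot chain.

function Get-WindowsUpdateState {
    # wuauserv is trigger-started and is often Stopped on a healthy machine; the
    # states worth flagging are a missing service or a StartType of Disabled.
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if (-not $svc) { return 'wuauserv: service missing' }
    if ($svc.StartType -eq 'Disabled') { return 'wuauserv: disabled (tampering suspected)' }
    return "wuauserv: $($svc.Status), start type $($svc.StartType)"
}

function Get-BootSector {
    param([string]$Device = '\\.\PhysicalDrive0')
    # Raw device reads must be sector-sized and aligned; a single 512-byte read is.
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        $n = $fs.Read($buf, 0, 512)
        if ($n -ne 512) { throw "short read from ${Device}: $n bytes" }
        return ,$buf   # the leading comma keeps the byte[] from being unrolled
    } finally {
        $fs.Dispose()
    }
}

function Get-BootSectorReport {
    param([byte[]]$Sector)
    # MBR layout: boot code 0..445, partition table 446..509, 0x55AA at 510..511.
    # Only the boot code is hashed: partition edits are routine, boot-code edits are not.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $codeHash = [BitConverter]::ToString($sha.ComputeHash([byte[]]$Sector[0..445])) -replace '-', ''
    [pscustomobject]@{
        HasBootSignature = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        BootCodeSha256   = $codeHash
    }
}

function Test-BootCodeBaseline {
    param([string]$BaselinePath = (Join-Path $env:ProgramData 'bootcode-sha256.txt'))
    $report = Get-BootSectorReport -Sector (Get-BootSector)
    if (-not $report.HasBootSignature) {
        return 'sector 0 lacks the 0x55AA signature; not a conventional MBR'
    }
    if (-not (Test-Path $BaselinePath)) {
        # First run on a machine believed to be clean: record the baseline.
        Set-Content -Path $BaselinePath -Value $report.BootCodeSha256
        return "baseline recorded: $($report.BootCodeSha256)"
    }
    $known = (Get-Content -Path $BaselinePath -Raw).Trim()
    if ($known -ieq $report.BootCodeSha256) { return 'boot code matches baseline' }
    return "BOOT CODE CHANGED: baseline $known, current $($report.BootCodeSha256)"
}

# Usage: run once on a known-clean machine to record the baseline, then on a schedule.
Get-WindowsUpdateState
Test-BootCodeBaseline
```

The baseline must be taken while the machine is believed clean and stored somewhere the bootkit cannot rewrite (off-host is best); a baseline recorded after infection simply enshrines the malicious boot code. A rootkit that already controls the kernel can also lie to raw disk reads, so a matching hash is evidence, not proof, and offline or boot-media inspection remains the stronger check.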
The HDRoot Bootkit has mainly been observed deployed against companies in South Korea, but other typical Winnti victims also may be targeted, ranging as far afield as Western Europe.