Malware continues to take advantage of a legacy component, designed in the
1980s, that modern systems still carry. Although the cyber threat landscape
continues to evolve at an ever-increasing pace, exploitation of the classic
BIOS boot process remains a real threat to enterprises around the world.
Furthermore, because malware that tampers with the boot process (aka a
bootkit) executes before the operating system loads, such compromises
often persist even after incident responders believe the incident has
been remediated.
This post details the challenges FireEye faced examining boot
records at scale and our solution to find evil boot records in large
The challenge that incident responders and network defenders face
when confronted with large enterprise networks is twofold.