HDRoot Explained

Hi guys,

Dmitry Tarakanov, an Information Security Specialist, recently reported on HDRoot, a bootkit found during an investigation.

While tracking Winnti group activity, a suspicious 64-bit sample was found: a standalone utility named HDD Rootkit, built for planting a bootkit on a computer. The bootkit is coded to infect the operating system with a backdoor at an early stage of booting. Several backdoors that the HDRoot bootkit used to infect operating systems were found during the investigation.


Since the backdoor installed with HDRoot can be arbitrary, it is not possible to say which malware the HDRoot bootkit runs in every case where it might be found. Two types of malware were identified while tracking HDRoot. The first was extracted manually from the hard drives of victims where HDRoot was detected. The other was found in a standalone dropper that contained both HDRoot and the backdoor it installed.


The downloader bootmgr.exe was compiled on 18 November 2013, the same day as the dropper. It downloads files from the URLs listed in its body and runs them.

The second downloader recognizes two parameters: “install” and “remove”. In the installation branch it creates an auto-starting “Winlogon” service with the description “Provides automatic configuration for the 802.11 adapters”, configured to run the downloader's own executable. The “remove” parameter deletes this service.
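As an added defender-side example (not code from the original post or from Securelist), the following Python check scans an exported Windows service list for the persistence indicators described above: a service named “Winlogon”, or a service carrying the quoted 802.11 description. The CSV column names and the sample export are assumptions constructed here, not real data.

```python
import csv
import io

# Indicators quoted in the post: the second downloader's "install" branch registers
# an auto-starting service named "Winlogon" with this description.
SUSPICIOUS_SERVICE_NAME = "Winlogon"
SUSPICIOUS_DESCRIPTION = "Provides automatic configuration for the 802.11 adapters"


def find_suspicious_services(csv_text):
    """Return (name, path, reason) tuples for services matching the HDRoot
    downloader's persistence indicators.

    Input is assumed to be a CSV export with the columns Name, DisplayName,
    Description, PathName, StartMode (for example from
    Get-CimInstance Win32_Service | Export-Csv)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get("Name") or "").strip()
        desc = (row.get("Description") or "").strip()
        reasons = []
        if name.lower() == SUSPICIOUS_SERVICE_NAME.lower():
            # winlogon.exe is a process started by smss.exe, not a service;
            # a service registered under this name is not part of a standard install.
            reasons.append("service named Winlogon")
        if desc == SUSPICIOUS_DESCRIPTION:
            reasons.append("description matches HDRoot downloader")
        if reasons:
            hits.append((name, row.get("PathName") or "", "; ".join(reasons)))
    return hits


# Constructed sample export (not real data): one legitimate-looking service and the
# service the downloader would register. The paths are placeholders.
SAMPLE_EXPORT = """Name,DisplayName,Description,PathName,StartMode
WlanSvc,WLAN AutoConfig,Wireless LAN configuration service,C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted,Manual
Winlogon,Winlogon,Provides automatic configuration for the 802.11 adapters,C:\\ProgramData\\bootmgr.exe,Auto
"""

if __name__ == "__main__":
    for name, path, reason in find_suspicious_services(SAMPLE_EXPORT):
        print(f"{name}: {path} ({reason})")
```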

Earlier discovery

“We were not actually the first AV company to encounter HDRoot malware face to face. At the end of 2013 South Korean AhnLab issued a comprehensive report on the ETSO Hacking group based on incident response cases their digital forensic team was working on. ETSO malware, according to AhnLab’s classification, mostly corresponds to Winnti malware as we detect it. During their analysis AhnLab’s engineers discovered infected MBRs that, according to their description (pages 14-15, chapter “2.5 Maintain Network Presence”), sound like the result of an HDRoot bootkit installer at work:

we know about incident handlers not necessarily from AV companies that are acquainted with the HDD Rootkit utility. However, when it comes to detection, despite the fact that this dangerous threat is quite old, antivirus products were not that good at detecting it.”


Looking at the available data, Dmitry points out that HDRoot infections prevail in Winnti's traditional region of primary interest – South East Asia, especially South Korea – according to KSN. Other parts of the world have also been affected, and the extent and impact of this threat may be significant.

He also says that the numbers don't reflect the nature of the targets: from the numbers alone we can't see what sort of companies were attacked. Hence the map may tell a different story from reality in terms of the probable damage in a particular country.

Using their products, they managed to mitigate an HDRoot infection in two major companies, in Russia and the UK, where the malware was discovered on multiple servers. In both cases the damage from the infection could have been very significant, especially in Russia, where many of the company's customers could have been affected.

He further explains “Although we have not found many malware families installed using HDRoot, and attribute known HDRoot-related activity to Winnti, we continue to assume that this bootkit may be used in multiple APT. We already know about an overlap in Winnti activity and other APT from previous incidents. Taking into account the HDRoot installer’s nature as a standalone tool, it’s very possible that this bootkit could be in the hands of other threat actors.”


Check out the full post with his analysis on: https://securelist.com/analysis/publications/72356/i-am-hdroot-part-2/

Source: Akati
