Anti-Malware Research

CPD Makes Use of Hidden Sectors

Antimalware researchers Marius Tivadar and Cristian Istrate are back, this time with an update on the infamous CPD bootkit family:

The first variant was a simple MBR infector. Times have changed, though, and the most recent one is among the stealthiest bootkits in the wild today.

CPD modifies just one dword in the boot sector to load itself. This dword is the HiddenSectors field in the BIOS Parameter Block structure. This field tells the boot sector the LBA at which the partition is located. When the boot sector loads the next 15 bootstrap sectors, it uses the HiddenSectors field to find their location on disk. CPD stores its components at the end of the disk and replaces the original HiddenSectors field with the LBA of the bootkit loader component. This way the bootkit will be loaded instead of the original 15 bootstrap sectors of the partition.
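A defender-side consistency check for the tampering described above, added here as an illustration and not taken from the original post or from Bitdefender: it compares each boot sector's HiddenSectors dword with the partition start LBA recorded in the MBR. It assumes a raw image of an MBR-partitioned disk with 512-byte sectors and primary partitions only; the function names and the sample image are constructed for the example.

```python
import struct

SECTOR = 512                         # assumption: 512-byte logical sectors
PART_TABLE_OFF = 0x1BE               # four 16-byte entries in the MBR
HIDDEN_SECTORS_OFF = 0x1C            # BPB HiddenSectors dword in the boot sector
SKIP_TYPES = {0x00, 0x05, 0x0F, 0xEE}  # empty, extended containers, GPT protective

def primary_partitions(mbr):
    """Yield (index, start_lba, sector_count) for each used primary entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype not in SKIP_TYPES and count:
            yield i, start, count

def check_hidden_sectors(image):
    """Return findings where a boot sector's HiddenSectors != partition LBA."""
    findings = []
    total = len(image) // SECTOR
    for i, start, count in primary_partitions(image[:SECTOR]):
        if start >= total:
            continue  # boot sector is not present in this image
        (hidden,) = struct.unpack_from(
            "<I", image, start * SECTOR + HIDDEN_SECTORS_OFF)
        if hidden != start:
            inside = start <= hidden < start + count
            findings.append({
                "entry": i, "partition_lba": start, "hidden_sectors": hidden,
                "target": "inside partition" if inside else "outside partition"})
    return findings

def build_image(start, hidden, count=64, total=256):
    """Constructed sample: tiny disk with one primary partition (type 0x07)."""
    img = bytearray(total * SECTOR)
    struct.pack_into("<B3xB3xII", img, PART_TABLE_OFF, 0x80, 0x07, start, count)
    img[510:512] = b"\x55\xaa"
    struct.pack_into("<I", img, start * SECTOR + HIDDEN_SECTORS_OFF, hidden)
    return bytes(img)

if __name__ == "__main__":
    print(check_hidden_sectors(build_image(32, 32)))    # consistent boot sector
    print(check_hidden_sectors(build_image(32, 240)))   # field redirected near end of disk
```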

[Figure: CPD variants]

About the author


Razvan Stoica is a journalist turned teacher turned publicist and technology evangelist. When Bitdefender isn't paying him to bring complex subjects to wide audiences, he enjoys writing fiction, skiing and biking. Razvan Stoica started off writing for a science monthly and was the chief editor of a science fiction magazine for a short while before moving on to the University of Medicine in Bucharest where he lectured on the English language. Recruited by Bitdefender in 2004 to add zest to the company's online presence, he has fulfilled a bevy of roles within the company since. In his current position, he is primarily responsible for the communications and community-building efforts of the Bitdefender research and technology development arm.