Amazing info.
I remember reading somewhere back a few months ago that researchers were able to install one of these advanced bootkits on a machine that was running full-system encryption via TrueCrypt - *one* round of AES. The story was surprising at the time because that was one of the few mitigations of the installation of these bootkits - the idea being that existing (TrueCrypt boot loader) code was already in the MBR and that overwriting any of it would render the system unbootable since the TrueCrypt boot loader would hence be corrupt and wouldn't even load. Apparently there was still enough free space in the MBR to write to after the TrueCrypt code ended.
However, no one said anything about cascade encryption.
If you had a combination of AES+Twofish+Serpent as your system encryption scheme - would that be enough to plug any holes in the MBR to prevent these bootkits from installing? Anyone?
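
An added example, not part of the original post: a minimal baseline check for the situation described above, where a boot loader leaves unused bytes in the MBR that can be written without breaking the loader. It assumes the standard MBR layout (bootstrap code in bytes 0-439, boot signature 0x55AA at bytes 510-511); the function names and both sample sectors are constructed for illustration and do not reflect TrueCrypt's actual loader layout.

```python
import hashlib

SECTOR_LEN = 512
BOOT_CODE_LEN = 440          # standard MBR: bytes 0-439 hold bootstrap code
BOOT_SIG = b"\x55\xaa"       # boot signature at bytes 510-511

def inspect_mbr(sector: bytes) -> dict:
    """Hash the bootstrap-code area and estimate its unused tail."""
    if len(sector) != SECTOR_LEN:
        raise ValueError("expected exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    code = sector[:BOOT_CODE_LEN]
    used = len(code.rstrip(b"\x00"))   # heuristic: trailing zeros = slack
    return {"sha256": hashlib.sha256(code).hexdigest(),
            "used": used, "slack": BOOT_CODE_LEN - used}

def changed_offsets(baseline: bytes, current: bytes) -> list:
    """Offsets in the bootstrap-code area that differ from the baseline."""
    return [i for i in range(BOOT_CODE_LEN) if baseline[i] != current[i]]

def constructed_sample():
    """Build two constructed sectors: a baseline and a copy with slack overwritten."""
    loader = bytes((i % 255) + 1 for i in range(300))   # stand-in loader, no zero bytes
    baseline = loader + bytes(SECTOR_LEN - 300 - 2) + BOOT_SIG
    tampered = bytearray(baseline)
    tampered[400:410] = b"\xcc" * 10    # bytes written into the unused tail
    return baseline, bytes(tampered)

if __name__ == "__main__":
    base, cur = constructed_sample()
    before, after = inspect_mbr(base), inspect_mbr(cur)
    diff = changed_offsets(base, cur)
    print("slack before/after:", before["slack"], after["slack"])
    print("hash changed:", before["sha256"] != after["sha256"])
    # Every change lies past the loader's last byte: the loader itself is
    # intact and still runs, so only a baseline comparison reveals the write.
    print("changes confined to former slack:", all(o >= before["used"] for o in diff))
```

In practice the baseline would be recorded right after the boot loader is installed and the comparison run from trusted boot media, since a running bootkit can falsify reads of sector 0.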