Boot Sector Viruses & Rootkits Poised For Comeback

Ant writes "Ars Technica says Panda Labs' first quarter 2008 malware report raises a new concern, though it comes from a surprising direction. According to the company, boot sector viruses loaded with rootkits are poised to make a comeback. This honestly sounds a bit odd, considering how long it has been since a boot virus has topped the malware charts, but it's at least theoretically possible (pdf). Such viruses have a simple method of operation. The virus copies itself into the Master Boot Record (MBR) of a hard drive, and rewrites the actual MBR data in a different section of the drive. The report also covers a number of other topics and makes predictions about the types of attacks computer users may see in the future. Forecasting these trends is always tricky."

With or Without TPM?

[sainttX]

If we have hardware security support, this is not that easy..

Let me guess

[WindBourne]

Panda labs has a new product that protects just this? Call me a cynic, but ....

Re:

[MooseMuffin]

Yep. Just copy this little protection file into your MBR...

No need

[WindBourne]

just buy something from China. Perhaps Panda is aware of the new effort underway?

Re:

[ta bu shi da yu]

Bah. Run Linux, no reboots. No reboots = no problems with boot-sector viruses.

Re:Let me guess

[Lumpy]

That's ok ASUS has had that protection for decades.

MBR protection has been in every bios on ASUS motherboards for at least 12 years now. turn it on and NOTHING can write to the mbr.

gotta love how old tech solves the "new hotness".

Re:

[Molochi]

MBR bios protection seems to be pretty common on "homebuilt" and "mom and pop" machines. But my laptop (acer) doesn't seem to have it. I don't see an option to enable it on our toshiba (though it runs vista so NBD). I don't do PC support anymore, do the vast number of Dells running XP have MBR protection in bios?

Re:

[Anonymous Coward]

Professional laptops like Panasonic tough books have it.

Maybe the toy grade stuff like toshiba and dell dont.

Re:

[SatanicPuppy]

I won't use anything but ASUS motherboards. Once you get used to the feature set on a good motherboard, the crap you get from the big computer manufacturers is just intolerable.

Most of them skimp on the motherboard because most consumers don't understand the difference between a fast processor on a good motherboard, and a fast processor on a terrible motherboard. They just look at mhz and ram, and ignore bus speed/bandwidth.

Re:Let me guess

[Anonymous Coward]

Not quite. It protects the bios from hard disk writes using int 13h. It won't protect from programs accessing the hard drive directly using I/O ports, which any modern MBR virus is likely to do.

Re:

[tlhIngan]

Not quite. It protects the bios from hard disk writes using int 13h. It won't protect from programs accessing the hard drive directly using I/O ports, which any modern MBR virus is likely to do.

True, most protection does this, especially from 12 years ago when DOS was still a viable platform.

However, I don't see why more modern systems can't store a copy of the MBR in the CMOS - it is, after all, only 512 bytes in size. On boot, it simply does a compare between the MBR on the hard disk and the one it stored

Windows Malicious Software Removal Tool

[mrbluze]

Windows is a program which inserts code into the master boot record, often before the user has broken open the packaging of their new computer, resulting in loading of malicious code at power-on which causes the computer to phone-home and results in the gradual loss of available disk space on the affected drive. Multiple other vulnerabilities have also been reported.

Various removal tools [ubuntu.com] are available free of charge. This is considered a critical and urgent update.

I can see it now

[oni]

GNU GRUB version 0.95 (638 lower / 288704K upper memory)

Ubuntu, kernel 2.6.12-9-386
Ubuntu, kernel 2.6.12-9-386 (recovery mode)
Ubuntu, memtest86+
Other operating systems:
Windows NT/2000/XP
omfgh4xorz-r00tk1tz3113

Use the up and down keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the commands
before booting, or 'c' for a command-line

hmm, something's not right here

Re:I can see it now

[ettlz]

hmm, something's not right here

Yep. The latest grub is 0.97.

Or are you talking about the space-munching change of layout?

Re:I can see it now

[maxch]

call me crazy, but that Windows entry seems suspicious.

Re:

[jeric23]

More phishy might be if the GRUB entry was "Windows CE/ME/NT"

Re:

[Anonymous Coward]

Indeed. You misspelled Windows Vista.

Re:

[ArcticFlood]

Yeah, you don't have a password set for grub.

The old ways still work

[ais523]

I still check to make sure that there aren't any floppy disks left in the drives before I power-on (and I still have floppy drives, even an external one for the laptop); it seems now the old habits may have a reason. Of course, nowadays malware doesn't have to rely on floppy disks accidentally left in drives and sharing of executables from one computer to another because the Internet exists; but that doesn't stop the old threats working, just provides a more modern alternative that gets more attention.

Re:

[Tanman]

You can boot from a cd/dvd as well as a floppy.

Re:

[Digi-John]

Or a usb stick in many cases. Sneaky.

Re:

[LiquidCoooled]

Why do you have to boot it?
Don't a lot of USB sticks have u3?

u3 installs a device driver on Windows and creates a fake cd rom so that the memory stick can autorun.

Fuck waiting for the autorun, its the device driver I would be worried about.

Re:

[GigaplexNZ]

Autorun.inf also allows autorunning from USB drives without installing special drivers. This is how many USB keys spread, plug in the drive and it copies the virus to the host machine. Plug a clean USB key into an infected machine, it copies onto the USB key. The University I went to had a constant virus infection in one of the computer labs that didn't disable autorun.

Re:

[jmadren]

No, Autorun.inf will not automatically run on plain USB flash drives. Microsoft didn't think to support that. Autorun.inf will only work on CD drives. That's why U3 flash drives have firmware in them that emulates a CD drive, to trick Windows into automatically running the Autorun.inf. U3 doesn't install special drivers on the computer, Windows does that itself in response to seeing a new CD hardware device (except for Win95/98, for which you have to install some drivers).

Re:

[GigaplexNZ]

Not true. If I stick autorun.inf on any plain old USB drive (including external enclosures) autorun.inf is triggered. I use this all the time to set the drive icon and to prevent Windows popping up the default autorun window that prompts whether you want to open music files in WMP, pictures in the picture viewer, open explorer to browse files etc. Heck, I can even do this on SATA hard drives and hotplug them and it still uses autorun.inf. See http://dailycupoftech.com/usb-drive-autoruninf-tweaking/ [dailycupoftech.com]

Re:

[Nullav]

And sometimes hard drives. (I know, I was shocked, too.)

Re:

[Anonymous Coward]

Or just disable floppy, cdrom and usb from the boot order in your bios

Re:

[DMUTPeregrine]

Funnily, I do the exact opposite. I boot from a floppy, all the time. It's write-protected, of course. It contains GRUB. I eject it as soon as it loads the Linux, and plug it back in when I need to boot. Thus, the probability of corruption of my boot sector mattering is greatly reduced.

Re:

[GigaplexNZ]

The fact that it is on a floppy drive is enough to corrupt it. None of my floppy disks have valid data anymore, it self-corrupts over time.

OBL: Battlestar Gallactica Reference

[powerlord]

it seems now the old habits may have a reason.

"All this has happened before. All this will happen again"

Cool

[dedazo]

The last time any of my machines had anything resembling a virus, malware or trojans it came in a floppy boot sector and it was called "Natas" or something like that.

Bill Clinton was president, the Nasdaq was at 5,000 or something like that and I was smoking pot. Maybe we'll go back to the old days in more ways than one!

Re:

[Abreu]

Well, I don't know about boot sector viruses or about pot, but theres a chance you might get a 'President Clinton' once more...

-

*Disclaimer: The above is a joke and not an endorsement or criticism of any US candidate... I am not USian and I don't really care much for american policies.

Re:

[Artuir]

From the looks of it, most of us "USians" (that is my new favorite term) haven't cared much for American policies or politics for quite some time!

Re:

[Mista2]

I work in an IT department, our engineers all know about AV security, or home PCs are given free copies of what we have at work, All is good. Yesterday an engineer plugged in a brand new external USB drive, it was r00ted already. Trojan attempted to load into one of the local disks and was picked up by a scanner. It can happen to anyone these days.

Re:

[BlackSnake112]

I remember back in college (1992) I bought a box of 10 floppy disks. All 10 were infected (with ripper I think). I wrote to the disk company letting them know the numbers that were on the box. About three weeks later I got a huge box. It had over 1000 brand new floppies and a letter thanking me for letting them know about that issue. Also was an apology for getting infected disks. I didn't have to buy floppy disks for years.

Re:

[MrMr]

Exactly, the last time any of my machines had anything resembling a virus it was running DOS 2.11, Btw I keep hearing about this new gui you can put on top of that, is that any good?

Re:

[jwo7777777]

No, avoid like the plague. Recommend that you revert to CP/M.

Re:

[desertfool]

Geez, you sound too much like me. My first day in MIS in 1993 I found a PC with Natas on it. Then I went searching around the building and found a few more, along with infected floppies. That was nasty just because when it popped up after hiding for a while it destroyed all executables that ran.

I suddenly feel so old.

Bah!

[Well-Fed Troll]

I spit on thee, thou foul virus writing knaves.
Wilt it doth survive the lowly Format?
Truly I say unto thee, Real Men write CMOS infecting viruses.

Re:

[couchslug]

"Truly I say unto thee, Real Men write CMOS infecting viruses."

Don't remind them. :)

Re:Bah!

[MadnessASAP]

Speaking of which, I remember seeing a rather nifty POC for storing a rootkit in a video cards BIOS. I don't think anybody has taken advantage of it yet though.

Re:

[Jesus_666]

You can say what you want about the olden days, but CIH was epic.

Re:

[repvik]

Your BIOS guards against that attack vector if you use BIOS-calls to write to the harddrive. Not very likely, and very easy to circumvent...

Re:

[FireXtol]

Actually my BIOS supports Trend Chipaway Virus protection, so I should be protected.

Watch out for what you buy

[Digi-John]

A danger to be alert to is the possibility of viruses and rootkits that ship with the computer. Consider that most computers have a lot of parts made in China; suppose the Chinese government decides it's going to slip something into your BIOS? That is a major issue for national security, and it's not just speculation; I've seen test viruses that sit in the BIOS and do a SUID root on a specific file in /tmp on every bootup. EFI is just as vulnerable, because it's basically a complete Unix-like OS just for booting.

Re:

[Digi-John]

But the Chinese Government? Come on - you're meant to be a respectable member of society who has their own opinions, and doesn't spend their life sat in front of the History Channel watching any documentary with the words 'conspiracy theory' in the title.

This is less of a concern for the private citizen than for major corporations and government entities. The speculation on this is not coming from the History Channel (I always turn off the conspiracy theory crap anyway), but from experienced scientists a

Why?

[Rurik]

I wonder why a virus writer would even want to do this? Nearly all have learned that instead of wreaking havoc for fun, they can wreak havoc and make money off it. There's a reason most writers stopped writing boot sector viruses. Viruses are more fun when they can perform click-fraud, and other long-term money making actions, instead of destroying a user's computer.

Re:Why?

[eldavojohn]

I don't think this article was talking about viruses that merely hose your hard drive. Granted, that's what most of those did, I think they are dreaming up something that writes your MBR to another piece of the hard drive and gains root access right when you start your computer. If virus writers are sophisticated enough, maybe the write something like an extended firmware interface that loads your operating system normally and you don't even know about it running in the background. Again, that's a high level of sophistication but I was blown away by what the virtual machines have been able to do.

There's also evidence that I am skeptical of like:

The problem with boot viruses is that their attack vector is fairly well-guarded. Any antivirus program worth beans will detect a suspicious attempt to modify the MBR and will alert the end user accordingly. Running as a user rather than an administrator should also prevent such modification even if you don't have an antivirus scanner installed. Panda implies that this kind of exploit could be an issue in Linux, and I suppose that's theoretically possible, but Linux always creates a user account without root access by default.

If Panda's report really did imply that, they just lost a whole shitload of credibility in my book. I'm not stupid enough to think that Linux is impenetrable but I know that the Unix-like security scheme with users in userland and superusers in kerneland is always observed.

Re:

[The_reformant]

The obvious use being running a hypervisor which then boots the original OS.

Re:

[hesaigo999ca]

Seems funny Panda would go out and name Linux as a sole heir to
this possible infection, I wonder how much money they are getting
under the table from M$ to write this bull...

Re:Why?

[sjames]

Consider the MBR just one of several potential hooks into the system. It need not destroy the machine at all. It could (for example) install itself as ring 0, load the OS below itself and then the fun begins.

Consider the havoc it could create if it can manage to get itself into the SMI handler by playing dirty tricks with the RAM controler that are only possible before the OS switches to protected mode.

Re:Why?

[darkmeridian]

I think the plan is to have a MBR virus plant a rootkit that pwns the OS and zombies the system without anyone realizing what's going on.

Re:

[LowlyWorm]

I have often suspected antivirus companies themselves. They are the ones who always benefit from the never ending array of new viruses. Sure, there are a lot of hacker want-to-bes that write them but are there really that many malicious hackers? I am sure there are more viruses than hackers. Just look at the list of viruses you antivirus "protects" against. There must be a few virus writers making a LOT of viruses. Who would do that and what would their motivation be?

Re:

[MadnessASAP]

This is a reply to your signature. But I believe the word "bad" has been stricken from the dictionary from now on you are advised to use "doubleplus ungood." Of course admitting to having been exposed to something ungood is sufficient reason to have you erased, you are hereby ordered to sit in front of your telescreen with your hands in plain sight until representatives from the Ministry of Truth arrive.

Re:

[LowlyWorm]

The Ministry of Truth can put it in their memory holes. Besides, we have always been at war with Iraq. Unless it was Afghanistan... or Iran ... or North Korea ... or Venezuela ... or Cuba... or The U.S.S.R. ... or ...

Re:

[m50d]

Who would do that and what would their motivation be?

Less dangerous are the bored teenagers, doing it out of boredom. Think of how you were when you were 14, now imagine you could code pretty well. A decent percentage of our modern 14 year olds can, and a few of them will put it into practice writing virii for amusement.

More dangerous are the professional criminals, doing it because it's easy money. Own the machines, sell them to a spammer. Or if you don't want to worry about handling the business side you

Re:

[LowlyWorm]

That certainly happens but it would surprise me that AV companies don't see the easy money too. A virus writer approached by a spammer or crime syndicate (or vice-versa) can't be that common of a scenario. AV companies have been in business for some time. There are some reputable free AV programs but there are bad apples everywhere.

Re:

[bendodge]

Wasn't there a lot of hubbub a few months ago when drive mfg's were planning to increase the sector size? That would sure make, uh, interesting boot sector viruses more practical.

The same reasons it worked in the DOS era

[Reziac]

I predicted a comeback of the BSV (boot sector virus) immediately following the end of the DOS-based antivirus apps that could run from a floppy boot, and here we are today... as to WHY:

1) Wonderful place to hide your spyware. The MBR space is about 5k. Of this only about 500 bytes is typically in use; the remainder is large enough to host compact spyware with its own SMTP server (there are already malwares out there with these functions packed into only 3k of code).

2) Blackmail. Encrypting BSVs were at one

Warning: Panda is linked to Scientology

[Anonymous Coward]

Sorry for being off topic, but it should be pointed out that Panda is strongly linked [wikipedia.org] with the cult of Scientology. While it doesn't make them necessarily evil, the recent events of people being harassed for protesting against the cult and the tactics employed by the cult to obtain at any cost personal data of protesters, should suggest the use of different antivirus/antispam programs, especially in a close source environment like Windows where the user cannot easily monitor what the software does and what

Widespread?

[gmuslera]

If well that kind of virus could be made, and work, the odds of getting infected looks so low (EVEN for windows users) that probably wont be very widespread.

In the other hand, if you have already something ugly running as admin/root in your box in a way or another, it could deploy the MBR part, but dont see the advantage of this if is anyway already in control (afaik some rootkits/trojans (?) for windows hide themselves from scanners intercepting network/disk drivers or something similar, so no big advantage there)

Re:

[Culture20]

Imagine an MBR virus shipping from the factory on floppies, USB sticks, USB HDDs, or a BIOS or MBR virus/rootkit on new Lenovo machines (sorry, China's an easy target these days).

Re:

[AvitarX]

Where do you think Apples are made?

And they have that fancy BIOS that could be a lot of fun too.

It doesn't even need to be China. The potential payout is enough that organized crime anywhere could pull it off, though in a country like China it is probably easier to bribe enough people to slip your stuff into the assembly line.

Re:

[gaspyy]

Actually, my USB flash memory got infected when I went to a nearby service office to print something.

My AV (Bitdefender) caught it. It was an executable and autorun.inf

Subsequently, I disabled autorun for all drives.

Virtualization complications

[wheatking]

so what happens w/ all this virtualization (VMware, Xen, Microsoft/Kidaro, RingCube, Moka5,...) coming in... aren't bare metal vulnerabilities @ the hypervisor layer a bigger deal?

Even worse threats on the horizon...

[jdb2]

For a rootkit, the lower the level it can modify the system at, the better. We've seen this progression, from user-mode,to kernel mode hooks,to kernel mode data structures etc. So, obviously the rootkit authors know that their current methods will be obsolete in the near future, and have "lowered the bar" (pun intended ;) to the MBR. (Heh, that also rhymes ;) Anyway, if you think this is the last safe haven for rootkits, you're wrong -- really wrong. How about a rootkit that splits itself into tiny chunks, compresses them, and then inserts them into the free space available on the various BIOS's in your system eg. Video, Hard Drive, RAID Controller etc.? Impossible you say, well, I advise you to watch this presentation :

http://youtube.com/watch?v=G26oZtzluAQ&fmt=6 [youtube.com]

Systems with the ability to boot from a storage device other than a hard drive, say, a USB drive, are especially vulnerable, as the rootkit doesn't have to gain access to the BIOSs via the OS. Instead, it modifies the boot sector of the USB drive and then, upon bootup, after the BIOS boots off the USB drive, hides itself via the previously mentioned technique, so as to ensure it will run even if the boot sector of the USB drive is modified. This is possible as, upon bootup, the BIOS scans for memory mapped expansion ROMs (the previously mentioned BIOS's spread throughout your system) and then transfers control to each one.

Something to think about.

jdb2

Re:

[CDOS_CDOS run]

It's funny a hundred years ago in the mid to late 90s floppy viruses stopped being effective because people stopped exchanging floppies, but at that same time network viruses thrived due to connection to the internet. Now with USB keys so common, a floppy type virus should/could make a good living. No one worries about the potential that someones USB key carries a virus.

Re:

[Reziac]

And even simpler, the hidden "recovery partitions" that are now so common on OEM machines. (Or the 7mb hidden partition that Partition Magic creates on every HD that isn't set up with an active partition.)

Point being, free space is free space, and there is always some way INTO that free space.

I imagine some protection might be achieved for a BIOS by filling the leftover space with spurious data, but it only takes one clever virus writer to figure out how to delete the junk data...

As to write-protection, if

EFI / intel atm / amd Remote IT may be targets

[Joe The Dragon]

EFI / intel atm / amd Remote IT may be targets that are not part of the OS on the system and are tied to the NIC controllers, chipset , video and other hardware parts and there is not that many report tools for keeping the bios / firmware up to date.

EFI can use a partition on the hard disk to store Extensions and the Extensions can also come form add in cards / on board roms and other places.

The hardware based Remote IT tools may be holes that hackers can use and can be limited by flash rom space to store u

Re:

[nullchar]

You sure it was your computer?

How would this affect EFI-based computers...

[analog_line]

...which from my (limited) understanding, an MBR is set aside, but not actually used for booting anything. I guess technically it's free space, so another hiding place, but nothing normally accesses that record, so would this kind of thing have any effect? You know, on computers like Intel Macs, which all use EFI.

Re:

[greed]

You'd have to attack the EFI "system volume" instead of the MBR. Seeing as rEFIt can replace the default Mac OS booter, there's definitely a way to do it.

Re:

[Reziac]

It doesn't matter. All a BSV or rootkit needs is a small amount of hidden free space -- on the HD (isn't EFI essentially BIOS-type code but located on the HD?) or as others have pointed out, in any system ROM, such as the BIOS on your video card.

Considering that some video cards and most HDs can be used in either PC or Mac... a smart virus need only check which type of system it's in, and configure itself accordingly.

I foresee a return to jumper-based write-protection for system ROMs. (A flag in software ca

great idea

[ILuvRamen]

And you know what really helps is writing detailed how-to theory articles, saying it's inevitable, and repeating how effective it could be. That will ensure that all these gloom and doom virus articles come true! That must be what all these authors want or something or they'd all shut up.

Good Comments

[not_hylas( )]

There are some really good comments here, (checks, sees if it's /.)
After the jump - read the comments, starting here:
Further:

http://www.securityfocus.com/comments/articles/11372/33017/threaded#33017 [securityfocus.com]

http://slashdot.org/comments.pl?sid=453034&cid=22412440 [slashdot.org]

corrected headline ..

[rs232]

Panda Labs talks up the malware scare to sell PRODUC~1 ..

"The report also covers a number of other topics and makes predictions about the types of attacks computer users may see in the future"

Like, what kind of 'computers' does the vast majority of this malware run on.

New rootkits

[Wowsers]

New rootkits? Is Sony releasing some new gadget this year?

In the immortal words of Bush The Great...

[freedom_india]

...i say "Bring 'em on"
-:)