Boot Sector Viruses & Rootkits Poised For Comeback
Ant writes "Ars Technica says Panda Labs' first quarter 2008 malware report raises a new concern, though it comes from a surprising direction. According to the company, boot sector viruses loaded with rootkits are poised to make a comeback. This honestly sounds a bit odd, considering how long it has been since a boot virus has topped the malware charts, but it's at least theoretically possible (pdf). Such viruses have a simple method of operation. The virus copies itself into the Master Boot Record (MBR) of a hard drive, and rewrites the actual MBR data in a different section of the drive. The report also covers a number of other topics and makes predictions about the types of attacks computer users may see in the future. Forecasting these trends is always tricky."
With or Without TPM? (Score:4, Interesting)
Let me guess (Score:5, Interesting)
No need (Score:2)
Re:Let me guess (Score:5, Insightful)
MBR protection has been in every BIOS on ASUS motherboards for at least 12 years now. Turn it on and NOTHING can write to the MBR.
Gotta love how old tech solves the "new hotness".
Re: (Score:1, Informative)
Maybe the toy-grade stuff like Toshiba and Dell don't.
Re: (Score:2)
Most of them skimp on the motherboard because most consumers don't understand the difference between a fast processor on a good motherboard, and a fast processor on a terrible motherboard. They just look at mhz and ram, and ignore bus speed/bandwidth.
Re: (Score:3, Interesting)
True, most protection does this, especially from 12 years ago when DOS was still a viable platform.
However, I don't see why more modern systems can't store a copy of the MBR in the CMOS - it is, after all, only 512 bytes in size. On boot, it simply does a compare between the MBR on the hard disk and the one it stored
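As an added example, not part of the post above or of Panda's report: the "store a copy of the MBR and compare it on boot" check the poster proposes, applied to the sector layout the summary describes (the virus overwrites the bootstrap code in sector 0 and parks the real MBR elsewhere, leaving the partition table alone so the machine still boots). The baseline format (a CRC-32 of the 446-byte bootstrap region plus the raw 64-byte partition table rather than the full 512 bytes), the sample sectors and the scenario() helper are all my own constructions for the demo.

```c
/* Added example (not code from the Panda report, the posters or any BIOS
 * vendor): compare sector 0 against a saved baseline. Design choice: the
 * baseline is a CRC-32 of the bootstrap region plus the raw partition table,
 * not the whole sector. All sample sectors below are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MBR_SIZE         512
#define MBR_CODE_SIZE    446   /* bootstrap code, offsets 0..445 */
#define MBR_PTABLE_OFF   446   /* four 16-byte partition entries */
#define MBR_PTABLE_SIZE  64
#define MBR_SIG_OFF      510   /* 0x55 0xAA boot signature */
#define MBR_BAD_SIGNATURE   1u  /* 0x55AA missing from the current sector */
#define MBR_CODE_CHANGED    2u  /* bootstrap region differs from baseline */
#define MBR_PTABLE_CHANGED  4u  /* partition table differs from baseline */

struct mbr_baseline {
    uint32_t code_crc;                 /* CRC-32 of offsets 0..445 */
    uint8_t  ptable[MBR_PTABLE_SIZE];  /* verbatim copy of offsets 446..509 */
};

/* CRC-32 (IEEE, reflected, poly 0xEDB88320); "123456789" -> 0xCBF43926. */
uint32_t crc32_bytes(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Little-endian 32-bit store, as used by the partition table fields. */
static void wr_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

int mbr_has_signature(const uint8_t *sec)
{ return sec[MBR_SIG_OFF] == 0x55 && sec[MBR_SIG_OFF + 1] == 0xAA; }

/* Record the baseline from a sector known to be clean (e.g. at install). */
void mbr_record_baseline(const uint8_t *sec, struct mbr_baseline *b)
{
    b->code_crc = crc32_bytes(sec, MBR_CODE_SIZE);
    memcpy(b->ptable, sec + MBR_PTABLE_OFF, MBR_PTABLE_SIZE);
}

/* Compare the current sector 0 with the baseline. A boot-sector rootkit of
 * the kind the report describes replaces the code region but keeps the
 * partition table, so the tell-tale result is MBR_CODE_CHANGED alone. */
unsigned mbr_check(const struct mbr_baseline *b, const uint8_t *sec)
{
    unsigned r = 0;
    if (!mbr_has_signature(sec))
        r |= MBR_BAD_SIGNATURE;
    if (crc32_bytes(sec, MBR_CODE_SIZE) != b->code_crc)
        r |= MBR_CODE_CHANGED;
    if (memcmp(sec + MBR_PTABLE_OFF, b->ptable, MBR_PTABLE_SIZE) != 0)
        r |= MBR_PTABLE_CHANGED;
    return r;
}

/* Constructed clean sector: filler bootstrap bytes, one bootable NTFS-type
 * partition at LBA 63, valid signature. */
static void build_clean_mbr(uint8_t *sec)
{
    memset(sec, 0, MBR_SIZE);
    for (size_t i = 0; i < MBR_CODE_SIZE; i++)
        sec[i] = (uint8_t)(0x90 + i % 7);   /* stand-in for real boot code */
    uint8_t *e = sec + MBR_PTABLE_OFF;
    e[0] = 0x80;                            /* bootable */
    e[4] = 0x07;                            /* NTFS/HPFS */
    wr_le32(e + 8, 63);                     /* first sector */
    wr_le32(e + 12, 2097152);               /* 1 GiB of 512-byte sectors */
    sec[MBR_SIG_OFF] = 0x55;
    sec[MBR_SIG_OFF + 1] = 0xAA;
}

/* Tamper modes (all constructed): 0 = untouched; 1 = first 32 bootstrap bytes
 * replaced, table and signature kept, as the summary's MOO describes;
 * 2 = partition moved to LBA 2048; 3 = boot signature zeroed. */
unsigned scenario(int tamper)
{
    uint8_t sec[MBR_SIZE];
    struct mbr_baseline b;
    build_clean_mbr(sec);
    mbr_record_baseline(sec, &b);
    if (tamper == 1) memset(sec, 0xCC, 32);
    if (tamper == 2) wr_le32(sec + MBR_PTABLE_OFF + 8, 2048);
    if (tamper == 3) sec[MBR_SIG_OFF] = sec[MBR_SIG_OFF + 1] = 0;
    return mbr_check(&b, sec);
}

int main(void)
{
    for (int t = 0; t < 4; t++)
        printf("tamper=%d -> flags=%u\n", t, scenario(t));
    return 0;
}
```

To run it against a real disk you would feed mbr_record_baseline() and mbr_check() the first 512 bytes of the boot device (on Linux, `dd if=/dev/sda bs=512 count=1`) instead of the constructed sector; the point of the poster's idea is that the baseline lives somewhere the OS cannot write, which is exactly what this user-space demo cannot provide.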
Windows Malicious Software Removal Tool (Score:4, Funny)
Windows is a program which inserts code into the master boot record, often before the user has broken open the packaging of their new computer, resulting in loading of malicious code at power-on which causes the computer to phone-home and results in the gradual loss of available disk space on the affected drive. Multiple other vulnerabilities have also been reported.
Various removal tools [ubuntu.com] are available free of charge. This is considered a critical and urgent update.
I can see it now (Score:5, Funny)
Ubuntu, kernel 2.6.12-9-386
Ubuntu, kernel 2.6.12-9-386 (recovery mode)
Ubuntu, memtest86+
Other operating systems:
Windows NT/2000/XP
omfgh4xorz-r00tk1tz3113
Use the up and down keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the commands
before booting, or 'c' for a command-line
hmm, something's not right here
Re:I can see it now (Score:4, Funny)
Yep. The latest grub is 0.97.
Or are you talking about the space-munching change of layout?
The old ways still work (Score:3, Interesting)
Re: (Score:2, Insightful)
Don't a lot of USB sticks have U3?
U3 installs a device driver on Windows and creates a fake CD-ROM so that the memory stick can autorun.
Fuck waiting for the autorun, it's the device driver I would be worried about.
OBL: Battlestar Gallactica Reference (Score:2)
"All this has happened before. All this will happen again"
Cool (Score:4, Funny)
Bill Clinton was president, the Nasdaq was at 5,000 or something like that and I was smoking pot. Maybe we'll go back to the old days in more ways than one!
Re: (Score:3, Funny)
-
*Disclaimer: The above is a joke and not an endorsement or criticism of any US candidate... I am not USian and I don't really care much for american policies.
Re: (Score:2)
I suddenly feel so old.
Bah! (Score:4, Funny)
Wilt it doth survive the lowly Format?
Truly I say unto thee, Real Men write CMOS infecting viruses.
Re: (Score:2)
Don't remind them.
Watch out for what you buy (Score:5, Interesting)
Re: (Score:1)
But the Chinese Government? Come on - you're meant to be a respectable member of society who has their own opinions, and doesn't spend their life sat in front of the History Channel watching any documentary with the words 'conspiracy theory' in the title.
This is less of a concern for the private citizen than for major corporations and government entities. The speculation on this is not coming from the History Channel (I always turn off the conspiracy theory crap anyway), but from experienced scientists a
Why? (Score:5, Insightful)
Re:Why? (Score:4, Insightful)
There's also evidence that I am skeptical of like:
Re: (Score:1)
this possible infection, I wonder how much money they are getting under the table from M$ to write this bull...
Re:Why? (Score:4, Insightful)
Consider the MBR just one of several potential hooks into the system. It need not destroy the machine at all. It could (for example) install itself at ring 0, load the OS below itself, and then the fun begins.
Consider the havoc it could create if it can manage to get itself into the SMI handler by playing dirty tricks with the RAM controller that are only possible before the OS switches to protected mode.
Re: (Score:1)
Less dangerous are the bored teenagers, doing it out of boredom. Think of how you were when you were 14, now imagine you could code pretty well. A decent percentage of our modern 14 year olds can, and a few of them will put it into practice writing virii for amusement.
More dangerous are the professional criminals, doing it because it's easy money. Own the machines, sell them to a spammer. Or if you don't want to worry about handling the business side you
The same reasons it worked in the DOS era (Score:2)
1) Wonderful place to hide your spyware. The MBR space is about 5k. Of this only about 500 bytes is typically in use; the remainder is large enough to host compact spyware with its own SMTP server (there are already malwares out there with these functions packed into only 3k of code).
2) Blackmail. Encrypting BSVs were at one
Warning: Panda is linked to Scientology (Score:2, Interesting)
Widespread? (Score:3, Interesting)
On the other hand, if you already have something ugly running as admin/root on your box one way or another, it could deploy the MBR part, but I don't see the advantage of this if it is already in control anyway (AFAIK some rootkits/trojans (?) for Windows hide themselves from scanners by intercepting network/disk drivers or something similar, so no big advantage there).
Re: (Score:2, Insightful)
And they have that fancy BIOS that could be a lot of fun too.
It doesn't even need to be China. The potential payout is enough that organized crime anywhere could pull it off, though in a country like China it is probably easier to bribe enough people to slip your stuff into the assembly line.
Re: (Score:2)
My AV (Bitdefender) caught it. It was an executable and autorun.inf
Subsequently, I disabled autorun for all drives.
Virtualization complications (Score:5, Insightful)
Even worse threats on the horizon... (Score:5, Interesting)
http://youtube.com/watch?v=G26oZtzluAQ&fmt=6 [youtube.com]
Systems with the ability to boot from a storage device other than a hard drive, say, a USB drive, are especially vulnerable, as the rootkit doesn't have to gain access to the BIOSes via the OS. Instead, it modifies the boot sector of the USB drive and then, upon bootup, after the BIOS boots off the USB drive, hides itself via the previously mentioned technique, so as to ensure it will run even if the boot sector of the USB drive is modified. This is possible as, upon bootup, the BIOS scans for memory-mapped expansion ROMs (the previously mentioned BIOSes spread throughout your system) and then transfers control to each one.
Something to think about.
jdb2
Re: (Score:2)
Point being, free space is free space, and there is always some way INTO that free space.
I imagine some protection might be achieved for a BIOS by filling the leftover space with spurious data, but it only takes one clever virus writer to figure out how to delete the junk data...
As to write-protection, if
EFI / intel atm / amd Remote IT may be targets (Score:2)
EFI can use a partition on the hard disk to store Extensions, and the Extensions can also come from add-in cards / on-board ROMs and other places.
The hardware based Remote IT tools may be holes that hackers can use and can be limited by flash rom space to store u
How would this affect EFI-based computers... (Score:3, Interesting)
Re: (Score:2)
Considering that some video cards and most HDs can be used in either PC or Mac... a smart virus need only check which type of system it's in, and configure itself accordingly.
I foresee a return to jumper-based write-protection for system ROMs. (A flag in software ca
great idea (Score:3, Funny)
Good Comments (Score:2)
After the jump - read the comments, starting here:
Further:
http://www.securityfocus.com/comments/articles/11372/33017/threaded#33017 [securityfocus.com]
http://slashdot.org/comments.pl?sid=453034&cid=22412440 [slashdot.org]
corrected headline .. (Score:2)
"The report also covers a number of other topics and makes predictions about the types of attacks computer users may see in the future"
Like, what kind of 'computers' does the vast majority of this malware run on.
New rootkits (Score:1)
In the immortal words of Bush The Great... (Score:2)
-:)