Slashdot Mirror


Boot Record Rootkit Threatens Vista, XP, NT

Paul sends us word on a new exploit seen in the wild that attacks Windows systems completely outside of the control of the OS. "Unfortunately, all the Windows NT family (including Vista) still have the same security flaw — MBR [Master Boot Record] can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected... At the end of 2007 stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected."

261 comments

  1. Like it matters by ILuvRamen · · Score: 0, Troll

    They can fix the hell out of it and it would still be vulnerable. What if someone wrote a super small bootable virus, then the virus' initial form used Partition Magic-like functionality to write its own partition and stick the virus on it then tell the computer before restarting to boot from that one. Then the virus can do whatever it wants to the MBR or basically anything else on the drive cuz no files or anything would be open. I'm pretty sure Windows can't protect the MBR if it isn't running.

    --
    Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
    1. Re:Like it matters by Anonymous Coward · · Score: 3, Informative

      That'd require changes to the partition table, which is protected from NT's usermode IIRC.

    2. Re:Like it matters by Nimey · · Score: 5, Funny

      The slashot discussion system is a joke run by arrogant, biased, opinion nazis Tutorial:

      1) That's "Slashdot". -1 for capitalization, -5 for spelling.
      2) Nazi is capitalized.
      3) Your sig is an automatic Godwin. Might want to fix that.
      4) You didn't end your sentence with punctuation. This one calls for a period.
      5) Arrogant? You bet!
      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    3. Re:Like it matters by Opportunist · · Score: 5, Insightful

      Hen and egg. How does the virus get there in the first place? SOMEONE must first of all get it to execution. Malware doesn't suddenly jump in and exist. It has to be brought into the machine. A virus or trojan does jack when it just sits on your machine. It is a program. It has to be executed to do its "magic".

      There are exactly three ways to get this done. First, remote (RPC) exploits, which is easy to defeat with a router that does not allow any packets in to sensitive ports. Second, exploits in programs. This is harder to secure, since you can never know whether your mail client or your web browser (or one of its myriad plugins) has such a vulnerability. Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).

      And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Like it matters by MBCook · · Score: 5, Informative

      What if someone wrote a super small bootable virus,

      Yeah, like something that could fit in a 512 byte MBR...

      , then the virus' initial form used Partition Magic-like functionality to write its own partition

      Why bother?

      and stick the virus on it then tell the computer before restarting to boot from that one.

      That's what this does. It modifies the MBR to load the virus as a driver out of a pair of sectors.

      Then the virus can do whatever it wants to the MBR or basically anything else on the drive cuz no files or anything would be open.

      This already does whatever it wants. And the "files open" comment is nonsensical, the pre-boot environment has no concept of "open files", it's just a little 512 byte loader.

      I'm pretty sure Windows can't protect the MBR if it isn't running.

      There isn't much Windows (or any) OS can do when it isn't running.

      If you read the article (it contains scary things like x86 assembly, I know, but you can skip that) you'd see that they describe how this hooks into the load routines used by Windows. By intercepting these calls and redirecting them, it prevents you from overwriting the MBR or even detecting that it's changed (to a degree). To fix this you have to open a clean environment (like the recovery console off the Windows CD) and have it fix the MBR.

      Amazing how even with all we've got, things go back to the same kind of viruses that were written back in the days of DOS 2.

      I wonder if this would be so easily possible with EFI based booting. OS X uses it. Vista SP1 supports booting using EFI off disks not partitioned with the old DOS partition format.

      PS: Whoever modded the parent as informative either doesn't know what they're talking about, is drunk, or is in cahoots.

      PPS: Sorry. I've been looking for an excuse to use the word "cahoots" all day.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
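      MBCook's point above, that the rootkit replaces the boot code and leaves the partition table alone, tells a defender what is worth checking. The following Python is an added example, not code from the post or from the rootkit write-up it refers to: it builds a constructed 512-byte MBR, validates the 0x55AA boot signature, decodes the four partition entries, and compares the boot-code hash and the partition entries against a baseline taken from a known-clean copy. As the comment says, the sector has to be read from a clean environment (recovery media) because a running compromised system can hook the read path; reading the physical device is left to the caller.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445: bootstrap code
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries follow
SIGNATURE_OFFSET = 510          # last two bytes: 0x55 0xAA
MBR_SIGNATURE = b"\x55\xaa"
ENTRY_FORMAT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR for demonstration; this is not a real disk image."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code does not fit in 446 bytes")
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    # One active (0x80) NTFS-type (0x07) partition starting at LBA 2048 (constructed values).
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (16 * 3)
    return code + table + MBR_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and decode the four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFFSET:] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FORMAT, sector[offset:offset + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {
        # Hash only the bootstrap area: that is what a boot-code rootkit replaces.
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def audit_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector with a baseline parsed from a known-clean copy."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # constructed stand-in bytes
    baseline = parse_mbr(clean)
    print("clean:", audit_mbr(clean, baseline))
    # Simulate a boot-code replacement that leaves the partition table untouched.
    tampered = bytes([clean[0] ^ 0xFF]) + clean[1:]
    print("tampered:", audit_mbr(tampered, baseline))
```

      The baseline should be captured right after installation and stored off the machine; a boot-code change with an unchanged partition table is exactly the pattern the thread describes, and a legitimate bootloader reinstall is the main benign cause to rule out.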
    5. Re:Like it matters by Vaticus · · Score: 1

      How on earth does Ramen relate to MBR and Windows variants?

      --
      John 3:16. Know it.
      Drink Yourself Healthy: MonaVie
    6. Re:Like it matters by wizardforce · · Score: 1

      well if it's going to attack like that it would need higher privileges- that is it needs to exploit another flaw to exploit this one. That being said, it appears that pretty much any OS that has that particular method used [separate partition + virus] would be affected. No doubt delivered in the same way it has always been, users downloading a new program. you can patch the OS all you want, you still can't patch the user.

      --
      Sigs are too short to say anything truly profound so read the above post instead.
    7. Re:Like it matters by Nimey · · Score: 4, Funny

      I see that you are not an adherent of the True Church of the Flying Spaghetti Monster. The FSM has *everything* to do with Windows; we don't call it spaghetti code for nothing!

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    8. Re:Like it matters by Lumpy · · Score: 2, Informative

      Almost all BIOSes released in the past 5 years had MBR protection. Install your OS, turn on MBR protection and let the virus try.

      I hated it at first, Linux installs failing because LILO couldn't write to the MBR until you turned it off.

      --
      Do not look at laser with remaining good eye.
    9. Re:Like it matters by cgenman · · Score: 4, Funny

      If these so-called invisible rootkits are so effective, why aren't we seeing them everywhere? Huh?

      http://www.nuklearpower.com/daily.php?date=080103

    10. Re:Like it matters by m50d · · Score: 2, Insightful
      I wonder if this would be so easily possible with EFI based booting. OS X uses it. Vista SP1 supports booting using EFI off disks not partitioned with the old DOS partition format.

      I can't imagine that would make any difference. The computer needs to boot somehow, there are legitimate reasons for modifying the boot code (such as installing a new OS, or fixing flaws in it) so you can't just block it wholesale, and any program that runs at the boot stage will necessarily have complete control of your computer. About the best you can do is require the user to confirm before overwriting the MBR - something I thought windows already did (and if it doesn't, there's really no excuse for it not to) - but that's far from foolproof.

      --
      I am trolling
    11. Re:Like it matters by neo8750 · · Score: 1
      I don't know about you but my motherboard gives me a warning any time a program tries to mess with the MBR. Sure it could be worked around but it's one extra step they have to work around.

      Please correct me if this isn't a good way to prevent this.

    12. Re:Like it matters by Leto-II · · Score: 1

      How on earth does Ramen relate to MBR and Windows variants? While I do wish it had something to do with his holiness the Flying Spaghetti Monster, in this case I believe it has to do with the original poster's name: ILuvRamen.
      --
      Do not anger the worm.
    13. Re:Like it matters by EmperorKagato · · Score: 0

      If you knew you were right you wouldn't post as Anonymous Coward.

      --
      ----- You know you have ego issues when you register a domain in your name.
    14. Re:Like it matters by Anonymous Coward · · Score: 0

      Also, "opinion Nazis" is a noun and should probably be spelled "opinion-Nazis" (or Opinion Nazis? Opinion-Nazis?)... and therefore, the use of commas is incorrect.

      The Slashdot discussion system is a joke run by arrogant and biased opinion-Nazis.

    15. Re:Like it matters by Anonymous Coward · · Score: 1, Funny

      If these so-called invisible rootkits are so effective, why aren't we seeing them everywhere? Huh?

      You keep using that word. I do not think it means what you think it means.

    16. Re:Like it matters by Dramacrat · · Score: 0

      Raymond? I hate that guy!

      --
      There are over 36 million lines of COBOL code in the world, and they are all raping children.
    17. Re:Like it matters by Anonymous Coward · · Score: 0

      I'm too lazy to create an account, you insensitive clod!

    18. Re:Like it matters by Mistshadow2k4 · · Score: 0

      Because they're invisible?

      --
      I dream of a better world... one in which chickens can cross roads without their motives being questioned.
    19. Re:Like it matters by Anonymous Coward · · Score: 0

      Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).

      What? Have you ever seen the Witty Worm? You know, that worm that proves just because you try to have security through obscurity you can still be vulnerable if you don't keep up to date? Best practices keep systems secure, not some "ultimate solution."

    20. Re:Like it matters by Anonymous Coward · · Score: 1, Funny

      And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.

      I knew it all along.... CURSE YOU KEYBOARD!!! *punches keyboard* h fdsjkl hs
    21. Re:Like it matters by Entropius · · Score: 3, Informative

      Two-word noun phrases are only hyphenated when used in adjective form. For instance:

      Gamma rays are a type of ionizing radiation.

      but

      The gamma-ray burst released 4.3 blargajoules of energy.

    22. Re:Like it matters by Anonymous Coward · · Score: 0

      Yeah, because painful truth always gets modded up because it's true, and never modded down because it's painful. Dumbass.

    23. Re:Like it matters by david_thornley · · Score: 1

      Second, exploits in programs. This is harder to secure, since you can never know whether your mail client or your web browser (or one of its myriad plugins) has such a vulnerability.

      This is much less important in real operating systems, which don't allow mail clients or web browsers to muck up boot sectors and the like. Unfortunately, a whole lot of people are using toy operating systems by this criterion.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    24. Re:Like it matters by jhol13 · · Score: 1

      You, sir, are truly a Windows man: "Any attempt to separate users and administrators is a bad thing".

    25. Re:Like it matters by Anonymous Coward · · Score: 2, Insightful

      You get moderated down because you open your fool mouth without thinking. Remember the molten salt solar plant post? You basically repeatedly opened your gob to say, "I have no idea how all this works, but I'm much smarter than the guys who get paid megabux to design this stuff so <idiocy/>, <idiocy/>, <idiocy/>."

    26. Re:Like it matters by banished · · Score: 1
      Amazing how even with all we've got, things go back to the same kind of viruses that were written back in the days of DOS 2.

      Indeed, the common cold has been around slightly longer, and we still haven't figured out how to prevent that, either.

    27. Re:Like it matters by Anonymous Coward · · Score: 0

      Nuke sick people from orbit. It is the only way to be sure.

    28. Re:Like it matters by Anonymous Coward · · Score: 0, Offtopic

      the slashdot discussion system is such a load of bullshit, I don't really care what people think. I've been up and down between -1 and +2 about 3 times now.
      that's because you're a retard. you don't actually think about what you are saying. just look at the comments you've made lately:

      yeah, especially when they figure out that it always takes more energy to build a complex mollecule than to burn it. Seriously, some scientists are just dumb. Plants use nutrients to build complex mollecules from CO2

      if they ever want to improve their crappy economy, they should all just learn english. In case you haven't noticed, every country that does international business has like 50% of the people know fluent english. Plus who the heck else in the world uses cyrillic?
      see? TEH STUPID YOU ARE? it's simple: learn to spell, think about what you post [stupidity lives online forever you know] and quit whining about how abused you are because you post idiotic comments and get modded into the ground for it, I mean really, quit being such a whiny bitch.
    29. Re:Like it matters by Anonymous Coward · · Score: 0

      So, is it "Fuck-off, you git" or "Fuck off, you git"?

    30. Re:Like it matters by Anonymous Coward · · Score: 0

      I work for them, and that worm has been thought to have been written by a previous employee due to the high level of product knowledge demonstrated in the worm's code - so it was most likely for malicious intent towards the company.

      And your example doesn't have any bearing on if using products with no market share is safer or not, unless you're trying to suggest we don't have any market share or something stupid.

    31. Re:Like it matters by The+Analog+Kid · · Score: 1

      If these so-called invisible rootkits are so effective, why aren't we seeing them everywhere? Huh?

      You forgot to select the tachyon detection grid option in your virus scanner. Duh.

    32. Re:Like it matters by Anonymous Coward · · Score: 5, Funny

      The latter, because "Fuck off" is an imperative verb form and has nothing to do with adjectives.

    33. Re:Like it matters by alshithead · · Score: 0

      Dude, your attitude may very well be a significant reason for being modded into oblivion.

      "the slashdot discussion system is such a load of bullshit, I don't really care what people think. I've been up and down between -1 and +2 about 3 times now"

      -good, learn, leave, or at least keep quiet...if you don't care what people think then why do you care about how you are modded?

      "Maybe I don't get how this works but I like to actually post what I think about the story instead of some fluffy, karma magnet bullshit."

      -right, you don't get how this works. No one cares what you think if you can't post your opinion intelligently or at least in a form that also asks a question (as in seeking enlightenment or other opinions).

      "If some Linux assholes wanna mod me down cuz I merely said I don't use Linux then they should be banned as far as I'm concerned."

      -way to go dude, this is Slashdot so calling folks who use Linux assholes is not a good way to win friends. While we're at it, most Linux users won't mod you down just because you don't use Linux. They may pity you or consider you an IT novice, but they won't mod you down just for not using Linux. If you think Slashdot users should be banned for any reason then you obviously don't get Slashdot. That's why we have a moderation system. Go back to Yahoo or AOL maybe?

      "But I did change my sig for you. That's how it is and you know it cuz I keep it real"

      -No one gives a crap about your sig although you might get bonus points if your sig is creative enough. A lot of Slashdot folks may consider you irrelevant just for saying, "cuz I keep it real".

      As a final note...try reading the FAQ. While you're at it, please reread your post and see if you really even deserved my tongue in cheek reply much less whether if it was even worth anyone else's time to read. Get a grip and think before you post.

      alshithead

      --
      I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
    34. Re:Like it matters by infonography · · Score: 1

      Almost all BIOSes released in the past 5 years had MBR protection. Install your OS, turn on MBR protection and let the virus try.

      SNIP consider the average user^H^H^H^H^H^H^H^H^H Windows user has to rely on AOL for their anti-virus.

      [I am shaking my head while my hands are vigorously rubbing my brow in shock, sadness, and disbelief. Later I will pull out some hair. ]
      --
      Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
    35. Re:Like it matters by burnin1965 · · Score: 3, Insightful

      since you can never know whether your mail client or your web browser
      word processor, spreadsheet, presentation software, desktop database software, etc, etc. Since the whole idea of using a computer is to run code there are a myriad of exploit possibilities in just about any application that has scripting capabilities or simply a bug in the code which can be used to execute code. This is the reason applications should not be running with permissions that allow operations like writing to the MBR when there is no reason to.

      Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).
      Like Windows ME? While it has virtually no market share I'd hardly recommend it for use in any application. Actually your best bet is to use something that has a good secure design which tries to reduce the potential for exploits. My personal choice is linux and while it does not have the desktop market share of Windows NT variants it does have a massive server/router/appliance install base and it is continually under attack, however, over the years of using linux for my desktop solutions I've yet to have any issues related to exploits.

      And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.
      Can you provide a link to the statistics showing "the most used and most successful way of infecting a machine" is by users executing the code themselves? Visiting a web page with a browser you are executing or reading e-mail with a mail reader you executed either of which may have an exploit via a code bug or scripting is not the same thing as a user executing the code themselves. I assume you're suggesting that the users are actually clicking on the executable and intentionally running the code which infects their system, which does happen but I'd like to see the study before I believe that is the #1 successful attack vector.
    36. Re:Like it matters by cbreaker · · Score: 4, Funny

      Yes, it's the super complicated SlashDot moderation system designed specifically to baffle the weak minded. Although some chimps have been known to figure it out, it apparently still has some effectiveness.

      --
      - It's not the Macs I hate. It's Digg users. -
    37. Re:Like it matters by module0000 · · Score: 0

      Fixed tutorial:

      1) Attack stupid poster
      2) Praise grammar Nazi
      3) ???????????????????
      4) PROFIT!!!11!

      --
      Trackball users will be first against the wall.
    38. Re:Like it matters by Vaticus · · Score: 1

      In true /. form, I had not read the Poster's Name, just what they had typed. Thanks Leto-II.

      --
      John 3:16. Know it.
      Drink Yourself Healthy: MonaVie
    39. Re:Like it matters by Fizzl · · Score: 0, Offtopic

      Repeat after me, Slashdot is not a game! Slashdot is not a game.
      Stop thinking about the fucking moderation, take your head out of your arse and try to post coherent, intelligent and interesting posts with some non-trivial content. Alternatively, shut the fuck up.

      Now. Does it make my post more relevant if I post with karma bonus?

    40. Re:Like it matters by Anonymous Coward · · Score: 0

      I've gotten unrated posts modded "overrated"
      You don't understand that a post given an over-rated mod has less of a right to exist?
    41. Re:Like it matters by inode_buddha · · Score: 1
      "Amazing how even with all we've got, things go back to the same kind of viruses that were written back in the days of DOS 2."

      Most likely because the way PCs work at a low level hasn't changed all that much. The BIOS is going to load whatever it finds in the first 512 bytes of disk into RAM. And the MBR doesn't necessarily have to be there; it is relocatable.

      --
      C|N>K
    42. Re:Like it matters by Tmack · · Score: 2, Informative

      I can't imagine that would make any difference. The computer needs to boot somehow, there are legitimate reasons for modifying the boot code (such as installing a new OS, or fixing flaws in it) so you can't just block it wholesale, and any program that runs at the boot stage will necessarily have complete control of your computer. About the best you can do is require the user to confirm before overwriting the MBR - something I thought windows already did (and if it doesn't, there's really no excuse for it not to) - but that's far from foolproof.

      I think most modern BIOSes have MBR/boot sector virus protection options. Basically you set the option in the BIOS and it either prevents MBR access (through the on-chip IDE controller, dunno about off-board cards or scsi devices) or interrupts the system and displays an alert screen (similar to an overheat warning some do). To use it, you turn it off, install your OS with boot loader of choice, then go turn it on. Anything trying to write MBR data gets rejected or notifies you in pretty ASCII colors on screen with beeps. I know it's prevented me from installing lilo a couple times.

      Tm

      --
      Support TBI Research: http://www.raisinhope.org
    43. Re:Like it matters by Anne+Honime · · Score: 1

      What if someone wrote a super small bootable virus, then the virus' initial form used Partition Magic-like functionality to write its own partition and stick the virus on it then tell the computer before restarting to boot from that one. Then the virus can do whatever it wants to the MBR or basically anything else on the drive cuz no files or anything would be open.

      No need to create a new partition. On a traditional disk, the first cylinder is reserved for the MBR, but the MBR lives on a single sector. The cylinder on today's drives is much bigger, well enough for a nasty bug. That's how lilo works, by the way, and such a virus would nuke it on the spot.

    44. Re:Like it matters by toadlife · · Score: 1

      "Can you provide a link to the statistics showing "the most used and most successful way of infecting a machine" is by users executing the code themselves?" Go to any one of the Anti Virus websites where they list a "top xxx" threats list, and look at the infection methods. You'll find that a large majority of them are spread via social engineering.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    45. Re:Like it matters by Anonymous Coward · · Score: 0

      The hyphenated form would be used in a sentence like this:

      "Give me all your money or I shall throw a fuck-off big rock at you."

    46. Re:Like it matters by killmofasta · · Score: 2, Informative

      In all the years of virus hunting and gathering,
      I only got a boot sector virus once. Now, I just fdisk /MBR in the startup sequence.
      I may have had any number of boot sector viruses. I don't know. They all disappear
      before I have a chance to detect them.

      Windows cannot protect the MBR if windows is running or not AND THEY SHOULDN'T.
      It's really up to the hardware vendors.

      Put it into BIOS or have a jumper on the drive.
      ( Simple effortless fix, vs MAJOR CLUSTER F*** )
      ( I used to turn it off, and then fdisk /MBR then turn it back on in the bios. )
      I always thought it was a nice feature. Where the hell did it go?

    47. Re:Like it matters by Anonymous Coward · · Score: 0

      Since when? Pass the fucking salt please...

    48. Re:Like it matters by digitig · · Score: 2, Informative

      Two-word noun phrases are only hyphenated when used in adjective form.

      I don't know about US usage, but in British usage there's no such rule, according to both Partridge's "Usage and Abusage" and Fowler's "Modern English Usage" (arguably two of the three most influential prescriptive grammars of the 20th century, the third being Fowler's "The King's English", which I don't have to hand).

      As Partridge points out, "In the life of a compound word there are three stages: (1) two separate words (cat bird); (2) a hyphenated compound (cat-bird); (3) a single word (catbird)."

      Apart from a few cases where the form is forced by a risk of ambiguity, whether a compound is hyphenated is determined by how far along that progression the compound has gone, and there is no rule to determine it. For example, in the same article Partridge uses "Dog-show" as a compound noun, thus hyphenated. And as an example of where a hyphen is forced, Partridge compares "The author's tense-sequence is defective in this passage" (see the hyphenated noun phrase used as a noun there?) with "A tense sequence of events succeeded a dull sequence". Clearly two-word noun phrases are not only hyphenated when used in adjective form.

      So you're right that "grammar Nazi" does not have to be hyphenated, but for the wrong reason.

      --
      Quidnam Latine loqui modo coepi?
    49. Re:Like it matters by ajs318 · · Score: 1

      Second, exploits in programs. This is harder to secure, since you can never know whether your mail client or your web browser (or one of its myriad plugins) has such a vulnerability.
      By reading and understanding the Source Code, you can get a reasonably good idea about what your mail client or your web browser (or one of its myriad plugins) might be doing. Statistically, any given vulnerability is more likely to be discovered this way by a Good Guy than by a Bad Guy (since the former are more numerous than the latter).

      Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).
      But the lower the market share, the fewer the number of Good Guys reading the Source Code. I'd certainly rather use something such as Firefox (which is getting much attention) and remember to stay on top of updates, than use something obscure.
      --
      Je fume. Tu fumes. Nous fûmes!
    50. Re:Like it matters by Fred_A · · Score: 1

      The slashot discussion system is a joke run by arrogant, biased, opinion nazis Tutorial:

      1) That's "Slashdot". -1 for capitalization, -5 for spelling.
      2) Nazi is capitalized. Also shouldn't it be Nazi's ? You know, just so we'd have something to bitch about on slow days ?
      --

      May contain traces of nut.
      Made from the freshest electrons.
    51. Re:Like it matters by Fred_A · · Score: 2, Funny

      Hen and egg. How does the virus get there in the first place? SOMEONE must first of all get it to execution. Malware doesn't suddenly jump in and exist.

      Really ?
      That's not what my users have been telling me...

      Those sneaky weasels !

      --

      May contain traces of nut.
      Made from the freshest electrons.
    52. Re:Like it matters by sqlrob · · Score: 1

      There are more good guys, but are there more *qualified* good guys?

      How long was the zlib double free present? How long was the hardcoded password in Firebird?

    53. Re:Like it matters by Fred_A · · Score: 1

      In all the years of virus hunting and gathering,
      I only got a boot sector virus once. Now, I just fdisk /MBR in the startup sequence.

      Good idea, I'll do that as well !

      while true ; do grub-install /dev/sda ; sleep 60 ; done
      </foaming_at_the_mouth>
      --

      May contain traces of nut.
      Made from the freshest electrons.
    54. Re:Like it matters by Fred_A · · Score: 1

      In all the years of virus hunting and gathering,
      I only got a boot sector virus once. Now, I just fdisk /MBR in the startup sequence.
      I may have had any number of boot sector viruses. I don't know. They all disappear
      before I have a chance to detect them.

      As an aside here's the problem with that scheme :

      1. Machine boots
      2. MBR loads Windows
      3. Windows overwrites MBR
      4. Windows gets infected somehow
      5. Presumably Virus checks for prior infection
      6. Virus overwrites MBR
      7. stuff happens (?)
      8. machine shuts down

      *time goes by*
      Then :
      1. Machine boots
      2. MBR loads Windows *and* virus
      3. Windows overwrites MBR
      4. Presumably Virus checks for prior infection
      5. Virus overwrites MBR (sounds familiar?)
      6. stuff happens (?)
      7. machine shuts down

      Windows cannot protect the MBR if windows is running or not AND THEY SHOULDN'T.
      It's really up to the hardware vendors.

      Put it into BIOS or have a jumper on the drive.
      ( Simple effortless fix, vs MAJOR CLUSTER F*** )
      ( I used to turn it off, and then fdisk /MBR then turn it back on in the bios. )
      I always thought it was a nice feature. Where the hell did it go?

      If infection of the MBR by a virus is a concern, hardware protection (as in having the controller forbid access) is indeed the only real solution in the current Windows context.
      --

      May contain traces of nut.
      Made from the freshest electrons.
    55. Re:Like it matters by Smidge204 · · Score: 1

      Since the average Windows user is probably buying a brand name PC, there is no excuse for not enabling the BIOS MBR protection at the factory. Those who are smart enough to install their own OS are *probably* smart enough to notice the warning and turn it off themselves.

      =Smidge=

    56. Re:Like it matters by Anonymous Coward · · Score: 1, Funny

      Oooooh, XML compliant snarkism. Nice.

    57. Re:Like it matters by Anonymous Coward · · Score: 0

      CURSE YOU KEYBOARD!!! *punches keyboard* h fdsjkl hs

      That's some funny shit right there.
    58. Re:Like it matters by Nimey · · Score: 1

      Aw hell, I can't resist:

      Tutorial:
      1) BiCapitalization is bad, mmmkay, especially when the word in question isn't officially so. ....
      2) I got nothin'.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    59. Re:Like it matters by weicco · · Score: 1

      This is much less important in real operating systems, which don't allow mail clients or web browsers to muck up boot sectors and the like.

      My mail client and web browser are run on the lowest privilege level there is. No MBR mucking. No system file mucking. I run Vista and IE7 with non-admin rights. This security hole doesn't concern me or any other Vista user who is not stupid enough to turn off UAC.

      --
      You don't know what you don't know.
    60. Re:Like it matters by Keeper+Of+Keys · · Score: 1

      It's a long time since I studied high school grammar, but I'm pretty sure multiple adjectives which qualify the same noun should be separated by commas:

      "Give me all your money or I shall throw a fuck-off, big rock at you."

      However, there is something fishy about the word order here; so ultimately I'd go for:

      "Give me all your money or I shall throw a big, fuck-off rock at you."

    61. Re:Like it matters by swillden · · Score: 2, Informative

      I wonder if this would be so easily possible with EFI-based booting. OS X uses it. Vista SP1 supports booting using EFI off disks not partitioned with the old DOS partition format.

      Whether EFI or BIOS, this is a (small) part of what TCPA is intended to defeat. The idea is that the EFI or BIOS hands a copy of the boot sector to the TPM before loading it, and the TPM hashes it into a state register. The boot sector code sends a copy of the boot loader code to the TPM for hashing before it loads, then the boot loader sends a copy of the OS kernel to the TPM before it loads, and so on.

      Any piece of code along the way, or even user-level code after boot, can check the state register to decide if the boot code integrity is intact. Also, decryption keys can be bound to register states, so you can ensure that if malicious code does somehow get into the boot process, it cannot access data encrypted with those keys.

      I fiddled for a while with a TPM-enabled GRUB to allow whole disk encryption keys (dm-crypt) to be bound to the boot state. It's a nice setup in that you have whole-disk encryption without having to enter a boot passphrase or attach a USB key or anything, and it ensures that any malicious modification of loader or kernel disables access to the data on the drive. Unfortunately, it also loses access to the drive data when any non-malicious modification occurs. It's not terribly difficult to address that issue, but it really needs to be integrated into the package management system and thought through very carefully to ensure that no sort of failure during upgrade can leave your system inaccessible -- and yet the process must also not allow malicious code to do the same sort of "upgrades".

      Of course, this is somewhat less of an issue on *nix, because write access to the MBR requires root privs.

      One other thought about this situation: Although I'm generally a fan of TCPA for all of the good things it can be used for, I'm also leery of the evil that Microsoft can do with it. My paranoid side wonders if MS doesn't have a hand in this MBR virus -- and more to come -- as justification for pushing universal TPM deployment. TPMs are useful in machines that have high security requirements, but in consumer machines there's little value and lots of risk.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
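A toy model of the measured-boot chain and key sealing that swillden describes, added here as an example and not code from the post or from any real TPM stack; the stage contents, the storage root key and the seal/unseal construction are all constructed stand-ins.

```python
"""Toy model of the TCPA/TPM measured-boot chain: each stage hashes the next
one into a state register (PCR extend) before jumping to it, and a disk key
is sealed to the expected register value. Constructed example, no real TPM."""
import hashlib
import hmac

PCR_SIZE = 32  # a SHA-256 sized state register


def extend(pcr: bytes, stage: bytes) -> bytes:
    """TPM extend: new PCR = H(old PCR || H(stage)). One-way and order sensitive,
    so a register value is only reproduced by the same stages in the same order."""
    return hashlib.sha256(pcr + hashlib.sha256(stage).digest()).digest()


def measure_chain(stages) -> bytes:
    """BIOS/EFI measures the boot sector, the boot sector measures the loader,
    the loader measures the kernel; the register starts at zero at power-on."""
    pcr = bytes(PCR_SIZE)
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr


class ToyTPM:
    """Holds a storage root key that never leaves the chip and releases a
    sealed key only when the current PCR equals the value it was sealed to."""

    def __init__(self, storage_root_key: bytes):
        self._srk = storage_root_key  # constructed; a real TPM generates its own

    def _keystream(self, pcr: bytes, n: int) -> bytes:
        return hmac.new(self._srk, b"wrap" + pcr, hashlib.sha256).digest()[:n]

    def _tag(self, pcr: bytes, key: bytes) -> bytes:
        return hmac.new(self._srk, b"tag" + pcr + key, hashlib.sha256).digest()

    def seal(self, key: bytes, pcr_expected: bytes) -> tuple:
        """Wrap the key under the expected PCR; the tag lets unseal detect a mismatch."""
        if len(key) > PCR_SIZE:
            raise ValueError("toy TPM seals at most 32 bytes")
        wrapped = bytes(a ^ b for a, b in zip(key, self._keystream(pcr_expected, len(key))))
        return wrapped, self._tag(pcr_expected, key)

    def unseal(self, blob: tuple, pcr_current: bytes):
        """Returns the key if the PCR matches the sealing state, else None."""
        wrapped, tag = blob
        key = bytes(a ^ b for a, b in zip(wrapped, self._keystream(pcr_current, len(wrapped))))
        if not hmac.compare_digest(tag, self._tag(pcr_current, key)):
            return None  # wrong boot state: the TPM keeps the key locked
        return key


# Constructed stand-ins for the real 512-byte boot sector, GRUB and kernel image
GOOD_MBR = b"boot-sector-v1 (constructed)"
GOOD_LOADER = b"grub-stage-v1 (constructed)"
GOOD_KERNEL = b"kernel-v1 (constructed)"
DISK_KEY = bytes(range(32))  # constructed dm-crypt master key


def provision():
    """Seal the disk key to the PCR value a clean boot will produce."""
    tpm = ToyTPM(b"constructed storage root key")
    pcr_good = measure_chain([GOOD_MBR, GOOD_LOADER, GOOD_KERNEL])
    return tpm, tpm.seal(DISK_KEY, pcr_good)


def boot_and_unseal(tpm: ToyTPM, blob: tuple, stages):
    """What the loader does at boot: measure the chain, then ask the TPM for the key."""
    return tpm.unseal(blob, measure_chain(stages))


def reseal_for_upgrade(tpm: ToyTPM, blob: tuple, current_stages, new_stages):
    """The step a benign upgrade needs: while the still-trusted system is running,
    unseal with the current PCR and seal again to the PCR the new stages will
    produce. This path is exactly what must be guarded so that malicious code
    cannot perform the same 'upgrade'; this toy does not implement that guard."""
    key = tpm.unseal(blob, measure_chain(current_stages))
    if key is None:
        return None  # not in a trusted state, nothing to reseal
    return tpm.seal(key, measure_chain(new_stages))


if __name__ == "__main__":
    tpm, blob = provision()
    print("clean boot unseals:", boot_and_unseal(tpm, blob, [GOOD_MBR, GOOD_LOADER, GOOD_KERNEL]) == DISK_KEY)
    print("modified boot sector:", boot_and_unseal(tpm, blob, [b"modified", GOOD_LOADER, GOOD_KERNEL]))
```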
    62. Re:Like it matters by peragrin · · Score: 1

      Real Operating systems have been doing that for 20 years, yet MSFT only just introduced it a year ago.

      Windows: MSFT reinventing Unix poorly. When MSFT implements something similar to X I will not be able to stop laughing. They already have come up with a real command shell (PowerShell).

      --
      i thought once I was found, but it was only a dream.
    63. Re:Like it matters by cgenman · · Score: 1

      And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.

      I hate this blame-the-user viewpoint. Executing code is what computers are there to do. We bemoan the abysmal program monoculture of I.E. and Outlook Express, yet we blame unknowing users who try programs they find online. Furthermore, the distinction between a .SWF file and an .EXE file may seem massive to you and me, but it's pretty academic to the average user for whom their computer is just a tool for getting stuff done.

      A computer is a system to run code, whose utility lies in its ability to run a broad range of unexpected applications. What we need is not a culture that discourages experimentation and blames the user, but an OS with a clean separation between system and applications, protected memory, and protected disks outside of an application and user's home spaces. As the line between the desktop and the internet starts to fade, we need at an OS level some of the protections originally intended for untrusted space.

    64. Re:Like it matters by Vandil+X · · Score: 1

      And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.

      Indeed. When I worked in IT support for 12 years, I cleaned up my fair share of user-executed virus/trojan attachments with such fun names as (paraphrasing, it's been a while) SnowWhiteNakedPics.exe, YourSecretAdmirer.exe, and my favorite, FilthyWhores.exe.

      The best was that these were often run by people with high-level or otherwise revered/critical positions within the companies I provided support for...
      --
      Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
    65. Re:Like it matters by DarthStrydre · · Score: 1

      Like everything XML - While it may be compliant it is never the right tool for the job. Correcting this..:

      "I have no idea how all this works, but I'm much smarter than the guys who get paid megabux to design this stuff so foo."

    66. Re:Like it matters by Reziac · · Score: 1

      I first saw BIOS-based MBR protection in BIOS code dated 1992 (on a 486 motherboard). It was common enough back then, but fell out of favour during the early Win32 era, probably because it would scream and halt the system when Win9x went to rewrite the MBR (which it does occasionally for no reason that I know of).

      I've noticed it's made a comeback in the past few years, and this is a good thing -- it may drive some users crazy, but it's good to HAVE it there if you want to use it.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    67. Re:Like it matters by snoyberg · · Score: 1

      Since when? Pass the fucking salt please...

      I'm afraid to ask, but how do you use salt in that manner?

      --
      Thank God for evolution.
    68. Re:Like it matters by Reziac · · Score: 1

      FDISK /MBR is all fine and good if your virus merely resides in the MBR sector, and didn't alter the MBR code itself, and if your virus didn't encrypt the drive (which some did, back in the day). If it did, bye-bye data.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    69. Re:Like it matters by burnin1965 · · Score: 1

      Go to any one of the Anti Virus websites where they list a "top xxx" threats list, and look at the infection methods.
      Okay, so I went to norton.com and looked at their latest list, threats list, and risks, and vulnerabilities. And to be honest its still not very clear. I suspect you are correct that most of the infections take place by tricking a user into running an application which is either malware itself or installs a virus. The problem is that there list doesn't really specify how the virii/trojans are installed. There seems to be a 50/50 split between actual malware applications and virii/trojans and there were multiple vulnerabilities last year which could have been used as attack vectors to install virii/trojans versus getting a user to actually run a malware application.

      On McAfee's site its pretty much the same, there is no definite means of determining the method of attack for virii/trojans and they are viewed as a seperate threat type. Of course they list the same vulnerabilities which could have been used as an attack vector along with some new ones just released today.

      I agree that the user is probably the most likely attack vector but then a vulnerability has the potential for a much bigger impact because even the users who are not easy to trick into running an application become prey. So while it seems probably I still wouldn't feel comfortable jumping to conclusions as its just to easy to say "its the dumb users".
    70. Re:Like it matters by danbert8 · · Score: 1

      I don't know, but it sure sounds painful...

      --
      Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
    71. Re:Like it matters by Anonymous Coward · · Score: 0

      Thank you, for some reason there is a rampant weird myth here on Slashdot that installing Windows is incredibly easy and the typical user does it all the time.

      If a Dell or HP comes without the MBR protection turned on then infection from an MBR virus is the fault of that PC maker.

    72. Re:Like it matters by cbreaker · · Score: 1

      That's a new low, my friend. I generally don't mind the grammar Nazi thing, but this is really sad.

      So, just to stoop to your level:

      1) "Aw" isn't a word. "Aww" isn't either, but at least it's more accepted.
      2) Neither is "mmmkay."
      3) Feel free to use a single period at the end of a sentence.
      4) "I got nothin'" should read "I have nothing."

      --
      - It's not the Macs I hate. It's Digg users. -
    73. Re:Like it matters by toadlife · · Score: 1

      I didn't mean to say that exploits aren't used very much. I just think that the user is, has always, and will continue to be the number one avenue of infection.

      I think a lot of malware today is spread via any method possible, which is why infection methods are not listed by AV companies. There is too much money involved for the scumbags that spread this crap to leave any door unopened. Today I see all kinds of non-Microsoft Windows programs like Flash, Java, RealPlayer, QuickTime, Firefox and all of the various IM clients being exploited, as opposed to several years ago when the majority of vulnerabilities targeted were of Outlook Express and IE.

      Anytime I start to doubt the sheer determination many people have to infect themselves, I remember a couple of years back when email worms first started to become "popular". Email servers all came to the rescue and started implementing virus scanning on the email servers. To avoid detection, malware cretins placed their payload inside of zip files and the worms continued to spread. Email server admins then acted by scanning inside the zip files, and malware cretins promptly responded by encrypting the zip files and placing the password to the zip file in the body of the email...and the worms continued to spread!

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    74. Re:Like it matters by Opportunist · · Score: 1

      Nope. Sorry, nope. There may be more people with good intentions than people with bad intentions, but the answer is, as usual: money.

      Exploits, especially unknown 0days, are valuable. 4 to 5 digits is not impossible, depending on the impact, an exploit that can infect every machine running Windows, fully patched, without any action necessary by the user (i.e. a new remote exploit) can easily get you more money than you make in a year. Or 10 years, if you happen to be in, say, Uzbekistan.

      Now, being "good" and reporting it gets you zip. Nada. Well, maybe a lawsuit from MS.

      Question for 500: Do you think more "good" guys are hunting for exploits or more "bad" guys?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    75. Re:Like it matters by Opportunist · · Score: 1

      An indicator is "spreading method". If it says email, you can rest assured it relies on social engineering.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    76. Re:Like it matters by MrResistor · · Score: 1

      "Fuck-off" modifies "big", not "rock", so I think the original is correct.

      "Give me all your money or I shall throw a really, big rock at you."

      "Give me all your money or I shall throw a big, really rock at you."

      Both of these are clearly wrong.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    77. Re:Like it matters by Keeper+Of+Keys · · Score: 1

      Might be a cultural difference, but here in the UK "fuck-off" used in this way means something like "really big", "devastatingly impressive", "winning"; as in: "That new Radiohead album comes in a fuck-off gatefold sleeve". It is an adjective not an adverb.

    78. Re:Like it matters by MrResistor · · Score: 1

      I never suggested it was an adverb. In the original version of the sentence it is an adjective modifying another adjective (How big is the rock? Fuck-off big.), which is perfectly acceptable according to my understanding of English grammar.

      --
      Under capitalism man exploits man. Under communism it's the other way around.
    79. Re:Like it matters by Keeper+Of+Keys · · Score: 1

      It seems to me not so much a question of grammar, as of idiom. Where I hang out I tend to hear people say things like: "He threw a fuck-off rock at me"; haven't heard it used to qualify other adjectives - "fuck-off big" has a certain redundancy. But if it is used that way, the sentence I was originally complaining about is perfectly OK and I retract.

    80. Re:Like it matters by killmofasta · · Score: 1

      I wanted to say that ONLY my current gaming RIG, an Abit motherboard, does NOT have this feature. The Shuttle SB51 motherboard HAS this feature, and it works well. I put an infected Win98 HD in it and it was lighting up like a Christmas tree. DENY DENY DENY.

      It's no longer an issue, and I am ditching my Abit board.

      A hardware solution is the only real solution, as Windows cannot tell its *SS from a hole in the ground. The scheduler blows CHUNKS. I am working on a scheduler handler, along the lines of Alan Cox's suggestions for the changes made to the early SGI Linux implementations. ( I have the Kernel book, and it's a tough read, even after taking the OS design class...)

      Thanks

    81. Re:Like it matters by killmofasta · · Score: 1

      Virus encryption is so incredibly rare...
      Those were the ones that held your data hostage...
      Well, if you didn't do backups...
      Virus encryption = HD crash. Same effect, same result.

      Since the MBR code is in FDISK... It's write protected, and executable compressed. ( kinda old stuff, but hey... they are extremely unlikely to figure that one out. Much better targets for storm bots....but I did get one from an old rescued HD... ::)) It was kinda cute to fight it off, and see who won. ( I did eventually, thank you HiREM.. )

  2. VISTA by Anonymous Coward · · Score: 0

    I have a hard time taking seriously someone who can't bother with proper capitalization.

    1. Re:VISTA by Anonymous Coward · · Score: 0

      seriously take the stick out of your ass...

  3. Re:Why is Windows still using MBR? by Lost+Engineer · · Score: 2, Insightful

    Are you trolling?

    Macs use EFI and PC's use BIOS. That's why.

  4. Messed up by Anonymous Coward · · Score: 5, Funny

    Unfortunately, all the Windows NT family (including Vista) still have the same flaw -- incest. NT and ME were siblings who married to produce XP. It doesn't help any that NT's father, 95, produced NT via a union with his daughter, 98. XP then killed NT and had a child with ME. He later gouged his GUI out. The end result of all this is Vista. And you guys wonder why Vista has security issues? Poor guy must have complex on top of complex, not to mention more than a few birth defects.
    1. Re:Messed up by phrostie · · Score: 1

      ROTFL

      i so wish i had mod points

    2. Re:Messed up by jdjbuffalo · · Score: 1

      LMAO. You win the award for the funniest post I've read on Slashdot in a while.

      I only wish you had logged in. I never friend people with funny posts but I just might have for this one.

      --
      We have four boxes with which to defend our freedom: the soap box, the ballot box, the jury box, and the cartridge box.
    3. Re:Messed up by module0000 · · Score: 1

      Pfft. Pics or it didn't happen!

      I, for one, welcome our byte-code spooging overlords.

      --
      Trackball users will be first against the wall.
    4. Re:Messed up by o'reor · · Score: 3, Funny

      It doesn't help any that NT's father, 95, produced NT via a union with his daughter, 98.
      Gross. Well actually, NT (going back to 3.xx) was not the daughter of W95xW98, but rather the (already) bastard child of Win3.11 who raped his mother VMS during the First War of the OS (ugly, ugly -- you don't really want to know).

      Therefore NT3.5 is W95's stepsister -- given that W95 is the legitimate heir of Win3.11. It turned out then that W95, who was a real pervert due to its dominant 16-bit gene, chkdsked his stepsister NT3.51 (they don't use words like "fscked" in that family, they have their own lingo), who begat NT4.0. Then NT4.0 and his aunt W98 both got drunk one night, and soon they gave birth to Win2K. Somehow at that point in the family tree, the 16-bit gene got culled out. But the inbreeding continues...

      --
      In Soviet Russia, our new overlords are belong to all your base.
    5. Re:Messed up by Jugalator · · Score: 1

      Hey now, what Vista can do, it can do damn well!

      --
      Beware: In C++, your friends can see your privates!
    6. Re:Messed up by smchris · · Score: 2, Funny

      Actually, the Ur-mother of the 32-bit desktop was probably OS2. Virtually unknown today and only spoken of among a small cult who cherish the old ways. There are rumors Microsoft itself indulged in the rites of OS2 before a conversion experience.

    7. Re:Messed up by Neanderthal+Ninny · · Score: 1

      This sounds like one big bad soap opera and they all should see Dr. Phil. Watch out Britney Spears, here comes the Windows family.

    8. Re:Messed up by o'reor · · Score: 1

      Indeed. And OS2's HPFS and NT's NTFS native file systems share more than a few similarities.

      --
      In Soviet Russia, our new overlords are belong to all your base.
  5. How is it different from LILIO and Grub? by snikulin · · Score: 4, Interesting

    It's not a troll. I just want to know. If I put my code to MBR and LILO loader somewhere else and then start it, will it work? I guess so.

    1. Re:How is it different from LILIO and Grub? by MBCook · · Score: 5, Informative

      Yes. That's all LILO, GRUB, NTLDR, and such do. They call the BIOS functions to read partition tables and such, load code from a specific place, and execute it.

      You could easily install LILO on the last sector of a disk (or anywhere else, just a free sector you can protect from being used). Write a little tiny program that does nothing but read that sector into memory (having known the address ahead of time, finding that code is what makes GRUB and NTLDR slightly more complex than this), and execute it. LILO would then continue having no idea what happened before it.

      Amazing little things, boot loaders. Check out the Wikipedia article on Master Boot Records. They talk about NTLDR where until XP/2K (when it got support for non-English error messages), the code was just a scant 139 bytes.

      Read about some of them. LILO is simple (and kind of stupid) and fits in 512 bytes. GRUB is smarter, and works by loading more code that it finds using its first stage (which is under 512 bytes). It's a little tiny OS that only uses BIOS calls to load another OS. That's why you can edit entries, add new ones, etc. That couldn't fit in 512 bytes (and still be useful on most computers).

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
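The 512-byte sector MBCook describes (boot code, four partition entries, 0x55AA signature), parsed and sanity-checked the way a defender would compare it against a recorded known-good copy. This is an added example, not code from the post; the boot code bytes, partition layout and disk size are constructed.

```python
"""Parse a classic 512-byte MBR and check it against a known-good record.
Constructed example: the sample sector is built in code, not read from a disk."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446                       # bytes 0..445: bootstrap code the BIOS jumps to
PART_TABLE_OFF = 446                      # four 16-byte partition entries follow
PART_ENTRY = struct.Struct("<B3sB3sII")   # status, CHS start, type, CHS end, LBA start, LBA count
BOOT_SIGNATURE = b"\x55\xaa"              # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split one sector into its boot code and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for slot in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = PART_ENTRY.unpack_from(
            sector, PART_TABLE_OFF + 16 * slot)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": slot, "status": status, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": partitions}


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sector; partitions are (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code             # remainder of the code area stays zero
    for slot, (status, ptype, lba, count) in enumerate(partitions[:4]):
        PART_ENTRY.pack_into(sector, PART_TABLE_OFF + 16 * slot,
                             status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def check_mbr(sector: bytes, known_good_code_sha256: str, disk_sectors: int) -> list:
    """Defender-side check: returns a list of findings, empty when the sector looks clean."""
    findings = []
    mbr = parse_mbr(sector)
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != known_good_code_sha256:
        findings.append("boot code differs from the recorded known-good copy")
    bootable = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable, expected 1")
    for p in mbr["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"slot {p['slot']}: invalid status byte {p['status']:#04x}")
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"slot {p['slot']}: extends past end of disk")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["slot"])
                   for p in mbr["partitions"])
    for (_s1, e1, a), (s2, _e2, b) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"slots {a} and {b} overlap")
    return findings


# Constructed sample: a stand-in for the installed boot code and a one-partition disk
ORIGINAL_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"original boot code (constructed)"
KNOWN_GOOD = hashlib.sha256(ORIGINAL_CODE.ljust(BOOT_CODE_LEN, b"\0")).hexdigest()
DISK_SECTORS = 2_000_000
PARTITIONS = [(0x80, 0x07, 63, 1_999_000)]   # bootable NTFS-type partition starting at LBA 63
CLEAN_MBR = build_mbr(ORIGINAL_CODE, PARTITIONS)


def demo_modified_code() -> list:
    """Same partition table, different boot code: the change a hash comparison
    against the recorded copy (or BIOS write protection) is meant to catch."""
    modified = build_mbr(b"\xeb\xfe" + b"replacement code (constructed)", PARTITIONS)
    return check_mbr(modified, KNOWN_GOOD, DISK_SECTORS)


if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, KNOWN_GOOD, DISK_SECTORS))
    print("modified:", demo_modified_code())
```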
    2. Re:How is it different from LILIO and Grub? by Anonymous Coward · · Score: 0

      It's not a troll. I just want to know. If I put my code to MBR and LILO loader somewhere else and then start it, will it work? I guess so.


      On a Linux system, you must supply the root password before you are allowed to modify the MBR. On Windows AFAIK, you just have to click "OK" when the system asks you a question similar to "You are about to modify the MBR, is this OK?".

      On a Windows system then, anyone with two minutes unsupervised access to a machine can compromise it yet leave it in the same state as it was left in from all outward appearances.

      On Linux, you would have to have two minutes unsupervised access plus knowledge of the root password ... and your activity would be logged anyway. You could always boot a Linux LiveCD (so that you know the root password) ... but doing that you could not leave the machine in the same state you had left it in ... because you had to reboot.
    3. Re:How is it different from LILIO and Grub? by snikulin · · Score: 1

      > Yes. That's all LILO, GRUB, NTLDR, and such do.
      So, the submission is a FUD attempt, then?

    4. Re:How is it different from LILIO and Grub? by Alpha830RulZ · · Score: 1

      So, having RTFA, it seems to me that at the very least, the little nasty is designed to work with the windows boot process, and currently would at least cause a grub based system to puke, giving you notice of a situation. Then you could use http://supergrub.forjamari.linex.org/ to fix your loader? On a sidenote, while SuperGrub isn't going to win any points for graphic style, it did an excellent job of fixing my Fully Ryobi'd windows/Fedora situation, and is a nice little tool written by some nice folks in Italy, http://forja.linex.org/ .

      Obviously, a bad guy could extend the approach and anticipate Grub as well, trying to side step that, but it would probably be a much more complicated task, figuring out how to hide from all the kernel variants of Linux.

      If a person wanted to be sure, couldn't you burn a boot loader onto a CD, have the CD boot first, and have that direct the loading? IANLWK (I am no Linux Whiz Kid), but in my imperfect knowledge of the world, that seems like it would completely defend against this type of attack. I yearn for correction of my ways if this wouldn't work.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
    5. Re:How is it different from LILIO and Grub? by Anonymous Coward · · Score: 3, Informative

      No. LILO, GRUB and (joking aside) the Microsoft bootloader are not malicious (the microsoft one is stupid, but not malicious). If the 512 bytes does something else - like, oh, jump to the main part of the virus stashed in the filesystem, then it's a problem. The real craziness here is windows letting userspace write to the MBR without so much as a "uh, you sure you want to do that?". It'll pop up 50 UAC requesters asking about trivialities, but when it comes to something that can totally hose your system's ability to restart in a fraction of a second? Not a peep.

      Now, linux will actually let you do that as root, too, but not otherwise. The problem is most people run windows as the equivalent of root.

    6. Re:How is it different from LILIO and Grub? by dbcad7 · · Score: 1
      In order to run lilo, you need to be root.. correct ?
      so although you might be able to install it in some sector (giving you the benefit), ... how are you going to run it without being root ?

      If you were just explaining the flexibility of where Lilo can be installed, I understand that.. but it kind of seems you implied that a malware script could be made to just willy nilly install and run lilo.. maybe it can, but I'd have to have more proof.

      --
      waiting for ad.doubleclick.net
    7. Re:How is it different from LILIO and Grub? by snikulin · · Score: 1

      > In order to run lilo, you need to be root.. correct ?

      Nope. There is no user/kernel space at this time.

    8. Re:How is it different from LILIO and Grub? by burnin1965 · · Score: 2, Informative

      If I put my code to MBR and LILO loader somewhere else and then start it, will it work? I guess so.
      Are you root? If not then the answer is no.

      The real issue here is not whether an exploit like this would work with lilo or grub, the issue, as noted by TFA, is that "Unfortunately, all the Windows NT family (including VISTA) still have the same security flaw - MBR can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected !"

      Note: MBR can be modified from usermode, the first sectors of disk are still unprotected

      Yikes!!!
    9. Re:How is it different from LILIO and Grub? by GravityStar · · Score: 1

      If I put my code to MBR and LILO loader somewhere else and then start it, will it work? I guess so.
      Are you root? If not then the answer is no.
      Root is still a user, and LILO is still just usercode.

      Note: MBR can be modified from usermode, the first sectors of disk are still unprotected
      Yes, in this regard it is just as secure as Linux. You still need to be an administrator to overwrite the mbr. Reversing all of this damn argument, how exactly do you propose we defend the contents of the MBR from root on Linux? (Or GNU/Linux if you will)
    10. Re:How is it different from LILIO and Grub? by dbcad7 · · Score: 1

      I can find no other place where it is said this is possible.. perhaps if permissions were changed on the installed version, but then I don't know if the code for Lilo checks for root.. even rescue disks that have Lilo give you root access so you can make the changes.. and here we are talking physical access to get root.. I suppose i could download a copy of Lilo and change permissions to see if it let me run it as a user.. hmmm..

      --
      waiting for ad.doubleclick.net
    11. Re:How is it different from LILIO and Grub? by jimicus · · Score: 1

      You're both right and wrong at the same time.

      In order to execute the code which bootstraps the OS, you're correct. But from context, I suspect the OP meant "in order to install LILO to the MBR".

      Which you most certainly do need to be root to do.

    12. Re:How is it different from LILIO and Grub? by Jesus_666 · · Score: 1

      You neither need to work as root all the time on a *nix box, nor is that the common way to do work. Windows Vista still has plenty of programs that insist on writing to system directories at run-time so while it is possible to work as something else than an administrator there still are some configurations under which it's much easier to just screw security to hell and give yourself administrator privileges.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    13. Re:How is it different from LILIO and Grub? by Anonymous Coward · · Score: 0

      If you give people the possibility to write directly to dev nodes on your system just like that you have more serious security problems than this mbr stuff.

    14. Re:How is it different from LILIO and Grub? by DrSkwid · · Score: 1

      Only if you are in multi-user mode, otherwise you just boot in single-user mode which has no passwords, you don't even need to boot Linux, any OS that boots from CD can edit your MBR.

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    15. Re:How is it different from LILIO and Grub? by dbcad7 · · Score: 1
      This is what I mean.. I guess a little confusing, but yes I am meaning running lilo, that uses a configuration file to configure the loader (I guess also called lilo) usually in the MBR. (although can be located elsewhere, which is what started this)

      How would you run the bootloader again on an already booted system as a user ?

      --
      waiting for ad.doubleclick.net
    16. Re:How is it different from LILIO and Grub? by jimicus · · Score: 1

      LILO's a bit of a complicated one, because technically what happens is you write a configuration file, run a program (which is called lilo, but more accurately should be called lilo-installer or somesuch) and this program installs a small bootloader in your MBR based on the configuration file.

      You wouldn't rerun the bootloader once booted - the harm comes from if you allow any user rather than just root/administrator/(insert equivalent here) to write to the MBR because malware installed in that way could guarantee it will be executed each time the user reboots and with, say, a hypervisor remain totally invisible to the operating system.

      However, NT hasn't allowed non-Admin users to do stupid stuff like that ever so unless you're running everything as admin it's a nonissue.

      It can be done from user mode, that's true, but unavoidable.

    17. Re:How is it different from LILIO and Grub? by Talchas · · Score: 1

      Don't you just need write access to /dev/sda or /dev/hda? That's all you should need. Now root should probably be the only one with write access to disks, but that's another matter.

      --
      As the Americans learned so painfully in Earth's final century,free flow of information is the only safeguard against...
    18. Re:How is it different from LILIO and Grub? by jimicus · · Score: 1

      Yes, but only root can do that.

      IOW, Linux isn't fundamentally immune to such an issue. Having said that, neither is any OS which is designed around a hierarchical structure of "most powerful user at the top, other users have decreasing levels of power". Something like EROS might be able to prevent such things, but it's really a research operating system which AFAICT is a long way from reliably booting, much less doing anything useful. And EROS doesn't have the advantage that Linux had of having a fairly complete userland toolset ready and waiting, needing little more than a kernel.

    19. Re:How is it different from LILIO and Grub? by HiThere · · Score: 1

      Well, when the system is running you need to be root not to run lilo, but to save the changes.
      When the system is booting, it doesn't yet know the difference between root and other users. That has to wait until late in the process, and the boot manager takes place as the first step in the process. (It's analogous to the "LOAD" button that some 1401 card readers had...a hard wired piece of code to read in some cards and do what the program on them said to do. (The cards had to be punched in 1401 binary, of course. And there *was* no operating system.))

      If you were to execute a boot loader while the system was running it would be equivalent to crashing and restarting. If you were to do it with a restart address at a particular address, it would be equivalent to crashing and restarting from that address. (Notice that I said "crashing", not shutting down.)

      As far as I know, neither Grub nor LILO allow you to execute the boot loader while the system is running. The named programs are for configuration and installation. Because crashing is a bad idea. Sufficiently so that only a hardware switch is allowed to do it intentionally. (And that's because bad idea or not, sometimes it's the best one available.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    20. Re:How is it different from LILIO and Grub? by sexconker · · Score: 1

      Just enable boot sector protection in your BIOS.

    21. Re:How is it different from LILIO and Grub? by burnin1965 · · Score: 1

      Yes, in this regard it is just as secure as Linux. You still need to be an administrator to overwrite the MBR.
      Really, perhaps I misunderstood the article, as it appears they are saying a regular user on an NT/XP/Vista box can edit the first sectors of the disk. On a Linux system you would have to intentionally log in with the root account to do this. Normal use of a Linux system does not require that you log in as root, and regular users cannot edit the MBR.

      all of this damn argument, how exactly do you propose we defend the contents of the MBR from root on Linux? (Or GNU/Linux if you will)
      Excellent question, I suggest reading up on SELinux. You can use SELinux policies to lock down even the root user, but in an extremely granular way. I think you have a great idea, considering that once a system is set up there really is no reason even for the root user to be editing the MBR. There may be other methods to achieve the same result, but I've only studied SELinux.
    22. Re:How is it different from LILIO and Grub? by faber0 · · Score: 1

      Funny that the only MS OS that actually protects you (as in Administrator) is Vista with UAC turned on. Besides that, I still think replacing an MBR is a perfectly sane thing to do from an Administrator's/root account.

      - Faber

  6. Misleading... by SanityInAnarchy · · Score: 5, Informative

    Alright, I get the defense in depth concept, but I don't consider it to be a severe vulnerability that the MBR is writable while Windows is running. I consider that to be a feature, one I wish Microsoft did more of -- for example, I can install Linux from a Linux LiveCD, or I can install a second copy of it on another partition, etc. As far as I can tell, OS X is similarly flexible -- it forces you to type your password, but it can deliver a firmware update from within the OS -- think equivalent to a BIOS update, so even earlier than the MBR.

    So, to clarify: It's writable from userland, which is not the same as being writable by any user. If they have Admin access (which means you already clicked a "This program wants to modify your Master Boot Record, are you sure?"), you're already screwed -- kind of like how, on Linux, if they have root, you're already screwed.

    In other words, it's possible to modify your Master Boot Record without rebooting your computer. This is a good thing.

    What's more, this is not new. All that's new is that it's both in the wild (Blue Pill does the same thing), and that it's a rootkit (MBR Viruses have been around for a very long time now). If someone was trying to apply for a patent, you'd be jumping all over them with prior art...

    --
    Don't thank God, thank a doctor!
    1. Re:Misleading... by Jeffrey+Baker · · Score: 4, Interesting

      In my admittedly limited experience, any user account can do some pretty scary stuff in Windows XP. I once was surprised to find out that I could load a firmware update onto a Plextor DVD burner using the guest account on a Windows XP machine. If you can program device firmware you can obviously subvert the entire operating system. I was appalled, and I showed it to the local Windows sysadmin, and he was appalled. It seemed to be a bit of clever programming on the part of the Plextor people, and there did not seem to be any way to defend against it.

    2. Re:Misleading... by hcmtnbiker · · Score: 1

      What's more, this is not new [wikipedia.org]. All that's new is that it's both in the wild (Blue Pill does the same thing), and that it's a rootkit (MBR Viruses have been around for a very long time now). If someone was trying to apply for a patent, you'd be jumping all over them with prior art...

      Actually Blue Pill is much more interesting than this. Blue Pill can actually trap a running instance of an OS inside a rootkit. The one from the article requires a reboot, and hoping you didn't detect it before then. Blue Pill can also be used to attack any operating system; the one from the article only works with systems that use NTLDR.

      --
      If i had one dollar for every brain you dont have, i would have $1.
    3. Re:Misleading... by Anonymous Coward · · Score: 0

      "In other words, it's possible to modify your Master Boot Record without rebooting your computer. This is a good thing."

      Yeah, but it's not possible to install a patch without rebooting :)

    4. Re:Misleading... by mcmaddog · · Score: 1

      Macintosh computers not only require an admin password to update the firmware, but also require you to shut down and then startup holding the power button for about 5 seconds to trigger the update process so physical access and intention are required.

    5. Re:Misleading... by tyler_larson · · Score: 1
      Beyond misleading. Not newsworthy.

      Overwriting your MBR is possible only with raw access to the hard drive, and is always possible with raw access to the hard drive. In other words, Vista shares this same flaw with nearly every operating system in existence. Raw device IO is a restricted operation specifically for this reason, because it circumvents all other protection. To gain this access, you need to already have unfettered administrative access, which means you stand to gain nothing further.

      --
      "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
      RFC 1925
    6. Re:Misleading... by Anonymous Coward · · Score: 0

      Well you are wrong.
      Whatever fool gave NT/XP an EAL security rating must be sorry.
      See, an OS should be CAPABLE of locking everything down. If it can't, it should log. Both IBM z/OS and, I believe, Cisco don't fall for the old hacked-MBR trick without bleating loudly about it.

      We will ignore the next vector: people hacking the disk drive's firmware and re-mapping disk sectors, perhaps by writing a soft parity error in the MBR and having custom MBR soft recovery to hide malevolent code. There are enough Dells out there to make it worthwhile to do a few BIOS fiddles. But no need - hacking DMA transfers in crappy insecure video card 'universal' drivers is much nicer - just like flashing printer network cards.

      Either way - the USER should set the policy here, or have the MEANS to set an ACL on the MBR. Can't do that = loss of certification, or should be.
      Any twit could read how ATMs or IBM's crypto packages boot, and quickly conclude people have done better.

      Yes, some BIOSes do check the MBR, but how would you know? You really need to quiz the number of I/Os from the disk drive, but building in firmware protection implies you have smart people.

    7. Re:Misleading... by Jesus_666 · · Score: 1, Troll

      I don't want to know the kind of screwed up configuration which has the guest account running with administrator rights.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    8. Re:Misleading... by Anonymous Coward · · Score: 0

      So, to clarify: It's writable from userland, which is not the same as being writable by any user. If they have Admin access (which means you already clicked a "This program wants to modify your Master Boot Record, are you sure?"), you're already screwed -- kind of like how, on Linux, if they have root, you're already screwed.

      Except on a Linux machine, if you want root's password, you'll have to threaten to kill him before you get it. Whereas on Windows, any moron logs in as administrator. Heck, last I checked, you couldn't even install MS Office without being administrator, and when MS don't fix their own programs, they can't expect anyone else to fix theirs either. So of course any random crap you download off the internet (Adobe Reader? Sony "non-DRM'ed" music?) will require being installed as administrator too. And *that's* when it will install its rootkit.

    9. Re:Misleading... by ajs318 · · Score: 1

      You can firmware-upgrade many optical drives just by loading a disc with the firmware on it. The drive reads the TOC, spots a telltale filename, checks the file for telltale data and if it seems correct, loads up its new firmware. This doesn't involve the OS at all. You could plug the drive into just a PSU, no connection to a motherboard even, and upgrade it.

      The assumption is that if you have physical access to the machine, you can do what you want with it anyway.

      --
      Je fume. Tu fumes. Nous fûmes!
    10. Re:Misleading... by ajs318 · · Score: 4, Informative

      Actually, with Linux, you don't need the root password. You just need physical access to the machine. Reboot it. If running LILO, enter linux init=/bin/sh ; if running GRUB, edit the boot command line and include init=/bin/sh in it somewhere. Press RETURN. When you get the # prompt, enter
      # mount -oremount / to make the disk writable
      # awk '/^root/{print}' /etc/shadow > /old_root_password to make a copy of the old scrambled root password,
      # passwd and enter a password you can remember. Twice.
      # init 6 to reboot the machine again. You can now log in as root, using the password you supplied. No need for any special weapons, boot discs &c. This is one you can carry entirely in your head.

      To restore the original root password, the sequence is
      # awk '!/^root/{print}' /etc/shadow >> /old_root_password
      # cp -f /old_root_password /etc/shadow
      # rm -f /old_root_password
      - don't use this till the last minute, because the password will be changed as soon as you modify /etc/shadow. I don't know if this works on other Unix systems.

      --
      Je fume. Tu fumes. Nous fûmes!
    11. Re:Misleading... by cookd · · Score: 1

      Yup. Drivers have the ability to provide access to anybody they want. It is the responsibility of the driver's author to determine whether or not to grant "update firmware" access to a particular account. You are correct that the driver should not be doing this.

      --
      Time flies like an arrow. Fruit flies like a banana.
    12. Re:Misleading... by Anonymous Coward · · Score: 0

      If the guest user has permission to read from the DVD drive, then this implies they have permission to send commands to the DVD drive. If Windows sends what should be a "safe" command, and the driver/firmware interprets this command as a "rewrite firmware" command, the fault may lie with Plextor. (Imagine a video card that rewrote its firmware when a specially crafted bitmap was displayed on the screen. That would be a similar situation. We'd blame the video card vendor for not coming up with a secure way to send firmware updates; not the OS vendor.)

      I've no knowledge of this specific DVD drive, but thinking about the motivations of the operating system vendor vs the motivations of the DVD burner vendor, it wouldn't be surprising if the DVD burner vendor was the one who took the shortcut because they didn't care about security and just wanted to get it working as quickly and easily as possible.

    13. Re:Misleading... by Joe+The+Dragon · · Score: 1

      That is the system BIOS.

      Also, the Dell Windows-based BIOS updater needs you to be a Windows admin or give it the admin name and password, plus a BIOS password if there is one, to update the BIOS.

    14. Re:Misleading... by Pharmboy · · Score: 1

      I think that is the key to remember: The OS can only protect a computer that someone isn't sitting in front of. I can re/boot in single user mode and do anything I want to a Linux box, if I am sitting in front of it. If you have access to physically TOUCH any computer, you can hack it, and likely no amount of operating system or other software can change that. Even disabling floppy, USB and CDROM won't stop me from pulling the battery or jumping a jumper to reset the password. (With laptops, your mileage may vary.)

      --
      Tequila: It's not just for breakfast anymore!
    15. Re:Misleading... by Abcd1234 · · Score: 1

      The assumption is that if you have physical access to the machine, you can do what you want with it anyway.

      Where, in the GPs post, did he say that physical access was required to do the firmware update from the guest account? Oh right! He didn't!

      So... what was your point, again?

    16. Re:Misleading... by Talchas · · Score: 2, Informative

      Only if the person running the machine hasn't required a password for the GRUB command line. Of course, you can do the boot disc/clear CMOS/whatever method anyway, so it's still insecure.

      --
      As the Americans learned so painfully in Earth's final century,free flow of information is the only safeguard against...
    17. Re:Misleading... by sherl0k · · Score: 1

      And for distros that don't use the root account?

    18. Re:Misleading... by ajs318 · · Score: 2, Interesting

      Yeah, there's that. Carry a boot CD (maybe with several kernels) on an actual disc (in case you can't use a USB key ..... maybe better to use a cheap MP3 player preloaded with a repetitive techno track that can be played to anyone who asks), and a minimal tool kit (screwdriver handle with interchangeable bits, needle nose pliers, wire cutters, tweezers, a few motherboard jumpers, a few known good 13 Amp plug fuses, powerfinder screwdriver ..... I'd say a cordless soldering iron, solder and a canister of fuel if I didn't think that I really meant minimal ..... weigh the probability of needing a tool against the drawbacks of having to carry it) with you. You can then reset the BIOS password, fix the boot order, boot a kernel that works, mount the drives and chroot into the system, if you have to.
      "The worst case? Well ..... let's see. Have you got any CD burners in there?"
      "Yes, in the management suite, behind digital door locks. Or in the IT department. Digital locks again."
      "And do those management machines have a high-speed internet connection as well?"
      "Oh, yes."
      "Well, in that case ..... I reckon, in the absolute worst case, your friend could be doing whatever he wanted with your computer systems in about one hour."
      "One hour? That's not so bad. That gives us something. You say that's the worst case, right?"
      "Oh, yeah, from his point of view, one hour is the worst case. But if he's smart, he's probably already been and gone."

      --
      Je fume. Tu fumes. Nous fûmes!
    19. Re:Misleading... by kilgortrout · · Score: 1

      If you have physical access to any box you can get root access; just pop in any livecd and su to root or use sudo. Want to lock down the BIOS with passwords and prohibit booting off anything but the hard drive? Go ahead, I'll pull the drive out of the box, hook it up to my laptop through USB and tinker with the MBR to my heart's content. The only sure-fire way to protect against a user with physical access is constant surveillance, but then you have the who'll-guard-the-guards problem. Nothing new in that observation, as it's been made a million times before.

    20. Re:Misleading... by Reziac · · Score: 1

      Remember Chip-Away, the old BIOS-based boot sector protection that was commonly seen on 486-era machines? It screamed bloody murder and halted the system any time ANYTHING tried to alter the boot code or MBR. I'm wondering if it's time to return to using such protection.

      Since FProt is now dropping their DOS-based version, AFAIK there are no longer any AV products that can run with a minimal OS, such as a DOS floppy boot. All AVs that I know of require a fullblown OS, thus minimally either installed on the suspect system (not a good idea) or run from a Live CD, which you may not have the luxury of preparing on short notice (or may have a system that won't boot from CD -- I still see 'em once in a while).

      So... I think we'll see a major upswing in BSV and suchlike, since our tools for detecting them are too limited.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    21. Re:Misleading... by Paradigm_Complex · · Score: 1

      With physical access to the machine you can easily get anything unencrypted, irrelevant of OS. Boot off your own device (CD/DVD/flash/floppy/whatever) and there's no issue logging into root on your own OS. If the BIOS is locked and won't let you boot off another device, rip out the battery for a bit. Heck, just take the hard drive and put it into your machine. Nothing is secure if the attacker has physical access, irrelevant of OS. If you can't do this on Linux without physical access or root, I'd consider it secure.

      --
      "A witty saying proves nothing." - Voltaire
    22. Re:Misleading... by runderwo · · Score: 1

      I've no knowledge of this specific DVD drive, but thinking about the motivations of the operating system vendor vs the motivations of the DVD burner vendor, it wouldn't be surprising if the DVD burner vendor was the one who took the shortcut because they didn't care about security and just wanted to get it working as quickly and easily as possible.

      LG CD-ROMs Destroyed by Mandrake 9.2

    23. Re:Misleading... by shentino · · Score: 1

      Which is why having a boot loader password is a good idea.

    24. Re:Misleading... by SanityInAnarchy · · Score: 1

      If the guest user has permission to read from the DVD drive, then this implies they have permission to send commands to the DVD drive.

      On Windows, maybe.

      On Linux, it means the user has permission to read from the DVD drive.

      If Windows sends what should be a "safe" command, and the driver/firmware interprets this command as a "rewrite firmware" command,

      That is possible, if, say, it was a "read" command, or maybe an "eject the disc" command.

      More importantly, though, drivers should make a distinction between normal read/write access and firmware flashing. As a normal user, I should be able to send "commands", like eject, close, etc; I should be able to read; I should be able to write (burn); I should not be able to flash the firmware.

      (That, admittedly, is probably a problem linux also has.)

      But you're right, it does look like the problem is Plextor here.

      --
      Don't thank God, thank a doctor!
    25. Re:Misleading... by SanityInAnarchy · · Score: 1

      Yeah but its not possible to install a patch without rebooting :)

      Not sure about Windows, but Linux will actually "install" the patch -- it just won't run it without rebooting.

      The important feature here is that you can basically put your disk in a state where, if you were to cold boot right there, everything would already be installed the way it's supposed to be -- no weird tricks during an otherwise "normal" boot. When it says "done installing", it really means "done installing", and while you have to reboot for it to take effect, that is really just a reboot.

      --
      Don't thank God, thank a doctor!
    26. Re:Misleading... by SanityInAnarchy · · Score: 1

      See an OS should be CAPABLE of locking everything down. If it can't it should log.

      None of which tells me that it's a bad thing if everything isn't locked down, even if it's not locked down by default. I don't know enough about NT to know if it can be sufficiently locked down in this way. I do know Linux can.

      Oh, and speaking of logs: What's your guarantee that log is still valid? On most machines, root access means freedom to modify the logs, the log daemon, and so on.

      --
      Don't thank God, thank a doctor!
    27. Re:Misleading... by SanityInAnarchy · · Score: 1

      Overwriting your MBR is possible only with raw access to the hard drive, and is always possible with raw access to the hard drive. In other words, Vista shares this same flaw with nearly every operating system in existence.

      Except, you know, OSes which don't allow raw access to the hard drive.

      To gain this access, you need to already have unfettered administrative access, which means you stand to gain nothing further.

      That depends on the system, but I tend to agree with you, and I made the same point.

      --
      Don't thank God, thank a doctor!
    28. Re:Misleading... by tyler_larson · · Score: 1

      Except, you know, OSes which don't allow raw access to the hard drive.

      Like, for example?

      All Windows variations do. All unix-based OSes do. All Mac OSes do (both new and old). Obviously all single-user operating systems do because there's no protection. I would say that covers "nearly every". Can you come up with a significant exception?

      --
      "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
      RFC 1925
    29. Re:Misleading... by SanityInAnarchy · · Score: 1

      Like, for example?

      A heavily-patched Linux. I'm fairly sure one can configure SELinux to disallow this.

      Or Linux running in some sort of virtual machine (usermode Linux, XEN, etc) which disallowed access to the real raw disk.

      I would say that covers "nearly every".

      Oh, sorry, didn't see that. You're right.

      --
      Don't thank God, thank a doctor!
  7. Re:Why is Windows still using MBR? by Anonymous Coward · · Score: 0

    All ACs are trolls.

    We're also all inveterate liars.

  8. Treacherous Computing to the rescue! by Anonymous Coward · · Score: 4, Insightful

    I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.

    1. Re:Treacherous Computing to the rescue! by ScrewMaster · · Score: 2, Funny

      The jellied gasoline salvo is on the way, with a thermite chaser.

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:Treacherous Computing to the rescue! by Anonymous Coward · · Score: 1, Informative

      The cure is worse than the disease.

    3. Re:Treacherous Computing to the rescue! by noidentity · · Score: 1

      It's exactly the sort of problem any decent OS can solve. Untrusted code says "hey, I'd like to write this to the MBR", OS says "hell no!". Why is any special hardware needed, beyond basic memory protection?

    4. Re:Treacherous Computing to the rescue! by kvezach · · Score: 3, Insightful

      Initiating flame... done!

      I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.

      And you can "solve" crime with a ubiquitous secret police, but would you want to?

    5. Re:Treacherous Computing to the rescue! by TemporalBeing · · Score: 1

      I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.
      No, TPM was designed to solve the problem of Microsoft losing Windows as a monopoly by preventing you from installing anything else.

      The solution to this problem is correct usage of the Admin (root) accounts, which Unix/Linux has had solved for more than a decade, but which, according to TFA, Microsoft has yet to solve. This is, of course, Microsoft's fault.

      So please, don't try to use TPM to solve this. It won't. If I bet (but I don't), I'd bet you could even get Windows on a TPM machine to overwrite the MBR in the same manner as the article is mentioning. TPM won't do the job that the OS is meant to - other than to deny you from running that OS, which is its real purpose. ;-) Too bad Microsoft is the entity behind TPM; otherwise we might be able to use TPM to move everyone off of Windows. ;-)
      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    6. Re:Treacherous Computing to the rescue! by Doug+Neal · · Score: 1

      There is nothing intrinsically wrong with TPM technology per se, as long as the user/owner/administrator has the ultimate decision about what is "trusted" or not. Giving the final veto to a third party that's only serving its own interests - that's when it's a problem.

    7. Re:Treacherous Computing to the rescue! by Reziac · · Score: 1

      You don't need TC for this. All you need is a BIOS-level program *that the user can turn on and off as they please*, like the old ChipAway boot sector protection that was built into many 486-era BIOSes.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  9. You have run Vista with elevated administrative... by figleaf · · Score: 5, Informative

    ... to write to the MBR.
    For all other sectors Vista prevents writes to raw disk sectors even with admin permissions.

    Users without admin permissions/without elevation cannot write to the MBR in Vista.

  10. The perfect virus by arotenbe · · Score: 1

    Unfortunately, all the Windows NT family (including Vista) still have the same security flaw -- MBR [Master Boot Record] can be modified from usermode.

    "Security flaw"? Heck, I'm almost finished with the virus that overwrites the MBR with GRUB stage 1!

    Alright, I guess I'm forced to admit I'm just kidding.

    --
    Tomato wedge sperm darts that are Republican.
    1. Re:The perfect virus by Cassini2 · · Score: 1

      I'm almost finished with the virus that overwrites the MBR with GRUB stage 1!

      You must work for Microsoft. Almost every Linux distribution in existence uses GRUB for a bootloader. Only Microsoft calls Linux "an evil virus-like plague," as it sweeps the world, eliminating proprietary software, vaporizing multinational corporations, and saving the poor from the ravages of the new generation of software robber barons.

    2. Re:The perfect virus by andreyw · · Score: 2, Funny

      I'm forced to conclude that the majority of Slashdot's most vehement and fervent posters are autistic inhabitants of their parents' basements, with no sense of humor at all.

      -1.

    3. Re:The perfect virus by Mgns · · Score: 1

      I'm still in the crib, you insensitive clod!

    4. Re:The perfect virus by skiman1979 · · Score: 1

      "Security flaw"? Heck, I'm almost finished with the virus that overwrites the MBR with GRUB stage 1!
      Now all you have to do is set it up to boot an installation image of Linux through PXE to a TFTP server. :-D
      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
  11. A boot sector virus? In my PC? by Purity+Of+Essence · · Score: 4, Funny

    It's more likely than you think.

    What is this? 1986?

    --
    +0 Meh
    1. Re:A boot sector virus? In my PC? by Nimey · · Score: 4, Funny

      Your computer is now stoned.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    2. Re:A boot sector virus? In my PC? by Jeffrey+Baker · · Score: 4, Funny

      Yeah right. Do you think the virus idiots know how to program a virus into 512 bytes these days? I've seen self-styled viruses that are carrying around msvcrt.dll. Those guys should be embarrassed.

    3. Re:A boot sector virus? In my PC? by Anonymous Coward · · Score: 0

      That's because marijuana is good stuff. You hear me?! GOOD STUFF!! Even computers think so. I guess you have to be a politician to get your head so far up your ass that you actually think it's bad. Tell me, how do the conservative pro-lifers reconcile drug prohibition with the fact that GOD created marijuana??

      To quote Bill Hicks, after the Creation God said "oh my .. ME... I left fuckin' pot everywhere. Now people might think they're supposed to USE it ... now I'll have to create Republicans..."

    4. Re:A boot sector virus? In my PC? by Architect_sasyr · · Score: 1

      Oh damn that took me back... Thanks for reminding me of the moment where I looked at my computer and thought 'It too huh... wonder where it got its trip from'

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    5. Re:A boot sector virus? In my PC? by shdwtek · · Score: 4, Funny

      512 bytes should be enough for any virus.

    6. Re:A boot sector virus? In my PC? by tlhIngan · · Score: 3, Informative

      Yeah right. Do you think the virus idiots know how to program a virus into 512 bytes these days? I've seen self-styled viruses that are carrying around msvcrt.dll. Those guys should be embarrassed.
      Actually, it's a bit less. The first sector of a hard disk contains the MBR code and the partition table.

      The partition table takes 64 bytes (16 bytes x 4 entries), and there's a two-byte signature that the BIOS checks to ensure the MBR is valid.

      That gives you roughly 446 bytes of code that you can actually run. Most MBR code basically reads the partition table, finds a partition with the "active" flag set, then loads the first sector of that partition into memory. The partition loader then copies more sectors from disk so it can load the OS.

      That's why you can install GRUB and LILO into either the partition or MBR. The MBR version basically overwrites the existing MBR to always load LILO or GRUB regardless of what the partition table says. The partition version relies on the MBR code passing it control.

      Of course, having the first cylinder of a disk unused makes it convenient to stash away the extra code you need.
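      Added example (not code from the thread or from any project mentioned in it): a Python parser for the 512-byte layout just described (446 bytes of boot code, four 16-byte partition entries, the two-byte 55 AA signature) together with a baseline integrity check of the boot-code bytes, the software analogue of the BIOS-level boot-sector protection mentioned elsewhere in the thread. The clean and tampered MBRs are constructed inline; the partition values are made up.

```python
"""Parse a 512-byte MBR and check it against a known-good baseline.

Layout: 446 bytes of boot code, a 64-byte partition table (4 x 16 bytes)
and the two-byte 0x55 0xAA signature the BIOS checks before jumping to the code.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

BOOT_CODE_SIZE = 446
ENTRY_SIZE = 16
ENTRY_COUNT = 4
SIGNATURE = b"\x55\xaa"
ACTIVE_FLAG = 0x80


@dataclass
class PartitionEntry:
    status: int        # 0x80 = active/bootable, 0x00 = inactive
    type_code: int     # 0x00 = unused entry
    lba_start: int     # first sector of the partition
    sector_count: int  # length of the partition in sectors


@dataclass
class Mbr:
    boot_code: bytes
    partitions: List[PartitionEntry]
    signature: bytes


def parse_mbr(sector: bytes) -> Mbr:
    """Split the first sector into boot code, partition table and signature."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    entries = []
    for i in range(ENTRY_COUNT):
        off = BOOT_CODE_SIZE + i * ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, type_code, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append(PartitionEntry(status, type_code, lba, count))
    return Mbr(sector[:BOOT_CODE_SIZE], entries, sector[510:512])


def boot_code_hash(mbr: Mbr) -> str:
    """SHA-256 of the executable part only; the table may legitimately change."""
    return hashlib.sha256(mbr.boot_code).hexdigest()


def gap_before_first_partition(mbr: Mbr) -> int:
    """Sectors between the MBR and the first partition: the normally unused
    area the comment mentions, where extra code can be stashed."""
    used = [p.lba_start for p in mbr.partitions if p.type_code != 0]
    return min(used) - 1 if used else 0


def check_mbr(mbr: Mbr, baseline_hash: str) -> List[str]:
    """Return findings; an empty list means the MBR matches the baseline."""
    findings = []
    if mbr.signature != SIGNATURE:
        findings.append("boot signature is not 55 AA")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from known-good baseline")
    active = [i for i, p in enumerate(mbr.partitions) if p.status == ACTIVE_FLAG]
    if len(active) > 1:
        findings.append(f"more than one active partition: entries {active}")
    for i, p in enumerate(mbr.partitions):
        if p.status not in (0x00, ACTIVE_FLAG):
            findings.append(f"entry {i}: unusual status byte 0x{p.status:02x}")
    return findings


def _entry(status: int, type_code: int, lba: int, count: int) -> bytes:
    # CHS fields zeroed; modern loaders use the LBA fields.
    return struct.pack("<B3xB3xII", status, type_code, lba, count)


def build_sample_mbr() -> bytes:
    """Constructed sample: a few plausible boot-code bytes, one active NTFS
    partition starting at sector 63, three empty entries, valid signature."""
    code = bytes([0xFA, 0x31, 0xC0, 0x8E, 0xD8]).ljust(BOOT_CODE_SIZE, b"\x00")
    table = _entry(ACTIVE_FLAG, 0x07, 63, 20_000) + _entry(0, 0, 0, 0) * 3
    return code + table + SIGNATURE


def build_tampered_mbr() -> bytes:
    """Same disk, but the boot code now starts with a different jump and a
    second entry has been marked active: what an integrity check should flag."""
    sample = bytearray(build_sample_mbr())
    sample[0:2] = b"\xEB\x3C"  # different first instruction
    second = BOOT_CODE_SIZE + ENTRY_SIZE
    sample[second:second + ENTRY_SIZE] = _entry(ACTIVE_FLAG, 0x83, 40_000, 1_000)
    return bytes(sample)


SAMPLE_MBR = build_sample_mbr()
TAMPERED_MBR = build_tampered_mbr()
# Recorded while the system was known clean; compare against it later.
BASELINE_HASH = boot_code_hash(parse_mbr(SAMPLE_MBR))

if __name__ == "__main__":
    print("clean:   ", check_mbr(parse_mbr(SAMPLE_MBR), BASELINE_HASH))
    print("tampered:", check_mbr(parse_mbr(TAMPERED_MBR), BASELINE_HASH))
```

      On a real machine the 512 bytes would come from reading sector 0 of the disk device with elevated privileges, and the baseline hash would be stored off the machine so a rootkit with root cannot adjust it.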
    7. Re:A boot sector virus? In my PC? by Anonymous Coward · · Score: 0

      I preferred the Monkey virus, thanks. Or a combination of them. Stoned Monkey, anyone?

    8. Re:A boot sector virus? In my PC? by Keruo · · Score: 4, Interesting

      All you need is a call to a certain point of the disk to run the code, right?
      Remember that almost all current Windows systems reserve 1-8 MB of space for converting the drive to a dynamic disk.
      8 MB is likely enough to run an almost full-blown virtual machine, at least versatile enough to hide beneath the "primary" OS and act as a spam/DDoS drone/keylogging trojan unnoticed.
      Sure, it'll eat some resources sitting there, but your average Joe/Jill won't really notice that. They just curse their damn slow computer.

      --
      There are no atheists when recovering from tape backup.
    9. Re:A boot sector virus? In my PC? by Thing+1 · · Score: 1

      A corollary to bricked, I suppose.

      --
      I feel fantastic, and I'm still alive.
    10. Re:A boot sector virus? In my PC? by Technician · · Score: 1

      Your computer is now stoned.

      Wow, talk about an old virus. I think I still have that one on a floppy somewhere. I remember studying that one. I did a fresh DOS install to infect. When I was done, it was removed by booting a clean floppy and re-partitioning, formatting and reinstalling. I took no chances with that one. For those who are not familiar with the phrase:

      http://en.wikipedia.org/wiki/Stoned_(computer_virus)

      --
      The truth shall set you free!
    11. Re:A boot sector virus? In my PC? by Jesus_666 · · Score: 1

      Actually, that reference is amazingly current with regards to Vista:

      http://www.theregister.co.uk/2007/09/17/vista_hit_by_stoned_angelina/

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
  12. type help for available commands. by Anonymous Coward · · Score: 0

    boot /dev/null

  13. You didn't capitalize your sentence. by Anonymous Coward · · Score: 0

    So I guess he'll ignore you too. :-P

  14. Foolproof Windows? by Archangel+Michael · · Score: 0, Troll

    "something I thought windows already did (and if it doesn't, there's really no excuse for it not to) - but that's far from foolproof."

    Windows is made for fools ... and grandmas ... and CEOs. Besides, If you make something foolproof (VISTA) only fools will use it.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Foolproof Windows? by Ash+Vince · · Score: 1

      A relevant quote from somewhere or other:

      "There's no such thing as a foolproof system because fools are too inventive."

      I tried to just verify this is the correct quote, but it seems to exist in many forms on the net, all with a similar meaning. Incidentally, if anyone can point me in the direction of its original source I would be interested to know where it came from.

      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
  15. Of course.. by Junta · · Score: 5, Interesting

    Whether it's an MBR record or an executable file stored on a filesystem the firmware may understand, the concepts are the same. Any sane operating system will allow you to modify boot files (after all, how else do you upgrade early-execution code). Whether it's an MBR or a more sophisticated piece of firmware, the principle is the same. The question is whether users have been trained to always be administrator, or if they've been trained the more disciplined way where uncommon (at least should be)/privileged operations can only be executed at significant obvious pain.

    Under linux even, a number of distributions have on occasion ventured down the very dangerous/wrong approach of skipping user accounts and going all root for the sake of convenience. However, the mainstream usage of linux (and OSX) is thankfully non-root users, and as such any *serious* applications accommodate that usage pattern (with the bonus of being sanely multi-user).

    Meanwhile, Windows heritage has been less optimal. The consumer oriented MS platforms right up until XP didn't have a meaningful non-administrator concept, as well as much of a multi-user concept. As a consequence, many application developers did bad things that would break (i.e. using registry entries that are machine specific rather than user specific, or even writing things like saved documents/games to the application's Program Files directory). Win9x even provided relevant spots that would evolve to something meaningful, but without significant meaning, many third parties ignored it, especially after Win3.x training. XP was the first definitive wake up call to a WIDE variety of developers. Even so, the majority of users ended up being administrative users to make up for the gap (as well as having no easy automatic privilege escalation). Hell, even a customized preload I saw sets up one user, renaming the administrator user (and in fact, calls an un-renamed administrator account a security risk... indeed).

    OSX made a clean break with OSX (relegating "classic" applications to a relatively severe sandbox), Linux never had such an unclean history to overcome. So while OSX implemented clean privilege escalation, and Linux has been working on facilities that lend themselves well to that (i.e. DBus), Windows XP did not make a clean break, and Vista didn't either, but Vista's UAC is an attempt at giving users a facility to do privilege escalation. It's annoying because of bad programs and bad habits. But non-admin default usage + UAC is the only way they have of maintaining a sane featureset without being considered so vulnerable.

    It also doesn't help that so many Windows users see "click here for free smilies" and think it's a good idea to do so.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Of course.. by MrLizardo · · Score: 1

      It also doesn't help that so many Windows users see "click here for free smilies" and think it's a good idea to do so.

      The best part is when they get mad and argue with you when you try to remove the malware they put there.
      "But I *liked* the free smiley faces!"
      "It's spyware, handing your personal info and passwords to nefarious third-parties! You weren't supposed to be installing random software on your work computer to begin with."
      "So I can't keep the smiley faces?"
      "No!"
      --
      ^I'm with stupid.^
    2. Re:Of course.. by cbreaker · · Score: 1

      UAC is a step in the right direction but it shows how deeply flawed Windows is. You need to be an administrator to do far too many things. While a MacOS or a Linux installation will prompt you for your password when you install software or change core operating system behaviors (boot disk stuff, system tools, etc) Windows requires that you be an administrator to change your time zone or Desktop resolution.

      All that, and because Microsoft wants to (rightfully so, in their position) support as many older apps as possible, you see the UAC a lot more than you should if said application was written with user-mode-only in mind.

      For Microsoft to truly fix Windows, it would probably break a lot of stuff. Personally, I don't think it would be a bad idea. Like Apple, they could sandbox any older apps, and the "new" Windows could be a lot better. But it would not be smooth. They've painted themselves into a pretty corner, that's for sure. The reason they did it, was because they could. Everyone was going to run Windows anyways.

      --
      - It's not the Macs I hate. It's Digg users. -
    3. Re:Of course.. by toadlife · · Score: 1

      Windows requires that you be an administrator to change your time zone or Desktop resolution.

      Time on a multi-user computer system is a sensitive thing and should require admin rights. I don't know where you came up with the desktop resolution bit. Anyone can change that.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    4. Re:Of course.. by Anonymous Coward · · Score: 0

      It's not about changing time, only the time zone. If Windows would store the system time in UTC this would only change the way the time is displayed to the user, not the internal time.

      There is nothing sensitive about that.

    5. Re:Of course.. by Hal_Porter · · Score: 1

      It's not about changing time, only the time zone. If Windows would store the system time in UTC this would only change the way the time is displayed to the user, not the internal time.

      There is nothing sensitive about that.

      Windows system time has always been in UTC. By default before Vista both changing the time and changing the time zone required that the user running the program be in the admin group (though Admins could change this and let anyone do it), but in Vista Microsoft changed things so that unprivileged users could change the time zone -

      http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/23/security-features-vs-convenience.aspx

      To do this, we had to go through the various system tasks that users perform and for each one ask the question: "should the user have to be an administrator to complete this task?" What we found was that in Windows XP there were many cases where we required the administrative privilege if the user was making a change that impacted the entire system (rather than just their user account). We subsequently learned that this was too broad a distinction and in fact, with some common sense rules, we could protect the system while still making it usable. We also found that there were many cases in previous versions of Windows where we had lumped things together when instead only part of the task really should have required the user to be an administrator. For example, in Windows XP you had to be an administrator in order to change the time or the time zone of the system. The reason that time functions are usually restricted is that you can do some pretty sneaky things if you can change the system time -- like trick system logs or backdate emails. But as it turns out, changing the time zone of the machine so that a business traveler based on the West Coast goes to their meetings at the right time when they are visiting New York really doesn't need to be protected -- so in Windows Vista, we split that out and now allow a standard user to change the time zone. If you have a Vista machine, try it. Right click on the clock in task bar and choose Adjust Date and Time. Changing the time requires a UAC prompt, changing the time zone does not.

      Incidentally Windows system time is stored as a 64 bit count of 100ns intervals since 1601. Why 100ns? Larry Osterman said
      http://blogs.msdn.com/oldnewthing/archive/2004/08/25/220195.aspx#220259

      Because 100ns is "good enough". You can represent any date from the 1601 to the year 20,000 in 64bits worth of 100ns units.

      1ns is too small, it runs out in 200 years. 1000ns is too granular for some clock speeds (it's 1/10th of a millisecond). Interesting, eh? 200 years was regarded as too short a lifetime for NT based OSs and APIs, Dave Cutler probably expects NT to have a thousand year reign ;-) . And 1000ns was too granular. Some book I read commented that the range of FILETIME is ok, but "in twenty years 100ns will be seen as hopelessly coarse"

      Unix by contrast uses a 32 bit count of seconds which is both too coarse and will run out in a mere 30 years.
      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
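Hal_Porter's description of FILETIME is the representation you meet when lining up Windows artefacts (registry key write times, NTFS timestamps, event logs) against Unix-epoch logs in an investigation. The following is an added example, not code from the thread: conversions between the 64-bit count of 100 ns ticks since 1601 and Unix time, the little-endian 8-byte form the value has on disk, and the arithmetic behind the range claims. The epoch offset is the standard 1601-to-1970 difference; nothing here assumes a Windows host.

```python
import struct
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000               # one FILETIME tick is 100 ns
EPOCH_DIFF_TICKS = 116_444_736_000_000_000  # ticks from 1601-01-01 to 1970-01-01 (UTC)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_unix(ticks):
    """FILETIME tick count -> Unix seconds as a float (keeps sub-microsecond precision)."""
    return (ticks - EPOCH_DIFF_TICKS) / TICKS_PER_SECOND


def unix_to_filetime(seconds):
    """Unix seconds -> FILETIME tick count, rounded to the nearest tick."""
    return int(round(seconds * TICKS_PER_SECOND)) + EPOCH_DIFF_TICKS


def filetime_to_datetime(ticks):
    """Tick count -> aware UTC datetime. Truncates to microseconds: datetime has no 100 ns unit."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_from_bytes(raw):
    """Decode the 8-byte little-endian form found in on-disk and registry structures."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]


def last_representable_year(bits):
    """Calendar year reached by the largest value of a `bits`-bit tick count starting at 1601.
    Use 63 for a count treated as signed 64-bit, 64 for a fully unsigned one."""
    seconds = (2 ** bits - 1) / TICKS_PER_SECOND
    return 1601 + int(seconds / (365.2425 * 86400))


def unix32_rollover():
    """The instant a signed 32-bit Unix time_t overflows."""
    return datetime.fromtimestamp(2 ** 31 - 1, tz=timezone.utc)


if __name__ == "__main__":
    # Constructed sample value: 8 raw bytes as they would sit in a registry key header.
    raw = struct.pack("<Q", unix_to_filetime(1_000_000_000))
    print("raw bytes:", raw.hex(), "->", filetime_to_datetime(filetime_from_bytes(raw)).isoformat())
    print("signed 64-bit FILETIME lasts until year", last_representable_year(63))
    print("32-bit time_t rolls over at", unix32_rollover().isoformat())
```

When ordering two Windows timestamps against each other, compare the raw tick counts rather than the converted datetimes, since the conversion discards the last decimal digit of precision.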
    6. Re:Of course.. by HiThere · · Score: 1

      "Always"? You've got a short time horizon. Admittedly I haven't used MSWind in a long time, but MSWind95 stored time as a time (i.e., localtime). Linux installs had to step carefully around how the clock was set, because if they were sharing a computer with an MSWind machine they shouldn't use UTC.

      I don't know what it is these days, so I can't claim that MS still does things that way. But they DID.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    7. Re:Of course.. by cbreaker · · Score: 1

      Perhaps Vista sets UTC, I don't know, but up to Windows XP and Windows 2003 R2 it's localtime. Who knows what he's been smoking.

      --
      - It's not the Macs I hate. It's Digg users. -
    8. Re:Of course.. by Hal_Porter · · Score: 1

      NT based OSs always use UTC internally. The RTC is in local time, because that's what the majority of PC based OSs (i.e. 16 bit Windows, Dos and probably OS/2 and Xenix) used to set it to -

      http://blogs.msdn.com/oldnewthing/archive/2004/09/02/224672.aspx

      Linux installs had to step carefully around how the clock was set, because if they were sharing a computer with an MSWind machine they shouldn't use UTC.

      Yeah, but it's very convenient for people dual booting between MS OSs. Maybe Linux should have adopted the PC platform de facto standard of setting the Bios to local time even if like NT based OSs it uses UTC internally. Then people using it wouldn't have been inconvenienced.
      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  16. Solution is in your BIOS settings by DigiShaman · · Score: 2, Informative

    As I know, most 3rd party motherboards offer "anti-virus" or the "write protect MBR" options. Even if available I doubt they will work when using onboard RAID features.

    Basically, you leave these options off when installing the OS. Once you're finished, you can safely turn them on. I'm not sure how often NTFS needs access to the MBR, but I know I've never had trouble leaving these features enabled with FAT32.

    --
    Life is not for the lazy.
    1. Re:Solution is in your BIOS settings by tlhIngan · · Score: 3, Informative

      As I know, most 3rd party motherboards offer "anti-virus" or the "write protect MBR" options. Even if available I doubt they will work when using onboard RAID features.

      Basically, you leaves these options off when installing the OS. Once you're finished, you can safely turn them on. I'm not sure how often NTFS needs access to the MBR, but I know I've never had trouble leaving these features enabled with FAT32.


      Ah, but these things only work in two ways:

      1) The write protect only works if the OS makes a BIOS call to the MBR. The BIOS then traps this request and asks if you mean to write to the MBR. This works pretty well as most boot sector virii exist in DOS, which uses the BIOS, rather than Windows.

      2) The BIOS makes a copy of the MBR and saves it in the CMOS. On boot, it loads the boot sector as normal, and does a quick comparison (it's only 512 bytes). If it differs (because someone overwrote the MBR code, or someone changed the partition table), it asks what you want to do - restore from backup, or accept the modifications.

      No good filesystem should need the MBR once the system is booted, other than reading the partition table. (The MBR, being 446 bytes in size, is also pretty standardized, which is why any utility that rewrites the MBR code can get your system booting again. A Linux-rewritten MBR can boot Windows, Windows fdisk can make Linux bootable again, etc.) Basically, the MBR code just examines the partition table (in RAM - the BIOS doesn't care or know about the last 66 bytes being the partition table. It loads the entire 512 byte sector into RAM), finds an entry marked with an "active" flag, and copies the first sector out of that partition into RAM and jumps into that code.

      Extended partitions are the devil, which is why most MBRs can't boot from an extended partition.
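The 512-byte layout tlhIngan describes (boot code, four 16-byte partition entries, two-byte 0x55AA signature) is small enough to parse by hand, and the same parse gives you the BIOS-style comparison from the second point. The following is an added example, not code from the thread or from any product mentioned in it: it parses a sector, picks the entry a standard MBR would chain-load, and reports which region of a saved copy differs from the sector read now, so a bootkit that patches the code region is told apart from a legitimate repartition that only touches the table. The sample sectors, the stand-in boot-code prologue and the partition values are all constructed for the example.

```python
import hashlib
import struct

# Classic MBR layout (standard values): 446 bytes of boot code, four 16-byte
# partition entries at offset 446, and the 0x55 0xAA boot signature at offset 510.
SECTOR_SIZE = 512
CODE_SIZE = 446
TABLE_OFFSET = 446
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
REGIONS = (("code", 0, TABLE_OFFSET),
           ("table", TABLE_OFFSET, SIGNATURE_OFFSET),
           ("signature", SIGNATURE_OFFSET, SECTOR_SIZE))


def parse_partition_table(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for index in range(4):
        offset = TABLE_OFFSET + index * ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, sector[offset:offset + ENTRY_SIZE])
        if ptype == 0:
            continue                      # unused slot
        entries.append({"index": index, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def active_partition(sector):
    """The entry standard MBR code chain-loads: exactly one slot must carry the 0x80 flag."""
    active = [e for e in parse_partition_table(sector) if e["active"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active partition, found %d" % len(active))
    return active[0]


def code_hash(sector):
    """SHA-256 of the boot-code region only, so a repartition does not change the value."""
    return hashlib.sha256(sector[:CODE_SIZE]).hexdigest()


def changed_regions(baseline, current):
    """The BIOS-style check: which regions differ between a saved copy and the sector read now."""
    return [name for name, lo, hi in REGIONS if baseline[lo:hi] != current[lo:hi]]


def build_mbr(code, partitions):
    """Assemble a sector from boot-code bytes and (active, type, lba_start, sectors) tuples.
    CHS fields are set to 0xFFFFFF as LBA-only tools do. Used here to construct sample data."""
    if len(code) > CODE_SIZE:
        raise ValueError("boot code exceeds %d bytes" % CODE_SIZE)
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code)] = code
    for index, (active, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET + index * ENTRY_SIZE,
                         0x80 if active else 0x00, b"\xff\xff\xff", ptype, b"\xff\xff\xff",
                         lba_start, sectors)
    sector[SIGNATURE_OFFSET:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a stand-in prologue (xor ax,ax / mov ss,ax / mov sp,0x7c00) padded
# with NOPs, one active NTFS partition and one Linux partition. Real boot code is not NOPs.
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (CODE_SIZE - 7)
CLEAN_MBR = build_mbr(CLEAN_CODE, [(True, 0x07, 63, 2_097_152),
                                   (False, 0x83, 2_097_215, 1_048_576)])

# Same table, but the code now starts with a short jump into a patch (a bootkit-style edit).
INFECTED_MBR = bytearray(CLEAN_MBR)
INFECTED_MBR[0:2] = b"\xeb\x40"
INFECTED_MBR = bytes(INFECTED_MBR)

# Same code, different layout, as a legitimate repartition would produce.
REPARTITIONED_MBR = build_mbr(CLEAN_CODE, [(True, 0x07, 2048, 2_097_152)])


if __name__ == "__main__":
    import sys
    # Pass a raw device (e.g. /dev/sda, needs root) to inspect a real first sector.
    sector = open(sys.argv[1], "rb").read(SECTOR_SIZE) if len(sys.argv) > 1 else CLEAN_MBR
    print("boot code sha256:", code_hash(sector))
    for entry in parse_partition_table(sector):
        print("slot %d type 0x%02x lba %d sectors %d%s" % (
            entry["index"], entry["type"], entry["lba_start"], entry["sectors"],
            " (active)" if entry["active"] else ""))
```

Keep `code_hash()` of a known-good sector somewhere the running system cannot alter and compare after each boot. The check tells you that the code changed, not what it does; and a dropper that writes the original code back after installing its driver leaves nothing here to find, so it complements rather than replaces a filesystem scan from clean media.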
  17. Re:You have run Vista with elevated administrative by jamstar7 · · Score: 0, Redundant

    So how hard is it to exploit a flaw that gives a program elevated admin permissions?

    --
    Understanding the scope of the problem is the first step on the path to true panic.
  18. Hmm! by Anonymous Coward · · Score: 0

    some words come to mind, in particular:

    "I came for a colossal doughnut, and I'm gonna get a colossal doughnut"

  19. This is a security flaw...why? by Myria · · Score: 3, Insightful

    A program running as root takes over a machine. News at 11!

    It's really annoyed me that security companies continually report these things when they have no relevance to actual security. The concentration should always be on preventing malware from acquiring root access in the first place. Vista, despite its faults, actually does a much better job of this than its predecessors.

    Also, this is Slashdot. Slashdot has Linux users, and wouldn't Linux users know that overwriting is even easier to do in Linux than NT? "dd if=trojan.bin of=/dev/hda", anyone?

    By the way, there are many more bad things you can do as Administrator than just hack the boot sector. You can use bcdedit to create a fake Windows XP boot entry then put your Trojan kernel there.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
    1. Re:This is a security flaw...why? by PPH · · Score: 1

      By the way, there are many more bad things you can do as Administrator than just hack the boot sector.

      I guess that's why Administrator (root) is a completely separate user on *NIX systems, not just an attribute of some logged in user.
      --
      Have gnu, will travel.
    2. Re:This is a security flaw...why? by WK2 · · Score: 1

      To be fair, I inferred from the summary and article that this was possible by an ordinary user. After I read several comments on slashdot that say something similar to what you say, I checked the article, and read it carefully. Nowhere does it say whether or not Administrator access is required to use their rootkit. I would have assumed that it was not.

      If you are right, and Administrator access is required to write to the MBR, then this is certainly not a security-related issue.

      --
      Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
    3. Re:This is a security flaw...why? by HonIsCool · · Score: 1

      By the way, there are many more bad things you can do as Administrator than just hack the boot sector.
      I guess that's why Administrator (root) is a completely separate user on *NIX systems, not just an attribute of some logged in user.

      Is this a better approach do you think? If so, why?
      And have you heard of capabilities?
      --
      "Give me six lines of C++ code written by the most competent programmer, and I will find enough in there to hang him."
    4. Re:This is a security flaw...why? by DrSkwid · · Score: 1

      root itself is a security flaw

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    5. Re:This is a security flaw...why? by PPH · · Score: 1

      root itself is a security flaw
      Much less so than assigning Admin privileges to a regular user or depending on certificates to vouch for the benign nature of a package.

      I suppose you could design a system where the average user never needs to be troubled by understanding what is being done to their system and can delegate responsibility for its maintenance to some trusted third party. But no such third party exists.

      As long as I have to issue a sudo command or log in as root, it will take an amazing amount of social engineering/liquor/large breasted females to convince me to do something stupid.

      --
      Have gnu, will travel.
    6. Re:This is a security flaw...why? by DrSkwid · · Score: 1

      I shall repeat myself more verbosely, the ability of a regular user to log in via userland as a super user is a security flaw by design.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    7. Re:This is a security flaw...why? by PPH · · Score: 1

      There are no *NIX systems wherein regular users may log in as the superuser (root).

      --
      Have gnu, will travel.
  20. Code written to the last sectors of the disk by Anonymous Coward · · Score: 0

    It occurred to me that these last sectors are also (sometimes) used to store mirror info in gmirror, a GEOM "layer" I use to mirror my FreeBSD system. Just where the info is stored depends on the logical layout of your mirror devices, and are you really dual booting between Windows and a gmirrored BSD system? And blah, blah, blah.

    But I'm going to look into it.

  21. Re:You have run Vista with elevated administrative by Mr2001 · · Score: 1

    Not as hard as finding such a flaw in the first place. Why, have you found one?

    --
    Visual IRC: Fast. Powerful. Free.
  22. Can't write sectors anymore? Lame... by yeremein · · Score: 0

    The newest victim of DRM: disk imaging utilities.

    IIRC, that's what the "pagefile attack" was all about - getting the kernel to run unsigned code. To close that loophole, MS prevents you from performing raw writes.

    Oh well, dd on a Knoppix CD still works.

    Actually, come to think of it, if this raw-write-disallowing only applies to disks that have pagefiles on them, then this wouldn't be a real loss, because you'd be unable to lock the volume anyway--and restoring over the existing pagefile would be a Bad Thing in terms of system reliability and such.

  23. bootkey by Tumbleweed · · Score: 4, Informative

    If a person wanted to be sure, couldn't you burn a boot loader onto a CD, have the CD boot first, and have that direct the loading? IANLWK (I am no Linux Whiz Kid), but in my imperfect knowledge of the world, that seems like it would completely defend against this type of attack. I yearn for correction of my ways if this wouldn't work.

    Or better yet, a USB key - a key that lets you start your computer. No key, no start. Faster than a CD, no moving parts, etc. Me likes.

    1. Re:bootkey by Anonymous Coward · · Score: 0

      The point of the cd boot is the cd is a read-only medium

    2. Re:bootkey by Anonymous Coward · · Score: 0

      Or better yet, a USB key - an key that lets you start your computer. No key, no start. Faster than a CD, no moving parts, etc. Me likes.

      Oh boy dongles! Just what I want! My computer / software won't operate correctly without this USB stick. But have faith in the license management company and their secretive ways. They're there to protect you and your interests. Really... Okay a boot loader on USB stick isn't quite so bad, but like someone responded to you already, a CD would be read-only.

      I think on linux you'd have to be root to do something like dd if=/dev/zero of=/dev/sda bs=512 count=1 ... so I don't think some arbitrary user level exploit or malware would be able to write to the MBR. And wasn't both linux and now vista GPT aware? I haven't read too far into that yet. Hmm

    3. Re:bootkey by c0d3h4x0r · · Score: 1

      Or better yet, a USB key - a key that lets you start your computer. No key, no start. Faster than a CD, no moving parts, etc. Me likes.

      Until you lose your USB key...
      --
      Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
  24. Okay, found some documentation on this by yeremein · · Score: 2, Interesting

    Here.

    It actually looks reasonable - you can still perform raw disk writes from userland (with admin rights, of course) - you just can't write over a mounted volume. Disk imaging utilities will still work, provided they dismount any volumes before they overwrite them (which they ought to be doing anyway; I should know, I wrote a Windows disk imaging utility at my last job).

    And of course, you can't dismount a disk with an active pagefile on it, so it solves that vulnerability. But it does so in a reasonable way--I can't really imagine why a well-behaved program would want to scribble over a mounted volume; you don't know whether the cache is just going to clobber what you wrote in a second anyway. So I apologize for my FUD in the parent message; this security feature actually seems to strike a good balance.

    Now the FUD in TFA is another story...

  25. Back in the day by AndGodSed · · Score: 1

    (which was only a few years ago 1999ish :)) we used to refer to it as PEBCAC errors. Problem Exists Between Keyboard And Chair.

    Also of course was the prevalent ID10T virus. I swear, we once actually told a guy that after he wiped his pc for the n'th time, and he ate it all up...

    1. Re:Back in the day by spootle · · Score: 1

      I didn't know keyboard was spelt with a C.

    2. Re:Back in the day by AndGodSed · · Score: 1

      Bwahahaha... it would seem the PEPCAK strikes again!

    3. Re:Back in the day by AndGodSed · · Score: 1

      Oh dear... I seem to be on a roll... I K'd the wrong C... *bangs head on C... erm Keyboard*

    4. Re:Back in the day by Anonymous Coward · · Score: 0

      Ha, keep your tail Petween your legs!

    5. Re:Back in the day by Fred_A · · Score: 1

      Oh dear... I seem to be on a roll... I K'd the wrong C... *bangs head on C... erm Keyboard*

      Problem Exists Between Chair and Keyboard
      Problem Exists Between Keyboard and Chair

      Hmm... choices, choices...

      Same difference IMO.
      --

      May contain traces of nut.
      Made from the freshest electrons.
    6. Re:Back in the day by Killjoy_NL · · Score: 1

      Just go for PICNIC

      Problem In Chair, Not In Computer

      ^_^

      --
      This is the sig that says NI (again)
  26. I Thought Vista Was a Re-Write? by BigAssRat · · Score: 1

    Once again, I thought Vista was supposed to be a complete re-write of Windows code. How do they manage to keep the same old buggy code from NT 4.0?

    1. Re:I Thought Vista Was a Re-Write? by flyingfsck · · Score: 3, Funny

      Uhmm, that is thanks to the extensive experience of the programmers and an advanced programming tool invoked with the secret codes ctrl-c and ctrl-v...

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  27. MR Team? by tieTYT · · Score: 1

    Let me get this straight... Windows is so insecure a team of Mental Retards can hack it?

    1. Re:MR Team? by nullCRC · · Score: 1

      No, you don't even need a team to do that.

      --
      Vescere bracis meis.
  28. Round and round we go... by Fizzl · · Score: 2, Funny

    MBR was THE attack vector for viruses back in the good old times of MS-DOS and floppies. Now it's new again?

  29. Like Freud would say... by g4b · · Score: 0

    ... it is a clear sign of Oedipus Complex in that family.

    Now I understand, why every Windows is always afraid giving away any USB Stick.

  30. Flashback by Anonymous Coward · · Score: 0

    Something wonderful has happened, your Windows is alive!

  31. Educated users on safe platforms by SpaceLifeForm · · Score: 1

    Under GNU/Linux, you typically have better educated users. There is no need to defend against those users, they are not attacking their own machine. It is uneducated users that are tricked into executing malicious code, that allow outside attackers to control their machine.

    He Who Controls the Bootloader

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
    1. Re:Educated users on safe platforms by rossjudson · · Score: 5, Insightful

      Security by arrogance. That's a new one.

    2. Re:Educated users on safe platforms by Anonymous Coward · · Score: 0

      Not a new one to people who use windows.

    3. Re:Educated users on safe platforms by DrSkwid · · Score: 1

      Yeah, those NVidia drivers that let you remote root were the fault of uneducated users tricked into running malicious code. http://kerneltrap.org/node/7228

      It's only one of many over the years.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    4. Re:Educated users on safe platforms by myvirtualid · · Score: 2, Insightful

      Under GNU/Linux, you typically have better educated users.

      This was true back in the day, that is, when virtually all Linux users were home-brew hacking DIYers who either loved all things CSish or hated all things M$ish and knew there were alternatives.

      You know, the gentoo and sid crowds.

      Then RedHat happened and Ubuntu happened and hell froze over and DELL and HP started shipping systems with an OS other than Windoze and what you say is no longer true.

      It's probably still true that the majority of Linux users are "better educated" (or, perhaps, informed and intent hacker hobbyists) and that virtually all people running Linux servers fall into that crowd, but it is no longer true that "only the educated" run Linux.

      There are enough people now running Linux because it just works for them, enough people who still aren't really clear on what OS is and DO NOT NEED TO BE!. Seriously, why should they give a damn, they just want their computer to work, just like they want their car and their alarm systems and the elevators downtown to work without having to know a ton of geeky crap or push 16 buttons in exactly the right sequence slap!... ...where was I?

      There are enough people now running Linux because it just works that Linux needs to consider that these users may not always know what they are doing. Ubuntu does this pretty well, with the way things are hidden behind an extra password dialog, along with decent - adequate? - explanatory text. It should be enough to give sufficient pause to prevent serious damage.

      There is no need to defend against those users, they are not attacking their own machine.

      It's not a question of users attacking their own machines. It's a question of preventing accidental damage of the kind that Linux seemed to once revel in encouraging....

      It is uneducated users that are tricked into executing malicious code, that allow outside attackers to control their machine.

      Bollocks. Everybody makes mistakes. Windows - at least older versions - ensured that all mistakes were grave. Modern Linux - and modern Windows when properly configured and properly patched (is this an NP problem? :->) - make it so mistakes are less likely to be 100% fatal 100% of the time.

      And to return to your first quote....

      Under GNU/Linux, you typically have better educated users.

      Under BSD, you typically have better educated users.

      There, fixed that for you.

      (I don't use BSD, never have, but I do recognise that Linux has, for whatever reason, taken off in non-geek circles in a way BSD has yet to, and may never want to. Don't get me wrong, some of the BSD products seem downright amazing, but the user bases of BSD and Linux have diverged considerably, and for the moment Linux is winning the popularity contest. Does that make it better? No. Worse? No. Just more popular.)

      --
      I'm here EdgeKeep Inc.
    5. Re:Educated users on safe platforms by Some_Llama · · Score: 1

      "Security by arrogance. That's a new one."

      Obviously you haven't heard of Apple computers?

    6. Re:Educated users on safe platforms by myowntrueself · · Score: 1

      Under BSD, you typically have better educated users.

      Right... and that would include OSX, eh?

      --
      In the free world the media isn't government run; the government is media run.
    7. Re:Educated users on safe platforms by rossjudson · · Score: 1

      Obviously I haven't. Good point. ;)

  32. Re:Why is Windows still using MBR? by Anonymous Coward · · Score: 0

    It appears you're running out of new racial slurs to use. I mean seriously, wopcock?

  33. Had a rootkit virus on XP for 5 years by Anonymous Coward · · Score: 0

    I had a recurring rootkit virus on XP for 5 years before someone created the definitions to fix it. The only thing I could do was format the drive completely and restore from disk to remove it. I could remove it then every 3-6 months I would get it again probably from an old floppy or cd. (?) I was able to remove it finally with AVG or Karpinski I forget.

    1. Re:Had a rootkit virus on XP for 5 years by DanJ_UK · · Score: 1

      Kaspersky?

      --
      - Dan
  34. Um... by Anonymous Coward · · Score: 0

    With administrative privileges, if overwriting the MBR from userland is blocked, couldn't malicious code always install a device driver that does that job?

  35. DOS 3.3 called... by (Score.5,+Interestin · · Score: 2, Funny

    ... it wants its viruses back!

    If you read the OP this is pretty much what DOS viruses were doing 20 years ago. Wow.

  36. Re:You have run Vista with elevated administrative by lhorn · · Score: 1

    Most motherboards from the last part of previous century on had boot virus protection in some form, usually a write block on the first sectors of the first harddisk. This was enabled/disabled in the BIOS setup and effectively stopped any attempt to modify these sectors. Had to be turned off for OS installation, lilo modification etc, but I found it well worth the hassle. Has this disappeared? (Found on a P4B close by - so Asus had it recently)

    --
    accept no limits but time
  37. MBR is a vulnerability by definition by ajs318 · · Score: 1

    The MBR is a vulnerability by definition. Almost the only way to protect it is by having a jumper on the HDD itself, which must be fitted to enable writing to the MBR and must be removed to enable booting. That means that every time you want to install a bootstrap loader, you will have to open up the machine and muck about inside it.

    Question is, is the threat from the MBR vulnerability significant enough to warrant such a drastic solution?

    --
    Je fume. Tu fumes. Nous fûmes!
  38. Except... by Junta · · Score: 1

    Under linux, that's dictated by /etc/localtime. So, Linux isn't different from Windows in that respect.

    There are applications which independently track the time zone, but they piss me off because they don't concur and I don't feel like selecting my time zone per application.

    --
    XML is like violence. If it doesn't solve the problem, use more.
    1. Re:Except... by Anonymous Coward · · Score: 0

      That's just the default, the TZ environment variable overrides this.

  39. MS or Plextor's issue? by phorm · · Score: 1

    I'm not sure if you can blame MS in this case though. If your machine is interfacing with the device through a plextor driver, which similarly allows the firmware update (as a non-privileged user), I'd say the weakness is Plextor's. Drivers need to be able to do their thing, and I'm not really sure that the OS could easily differentiate between a driver reading/writing a DVD or writing firmware. So if this were the case, MS wouldn't really be to blame unless it was actually their driver, or perhaps if the Plextor driver passed MS Certification.

  40. Ultimate Boot CD for Windows (UBCD4Win) by Futurepower(R) · · Score: 1

    There is a simple solution: Boot from the Ultimate Boot CD for Windows (UBCD4Win), and run a scan on all the boot sectors of all hard drives. Since the original, possibly infected, operating system and hard drives are not in control, the rootkit has no effect.

    1. Re:Ultimate Boot CD for Windows (UBCD4Win) by homer_ca · · Score: 1

      That may or may not help. You could write an MBR rootkit to only run once to install the malicious kernel driver. That way it would survive an MBR restore, but there would also be evidence of the rootkit in the Windows filesystem or registry. Still, you're right that using a boot CD to scan the boot sectors and filesystem will bypass the rootkit.

  41. This is not too shocking by arkham6 · · Score: 1

    Being appalled is the natural state of existence for a Windows sysadmin.

  42. In Reply to Your Sig by Dareth · · Score: 1

    Why do death penalty advocates mostly oppose abortion while vegans mostly support it?

    Because it is easier to justify executing someone for murder or other horrible crime, than for simply being inconvenient.

    --
    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  43. No root, no problem by ajs318 · · Score: 1

    Disabling the root account is simply done by having no entry, or an invalid entry (i.e. containing a character in the "scrambled password" field which cannot be generated by the scrambling algorithm, i.e. matching [^A-Za-z0-9./] and thus preventing any rescrambled password from ever matching it), for "root" in the file /etc/shadow.

    Booting with "init=/bin/sh" means that instead of starting the process scheduler init (which would then run several instances of getty; each of which runs login, which checks that you entered a valid login that appears in /etc/passwd, a password which when scrambled matches the corresponding one in /etc/shadow and, if so, launches a program specified in /etc/passwd -- usually a shell -- in the name of the user whose login you typed), you start the shell directly, without having your login checked. You can only have one process going on at once, but that's still enough to have some phun with. And the shell just conveniently assumes your userid number is 0, which is root, so you get all the powers and none of the responsibilities.

    Once you've done the passwd step, you have now created a valid /etc/shadow entry for root; and thus even if the root account was disabled before, you've enabled it. Later, you will restore the old (possibly bogus or non-existent) entry to the /etc/shadow file. You really should fix the timestamp on this; but you already left a big enough clue that you'd been mucking around when you rebooted the box. If the sysadmin doesn't notice that, hell, you might as well just pick the machine up and wander out the front door with it. (Probably doesn't even look suspicious if you have a pair of coveralls and an ID badge.)

    --
    Je fume. Tu fumes. Nous fûmes!
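    As an added example (not part of the thread), here is a small POSIX shell script that checks the two things the comment above turns on: whether root's entry in an /etc/shadow-format file is disabled by the "invalid scrambled password" trick, and whether a file's mtime has been rolled back behind its ctime, which a `touch` cannot hide. The sample shadow lines are constructed; the only assumptions are awk(1) and, for the optional file wrapper, GNU stat(1) and touch(1). One caveat on the comment's character-class rule: modern crypt(3) hashes have the form `$id$salt$hash`, so `$` has to be accepted as a legitimate hash character or every current system reports root as disabled.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes awk(1); GNU stat(1)/touch(1)
# are needed only by the optional file wrapper and the demo at the end.

# shadow_root_state FILE
# Prints one word: absent | empty | locked | enabled.
# The thread's rule ("any character outside [A-Za-z0-9./] can never be
# produced by the scrambler") predates $id$salt$hash formats, so '$' is
# accepted here; a leading '!' or '*' is the conventional lock marker.
shadow_root_state() {
    awk -F: '
        $1 == "root" { found = 1; hash = $2 }
        END {
            if (!found)                    { print "absent";  exit }
            if (hash == "")                { print "empty";   exit }  # passwordless root
            if (hash ~ /^[!*]/)            { print "locked";  exit }  # usual lock marker
            if (hash ~ /[^A-Za-z0-9.\/$]/) { print "locked";  exit }  # unmatchable hash
            print "enabled"
        }' "$1"
}

# timestamps_suspicious MTIME CTIME
# Returns 0 (true) when ctime is later than mtime. touch(1) can roll mtime
# back, but the kernel updates ctime on every inode change and offers no
# interface to set it, so an mtime older than the ctime means either the
# mtime was reset or only metadata (chmod, chown) changed; worth a look.
timestamps_suspicious() {
    [ "$2" -gt "$1" ]
}

# file_timestamps_suspicious FILE   (GNU stat assumed)
file_timestamps_suspicious() {
    set -- $(stat -c '%Y %Z' "$1")
    timestamps_suspicious "$1" "$2"
}

# Demo on a constructed shadow file (placeholder hash, not a real one).
demo=$(mktemp)
cat > "$demo" <<'EOF'
root:!:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
alice:$6$saltsalt$NotARealHashJustPlaceholderCharacters0123456789./:14000:0:99999:7:::
EOF
printf 'root account: %s\n' "$(shadow_root_state "$demo")"
touch -d '2000-01-01' "$demo" 2>/dev/null   # roll mtime back, as in the thread
if file_timestamps_suspicious "$demo"; then
    printf '%s: mtime older than ctime, timestamp was reset\n' "$demo"
fi
rm -f "$demo"
```

    The ctime check is the practical answer to "you really should fix the timestamp": the attacker can put mtime back with `touch`, but cannot put ctime back without raw access to the filesystem, so `stat /etc/shadow` showing a Change time later than the Modify time is exactly the clue the comment says gets left behind.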
  44. BIOS Boot Sector Virus Protection Deprecated? by DarthStrydre · · Score: 1

    Actually, it seems most modern BIOSes do NOT have this option. I have not tested it, but I assume that even if the option is set, it can only trap calls made through the BIOS int13h. (DOS, Windows 3.1, Windows 9x/Me in legacy disk access mode only) Once you transition to protected mode and the 32-bit realm, the BIOS is out of the loop for disk access. It is possible that somehow the Southbridge, or disk controller can get programmed to look for LBA 0x00000000 or CHS 0,0,1 accesses and block them, but I do not believe this is the case.

  45. Windows 98SE by Yvan256 · · Score: 1

    Say what you want about Windows 98SE, but it still runs quite a number of games and is immune to Windows 2000/XP/Vista crapware.

    1. Re:Windows 98SE by Yvan256 · · Score: 1

      Yes, I know, it IS vulnerable to this particular kind of problem. I was talking about more recent viruses and trojans. :D

  46. RECOVERY CONSOLE & FIXMBR, all a body needs vs by Anonymous Coward · · Score: 0

    Uh, any antivirus program worth its salt nowadays checks the boot record.

    Now, SINCE this is a rootkit, or even a device driver driven trojan, out of Ring 0/kernelmode/RPL 0 etc. et al, & one that MIGHT disable antivirus tools, OR, misreport info to them? Ok... then, admittedly, I might be wondering myself, was my machine acting up in any way... & you're also probably "not sure if you have this bug or not" due to its mechanics (noted above (if things on your rig are acting stupidly))??

    Repair it!

    Recovery Console has an EASY fix as well, called the fixmbr command, to do so.

    (& you can install it into Windows 2000 upwards, using (insert cd/dvd letter here):\i386\winnt32.exe /cmdcons & have it as an easy to use boot option, no F8 bootup OR even OS installation disk required then)

  47. To avoid that by Anonymous Coward · · Score: 0

    You can use parameters "password" and "restricted" in lilo.conf
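    As an added example (not from the thread), a minimal /etc/lilo.conf showing the two options the comment refers to. With `restricted`, LILO only asks for the password when extra parameters such as `init=/bin/sh` are typed at the `boot:` prompt, so unattended default boots still work; `password` on its own would demand it on every boot. Device names, paths and the password are placeholders.

```conf
# Added example, not the thread's own configuration. Placeholders throughout.
boot=/dev/hda
prompt
timeout=50
default=linux

# Global: password required only when kernel parameters are given at the
# "boot:" prompt, which is exactly the init=/bin/sh case discussed above.
restricted
password="replace-me"

image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
```

    Two things to remember: the password sits in cleartext in the file, so `chmod 600 /etc/lilo.conf`, and nothing takes effect until `/sbin/lilo` is re-run to write the new boot sector. It only protects LILO's own prompt; anyone who can boot from another medium, or overwrite the boot sector the way this article's rootkit does, walks straight past it, which is the "physical access and sufficient time" point made later in the thread.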

  48. Hybrid Vigor by SanityInAnarchy · · Score: 1

    By the way, this technique does NOT work on all systems. I'm not entirely sure about the last time I tried it on Ubuntu, but on at least some systems, the initrd will also respond to init=foo, thus you'll get the initrd environment. That's not to say that you couldn't do similar damage from there (including running a root shell on the "real" system), I'm just stressing that there is no one way to attack all Linux systems.

    Also, some of your stuff here is sloppy, on the systems for which it will work. "init 6" is not what you want -- you don't have init running at all at this point. What you want is to manually unmount, or "mount -o remount,ro", every filesystem, then sync, then either physically reboot or mess with /sbin/poweroff and such.

    Or you can simply set everything back to the way you found it (mounted readonly and such), then "exec /sbin/init", and the system will have absolutely no clue that you changed anything.

    Regardless, on anything, you just need physical access to the machine and sufficient time.

    --
    Don't thank God, thank a doctor!
    1. Re:Hybrid Vigor by ajs318 · · Score: 1

      By the way, this technique does NOT work on all systems. I'm not entirely sure about the last time I tried it on Ubuntu, but on at least some systems, the initrd will also respond to init=foo, thus you'll get the initrd environment. That's not to say that you couldn't do similar damage from there (including running a root shell on the "real" system)
      Ubuntu have been experimenting with upstart as a replacement for the traditional init lately, and I don't know for sure how compatible this is with the existing syntax.

      It's possible to continue the boot process manually if you somehow find yourself within the initrd environment, including launching a root shell. The only times I've ever managed to get a machine in that state have been while I was mucking around trying to build my own distro (actually by modifying someone else's distro, but isn't that how everyone does it?) and missed out some important file or other.

      I'm just stressing that there is no one way to attack all Linux systems.
      Which is a good thing in and of itself. Biodiversity in ecosystems, and all that.

      "init 6" is not what you want -- you don't have init running at all at this point. What you want is to manually unmount, or "mount -o remount,ro", every filesystem, then sync, then either physically reboot or mess with /sbin/poweroff and such.
      It doesn't really matter about init not running. The command as given will launch init, going straight into runlevel 6 (i.e. reboot). You're right that it would be possible to remount / read-only and # exec /sbin/init with no need for a reboot -- I hadn't thought of that. Must be some vestiges of Windows badness still glooping around in my brain!
      --
      Je fume. Tu fumes. Nous fûmes!
    2. Re:Hybrid Vigor by SanityInAnarchy · · Score: 1

      Ubuntu have been experimenting with upstart as a replacement for the traditional init lately, and I don't know for sure how compatible this is with the existing syntax.

      Pretty close. They haven't been using upstart nearly as much as I think they should -- most things are still following the old SysV design.

      It's possible to continue the boot process manually if you somehow find yourself within the initrd environment, including launching a root shell.

      I know, just pointing out, you can't do it with the same commands. The "init=/bin/sh" line will probably work in an initrd, but the process of getting to the "real" filesystem is a lot harder. (Fortunately, for the most common case, it's possible to simply unmount the root filesystem, sync, and then ctrl+alt+del or hard reboot.)

      It doesn't really matter about init not running. The command as given will launch init, going straight into runlevel 6 (i.e. reboot).

      Ah, I see. Still, does it work well, considering that was not an "exec" command, and therefore, init won't be running as PID 1? I kind of didn't like the idea of leaving the bash process around, even only for a reboot.

      You're right that it would be possible to remount / read-only and # exec /sbin/init with no need for a reboot -- I hadn't thought of that. Must be some vestiges of Windows badness still glooping around in my brain!

      Just be thankful that you didn't have to mess with initrds as much as I did. (This was before I moved to ubuntu, where I can generate/update a stock initramfs with one command.)

      --
      Don't thank God, thank a doctor!