Slashdot Mirror

← Back to Stories (view on slashdot.org)

Boot Record Rootkit Threatens Vista, XP, NT

Posted by kdawson on from the writing-to-zero dept.

Paul sends us word on a new exploit seen in the wild that attacks Windows systems completely outside of the control of the OS. "Unfortunately, all the Windows NT family (including Vista) still have the same security flaw — MBR [Master Boot Record] can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected... At the end of 2007 stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected."

11 of 261 comments (clear)

  1. Re:Like it matters by Anonymous Coward · · Score: 3, Informative

    That'd require changes to the partition table, which is protected from NT's usermode IIRC.

  2. Re:Like it matters by MBCook · · Score: 5, Informative

    What if someone wrote a super small bootable virus,

    Yeah, like something that could fit in a 512 byte MBR...

    , then the virus' initial form used Partition Magic-like functionality to write its own partition

    Why bother?

    and stick the virus on it then tell the computer before restarting to boot from that one.

    That's what this does. It modifies the MBR to load the virus as a driver out of a pair of sectors.

    Then the virus can do whatever it wants to the MBR or basically anything else on the drive cuz no files or anything would be open.

    This already does whatever it wants. And the "files open" comment is non-sensical, the pre-boot environment has no concept of "open files", it's just a little 512 byte loader.

    I'm pretty sure Windows can't protect the MBR if it isn't running.

    There isn't much Windows (or any) OS can do when it isn't running.

    If you read the article (it contains scary things like x86 assembly, I know, but you can skip that) you'd see that the describe this hooks into the load routines used by Windows. By intercepting these calls and redirecting them, it prevents you from overwriting the MBR or even detecting that it's changed (to a degree). To fix this you have to open a clean environment (like the recovery console off the Windows CD) and have it fix the MBR.

    Amazing how even with all we've got, things go back to the same kind of viruses that were written back in the days of DOS 2.

    I wonder if this would be so easily possible with EFI based booting. OS X uses it. Vista SP1 supports booting using EFI off disks don't partitioned with the old DOS partition format.

    PS: Whoever modded the parent as informative either doesn't know what they're talking about, is drunk, or is in cahoots.

    PPS: Sorry. I've been looking for an excuse to use the word "cahoots" all day.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  3. Misleading... by SanityInAnarchy · · Score: 5, Informative

    Alright, I get the defense in depth concept, but I don't consider it to be a severe vulnerability that the MBR is writable while Windows is running. I consider that to be a feature, one I wish Microsoft did more of -- for example, I can install Linux from a Linux LiveCD, or I can install a second copy of it on another partition, etc. As far as I can tell, OS X is similarly flexible -- it forces you to type your password, but it can deliver a firmware update from within the OS -- think equivalent to a BIOS update, so even earlier than the MBR.

    So, to clarify: It's writable from userland, which is not the same as being writable by any user. If they have Admin access (which means you already clicked a "This program wants to modify your Master Boot Record, are you sure?"), you're already screwed -- kind of like how, on Linux, if they have root, you're already screwed.

    In other words, it's possible to modify your Master Boot Record without rebooting your computer. This is a good thing.

    What's more, this is not new. All that's new is that it's both in the wild (Blue Pill does the same thing), and that it's a rootkit (MBR Viruses have been around for a very long time now). If someone was trying to apply for a patent, you'd be jumping all over them with prior art...

    --
    Don't thank God, thank a doctor!
    1. Re:Misleading... by ajs318 · · Score: 4, Informative

      Actually, with Linux, you don't need the root password. You just need physical access to the machine. Reboot it. If running LILO, enter linux init=/bin/sh ; if running GRUB, edit the boot command line and include init=/bin/sh in it somewhere. Press RETURN. When you get the # prompt, enter
      # mount -oremount / to make the disk writable
      # awk '/^root/{print}' /etc/shadow > /old_root_password to make a copy of the old scrambled root password,
      # passwd and enter a password you can remember. Twice.
      # init 6 to reboot the machine again. You can now log in as root, using the password you supplied. No need for any special weapons, boot discs &c. This is one you can carry entirely in your head.

      To restore the original root password, the sequence is
      # awk '!/^root/{print}' /etc/shadow >> /old_root_password
      # cp -f /old_root_password /etc/shadow
      # rm -f /old_root_password       - don't use this till the last minute, because the password will be changed as soon as you modify /etc/shadow. I don't know if this works on other Unix systems.

      --
      Je fume. Tu fumes. Nous fûmes!
  4. You have run Vista with elevated administrative... by figleaf · · Score: 5, Informative

    ... to write to the MBR.
    For all other sectors Vista prevents writes to raw disk sectors even with admin permissions.

    Users withouts admin permissions/without elevation cannot write to the MBR in Vista.

  5. Re:How is it different from LILIO and Grub? by MBCook · · Score: 5, Informative

    Yes. That's all LILO, GRUB, NTLDR, and such do. They call the BIOS functions to read partition tables and such, load code from a specific place, and execute it.

    You could easily install LILO on the last sector of a disk (or anywhere else, just a free sector you can protect from being used). Write a little tiny program that does nothing but read that sector into memory (having known the address ahead of time, finding that code is what makes GRUB and NTLDR slightly more complex than this), and execute it. LILO would then continue having no idea what happened before it.

    Amazing little things, boot loaders. Check out the Wikipedia article on Master Boot Records. They talk about NTLDR where until XP/2K (when it got support for non-english error messages), the code was just a scant 139 bytes.

    Read about some of them. LILO is simple (and kind of stupid) and fits in 512 bytes. GRUB is smarter, and works by loading more code that it finds using it's first stage (which is under 512 bytes). It's a little tiny OS that only uses BIOS calls to load another OS. That's why you can edit entires, add new ones, etc. That couldn't fit in 512 bytes (and still be useful on most computers).

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  6. Re:Like it matters by Entropius · · Score: 3, Informative

    Two-word noun phrases are only hyphenated when used in adjective form. For instance:

    Gamma rays are a type of ionizing radiation.

    but

    The gamma-ray burst released 4.3 blargajoules of energy.

  7. Re:A boot sector virus? In my PC? by tlhIngan · · Score: 3, Informative

    Yeah right. Do you think the virus idiots know how to program a virus into 512 bytes these days? I've seen self-styled viruses that are carrying around msvcrt.dll. Those guys should be embarrassed.


    Actually, it's a bit less. The first sector of a hard disk contains the MBR code and the partition table.

    The partition table takes 64 bytes (16 bytes x 4 entries), and there's a two-byte signature that the BIOS checks to ensure the MBR is valid.

    That gives you roughly 446 bytes of code that you can actually run. Most MBR code basically reads the partition table, finds a partition with the "active" flag set, then loads the first sector of that partition into memory. The partition loader then copies more sectors from disk so it can load the OS.

    That's why you can install GRUB and LILO into either the partition or MBR. The MBR version basically overwrites the existing MBR to always load LILO or GRUB regardless of what the partition table says. The partition version relies on the MBR code passing it control.

    Of course, having the first cylinder of a disk unused makes it convenient to stash away the extra code you need.
  8. Re:Solution is in your BIOS settings by tlhIngan · · Score: 3, Informative

    As I know, most 3rd party motherboards offer "anti-virus" or the "write protect MBR" options. Even if available I doubt they will work when using onboard RAID features.

    Basically, you leaves these options off when installing the OS. Once you're finished, you can safely turn them on. I'm not sure how often NTFS needs access to the MBR, but I know I've never had trouble leaving these features enabled with FAT32.


    Ah, but these things only work in two ways:

    1) The write protect only works if the OS makes a BIOS call to the MBR. The BIOS then traps this request and asks if you mean to write to the MBR. This works pretty well as most boot sector virii exist in DOS, which uses the BIOS, rather than Windows.

    2) The BIOS makes a copy of the MBR and saves it in the CMOS. On boot, it loads the boot sector as normal, and does a quick comparison (it's only 512 bytes). If it differs (because someone overwrote the MBR code, or someone changed the partition table), it asks what you want to do - restore from backup, or accept the modifications.

    No good filesystem should need the MBR once the system is booted. Other than reading the partition table. (The MBR, being 446 bytes in size, is also pretty standardized, which is why any utility that rewrites the MBR code can get your system booting again. Linux rewrites MBR can boot Windows, Windows fdisk can make Linux bootable again, etc. Basically, the MBR code just examines the partition table (in RAM - the BIOS doesn't care or know about the last 66 bytes being partition table. It loads the entire 512 byte sector into RAM), finds an entry marked with an "active" flag, and copies the first sector out of that partition into RAM and jumps into that code.

    Extended partitions are the devil, which is why most MBRs can't boot from an extended partition.
  9. Re:How is it different from LILIO and Grub? by Anonymous Coward · · Score: 3, Informative

    No. LILO, GRUB and (joking aside) the Microsoft bootloader are not malicious (the microsoft one is stupid, but not malicious). If the 512 bytes does something else - like, oh, jump to the main part of the virus stashed in the filesystem, then it's a problem. The real craziness here is windows letting userspace write to the MBR without so much as a "uh, you sure you want to do that?". It'll pop up 50 UAC requesters asking about trivialities, but when it comes to something that can totally hose your system's ability to restart in a fraction of a second? Not a peep.

    Now, linux will actually let you do that as root, too, but not otherwise. The problem is most people run windows as the equivalent of root.

  10. bootkey by Tumbleweed · · Score: 4, Informative

    If a person wanted to be sure, couldn't you burn a boot loader onto a CD, have the CD boot first, and have that direct the loading? IANLWK (I am no Linux Whiz Kid), but in my imperfect knowledge of the world, that seems like it would completely defend against this type of attack. I yearn for correction of my ways if this wouldn't work.

    Or better yet, a USB key - an key that lets you start your computer. No key, no start. Faster than a CD, no moving parts, etc. Me likes.