Slashdot Mirror


Boot Record Rootkit Threatens Vista, XP, NT

Paul sends us word on a new exploit seen in the wild that attacks Windows systems completely outside of the control of the OS. "Unfortunately, all the Windows NT family (including Vista) still have the same security flaw — MBR [Master Boot Record] can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected... At the end of 2007 a stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in the near future if MBR stays unprotected."
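The story is about the first sector being rewritable, and the practical defender's question is how you would notice that it has been. Below is an added example, not code from the Slashdot story or from the MR Team researchers, that parses a 512-byte MBR image (446 bytes of boot code, four 16-byte partition entries, the 0x55 0xAA signature) and compares the boot-code region against a hash recorded on a known-clean system. The sample MBR bytes are constructed for the example (the "boot code" is filler, not real code), and a second helper patches only that region in memory to show why a partition-table-only check misses this class of tampering.

```python
# Added example (not from the Slashdot story or the MR Team research): parse a
# 512-byte MBR image and compare its boot-code region against a known-good hash,
# so a rewritten first sector is detectable after the fact.
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot code (the region a bootkit rewrites)
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510          # bytes 510..511: 0x55 0xAA boot signature
BOOT_SIGNATURE = 0xAA55      # the signature read as a little-endian u16


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (CHS fields kept raw)."""
    status, _chs_first, ptype, _chs_last, lba_first, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_first": lba_first,
        "sectors": sectors,
    }


def is_valid_mbr(image: bytes) -> bool:
    """True if the image is exactly 512 bytes and ends with the 0x55AA signature."""
    if len(image) != MBR_SIZE:
        return False
    return struct.unpack_from("<H", image, SIGNATURE_OFF)[0] == BOOT_SIGNATURE


def parse_mbr(image: bytes) -> dict:
    """Split an MBR image into a boot-code hash and the decoded partition table."""
    if not is_valid_mbr(image):
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = [
        parse_partition_entry(
            image[PART_TABLE_OFF + i * PART_ENTRY_LEN:
                  PART_TABLE_OFF + (i + 1) * PART_ENTRY_LEN])
        for i in range(4)
    ]
    return {
        "boot_code_sha256": hashlib.sha256(image[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
    }


def boot_code_matches(image: bytes, baseline_sha256: str) -> bool:
    """Compare the boot-code region against a hash recorded on a clean system."""
    return parse_mbr(image)["boot_code_sha256"] == baseline_sha256


def build_sample_mbr() -> bytes:
    """Constructed sample MBR (filler boot code, not real code): one bootable
    NTFS-type (0x07) partition starting at LBA 2048, three empty entries,
    valid signature."""
    boot_code = b"\xeb\x3c\x90CONSTRUCTED-SAMPLE".ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot_code + table + b"\x55\xaa"


def tamper_boot_code(image: bytes) -> bytes:
    """Simulate, in memory only, a rewrite of the boot-code region that leaves
    the partition table and signature intact (so the machine still boots and a
    partition-table-only check sees nothing)."""
    patched = b"\xeb\x3c\x90TAMPERED".ljust(BOOT_CODE_LEN, b"\x00")
    return patched + image[BOOT_CODE_LEN:]


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha256"]  # record this while the system is known-clean
    print("clean matches baseline:   ", boot_code_matches(clean, baseline))
    print("tampered matches baseline:", boot_code_matches(tamper_boot_code(clean), baseline))
    print("partition 0 still parses: ", parse_mbr(tamper_boot_code(clean))["partitions"][0])
```

On a real system the image comes from reading the first 512 bytes of the raw disk (for example `/dev/sda` on Linux or `\\.\PhysicalDrive0` on Windows, both of which need administrative rights even for reading), and the baseline hash should be stored somewhere the disk cannot alter. Two caveats follow from the story itself: the boot code legitimately changes when an OS or boot manager is reinstalled, so the baseline has to be refreshed on those events; and a rootkit that is already running in the kernel can filter sector reads and hand a clean copy back to userland, so the check is only trustworthy when run from a boot medium the suspect system did not control.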

10 of 261 comments

  1. Re:Why is Windows still using MBR? by Lost+Engineer · · Score: 2, Insightful

    Are you trolling?

    Macs use EFI and PCs use BIOS. That's why.

  2. Re:Like it matters by Opportunist · · Score: 5, Insightful

    Hen and egg. How does the virus get there in the first place? SOMEONE must first of all get it to execution. Malware doesn't suddenly jump in and exist. It has to be brought into the machine. A virus or trojan does jack when it just sits on your machine. It is a program. It has to be executed to do its "magic".

    There are exactly three ways to get this done. First, remote (RPC) exploits, which is easy to defeat with a router that does not allow any packets in to sensitive ports. Second, exploits in programs. This is harder to secure, since you can never know whether your mail client or your web browser (or one of its myriad plugins) has such a vulnerability. Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).

    And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Treacherous Computing to the rescue! by Anonymous Coward · · Score: 4, Insightful

    I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.

    1. Re:Treacherous Computing to the rescue! by kvezach · · Score: 3, Insightful

      Initiating flame... done!

      I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.

      And you can "solve" crime with a ubiquitous secret police, but would you want to?

  4. Re:Like it matters by m50d · · Score: 2, Insightful

    I wonder if this would be so easily possible with EFI based booting. OS X uses it. Vista SP1 supports booting using EFI off disks not partitioned with the old DOS partition format.

    I can't imagine that would make any difference. The computer needs to boot somehow, there are legitimate reasons for modifying the boot code (such as installing a new OS, or fixing flaws in it) so you can't just block it wholesale, and any program that runs at the boot stage will necessarily have complete control of your computer. About the best you can do is require the user to confirm before overwriting the MBR - something I thought windows already did (and if it doesn't, there's really no excuse for it not to) - but that's far from foolproof.

    --
    I am trolling
  5. This is a security flaw...why? by Myria · · Score: 3, Insightful

    A program running as root takes over a machine. News at 11!

    It's really annoyed me that security companies continually report these things when they have no relevance to actual security. The concentration should always be on preventing malware from acquiring root access in the first place. Vista, despite its faults, actually does a much better job of this than its predecessors.

    Also, this is Slashdot. Slashdot has Linux users, and wouldn't Linux users know that overwriting is even easier to do in Linux than NT? "dd if=trojan.bin of=/dev/hda", anyone?

    By the way, there are many more bad things you can do as Administrator than just hack the boot sector. You can use bcdedit to create a fake Windows XP boot entry then put your Trojan kernel there.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  6. Re:Like it matters by Anonymous Coward · · Score: 2, Insightful

    You get moderated down because you open your fool mouth without thinking. Remember the molten salt solar plant post? You basically repeatedly opened your gob to say, "I have no idea how all this works, but I'm much smarter than the guys who get paid megabux to design this stuff so <idiocy/>, <idiocy/>, <idiocy/>."

  7. Re:Like it matters by burnin1965 · · Score: 3, Insightful

    since you can never know whether your mail client or your web browser
    word processor, spreadsheet, presentation software, desktop database software, etc, etc. Since the whole idea of using a computer is to run code there are a myriad of exploit possibilities in just about any application that has scripting capabilities or simply a bug in the code which can be used to execute code. This is the reason applications should not be running with permissions that allow operations like writing to the MBR when there is no reason to.

    Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).
    Like Windows ME? While it has virtually no market share I'd hardly recommend it for use in any application. Actually your best bet is to use something that has a good secure design which tries to reduce the potential for exploits. My personal choice is linux and while it does not have the desktop market share of Windows NT variants it does have a massive server/router/appliance install base and it is continually under attack, however, over the years of using linux for my desktop solutions I've yet to have any issues related to exploits.

    And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.
    Can you provide a link to the statistics showing "the most used and most successful way of infecting a machine" is by users executing the code themselves? Visiting a web page with a browser you are executing or reading e-mail with a mail reader you executed, either of which may have an exploit via a code bug or scripting, is not the same thing as a user executing the code themselves. I assume you're suggesting that the users are actually clicking on the executable and intentionally running the code which infects their system, which does happen but I'd like to see the study before I believe that is the #1 successful attack vector.
  8. Re:Educated users on safe platforms by rossjudson · · Score: 5, Insightful

    Security by arrogance. That's a new one.

  9. Re:Educated users on safe platforms by myvirtualid · · Score: 2, Insightful

    Under GNU/Linux, you typically have better educated users.

    This was true back in the day, that is, when virtually all Linux users were home-brew hacking DIYers who either loved all things CSish or hated all things M$ish and knew there were alternatives.

    You know, the gentoo and sid crowds.

    Then RedHat happened and Ubuntu happened and hell froze over and DELL and HP started shipping systems with an OS other than Windoze and what you say is no longer true.

    It's probably still true that the majority of Linux users are "better educated" (or, perhaps, informed and intent hacker hobbyists) and that virtually all people running Linux servers fall into that crowd, but it is no longer true that "only the educated" run Linux.

    There are enough people now running Linux because it just works for them, enough people who still aren't really clear on what an OS is and DO NOT NEED TO BE! Seriously, why should they give a damn, they just want their computer to work, just like they want their car and their alarm systems and the elevators downtown to work without having to know a ton of geeky crap or push 16 buttons in exactly the right sequence slap!... ...where was I?

    There are enough people now running Linux because it just works that Linux needs to consider that these users may not always know what they are doing. Ubuntu does this pretty well, with the way things are hidden behind an extra password dialog, along with decent - adequate? - explanatory text. It should be enough to give sufficient pause to prevent serious damage.

    There is no need to defend against those users, they are not attacking their own machine.

    It's not a question of users attacking their own machines. It's a question of preventing accidental damage of the kind that Linux seemed to once revel in encouraging....

    It is uneducated users that are tricked into executing malicious code, that allow outside attackers to control their machine.

    Bollocks. Everybody makes mistakes. Windows - at least older versions - ensured that all mistakes were grave. Modern Linux - and modern Windows when properly configured and properly patched (is this an NP problem? :->) - make it so mistakes are less likely to be 100% fatal 100% of the time.

    And to return to your first quote....

    Under GNU/Linux, you typically have better educated users.

    Under BSD, you typically have better educated users.

    There, fixed that for you.

    (I don't use BSD, never have, but I do recognise that Linux has, for whatever reason, taken off in non-geek circles in a way BSD has yet to, and may never want to. Don't get me wrong, some of the BSD products seem downright amazing, but the user bases of BSD and Linux have diverged considerably, and for the moment Linux is winning the popularity contest. Does that make it better? No. Worse? No. Just more popular.)

    --
    I'm here EdgeKeep Inc.