Slashdot Mirror


Boot Record Rootkit Threatens Vista, XP, NT

Paul sends us word on a new exploit seen in the wild that attacks Windows systems completely outside of the control of the OS. "Unfortunately, all the Windows NT family (including Vista) still have the same security flaw — MBR [Master Boot Record] can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack; however, the first sectors of the disk are still unprotected... At the end of 2007 a stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in the near future if MBR stays unprotected."
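Since the story's point is that the first sectors of the disk are writable and unprotected, the defender's counterpart is to baseline and re-check them. The following is an added example, not code from the story or from the MR Team: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compares the boot code against a known-good SHA-256 baseline. The sample sectors and the boot-stub bytes are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
BOOT_SIG = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Decode a 512-byte MBR: boot code, four partition entries, boot signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # each 16-byte entry: status, CHS start (skipped), type, CHS end (skipped), LBA, size
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, BOOT_CODE_LEN + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": entries,
            "valid_signature": sector[510:512] == BOOT_SIG}

def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the 446-byte boot code area; record this as the baseline on a clean system."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()

def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return findings; an empty list means the MBR still matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in mbr["partitions"]) > 1:
        findings.append("more than one partition marked active")
    return findings

def make_sector(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot stub plus one active NTFS (type 0x07) partition."""
    part = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + part + b"\x00" * 48 + BOOT_SIG

GOOD = make_sector(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")      # clean stub (constructed)
TAMPERED = make_sector(b"\xeb\x3c\x90\x00\x00\x00\x00\x00")  # altered stub (constructed)
BASELINE = boot_code_hash(GOOD)

if __name__ == "__main__":
    print("good:", check_mbr(GOOD, BASELINE))          # []
    print("tampered:", check_mbr(TAMPERED, BASELINE))  # ['boot code differs from baseline']
```

On a real machine the 512-byte input would be the first sector read from the physical disk with administrative rights, and the baseline hash stored off the host so an attacker who already controls the disk cannot also rewrite the reference.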

6 of 261 comments

  1. Re:Like it matters by Opportunist · · Score: 5, Insightful

    Hen and egg. How does the virus get there in the first place? SOMEONE must first of all get it to execution. Malware doesn't suddenly jump in and exist. It has to be brought into the machine. A virus or trojan does jack when it just sits on your machine. It is a program. It has to be executed to do its "magic".

    There are exactly three ways to get this done. First, remote (RPC) exploits, which are easy to defeat with a router that does not allow any packets into sensitive ports. Second, exploits in programs. This is harder to secure, since you can never know whether your mail client or your web browser (or one of its myriad plugins) has such a vulnerability. Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).

    And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Treacherous Computing to the rescue! by Anonymous Coward · · Score: 4, Insightful

    I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.

    1. Re:Treacherous Computing to the rescue! by kvezach · · Score: 3, Insightful

      Initiating flame... done!

      I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.

      And you can "solve" crime with a ubiquitous secret police, but would you want to?

  3. This is a security flaw...why? by Myria · · Score: 3, Insightful

    A program running as root takes over a machine. News at 11!

    It's really annoyed me that security companies continually report these things when they have no relevance to actual security. The concentration should always be on preventing malware from acquiring root access in the first place. Vista, despite its faults, actually does a much better job of this than its predecessors.

    Also, this is Slashdot. Slashdot has Linux users, and wouldn't Linux users know that overwriting is even easier to do in Linux than NT? "dd if=trojan.bin of=/dev/hda", anyone?

    By the way, there are many more bad things you can do as Administrator than just hack the boot sector. You can use bcdedit to create a fake Windows XP boot entry then put your Trojan kernel there.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  4. Re:Like it matters by burnin1965 · · Score: 3, Insightful

    since you can never know whether your mail client or your web browser
    word processor, spreadsheet, presentation software, desktop database software, etc, etc. Since the whole idea of using a computer is to run code, there are a myriad of exploit possibilities in just about any application that has scripting capabilities or simply a bug in the code which can be used to execute code. This is the reason applications should not be running with permissions that allow operations like writing to the MBR when there is no reason to.

    Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).
    Like Windows ME? While it has virtually no market share, I'd hardly recommend it for use in any application. Actually your best bet is to use something that has a good secure design which tries to reduce the potential for exploits. My personal choice is Linux, and while it does not have the desktop market share of Windows NT variants it does have a massive server/router/appliance install base and it is continually under attack; however, over the years of using Linux for my desktop solutions I've yet to have any issues related to exploits.

    And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.
    Can you provide a link to the statistics showing "the most used and most successful way of infecting a machine" is by users executing the code themselves? Visiting a web page with a browser you are executing, or reading e-mail with a mail reader you executed, either of which may have an exploit via a code bug or scripting, is not the same thing as a user executing the code themselves. I assume you're suggesting that the users are actually clicking on the executable and intentionally running the code which infects their system, which does happen, but I'd like to see the study before I believe that is the #1 successful attack vector.
  5. Re:Educated users on safe platforms by rossjudson · · Score: 5, Insightful

    Security by arrogance. That's a new one.