Boot Record Rootkit Threatens Vista, XP, NT

Re:Like it matters by Anonymous Coward · 2008-01-07 14:50 · Score: 3, Informative

That'd require changes to the partition table, which is protected from NT's usermode IIRC.

Re:Why is Windows still using MBR? by Lost+Engineer · 2008-01-07 14:52 · Score: 2, Insightful

Are you trolling?

Macs use EFI and PC's use BIOS. That's why.

Messed up by Anonymous Coward · 2008-01-07 14:54 · Score: 5, Funny

Unfortunately, all the Windows NT family (including Vista) still have the same flaw -- incest. NT and ME were siblings who married to produce XP. It doesn't help any that NT's father, 95, produced NT via a union with his daughter, 98. XP then killed NT and had a child with ME. He later gouged his GUI out. The end result of all this is Vista. And you guys wonder why Vista has security issues? Poor guy must have complex on top of complex, not to mention more than a few birth defects.

Re:Messed up by phrostie · 2008-01-07 16:00 · Score: 1

ROTFL

i so wish i had mod points
Re:Messed up by jdjbuffalo · 2008-01-07 18:18 · Score: 1

LMAO. You win the award for the funniest post I've read on Slashdot in a while.

I only wish you had logged in. I never friend people with funny posts but I just might have for this one.

--
We have four boxes with which to defend our freedom: the soap box, the ballot box, the jury box, and the cartridge box.
Re:Messed up by module0000 · 2008-01-07 18:28 · Score: 1

Pfft. Pics or it didn't happen!

I, for one, welcome our byte-code spooging overlords.

--
Trackball users will be first against the wall.
Re:Messed up by o'reor · 2008-01-07 20:52 · Score: 3, Funny

It doesn't help any that NT's father, 95, produced NT via a union with his daughter, 98.
Gross. Well actually, NT (going back to 3.xx) was not the daughter of W95xW98, but rather the (already) bastard child of Win3.11 who raped his mother VMS during the First War of the OS (ugly, ugly -- you don't really want to know).
Therefore NT3.5 is W95's stepsister -- given that W95 is the legitimate heir of Win3.11. It turned out then that W95, who was a real pervert due to its dominant 16-bit gene, chkdsked his stepsister NT3.51 (they don't used words like "fscked" in that family, they have their own lingo), who begat NT4.0. Then NT4.0 and his aunt W98 both got drunk one night, and soon they gave birth to Win2K. Somehow at that point in the family tree, the 16-bit gene got culled out. But the inbreeding continues...

--
In Soviet Russia, our new overlords are belong to all your base.
Re:Messed up by Jugalator · 2008-01-07 21:57 · Score: 1

Hey now, what Vista can do, it can do damn well!

--
Beware: In C++, your friends can see your privates!
Re:Messed up by smchris · 2008-01-08 01:11 · Score: 2, Funny

Actually, the Ur-mother of the 32-bit desktop was probably OS2. Virtually unknown today and only spoken of among a small cult who cherish the old ways. There are rumors Microsoft itself indulged in the rites of OS2 before a conversion experience.
Re:Messed up by Neanderthal+Ninny · 2008-01-08 09:18 · Score: 1

This sounds like one big bad soap opera and they all should see Dr. Phil. Watch out Britney Spears, here comes the Windows family.
Re:Messed up by o'reor · 2008-01-08 09:35 · Score: 1

Indeed. And OS2's HPFS and NT's NTFS native file systems share more than a few similarities.

--
In Soviet Russia, our new overlords are belong to all your base.

Re:Like it matters by Nimey · 2008-01-07 14:54 · Score: 5, Funny

The slashot discussion system is a joke run by arrogant, biased, opinion nazis Tutorial:

1) That's "Slashdot". -1 for capitalization, -5 for spelling.
2) Nazi is capitalized.
3) Your sig is an automatic Godwin. Might want to fix that.
4) You didn't end your sentence with punctuation. This one calls for a period.
5) Arrogant? You bet!

--
Hail Eris, full of mischief...

E pluribus sanguinem

How is it different from LILIO and Grub? by snikulin · 2008-01-07 14:55 · Score: 4, Interesting

It's not a troll. I just want to know. If I put my code to MBR and LILO loader somewhere else and then start it, will it work? I guess so.

Re:How is it different from LILIO and Grub? by MBCook · 2008-01-07 15:18 · Score: 5, Informative

Yes. That's all LILO, GRUB, NTLDR, and such do. They call the BIOS functions to read partition tables and such, load code from a specific place, and execute it.
You could easily install LILO on the last sector of a disk (or anywhere else, just a free sector you can protect from being used). Write a little tiny program that does nothing but read that sector into memory (having known the address ahead of time, finding that code is what makes GRUB and NTLDR slightly more complex than this), and execute it. LILO would then continue having no idea what happened before it.
Amazing little things, boot loaders. Check out the Wikipedia article on Master Boot Records. They talk about NTLDR where until XP/2K (when it got support for non-english error messages), the code was just a scant 139 bytes.
Read about some of them. LILO is simple (and kind of stupid) and fits in 512 bytes. GRUB is smarter, and works by loading more code that it finds using it's first stage (which is under 512 bytes). It's a little tiny OS that only uses BIOS calls to load another OS. That's why you can edit entires, add new ones, etc. That couldn't fit in 512 bytes (and still be useful on most computers).

--
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Re:How is it different from LILIO and Grub? by snikulin · 2008-01-07 15:30 · Score: 1

> Yes. That's all LILO, GRUB, NTLDR, and such do.
So, the submission is a FUD attempt, then?
Re:How is it different from LILIO and Grub? by Alpha830RulZ · 2008-01-07 16:16 · Score: 1

So, having RTFA, it seems to me that at the very least, the little nasty is designed to work with the windows boot process, and currently would at least cause a grub based system to puke, giving you notice of a situation. Then you could use ahref=http://supergrub.forjamari.linex.org//rel=url2html-8983http://supergrub.forjamari.linex.org//>to fix your loader? On a sidenote, while SuperGrub isn't going to win any points for graphic style, it did an excellent job of fixing my Fully Ryobi'd windows/Fedora situation, and is a nice little tool written by some nice folks in Italy, http://forja.linex.org/ .

Obviously, a bad guy could extend the approach and anticipate Grub as well, trying to side step that, but it would probably be a much more complicated task, figuring out how to hide from all the kernel variants of Linux.

If a person wanted to be sure, couldn't you burn a boot loader onto a CD, have the CD boot first, and have that direct the loading? IANLWK (I am no Linux Whiz Kid), but in my imperfect knowledge of the world, that seems like it would completely defend against this type of attack. I yearn for correction of my ways if this wouldn't work.

--
I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
Re:How is it different from LILIO and Grub? by Anonymous Coward · 2008-01-07 16:47 · Score: 3, Informative

No. LILO, GRUB and (joking aside) the Microsoft bootloader are not malicious (the microsoft one is stupid, but not malicious). If the 512 bytes does something else - like, oh, jump to the main part of the virus stashed in the filesystem, then it's a problem. The real craziness here is windows letting userspace write to the MBR without so much as a "uh, you sure you want to do that?". It'll pop up 50 UAC requesters asking about trivialities, but when it comes to something that can totally hose your system's ability to restart in a fraction of a second? Not a peep.

Now, linux will actually let you do that as root, too, but not otherwise. The problem is most people run windows as the equivalent of root.
Re:How is it different from LILIO and Grub? by dbcad7 · 2008-01-07 16:51 · Score: 1

In order to run lilo, you need to be root.. correct ?
so although you might be able to install it in some sector (giving you the benifit), ... how are you going to run it without being root ?
If you were just explaining the flexibility of where Lilo can be installed, I understand that.. but it kind of seems you implied that a malware script could be made to just willy nilly install and run lilo.. maybe it can, but I'd have to have more proof.

--
waiting for ad.doubleclick.net
Re:How is it different from LILIO and Grub? by snikulin · 2008-01-07 16:55 · Score: 1

> In order to run lilo, you need to be root.. correct ? Nope. There is not user/kernel space at this time.
Re:How is it different from LILIO and Grub? by burnin1965 · 2008-01-07 17:49 · Score: 2, Informative

If I put my code to MBR and LILO loader somewhere else and then start it, will it work? I guess so.
Are you root? If not then the answer is no.

The real issue here is not whether an exploit like this would work with lilo or grub, the issue, as noted by TFA, is that "Unfortunately, all the Windows NT family (including VISTA) still have the same security flaw - MBR can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected !"

Note: MBR can be modified from usermode, the first sectors of disk are still unprotected

Yikes!!!
Re:How is it different from LILIO and Grub? by GravityStar · 2008-01-07 18:26 · Score: 1

If I put my code to MBR and LILO loader somewhere else and then start it, will it work? I guess so.
Are you root? If not then the answer is no.
Root is still a user, and LILO is still just usercode.
Note: MBR can be modified from usermode, the first sectors of disk are still unprotected
Yes, in this regard it is just as secure as Linux. You still need to be a administrator to overwrite the mbr. Reversing all of this damn argument, how exactly do you propose we defend the contents of the MBR from root on Linux? (Or GNU/Linux if you will)
Re:How is it different from LILIO and Grub? by dbcad7 · 2008-01-07 18:59 · Score: 1

I can find no other place where it is said this is possible.. perhaps if permissions were changed on the installed version, but then I don't know if the code for Lilo checks for root.. even rescue disks that have Lilo give you root access so you can make the changes.. and here we are talking physical access to get root.. I suppose i could download a copy of Lilo and change permissions to see if it let me run it as a user.. hmmm..

--
waiting for ad.doubleclick.net
Re:How is it different from LILIO and Grub? by jimicus · 2008-01-07 20:18 · Score: 1

You're both right and wrong at the same time.

In order to execute the code which bootstraps the OS, you're correct. But from context, I suspect the OP meant "in order to install LILO to the MBR".

Which you most certainly do need to be root to do.
Re:How is it different from LILIO and Grub? by Jesus_666 · 2008-01-07 21:22 · Score: 1

You neither need to work as root all the time on a *nix box, nor is that the common way to do work. Windows Vista still has plenty of programs that insist on writing to system directories at run-time so while it is possible to work as something else than an administrator there still are some configurations under which it's much easier to just screw security to hell and give yourself administrator privileges.

--
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Re:How is it different from LILIO and Grub? by DrSkwid · 2008-01-08 02:51 · Score: 1

Only if you are in multi-user mode, otherwise you just boot in single-user mode which has no passwords, you don't even need to boot Linux, any OS that boots from CD can edit your MBR.

--
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Re:How is it different from LILIO and Grub? by dbcad7 · 2008-01-08 02:53 · Score: 1

This is what I mean.. I guess a little confusing, but yes I am meaning running lilo, that uses a configuration file to configure the loader (I guess also called lilo) usually in the MBR. (although can be located elsewhere, which is what started this)
How would you run the bootloader again on an already booted system as a user ?

--
waiting for ad.doubleclick.net
Re:How is it different from LILIO and Grub? by jimicus · 2008-01-08 03:24 · Score: 1

LILO's a bit of a complicated one, because technically what happens is you write a configuration file, run a program (which is called lilo, but more accurately should be called lilo-installer or somesuch) and this program installs a small bootloader in your MBR based on the configuration file.

You wouldn't rerun the bootloader once booted - the harm comes from if you allow any user rather than just root/administrator/(insert equivalent here) to write to the MBR because malware installed in that way could guarantee it will be executed each time the user reboots and with, say, a hypervisor remain totally invisible to the operating system.

However, NT hasn't allowed non-Admin users to do stupid stuff like that ever so unless you're running everything as admin it's a nonissue.

It can be done from user mode, that's true, but unavoidable.
Re:How is it different from LILIO and Grub? by Talchas · 2008-01-08 03:44 · Score: 1

Don't you just need write access to /dev/sda or /dev/hda? Thats all you should need. Now root should probably be the only one with write access to disks, but thats another matter.

--
As the Americans learned so painfully in Earth's final century,free flow of information is the only safeguard against...
Re:How is it different from LILIO and Grub? by jimicus · 2008-01-08 06:05 · Score: 1

Yes, but only root can do that.

IOW, Linux isn't fundamentally immune to such an issue. Having said that, neither is any OS which is designed around a hierarchical structure of "most powerful user at the top, other users have decreasing levels of power". Something like EROS might be able to prevent such things, but it's really a research operating system which AFAICT is a long way from reliably booting, much less doing anything useful. And EROS doesn't have the advantage that Linux had of having a fairly complete userland toolset ready and waiting, needing little more than a kernel.
Re:How is it different from LILIO and Grub? by HiThere · 2008-01-08 07:22 · Score: 1

Well, when the system is running you need to be root not to run lilo, but to save the changes.
When the system is booting, it doesn't yet know the difference between root and other users. That has to wait until late in the process, and the boot manager takes place as the first step in the process. (It's analogous to the "LOAD" button that some 1401 card readers had...a hard wired piece of code to read in aome cards and do what the program on them said to do. (The cards had to be punched in 1401 binary, of course. And there *was* not operating system.)

If you were to execute a boot loader while the system was running it would be equivalent to crashing and restarting. If you were to do it with a restart address at a particular address, it would be equivalent to crashing and restarting from that address. (Notice that I said "crashing", not shutting down.)

As far as I know, neither Grub nor LILO allow you to execute the boot loader while the system is running. The named programs are for configuration and installation. Because crashing is a bad idea. Sufficiently so that only a hardware switch is allowed to do it intentionally. (And that's because bad idea or not, sometimes it's the best one available.)

--

I think we've pushed this "anyone can grow up to be president" thing too far.
Re:How is it different from LILIO and Grub? by sexconker · 2008-01-08 08:13 · Score: 1

Just enable boot sector protection in your BIOS.
Re:How is it different from LILIO and Grub? by burnin1965 · 2008-01-08 10:00 · Score: 1

Yes, in this regard it is just as secure as Linux. You still need to be a administrator to overwrite the mbr.
Really, perhaps I misunderstood the article as it appears they are saying a regular user on an NT/XP/Vista box can edit the first sectors of the disk. On a linux system you would have to intentionally login with the root account to do this. Normal use of a linux system does not require that you login as root and regular users cannot edit the MBR.
all of this damn argument, how exactly do you propose we defend the contents of the MBR from root on Linux? (Or GNU/Linux if you will)
Excellent question, I suggest reading up on SElinux. You can use SElinux policies to lock down even the root user but in an extremely granular way. I think you have a great idea and considering that once a system is setup there really is not reason even for the root user to be editing the MBR. There may be other methods to achieve the same result but I've only studied SElinux.
Re:How is it different from LILIO and Grub? by faber0 · 2008-01-08 13:04 · Score: 1

Funny that the only MS OS that actually protects you (as in Administrator) is Vista with UAC turned on. Besides that i still think replacing an MBR is a perfectly sane thing to do from an Administrators/Root account.

- Faber

Re:Like it matters by Opportunist · 2008-01-07 14:55 · Score: 5, Insightful

Hen and egg. How does the virus get there in the first place. SOMEONE must first of all get it to execution. Malware doesn't suddenly jump in and exists. It has to be brought into the machine. A virus or trojan does jack when it just sits on your machine. It is a program. It has to be executed to do its "magic".

There are exactly three ways to get this done. First, remote (RPC) exploits, which is easy to defeat with a router that does not allow any packets in to sensitive ports. Second, exploits in programs. This is harder to secure, since you can never know whether your mail client or your web browser (or one of its myriad plugins) has such a vulnerability. Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).

And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

Re:Like it matters by MBCook · 2008-01-07 14:56 · Score: 5, Informative

What if someone wrote a super small bootable virus,

Yeah, like something that could fit in a 512 byte MBR...

, then the virus' initial form used Partition Magic-like functionality to write its own partition

Why bother?

and stick the virus on it then tell the computer before restarting to boot from that one.

That's what this does. It modifies the MBR to load the virus as a driver out of a pair of sectors.

Then the virus can do whatever it wants to the MBR or basically anything else on the drive cuz no files or anything would be open.

This already does whatever it wants. And the "files open" comment is non-sensical, the pre-boot environment has no concept of "open files", it's just a little 512 byte loader.

I'm pretty sure Windows can't protect the MBR if it isn't running.

There isn't much Windows (or any) OS can do when it isn't running.

If you read the article (it contains scary things like x86 assembly, I know, but you can skip that) you'd see that the describe this hooks into the load routines used by Windows. By intercepting these calls and redirecting them, it prevents you from overwriting the MBR or even detecting that it's changed (to a degree). To fix this you have to open a clean environment (like the recovery console off the Windows CD) and have it fix the MBR.

Amazing how even with all we've got, things go back to the same kind of viruses that were written back in the days of DOS 2.

I wonder if this would be so easily possible with EFI based booting. OS X uses it. Vista SP1 supports booting using EFI off disks don't partitioned with the old DOS partition format.

PS: Whoever modded the parent as informative either doesn't know what they're talking about, is drunk, or is in cahoots.

PPS: Sorry. I've been looking for an excuse to use the word "cahoots" all day.

--
Comment forecast: Bits of genius surrounded by a sea of mediocrity.

Misleading... by SanityInAnarchy · 2008-01-07 15:03 · Score: 5, Informative

Alright, I get the defense in depth concept, but I don't consider it to be a severe vulnerability that the MBR is writable while Windows is running. I consider that to be a feature, one I wish Microsoft did more of -- for example, I can install Linux from a Linux LiveCD, or I can install a second copy of it on another partition, etc. As far as I can tell, OS X is similarly flexible -- it forces you to type your password, but it can deliver a firmware update from within the OS -- think equivalent to a BIOS update, so even earlier than the MBR.

So, to clarify: It's writable from userland, which is not the same as being writable by any user. If they have Admin access (which means you already clicked a "This program wants to modify your Master Boot Record, are you sure?"), you're already screwed -- kind of like how, on Linux, if they have root, you're already screwed.

In other words, it's possible to modify your Master Boot Record without rebooting your computer. This is a good thing.

What's more, this is not new. All that's new is that it's both in the wild (Blue Pill does the same thing), and that it's a rootkit (MBR Viruses have been around for a very long time now). If someone was trying to apply for a patent, you'd be jumping all over them with prior art...

--
Don't thank God, thank a doctor!

Re:Misleading... by Jeffrey+Baker · 2008-01-07 16:16 · Score: 4, Interesting

In my admittedly limited experience, any user account can do some pretty scary stuff in Windows XP. I once was surprised to find out that I could load a firmware update onto a Plextor DVD burner using the guest account on a Windows XP machine. If you can program device firmware you can obviously subvert the entire operating system. I was appalled, and I showed it to the local Windows sysadmin, and he was appalled. It seemed to be a bit of clever programming on the part of the Plextor people, and there did not seem to be any way to defend against it.
Re:Misleading... by hcmtnbiker · 2008-01-07 17:16 · Score: 1

What's more, this is not new [wikipedia.org]. All that's new is that it's both in the wild (Blue Pill does the same thing), and that it's a rootkit (MBR Viruses have been around for a very long time now). If someone was trying to apply for a patent, you'd be jumping all over them with prior art...

Actually Blue Pill is much more interesting then this. Blue Pill can actually trap a running instance of an OS inside a rootkit. The one from the article requires a reboot, and hoping you didn't detect it before then. Blue Pill can also be used to attack any operating system, the one from the article only works with systems that use NTLDR.

--
If i had one dollar for every brain you dont have, i would have $1.
Re:Misleading... by mcmaddog · 2008-01-07 18:10 · Score: 1

Macintosh computers not only require an admin password to update the firmware, but also require you to shut down and then startup holding the power button for about 5 seconds to trigger the update process so physical access and intention are required.
Re:Misleading... by tyler_larson · 2008-01-07 18:51 · Score: 1

Beyond misleading. Not newsworthy.
Overwriting your MBR is possible only with raw access to the hard drive, and is always possible with raw access to the hard drive. In other words, Vista shares this same flaw with nearly every operating system in existence. Raw device IO is a restricted operation specifically for this reason, because it circumvents all other protection. To gain this access, you need to already have unfettered administrative access, which means you stand to gain nothing further.

--
"With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
RFC 1925
Re:Misleading... by Jesus_666 · 2008-01-07 21:25 · Score: 1, Troll

I don't want to know the kind of screwed up configuration which has the guest account running with administrator rights.

--
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
Re:Misleading... by ajs318 · 2008-01-07 23:53 · Score: 1

You can firmware-upgrade many optical drives just by loading a disc with the firmware on it. The drive reads the TOC, spots a telltale filename, checks the file for telltale data and if it seems correct, loads up its new firmware. This doesn't involve the OS at all. You could plug the drive into just a PSU, no connection to a motherboard even, and upgrade it.

The assumption is that if you have physical access to the machine, you can do what you want with it anyway.

--
Je fume. Tu fumes. Nous fûmes!
Re:Misleading... by ajs318 · 2008-01-08 00:12 · Score: 4, Informative

Actually, with Linux, you don't need the root password. You just need physical access to the machine. Reboot it. If running LILO, enter linux init=/bin/sh ; if running GRUB, edit the boot command line and include init=/bin/sh in it somewhere. Press RETURN. When you get the # prompt, enter
# mount -oremount / to make the disk writable
# awk '/^root/{print}' /etc/shadow > /old_root_password to make a copy of the old scrambled root password,
# passwd and enter a password you can remember. Twice.
# init 6 to reboot the machine again. You can now log in as root, using the password you supplied. No need for any special weapons, boot discs &c. This is one you can carry entirely in your head.

To restore the original root password, the sequence is
# awk '!/^root/{print}' /etc/shadow >> /old_root_password # cp -f /old_root_password /etc/shadow # rm -f /old_root_password - don't use this till the last minute, because the password will be changed as soon as you modify /etc/shadow. I don't know if this works on other Unix systems.

--
Je fume. Tu fumes. Nous fûmes!
Re:Misleading... by cookd · 2008-01-08 02:08 · Score: 1

Yup. Drivers have the ability to provide access to anybody they want. It is the responsibility of the driver's author to determine whether or not to grant "update firmware" access to a particular account. You are correct that the driver should not be doing this.

--
Time flies like an arrow. Fruit flies like a banana.
Re:Misleading... by Joe+The+Dragon · 2008-01-08 03:15 · Score: 1

that is the system bios.

Also the Dell windows based bios updater needs you to be a windows admin or give it the admin name and password + a bios password if there is one to update the bios.
Re:Misleading... by Pharmboy · 2008-01-08 03:16 · Score: 1

I think that is the key to remember: The OS can only protect a computer that someone isn't siting in front of. I can re/boot in single user mode and do anything I want to a Linux box, if I am sitting in front of it. If you have access to physcially TOUCH any computer, you can hack it, and likely no amount of operating system or other software can change that. Even disabling floppy, USB and CDROM wont' stop me from pulling the battery or jumping a jumper to reset the password. (with laptops, your mileage may vary)

--
Tequila: It's not just for breakfast anymore!
Re:Misleading... by Abcd1234 · 2008-01-08 03:17 · Score: 1

The assumption is that if you have physical access to the machine, you can do what you want with it anyway.

Where, in the GPs post, did he say that physical access was required to do the firmware update from the guest account? Oh right! He didn't!

So... what was your point, again?
Re:Misleading... by Talchas · 2008-01-08 03:47 · Score: 2, Informative

Only if the person running the machine hasn't required a password for the GRUB command line. Of course, you can do the boot disc/clear CMOS/whatever method anyway, so its still insecure.

--
As the Americans learned so painfully in Earth's final century,free flow of information is the only safeguard against...
Re:Misleading... by sherl0k · 2008-01-08 04:01 · Score: 1

And for distros that don't use the root account?
Re:Misleading... by ajs318 · 2008-01-08 05:01 · Score: 2, Interesting

Yeah, there's that. Carry a boot CD (maybe with several kernels) on an actual disc (in case you can't use a USB key ..... maybe better to use a cheap MP3 player preloaded with a repetitive techno track that can be played to anyone who asks), and a minimal tool kit (screwdriver handle with interchangeable bits, needle nose pliers, wire cutters, tweezers, a few motherboard jumpers, a few known good 13 Amp plug fuses, powerfinder screwdriver ..... I'd say a cordless soldering iron, solder and a canister of fuel if I didn't think that I really meant minimal ..... weigh the probability of needing a tool against the drawbacks of having to carry it) with you. You can then reset the BIOS password, fix the boot order, boot a kernel that works, mount the drives and chroot into the system, if you have to.

"The worst case? Well ..... let's see. Have you got any CD burners in there?"
"Yes, in the management suite, behind digital door locks. Or in the IT department. Digital locks again."
"And do those management machines have a high-speed internet connection as well?"
"Oh, yes."
"Well, in that case ..... I reckon, in the absolute worst case, your friend could be doing whatever he wanted with your computer systems in about one hour."
"One hour? That's not so bad. That gives us something. You say that's the worst case, right?"
"Oh, yeah, from his point of view, one hour is the worst case. But if he's smart, he's probably already been and gone."

--
Je fume. Tu fumes. Nous fûmes!
Re:Misleading... by kilgortrout · 2008-01-08 05:33 · Score: 1

If you have physical access to any box you can get root access; just pop in any livecd and su to root or use sudo. Want to lock down the bios with passwords and prohibit booting off anything but the hard drive? Go ahead, I'll pull the drive out of the box, hook it up to my laptop through usb and and tinker with the mbr to my hearts content. The only sure fire way to protect against a user with physical access is constant surveillance but then you have the who'll guard the guards problem. Nothing new in that observation as it's been made a million times before.
Re:Misleading... by Reziac · 2008-01-08 06:33 · Score: 1

Remember Chip-Away, the old BIOS-based boot sector protection that was commonly seen on 486-era machines? It screamed bloody murder and halted the system any time ANYTHING tried to alter the boot code or MBR. I'm wondering if it's time to return to using such protection.

Since FProt is now dropping their DOS-based version, AFAIK there are no longer any AV products that can run with a minimal OS, such as a DOS floppy boot. All AVs that I know of require a fullblown OS, thus minimally either installed on the suspect system (not a good idea) or run from a Live CD, which you may not have the luxury of preparing on short notice (or may have a system that won't boot from CD -- I still see 'em once in a while).

So... I think we'll see a major upswing in BSV and suchlike, since our tools for detecting them are too limited.

--
~REZ~ #43301. Who'd fake being me anyway?
Re:Misleading... by Paradigm_Complex · 2008-01-08 07:41 · Score: 1

With physical access to the machine you can easily get anything unencrypted, irrelevant of OS. Boot of your own device (CD/DVD/flash/floppy/whatever) and there's no issue logging into root on your own OS. If the BIOS is locked and won't let you boot off another device rip out the battery for a bit. Heck, just take the harddrive and put it into your machine. Nothing is secure if the attacker has physical access, irrelevant of OS. If you can't do this on Linux without physical access or root I'd consider it secure.

--
"A witty saying proves nothing." - Voltaire
Re:Misleading... by runderwo · 2008-01-08 09:01 · Score: 1

I've no knowledge of this specific DVD drive, but thinking about the motivations of the operating system vendor vs the motivations of the DVD burner vendor, it wouldn't be surprising if the DVD burner vendor was the one who took the shortcut because they didn't care about security and just wanted to get it working as quickly and easily as possible.

LG CD-ROMs Destroyed by Mandrake 9.2

--
LRC, the best-read libertarian site on the web
Re:Misleading... by shentino · 2008-01-09 05:42 · Score: 1

Which is why having a boot loader password is a good idea.
Re:Misleading... by SanityInAnarchy · 2008-01-09 18:54 · Score: 1

If the guest user has permission to read from the DVD drive, then this implies they have permission to send commands to the DVD drive.

On Windows, maybe.

On Linux, it means the user has permission to read from the DVD drive.
If Windows sends what should be a "safe" command, and the driver/firmware interprets this command as a "rewrite firmware" command,
That is possible, if, say, it was a "read" command, or maybe an "eject the disc" command.

More importantly, though, drivers should make a distinction between normal read/write access and firmware flashing. As a normal user, I should be able to send "commands", like eject, close, etc; I should be able to read; I should be able to write (burn); I should not be able to flash the firmware.

(That, admittedly, is probably a problem linux also has.)

But you're right, it does look like the problem is Plextor here.

--
Don't thank God, thank a doctor!
Re:Misleading... by SanityInAnarchy · 2008-01-09 18:57 · Score: 1

Yeah but its not possible to install a patch without rebooting :)

Not sure about Windows, but Linux will actually "install" the patch -- it just won't run it without rebooting.

The important feature here is that you can basically put your disk in a state where, if you were to cold boot right there, everything would already be installed the way it's supposed to be -- no weird tricks during an otherwise "normal" boot. When it says "done installing", it really means "done installing", and while you have to reboot for it to take effect, that is really just a reboot.

--
Don't thank God, thank a doctor!
Re:Misleading... by SanityInAnarchy · 2008-01-09 19:08 · Score: 1

See an OS should be CAPABLE of locking everything down. If it can't it should log.

None of which tells me that it's a bad thing if everything isn't locked down, even if it's not locked down by default. I don't know enough about NT to know if it can be sufficiently locked down in this way. I do know Linux can.

Oh, and speaking of logs: What's your guarantee that log is still valid? On most machines, root access means freedom to modify the logs, the log daemon, and so on.

--
Don't thank God, thank a doctor!
Re:Misleading... by SanityInAnarchy · 2008-01-09 19:11 · Score: 1

Overwriting your MBR is possible only with raw access to the hard drive, and is always possible with raw access to the hard drive. In other words, Vista shares this same flaw with nearly every operating system in existence.

Except, you know, OSes which don't allow raw access to the hard drive.

To gain this access, you need to already have unfettered administrative access, which means you stand to gain nothing further.

That depends on the system, but I tend to agree you, and I made the same point.

--
Don't thank God, thank a doctor!
Re:Misleading... by tyler_larson · 2008-01-10 17:15 · Score: 1

Except, you know, OSes which don't allow raw access to the hard drive.

Like, for example?
All Windows variations do. All unix-based OSes do. All Mac OSes do (both new and old). Obviously all single-user operating systems do because there's no protection. I would say that covers "nearly every". Can you come up with a significant exception?

--
"With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
RFC 1925
Re:Misleading... by SanityInAnarchy · 2008-01-11 05:48 · Score: 1

Like, for example?

A heavily-patched Linux. I'm fairly sure one can configure SELinux to disallow this.

Or Linux running in some sort of virtual machine (usermode Linux, XEN, etc) which disallowed access to the real raw disk.

I would say that covers "nearly every".

Oh, sorry, didn't see that. You're right.

--
Don't thank God, thank a doctor!

Re:Like it matters by Vaticus · 2008-01-07 15:11 · Score: 1

How on earth does Ramen relate to MBR and Windows variants?

--
John 3:16. Know it.
Drink Yourself Healthy: MonaVie

Re:Like it matters by wizardforce · 2008-01-07 15:12 · Score: 1

well if it's going to attack liek that it would need higher privilages- that is it needs to exploit another flaw to exploit this one. That being said, it appears that pretty much any OS that has that particular method used [seperate partition + virus] would be affected. No doubt delivered in the same way it has always been, users downloading a new program. you can patch the OS all you want, you still can't patch the user.

--
Sigs are too short to say anything truly profound so read the above post instead.

Treacherous Computing to the rescue! by Anonymous Coward · 2008-01-07 15:14 · Score: 4, Insightful

I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.

Re:Treacherous Computing to the rescue! by ScrewMaster · 2008-01-07 15:28 · Score: 2, Funny

The jellied gasoline salvo is on the way, with a thermite chaser.

--
The higher the technology, the sharper that two-edged sword.
Re:Treacherous Computing to the rescue! by Anonymous Coward · 2008-01-07 17:31 · Score: 1, Informative

The cure is worse than the disease.
Re:Treacherous Computing to the rescue! by noidentity · 2008-01-07 22:01 · Score: 1

It's exactly the sort of problem any decent OS can solve. Untrusted code says "hey, I'd like to write this to the MBR", OS says "hell no!". Why is any special hardware needed, beyond basic memory protection?
Re:Treacherous Computing to the rescue! by kvezach · 2008-01-07 22:15 · Score: 3, Insightful

Initiating flame... done!

I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.

And you can "solve" crime with a ubiquitous secret police, but would you want to?
Re:Treacherous Computing to the rescue! by TemporalBeing · 2008-01-08 04:32 · Score: 1

I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.
No, TPM was designed to solve the problem of Microsoft losing Windows as a monopoly by preventing you from installing anything else.

The solution to this problem is correct usages of the Admin (root) accounts, which Unix/Linux has had solved for more than a decade; but according to TFA Microsoft has yet to solve. This, of course, Microsoft's fault.

So please, don't try use use TPM to solve this. It won't. If I bet (but I don't), I'd bet you could even get Windows on a TPM machine to overwrite the MBR in the same manner as the article is mentioning. TPM won't solve the job that the OS is meant to - other than to deny you from running that OS, which is its real purpose. ;-) Too bad Microsoft is the entity behind TPM; otherwise we might be able to use TPM to move everyone off of Windows. ;-)

--
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
Re:Treacherous Computing to the rescue! by Doug+Neal · 2008-01-08 06:15 · Score: 1

There is nothing intrinsically wrong with TPM technology per se, as long as the user/owner/administrator has the ultimate decision about what is "trusted" or not. Giving the final veto to a third party that's only serving its own interests - that's when it's a problem.
Re:Treacherous Computing to the rescue! by Reziac · 2008-01-08 06:35 · Score: 1

You don't need TC for this. All you need is a BIOS-level program *that the user can turn on and off as they please*, like the old ChipAway boot sector protection that was built into many 486-era BIOSs.

--
~REZ~ #43301. Who'd fake being me anyway?

Re:Like it matters by Nimey · 2008-01-07 15:15 · Score: 4, Funny

I see that you are not an adherent of the True Church of the Flying Spaghetti Monster. The FSM has *everything* to do with Windows; we don't call it spaghetti code for nothing!

--
Hail Eris, full of mischief...

E pluribus sanguinem

Re:Like it matters by Lumpy · 2008-01-07 15:16 · Score: 2, Informative

Almost all BIOSes released in the past 5 years had MBR protection. Install your OS, turn on MBR protection and let the virus try.

I hated it at first, Linux installs failing as LILO not getting to write to the MBR until you turned it off.

--
Do not look at laser with remaining good eye.

You have run Vista with elevated administrative... by figleaf · 2008-01-07 15:18 · Score: 5, Informative

... to write to the MBR.
For all other sectors Vista prevents writes to raw disk sectors even with admin permissions.

Users withouts admin permissions/without elevation cannot write to the MBR in Vista.

Re:Like it matters by cgenman · 2008-01-07 15:19 · Score: 4, Funny

If these so-called invisible rootkits are so effective, why aren't we seeing them everywhere? Huh?

http://www.nuklearpower.com/daily.php?date=080103

--
The ______ Agenda

Re:Like it matters by m50d · 2008-01-07 15:20 · Score: 2, Insightful

I wonder if this would be so easily possible with EFI based booting. OS X uses it. Vista SP1 supports booting using EFI off disks don't partitioned with the old DOS partition format.

I can't imagine that would make any difference. The computer needs to boot somehow, there are legitimate reasons for modifying the boot code (such as installing a new OS, or fixing flaws in it) so you can't just block it wholesale, and any program that runs at the boot stage will necessarily have complete control of your computer. About the best you can do is require the user to confirm before overwriting the MBR - something I thought windows already did (and if it doesn't, there's really no excuse for it not to) - but that's far from foolproof.

--
I am trolling

The perfect virus by arotenbe · 2008-01-07 15:22 · Score: 1

Unfortunately, all the Windows NT family (including Vista) still have the same security flaw -- MBR [Master Boot Record] can be modified from usermode.

"Security flaw"? Heck, I'm almost finished with the virus that overwrites the MBR with GRUB stage 1!

Alright, I guess I'm forced to admit I'm just kidding.

--
Tomato wedge sperm darts that are Republican.

Re:The perfect virus by Cassini2 · 2008-01-07 16:27 · Score: 1

I'm almost finished with the virus that overwrites the MBR with GRUB stage 1!

You must work for Microsoft. Almost every Linux distribution in existence uses GRUB for a bootloader. Only Microsoft calls Linux "an evil virus-like plague," as it sweeps the world, eliminating proprietary software, vaporizing multinational corporations, and saving the poor from the ravages of the new generation of software robber barons.
Re:The perfect virus by andreyw · 2008-01-07 18:22 · Score: 2, Funny

I'm forced to conclude that the majority of Slashdot's most vehement and fervent posters are autistic inhabitants of their parents' basements, with no sense of humor at all.

-1.
Re:The perfect virus by Mgns · 2008-01-07 22:30 · Score: 1

I'm still in the crib, you insensitive clod!
Re:The perfect virus by skiman1979 · 2008-01-08 00:19 · Score: 1

"Security flaw"? Heck, I'm almost finished with the virus that overwrites the MBR with GRUB stage 1!
Now all you have to do is set it up to boot an installation image of Linux through PXE to a TFTP server. :-D

--
Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.

Re:Like it matters by neo8750 · 2008-01-07 15:26 · Score: 1

I don't know about you but my motherboard gives me a warning any time a program tries to mess with the MBR. Sure it could be worked around but its 1 extra step they have to work around.

Please correct me if this isn't a good way to prevent this

A boot sector virus? In my PC? by Purity+Of+Essence · 2008-01-07 15:26 · Score: 4, Funny

It's more likely than you think.

What is this? 1986?

--
+0 Meh

Re:A boot sector virus? In my PC? by Nimey · 2008-01-07 15:37 · Score: 4, Funny

Your computer is now stoned.

--
Hail Eris, full of mischief...

E pluribus sanguinem
Re:A boot sector virus? In my PC? by Jeffrey+Baker · 2008-01-07 16:10 · Score: 4, Funny

Yeah right. Do you think the virus idiots know how to program a virus into 512 bytes these days? I've seen self-styled viruses that are carrying around msvcrt.dll. Those guys should be embarrassed.
Re:A boot sector virus? In my PC? by Architect_sasyr · 2008-01-07 16:19 · Score: 1

Oh damn that took me back... Thanks for reminding me of the moment where I looked at my computer and thought 'It too huh... wonder where it got its trip from'

--
Me failed English...
FreeBSD over Linux. If my comments seem odd, this may explain...
Re:A boot sector virus? In my PC? by shdwtek · 2008-01-07 16:32 · Score: 4, Funny

512 bytes should be enough for any virus.
Re:A boot sector virus? In my PC? by tlhIngan · 2008-01-07 16:35 · Score: 3, Informative

Yeah right. Do you think the virus idiots know how to program a virus into 512 bytes these days? I've seen self-styled viruses that are carrying around msvcrt.dll. Those guys should be embarrassed.

Actually, it's a bit less. The first sector of a hard disk contains the MBR code and the partition table.

The partition table takes 64 bytes (16 bytes x 4 entries), and there's a two-byte signature that the BIOS checks to ensure the MBR is valid.

That gives you roughly 446 bytes of code that you can actually run. Most MBR code basically reads the partition table, finds a partition with the "active" flag set, then loads the first sector of that partition into memory. The partition loader then copies more sectors from disk so it can load the OS.

That's why you can install GRUB and LILO into either the partition or MBR. The MBR version basically overwrites the existing MBR to always load LILO or GRUB regardless of what the partition table says. The partition version relies on the MBR code passing it control.

Of course, having the first cylinder of a disk unused makes it convenient to stash away the extra code you need.
Re:A boot sector virus? In my PC? by Keruo · 2008-01-07 17:21 · Score: 4, Interesting

All you need is a call to certain point of disk to run the code right?
Remember that almost all current Windows systems reserve 1-8Mb space for converting the drive to dynamic disk.
8Mb is likely enough to run almost fullblown virtual machine, atleast versatile enough to hide beneath the "primary" os and act as a spam/ddos drone/keylogging trojan unnoticed.
Sure, it'll eat some resources sitting there, but your average Joe/Jill won't really notice that. They just curse their damn slow computer.

--
There are no atheists when recovering from tape backup.
Re:A boot sector virus? In my PC? by Thing+1 · 2008-01-07 17:33 · Score: 1

A corollary to bricked, I suppose.

--
I feel fantastic, and I'm still alive.
Re:A boot sector virus? In my PC? by Technician · 2008-01-07 17:54 · Score: 1

Your computer is now stoned.

Wow, talk about an old virus. I think I still have that one on a floppy somewhere. I remember studying that one. I did a fresh DOS install to infect. When I was done, it was removed by booting a clean floppy and re-partitioning, formatting and reinstalling. I took no chances with that one. For those who are not familiar with the phrase;

http://en.wikipedia.org/wiki/Stoned_(computer_virus)

--
The truth shall set you free!
Re:A boot sector virus? In my PC? by Jesus_666 · 2008-01-07 21:33 · Score: 1

Actually, that reference is amazingly current with regards to Vista:

http://www.theregister.co.uk/2007/09/17/vista_hit_by_stoned_angelina/

--
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)

Re:Like it matters by Leto-II · 2008-01-07 15:28 · Score: 1

How on earth does Ramen relate to MBR and Windows variants? While I do wish it had something to do with his holiness the Flying Spaghetti Monster, in this case I believe it has to do with the original poster's name: ILuvRamen.

--
Do not anger the worm.

Re:Like it matters by Anonymous Coward · 2008-01-07 15:44 · Score: 1, Funny

If these so-called invisible rootkits are so effective, why aren't we seeing them everywhere? Huh?

You keep using that word. I do not think it means what you think it means.

Of course.. by Junta · 2008-01-07 15:51 · Score: 5, Interesting

Whether it's a an MBR record or an executable file stored on a filesystem the firmware may understand, the concepts are the same. Any sane operating system will allow you to modify boot files (after all, how else do you upgrade early-execution code). Whether it's an MBR or a more sophisticate piece of firmware, the principle is the same. The question is whether users have been trained to always be administrator, or if they've been trained the more disciplined way where uncommon (at least should be)/privileged operations can only be executed at significant obious pain.

Under linux even, a number of distributions have on occasion ventured down the very dangerous/wrong approach of skipping user accounts and going all root for the sake of convenience. However, the mainstream usage of linux (and OSX) is thankfully non-root users, and as such any *serious* applications accomodate that usage pattern (with the bonus of being sanely multi-user.

Meanwhile, Windows heritage has been less optimal. The consumer oriented MS platforms right up until XP didn't have a meaningful non-administrator concept, as well as much of a multi-user concept. As a consequence, many application developers did bad things that would break (i.e. using registry entries that are machine specific rather than user specific, or even writing things like saved documents/games to the application Program Files directory. Win9x even provided relevant spots that would evolve to something meaningful, but without significant meaning, many third parties ignored it, especially after Win3.x training. XP was the first definitive wake up call to a WIDE variety of developers. Even so, the majority of users ended up being administrative users to make up for the gap (as well as having no easy automatic privilege escalation). Hell, even a customized preload I saw sets up one user, renaming the administrator user (and in fact, calls an un-renamed administrator account a security risk... indeed).

OSX made a clean break with OSX (relegating "classic" applications to a relatively severe sandbox"), Linux never had such an unclean history to overcome. So while OSX implementing clean privilege escalation, and Linux has been working on facilities that lend itself well to that (i.e. DBus). Windows XP did not make a clean break, and Vista didn't etiher, but Vista's UAC is an attempt at giving users a facility to do privilege escalation. It's annoying because of bad programs and bad habits. But non-admin default usage + UAC is the only way they have of maintaining a sane featureset without being considered so vulnerable.

It also doesn't help that so many Windows users see "click here for free smilies" and think it's a good idea to do so.

--
XML is like violence. If it doesn't solve the problem, use more.

Re:Of course.. by MrLizardo · 2008-01-07 18:30 · Score: 1

It also doesn't help that so many Windows users see "click here for free smilies" and think it's a good idea to do so. The best part is when they get mad and argue with you when you try to remove the malware they put there.
"But I *liked* the free smiley faces!"
"It's spyware, handing your personal info and passwords to nefarious third-parties! You weren't supposed to be installing random software on your work computer to begin with."
"So I can't keep the smiley faces?"
"No!"

--
^I'm with stupid.^
Re:Of course.. by cbreaker · 2008-01-07 18:31 · Score: 1

UAC is a step in the right direction but it shows how deeply flawed Windows is. You need to be an administrator to do far too many things. While a MacOS or a Linux installation will prompt you for your password when you install software or change core operation system behaviors (boot disk stuff, system tools, etc) Windows requires that you be an administrator to change your time zone or Desktop resolution.

All that, and because Microsoft wants to (rightfully so, in their position) support as many older apps as possible, you see the UAC a lot more than you should if said application was written with user-mode-only in mind.

For Microsoft to truly fix Windows, it would probably break a lot of stuff. Personally, I don't think it would be a bad idea. Like Apple, they could sandbox any older apps, and the "new" Windows could be a lot better. But it would not be smooth. They've painted themselves into a pretty corner, that's for sure. The reason they did it, was because they could. Everyone was going to run Windows anyways.

--
- It's not the Macs I hate. It's Digg users. -
Re:Of course.. by toadlife · 2008-01-07 20:47 · Score: 1

Windows requires that you be an administrator to change your time zone or Desktop resolution. Time on a multi-user computer system is a sensitive thing and should require admin rights. I don't where you came up with the desktop resolution bit. Anyone can change that.

--
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Re:Of course.. by Hal_Porter · 2008-01-08 02:09 · Score: 1

It's not about changing time, only the time zone. If Windows would store the system time in UTC this would only change the way the time is displayed to the user, not the internal time.

There is nothing sensitive about that. Windows system time has always been in UTC. By default before Vista both changing the time and changing the time zone required that the user running the program be in the admin group (though Admins could change this and let anyone do it), but in Vista Microsoft changed things so that unprivileged users could change the time zone -

http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/23/security-features-vs-convenience.aspx
To do this, we had to go through the various system tasks that users perform and for each one ask the question: "should the user have to be an administrator to complete this task?" What we found was that in Windows XP there were many cases where we required the administrative privilege if the user was making a change that impacted the entire system (rather than just their user account). We subsequently learned that this was too broad a distinction and in fact, with some common sense rules, we could protect the system while still making it usable. We also found that there were many cases in previous versions of Windows where we had lumped things together when instead only part of the task really should have required the user to be an administrator. For example, in Windows XP you had to be an administrator in order to change the time or the time zone of the system. The reason that time functions are usually restricted is that you can do some pretty sneaky things if you can change the system time -- like trick system logs or backdate emails. But as it turns out, changing the time zone of the machine so that a business traveler based on the West Coast goes to their meetings at the right time when they are visiting New York really doesnt need to be protected -- so in Windows Vista, we split that out and now allow a standard user to change the time zone. If you have a Vista machine, try it. Right click on the clock in task bar and choose Adjust Date and Time. Changing the time requires a UAC prompt, changing the time zone does not.

Incidentally Windows system time is stored as a 64 bit count of 100ns intervals since 1601. Why 100ns? Larry Osterman said
http://blogs.msdn.com/oldnewthing/archive/2004/08/25/220195.aspx#220259
Because 100ns is "good enough". You can represent any date from the 1601 to the year 20,000 in 64bits worth of 100ns units.

1ns is too small, it runs out in 200 years. 1000ns is too granular for some clock speeds (it's 1/10th of a millisecond). Interesting, eh? 200 years was regard as too short a lifetime for NT based OSs and APIs, Dave Cutler probably expects NT to have a thousand year reign ;-) . And 1000ns was too granular. Some book I read commented that the range of FILETIME is ok, but "in twenty years 100ns will be seen as hopelessly coarse"

Unix by contrast uses a 32 bit count of seconds which is both too coarse and will run out in a mere 30 years.

--
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
Re:Of course.. by HiThere · 2008-01-08 07:06 · Score: 1

"Always"? You've got a short time horizon. Admittedly I haven't used MSWind in a long time, but MSWind95 stored time as a time (i.e., localtime). Linux installs had to step carefully around how the clock was set, because if they were sharing a computer with an MSWind machine they shouldn't use UTC.

I don't know what it is these days, so I can't claim that MS still does things that way. But they DID.

--

I think we've pushed this "anyone can grow up to be president" thing too far.
Re:Of course.. by cbreaker · 2008-01-08 11:09 · Score: 1

Perhaps Vista sets UTC, I don't know, but up to Windows XP and Windows 2003 R2 it's localtime. Who knows what he's been smoking.

--
- It's not the Macs I hate. It's Digg users. -
Re:Of course.. by Hal_Porter · 2008-01-08 17:04 · Score: 1

NT based OSs always use UTC internally. The RTC is in local time, because that's what the majority of PC based OSs (i.e. 16 bit Windows, Dos and probably OS/2 and Xenix) used to set it to -

http://blogs.msdn.com/oldnewthing/archive/2004/09/02/224672.aspx
Linux installs had to step carefully around how the clock was set, because if they were sharing a computer with an MSWind machine they shouldn't use UTC. Yeah, but it's very convenient for people dual booting between MS OSs. Maybe Linux should have adopted the PC platform de facto standard of setting the Bios to local time even if like NT based OSs it uses UTC internally. Then people using it wouldn't have been inconvenienced.

--
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;

Re:Like it matters by Anonymous Coward · 2008-01-07 16:00 · Score: 1, Funny

And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it. I knew it all along.... CURSE YOU KEYBOARD!!! *punches keyboard* h fdsjkl hs

Solution is in your BIOS settings by DigiShaman · 2008-01-07 16:01 · Score: 2, Informative

As I know, most 3rd party motherboards offer "anti-virus" or the "write protect MBR" options. Even if available I doubt they will work when using onboard RAID features.

Basically, you leaves these options off when installing the OS. Once you're finished, you can safely turn them on. I'm not sure how often NTFS needs access to the MBR, but I know I've never had trouble leaving these features enabled with FAT32.

--
Life is not for the lazy.

Re:Solution is in your BIOS settings by tlhIngan · 2008-01-07 16:42 · Score: 3, Informative

As I know, most 3rd party motherboards offer "anti-virus" or the "write protect MBR" options. Even if available I doubt they will work when using onboard RAID features.

Basically, you leaves these options off when installing the OS. Once you're finished, you can safely turn them on. I'm not sure how often NTFS needs access to the MBR, but I know I've never had trouble leaving these features enabled with FAT32.

Ah, but these things only work in two ways:

1) The write protect only works if the OS makes a BIOS call to the MBR. The BIOS then traps this request and asks if you mean to write to the MBR. This works pretty well as most boot sector virii exist in DOS, which uses the BIOS, rather than Windows.

2) The BIOS makes a copy of the MBR and saves it in the CMOS. On boot, it loads the boot sector as normal, and does a quick comparison (it's only 512 bytes). If it differs (because someone overwrote the MBR code, or someone changed the partition table), it asks what you want to do - restore from backup, or accept the modifications.

No good filesystem should need the MBR once the system is booted. Other than reading the partition table. (The MBR, being 446 bytes in size, is also pretty standardized, which is why any utility that rewrites the MBR code can get your system booting again. Linux rewrites MBR can boot Windows, Windows fdisk can make Linux bootable again, etc. Basically, the MBR code just examines the partition table (in RAM - the BIOS doesn't care or know about the last 66 bytes being partition table. It loads the entire 512 byte sector into RAM), finds an entry marked with an "active" flag, and copies the first sector out of that partition into RAM and jumps into that code.

Extended partitions are the devil, which is why most MBRs can't boot from an extended partition.

Re:Like it matters by Entropius · 2008-01-07 16:04 · Score: 3, Informative

Two-word noun phrases are only hyphenated when used in adjective form. For instance:

Gamma rays are a type of ionizing radiation.

but

The gamma-ray burst released 4.3 blargajoules of energy.

Re:Like it matters by david_thornley · 2008-01-07 16:04 · Score: 1

Second, exploits in programs. This is harder to secure, since you can never know whether your mail client or your web browser (or one of its myriad plugins) has such a vulnerability.

This is much less important in real operating systems, which don't allow mail clients or web browsers to muck up boot sectors and the like. Unfortunately, a whole lot of people are using toy operating systems by this criterion.

--
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes

Re:Like it matters by jhol13 · 2008-01-07 16:11 · Score: 1

You, sir, are truly a Windows man: "Any attempt to separate users and administrators is a bad thing".

This is a security flaw...why? by Myria · 2008-01-07 16:18 · Score: 3, Insightful

A program running as root takes over a machine. News at 11!

It's really annoyed me that security companies continually report these things when they have no relevance to actual security. The concentration should always be on preventing malware from acquiring root access in the first place. Vista, despite its faults, actually does a much better job of this than its predecessors.

Also, this is Slashdot. Slashdot has Linux users, and wouldn't Linux users know that overwriting is even easier to do in Linux than NT? "dd if=trojan.bin of=/dev/hda", anyone?

By the way, there are many more bad things you can do as Administrator than just hack the boot sector. You can use bcdedit to create a fake Windows XP boot entry then put your Trojan kernel there.

--
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager

Re:This is a security flaw...why? by PPH · 2008-01-07 17:41 · Score: 1

By the way, there are many more bad things you can do as Administrator than just hack the boot sector.
I guess that's why Administrator (root) is a completely separate user on *NIX systems, not just an attribute of some logged in user.

--
Have gnu, will travel.
Re:This is a security flaw...why? by WK2 · 2008-01-07 18:16 · Score: 1

To be fair, I inferred from the summary and article that this was possible by an ordinary user. After I read several comments on slashdot that say something similar to what you say, I checked the article, and read it carefully. Nowhere does it say whether or not Administrator access is required to use their rootkit. I would have assumed that it was not.

If you are right, and Administrator access is required to write to the MBR, then this is certainly not a security-related issue.

--
Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
Re:This is a security flaw...why? by HonIsCool · 2008-01-07 20:09 · Score: 1

By the way, there are many more bad things you can do as Administrator than just hack the boot sector.
I guess that's why Administrator (root) is a completely separate user on *NIX systems, not just an attribute of some logged in user.

Is this a better approach do you think? If so, why?
And have you heard of capabilities?

--
"Give me six lines of C++ code written by the most competent programmer, and I will find enough in there to hang him."
Re:This is a security flaw...why? by DrSkwid · 2008-01-08 03:02 · Score: 1

root itself is a security flaw

--
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Re:This is a security flaw...why? by PPH · 2008-01-08 07:05 · Score: 1

root itself is a security flaw
Much less so than assigning Admin privileges to a regular user or depending on certificates to vouch for the benign nature of a package.
I suppose you could design a system where the average user never needs to be troubled by understanding what is being done to their system and can delegate responsibility for its maintenance to some trusted third party. But no such third party exists.
As long as I have to issue a sudo command or log in as root, it will take an amazing amount of social engineering/liquor/large breasted females to convince me to do something stupid.

--
Have gnu, will travel.
Re:This is a security flaw...why? by DrSkwid · 2008-01-08 09:51 · Score: 1

I shall repeat myself more verbosely, the ability of a regular user to log in via userland as a super user is a security flaw by design.

--
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Re:This is a security flaw...why? by PPH · 2008-01-08 12:27 · Score: 1

There are no *NIX systems wherein regular users may log in as the superuser (root).

--
Have gnu, will travel.

Re:Like it matters by Anonymous Coward · 2008-01-07 16:21 · Score: 2, Insightful

You get moderated down because you open your fool mouth without thinking. Remember the molten salt solar plant post? You basically repeatedly opened your gob to say, "I have no idea how all this works, but I'm much smarter than the guys who get paid megabux to design this stuff so <idiocy/>, <idiocy/>, <idiocy/>."

Re:Like it matters by banished · 2008-01-07 16:23 · Score: 1

Amazing how even with all we've got, things go back to the same kind of viruses that were written back in the days of DOS 2.

Indeed, the common cold has been around slightly longer, and we still haven't figured out how to prevent that, either.

Re:You have run Vista with elevated administrative by Mr2001 · 2008-01-07 16:32 · Score: 1

Not as hard as finding such a flaw in the first place. Why, have you found one?

--
Visual IRC: Fast. Powerful. Free.

Re:Like it matters by The+Analog+Kid · 2008-01-07 16:44 · Score: 1

If these so-called invisible rootkits are so effective, why aren't we seeing them everywhere? Huh?

You forgot to select the tachyon detection grid option in your virus scanner. Duh.

Re:Like it matters by Anonymous Coward · 2008-01-07 17:12 · Score: 5, Funny

The latter, because "Fuck off" is an imperative verb form and has nothing to do with adjectives.

bootkey by Tumbleweed · 2008-01-07 17:27 · Score: 4, Informative

If a person wanted to be sure, couldn't you burn a boot loader onto a CD, have the CD boot first, and have that direct the loading? IANLWK (I am no Linux Whiz Kid), but in my imperfect knowledge of the world, that seems like it would completely defend against this type of attack. I yearn for correction of my ways if this wouldn't work.

Or better yet, a USB key - an key that lets you start your computer. No key, no start. Faster than a CD, no moving parts, etc. Me likes.

Re:bootkey by c0d3h4x0r · 2008-01-09 00:27 · Score: 1

Or better yet, a USB key - an key that lets you start your computer. No key, no start. Faster than a CD, no moving parts, etc. Me likes. Until you lose your USB key...

--
Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.

Okay, found some documentation on this by yeremein · 2008-01-07 17:45 · Score: 2, Interesting

Here.

It actually looks reasonable - you can still perform raw disk writes from userland (with admin rights, of course) - you just can't write over a mounted volume. Disk imaging utilities will still work, provided they dismount any volumes before they overwrite them (which they ought to be doing anyway; I should know, I wrote a Windows disk imaging utility at my last job).

And of course, you can't dismount a disk with an active pagefile on it, so it solves that vulnerability. But it does so in a reasonable way--I can't really imagine why a well-behaved program would want to scribble over a mounted volume; you don't know whether the cache is just going to clobber what you wrote in a second anyway. So I apologize for my FUD in the parent message; this security feature actually seems to strike a good balance.

Now the FUD in TFA is another story...

Back in the day by AndGodSed · 2008-01-07 17:46 · Score: 1

(which was only a few years ago 1999ish :)) we used to refer to it as PEBCAC errors. Problem Exists Between Keyboard And Chair.

Also of course was the prevalent ID10T virus. I swear, we once actually told a guy that after he wiped his pc for the n'th time, and he ate it all up...

--

Seven Days with Ubuntu Unity

Re:Back in the day by spootle · 2008-01-07 19:58 · Score: 1

I didn't know keyboard was spelt with a C.
Re:Back in the day by AndGodSed · 2008-01-07 20:28 · Score: 1

Bwahahaha... it would seem the PEPCAK strikes again!

--
Seven Days with Ubuntu Unity
Re:Back in the day by AndGodSed · 2008-01-07 20:31 · Score: 1

Oh dear... I seem to be on a roll... I K'd the wrong C... *bangs head on C... erm Keyboard*

--
Seven Days with Ubuntu Unity
Re:Back in the day by Fred_A · 2008-01-07 23:54 · Score: 1

Oh dear... I seem to be on a roll... I K'd the wrong C... *bangs head on C... erm Keyboard* Problem Exists Between Chair and Keyboard
Problem Exists Between Keyboard and Chair

Hmm... choices, choices...

Same difference IMO.

--

May contain traces of nut.
Made from the freshest electrons.
Re:Back in the day by Killjoy_NL · 2008-01-08 04:23 · Score: 1

Just go for PICNIC

Problem In Chair, Not In Computer

^_^

--
This is the sig that says NI (again)

Re:Like it matters by infonography · 2008-01-07 17:50 · Score: 1

Almost all BIOSes released in the past 5 years had MBR protection. Install your OS, turn on MBR protection and let the virus try.

SNIP consider the average user^H^H^H^H^H^H^H^H^H Windows user has to rely on AOL for their anti-virus.

[I am shaking my head while my hand are vigorously rubbing my brow in shock, sadness, and disbelief. Later I will pull out some hair. ]

--
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23

I Thought Vista Was a Re-Write? by BigAssRat · 2008-01-07 18:12 · Score: 1

Once again, I thought Vista was supposed to be a complete re-write of Windows code. How do they manage to keep the same old buggy code from NT 4.0?

Re:I Thought Vista Was a Re-Write? by flyingfsck · 2008-01-07 20:05 · Score: 3, Funny

Uhmm, that is thanks to the extensive experience of the programmers and an advanced programming tool invoked with the secret codes ctrl-c and ctrl-v...

--
Excuse me, but please get off my Pennisetum Clandestinum, eh!

Re:Like it matters by burnin1965 · 2008-01-07 18:17 · Score: 3, Insightful

since you can never know whether your mail client or your web browser

word processor, spreadsheet, presentation software, desktop database software, etc, etc. Since the whole idea of using a computer is to run code there are a miriad of exploit possibilities in just about any application that has scripting capabilities or simply an bug in the code which can be used to execute code. This is the reason applications should not be running with permissions that allow operations like writing to the MBR when there is no reason to.

Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).

Like Windows ME? While it has virtually no market share I'd hardly recommend it for use in any application. Actually your best bet is to use something that has a good secure design which trys to reduce the potential for exploits. My personal choice is linux and while it does not have the desktop market share of Windows NT variants it does have a massive server/router/appliance install base and it is continually under attack, however, over the years of using linux for my desktop solutions I've yet to have any issues related to exploits.

And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.

Can you provide a link to the statistics showing "the most used and most successful way of infecting a machine" is by users executing the code themselves? Visiting a web page with a browser you are executing or reading e-mail with a mail reader you executed either of which may have an exploit via a code bug or scripting is not the same thing as a user executing the code themselves. I assume your suggesting that the users are actually clicking on the executable and intentionally running the code which infects their system, which does happen but I'd like to see the study before I believe that is the #1 successful attack vector.

Re:Like it matters by cbreaker · 2008-01-07 18:17 · Score: 4, Funny

Yes, it's the super complicated SlashDot moderation system designed specifically to baffle the weak minded. Although some chimps have been known to figure it out, it apparently still has some effectiveness.

--
- It's not the Macs I hate. It's Digg users. -

MR Team? by tieTYT · 2008-01-07 18:31 · Score: 1

Let me get this straight... Windows is so insecure a team of Mental Retards can hack it?

Re:MR Team? by nullCRC · 2008-01-08 02:28 · Score: 1

No, you don't even need a team to do that.

--
Vescere bracis meis.

Re:Like it matters by Vaticus · 2008-01-07 18:37 · Score: 1

In true /. form, I had not read the Poster's Name, just what they had typed. Thanks Leto-II.

--
John 3:16. Know it.
Drink Yourself Healthy: MonaVie

Round and round we go... by Fizzl · 2008-01-07 18:42 · Score: 2, Funny

MBR was THE attack vector for viruses back in the good old times of MS-DOS and floppies. Now it's new again?

--
Bot Assisted Blogging

Educated users on safe platforms by SpaceLifeForm · 2008-01-07 19:01 · Score: 1

Under GNU/Linux, you typically have better educated users. There is no need to defend against those users, they are not attacking their own machine. It is uneducated users that are tricked into executing malicious code, that allow outside attackers to control their machine.

He Who Controls the Bootloader

--
You are being MICROattacked, from various angles, in a SOFT manner.

Re:Educated users on safe platforms by rossjudson · 2008-01-07 20:30 · Score: 5, Insightful

Security by arrogance. That's a new one.
Re:Educated users on safe platforms by DrSkwid · 2008-01-08 02:53 · Score: 1

Yeah, those NVidia drivers that let you remote root were the fault of uneducated users tricked into running malicious code. http://kerneltrap.org/node/7228

It's only one of many over the years.

--
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Re:Educated users on safe platforms by myvirtualid · 2008-01-08 03:31 · Score: 2, Insightful

Under GNU/Linux, you typically have better educated users.
This was true back in the day, that is, when virtually all Linux users were home-brew hacking DYIers who either loved all things CSish or hated all things M$ish and knew there were alternatives.
You know, the gentoo and sid crowds.
Then RedHat happened and Ubuntu happened and hell froze over and DELL and HP started shipping systems with an OS other than Windoze and what you say is no longer true.
It's probably still true that the majority of Linux users are "better educated" (or, perhaps, informed and intent hacker hobbyists) and that virtually all people running Linux servers fall into that crowd, but it is no longer true that "only the educated" run Linux.
There are enough people now running Linux because it just works for them, enough people who still aren't really clear on what OS is and DO NOT NEED TO BE!. Seriously, why should they give a damn, they just want their computer to work, just like they want their car and their alarm systems and the elevators downtown to work without having to know a ton of geeky crap or push 16 buttons in exactly the right sequence slap!... ...where was I?
There are enough people now running Linux because it just works that Linux needs to consider that these users may not always know what they are doing. Ubuntu does this pretty well, with the way things are hidden behind an extra password dialog, along with decent - adequate? - explanatory text. It should be enough to give sufficient pause to prevent serious damage.
There is no need to defend against those users, they are not attacking their own machine.
It's not a question of users attacking their own machines. It's a question of preventing accidental damage of the kind that Linux seemed to once revel in encouraging....
It is uneducated users that are tricked into executing malicious code, that allow outside attackers to control their machine.
Bollocks. Everybody makes mistakes. Windows - at least older versions - ensured that all mistakes were grave. Modern Linux - and modern Windows when properly configured and properly patched (is this an NP problem? :->) - make it so mistakes are less likely to be 100% fatal 100% of the time.
And to return to your first quote....
Under GNU/Linux, you typically have better educated users.
Under BSD, you typically have better educated users.
There, fixed that for you.
(I don't use BSD, never have, but I do recognise that Linux has, for whatever reason, taken off in non-geek circles in a way BSD has yet to, and may never want to. Don't get me wrong, some of the BSD products seem downright amazing, but the user bases of BSD and Linux have diverged considerably, and for the moment Linux is winning the popularity contest. Does that make it better? No. Worse? No. Just more popular.)

--
I'm here EdgeKeep Inc.
Re:Educated users on safe platforms by Some_Llama · 2008-01-08 06:12 · Score: 1

"Security by arrogance. That's a new one."

Obviously you haven't heard of Apple computers?
Re:Educated users on safe platforms by myowntrueself · 2008-01-08 09:24 · Score: 1

Under BSD, you typically have better educated users.

Right... and that would include OSX, eh?

--
In the free world the media isn't government run; the government is media run.
Re:Educated users on safe platforms by rossjudson · 2008-01-09 18:23 · Score: 1

Obviously I haven't. Good point. ;)

Re:Like it matters by inode_buddha · 2008-01-07 19:09 · Score: 1

"Amazing how even with all we've got, things go back to the same kind of viruses that were written back in the days of DOS 2."

Most likely because the way PC's work at a low level hasn't changed all that much. The BIOS is going to load whatever it finds in the first 512 bytes if disk into RAM. And the MBR doesn't necessarily have to be there; it is relocatable.

--
C|N>K

Re:Like it matters by Tmack · 2008-01-07 19:29 · Score: 2, Informative

I can't imagine that would make any difference. The computer needs to boot somehow, there are legitimate reasons for modifying the boot code (such as installing a new OS, or fixing flaws in it) so you can't just block it wholesale, and any program that runs at the boot stage will necessarily have complete control of your computer. About the best you can do is require the user to confirm before overwriting the MBR - something I thought windows already did (and if it doesn't, there's really no excuse for it not to) - but that's far from foolproof.

I think most modern Bios's have MBR/boot sector virus protection options. Basically you set the option in the BIOS and it either prevents MBR access (through the on-chip IDE controller, duno about off-board cards or scsi devices) or interrupts the system and displays an alert screen (similar to an overheat warning some do). To use it, you turn it off, install your OS with boot loader of choice, then go turn it on. Anything trying to write MBR data gets rejected or notifies you in pretty ASCII colors on screen with beeps. I know its prevented me from installing lilo a couple times.

Tm

--
Support TBI Research: http://www.raisinhope.org

Re:Like it matters by Anne+Honime · 2008-01-07 20:19 · Score: 1

What if someone wrote a super small bootable virus, then the virus' initial form used Partition Magic-like functionality to write its own partition and stick the virus on it then tell the computer before restarting to boot from that one. Then the virus can do whatever it wants to the MBR or basically anything else on the drive cuz no files or anything would be open.

No need to create a new partition. On a traditional disk, the first cylinder is reserved to the mbr, but the mbr lives on a single sector. The cyclinder on today's drives is much bigger, well enough for a nasty bug. That's how lilo works, by the way, and such a virus would nuke it on the spot.

DOS 3.3 called... by (Score.5,+Interestin · 2008-01-07 21:02 · Score: 2, Funny

... it wants its viruses back!

If you read the OP this is pretty much what DOS viruses were doing 20 years ago. Wow.

Re:Like it matters by toadlife · 2008-01-07 21:05 · Score: 1

"Can you provide a link to the statistics showing "the most used and most successful way of infecting a machine" is by users executing the code themselves?" Go to any one of the Anti Virus websites where they list a "top xxx" threats list, and look at the infection methods. You'll find that a large majority of them are spread via social engineering.

--
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.

Re:Like it matters by killmofasta · 2008-01-07 21:15 · Score: 2, Informative

In all the years of virus hunting and gathering,
I only got a boot sector virus once. Now, I just fdisk /MBR in the startup sequence.
I may have had anynumber of boot sector viruses. I dont know. They all disappear
before I have a chance to detect them.

Windows cannot protect the MBR if windows is running or not AND THEY SHOUDLNT.
Its really up to the hardware vendors.

Put it into BIOS or have a jumper on the drive.
( Simple effortless fix, vs MAJOR CLUSTER F*** )
( I used to turn it off, and then fdisk /MBR then turn it back on in the bios. )
I always thought it was a nice feature. Where the hell did it go?

Re:You have run Vista with elevated administrative by lhorn · 2008-01-07 22:06 · Score: 1

Most motherboards from the last part of previous century on had boot virus protection in some form, usually a write block on the first sectors of the first harddisk. This was enabled/disabled in the BIOS setup and effectively stopped any attempt to modify these sectors. Had to be turned off for OS installation, lilo modification etc, but I found it well worth the hassle. Has this disappeared? (Found on a P4B close by - so Asus had it recently)

--
accept no limits but time

Re:Like it matters by digitig · 2008-01-07 22:24 · Score: 2, Informative

Two-word noun phrases are only hyphenated when used in adjective form.

I don't know about US usage, but in British usage there's no such rule, according to both Partridge's "Usage and Abusage" and Fowler's "Modern English Usage" (arguably two of the three most influential prescriptive grammars of the 20th century, the third being Fowler's "The King's English", which I don't have to hand).

As Partidge points out, "In the life of a compound word there are three stages: (1) two separate words (cat bird); (2) a hyphenated compound (cat-bird); (3) a single word (catbird)."

Apart from a few cases where the form is forced by a risk of ambiguity, whether a compound is hyphenated is determined by how far along that progression the compound has gone, and there is no rule to determine it. For example, in the same article Partridge uses "Dog-show" as a compound noun, thus hyphenated. And as an example of where a hyphen is forced, Partridge compares "The author's tense-sequence is defective in this passage" (see the hyphenated noun phrase used as a noun there?) with "A tense sequence of events succeeded a dull sequence". Clearly two-word noun phrases are not only hyphenated when used in adjective form.

So you're right that "grammar Nazi" does not have to be hyphenated, but for the wrong reason.

--
Quidnam Latine loqui modo coepi?

MBR is a vulnerability by definition by ajs318 · 2008-01-07 23:03 · Score: 1

The MBR is a vulnerability by definition. Almost the only way to protect it is by having a jumper on the HDD itself, which must be fitted to enable writing to the MBR and must be removed to enable booting. That means that everytime you want to install a bootstrap loader, you will have to open up the machine and muck about inside it.

Question is, is the threat from the MBR vulnerability significant enough to warrant such a drastic solution?

--
Je fume. Tu fumes. Nous fûmes!

Re:Like it matters by ajs318 · 2008-01-07 23:45 · Score: 1

Second, exploits in programs. This is harder to secure, since you can never know whether your mail client or your web browser (or one of its myriad plugins) has such a vulnerability.

By reading and understanding the Source Code, you can get a reasonably good idea about what your mail client or your web browser (or one of its myriad plugins) might be doing. Statistically, any given vulnerability is more likely to be discovered this way by a Good Guy than by a Bad Guy (since the former are more numerous than the latter).

Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).

But the lower the market share, the fewer the number of Good Guys reading the Source Code. I'd certainly rather use something such as Firefox (which is getting much attention) and remember to stay on top of updates, than use something obscure.

--
Je fume. Tu fumes. Nous fûmes!

Re:Like it matters by Fred_A · 2008-01-07 23:48 · Score: 1

The slashot discussion system is a joke run by arrogant, biased, opinion nazis Tutorial:

1) That's "Slashdot". -1 for capitalization, -5 for spelling.
2) Nazi is capitalized. Also shouldn't it be Nazi's ? You know, just so we'd have something to bitch about on slow days ?

--

May contain traces of nut.
Made from the freshest electrons.

Re:Like it matters by Fred_A · 2008-01-07 23:51 · Score: 2, Funny

Hen and egg. How does the virus get there in the first place. SOMEONE must first of all get it to execution. Malware doesn't suddenly jump in and exists. Really ?
That's not what my users have been telling me...

Those sneaky weasels !

--

May contain traces of nut.
Made from the freshest electrons.

Re:Like it matters by sqlrob · 2008-01-07 23:58 · Score: 1

There are more good guys, but are there more *qualified* good guys?

How long was the zlib double free present? How long was the hardcoded password in Firebird?

Re:Like it matters by Fred_A · 2008-01-08 00:00 · Score: 1

In all the years of virus hunting and gathering,
I only got a boot sector virus once. Now, I just fdisk /MBR in the startup sequence. Good idea, Ill do that as well !

while true ; grub-install /dev/sda ; sleep 60 ; done

</foaming_at_the_mouth>

--

May contain traces of nut.
Made from the freshest electrons.

Re:Like it matters by Fred_A · 2008-01-08 00:10 · Score: 1

In all the years of virus hunting and gathering,
I only got a boot sector virus once. Now, I just fdisk /MBR in the startup sequence.
I may have had anynumber of boot sector viruses. I dont know. They all disappear
before I have a chance to detect them. As an aside here's the problem with that scheme :

Machine boots
MBR loads Windows
Windows overwrites MBR
Windows gets infected somehow
Presumably Virus checks for prior infection
Virus overwrites MBR
stuff happens (?)
machine shuts down

*time goes by*
Then :

Machine boots
MBR loads Windows *and* virus
Windows overwrites MBR
Presumably Virus checks for prior infection
Virus overwrites MBR (sounds familiar?)
stuff happens (?)
machine shuts down

Windows cannot protect the MBR if windows is running or not AND THEY SHOUDLNT.
Its really up to the hardware vendors.

Put it into BIOS or have a jumper on the drive.
( Simple effortless fix, vs MAJOR CLUSTER F*** )
( I used to turn it off, and then fdisk /MBR then turn it back on in the bios. )
I always thought it was a nice feature. Where the hell did it go? If infection of the MBR by a virus is a concern, hardware protection (as in having the controller forbid access) is indeed the only real solution in the current Windows context.

--

May contain traces of nut.
Made from the freshest electrons.

Re:Like it matters by Smidge204 · 2008-01-08 01:05 · Score: 1

Since the average Windows user is probably buying a brand name PC, there is no excuse for not enabling the BIOS MBR protection at the factory. Those who are smart enough to install their own OS are *probably* smart enough to notice the warnign and turn it off themselves.

=Smidge=

Re:Foolproof Windows? by Ash+Vince · 2008-01-08 01:06 · Score: 1

A relevant quote from somewhere or other:

"Theres no such thing as a foolproof system because fools are too inventive."

I tried to just verify this is the correct quote but it seems to exist in many forms on the net, all have a similar meaning. Incidentally if anyone can point me in the direction of it original source I would be interested to know where it came from.

--
I dont read /. to RTFA, I read /. to offend people in ignorance.

Except... by Junta · 2008-01-08 01:06 · Score: 1

Under linux, that's dictated by /etc/localtime. So, Linux isn't different from Windows in that respect.

There are applications which independently track the time zone, but they piss me off because they don't concur and I don't feel like selecting my time zone per application.

--
XML is like violence. If it doesn't solve the problem, use more.

MS or Plextor's issue? by phorm · 2008-01-08 01:41 · Score: 1

I'm not sure if you can blame MS in this case though. If your machine is interfacing with the device through a plextor driver, which similarly allows the firmware update (as a non-privileged user), I'd say the weakness is Plextor's. Drivers need to be able to do their thing, and I'm not really sure that the OS could easily differentiate between a driver reading/writing a DVD or writing firmware. So if this were the case, MS wouldn't really be to blame unless it was actually their driver, or perhaps if the Plextor driver passed MS Certification.

Re:Like it matters by Anonymous Coward · 2008-01-08 01:56 · Score: 1, Funny

Oooooh, XML compliant snarkism. Nice.

Re:Like it matters by Nimey · 2008-01-08 02:16 · Score: 1

Aw hell, I can't resist:

Tutorial:
1) BiCapitalization is bad, mmmkay, especially when the word in question isn't officially so. ....
2) I got nothin'.

--
Hail Eris, full of mischief...

E pluribus sanguinem

Ultimate Boot CD for Windows (UBCD4Win) by Futurepower(R) · 2008-01-08 02:19 · Score: 1

There is a simple solution: Boot from the Ultimate Boot CD for Windows (UBCD4Win), and run a scan on all the boot sectors of all hard drives. Since the original, possibly infected, operating system and hard drives are not in control, the rootkit has no effect.

Re:Ultimate Boot CD for Windows (UBCD4Win) by homer_ca · 2008-01-08 05:37 · Score: 1

That may or may not help. You could write an MBR rootkit to only run once to install the malicious kernel driver. That way it would survive an MBR restore, but there would also be evidence of the rootkit in the Windows filesystem or registry. Still, you're right that using a boot CD to scan the boot sectors and filesystem will bypass the rootkit.

Re:Like it matters by weicco · 2008-01-08 02:22 · Score: 1

This is much less important in real operating systems, which don't allow mail clients or web browsers to muck up boot sectors and the like.

My mail client and web browser is run on lowest privilege level there is. No MBR mucking. No system file mucking. I run Vista and IE7 with non-admin rights. This security hole doesn't concern me or any other Vista user who is not stupid enough to turn off UAC.

--
You don't know what you don't know.

Re:Like it matters by Keeper+Of+Keys · 2008-01-08 02:24 · Score: 1

It's a long time since I studied high school grammar, but I'm pretty sure multiple adjectives which qualify the same noun should be separated by commas:

"Give me all your money or I shall throw a fuck-off, big rock at you."

However, there is something fishy about the word order here; so ultimately I'd go for:

"Give me all your money or I shall throw a big, fuck-off rock at you."

Re:Like it matters by swillden · 2008-01-08 02:40 · Score: 2, Informative

I wonder if this would be so easily possible with EFI based booting. OS X uses it. Vista SP1 supports booting using EFI off disks don't partitioned with the old DOS partition format.

Whether EFI or BIOS, this is a (small) part of what TCPA is intended to defeat. The idea is that the EFI or BIOS hands a copy of the boot sector to the TPM before loading it, and the TPM hashes it into a state register. The boot sector code sends a copy of the boot loader code to the TPM for hashing before it loads, then the boot loader sends a copy of the OS kernel to the TPM before it loads, and so on.

Any piece of code along the way, or even user-level code after boot, can check the state register to decide if the boot code integrity is intact. Also, decryption keys can be bound to register states, so you can ensure that if malicious code does somehow get into the boot process, it cannot access data encrypted with those keys.

I fiddled for a while with a TPM-enabled GRUB to allow whole disk encryption keys (dm-crypt) to be bound to the boot state. It's a nice setup in that you have whole-disk encryption without having to enter a boot passphrase or attach a USB key or anything, and it ensures that any malicious modification of loader or kernel disables access to the data on the drive. Unfortuanately, it also loses access to the drive data when any non-malicious modification occurs. It's not terribly difficult to address that issue, but it really needs to be integrated into the package management system and thought through very carefully to ensure that no sort of failure during upgrade can leave your system inaccessible -- and yet the process must also not allow malicious code to do the same sort of "upgrades".

Of course, this is somewhat less of an issue on *nix, because write access to the MBR requires root privs.

One other thought about this situation: Although I'm generally a fan of TCPA for all of the good things it can be used for, I'm also leery of the evil that Microsoft can do with it. My paranoid side wonders if MS doesn't have a hand in this MBR virus -- and more to come -- as justification for pushing universal TPM deployment. TPMs are useful in machines that have high security requirements, but in consumer machines there's little value and lots of risk.

--
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

Re:Like it matters by peragrin · 2008-01-08 02:44 · Score: 1

Real Operating systems have been doing that for 20 years, yet MSFT only just introduced it a year ago.

Windows MSFT reinventing Unix Poorly. When MSFT implents something similar to X i will not be able to stop laughing. They already have come up with a real command shell (Powershell)

--
i thought once I was found, but it was only a dream.

Re:Like it matters by cgenman · 2008-01-08 03:03 · Score: 1

And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.

I hate this blame-the-user viewpoint. Executing code is what computers are there to do. We bemoan the abysmal program monoculture of I.E. and Outlook Express, yet we blame unknowing users who try programs they find online. Furthermore, the distinction between a .SWF file and an .EXE file may seem massive to you and me, but it's pretty academic to the average user for whom their computer is just a tool for getting stuff done.

A computer is a system to run code, whose utility lies in its ability to run a broad range of unexpected applications. What we need is not a culture that discourages experimentation and blames the user, but an OS with a clean separation between system and applications, protected memory, and protected disks outside of an application and user's home spaces. As the line between the desktop and the internet starts to fade, we need at an OS level some of the protections originally intended for untrusted space.

--
The ______ Agenda

This is not to shocking by arkham6 · 2008-01-08 03:21 · Score: 1

Being appalled is the natural state of existence for a windows sysadmin.

Re:Like it matters by Vandil+X · 2008-01-08 04:51 · Score: 1

And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.

Indeed. When I worked in IT support for 12 years, I cleaned up my fair share of user-executed virus/trojan attachments with such fun names as (paraphrasing, it's been a while) SnowWhiteNakedPics.exe, YourSecretAdmirer.exe, and my favorite, FilthyWhores.exe.

The best was that these were often run by people with high-level or otherwise revered/critical positions within the companies I provided support for...

--
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START

In Reply to Your Sig by Dareth · 2008-01-08 05:05 · Score: 1

Why do death penalty advocates mostly oppose abortion while vegans mostly support it?

Because it is easier to justify executing someone for murder or other horrible crime, than for simply being inconvenient.

--

I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling

Re:Like it matters by DarthStrydre · 2008-01-08 05:07 · Score: 1

Like everything XML - While it may be compliant it is never the right tool for the job. Correcting this..:

"I have no idea how all this works, but I'm much smarter than the guys who get paid megabux to design this stuff so foo."

No root, no problem by ajs318 · 2008-01-08 05:14 · Score: 1

Disabling the root account is simply done by having no entry, or an invalid entry (i.e. containing a character in the "scrambled password" field which cannot be generated by the scrambling algorithm, i.e. matching [^A-Za-z0-9./] and thus preventing any rescrambled password from ever matching it), for "root" in the file /etc/shadow.

Booting with "init=/bin/sh" means that instead of starting the process scheduler init (which would then run several instances of getty; each of which runs login, which checks that you entered a valid login that appears in /etc/passwd, a password which when scrambled matches the corresponding one in /etc/shadow and, if so, launches a program specified in /etc/passwd -- usually a shell -- in the name of the user whose login you typed), you start the shell directly, without having your login checked. You can only have one process going on at once, but that's still enough to have some phun with. And the shell just conveniently assumes your userid number is 0, which is root, so you get all the powers and none of the responsibilities.

Once you've done the passwd step, you have now created a valid /etc/shadow entry for root; and thus even if the root account was disabled before, you've enabled it. Later, you will restore the old (possibly bogus or non-existent) entry to the /etc/shadow file. You really should fix the timestamp on this; but you already left a big enough clue that you'd been mucking around when you rebooted the box. If the sysadmin doesn't notice that, hell, you might as well just pick the machine up and wander out the front door with it. (Probably doesn't even look suspicious if you have a pair of coveralls and an ID badge.)

--
Je fume. Tu fumes. Nous fûmes!

BIOS Boot SEctor Virus Protection Derecated? by DarthStrydre · 2008-01-08 05:36 · Score: 1

Actually, it seems most modern BIOSes do NOT have this option. I have not tested it, but I assume that even if the option is set, it can only trap calls made through the BIOS int13h. (DOS, Windows 3.1, Windows 9x/Me in legacy disk access mode only) Once you transition to protected mode and the 32bit realm, the BIOS is out of the loop for disk access. It is possible that somehow the Southbridge, or disk controller can get programmed to look for LBA 0x00000000 or CHS 0,0,1 accesses and block them, but I do not believe this is the case.

Re:Like it matters by Reziac · 2008-01-08 06:43 · Score: 1

I first saw BIOS-based MBR protection in BIOS code dated 1992 (on a 486 motherboard). It was common enough back then, but fell out of favour during the early Win32 era, probably because it would scream and halt the system when Win9x went to rewrite the MBR (which it does occasionally for no reason that I know of).

I've noticed it's made a comeback in the past few years, and this is a good thing -- it may drive some users crazy, but it's good to HAVE it there if you want to use it.

--
~REZ~ #43301. Who'd fake being me anyway?

Re:Like it matters by snoyberg · 2008-01-08 06:45 · Score: 1

Since when? Pass the fucking salt please...

I'm afraid to ask, but how do you use salt in that manner?

--
Thank God for evolution.

Re:Like it matters by Reziac · 2008-01-08 06:48 · Score: 1

FDISK /MBR is all fine and good if your virus merely resides in the MBR sector, and didn't alter the MBR code itself, and if your virus didn't encrypt the drive (which some did, back in the day). If it did, bye-bye data.

--
~REZ~ #43301. Who'd fake being me anyway?

Windows 98SE by Yvan256 · 2008-01-08 08:40 · Score: 1

Say what you want about Windows 98SE, but it still runs quite a number of games and is immune to Windows 2000/XP/Vista crapware.

Re:Windows 98SE by Yvan256 · 2008-01-08 08:47 · Score: 1

Yes, I know, it IS vulnerable to this particular kind of problems. I was talking about more recent viruses and trojans. :D

Re:Like it matters by burnin1965 · 2008-01-08 09:46 · Score: 1

Go to any one of the Anti Virus websites where they list a "top xxx" threats list, and look at the infection methods.

Okay, so I went to norton.com and looked at their latest list, threats list, and risks, and vulnerabilities. And to be honest its still not very clear. I suspect you are correct that most of the infections take place by tricking a user into running an application which is either malware itself or installs a virus. The problem is that there list doesn't really specify how the virii/trojans are installed. There seems to be a 50/50 split between actual malware applications and virii/trojans and there were multiple vulnerabilities last year which could have been used as attack vectors to install virii/trojans versus getting a user to actually run a malware application.

On McAfee's site its pretty much the same, there is no definite means of determining the method of attack for virii/trojans and they are viewed as a seperate threat type. Of course they list the same vulnerabilities which could have been used as an attack vector along with some new ones just released today.

I agree that the user is probably the most likely attack vector but then a vulnerability has the potential for a much bigger impact because even the users who are not easy to trick into running an application become prey. So while it seems probably I still wouldn't feel comfortable jumping to conclusions as its just to easy to say "its the dumb users".

Re:Like it matters by danbert8 · 2008-01-08 10:20 · Score: 1

I don't know, but it sure sounds painful...

--
Yes it's an anecdote! Were you expecting original research in a Slashdot comment?

Re:Like it matters by cbreaker · 2008-01-08 11:14 · Score: 1

That's a new low, my friend. I generally don't mind the grammar Nazi thing, but this is really sad.

So, just to stoop to your level:

1) "Aw" isn't a word. "Aww" isn't either, but at least it's more accepted.
2) Neither is "mmmkay."
3) Feel free to use a single period at the end of a sentence.
4) "I got nothin'" should read "I have nothing."

--
- It's not the Macs I hate. It's Digg users. -

Re:Like it matters by toadlife · 2008-01-08 11:23 · Score: 1

I didn't mean to say that exploits aren't used very much. I just think that the user is, has always, and will continue to be the number one avenue of infection.

I think a lot of malware today is spread via any method possible, which is why infection methods are not listed by AV companies. There is too much money involved for the scumbags that spread this crap to leave any door unopened. Today I see all kinds of non-Microsoft Windows programs like flash, java, real player, quicktime, firefox and all of the various IM clients being exploited, as opposed to a several years ago when the majority of vulnerabilities targeted were of outlook express and IE.

Anytime I start to doubt the sheer determination many people have to infect themselves, I remember a couple of years back when email worms first started to become "popular". Email server all came to the rescue and started implementing virus scanning on the email servers. To avoid detection, malware cretins placed their payload inside of zip files and the worms continued to spread. Email server admins then acted by scanning inside the zip files, and malware cretins promptly responded by encrypting the zip files and placing the password to the zip file in the body of the email...and the worms continued to spread!

--
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.

Re:Had a rootkit virus on XP for 5 years by DanJ_UK · 2008-01-08 14:12 · Score: 1

Kaspersky?

--
- Dan

Re:Like it matters by Opportunist · 2008-01-08 19:45 · Score: 1

Nope. Sorry, nope. There may be more people with good intentions than people with bad intentions, but the answer is, as usual: money.

Exploits, especially unknown 0days, are valuable. 4 to 5 digits is not impossible, depending on the impact, an exploit that can infect every machine running Windows, fully patched, without any action necessary by the user (i.e. a new remote exploit) can easily get you more money than you make in a year. Or 10 years, if you happen to be in, say, Uzbekistan.

Now, being "good" and reporting it gets you zip. Nada. Well, maybe a lawsuit from MS.

Question for 500: Do you think more "good" guys are hunting for exploits or more "bad" guys?

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

Re:Like it matters by Opportunist · 2008-01-08 19:48 · Score: 1

An indicator is "spreading method". If it says email, you can rest assured it relies on social engineering.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

Hybrid Vigor by SanityInAnarchy · 2008-01-09 19:05 · Score: 1

By the way, this technique does NOT work on all systems. I'm not entirely sure about the last time I tried it on Ubuntu, but on at least some systems, the initrd will also respond to init=foo, thus you'll get the initrd environment. That's not to say that you couldn't do similar damage from there (including running a root shell on the "real" system), I'm just stressing that there is no one way to attack all Linux systems.

Also, some of your stuff here is sloppy, on the systems for which it will work. "init 6" is not what you want -- you don't have init running at all at this point. What you want is to manually unmount, or "mount -o remount,ro", every filesystem, then sync, then either physically reboot or mess with /sbin/poweroff and such.

Or you can simply set everything back to the way you found it (mounted readonly and such), then "exec /sbin/init", and the system will have absolutely no clue that you changed anything.

Regardless, on anything, you just need physical access to the machine and sufficient time.

--
Don't thank God, thank a doctor!

Re:Hybrid Vigor by ajs318 · 2008-01-10 01:59 · Score: 1

By the way, this technique does NOT work on all systems. I'm not entirely sure about the last time I tried it on Ubuntu, but on at least some systems, the initrd will also respond to init=foo, thus you'll get the initrd environment. That's not to say that you couldn't do similar damage from there (including running a root shell on the "real" system)
Ubuntu have been experimenting with upstart as a replacement for the traditional init lately, and I don't know for sure how compatible this is with the existing syntax.

It's possible to continue the boot process manually if you somehow find yourself within the initrd environment, including launching a root shell. The only times I've ever managed to get a machine in that state have been while I was mucking around trying to build my own distro (actually by modifying someone else's distro, but isn't that how everyone does it?) and missed out some important file or other.
I'm just stressing that there is no one way to attack all Linux systems.
Which is a good thing in and of itself. Biodiversity in ecosystems, and all that.
"init 6" is not what you want -- you don't have init running at all at this point. What you want is to manually unmount, or "mount -o remount,ro", every filesystem, then sync, then either physically reboot or mess with /sbin/poweroff and such.
It doesn't really matter about init not running. The command as given will launch init, going straight into runlevel 6 (i.e. reboot). You're right that it would be possible to remount / read-only and # exec /sbin/init with no need for a reboot -- I hadn't thought of that. Must be some vestiges of Windows badness still glooping around in my brain!

--
Je fume. Tu fumes. Nous fûmes!
Re:Hybrid Vigor by SanityInAnarchy · 2008-01-11 05:18 · Score: 1

Ubuntu have been experimenting with upstart as a replacement for the traditional init lately, and I don't know for sure how compatible this is with the existing syntax.

Pretty close. They haven't been using upstart nearly as much as I think they should -- most things are still following the old SysV design.

It's possible to continue the boot process manually if you somehow find yourself within the initrd environment, including launching a root shell.

I know, just pointing out, you can't do it with the same commands. The "init=/bin/sh" line will probably work in an initrd, but the process of getting to the "real" filesystem is a lot harder. (Fortunately, for the most common case, it's possible to simply unmount the root filesystem, sync, and then ctrl+alt+del or hard reboot.)

It doesn't really matter about init not running. The command as given will launch init, going straight into runlevel 6 (i.e. reboot).

Ah, I see. Still, does it work well, considering that was not an "exec" command, and therefore, init won't be running as PID 1? I kind of didn't like the idea of leaving the bash process around, even only for a reboot.

You're right that it would be possible to remount / read-only and # exec /sbin/init with no need for a reboot -- I hadn't thought of that. Must be some vestiges of Windows badness still glooping around in my brain!

Just be thankful that you didn't have to mess with initrds as much as I did. (This was before I moved to ubuntu, where I can generate/update a stock initramfs with one command.)

--
Don't thank God, thank a doctor!

Re:Like it matters by MrResistor · 2008-01-10 06:03 · Score: 1

"Fuck-off" modifies "big", not "rock", so I think the original is correct.

"Give me all your money or I shall throw a really, big rock at you."

"Give me all your money or I shall throw a big, really rock at you."

Both of these are clearly wrong.

--
Under capitalism man exploits man. Under communism it's the other way around.

Re:Like it matters by Keeper+Of+Keys · 2008-01-10 06:15 · Score: 1

Might be a cultural difference, but here in the UK "fuck-off" used in this way means something like "really big", "devastatingly impressive", "winning"; as in: "That new Radiohead album comes in a fuck-off gatefold sleeve". It is an adjective not an adverb.

Re:Like it matters by MrResistor · 2008-01-10 07:30 · Score: 1

I never suggested it was an adverb. In the original version of the sentence it is an adjective modifying another adjective (How big is the rock? Fuck-off big.), which is perfectly acceptable according to my understanding of English grammar.

--
Under capitalism man exploits man. Under communism it's the other way around.

Re:Like it matters by Keeper+Of+Keys · 2008-01-10 07:35 · Score: 1

It seems to me not so much a question of grammar, as of idiom. Where I hang out I tend to hear people say things like: "He threw a fuck-off rock at me"; haven't heard it used to qualify other adjectives - "fuck-off big" has a certain redundancy. But if it is used that way, the sentence I was originally complaining about is perfectly OK and I retract.

Re:Like it matters by killmofasta · 2008-01-11 13:49 · Score: 1

I wanted to say, that ONLY my current Gaming RIG. Abit motherboard does NOT have this feature. The Shuttle SB51 Motherboard HAS this feature. and it works well. I put an infected Win98 HD in it and it was lightning up like a chrismas tree. DENY DENY DENY.

Its no longer an issue, and I am ditching my Abit board.

A hardware solution is the only real solution, as Windows cannot tell its *SS from a hole in the ground. The scheduler blows CHUNKS. I am working on a scheduler handler, along the lines of Alan Cox's suggestions for the changes made to the early SGI Linux implementations. ( I have the Kernel book, and its a tough read, even after taking the OS design class...)

Thanks

Re:Like it matters by killmofasta · 2008-01-11 13:56 · Score: 1

Virus Encryption is so increadibly rare...
Those were the ones that held your data hostage...
Well, If you didnt do backups...
Virus Encryption = HD crash. Same effect, same result.

Since the MBR code is in FDISK...Its write protected, and executable compressed. ( kinda old stuff, but hey... they are extremely unlikely to figure that one out. Much better targets for storm bots....but I did get one from an old rescued HD... ::)) It was kinda cute to fight it off, and see who won. ( I did eventually, Thank you HiREM.. )

Slashdot Mirror

Boot Record Rootkit Threatens Vista, XP, NT

201 of 261 comments (clear)