Slashdot Mirror
Boot Record Rootkit Threatens Vista, XP, NT
Paul sends us word on a new exploit seen in the wild that attacks Windows systems completely outside of the control of the OS. "Unfortunately, all the Windows NT family (including Vista) still have the same security flaw — MBR [Master Boot Record] can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected... At the end of 2007 stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected."
That'd require changes to the partition table, which is protected from NT's usermode IIRC.
Are you trolling?
Macs use EFI and PC's use BIOS. That's why.
1) That's "Slashdot". -1 for capitalization, -5 for spelling.
2) Nazi is capitalized.
3) Your sig is an automatic Godwin. Might want to fix that.
4) You didn't end your sentence with punctuation. This one calls for a period.
5) Arrogant? You bet!
Hail Eris, full of mischief...
E pluribus sanguinem
It's not a troll. I just want to know. If I put my code to MBR and LILO loader somewhere else and then start it, will it work? I guess so.
Hen and egg. How does the virus get there in the first place. SOMEONE must first of all get it to execution. Malware doesn't suddenly jump in and exists. It has to be brought into the machine. A virus or trojan does jack when it just sits on your machine. It is a program. It has to be executed to do its "magic".
There are exactly three ways to get this done. First, remote (RPC) exploits, which is easy to defeat with a router that does not allow any packets in to sensitive ports. Second, exploits in programs. This is harder to secure, since you can never know whether your mail client or your web browser (or one of its myriad plugins) has such a vulnerability. Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).
And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Yeah, like something that could fit in a 512 byte MBR...
Why bother?
That's what this does. It modifies the MBR to load the virus as a driver out of a pair of sectors.
This already does whatever it wants. And the "files open" comment is non-sensical, the pre-boot environment has no concept of "open files", it's just a little 512 byte loader.
There isn't much Windows (or any) OS can do when it isn't running.
If you read the article (it contains scary things like x86 assembly, I know, but you can skip that) you'd see that the describe this hooks into the load routines used by Windows. By intercepting these calls and redirecting them, it prevents you from overwriting the MBR or even detecting that it's changed (to a degree). To fix this you have to open a clean environment (like the recovery console off the Windows CD) and have it fix the MBR.
Amazing how even with all we've got, things go back to the same kind of viruses that were written back in the days of DOS 2.
I wonder if this would be so easily possible with EFI based booting. OS X uses it. Vista SP1 supports booting using EFI off disks don't partitioned with the old DOS partition format.
PS: Whoever modded the parent as informative either doesn't know what they're talking about, is drunk, or is in cahoots.
PPS: Sorry. I've been looking for an excuse to use the word "cahoots" all day.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Alright, I get the defense in depth concept, but I don't consider it to be a severe vulnerability that the MBR is writable while Windows is running. I consider that to be a feature, one I wish Microsoft did more of -- for example, I can install Linux from a Linux LiveCD, or I can install a second copy of it on another partition, etc. As far as I can tell, OS X is similarly flexible -- it forces you to type your password, but it can deliver a firmware update from within the OS -- think equivalent to a BIOS update, so even earlier than the MBR.
So, to clarify: It's writable from userland, which is not the same as being writable by any user. If they have Admin access (which means you already clicked a "This program wants to modify your Master Boot Record, are you sure?"), you're already screwed -- kind of like how, on Linux, if they have root, you're already screwed.
In other words, it's possible to modify your Master Boot Record without rebooting your computer. This is a good thing.
What's more, this is not new. All that's new is that it's both in the wild (Blue Pill does the same thing), and that it's a rootkit (MBR Viruses have been around for a very long time now). If someone was trying to apply for a patent, you'd be jumping all over them with prior art...
Don't thank God, thank a doctor!
I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.
I see that you are not an adherent of the True Church of the Flying Spaghetti Monster. The FSM has *everything* to do with Windows; we don't call it spaghetti code for nothing!
Hail Eris, full of mischief...
E pluribus sanguinem
Almost all BIOSes released in the past 5 years had MBR protection. Install your OS, turn on MBR protection and let the virus try.
I hated it at first, Linux installs failing as LILO not getting to write to the MBR until you turned it off.
Do not look at laser with remaining good eye.
... to write to the MBR.
For all other sectors Vista prevents writes to raw disk sectors even with admin permissions.
Users withouts admin permissions/without elevation cannot write to the MBR in Vista.
If these so-called invisible rootkits are so effective, why aren't we seeing them everywhere? Huh?
http://www.nuklearpower.com/daily.php?date=080103
The ______ Agenda
I can't imagine that would make any difference. The computer needs to boot somehow, there are legitimate reasons for modifying the boot code (such as installing a new OS, or fixing flaws in it) so you can't just block it wholesale, and any program that runs at the boot stage will necessarily have complete control of your computer. About the best you can do is require the user to confirm before overwriting the MBR - something I thought windows already did (and if it doesn't, there's really no excuse for it not to) - but that's far from foolproof.
I am trolling
It's more likely than you think.
What is this? 1986?
+0 Meh
Whether it's a an MBR record or an executable file stored on a filesystem the firmware may understand, the concepts are the same. Any sane operating system will allow you to modify boot files (after all, how else do you upgrade early-execution code). Whether it's an MBR or a more sophisticate piece of firmware, the principle is the same. The question is whether users have been trained to always be administrator, or if they've been trained the more disciplined way where uncommon (at least should be)/privileged operations can only be executed at significant obious pain.
Under linux even, a number of distributions have on occasion ventured down the very dangerous/wrong approach of skipping user accounts and going all root for the sake of convenience. However, the mainstream usage of linux (and OSX) is thankfully non-root users, and as such any *serious* applications accomodate that usage pattern (with the bonus of being sanely multi-user.
Meanwhile, Windows heritage has been less optimal. The consumer oriented MS platforms right up until XP didn't have a meaningful non-administrator concept, as well as much of a multi-user concept. As a consequence, many application developers did bad things that would break (i.e. using registry entries that are machine specific rather than user specific, or even writing things like saved documents/games to the application Program Files directory. Win9x even provided relevant spots that would evolve to something meaningful, but without significant meaning, many third parties ignored it, especially after Win3.x training. XP was the first definitive wake up call to a WIDE variety of developers. Even so, the majority of users ended up being administrative users to make up for the gap (as well as having no easy automatic privilege escalation). Hell, even a customized preload I saw sets up one user, renaming the administrator user (and in fact, calls an un-renamed administrator account a security risk... indeed).
OSX made a clean break with OSX (relegating "classic" applications to a relatively severe sandbox"), Linux never had such an unclean history to overcome. So while OSX implementing clean privilege escalation, and Linux has been working on facilities that lend itself well to that (i.e. DBus). Windows XP did not make a clean break, and Vista didn't etiher, but Vista's UAC is an attempt at giving users a facility to do privilege escalation. It's annoying because of bad programs and bad habits. But non-admin default usage + UAC is the only way they have of maintaining a sane featureset without being considered so vulnerable.
It also doesn't help that so many Windows users see "click here for free smilies" and think it's a good idea to do so.
XML is like violence. If it doesn't solve the problem, use more.
As I know, most 3rd party motherboards offer "anti-virus" or the "write protect MBR" options. Even if available I doubt they will work when using onboard RAID features.
Basically, you leaves these options off when installing the OS. Once you're finished, you can safely turn them on. I'm not sure how often NTFS needs access to the MBR, but I know I've never had trouble leaving these features enabled with FAT32.
Life is not for the lazy.
Two-word noun phrases are only hyphenated when used in adjective form. For instance:
Gamma rays are a type of ionizing radiation.
but
The gamma-ray burst released 4.3 blargajoules of energy.
A program running as root takes over a machine. News at 11!
It's really annoyed me that security companies continually report these things when they have no relevance to actual security. The concentration should always be on preventing malware from acquiring root access in the first place. Vista, despite its faults, actually does a much better job of this than its predecessors.
Also, this is Slashdot. Slashdot has Linux users, and wouldn't Linux users know that overwriting is even easier to do in Linux than NT? "dd if=trojan.bin of=/dev/hda", anyone?
By the way, there are many more bad things you can do as Administrator than just hack the boot sector. You can use bcdedit to create a fake Windows XP boot entry then put your Trojan kernel there.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
You get moderated down because you open your fool mouth without thinking. Remember the molten salt solar plant post? You basically repeatedly opened your gob to say, "I have no idea how all this works, but I'm much smarter than the guys who get paid megabux to design this stuff so <idiocy/>, <idiocy/>, <idiocy/>."
The latter, because "Fuck off" is an imperative verb form and has nothing to do with adjectives.
If a person wanted to be sure, couldn't you burn a boot loader onto a CD, have the CD boot first, and have that direct the loading? IANLWK (I am no Linux Whiz Kid), but in my imperfect knowledge of the world, that seems like it would completely defend against this type of attack. I yearn for correction of my ways if this wouldn't work.
Or better yet, a USB key - an key that lets you start your computer. No key, no start. Faster than a CD, no moving parts, etc. Me likes.
Here.
It actually looks reasonable - you can still perform raw disk writes from userland (with admin rights, of course) - you just can't write over a mounted volume. Disk imaging utilities will still work, provided they dismount any volumes before they overwrite them (which they ought to be doing anyway; I should know, I wrote a Windows disk imaging utility at my last job).
And of course, you can't dismount a disk with an active pagefile on it, so it solves that vulnerability. But it does so in a reasonable way--I can't really imagine why a well-behaved program would want to scribble over a mounted volume; you don't know whether the cache is just going to clobber what you wrote in a second anyway. So I apologize for my FUD in the parent message; this security feature actually seems to strike a good balance.
Now the FUD in TFA is another story...
Yes, it's the super complicated SlashDot moderation system designed specifically to baffle the weak minded. Although some chimps have been known to figure it out, it apparently still has some effectiveness.
- It's not the Macs I hate. It's Digg users. -
I'm forced to conclude that the majority of Slashdot's most vehement and fervent posters are autistic inhabitants of their parents' basements, with no sense of humor at all.
-1.
MBR was THE attack vector for viruses back in the good old times of MS-DOS and floppies. Now it's new again?
Bot Assisted Blogging
I can't imagine that would make any difference. The computer needs to boot somehow, there are legitimate reasons for modifying the boot code (such as installing a new OS, or fixing flaws in it) so you can't just block it wholesale, and any program that runs at the boot stage will necessarily have complete control of your computer. About the best you can do is require the user to confirm before overwriting the MBR - something I thought windows already did (and if it doesn't, there's really no excuse for it not to) - but that's far from foolproof.
I think most modern Bios's have MBR/boot sector virus protection options. Basically you set the option in the BIOS and it either prevents MBR access (through the on-chip IDE controller, duno about off-board cards or scsi devices) or interrupts the system and displays an alert screen (similar to an overheat warning some do). To use it, you turn it off, install your OS with boot loader of choice, then go turn it on. Anything trying to write MBR data gets rejected or notifies you in pretty ASCII colors on screen with beeps. I know its prevented me from installing lilo a couple times.Tm
Support TBI Research: http://www.raisinhope.org
Uhmm, that is thanks to the extensive experience of the programmers and an advanced programming tool invoked with the secret codes ctrl-c and ctrl-v...
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Security by arrogance. That's a new one.
... it wants its viruses back!
If you read the OP this is pretty much what DOS viruses were doing 20 years ago. Wow.
In all the years of virus hunting and gathering, /MBR in the startup sequence.
/MBR then turn it back on in the bios. )
I only got a boot sector virus once. Now, I just fdisk
I may have had anynumber of boot sector viruses. I dont know. They all disappear
before I have a chance to detect them.
Windows cannot protect the MBR if windows is running or not AND THEY SHOUDLNT.
Its really up to the hardware vendors.
Put it into BIOS or have a jumper on the drive.
( Simple effortless fix, vs MAJOR CLUSTER F*** )
( I used to turn it off, and then fdisk
I always thought it was a nice feature. Where the hell did it go?
I don't know about US usage, but in British usage there's no such rule, according to both Partridge's "Usage and Abusage" and Fowler's "Modern English Usage" (arguably two of the three most influential prescriptive grammars of the 20th century, the third being Fowler's "The King's English", which I don't have to hand).
As Partidge points out, "In the life of a compound word there are three stages: (1) two separate words (cat bird); (2) a hyphenated compound (cat-bird); (3) a single word (catbird)."
Apart from a few cases where the form is forced by a risk of ambiguity, whether a compound is hyphenated is determined by how far along that progression the compound has gone, and there is no rule to determine it. For example, in the same article Partridge uses "Dog-show" as a compound noun, thus hyphenated. And as an example of where a hyphen is forced, Partridge compares "The author's tense-sequence is defective in this passage" (see the hyphenated noun phrase used as a noun there?) with "A tense sequence of events succeeded a dull sequence". Clearly two-word noun phrases are not only hyphenated when used in adjective form.
So you're right that "grammar Nazi" does not have to be hyphenated, but for the wrong reason.
Quidnam Latine loqui modo coepi?
That's not what my users have been telling me...
Those sneaky weasels !
May contain traces of nut.
Made from the freshest electrons.
Whether EFI or BIOS, this is a (small) part of what TCPA is intended to defeat. The idea is that the EFI or BIOS hands a copy of the boot sector to the TPM before loading it, and the TPM hashes it into a state register. The boot sector code sends a copy of the boot loader code to the TPM for hashing before it loads, then the boot loader sends a copy of the OS kernel to the TPM before it loads, and so on.
Any piece of code along the way, or even user-level code after boot, can check the state register to decide if the boot code integrity is intact. Also, decryption keys can be bound to register states, so you can ensure that if malicious code does somehow get into the boot process, it cannot access data encrypted with those keys.
I fiddled for a while with a TPM-enabled GRUB to allow whole disk encryption keys (dm-crypt) to be bound to the boot state. It's a nice setup in that you have whole-disk encryption without having to enter a boot passphrase or attach a USB key or anything, and it ensures that any malicious modification of loader or kernel disables access to the data on the drive. Unfortuanately, it also loses access to the drive data when any non-malicious modification occurs. It's not terribly difficult to address that issue, but it really needs to be integrated into the package management system and thought through very carefully to ensure that no sort of failure during upgrade can leave your system inaccessible -- and yet the process must also not allow malicious code to do the same sort of "upgrades".
Of course, this is somewhat less of an issue on *nix, because write access to the MBR requires root privs.
One other thought about this situation: Although I'm generally a fan of TCPA for all of the good things it can be used for, I'm also leery of the evil that Microsoft can do with it. My paranoid side wonders if MS doesn't have a hand in this MBR virus -- and more to come -- as justification for pushing universal TPM deployment. TPMs are useful in machines that have high security requirements, but in consumer machines there's little value and lots of risk.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Under GNU/Linux, you typically have better educated users.
This was true back in the day, that is, when virtually all Linux users were home-brew hacking DYIers who either loved all things CSish or hated all things M$ish and knew there were alternatives.
You know, the gentoo and sid crowds.
Then RedHat happened and Ubuntu happened and hell froze over and DELL and HP started shipping systems with an OS other than Windoze and what you say is no longer true.
It's probably still true that the majority of Linux users are "better educated" (or, perhaps, informed and intent hacker hobbyists) and that virtually all people running Linux servers fall into that crowd, but it is no longer true that "only the educated" run Linux.
There are enough people now running Linux because it just works for them, enough people who still aren't really clear on what OS is and DO NOT NEED TO BE!. Seriously, why should they give a damn, they just want their computer to work, just like they want their car and their alarm systems and the elevators downtown to work without having to know a ton of geeky crap or push 16 buttons in exactly the right sequence slap!... ...where was I?
There are enough people now running Linux because it just works that Linux needs to consider that these users may not always know what they are doing. Ubuntu does this pretty well, with the way things are hidden behind an extra password dialog, along with decent - adequate? - explanatory text. It should be enough to give sufficient pause to prevent serious damage.
There is no need to defend against those users, they are not attacking their own machine.
It's not a question of users attacking their own machines. It's a question of preventing accidental damage of the kind that Linux seemed to once revel in encouraging....
It is uneducated users that are tricked into executing malicious code, that allow outside attackers to control their machine.
Bollocks. Everybody makes mistakes. Windows - at least older versions - ensured that all mistakes were grave. Modern Linux - and modern Windows when properly configured and properly patched (is this an NP problem? :->) - make it so mistakes are less likely to be 100% fatal 100% of the time.
And to return to your first quote....
Under GNU/Linux, you typically have better educated users.
Under BSD, you typically have better educated users.
There, fixed that for you.
(I don't use BSD, never have, but I do recognise that Linux has, for whatever reason, taken off in non-geek circles in a way BSD has yet to, and may never want to. Don't get me wrong, some of the BSD products seem downright amazing, but the user bases of BSD and Linux have diverged considerably, and for the moment Linux is winning the popularity contest. Does that make it better? No. Worse? No. Just more popular.)
I'm here EdgeKeep Inc.