Boot Sector Viruses & Rootkits Poised For Comeback
Ant writes "Ars Technica says Panda Labs' first quarter 2008 malware report raises a new concern, though it comes from a surprising direction. According to the company, boot sector viruses loaded with rootkits are poised to make a comeback. This honestly sounds a bit odd, considering how long it has been since a boot virus has topped the malware charts, but it's at least theoretically possible (pdf). Such viruses have a simple method of operation. The virus copies itself into the Master Boot Record (MBR) of a hard drive, and rewrites the actual MBR data in a different section of the drive. The report also covers a number of other topics and makes predictions about the types of attacks computer users may see in the future. Forecasting these trends is always tricky."
If we have hardware security support, this is not that easy.
Panda Labs has a new product that protects against just this? Call me a cynic, but...
I prefer the "u" in honour as it seems to be missing these days.
GNU GRUB version 0.95 (638 lower / 288704K upper memory)
Ubuntu, kernel 2.6.12-9-386
Ubuntu, kernel 2.6.12-9-386 (recovery mode)
Ubuntu, memtest86+
Other operating systems:
Windows NT/2000/XP
omfgh4xorz-r00tk1tz3113
Use the up and down keys to select which entry is highlighted.
Press enter to boot the selected OS, 'e' to edit the commands
before booting, or 'c' for a command-line
hmm, something's not right here
I still check to make sure that there aren't any floppy disks left in the drives before I power-on (and I still have floppy drives, even an external one for the laptop); it seems now the old habits may have a reason. Of course, nowadays malware doesn't have to rely on floppy disks accidentally left in drives and sharing of executables from one computer to another because the Internet exists; but that doesn't stop the old threats working, just provides a more modern alternative that gets more attention.
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
Bill Clinton was president, the Nasdaq was at 5,000 or something like that and I was smoking pot. Maybe we'll go back to the old days in more ways than one!
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
I spit on thee, thou foul virus writing knaves.
Wilt it doth survive the lowly Format?
Truly I say unto thee, Real Men write CMOS infecting viruses.
A danger to be alert to is the possibility of viruses and rootkits that ship with the computer. Consider that most computers have a lot of parts made in China; suppose the Chinese government decides it's going to slip something into your BIOS? That is a major issue for national security, and it's not just speculation; I've seen test viruses that sit in the BIOS and do a SUID root on a specific file in /tmp on every bootup. EFI is just as vulnerable, because it's basically a complete Unix-like OS just for booting.
Klingon programs don't timeshare, they battle for supremacy.
just buy something from China. Perhaps Panda is aware of the new effort underway?
I wonder why a virus writer would even want to do this? Nearly all have learned that instead of wreaking havoc for fun, they can wreak havoc and make money off it. There's a reason most writers stopped writing boot sector viruses. Viruses are more fun when they can perform click-fraud, and other long-term money making actions, instead of destroying a user's computer.
Sorry for being off topic, but it should be pointed out that Panda is strongly linked with the cult of Scientology. While it doesn't necessarily make them evil, the recent events of people being harassed for protesting against the cult, and the tactics employed by the cult to obtain personal data of protesters at any cost, should suggest the use of different antivirus/antispam programs, especially in a closed-source environment like Windows where the user cannot easily monitor what the software does and what files it reads.
If you're against the cult of Scientology, and write about it in blogs or emails, it's probably much safer to avoid any software from Panda.
Your BIOS guards against that attack vector if you use BIOS-calls to write to the harddrive. Not very likely, and very easy to circumvent...
Even if that kind of virus could be made and work, the odds of getting infected look so low (EVEN for Windows users) that it probably won't be very widespread.
On the other hand, if you already have something ugly running as admin/root on your box one way or another, it could deploy the MBR part, but I don't see the advantage of this if it is already in control anyway (afaik some rootkits/trojans (?) for Windows hide themselves from scanners by intercepting network/disk drivers or something similar, so no big advantage there).
so what happens w/ all this virtualization (VMware, Xen, Microsoft/Kidaro, RingCube, Moka5,...) coming in... aren't bare metal vulnerabilities @ the hypervisor layer a bigger deal?
For a rootkit, the lower the level it can modify the system at, the better. We've seen this progression, from user mode, to kernel-mode hooks, to kernel-mode data structures, etc. So, obviously the rootkit authors know that their current methods will be obsolete in the near future, and have "lowered the bar" (pun intended ;) to the MBR. (Heh, that also rhymes ;) Anyway, if you think this is the last safe haven for rootkits, you're wrong -- really wrong. How about a rootkit that splits itself into tiny chunks, compresses them, and then inserts them into the free space available in the various BIOSes in your system, e.g. video, hard drive, RAID controller, etc.? Impossible, you say? Well, I advise you to watch this presentation:
http://youtube.com/watch?v=G26oZtzluAQ&fmt=6
Systems with the ability to boot from a storage device other than a hard drive, say, a USB drive, are especially vulnerable, as the rootkit doesn't have to gain access to the BIOSes via the OS. Instead, it modifies the boot sector of the USB drive and then, upon bootup, after the BIOS boots off the USB drive, hides itself via the previously mentioned technique, so as to ensure it will run even if the boot sector of the USB drive is modified. This is possible as, upon bootup, the BIOS scans for memory-mapped expansion ROMs (the previously mentioned BIOSes spread throughout your system) and then transfers control to each one.
Something to think about.
jdb2
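The expansion-ROM scan jdb2 describes is something you can reproduce offline against a dump of the legacy option ROM window. The following is an added example, not code from the original thread or from Panda: it walks a dump of the 0xC0000 region on the 2 KiB boundaries a legacy BIOS uses, checks each 0x55AA image's length and byte-sum checksum, estimates the trailing slack an attacker could stash chunks in, and compares image hashes against a baseline recorded from a trusted boot. The sample region, the ROM bodies and the baseline addresses are constructed for the demo; the header layout and checksum rule are the ones from the PCI expansion ROM header.

```python
"""Scan a dump of the legacy option ROM area (0xC0000-0xEFFFF) for expansion ROM
images and compare them with a baseline of known-good hashes.

Legacy expansion ROM header:
  byte 0-1  0x55 0xAA signature
  byte 2    image length in 512-byte units
  byte 3..  entry point (usually a near jmp); POST far-calls offset 3
The sum of all bytes in the image must be 0 mod 256, and the BIOS looks for
headers on 2 KiB boundaries only.
"""
import hashlib

ROM_BASE = 0xC0000   # physical address the dump starts at
SCAN_STEP = 2048     # header alignment the BIOS scan uses


def count_trailing_padding(image: bytes) -> int:
    """Estimate slack at the end of an image: trailing 0x00/0xFF bytes, ignoring
    the final byte because vendors commonly park the checksum fix-up there."""
    n = 0
    for b in reversed(image[:-1]):
        if b not in (0x00, 0xFF):
            break
        n += 1
    return n


def find_option_roms(region: bytes, base: int = ROM_BASE) -> list:
    roms, off = [], 0
    while off + 3 <= len(region):
        if region[off] == 0x55 and region[off + 1] == 0xAA:
            length = region[off + 2] * 512
            image = region[off:off + length]
            roms.append({
                "addr": base + off,
                "length": length,
                "truncated": len(image) < length,
                "checksum_ok": len(image) == length and sum(image) % 256 == 0,
                "sha256": hashlib.sha256(image).hexdigest(),
                "slack": count_trailing_padding(image),
            })
            # the next header can only start at the first 2 KiB boundary past this image
            off += max(SCAN_STEP, -(-length // SCAN_STEP) * SCAN_STEP)
        else:
            off += SCAN_STEP
    return roms


def check_against_baseline(roms: list, baseline: dict) -> list:
    """baseline maps ROM address -> sha256 hex recorded from a trusted boot."""
    findings, seen = [], set()
    for r in roms:
        seen.add(r["addr"])
        if r["truncated"] or not r["checksum_ok"]:
            findings.append((r["addr"], "header/checksum invalid"))
        expected = baseline.get(r["addr"])
        if expected is None:
            findings.append((r["addr"], "ROM not in baseline"))
        elif expected != r["sha256"]:
            findings.append((r["addr"], "image hash changed since baseline"))
    for addr in baseline.keys() - seen:
        findings.append((addr, "baselined ROM missing"))
    return sorted(findings)


# ---- constructed sample data (not a real firmware dump) ----
def build_rom(body: bytes, units: int) -> bytes:
    img = bytearray(b"\x55\xAA" + bytes([units]) + body)
    img += b"\x00" * (units * 512 - len(img))
    img[-1] = (-sum(img)) % 256          # make the byte sum 0 mod 256
    return bytes(img)

ROM_GOOD = build_rom(b"\xEB\x10" + b"CONSTRUCTED-VGA", 2)     # 1 KiB, valid
_bad = bytearray(ROM_GOOD); _bad[10] ^= 0x01                  # corrupted, checksum not fixed
ROM_BAD_CHECKSUM = bytes(_bad)
_tam = bytearray(ROM_GOOD); _tam[12] = 0x90; _tam[-1] = 0; _tam[-1] = (-sum(_tam)) % 256
ROM_TAMPERED = bytes(_tam)                                     # attacker re-fixed the checksum

SAMPLE_REGION = bytearray(b"\xFF" * 16384)
SAMPLE_REGION[0:1024] = ROM_GOOD
SAMPLE_REGION[4096:5120] = ROM_BAD_CHECKSUM
SAMPLE_REGION[8192:9216] = ROM_TAMPERED
SAMPLE_REGION = bytes(SAMPLE_REGION)
GOOD_HASH = hashlib.sha256(ROM_GOOD).hexdigest()
BASELINE = {0xC0000: GOOD_HASH, 0xC1000: GOOD_HASH, 0xC2000: GOOD_HASH}

if __name__ == "__main__":
    for addr, msg in check_against_baseline(find_option_roms(SAMPLE_REGION), BASELINE):
        print(f"{addr:#07x}: {msg}")
```

The checksum test alone is weak: the BIOS skips an image whose sum is wrong, so a rootkit that wants to be executed fixes the checksum, and only the hash comparison catches the tampered third ROM. The dump itself has to come from an environment you trust (the comment's own point about booting from clean media applies here as much as to the MBR).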
On many computers the MBR can be locked in the computer's BIOS.
EFI / Intel AMT / AMD Remote IT may be targets that are not part of the OS on the system and are tied to the NIC controllers, chipset, video and other hardware parts, and there are not that many reporting tools for keeping the BIOS / firmware up to date.
EFI can use a partition on the hard disk to store extensions, and the extensions can also come from add-in cards / on-board ROMs and other places.
The hardware-based Remote IT tools may be holes that hackers can use, and they can be limited by flash ROM space to store updates to them. The Remote IT tool can be used to take control of the host OS, and they can also turn off the built-in NIC to do a DoS attack and other stuff to mess systems up.
if you run a LivePC virtual desktop, every time you reboot the system reverts to its clean state and malware is scrubbed clean
no worries!
My computer just got stoned.
Windows is a program which inserts code into the master boot record, often before the user has broken open the packaging of their new computer, resulting in loading of malicious code at power-on which causes the computer to phone-home and results in the gradual loss of available disk space on the affected drive. Multiple other vulnerabilities have also been reported.
Various removal tools are available free of charge. This is considered a critical and urgent update.
Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
...which from my (limited) understanding, an MBR is set aside, but not actually used for booting anything. I guess technically it's free space, so another hiding place, but nothing normally accesses that record, so would this kind of thing have any effect? You know, on computers like Intel Macs, which all use EFI.
I hear there are a lot of Papists, Reformists, Muslims, Hindus, and even a few Sikhs invested. They've been killing each other for centuries; only the FSM knows what they've got embedded in the code.
And you know what really helps is writing detailed how-to theory articles, saying it's inevitable, and repeating how effective it could be. That will ensure that all these gloom and doom virus articles come true! That must be what all these authors want or something or they'd all shut up.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
Believe it or not, that's exactly what I resorted to to make an HP 8755C work again. (Yes, it's an old compy.) Something killed the XP it ran under, and no matter how many times I tried to restore with the XP install CD it refused to work. Pulled the drive, scanned and then moved the non-executable files to another computer. After that, figured, "What the hey, the damn computer's hosed anyways!" Grabbed a Ubuntu disk just for kicks, to see if it'd actually work. Computer booted up no problems. Tried XP one more time. No go. (Would get past all the menus, but wouldn't read when it was supposed to. XP CD checked out ok otherwise.) Mmmm... Ok... It's completely borked on XP, and it works on 'buntu. So yeah, I went with the obvious choice. Now it's fully partitioned to run only on Ubuntu. Makes more sense than chucking electronics that still work.
My guess is that malware tried to do something on the boot sector, but didn't know what to do with a BIOS or some other controller that was too old for it to sneak around inside of. Thus killing the box instead of hijacking it. On a newer computer, I'd suspect a nasty like that would be able to hide pretty well - provided it didn't eat too many resources.
There are some really good comments here, (checks, sees if it's /.)
After the jump - read the comments, starting here:
Further:
http://www.securityfocus.com/comments/articles/11372/33017/threaded#33017
http://slashdot.org/comments.pl?sid=453034&cid=22412440
~hylas
"All this has happened before. All this will happen again"
This space for rent. All reasonable inquiries will be entertained at proprietors discretion.
Panda Labs talks up the malware scare to sell PRODUC~1 ..
"The report also covers a number of other topics and makes predictions about the types of attacks computer users may see in the future"
Like, what kind of 'computers' does the vast majority of this malware run on.
davecb5620@gmail.com
New rootkits? Is Sony releasing some new gadget this year?
Take Nobody's Word For It.
Actually my BIOS supports Trend Chipaway Virus protection, so I should be protected.
Enlightenment is the elimination of that which is unnecessary.
...i say "Bring 'em on"
-:)
"Doing what i can, with what i have." ~ Burt Gummer
I predicted a comeback of the BSV (boot sector virus) immediately following the end of the DOS-based antivirus apps that could run from a floppy boot, and here we are today... as to WHY:
1) Wonderful place to hide your spyware. The MBR space is about 5k. Of this only about 500 bytes is typically in use; the remainder is large enough to host compact spyware with its own SMTP server (there are already malwares out there with these functions packed into only 3k of code).
2) Blackmail. Encrypting BSVs were at one time a serious issue. They'd encrypt your HD, and if you removed the BSV your data was toast. If you didn't remove the BSV, it infected every writeable media or networked machine that your machine touched. If you wanted your data back AND the virus removed, you had to pay the BSV's owners. I see no reason why this scam can't make a comeback. Imagine it hitting a bank or credit card company!!
3) Immunity from antivirus scanners. Once an OS -- and it doesn't matter what OS it is -- is loaded from the hard disk, it's too late to detect the BSV. It does you no good to install your AV into Windows or Linux of an already-compromised machine; you HAVE to boot from an OS that is independent of the machine itself.
Once the machine POSTs, the BSV can hide itself from the OS that loads from the hard disk. So to reliably detect a BSV, the OS *must* be on removable media, and the simplest way to do that is the DOS floppy boot. (Not every machine will reliably boot from a CD, even today.) Once you've booted into DOS, or DamnSmallLinux, or what-have-you that runs from a WRITE-PROTECTED floppy or CDROM, then you can run your AV app from another floppy or CDROM, and reliably detect the BSV. Remember that a BSV and a rootkit are *functionally* the same thing.
The only reason BSVs fell out of favour is because trading floppies (the old-fashioned way to get a BSV) went out of fashion. People began trading internet stuff instead, so that's where the virus writers went. Now that a significant percentage of internet users are protected from email and drive-by-download viruses, and since antivirus apps that protect against such have become routine (often at the server, so the user's ignorance was not an issue), it was time to go back to a less-easily-detected type of virus.
The modern BSV/rootkit has all the advantages: the stealth of an old-fashioned DOS-era BSV, and the massive distribution potential of the internet. Either way, BSVs win.
Antivirus companies, I plead with you -- make a floppy-bootable or at least CD-bootable version of your AV app available, so we can scan for and clean these otherwise largely-invulnerable modern BSVs. Detection and cleaning CANNOT be *reliably* accomplished by booting from the compromised system, no matter HOW good your AV app is otherwise.
~REZ~ #43301. Who'd fake being me anyway?
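Both the summary at the top (the virus copies itself into the MBR and moves the real MBR elsewhere on the drive) and REZ's points about hidden space before the first partition and scanning only from an independent boot describe the same on-disk picture, and it can be checked with a small audit of a raw image taken from a trusted boot. This is an added example, not code from the thread or from any antivirus vendor: it parses the 512-byte MBR (440 bytes of boot code, disk signature, four partition entries, 0x55AA), compares the boot code against a hash recorded when the machine was known clean, and then reads every sector between the MBR and the first partition, flagging anything non-zero and, specifically, any sector that ends in 0x55AA and carries the same partition table as the live MBR, which is what a displaced original MBR looks like. The two disk images, the loader bytes and the trusted hash are constructed for the demo.

```python
"""Offline audit of a raw disk image: verify the MBR and inspect the reserved
sectors between the MBR and the first partition, where an MBR rootkit keeps
its payload and the original boot sector it displaced.

MBR layout (bytes): 0..439 boot code, 440..443 disk signature, 444..445 zero,
446..509 four 16-byte partition entries, 510..511 signature 0x55 0xAA.
Partition entry: status, CHS start (3), type, CHS end (3), LBA start u32 LE,
sector count u32 LE.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        parts.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partition_table": sector[446:510],
        "partitions": parts,
        "signature_ok": sector[510:512] == b"\x55\xAA",
    }


def first_partition_lba(mbr: dict):
    starts = [p["lba_start"] for p in mbr["partitions"] if p["type"] and p["lba_start"]]
    return min(starts) if starts else None


def audit_image(image: bytes, trusted_boot_code_sha256: str) -> dict:
    mbr = parse_mbr(image[:SECTOR])
    findings = []
    if not mbr["signature_ok"]:
        findings.append("MBR 0x55AA signature missing")
    if mbr["boot_code_sha256"] != trusted_boot_code_sha256:
        findings.append("MBR boot code differs from the trusted copy")
    first = first_partition_lba(mbr)
    gap_end = first if first is not None else len(image) // SECTOR
    nonzero, relocated = [], []
    for lba in range(1, gap_end):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(sec):
            nonzero.append(lba)
            # a sector ending in 55AA that carries the live partition table is,
            # in practice, the original MBR the rootkit moved out of the way
            if sec[510:512] == b"\x55\xAA" and sec[446:510] == mbr["partition_table"]:
                relocated.append(lba)
    if nonzero:
        findings.append(f"{len(nonzero)} non-empty sector(s) in the MBR gap, LBA {nonzero[0]}..{nonzero[-1]}")
    for lba in relocated:
        findings.append(f"copy of the MBR (same partition table) at LBA {lba}")
    return {"mbr": mbr, "gap_sectors": gap_end - 1,
            "nonzero_gap_sectors": nonzero, "relocated_mbr_at": relocated, "findings": findings}


# ---- constructed sample disk images (64 sectors; the loader bytes are not real code) ----
def build_mbr(boot_code: bytes, entries: list) -> bytes:
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(entries).ljust(64, b"\x00")
    return code + struct.pack("<IH", 0xDEADBEEF, 0) + table + b"\x55\xAA"

# one bootable type-0x07 partition at LBA 63 (the classic 63-sector gap); CHS fields left zero
PART_TABLE = [struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1)]
ORIGINAL_MBR = build_mbr(b"\xEB\x3C\x90CONSTRUCTED-STAGE1", PART_TABLE)
TRUSTED_SHA256 = hashlib.sha256(ORIGINAL_MBR[:BOOT_CODE_LEN]).hexdigest()


def build_clean_image() -> bytes:
    return ORIGINAL_MBR + b"\x00" * (63 * SECTOR)


def build_infected_image() -> bytes:
    # the rootkit MBR keeps the real partition table so the OS still boots;
    # payload goes in LBA 40..47, the displaced original MBR in LBA 60
    img = bytearray(build_mbr(b"\xEB\x3C\x90CONSTRUCTED-ROOTKIT-STUB", PART_TABLE) + b"\x00" * (63 * SECTOR))
    img[40 * SECTOR:48 * SECTOR] = bytes((i * 37 + 11) & 0xFF for i in range(8 * SECTOR))
    img[60 * SECTOR:61 * SECTOR] = ORIGINAL_MBR
    return bytes(img)


if __name__ == "__main__":
    for name, img in (("clean", build_clean_image()), ("infected", build_infected_image())):
        print(name, audit_image(img, TRUSTED_SHA256)["findings"])
```

The image you feed `audit_image` should be a raw copy of the first track taken while booted from write-protected media, and the trusted hash recorded right after the loader was installed; run against a live, possibly compromised OS the same code would read whatever the rootkit's disk hooks chose to show it, which is exactly the point REZ makes above. Note that the gap is not always empty on a healthy system: GRUB's core image and some vendor tools legitimately live there, so a non-zero sector is a lead to inspect, while a second copy of the MBR is the stronger signal.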