Slashdot Mirror


Boot Sector Viruses & Rootkits Poised For Comeback

Ant writes "Ars Technica says Panda Labs' first quarter 2008 malware report raises a new concern, though it comes from a surprising direction. According to the company, boot sector viruses loaded with rootkits are poised to make a comeback. This honestly sounds a bit odd, considering how long it has been since a boot virus has topped the malware charts, but it's at least theoretically possible (pdf). Such viruses have a simple method of operation. The virus copies itself into the Master Boot Record (MBR) of a hard drive, and rewrites the actual MBR data in a different section of the drive. The report also covers a number of other topics and makes predictions about the types of attacks computer users may see in the future. Forecasting these trends is always tricky."
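The summary describes the method of operation as a two-step swap: the virus copies itself into the Master Boot Record and moves the original MBR data elsewhere on the drive. From a defender's side, the practical counterpart is verifying that sector 0 still matches a known-good copy. The following is an added example, not code from the article, the Panda report or any commenter: it parses a 512-byte MBR image (boot code, disk signature, the four partition entries, the 0x55AA boot signature) and compares it with a baseline captured earlier. All images here are constructed in the block itself; the layout offsets are the standard MBR layout, and the hash and findings strings are this example's own conventions.

```python
"""Parse a 512-byte MBR image and check it against a known-good baseline.

Added example (not from the original page). The MBR offsets used below are
the standard layout; every image used here is constructed inline.
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOTCODE_END = 440        # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440        # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries start here
BOOT_SIG_OFF = 510        # 0x55AA boot signature (little-endian 0xAA55)
BOOT_SIGNATURE = 0xAA55


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Return the non-empty partition entries from an MBR image."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) size(4)
        status, ptype, lba, size = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, size))
    return parts


def bootcode_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code region only (bytes 0..439)."""
    return hashlib.sha256(mbr[:BOOTCODE_END]).hexdigest()


def check_mbr(current: bytes, baseline: bytes) -> list[str]:
    """Compare a freshly read MBR with a trusted baseline; [] means no finding."""
    if len(current) != MBR_SIZE:
        return ["image is not 512 bytes"]
    findings = []
    if struct.unpack_from("<H", current, BOOT_SIG_OFF)[0] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    # A replaced boot stub (the swap the summary describes) shows up here,
    # even when the partition table was left intact so the OS still boots.
    if bootcode_hash(current) != bootcode_hash(baseline):
        findings.append("boot code differs from baseline")
    if parse_partitions(current) != parse_partitions(baseline):
        findings.append("partition table differs from baseline")
    return findings


def make_mbr(bootcode: bytes, partitions: list[Partition]) -> bytes:
    """Build a constructed MBR image for the demonstration below."""
    assert len(bootcode) <= BOOTCODE_END and len(partitions) <= 4
    buf = bytearray(MBR_SIZE)
    buf[:len(bootcode)] = bootcode
    struct.pack_into("<I", buf, DISK_SIG_OFF, 0x12345678)  # constructed disk signature
    for i, p in enumerate(partitions):
        struct.pack_into("<B3xB3xII", buf, PART_TABLE_OFF + 16 * i,
                         0x80 if p.bootable else 0x00, p.type_id, p.lba_start, p.sectors)
    struct.pack_into("<H", buf, BOOT_SIG_OFF, BOOT_SIGNATURE)
    return bytes(buf)


# Constructed sample images: the same partition table, different boot stubs.
LAYOUT = [Partition(True, 0x07, 2048, 204800)]
BASELINE_MBR = make_mbr(b"\xeb\x3c\x90" + b"CONSTRUCTED BASELINE BOOT STUB", LAYOUT)
TAMPERED_MBR = make_mbr(b"\xeb\x3c\x90" + b"CONSTRUCTED MODIFIED BOOT STUB", LAYOUT)

if __name__ == "__main__":
    print("baseline vs baseline:", check_mbr(BASELINE_MBR, BASELINE_MBR))
    print("tampered vs baseline:", check_mbr(TAMPERED_MBR, BASELINE_MBR))
    print("partitions:", parse_partitions(BASELINE_MBR))
```

On a real system the current image is the first 512 bytes of the raw disk device (reading it needs administrator or root rights, which is also why a non-admin account limits who can write it), and the baseline hash should be stored somewhere the machine itself cannot rewrite. The caveat a practitioner would add: a rootkit that has already loaded below the OS can intercept disk reads and hand back the relocated original sector, so a check run only from inside the running OS can be lied to; comparing from separate boot media is what gives the result weight.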

14 of 95 comments

  1. Why? by Rurik · · Score: 5, Insightful

    I wonder why a virus writer would even want to do this? Nearly all have learned that instead of wreaking havoc for fun, they can wreak havoc and make money off it. There's a reason most writers stopped writing boot sector viruses. Viruses are more fun when they can perform click-fraud, and other long-term money making actions, instead of destroying a user's computer.

    1. Re:Why? by eldavojohn · · Score: 3, Insightful
      I don't think this article was talking about viruses that merely hose your hard drive. Granted, that's what most of those did; I think they are dreaming up something that writes your MBR to another piece of the hard drive and gains root access right when you start your computer. If virus writers are sophisticated enough, maybe they write something like an extended firmware interface that loads your operating system normally and you don't even know about it running in the background. Again, that's a high level of sophistication, but I was blown away by what the virtual machines have been able to do.

      There's also evidence that I am skeptical of like:

      The problem with boot viruses is that their attack vector is fairly well-guarded. Any antivirus program worth beans will detect a suspicious attempt to modify the MBR and will alert the end user accordingly. Running as a user rather than an administrator should also prevent such modification even if you don't have an antivirus scanner installed. Panda implies that this kind of exploit could be an issue in Linux, and I suppose that's theoretically possible, but Linux always creates a user account without root access by default. If Panda's report really did imply that, they just lost a whole shitload of credibility in my book. I'm not stupid enough to think that Linux is impenetrable but I know that the Unix-like security scheme with users in userland and superusers in kerneland is always observed.
      --
      My work here is dung.
    2. Re:Why? by sjames · · Score: 3, Insightful

      Consider the MBR just one of several potential hooks into the system. It need not destroy the machine at all. It could (for example) install itself as ring 0, load the OS below itself and then the fun begins.

      Consider the havoc it could create if it can manage to get itself into the SMI handler by playing dirty tricks with the RAM controller that are only possible before the OS switches to protected mode.

    3. Re:Why? by darkmeridian · · Score: 3, Insightful

      I think the plan is to have a MBR virus plant a rootkit that pwns the OS and zombies the system without anyone realizing what's going on.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
  2. Re:The old ways still work by Tanman · · Score: 2, Insightful

    You can boot from a cd/dvd as well as a floppy.

  3. Re:The old ways still work by Digi-John · · Score: 2, Insightful

    Or a usb stick in many cases. Sneaky.

    --
    Klingon programs don't timeshare, they battle for supremacy.
  4. Virtualization complications by wheatking · · Score: 5, Insightful

    so what happens w/ all this virtualization (VMware, Xen, Microsoft/Kidaro, RingCube, Moka5,...) coming in... aren't bare metal vulnerabilities @ the hypervisor layer a bigger deal?

  5. Re:The old ways still work by Anonymous Coward · · Score: 3, Insightful

    Or just disable floppy, CD-ROM and USB from the boot order in your BIOS.

  6. Re:Widespread? by AvitarX · · Score: 2, Insightful

    Where do you think Apples are made?

    And they have that fancy BIOS that could be a lot of fun too.

    It doesn't even need to be China. The potential payout is enough that organized crime anywhere could pull it off, though in a country like China it is probably easier to bribe enough people to slip your stuff into the assembly line.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  7. Re:Let me guess by Lumpy · · Score: 4, Insightful

    That's OK, ASUS has had that protection for decades.

    MBR protection has been in every BIOS on ASUS motherboards for at least 12 years now. Turn it on and NOTHING can write to the MBR.

    Gotta love how old tech solves the "new hotness".

    --
    Do not look at laser with remaining good eye.
  8. Re:Bah! by MadnessASAP · · Score: 4, Insightful

    Speaking of which, I remember seeing a rather nifty POC for storing a rootkit in a video card's BIOS. I don't think anybody has taken advantage of it yet, though.

    --
    I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
  9. Re:The old ways still work by LiquidCoooled · · Score: 2, Insightful

    Why do you have to boot it?
    Don't a lot of USB sticks have U3?

    U3 installs a device driver on Windows and creates a fake CD-ROM so that the memory stick can autorun.

    Fuck waiting for the autorun, it's the device driver I would be worried about.

    --
    liqbase :: faster than paper
  10. Re:The old ways still work by Nullav · · Score: 2, Insightful

    And sometimes hard drives. (I know, I was shocked, too.)

    --
    I just read Slashdot for the articles.
  11. Re:The old ways still work by GigaplexNZ · · Score: 2, Insightful

    The fact that it is on a floppy drive is enough to corrupt it. None of my floppy disks have valid data anymore, it self-corrupts over time.