Slashdot Mirror


Boot Sector Viruses & Rootkits Poised For Comeback

Ant writes "Ars Technica says Panda Labs' first quarter 2008 malware report raises a new concern, though it comes from a surprising direction. According to the company, boot sector viruses loaded with rootkits are poised to make a comeback. This honestly sounds a bit odd, considering how long it has been since a boot virus has topped the malware charts, but it's at least theoretically possible (pdf). Such viruses have a simple method of operation. The virus copies itself into the Master Boot Record (MBR) of a hard drive, and rewrites the actual MBR data in a different section of the drive. The report also covers a number of other topics and makes predictions about the types of attacks computer users may see in the future. Forecasting these trends is always tricky."

11 of 95 comments

  1. With or Without TPM? by sainttX · · Score: 4, Interesting

    If we have hardware security support, this is not that easy.

  2. Let me guess by WindBourne · · Score: 4, Interesting

    Panda Labs has a new product that protects against just this? Call me a cynic, but...

    --
    I prefer the "u" in honour as it seems to be missing these days.

    1. Re:Let me guess by tlhIngan · · Score: 2, Interesting

      Not quite. It protects the BIOS from hard disk writes using int 13h. It won't protect from programs accessing the hard drive directly using I/O ports, which any modern MBR virus is likely to do.

      True, most protection does this, especially from 12 years ago when DOS was still a viable platform.

      However, I don't see why more modern systems can't store a copy of the MBR in the CMOS - it is, after all, only 512 bytes in size. On boot, it simply does a compare between the MBR on the hard disk and the one it stored in CMOS. On miscompare, it simply asks what you want to do - restore from CMOS, or use the modified MBR (and update CMOS).

      Other than GRUB and LILO and other multi-OS boot systems, the MBR code is quite simple, simple enough that practically anything can restore it...
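The compare-on-boot idea in the comment above, written out as an added example (not code from the thread, from Panda Labs, or from any BIOS vendor): a baseline copy of the 512-byte MBR is kept, and the current first sector is parsed and compared against it so that a changed boot-code region is reported separately from a changed partition table. All sector images are constructed inside the file; the `build_mbr`, `parse_mbr`, `check_mbr` and `fingerprint` names and the CHS-less partition entries are assumptions made for the example, and storing a SHA-256 of the sector instead of the full 512 bytes is a variant of the CMOS-copy scheme, not something the comment proposes.

```python
"""Detect MBR tampering by comparing the first sector against a stored baseline.

Added example: models the "keep a copy of the MBR and compare on boot" idea
in software. Every sector below is constructed here; no real disk is read.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446            # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"       # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, LBA count


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a 512-byte MBR from boot code and up to four (status, type, lba_start, lba_count) tuples."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b""
    for i in range(4):
        if i < len(partitions):
            status, ptype, lba_start, lba_count = partitions[i]
            # CHS fields are left zero; the LBA fields are what the check compares.
            table += struct.pack(ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, lba_count)
        else:
            table += b"\x00" * 16
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes):
    """Return (boot_code, [partition dicts]); raise ValueError if the sector is malformed."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs1, ptype, _chs2, lba_start, lba_count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:                       # type 0 marks an unused entry
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "lba_count": lba_count})
    return sector[:PART_TABLE_OFFSET], parts


def fingerprint(sector: bytes) -> str:
    """Compact baseline: a SHA-256 of the sector instead of the full 512 bytes."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(current: bytes, baseline: bytes):
    """Compare the current MBR with the baseline; return a list of findings (empty means unchanged)."""
    findings = []
    cur_code, cur_parts = parse_mbr(current)
    base_code, base_parts = parse_mbr(baseline)
    if cur_code != base_code:
        findings.append("boot code changed")          # typical MBR-rootkit footprint
    if cur_parts != base_parts:
        findings.append("partition table changed")    # repartitioning or a moved OS partition
    return findings


if __name__ == "__main__":
    # Constructed sectors: same partition table, different boot code.
    layout = [(0x80, 0x83, 2048, 409600)]
    good = build_mbr(b"\xEB\x3C\x90 constructed boot code", layout)
    bad = build_mbr(b"\xEB\x3C\x90 constructed replacement", layout)
    print("baseline fingerprint:", fingerprint(good))
    print("clean:", check_mbr(good, good))
    print("tampered:", check_mbr(bad, good))
```

On a real machine the `current` sector would come from reading the first 512 bytes of the boot disk; the comparison itself needs nothing more than the stored copy, which is why the comment's 512-byte CMOS budget is enough for it.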

  3. The old ways still work by ais523 · · Score: 3, Interesting

    I still check to make sure that there aren't any floppy disks left in the drives before I power on (and I still have floppy drives, even an external one for the laptop); it seems now the old habits may have a reason. Of course, nowadays malware doesn't have to rely on floppy disks accidentally left in drives and sharing of executables from one computer to another because the Internet exists; but that doesn't stop the old threats working, it just provides a more modern alternative that gets more attention.

    --
    (1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"

  4. Watch out for what you buy by Digi-John · · Score: 5, Interesting

    A danger to be alert to is the possibility of viruses and rootkits that ship with the computer. Consider that most computers have a lot of parts made in China; suppose the Chinese government decides it's going to slip something into your BIOS? That is a major issue for national security, and it's not just speculation; I've seen test viruses that sit in the BIOS and do a SUID root on a specific file in /tmp on every bootup. EFI is just as vulnerable, because it's basically a complete Unix-like OS just for booting.

    --
    Klingon programs don't timeshare, they battle for supremacy.

  5. Warning: Panda is linked to Scientology by Anonymous Coward · · Score: 2, Interesting

    Sorry for being off topic, but it should be pointed out that Panda is strongly linked with the cult of Scientology. While it doesn't necessarily make them evil, the recent events of people being harassed for protesting against the cult, and the tactics employed by the cult to obtain personal data of protesters at any cost, should suggest the use of different antivirus/antispam programs, especially in a closed-source environment like Windows where the user cannot easily monitor what the software does and what files it reads.
    If you're against the cult of Scientology, and write about it in blogs or emails, it's probably much safer to avoid any software from Panda.

  6. Widespread? by gmuslera · · Score: 2, Interesting

    While that kind of virus could be made and work, the odds of getting infected look so low (EVEN for Windows users) that it probably won't be very widespread.

    On the other hand, if you already have something ugly running as admin/root on your box one way or another, it could deploy the MBR part, but I don't see the advantage of this if it is already in control anyway (afaik some rootkits/trojans (?) for Windows hide themselves from scanners by intercepting network/disk drivers or something similar, so no big advantage there).

    1. Re:Widespread? by Culture20 · · Score: 2, Interesting

      Imagine an MBR virus shipping from the factory on floppies, USB sticks, USB HDDs, or a BIOS or MBR virus/rootkit on new Lenovo machines (sorry, China's an easy target these days).

  7. Even worse threats on the horizon... by jdb2 · · Score: 4, Interesting

    For a rootkit, the lower the level it can modify the system at, the better. We've seen this progression, from user mode, to kernel mode hooks, to kernel mode data structures, etc. So, obviously the rootkit authors know that their current methods will be obsolete in the near future, and have "lowered the bar" (pun intended ;) to the MBR. (Heh, that also rhymes ;) Anyway, if you think this is the last safe haven for rootkits, you're wrong -- really wrong. How about a rootkit that splits itself into tiny chunks, compresses them, and then inserts them into the free space available on the various BIOSes in your system, e.g. video, hard drive, RAID controller, etc.? Impossible, you say? Well, I advise you to watch this presentation:

    http://youtube.com/watch?v=G26oZtzluAQ&fmt=6

    Systems with the ability to boot from a storage device other than a hard drive, say, a USB drive, are especially vulnerable, as the rootkit doesn't have to gain access to the BIOSes via the OS. Instead, it modifies the boot sector of the USB drive and then, upon bootup, after the BIOS boots off the USB drive, hides itself via the previously mentioned technique, so as to ensure it will run even if the boot sector of the USB drive is modified. This is possible as, upon bootup, the BIOS scans for memory-mapped expansion ROMs (the previously mentioned BIOSes spread throughout your system) and then transfers control to each one.

    Something to think about.

    jdb2
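The expansion ROM scan that the comment above describes is also what a defender can use to inventory those ROMs. The following is an added example, not code from the thread or from the linked presentation: it walks a dump of the legacy option ROM window the way a BIOS does (2 KB steps, looking for the 0x55AA header and the length byte that follows it), validates each image's checksum byte (the legacy rule that all bytes of the image sum to zero modulo 256), and lists images whose hash is missing from or differs from a recorded baseline. The memory dump is constructed inside the file; the `build_option_rom`, `scan_option_roms` and `diff_against_baseline` names, the window addresses and the baseline format are assumptions made for the example.

```python
"""Inventory legacy option ROM images in a memory dump and compare them to a baseline.

Added example. The dump below is constructed in this file; nothing is read from
real hardware. Legacy option ROM header: 0x55 0xAA, then a length byte in units
of 512 bytes, then code; the sum of all bytes in the image must be 0 mod 256.
"""
import hashlib

ROM_ALIGNMENT = 2048       # legacy BIOSes probe the expansion ROM area in 2 KB steps
SCAN_START = 0xC0000       # conventional start of the option ROM window (assumption for the example)


def build_option_rom(body: bytes, corrupt_checksum: bool = False) -> bytes:
    """Construct an option ROM image around `body`; optionally break its checksum byte."""
    total = 3 + len(body) + 1                 # header, code, trailing checksum byte
    units = -(-total // 512)                  # ceiling division: size in 512-byte units
    img = bytearray(b"\x55\xAA" + bytes([units]) + body)
    img += b"\x00" * (units * 512 - len(img))
    img[-1] = (-sum(img[:-1])) & 0xFF         # make the whole image sum to 0 mod 256
    if corrupt_checksum:
        img[-1] ^= 0x01                       # a modified image whose checksum was not fixed up
    return bytes(img)


def scan_option_roms(memory: bytes, base: int = SCAN_START):
    """Walk `memory` like a BIOS scan; return one record per image found."""
    found = []
    off = 0
    while off + 3 <= len(memory):
        if memory[off:off + 2] == b"\x55\xAA":
            size = memory[off + 2] * 512
            img = memory[off:off + size]
            checksum_ok = len(img) == size and sum(img) % 256 == 0
            found.append({"address": base + off, "size": size, "checksum_ok": checksum_ok,
                          "sha256": hashlib.sha256(img).hexdigest()})
            # Continue after the image, rounded up to the next 2 KB boundary.
            step = -(-size // ROM_ALIGNMENT) * ROM_ALIGNMENT
            off += max(ROM_ALIGNMENT, step)
        else:
            off += ROM_ALIGNMENT
    return found


def diff_against_baseline(found, baseline_hashes):
    """Return addresses of images that fail the checksum or do not match the recorded hash."""
    return [r["address"] for r in found
            if not r["checksum_ok"] or baseline_hashes.get(r["address"]) != r["sha256"]]


def build_sample_dump() -> bytes:
    """Constructed dump: a valid ROM at +0 and a checksum-broken ROM at +2 KB, rest empty."""
    memory = bytearray(b"\xFF" * (3 * ROM_ALIGNMENT))
    rom_a = build_option_rom(b"\xEB\x10 constructed video ROM body")
    rom_b = build_option_rom(b"\xEB\x10 constructed controller ROM body", corrupt_checksum=True)
    memory[0:len(rom_a)] = rom_a
    memory[ROM_ALIGNMENT:ROM_ALIGNMENT + len(rom_b)] = rom_b
    return bytes(memory)


if __name__ == "__main__":
    dump = build_sample_dump()
    roms = scan_option_roms(dump)
    for r in roms:
        print(f"{r['address']:#07x} size={r['size']} checksum_ok={r['checksum_ok']} sha256={r['sha256'][:16]}...")
    baseline = {roms[0]["address"]: roms[0]["sha256"]}     # pretend only the first ROM was recorded
    print("needs attention:", [hex(a) for a in diff_against_baseline(roms, baseline)])
```

A passing checksum on its own proves little, since anyone rewriting an image can fix the trailing byte; the hash comparison against a baseline taken from a known-good machine is the part that catches a changed image, which is why the example records both.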

  8. Re:Why? by LowlyWorm · · Score: 2, Interesting

    I have often suspected antivirus companies themselves. They are the ones who always benefit from the never-ending array of new viruses. Sure, there are a lot of hacker wannabes that write them, but are there really that many malicious hackers? I am sure there are more viruses than hackers. Just look at the list of viruses your antivirus "protects" against. There must be a few virus writers making a LOT of viruses. Who would do that and what would their motivation be?

    --
    Time flies like an arrow. Fruit flies like a banana.

  9. How would this affect EFI-based computers... by analog_line · · Score: 2, Interesting

    ...on which, from my (limited) understanding, an MBR is set aside but not actually used for booting anything. I guess technically it's free space, so another hiding place, but nothing normally accesses that record, so would this kind of thing have any effect? You know, on computers like Intel Macs, which all use EFI.