Slashdot Mirror
Boot Sector Viruses & Rootkits Poised For Comeback
Ant writes "Ars Technica says Panda Labs' first quarter 2008 malware report raises a new concern, though it comes from a surprising direction. According to the company, boot sector viruses loaded with rootkits are poised to make a comeback. This honestly sounds a bit odd, considering how long it has been since a boot virus has topped the malware charts, but it's at least theoretically possible (pdf). Such viruses have a simple method of operation. The virus copies itself into the Master Boot Record (MBR) of a hard drive, and rewrites the actual MBR data in a different section of the drive. The report also covers a number of other topics and makes predictions about the types of attacks computer users may see in the future. Forecasting these trends is always tricky."
If we have hardware security support, this is not that easy..
Panda labs has a new product that protects just this? Call me a cynic, but ....
I prefer the "u" in honour as it seems to be missing these days.
I still check to make sure that there aren't any floppy disks left in the drives before I power-on (and I still have floppy drives, even an external one for the laptop); it seems now the old habits may have a reason. Of course, nowadays malware doesn't have to rely on floppy disks accidentally left in drives and sharing of executables from one computer to another because the Internet exists; but that doesn't stop the old threats working, just provides a more modern alternative that gets more attention.
(1)DOCOMEFROM!2~.2'~#1WHILE:1<-"'?.1$.2'~'"':1/.1$.2'~#0"$#65535'"$"'"'&.1$.2'~'#0$#65535'"$#0'~#32767$#1"
A danger to be alert to is the possibility of viruses and rootkits that ship with the computer. Consider that most computers have a lot of parts made in China; suppose the Chinese government decides it's going to slip something into your BIOS? That is a major issue for national security, and it's not just speculation; I've seen test viruses that sit in the BIOS and do a SUID root on a specific file in /tmp on every bootup. EFI is just as vulnerable, because it's basically a complete Unix-like OS just for booting.
Klingon programs don't timeshare, they battle for supremacy.
For a rootkit, the lower the level it can modify the system at, the better. We've seen this progression, from user-mode,to kernel mode hooks,to kernel mode data structures etc. So, obviously the rootkit authors know that their current methods will be obsolete in the near future, and have "lowered the bar" (pun intended ;) to the MBR. (Heh, that also rhymes ;) Anyway, if you think this is the last safe haven for rootkits, you're wrong -- really wrong. How about a rootkit that splits itself into tiny chunks, compresses them, and then inserts them into the free space available on the various BIOS's in your system eg. Video, Hard Drive, RAID Controller etc.? Impossible you say, well, I advise you to watch this presentation :
http://youtube.com/watch?v=G26oZtzluAQ&fmt=6
Systems with the ability to boot from a storage device other than a hard drive, say, a USB drive, are especially vulnerable, as the rootkit doesn't have to gain access to the BIOSs via the OS. Instead, it modifies the boot sector of the USB drive and then, upon bootup, after the BIOS boots off the USB drive, hides itself via the previously mentioned technique, so as to ensure it will run even if the boot sector of the USB drive is modified. This is possible as, upon bootup, the BIOS scans for memory mapped expansion ROMs (the previously mentioned BIOS's spread throughout your system) and then transfers control to each one.
Something to think about.
jdb2