Slashdot Mirror


Boot Sector Viruses & Rootkits Poised For Comeback

Ant writes "Ars Technica says Panda Labs' first quarter 2008 malware report raises a new concern, though it comes from a surprising direction. According to the company, boot sector viruses loaded with rootkits are poised to make a comeback. This honestly sounds a bit odd, considering how long it has been since a boot virus has topped the malware charts, but it's at least theoretically possible (pdf). Such viruses have a simple method of operation. The virus copies itself into the Master Boot Record (MBR) of a hard drive, and rewrites the actual MBR data in a different section of the drive. The report also covers a number of other topics and makes predictions about the types of attacks computer users may see in the future. Forecasting these trends is always tricky."
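To make the layout the summary describes concrete, here is an added defender-side example (not code from Panda Labs, Ars Technica or the submitter): it parses a 512-byte MBR image into its 446-byte boot code, four partition entries and 0x55AA signature, and compares the boot code against a recorded baseline hash, which is how a host-integrity check would notice a rewritten boot sector. The sample images and baseline hash are constructed inline.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446               # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446              # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"           # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR image into boot code, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "count": count})
    return {"boot_code": mbr[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": mbr[510:512] == SIGNATURE}


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the boot code matches the recorded baseline."""
    findings = []
    p = parse_mbr(mbr)
    if not p["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(p["boot_code"]).hexdigest() != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(1 for e in p["partitions"] if e["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    for e in p["partitions"]:
        if e["type"] == 0 and (e["lba"] or e["count"]):
            findings.append("unused partition entry carries a non-zero LBA range")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR (constructed data, not an image from a real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    # one bootable 0x07 (NTFS) partition at LBA 2048 spanning 2 GiB of 512-byte sectors
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 4194304) + b"\x00" * 48
    return code + table + SIGNATURE


GOOD_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")   # constructed stub
BASELINE = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()
TAMPERED_MBR = b"\xEB\x00" + GOOD_MBR[2:]   # constructed: first bytes of boot code changed
```

The baseline must be taken from a known-good image (for example right after installation) and stored off the monitored disk, since anything that can rewrite the MBR can also rewrite a hash kept beside it.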

14 of 95 comments

  1. With or Without TPM? by sainttX · · Score: 4, Interesting

    If we have hardware security support, this is not that easy..

  2. Let me guess by WindBourne · · Score: 4, Interesting

    Panda labs has a new product that protects just this? Call me a cynic, but ....

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:Let me guess by Lumpy · · Score: 4, Insightful

      That's ok ASUS has had that protection for decades.

      MBR protection has been in every BIOS on ASUS motherboards for at least 12 years now. Turn it on and NOTHING can write to the MBR.

      gotta love how old tech solves the "new hotness".

      --
      Do not look at laser with remaining good eye.
    2. Re:Let me guess by Anonymous Coward · · Score: 5, Informative

      Not quite. It protects the BIOS from hard disk writes using int 13h. It won't protect from programs accessing the hard drive directly using I/O ports, which any modern MBR virus is likely to do.

  3. I can see it now by oni · · Score: 5, Funny

    GNU GRUB version 0.95 (638 lower / 288704K upper memory)

    Ubuntu, kernel 2.6.12-9-386
    Ubuntu, kernel 2.6.12-9-386 (recovery mode)
    Ubuntu, memtest86+
    Other operating systems:
    Windows NT/2000/XP
    omfgh4xorz-r00tk1tz3113

    Use the up and down keys to select which entry is highlighted.
    Press enter to boot the selected OS, 'e' to edit the commands
    before booting, or 'c' for a command-line


    hmm, something's not right here

    1. Re:I can see it now by maxch · · Score: 4, Funny

      Call me crazy, but that Windows entry seems suspicious.

  4. Cool by dedazo · · Score: 4, Funny

    The last time any of my machines had anything resembling a virus, malware or trojans it came in a floppy boot sector and it was called "Natas" or something like that.

    Bill Clinton was president, the Nasdaq was at 5,000 or something like that and I was smoking pot. Maybe we'll go back to the old days in more ways than one!

    --
    Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  5. Bah! by Well-Fed+Troll · · Score: 4, Funny

    I spit on thee, thou foul virus writing knaves.
    Wilt it doth survive the lowly Format?
    Truly I say unto thee, Real Men write CMOS infecting viruses.

    1. Re:Bah! by MadnessASAP · · Score: 4, Insightful

      Speaking of which, I remember seeing a rather nifty POC for storing a rootkit in a video card's BIOS. I don't think anybody has taken advantage of it yet though.

      --
      I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
  6. Watch out for what you buy by Digi-John · · Score: 5, Interesting

    A danger to be alert to is the possibility of viruses and rootkits that ship with the computer. Consider that most computers have a lot of parts made in China; suppose the Chinese government decides it's going to slip something into your BIOS? That is a major issue for national security, and it's not just speculation; I've seen test viruses that sit in the BIOS and do a SUID root on a specific file in /tmp on every bootup. EFI is just as vulnerable, because it's basically a complete Unix-like OS just for booting.

    --
    Klingon programs don't timeshare, they battle for supremacy.
  7. Why? by Rurik · · Score: 5, Insightful

    I wonder why a virus writer would even want to do this? Nearly all have learned that instead of wreaking havoc for fun, they can wreak havoc and make money off it. There's a reason most writers stopped writing boot sector viruses. Viruses are more fun when they can perform click-fraud, and other long-term money making actions, instead of destroying a user's computer.

  8. Virtualization complications by wheatking · · Score: 5, Insightful

    so what happens w/ all this virtualization (VMware, Xen, Microsoft/Kidaro, RingCube, Moka5,...) coming in... aren't bare metal vulnerabilities @ the hypervisor layer a bigger deal?

  9. Even worse threats on the horizon... by jdb2 · · Score: 4, Interesting

    For a rootkit, the lower the level it can modify the system at, the better. We've seen this progression, from user-mode, to kernel mode hooks, to kernel mode data structures etc. So, obviously the rootkit authors know that their current methods will be obsolete in the near future, and have "lowered the bar" (pun intended ;) to the MBR. (Heh, that also rhymes ;) Anyway, if you think this is the last safe haven for rootkits, you're wrong -- really wrong. How about a rootkit that splits itself into tiny chunks, compresses them, and then inserts them into the free space available on the various BIOSes in your system, e.g. Video, Hard Drive, RAID Controller etc.? Impossible you say? Well, I advise you to watch this presentation:

    http://youtube.com/watch?v=G26oZtzluAQ&fmt=6

    Systems with the ability to boot from a storage device other than a hard drive, say, a USB drive, are especially vulnerable, as the rootkit doesn't have to gain access to the BIOSes via the OS. Instead, it modifies the boot sector of the USB drive and then, upon bootup, after the BIOS boots off the USB drive, hides itself via the previously mentioned technique, so as to ensure it will run even if the boot sector of the USB drive is modified. This is possible as, upon bootup, the BIOS scans for memory mapped expansion ROMs (the previously mentioned BIOSes spread throughout your system) and then transfers control to each one.

    Something to think about.

    jdb2
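The expansion ROM scan jdb2 describes works on a small header the BIOS checks before calling each ROM: a 0x55AA signature, a size byte in 512-byte blocks, and a checksum byte that makes the whole image sum to zero mod 256. The added example below (not part of jdb2's post or the linked presentation) parses that header, verifies size and checksum, and compares the image to a vendor baseline hash; it also shows why checksum validation is not an integrity control, since the constructed tampered image carries bytes in the unused padding and still has a valid checksum. All images and hashes are constructed.

```python
import hashlib

ROM_SIGNATURE = b"\x55\xAA"


def set_rom_checksum(image: bytearray) -> bytes:
    """Set the last byte so all bytes sum to 0 mod 256 (used here only to build samples)."""
    image[-1] = (-sum(image[:-1])) & 0xFF
    return bytes(image)


def parse_option_rom(image: bytes) -> dict:
    """Parse the legacy expansion ROM header the BIOS examines before calling the ROM."""
    if len(image) < 4 or image[:2] != ROM_SIGNATURE:
        return {"signature_ok": False}
    declared = image[2] * 512            # byte 2: image length in 512-byte blocks
    return {"signature_ok": True,
            "declared_size": declared,
            "size_matches": declared == len(image),
            "checksum_ok": sum(image[:declared]) & 0xFF == 0}


def check_option_rom(image: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the image matches the vendor baseline."""
    findings = []
    hdr = parse_option_rom(image)
    if not hdr["signature_ok"]:
        return ["no 0x55AA expansion ROM signature"]
    if not hdr["size_matches"]:
        findings.append("declared size %d != image size %d" % (hdr["declared_size"], len(image)))
    if not hdr["checksum_ok"]:
        findings.append("ROM checksum invalid")
    if hashlib.sha256(image).hexdigest() != baseline_sha256:
        findings.append("image hash differs from vendor baseline")
    return findings


def build_sample_rom(code: bytes, blocks: int) -> bytes:
    """Construct a sample ROM: header, code at offset 3, zero padding, valid checksum."""
    img = bytearray(ROM_SIGNATURE + bytes([blocks]) + code)
    img += b"\x00" * (blocks * 512 - len(img))
    return set_rom_checksum(img)


GOOD_ROM = build_sample_rom(b"\xEB\x10\x90", 4)          # constructed 2 KiB image
BASELINE = hashlib.sha256(GOOD_ROM).hexdigest()
# constructed: bytes planted in the unused padding, checksum byte recomputed
_tampered = bytearray(GOOD_ROM)
_tampered[1024:1028] = b"\xDE\xAD\xBE\xEF"
TAMPERED_ROM = set_rom_checksum(_tampered)
```

Because the checksum is self-consistent by design, the only finding that separates the two images is the baseline comparison, which is why firmware integrity depends on a trusted reference (or measured boot) rather than on the ROM's own header.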

  10. Windows Malicious Software Removal Tool by mrbluze · · Score: 4, Funny

    Windows is a program which inserts code into the master boot record, often before the user has broken open the packaging of their new computer, resulting in loading of malicious code at power-on which causes the computer to phone-home and results in the gradual loss of available disk space on the affected drive. Multiple other vulnerabilities have also been reported.

    Various removal tools are available free of charge. This is considered a critical and urgent update.

    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]