Slashdot Mirror


Researchers Report Spike In Boot Time Malware

wiredmikey writes "In their most recent intelligence report, Symantec researchers pointed out a massive increase in the amount of boot time malware striking users, noting there have already been as many new boot time malware threats detected in the first seven months of 2011 as there were in the previous three years. Also known as MBR (master boot record) threats, the malware infect an area of the hard disk that makes them one of the first things to be read and executed when a computer is turned on. This enables the threats to effectively dodge many security defenses."

132 comments

  1. Everything old is new again by Anonymous Coward · · Score: 0

    Soon you'll be telling me they're back to using TSR!

  2. BIOS password by ksd1337 · · Score: 1

    Could some form of encryption based on the BIOS password be used to lock the MBR?

    1. Re:BIOS password by The+MAZZTer · · Score: 0

      Modern OSs bypass the BIOS when accessing hardware such as hard drives, where the MBR is stored.

    2. Re:BIOS password by SilentChasm · · Score: 1

      Boot sector virus protection is available on most motherboards as far as I can tell. It prevents things from writing to the MBR without confirmation. Windows 7 also seems to pop up UAC asking whether you really want to let something write to that area of the HDD, from my experience.

    3. Re:BIOS password by Jahava · · Score: 1

      Modern OSs bypass the BIOS when accessing hardware such as hard drives, where the MBR is stored.

      Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.

    4. Re:BIOS password by Anonymous Coward · · Score: 0

      Your in idiot.

      Try a TPM or BIOS-only flashrom.

    5. Re:BIOS password by Suferick · · Score: 1

      Well, that's all right then, because people always read UAC alerts and heed security warnings.

    6. Re:BIOS password by Osgeld · · Score: 1

      Yeah, OK, and just like those stupid horrible hard drive locks and BIOS lockouts: you look at it funny once and you've bricked your drive.

      NO THANKS

    7. Re:BIOS password by mick_S3 · · Score: 1

      Your in idiot.

      Try a TPM or BIOS-only flashrom.

      Now that's some funny shit right there.

      --
      A gin in the hand is worth two in the bottle.
    8. Re:BIOS password by HermMunster · · Score: 4, Interesting

      Not correct. Most of the MBR infections seem to be on Win7 64bit.

      These programs set themselves up before anyone notices and we have little opportunity to react by modifying the bios from the default.

      These programs will also write a virtual file (system) that is encrypted, and hence the malware can't scan it to find and remove the viruses.

      What they are also missing in their explanation of the increase is that these malware guys are doing far more than just modifying that portion of the drive. They will erase all your "all programs" folder contents and hide all your personal files and modify the registry and other permissions making it very difficult to recover from even when you discover they are there and try a removal procedure.

      What Symantec also didn't explain was that it takes a lot of work to rid the computer of these viruses and that the average antivirus tools are highly unsuccessful at the removal. None of the antivirus software tries to correct the problems created even if they can get rid of the virus. I know some anti-malware apps try to reset some registry keys to default, but that's not what I'm talking about.

      You can really screw things up unless you know what you are doing. Even Microsoft has thrown their arms up at times giving up with the directive that you should erase first in some cases because you just can't be sure you got rid of the malware.

      Of course this emboldens the malware authors because it tells them that they are headed in the right direction or are already successful. Hell, if you can get the biggest software company in the world to give up then you win.

      --
      You can lead a man with reason but you can't make him think.
    9. Re:BIOS password by IWantMoreSpamPlease · · Score: 1

      >>...to give up then you win.

      Win what?

      --
      So rise up, all ye lost ones, as one, we'll claw the clouds.
    10. Re:BIOS password by GodInHell · · Score: 1

      Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.

      Why bother? If the MBR is infected you can fix it and eventually unwind the damage. If you refuse to boot from the MBR you lock yourself out of the system until you find a copy of Knoppix.

    11. Re:BIOS password by Anonymous Coward · · Score: 1

      Win what?

      Money. Lots of money.

    12. Re:BIOS password by Joce640k · · Score: 1

      Even Microsoft has thrown their arms up at times giving up with the directive that you should erase first in some cases because you just can't be sure you got rid of the malware.

      This is why they invented disk imaging software....

      --
      No sig today...
    13. Re:BIOS password by Anonymous Coward · · Score: 0

      You don't need to: just verify the MBR at least every boot (with a utility running late, in Windows), then rewrite it from a backup when changed. Then give the user a notification and the opportunity to undo this. Simple as hell. What's the fuss??

    14. Re:BIOS password by ksd1337 · · Score: 1

      So, like a version of Deep Freeze for the MBR?

    15. Re:BIOS password by Runaway1956 · · Score: 1

      Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.

      Why bother? If the MBR is infected you can fix it and eventually unwind the damage. If you refuse to boot from the MBR you lock yourself out of the system until you find a copy of Knoppix.

      Why does it have to be Knoppix? And - doesn't EVERYONE have a copy lying around? Crap - my workstation has at least 30 *nix OS installations and/or LiveCDs lying around it. Some of them even mount NT drives by default!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    16. Re:BIOS password by HermMunster · · Score: 1

      Unrealistic. Your response is disingenuous.

      --
      You can lead a man with reason but you can't make him think.
    17. Re:BIOS password by Anonymous Coward · · Score: 0

      Look in your BIOS configuration for something along the lines of "Boot Sector Virus Protection" or some similar name. This will need to be disabled when you install a new operating system, but then can be enabled again. The BIOS will block access to the boot sector at that point.

    18. Re:BIOS password by Hatta · · Score: 3, Informative

      You don't need to: just verify the MBR at least every boot (with a utility running late, in Windows),

      No good. You have to verify the MBR before the virus has loaded, or it can just fake it.

      --
      Give me Classic Slashdot or give me death!
  3. No Information - Just Fear by sweatyboatman · · Score: 5, Insightful

    No actual information in the linked article. No way of verifying what they're saying is true or useful.

    But don't worry. I am sure Symantec will happily sell you something that will "protect" you from this flood of MBR viruses.

    --
    It breaks my pluginses, my precious!
    1. Re:No Information - Just Fear by Anonymous Coward · · Score: 0

      Symantec: Nice computer you got there...it'd be a...shame...if something were to happen to it...

    2. Re:No Information - Just Fear by MightyMartian · · Score: 1

      Symantec: And now we've installed Symantec FireVirusWallMonsterApp2011. Don't worry, it's normal if every other process you try to run takes 15 minutes to start. At least you're secure!!!! Now please pay us annually to keep those slow speeds coming.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:No Information - Just Fear by fuzzyfuzzyfungus · · Score: 2

      Symantec's Advanced Pre-emptive Defense technology is some of the industry's finest. It is really very lax of you to be so flippant about these matters.

      As computer scientists and security researchers have proven (with big scary math!), virtually all malware requires CPU cycles and memory in order to harm your system. By starving everything that might be a virus of these precious resources, Symantec keeps you safe from the malware scourge.

    5. Re:No Information - Just Fear by jonwil · · Score: 1

      There is a reason I have vowed NEVER to install anything Symantec or McAfee make on ANY PC I own...

    6. Re:No Information - Just Fear by Osgeld · · Score: 1

      Yeah, I love these stories. Every single one of them is from a security firm, but they never mention what the fuck they are going to do about it. As if they actually did anything in the first place except bog your computer down and beg for money 'cause they quarantined a Word file.

    7. Re:No Information - Just Fear by Anonymous Coward · · Score: 1

      I found an MBR virus about two weeks ago. Of the free products I've been pushing, MS Security Essentials was the only one to detect it. And the only way I could get rid of it was to use an XP install disk to rewrite the MBR.

      I usually don't trust MS any further than I can throw a PC JR, but so far they seem to have their stuff together with Security Essentials.

    8. Re:No Information - Just Fear by rezalas · · Score: 1

      Symantec Advanced Pre-emptive Defense tech... SAP'ed

      http://en.wikipedia.org/wiki/Baton_(law_enforcement)#Sap

    9. Re:No Information - Just Fear by couchslug · · Score: 1

      "But don't worry. I am sure Symantec will happily sell you something that will "protect" you from this flood of MBR viruses."

      More nuke-and-paves for me. Mmmmm....pocket money.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    10. Re:No Information - Just Fear by LordLimecat · · Score: 1

      What, have they decided to break into the market of effective Antivirus scanners?

    11. Re:No Information - Just Fear by Anonymous Coward · · Score: 0

      How would an XP install disk fix your grub installation?

      Oh wait, you DO trust M$

    12. Re:No Information - Just Fear by Runaway1956 · · Score: 1

      Ditto. Way back, in the Win98 days, McAfee actually destroyed an installation of Windows. So, I swore off of McAfee. OnTrack seemed a likely candidate - but they sold out to someone. I flirted with Symantec for a while, primarily because Norton's name was associated with them. Finally got tired of that stupidity. I branched out to some lesser knowns - Comodo, Tiny, and others. Tiny was actually pretty damned good - but complicated.

      Ultimately, I gave up on all of them. Now, I'm a distro hopper. I just download a new version of Linux every week, and try it out. Not only is there no need for a "security solution" on Linux - but there is certainly no need for such a solution if you're just going to nuke from orbit every week or so!

      "Set us up the bomb!"

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    13. Re:No Information - Just Fear by Runaway1956 · · Score: 1

      Actually - I have to give MS a grudging "attaboy" for MS Security Essentials. I tested, and retested it a few times. It's pretty fast, pretty effective, light on resources, updated regularly - it's very nearly what McAfee, Symantec, and the others wish they could be! Given an administrator, and users, who actually READ those warnings from the OS and from their anti-malware app, MSE can be very effective.

      Of course, as long as users just dismiss warnings, nothing can effectively secure their machines.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    14. Re:No Information - Just Fear by gatkinso · · Score: 2

      >> Way back, in the Win98 days, McAfee actually destroyed an installation of Windows

      For once McAfee worked!

      --
      I am very small, utmostly microscopic.
    15. Re:No Information - Just Fear by Anonymous Coward · · Score: 0

      We are at war with Eurasia!! No, wait...!!

    16. Re:No Information - Just Fear by Anonymous Coward · · Score: 0

      Ditto. Way back, in the Win98 days, McAfee actually destroyed an installation of Windows. So, I swore off of McAfee.

      Ultimately, I gave up on all of them. Now, I'm a distro hopper. I just download a new version of Linux every week, and try it out. Not only is there no need for a "security solution" on Linux - but there is certainly no need for such a solution if you're just going to nuke from orbit every week or so!

      "Set us up the bomb!"

      With XP I installed McAfee and rebooted... Computer sat there making a shrill sound and showing a black screen...
      I was able to save Windows. I sent them back their disk with a rant... never got a refund or so much as a kiss my ass... So after that, I'd go every Friday to House Call and run a scan.
      Also now a Linux distro user. You could not pay me to use Windows or the so-called virus protectors...

  4. Re:Figures by Anonymous Coward · · Score: 0

    I'm sorry, but that is an incorrect answer. The correct answer is, "And then Obama will try to shift the blame onto Bush".

  5. Ancient concept by Anonymous Coward · · Score: 0

    MBR malware is ooooooooooooooold. They existed back in the DOS days. (Yes, that clunky old substitute of a shell pretending to be a real OS while being shamelessly marketed as Bill Gates' invention despite being written in Canada by someone else.)

    A few years ago they were deemed to be extinct.

    The fix in those days (using the shell/command line): fdisk /mbr
    Done.

    1. Re:Ancient concept by kbolino · · Score: 1

      I didn't know Seattle was in Canada.

    2. Re:Ancient concept by PPH · · Score: 1

      Judging by the number of BC license plates, yes we are.

      --
      Have gnu, will travel.
  6. Boot knoppix, save copy of MBR by sl4shd0rk · · Score: 1

    Don't know for sure anymore, but it used to be that each partition on the disk had 512 bytes of meta-data associated with it. On boot slices, that 512 was the MBR. On non-boot slices that 512 held info about extended partitions and such. You could save that 512 bytes to some disk medium and write it back later. Cheaper than paying McAfee/Symantec/extortion.

    save MBR from first scsi (sata) disk
            dd if=/dev/sda of=/media/usb/mbr.bin bs=512 count=1

    when you need to restore:
            dd if=/media/usb/mbr.bin of=/dev/sda bs=512 count=1

    --
    Join the Slashcott! Feb 10 thru Feb 17!
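The dd backup above and comment 13's "verify the MBR every boot and rewrite it from backup when changed" idea, as an added Python example that is not from this thread: it hashes the 446-byte boot-code region separately from the partition table, so a rewritten loader is flagged while a legitimate repartition is not, and it is meant to be run from trusted boot media (Hatta's point), since a bootkit already resident in the running OS can hand a clean-looking sector to any checker inside it. All MBR images below are constructed sample data with placeholder bytes in place of real loader code.

```python
"""Check the boot-code region of a 512-byte MBR against a saved baseline.

Classic MBR layout (general fact, not taken from the thread):
  bytes   0..445  boot code (newer layouts also keep a 4-byte disk signature here)
  bytes 446..509  four 16-byte partition-table entries
  bytes 510..511  boot signature 0x55 0xAA
Hashing the first 446 bytes on their own lets a monitor flag a rewritten
loader while tolerating legitimate partition-table edits.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY_LEN = struct.calcsize(PART_ENTRY_FMT)  # 16
SIG_OFF = 510
BOOT_SIG = b"\x55\xAA"


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a synthetic MBR image for the demo (sample data, not a real disk).

    partitions: iterable of (bootable, type_byte, lba_start, sector_count).
    CHS fields are left zeroed because the check below never looks at them.
    """
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in 446 bytes")
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(list(partitions)[:4]):
        struct.pack_into(PART_ENTRY_FMT, buf, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         lba_start, sectors)
    buf[SIG_OFF:SIG_OFF + 2] = BOOT_SIG
    return bytes(buf)


def has_boot_signature(mbr: bytes) -> bool:
    """A sector without 0x55AA at the end is not a valid MBR at all (e.g. zeroed)."""
    return len(mbr) == MBR_SIZE and mbr[SIG_OFF:SIG_OFF + 2] == BOOT_SIG


def parse_partitions(mbr: bytes):
    """Return the non-empty partition entries as (bootable, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        if ptype != 0:
            entries.append((status == 0x80, ptype, lba_start, sectors))
    return entries


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table is excluded."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(current: bytes, baseline: bytes) -> dict:
    """Compare a freshly read first sector with the saved baseline (the dd backup)."""
    return {
        "signature_ok": has_boot_signature(current),
        "boot_code_changed": boot_code_digest(current) != boot_code_digest(baseline),
        "partition_table_changed":
            current[PART_TABLE_OFF:SIG_OFF] != baseline[PART_TABLE_OFF:SIG_OFF],
    }


# --- constructed sample data (placeholder bytes, not real loader code) ------
CLEAN_BOOT_CODE = b"\xEB\x3C\x90" + b"demo-loader".ljust(BOOT_CODE_LEN - 3, b"\0")
OTHER_BOOT_CODE = b"\xE9\x00\x00" + b"some-other-loader".ljust(BOOT_CODE_LEN - 3, b"\0")
PARTITIONS = [(True, 0x07, 2048, 1_000_000), (False, 0x83, 1_002_048, 500_000)]

BASELINE_MBR = build_sample_mbr(CLEAN_BOOT_CODE, PARTITIONS)
# 1: loader replaced, partition table untouched: the disk still mounts normally,
#    so only the hash of the boot-code region gives the change away.
TAMPERED_MBR = build_sample_mbr(OTHER_BOOT_CODE, PARTITIONS)
# 2: the user added a partition; the loader is still the original one.
REPARTITIONED_MBR = build_sample_mbr(
    CLEAN_BOOT_CODE, PARTITIONS + [(False, 0x82, 1_502_048, 100_000)])
# 3: first sector zeroed, as in the "overwrite the HDD boot sector" suggestion.
ZEROED_MBR = bytes(MBR_SIZE)


def demo() -> dict:
    """Run the check over the three scenarios and return the verdicts by name."""
    return {name: check_mbr(img, BASELINE_MBR) for name, img in
            [("tampered", TAMPERED_MBR), ("repartitioned", REPARTITIONED_MBR),
             ("zeroed", ZEROED_MBR)]}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The same split applies to the restore step: writing back only the first 446 bytes of the saved image (dd with bs=446 count=1) replaces the boot code without touching the partition table.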
    1. Re:Boot knoppix, save copy of MBR by m50d · · Score: 1

      If you're competent enough to figure out you need to boot a CD and remove it, you can then fdisk /mbr or equivalent - no need to have backed it up originally.

      --
      I am trolling
    2. Re:Boot knoppix, save copy of MBR by Anonymous Coward · · Score: 0

      True. But he's also using dd, which means he must have the sense to ALSO use linux outside of live CD's if he knows that much. So, fdisk /mbr might not be an option. Worst case scenario, he'll be wiping his Grub bootloader if he blindly uses the windows solution.

    3. Re:Boot knoppix, save copy of MBR by PPH · · Score: 1

      Doesn't GRUB (and other bootloaders) offer the option to rewrite their first stage to the boot device MBR? And since every OS distro customizes the GRUB configuration (not to mention some people who like to fiddle with defaults 'just because') good luck to that malware finding the recovery copy to infect as well.

      --
      Have gnu, will travel.
    4. Re:Boot knoppix, save copy of MBR by Anonymous Coward · · Score: 0

      If you're competent enough to figure out you need to boot a CD and remove it, you can then fdisk /mbr or equivalent - no need to have backed it up originally.

      If you are competent enough to do that then you could avoid risky browsing behaviour altogether.

    5. Re:Boot knoppix, save copy of MBR by m50d · · Score: 1

      I don't think that's implied. Press F12, choose boot from CD is a lot simpler than constant vigilance.

      --
      I am trolling
    6. Re:Boot knoppix, save copy of MBR by Anonymous Coward · · Score: 0

      Simpler and more elegant: Move your /boot partition onto your USB stick, and install GRUB there. Then overwrite the HDD boot sector with zeroes and set your BIOS to ONLY boot from USB drives.

      If you want to add security, encrypt the whole HDD with a key, then encrypt the key with your password and save that encrypted key in your boot partition. Now make an initrd that asks you for the password, uses it to decrypt the key, and uses the key to access your hard disk.
      Now if somebody has the password, it's worthless. Same for the USB stick alone. And if somebody attacks you, destroy the stick in front of his eyes. (You can buy USB sticks that come with a built-in self-destruct mechanism.)
      Of course, you will lose your data. Of course, if you make any copies on other media that aren't encrypted the same way, this whole thing is worthless. And of course if somebody gets into your system while it's running, all of this is worthless too.
      And finally, make sure your attacker understands the concept of having an encrypted key that's now gone, and doesn't beat you up anyway. ^^

  7. fallback on old tech by Anonymous Coward · · Score: 0

    No worries, I've got a DOS boot floppy with F-Prot on it right here. Now I just need to find a floppy drive...

    1. Re:fallback on old tech by couchslug · · Score: 2

      "No worries, I've got a DOS boot floppy with F-Prot on it right here. Now I just need to find a floppy drive..."

      No, just use Winimage to make a .IMA file then use that file to burn a floppy-emulation CD/DVD. Throw some utils in the root directory while you are at it.

      This is the shit if you want a very well thought out live CD toolkit containing PE/Linux/DOS:

      http://falconfour.wordpress.com/2011/03/12/falconfours-ultimate-boot-cdusb-4-5/

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    2. Re:fallback on old tech by couchslug · · Score: 1

      I should have added "download a boot floppy image" and convert it to a .IMA file. I use Win98SE images but you can Google plenty of choices.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    3. Re:fallback on old tech by LordLimecat · · Score: 1

      Y'all are doing it the hard way.

      Grab an Ubuntu CD. Boot to live mode. Install "ms-sys". Issue the command "ms-sys -m /dev/sda", or whatever the proper switch is for your edition of Windows. Browse /dev/sda1, removing all executables from %appdata% and any suspicious drivers. Reboot, and perform a cleanup from safe mode.

      No need for specialized disks, and if you really can't stand having to download ms-sys every time you can just re-roll your own custom Ubuntu (or Mint, or whatever) based distro.

  8. viruses have been hiding in the MBR for long time by Anonymous Coward · · Score: 0

    i remember in the early 90's catching a boot sector virus from a public library terminal

  9. Of course by Anonymous Coward · · Score: 0

    Of course it's Obama's fault. He's the current president and everybody always blames that guy for everything.

    And this entire thread deserves to be modded offtopic.

  10. why is this such a big deal by loftwyr · · Score: 1

    Get a bootable Windows 95 disk with fdisk on it and type fdisk /mbr. That will rewrite the boot record and make things less nasty.

    1. Re:why is this such a big deal by Osgeld · · Score: 1

      Yeah, go try it on your machine right now; NT (which is what we have been using for about a decade now) won't load.

      Use your current Windows boot CD and use the recovery console.

    2. Re:why is this such a big deal by LordLimecat · · Score: 2

      Pretty sure XP and Vista will refuse to boot once you do that. NT and especially 7/vista have very different bootloaders than 95.

    3. Re:why is this such a big deal by Anonymous Coward · · Score: 0

      I recently moved 7 to a new motherboard after my old one died and it refused to boot even after using the recovery console to run bootrec /fixmbr and all that jazz. NT based systems are very picky about the bootloader. On XP it would have been possible to fix it with a repair install, but no longer.

    4. Re:why is this such a big deal by Anonymous Coward · · Score: 0

      Should work fine on XP on fat32. I use gdisk (came w/an old copy of Norton Ghost - the only Norton prod I still use.) with the same switch. XP boots fine afterwards. It would wipe any grub install. Reinstalling grub would of course serve the same purpose.

  11. Have noticed by al0ha · · Score: 1

    an increase in this type of malware in my occupation, I suppose it could be called a spike if +2 since January indicates a spike. Oh, part of my job is detecting and informing users of malware infections on a Class A network.

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    1. Re:Have noticed by Anonymous Coward · · Score: 0

      ...on a Class A network.

      10.112.79.112/28 is a class A network. Mask matters.

  12. EFI? by Anonymous Coward · · Score: 0

    Got a good question..

    I've noticed a lot of newer motherboards, especially "Sandy Bridge" generation Intel systems and later, are shipping with EFI firmware (usually with a BIOS compatibility mode enabled by default, though*). If you went the EFI route and booted from a GPT partitioned disk, would you be immune to old style boot sector viruses?

    I guess it would depend on how the machine's firmware handled boot.

    *Actually, a lot of motherboards have been EFI since before then, but with BIOS compatibility mode forced on with no way to turn it off. See InsydeH2O.

    1. Re:EFI? by Anonymous Coward · · Score: 0

      If you were doing a *true* UEFI boot, with a GPT disk, you would probably be OK, though I wouldn't guarantee it. Now, the real question is, how do you know if you're doing a true UEFI boot or not? OEM installations probably aren't but if you installed Windows 7 yourself, and knew what to look for then you could be reasonably sure (hint: boot device override menu, choose "UEFI: CD-ROM" or similar)

  13. Re:viruses have been hiding in the MBR for long ti by Anonymous Coward · · Score: 0

    No, that was a Chinese whore.

  14. Re:Figures by Tsingi · · Score: 3, Insightful

    Who probably did it.

  15. Why every device should come with a rescue plan by davidwr · · Score: 2

    PCs should come with a button that says "RESCUE ME" that if pressed on power-on boots to a read-only BIOS that boots a locked-down, vendor-signed operating system that gives the user local rescue options and, if network-connected, some network-based rescue options.

    On machines sold as Windows machines this would include:
    * An online virus check and remediation for common viruses that prevent booting into Windows "safe mode with networking" without the infection loading. Any other viruses can be remediated by booting into that mode
    * Backing up the entire drive or portions of it to DVD, USB device, or other common devices.
    * Reloading an authenticated copy of the "normal" (non-rescue) BIOS from a CD, memory stick, or the hardware vendor web site.
    * Re-creating the MBR to factory settings, except leaving the partition table alone
    * If there is a recovery partition, validating it and rebuilding it from the web or DVDs if it is corrupted. If there is not and the disk is not full, offer to create one.
    * An option to rebuild the disk from scratch using data from the Internet, DVD, or USB device.

    Rescue plans for other devices like routers or PCs that don't ship with an OS could be much simpler - their read-only rescue BIOS should provide a means to reset a corrupted boot configuration or replace a corrupted BIOS. Their "rescue me" button would also likely be much more obscure - probably a set of jumpers on a PC motherboard or an "insert paper clip" button on a router.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Why every device should come with a rescue plan by Anonymous Coward · · Score: 0

      PCs should come with a button that says "RESCUE ME" that if pressed on power-on boots to a read-only BIOS that boots a locked-down, vendor-signed operating system that gives the user local rescue options and, if network-connected, some network-based rescue options.

      are you suggesting something like the chromeos verified boot?

    2. Re:Why every device should come with a rescue plan by hoggoth · · Score: 1

      They have this. It's called a Live-CD.
      It just doesn't come with the PC.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    3. Re:Why every device should come with a rescue plan by davidwr · · Score: 1

      They have this. It's called a Live-CD.
      It just doesn't come with the PC.

      Then it doesn't come with it.

      Also, most PCs have modifiable, infectable BIOSes and they don't come with a read-only rescue BIOS.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    4. Re:Why every device should come with a rescue plan by davidwr · · Score: 1

      Yes, but across the industry not just on a few computers.

      The ability to recover from an infection should be available out-of-the-box on all boxes.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    5. Re:Why every device should come with a rescue plan by Anonymous Coward · · Score: 0

      "read-only BIOS"
      You can prevent changes to the BIOS by setting a BIOS password.

      "a locked-down, vendor-signed operating system"
      We already have it, it's called Windows 7 x64. Standard users have few rights to do anything, and drivers need to be signed.

      "local rescue options"
      Yep, there are already rescue options. None too friendly, but they're there.

      "if network-connected, some network-based rescue options"
      To where exactly? If you're infected, you could be connecting to a malware site for the "rescue".

      "* An online virus check and remediation for common viruses"
      Have you tried to go to online virus checks when you're infected? Malware prevents you from going to those sites. They also block tools used to clean infections. Only the really simple ones are easy to clean.

      "Any other viruses can be remediated by booting into that mode"
      Assuming your anti-malware actually knows about the malware. I see new strains every day that don't get detected by any malware vendor.

      "* Backing up the entire drive or portions of it to DVD, USB device, or other common devices."
      Including backing up the malware? An infected backup is pretty useless. You can keep multiple copies of the drive, but do you know *when* you were infected and which backup is clean?

      "* Reloading an authenticated copy of the "normal" (non-rescue) BIOS from a CD"
      Do you know what a BIOS is and what it does? Corrupting a BIOS is pointless as it'll render the machine completely unusable.

      "* Re-creating the MBR to factory settings"
      What "factory settings"?

      "* If there is a recovery partition, validating it and rebuilding it from the web or DVDs if it is corrupted."
      Many OEM builds have hidden recovery partitions. You don't have access to them, because they don't want you to corrupt those partitions. Most PC vendors already allow you to create "rescue" DVDs so that you can rebuild your system. So what's the point of this bullet?

      "If there is not and the disk is not full, offer to create one."
      And create an infected recovery partition?

      "* An option to rebuild the disk from scratch using data from the Internet, DVD, or USB device."
      Yes, it's called "recovery media", and most vendors already allow you to build recovery media from secure locations and files that are not likely to get infected.

    6. Re:Why every device should come with a rescue plan by davidwr · · Score: 1

      Your entire comment misses the point:

      Devices need to ship with a "walled garden rescue mode" BIOS that is actually read-only and un-infectable. This BIOS would activate when the user powered on while holding down the "rescue me" button.

      In this mode, the only code that could execute would be trusted code. This would specifically exclude malware of course.

      Basically the BIOS would be broken down into 3 parts:

      A read-only, un-infectable "BIOS loader" that would check to see if the "rescue me" button was pressed.
      Normally, this would load what we think of as a BIOS. This code would be "flashable" as are most BIOSes today.
      In "rescue mode" this would load a 3rd piece of code, a read-only, un-infectable rescue BIOS, that would have the features I mentioned.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    7. Re:Why every device should come with a rescue plan by anubi · · Score: 1

      Let me run this up the flagpole...

      For Windows machines... What if Microsoft, being they are the author of their code, released an image of a bootable CD whose only function was to verify the integrity of an installed version of Windows on the hard drive?

      It would have the capability of restoring mangled kernel files.

      For trust's sake, one would have to get it from Microsoft or one of their approved vendors. The disk would be insufficient to pirate a full-blown installation of Windows, but would be able to detect and restore the kernel to safe mode operations. If you have rogue programs in your machine, you may have to go as far as to delete every program you have ever installed to nab the one the virus infected, but at least the boot CDROM would give you an operable platform to launch your investigative and remedial efforts from.

      I can hardly hold Microsoft responsible for malware installed by the user, but I do need the tools to let me at least clean up shop to the original as-purchased state should malware make such a mess as to make salvage of my executables impossible. At least I might be able to salvage some of the data files.

      As far as I am concerned, Microsoft did good giving us a system restore option. One thing I miss is the option of just restoring system files sans all the "shovelware" various business interests got Microsoft and the computer manufacturers in their preloaded software.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

    8. Re:Why every device should come with a rescue plan by Anonymous Coward · · Score: 0

      "PCs should come with a button that says "RESCUE ME" that if pressed on power-on boots to a read-only BIOS that boots a locked-down, vendor-signed operating system that gives the user local rescue options and, if network-connected, some network-based rescue options."

      At the risk of enduring flames for having said something nice about Apple, this is a feature of OS X Lion. Boot while holding command-R, you boot from a read-only rescue partition. From there you can do tons of stuff including restoring your whole system.

  16. Pretty easy to prevent infection on this one. by idbeholda · · Score: 1

    Taken directly from the article. "Ramnit spreads through removable drives and by infecting executable files such as .DLL, .EXE and .HTM extensions." Disable autoplay and don't allow the browser to run scripts. These are two basic security measures that users should implement by default anyways. Not doing so is just asking for trouble.

    1. Re:Pretty easy to prevent infection on this one. by Anonymous Coward · · Score: 0

      Why the heck would anything running in a web-browser be able to write to the MBR?!? If Browser and/or OS security has gotten to this (horrible) state, then we need to scrap everything and start over. How about sandboxing every single application, with no shared storage (unless specifically allowed by the user), and NOTHING has access to the physical disk directly unless it is a program coming off of the physical media that the machine was booted with (An OS installation ISO).

      It is ridiculous that a modern OS would allow any program to write to the MBR. OS's don't let programs write to kernel-owned memory addresses, why would it be ANY DIFFERENT for storage?

    2. Re:Pretty easy to prevent infection on this one. by idbeholda · · Score: 1

      A proper sandbox technique would be to explicitly allow all system reads, but explicitly deny all system writes. Any attempt to do a system write would instead copy the system file to a sandboxed area, and allow writes to the copied file, keeping the original one intact. Sandbox infection getting out of hand? /clearmem (or some other custom command used to restore the sandbox to a beginning state) Problem solved.

    3. Re:Pretty easy to prevent infection on this one. by 0123456 · · Score: 1

      Why the heck would anything running in a web-browser be able to write to the MBR?!?

      Well, if you're running on XP you're probably an administrator so a browser exploit can write to anything. And if you're a typical user running Windows 7 then you'll click 'Yes' when UAC asks 'Do you want to allow Internet Exploder to: do some shit you don't understand?'

    4. Re:Pretty easy to prevent infection on this one. by compgenius3 · · Score: 1

      NOTHING has access to the physical disk directly unless it is a program coming off of the physical media that the machine was booted with (An OS installation ISO).

      Solution:
      1. copy malware executable to system disk
      2. relaunch
      3. ???
      4. write to MBR

      --
      Sexual intercourse is kicking death in the ass while singing. ~Charles Bukowski
    5. Re:Pretty easy to prevent infection on this one. by LordLimecat · · Score: 2

      What happens when that virus also goes after mapped drives, as many viruses do? What happens when it "super-hides" all the folders, and places look-alike exe's with a folder icon in their place (remember, by default the .exe extension is hidden)?

      Takes a little more security than "disable autoplay"; to really secure from these sorts of nasties you need to be working with NTFS permissions and/or GPOs to control which directories are executable.

    6. Re:Pretty easy to prevent infection on this one. by idbeholda · · Score: 1

      I'm not saying that disabling autoplay will stop an active infection, but I'm saying that it WILL help prevent it from happening. It's not that hard to tell the difference between a folder and a file; I don't need windows group policy to tell me not to click on every executable that's lobbed in my general direction. While we're on the subject of security practices, look up NTFS/ADS. That's where the real problem lies, and it still hasn't been fixed since its inception, with the exception of the more recent versions of Windows Server.

      I could waste my time compiling a list of these common sense tactics that pretty much guarantee that you won't get hit with a live infection, but it would just be easier and less of a waste of time on my part if you used google and learned some basic security practices without me having to further lecture you about this.

    7. Re:Pretty easy to prevent infection on this one. by LordLimecat · · Score: 1

      I'm not saying that disabling autoplay will stop an active infection, but I'm saying that it WILL help prevent it from happening.

      And my point was no, not always, sometimes users are browsing a network share, and click that exe-that-looks-like-a-folder, and it appears to open normally, except now they're infected too.

      While we're on the subject of security practices, look up NTFS/ADS

      AD and NTFS are known for their remarkable security, actually; NTFS's ACLs are generally much much more granular than EXT3/4, or UFS, and I believe HFS+ (anything that uses basic chmod with 3-bit acls). You can sort of kludge on more advanced ACLs, but there's nothing like the things you can do in NTFS, like allowing only "create directory" rights (which if you desired I could demonstrate a very easy use case for).

      AD uses a lot of open standards, and I'm really not aware of any good attacks on the authentication or encryption it uses.

    8. Re:Pretty easy to prevent infection on this one. by badkarmadayaccount · · Score: 1

      I'd love a use case.

      --
      I know tobacco is bad for you, so I smoke weed with crack.
    9. Re:Pretty easy to prevent infection on this one. by LordLimecat · · Score: 1

      A client recently requested this.

      They wanted a setup where users could be members of groups such as Region1 and Region2, and each would have their OWN folder within their Region's share. Only that particular user would have access to their folder in that region, except for the manager who should be able to see everyone's "personal" folder. Additionally, users must be able to have separate folders in each region if they are members of more than one region.

      My solution was to create a regional folder ("Region1", etc), and grant the manager modify rights, admins full rights, CreatorOwner modify rights (inheritable for subfolders), and members of that region only "traverse" and "create directory" rights, for "this folder only". On logon, a script attempts to create a %username% folder in the regional folder, which it is then the owner of and has full rights to. It then maps a drive to that folder.

      They are unable to see who are members of their region, since they do not have the "list directory contents" right, and the manager gets a drive mapped to the root of the region, and is able to easily access all subordinate folders. No work is needed to switch users to a new region-- just change their group membership and the GPO takes over, as does the global "creator/owner" modify rights. They would be unable to access their old region's folder, as they would no longer have the traverse right.

      A more simple use case is each user having their own private folder on the server; you set the permissions as stated above, and on logon the script tries to create their folder and maps it. New users automatically create a folder and map to it.

      The worst thing that could happen would be a malicious user (eve) using mkdir to create someone else's (jsmith) folder prior to their initial logon; but of course, now Eve would be the owner, and jsmith's drive map would fail due to insufficient rights, and it would be immediately obvious what had happened.

  17. Keeps you safe by by Anonymous Coward · · Score: 0

    Symantec keeps you safe by hogging all the CPU cycles for itself. A buddy of mine bought a new laptop to run Pro Tools software for recording and Symantec keeps the app because it's using too much memory. Great job!

  18. Not single stage.... by DrYak · · Score: 2

    The problem is that these viruses affect not only the master boot, but many other stages :
    the bootloader,
    they run rootkits,
    etc.

    If you just wipe out the boot record, the further stages of the virus are still here (only these stages will be less stealthy and won't necessarily come back after deletion, as there's a previous stage missing for hiding/respawning).

    And once the whole system and the whole virus are up and running, it can probably re-write the MBR again.

    What you need, after restoring the MBR, is to perform enough system repairs :
    restore the boot loader, and scan the OS for infected files; only *then* can you reboot into the OS. Until that point, it's considered infected...

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  19. 1986 called. by idontgno · · Score: 1, Insightful

    They want their boot-sector viruses back.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
    1. Re:1986 called. by Anonymous Coward · · Score: 0

      Your PC is now Stoned!

    2. Re:1986 called. by Anonymous Coward · · Score: 0

      2011 is calling too: most software from Autodesk is messing with the first few HDD sectors (outside the NTFS partition). This makes checking of the boot sectors difficult, since re-activation of any of their products will set off false alarms, and restoring these sectors could mess with the copy-protection of those programs.
      Since Autodesk is a high-level Microsoft partner, this should be all legal and documented behavior for a Windows program, but it still gives boot-sector viruses a lot more freedom than they deserve.

  20. Why does Windows need access to the MBR? by Tetrarchy · · Score: 1

    I don't even see a situation where windows would need to modify the MBR after installation - so why do they even allow it to?

    1. Re:Why does Windows need access to the MBR? by stderr_dk · · Score: 1

      The MBR contains the partition table. If you want to resize or move a partition, you need to write a new partition table to the MBR.

      --
      alias sudo="echo make it yourself #" ; # https://pipedot.org/~stderr & http://soylentnews.org/~stderr
    2. Re:Why does Windows need access to the MBR? by LordLimecat · · Score: 1

      Truecrypt, OS installation /repair, changing partition table, etc.

    3. Re:Why does Windows need access to the MBR? by Billly+Gates · · Score: 1

      An OS upgrade or menu options at boot time. Also how do you get into safe mode?

  21. bad bios by hesaigo999ca · · Score: 1

    If a BIOS does not have inherent security checking for the MBR of a drive, to see if malware or a virus exists, then it is crap, and almost 99% of all BIOSes out there do not have this.....hence...maybe if Symantec gave out some free code for MBR checking to all BIOS writers, it would be a great day in paradise !

    1. Re:bad bios by Anonymous Coward · · Score: 0

      bullshit

      how should the bios know which mbr is good and which is bad?

      checking for some known bad values didn't work decades ago and will not work now
      complex things will not fit and do not work that well anyway

      let me guess, everything not win7 must obviously be bad
      but even windows fanatics will want to switch to win8

    2. Re:bad bios by LordLimecat · · Score: 1

      Grats, your plan disallows booting to encrypted partitions, or for using updated, newer bootloaders; and if it does not, then it easily lets through updated, repacked mbr viruses.

    3. Re:bad bios by Billly+Gates · · Score: 1

      Does EFI firmware offer that? Intel has been trying to get us to switch since the dawn of this century. Only the mac has truly adopted it and I wonder why? It is not like we need DOS compatibility anymore

    4. Re:bad bios by ksd1337 · · Score: 1

      Why the hell would you want to write antivirus software into a BIOS?

    5. Re:bad bios by hesaigo999ca · · Score: 1

      rootkits my friend, rootkits....

    6. Re:bad bios by hesaigo999ca · · Score: 1

      why would you say that, if the av checking the bios is kept up to date then there would be no problems detecting the repacked mbr viruses

    7. Re:bad bios by LordLimecat · · Score: 1

      What happens when that detection marks a TrueCrypt MBR (which stores the decryption key for the whole drive) as a virus, and kills it? "Whoops, I accidentally all your data"?

      What happens when a virus update kills the BIOS due to a bad write?

    8. Re:bad bios by ksd1337 · · Score: 1

      Perhaps, but when you say "antivirus software", I think of memory-, processor-, and time-draining.

      If there is some way to optimize the software for pre-boot, then maybe I'd be less wary of it.

    9. Re:bad bios by hesaigo999ca · · Score: 1

      > What happens when that detection marks a TrueCrypt MBR (which stores the decryption key for the whole drive) as a virus, and kills it? "Whoops, I accidentally all your data"?

      TrueCrypt has special markers within its headers to let any known AV software know that it is encrypted with TrueCrypt...this would not be a problem.

      > What happens when a virus update kills the BIOS due to a bad write?

      You make sure that the main BIOS chip is non-editable due to a pin setting on the board; to allow a BIOS update you need to remove the pin setting to allow for it, then apply your update, then put the pin setting back to locked.....why is this so hard for people to understand....if you add a hardware variable to the equation, it means you need to physically be there for the update on a motherboard's BIOS...which I think should be standard, as not everyone should be playing with the BIOS....don't you agree?

  22. PARITY BOOT B by Anonymous Coward · · Score: 0

    PARITY BOOT B

  23. Natch. by GodInHell · · Score: 1

    Who else?

    1. Re:Natch. by Tsingi · · Score: 1

      Cheney and Rumsfeld.

  24. Seriously . . . Takes me back to HS. by GodInHell · · Score: 2

    There was the one particularly ugly virus that got into the systems of the company I provided IT services for in HS. Back then it kept getting reinstalled with bootleg versions of DOOM and Duke Nukem 3D that the users would install and uninstall after I went home for the evening. Took me months to figure out how it kept getting back on the systems.

  25. You win your victim's computer by davidwr · · Score: 1

    Win what?

    You p0wn it you 0wn it.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  26. running A/V in the BIOS by Anonymous Coward · · Score: 0

    If malware is infecting the boot sector, then wouldn't a reasonable anti-virus approach be to run the virus scanner in the BIOS?

    1. Re:running A/V in the BIOS by SmurfButcher+Bob · · Score: 1

      No. By your own premise, virus scanners don't work... clearly, the exploit blew right through and overwrote the boot sector.

      A technicality for certain, but "run in the bios" is a nonsense phrase. You most likely mean "as part of the POST"?

      --

      help me i've cloned myself and can't remember which one I am

  27. Piracy cracks by Billly+Gates · · Score: 1

    The laptop I am typing this on has such a rootkit installed. It was the only way to defeat the crazy DRM and WGA. It is called hacktook.killwpa.2 or something of that nature.

    It does nothing bad, but using an alternative bootloader is the only way to get around the piracy prevention mechanisms as Windows 7 is pretty locked down. Of course the Windows 7 kernel will not work with a regular bootloader that is unsigned. Grub gets around this by providing a pointer to the MS bootloader, but that won't defeat the anti-piracy controls. I bet you places like China or angry Vista users like myself skew the results.

    Windows is too expensive for 30% of all PCs from that part of the world. ... however as a cautionary tale I never do any banking or financial transactions on this laptop just to be rather safe than sorry.

  28. massive increase in Symantic malware FUD by microphage · · Score: 1

    There, the corrected headline .. why not just make the MBR read-only .. ?

    1. Re:massive increase in Symantic malware FUD by Anonymous Coward · · Score: 0

      How do you propose to do that?

  29. It's no surprise by Dunbal · · Score: 1

    That this spike in malware coincides with Symantec's declining sales of Norton anti-virus products. Why don't they just die quietly?

    --
    Seven puppies were harmed during the making of this post.
  30. your live CD updates the BIOS? by Chirs · · Score: 1

    Cuz mine doesn't.

  31. GPT the cure? by sgt+scrub · · Score: 1

    Drives set up to use the GPT will have an effect on this type of attack. Checking the first sector on boot for corruption/changes, hopefully, will tip the owner off to intrusion.

    --
    Having to work for a living is the root of all evil.
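
As an added example (not from this comment, the page or any project), here is the corruption check that GPT already builds in: the header carries a CRC32 over itself and a second CRC32 over the partition entry array, and firmware or an OS can recompute both on every boot. The layout is the standard UEFI GPT header; the disk GUID, the partition entry and the LBA values are constructed for the demo.

```python
"""Added example: verify the two CRC32 fields carried by a GPT header."""
import struct
import zlib

GPT_SIGNATURE = b"EFI PART"
# UEFI GPT header layout (little-endian): signature, revision, header size, header CRC32,
# reserved, current LBA, backup LBA, first/last usable LBA, disk GUID, partition array LBA,
# entry count, entry size, partition array CRC32.
GPT_HEADER_FMT = "<8sIII4xQQQQ16sQIII"
GPT_HEADER_LEN = struct.calcsize(GPT_HEADER_FMT)   # 92 bytes
HEADER_CRC_OFF = 16
FIELD_NAMES = ("signature", "revision", "header_size", "header_crc32", "current_lba",
               "backup_lba", "first_usable_lba", "last_usable_lba", "disk_guid",
               "entries_lba", "num_entries", "entry_size", "entries_crc32")


def parse_gpt_header(raw):
    """Unpack the fixed 92-byte header into a dict keyed by field name."""
    return dict(zip(FIELD_NAMES, struct.unpack_from(GPT_HEADER_FMT, raw, 0)))


def verify_gpt(header_raw, entries_raw):
    """Return a list of findings for a header sector plus its partition entry array."""
    h = parse_gpt_header(header_raw)
    findings = []
    if h["signature"] != GPT_SIGNATURE:
        findings.append("gpt signature missing")
    size = h["header_size"]
    if size < GPT_HEADER_LEN or size > len(header_raw):
        findings.append("implausible header size")
        return findings
    # The header CRC is computed over header_size bytes with the CRC field itself zeroed.
    zeroed = bytearray(header_raw[:size])
    zeroed[HEADER_CRC_OFF:HEADER_CRC_OFF + 4] = b"\x00" * 4
    if zlib.crc32(bytes(zeroed)) != h["header_crc32"]:
        findings.append("header crc32 mismatch")
    array_len = h["num_entries"] * h["entry_size"]
    if len(entries_raw) < array_len or zlib.crc32(entries_raw[:array_len]) != h["entries_crc32"]:
        findings.append("partition array crc32 mismatch")
    return findings


def build_gpt(entries_raw, num_entries=128, entry_size=128):
    """Construct a valid primary GPT header for a given partition entry array (demo data)."""
    disk_guid = b"\x11" * 16                           # constructed, not a real GUID
    header = bytearray(struct.pack(
        GPT_HEADER_FMT, GPT_SIGNATURE, 0x00010000, GPT_HEADER_LEN, 0,
        1, 2047, 34, 2014, disk_guid, 2, num_entries, entry_size,
        zlib.crc32(entries_raw)))
    struct.pack_into("<I", header, HEADER_CRC_OFF, zlib.crc32(bytes(header)))
    return bytes(header) + b"\x00" * (512 - GPT_HEADER_LEN)     # pad to a full LBA


# Constructed partition array: one entry (type GUID, unique GUID, first/last LBA,
# attributes, UTF-16LE name); the remaining 127 slots are empty.
ENTRY = struct.pack("<16s16sQQQ72s", b"\x01" * 16, b"\x02" * 16, 34, 2014, 0,
                    "System".encode("utf-16-le"))
ENTRIES = ENTRY + b"\x00" * (128 * 128 - len(ENTRY))
HEADER = build_gpt(ENTRIES)


def demo():
    """Clean header, an edited partition entry, and an edited header field."""
    edited_entries = ENTRIES[:56] + "Edited!".encode("utf-16-le") + ENTRIES[56 + 14:]
    edited_header = bytearray(HEADER)
    struct.pack_into("<Q", edited_header, 32, 4095)    # change backup LBA, leave CRC stale
    return {"clean": verify_gpt(HEADER, ENTRIES),
            "entries_edited": verify_gpt(HEADER, edited_entries),
            "header_edited": verify_gpt(bytes(edited_header), ENTRIES)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'ok'}")
```

The caveat a practitioner would add: a CRC32 detects corruption, not tampering. Anything that can write the header can recompute both checksums, so a GPT disk still needs an out-of-band baseline (a stored hash of the first sectors, or firmware-verified boot) for the "changes" half of the comment.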
  32. Why 7x64? by Anonymous Coward · · Score: 0

    Seriously, why is 7 x64 having a higher infection rate? Lack of experience in 64bit malware operation? Bad OS design decisions during the move to 64bit, including some backwards compatibility modes? What's so special about x64?

  33. In Soviet Russia by Anonymous Coward · · Score: 0

    In Soviet Russia, master boots you!

  34. cron to md5sum your mbr... by Anonymous Coward · · Score: 0

    Kind of along the same lines, one could keep a cron going to check once in a while that nothing has changed:

    0 12 * * * dd if=/dev/sda bs=512 count=1 2>/dev/null | md5sum | grep -q "fc582407067ad7c6ecc6fa25af44330d" || mail -s "MBR on desktop Compromised!" my@email.com
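
As an added example (not from this comment, the page or any project), the same integrity check in Python, extended to parse the classic MBR partition table that the reply to comment 20 mentions and to hash only the 440-byte boot code. A legitimate partition resize rewrites the table, so it is reported separately from a change to the boot code, which is the signal a bootkit leaves. The sample sectors and boot-code bytes are constructed for the demo; read_mbr() reads the real sector and needs root, like the dd command above.

```python
"""Added example: MBR integrity check that hashes boot code and partition table separately."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: code the BIOS jumps into
PART_TABLE_OFF = 446           # four 16-byte partition entries at 446..509
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511


def read_mbr(device="/dev/sda"):
    """Read the first sector of a block device (needs root, like the dd pipeline above)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def parse_partition_table(sector):
    """Return the non-empty entries of the classic MBR partition table."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid 512-byte MBR sector")
    entries = []
    for slot in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * slot)
        if ptype == 0:                      # empty slot
            continue
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_digest(sector):
    """SHA-256 over the boot code only, so partition edits do not change it."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector, baseline_digest, baseline_table):
    """Compare a freshly read MBR with a stored baseline; an empty list means no change."""
    findings = []
    if len(sector) != SECTOR_SIZE or sector[510:512] != MBR_SIGNATURE:
        findings.append("mbr signature 0x55AA missing")
        table = []
    else:
        table = parse_partition_table(sector)
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code changed")          # the bootkit signal
    if table != baseline_table:
        findings.append("partition table changed")    # expected after a resize, still worth a look
    return findings


def build_sample_mbr(boot_code, entries):
    """Assemble a constructed MBR from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for slot, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * slot,
                         status, ptype, lba_start, sectors)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample data: placeholder boot code and one bootable NTFS (type 0x07) partition.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)
CLEAN = build_sample_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 204800)])
BASELINE_DIGEST = boot_code_digest(CLEAN)
BASELINE_TABLE = parse_partition_table(CLEAN)

# Constructed "after" sectors: one with its first instruction replaced, one with the
# partition grown but the boot code untouched.
TAMPERED = b"\xeb\x3e" + CLEAN[2:]
RESIZED = build_sample_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 409600)])


def demo():
    """Run the check against the three constructed sectors."""
    return {name: check_mbr(sec, BASELINE_DIGEST, BASELINE_TABLE)
            for name, sec in (("clean", CLEAN), ("tampered", TAMPERED), ("resized", RESIZED))}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {findings or 'no change'}")
```

Store BASELINE_DIGEST and BASELINE_TABLE somewhere the running system cannot rewrite (a checksum kept only on the monitored disk is what a bootkit that already owns the MBR can fix up too), and remember that a comparison made from inside a booted OS can itself be lied to by a rootkit that filters sector reads; the check is strongest from a clean boot medium, as comment 35's write-protected floppy idea suggests.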

  35. workaround by Anonymous Coward · · Score: 0

    That's a legitimate use for my FDD. You can have a write-protected floppy as the first boot device. The BR code of the floppy checksums the first track on the HDD and then boots off the HDD.

  36. why the confusion ? by Anonymous Coward · · Score: 0

    yep. just use Linux ..

  37. Do this vs. those types of rootkits by Anonymous Coward · · Score: 0

    And, many of the "boot sector based threats" are just that: rootkits based from MBR infestations, in combination with drivers sometimes (as the "indestructible botnet" was done, but was FAR from indestructible) for their operations done prior to UserMode/Ring 3/RPL 3 based ops (in Ring 0/RPL 0/KernelMode).

    So, in Windows, you have this method & tools to remove such things from your systems quite easily (2-4 minutes of work tops):

    This set of steps, executed in THIS order from the Windows installation media & its Recovery Console can kill even the "indestructible rootkit" of a few weeks ago (in its design then), guaranteed:

    ---

    1.) Recovery Console bootup
    2.) listsvc command to spot offending bogus MBR protecting driver (e.g. from above -> hello_tt.sys)
    3.) disable command to stop it from loading
    4.) Reboot to RC again
    5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
    6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

    ---

    * It even worked vs. the current design of this "blended-threat" rootkit-botnet (the allegedly "indestructible rootkit/botnet" a few weeks ago (not, it's VERY "destructible" using the method outlined above))...

    IT works, that is until the maker of it starts protecting the registry areas (that the hello_tt.sys loads from, that is)...

    APK

    P.S.=> Just some "FYI" for you... & IF one of these "hauls in" more malware that operates in "userland" (Ring 3/RPL 3), instead of Ring 0/RPL0/kernel mode (as hello_tt.sys does to protect the bogus bootsector from the example rootkit/botnet above)?

    Then, you can use ProcessExplorer.exe to first suspend the bogus processes (even if hidden under other apps because they are implemented in libs/dlls or even services too) to kill it, & it works even when AntiVirus/AntiSpyware signatures based tools fail...

    ... apk

    1. Re:Do this vs. those types of rootkits by MrMatto · · Score: 1

      This is correct. Mod parent up!!

  38. No problem; who reboots anymore?! by An+anonymous+Frank · · Score: 1

    I don't even remember the last time I've rebooted; I must be safe! ;)

  39. It is... apk by Anonymous Coward · · Score: 0

    Thank you!

    APK