Researchers Report Spike In Boot Time Malware

wiredmikey writes "In their most recent intelligence report, Symantec researchers pointed out a massive increase in the amount of boot time malware striking users, noting there have already been as many new boot time malware threats detected in the first seven months of 2011 as there were in the previous three years. Also known as MBR (master boot record) threats, the malware infect an area of the hard disk that makes them one of the first things to be read and executed when a computer is turned on. This enables the threats to effectively dodge many security defenses."

BIOS password

[ksd1337]

Could some form of encryption based on the BIOS password be used to lock the MBR?

Re:BIOS password

[SilentChasm]

Boot sector virus protection is available on most motherboards as far as I can tell. It prevents things from writing to the MBR without confirmation. Windows 7 also seems to popup UAC asking whether you really want to let something write to that area of the HDD from my experience.

Re:BIOS password

[Jahava]

Modern OSs bypass the BIOS when accessing hardware such as hard drives, where the MBR is stored.

Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.

Re:BIOS password

[Suferick]

Well that's all right then, because people always read UAC alerts and heed security warnings

Re:BIOS password

[Osgeld]

yea ok and just like those stupid horrible hard drive locks bios lockouts you look at it funny once and you bricked your drive

NO THANKS

Re:BIOS password

[mick_S3]

Your in idiot.

Try a TPM or BIOS-only flashrom.

Now that's some funny shit right there.

Re:BIOS password

[HermMunster]

Not correct. Most of the MBR infections seem to be on Win7 64bit.

These programs set themselves up before anyone notices and we have little opportunity to react by modifying the bios from the default.

These programs will also write virtual file (system) that is encrypted and hence the malware can't scan it to find and remove the viruses.

What they are also missing in their explanation of the increase is that these malware guys are doing far more than just modifying that portion of the drive. They will erase all your "all programs" folder contents and hide all your personal files and modify the registry and other permissions making it very difficult to recover from even when you discover they are there and try a removal procedure.

What Symantec also didn't explain was that it takes a lot of work to rid the computer of these viruses and that the average antivirus tools are highly unsuccessful at the removal. None of the antivirus software tries to correct the problems created even if they can get rid of the virus. I know some anti-malware apps try to reset some registry keys to default, but that's not what I'm talking about.

You can really screw things up unless you know what you are doing. Even Microsoft has thrown their arms up at times giving up with the directive that you should erase first in some cases because you just can't be sure you got rid of the malware.

Of course this emboldens the malware authors because it tells them that they are headed in the right direction or are already successful. Hell, if you can get the biggest software company in the world to give up then you win.

Re:BIOS password

[IWantMoreSpamPlease]

>>...to give up then you win.

Win what?

Re:BIOS password

[GodInHell]

Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.

Why bother? If the MBR is infected you can fix it and eventually unwind the damage. If you refuse to boot from the MBR you lock yourself out of the system until you find a copy of Knopix.

Re:BIOS password

Win what?

 
Money. Lots of money.

Re:BIOS password

[Joce640k]

Even Microsoft has thrown their arms up at times giving up with the directive that you should erase first in some cases because you just can't be sure you got rid of the malware.

This is why they invented disk imaging software....

Re:BIOS password

[ksd1337]

So, like a version of Deep Freeze for the MBR?

Re:BIOS password

[Runaway1956]

Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.

Why bother? If the MBR is infected you can fix it and eventually unwind the damage. If you refuse to boot from the MBR you lock yourself out of the system until you find a copy of Knopix.

Why does it have to be Knopix? And - doesn't EVERYONE have a copy lying around? Crap - my workstation has at least 30 *nix OS installation and/or LiveCD's lying around it. Some of them even mount NT drives by default!

Re:BIOS password

[HermMunster]

Unrealistic. Your response is disingenuous.

Re:BIOS password

[Hatta]

You don't need to: just verify the MBR at least every boot (with a utility running late, in Windows),

No good. You have to verify the MBR before the virus has loaded, or it can just fake it.

No Information - Just Fear

[sweatyboatman]

No actual information in the linked article. No way of verifying what they're saying is true or useful.

But don't worry. I am sure Symantec will happily sell you something that will "protect" you from this flood of MBR viruses.

Re:No Information - Just Fear

[MightyMartian]

Symantec: And now we've installed Symantec FireVirusWallMonsterApp2011. Don't worry, it's normal if every other process you try to run takes 15 minutes to start. At least your secure!!!! Now please pay us annually to keep those slow speeds coming.

Re:No Information - Just Fear

[fuzzyfuzzyfungus]

Obligatory image...

Re:No Information - Just Fear

[fuzzyfuzzyfungus]

Symantec's Advanced Pre-emptive Defense technology is some of the industry's finest. It is really very lax of you to be so flippant about these matters.

As computer scientists and security researchers have proven(with big scary math!), virtually all malware requires CPU cycles and memory in order to harm your system. By starving everything that might be a virus of these precious resources, Symantec keeps you safe from the malware scourge.

Re:No Information - Just Fear

[jonwil]

There is a reason I have vowed NEVER to install anything Symantec or McAfee make on ANY PC I own...

Re:No Information - Just Fear

[Osgeld]

Yea I love these stories, every single one of them is from a security firm, but never mention what the fuck they are going to do about it. as if they actually did anything in the first place except bog your computer down and beg for money cause they quarantined a word file

Re:No Information - Just Fear

I found an MBR virus about two weeks ago. Of the free products I've been pushing, MS Security Essentials was the only one to detect it. And the only way I could get rid of it was to use an XP install disk to rewrite the MBR.

I usually don't trust MS any further than I can throw a PC JR, but so far they seem to have their stuff together with Security Essentials.

Re:No Information - Just Fear

[rezalas]

Symantec Advanced Pre-emptive Defense tech... SAP'ed

http://en.wikipedia.org/wiki/Baton_(law_enforcement)#Sap

Re:No Information - Just Fear

[couchslug]

"But don't worry. I am sure Symantec will happily sell you something that will "protect" you from this flood of MBR viruses."

More nuke-and-paves for me. Mmmmm....pocket money.

Re:No Information - Just Fear

[LordLimecat]

What, have they decided to break into the market of effective Antivirus scanners?

Re:No Information - Just Fear

[Runaway1956]

Ditto. Way back, in the Win98 days, McAfee actually destroyed an installation of Windows. So, I swore off of McAfee. OnTrack seemed a likely candidate - but they sold out to someone. I flirted with Symantec for awhile, primarily because Norton's name was associated with them. Finally got tired of that stupidity. I branched out to some lesser knowns - Comodo, Tiny, and others. Tiny was actually pretty damned good - but complicated.

Ultimately, I gave up on all of them. Now, I'm a distro hopper. I just download a new version of Linux every week, and try it out. Not only is there no need for a "security solution" on Linux - but there is certainly no need for such a solution if you're just going to nuke from orbit every week or so!

"Set us up the bomb!"

Re:No Information - Just Fear

[Runaway1956]

Actually - I have to give MS a grudging "attaboy" for MS Security Essentials. I tested, and retested it a few times. It's pretty fast, pretty effective, light on resources, updated regularly - it's very nearly what McAfee, Symantec, and the others wish they could be! Given an administrator, and users, who actually READ those warnings from the OS and from their ant-malware app, MSE can be very effective.

Of course, as long as users just dismiss warnings, nothing can effectively secure their machines.

Re:No Information - Just Fear

[gatkinso]

>> Way back, in the Win98 days, McAfee actually destroyed an installation of Windows

For once McAfee worked!

Boot knoppix, save copy of MBR

[sl4shd0rk]

Don't know for sure anymore, but it used to be that each partition on the disk had 512 bytes of meta-data associated with it. On boot slices, that 512 was the MBR. On non-boot slices that 512 held info about extended partitions and such. You could save that 512 bytes to some disk medium and write it back later. Cheaper than paying mcaffe/symantec/extorsion.

save MBR from first scsi (sata) disk
        dd if=/dev/sda of=/media/usb/mbr.bin bs=512 count=1

when you need to restore:
        dd if=/media/usb/mbr.bin of=/dev/sda bs=512 count=1

Re:Boot knoppix, save copy of MBR

[m50d]

If you're competent enough to figure out you need to boot a CD and remove it, you can then fdisk /mbr or equivalent - no need to have backed it up originally.

Re:Boot knoppix, save copy of MBR

[PPH]

Doesn't GRUB (and other bootloaders) offer the option to rewrite their first stage to the boot device MBR? And since every OS distro customizes the GRUB configuration (not to mention some people who like to fiddle with defaults 'just because') good luck to that malware finding the recovery copy to infect as well.

Re:Boot knoppix, save copy of MBR

[m50d]

I don't think that's implied. Press F12, choose boot from CD is a lot simpler than constant vigilance.

why is this such a big deal

[loftwyr]

Get a bootable windows 95 disk with fdisk on it and type fdisk /mbr. That will rewrite the boot record and make things less nasty

Re:why is this such a big deal

[Osgeld]

yea go try it on your machine right now, NT (which is what we have been using for about a decade now) wont load

use your current windows boot cd and use the recovery console

Re:why is this such a big deal

[LordLimecat]

Pretty sure XP and Vista will refuse to boot once you do that. NT and especially 7/vista have very different bootloaders than 95.

Re:Ancient concept

[kbolino]

I didn't know Seattle was in Canada.

Have noticed

[al0ha]

an increase in this type of malware in my occupation, I suppose it could be called a spike if +2 since January indicates a spike. Oh, part of my job is detecting and informing users of malware infections on a Class A network.

Re:Figures

[Tsingi]

Who probably did it.

Why every device should come with a rescue plan

[davidwr]

PCs should come with a button that says "RESCUE ME" that if pressed on power-on boots to a read-only BIOS that boots a locked-down, vendor-signed operating system that gives the user local rescue options and, if network-connected, some network-based rescue options.

On machines sold as Windows machines this would include:
* An online virus check and remediation for common viruses that prevent booting into Windows "safe mode with networking" without the infection loading. Any other viruses can be remediated by booting into that mode
* Backing up the entire drive or portions of it to DVD, USB device, or other common devices.
* Reloading an authenticated copy of the "normal" (non-rescue) BIOS from a CD, memory stick, or the hardware vendor web site.
* Re-creating the MBR to factory settings, except leaving the partition table alone
* If there is a recovery partition, validating it and rebuilding it from the web or DVDs if it is corrupted. If there is not and the disk is not full, offer to create one.
* An option to rebuild the disk from scratch using data from the Internet, DVD, or USB device.

Rescue plans for other devices like Routers or PCs that don't ship with an OS could be much simpler - their read-only rescue bios should provide a means to reset a corrupted boot configuration or replace a corrupted BIOS. Their "rescue me" button would also likely be much more obscure - probably a set of jumpers on a PC motherboard or an "insert paper clip" button on a router.

Re:Why every device should come with a rescue plan

[hoggoth]

They have this. It's called a Live-CD.
It just doesn't come with the PC.

Re:Why every device should come with a rescue plan

[davidwr]

They have this. It's called a Live-CD.
It just doesn't come with the PC.

Then it doesn't come with it.

Also, most PCs have modifiable, infectable BIOSes and they don't come with a read-only rescue BIOS.

Re:Why every device should come with a rescue plan

[davidwr]

Yes, but across the industry not just on a few computers.

The ability to recover from an infection should be available out-of-the-box on all boxes.

Re:Why every device should come with a rescue plan

[davidwr]

Your entire comment misses the point:

Devices need to ship with a "walled garden rescue mode" BIOS that is actually read-only and un-infectable. This BIOS would activate when the user powered on while holding down the "rescue me" button.

In this mode, the only code that could execute would be trusted code. This would specifically exclude malware of course.

Basically the BIOS would be broken down into 3 parts:

A read-only, un-infectable "BIOS loader" that would check to see if the "rescue me" button was pressed.
Normally, this would load what we think of as a BIOS. This code would be "flashable" as are most BIOSes today.
In "rescue mode" this would load a 3rd piece of code, a read-only, un-infectable rescue BIOS, that would have the features I mentioned.

Re:Why every device should come with a rescue plan

[anubi]

Let me run this up the flagpole...

For Windows machines... What if Microsoft, being they are the author of their code, released an image of a bootable CD that's only function was to verify the integrity of an installed version of Windows on the hard drive?

It would have the capability of restoring mangled kernel files.

For trust's sake, one would have to get it from Microsoft or one of their approved vendors. The disk would be insufficient to pirate a fullblown installation of Windows, but would be able to detect and restore the kernel to safe mode operations. If you have rogue programs in your machine, you may have to go as far as to delete every program you have ever installed to nab the one the virus infected, but at least the boot CDROM would give you an operable platform to launch your investigative and remedial efforts from.

I can hardly hold Microsoft responsible for malware installed by the user, but I do need the tools to let me at least clean up shop to the original as-purchased state should malware make such a mess as to make salvage of my executables impossible. At least I might be able to salvage some of the data files.

As far as I am concerned, Microsoft did good giving us a system restore option. One thing I miss is the option of just restoring system files sans all the "shovelware" various business interests got Microsoft and the computer manufacturers in their preloaded software.

Pretty easy to prevent infection on this one.

[idbeholda]

Taken directly from the article. "Ramnit spreads through removable drives and by infecting executable files such as .DLL, .EXE and .HTM extensions." Disable autoplay and don't allow the browser to run scripts. These are two basic security measures that users should implement by default anyways. Not doing so is just asking for trouble.

Re:Pretty easy to prevent infection on this one.

[idbeholda]

A proper sandbox technique would be to explicitly allow all system reads, but explicitly deny all system writes. Any attempt to do a system write would instead copy the system file to a sandboxed area, and allow writes to the copied file, keeping the original one intact. Sandbox infection getting out of hand? /clearmem (or some other custom command used to restore the sandbox to a beginning state) Problem solved.

Re:Pretty easy to prevent infection on this one.

[0123456]

Why the heck would anything running in a web-browser be able to write to the MBR?!?

Well, if you're running on XP you're probably an administrator so a browser exploit can write to anything. And if you're a typical user running Windows 7 then you'll click 'Yes' when UAC asks 'Do you want to allow Internet Exploder to: do some shit you don't understand?'

Re:Pretty easy to prevent infection on this one.

[compgenius3]

NOTHING has access to the physical disk directly unless it is a program coming off of the physical media that the machine was booted with (An OS installation ISO).

Solution:
1. copy malware executable to system disk
2. relaunch
3. ???
4. write to MBR

Re:Pretty easy to prevent infection on this one.

[LordLimecat]

What happens when that virus also goes after mapped drives, as many viruses do? What happens when it "super-hides" all the folders, and places look-alike exe's with a folder icon in their place (remember, by default the .exe extension is hidden)?

Takes a little more security than "disable autoplay"; to really secure from these sorts of nasties you need to be working with NTFS permissions and/or GPOs to control which directories are executable.

Re:Pretty easy to prevent infection on this one.

[idbeholda]

I'm not saying that disabling autoplay will stop an active infection, but I'm saying that it WILL help prevent it from happening. It's not that hard to tell the difference between a folder and a file; I don't need windows group policy to tell me not to click on every executable that's lobbed in my general direction. While we're on the subject of security practices, look up NTFS/ADS. That's where the real problem lies, and it still hasn't been fixed since its inception, with the exception of the more recent versions of Windows Server.

I could waste my time compiling a list of these common sense tactics that pretty much guarantee that you won't get hit with a live infection, but it would just be easier and less of a waste of time on my part if you used google and learned some basic security practices without me having to further lecture you about this.

Re:Pretty easy to prevent infection on this one.

[LordLimecat]

I'm not saying that disabling autoplay will stop an active infection, but I'm saying that it WILL help prevent it from happening.

And my point was no, not always, sometimes users are browsing a network share, and click that exe-that-looks-like-a-folder, and it appears to open normally, except now theyre infected too.

While we're on the subject of security practices, look up NTFS/ADS

AD and NTFS are known for their remarkable security, actually; NTFS's ACLs are generally much much more granular than EXT3/4, or UFS, and I believe HFS+ (anything that uses basic chmod with 3-bit acls). You can sort of kludge on more advanced ACLs, but there nothing like the things you can do in NTFS, like allowing only "create directory" rights (which if you desired I could demonstrate a very easy use case for).

AD uses a lot of open standards, and Im really not aware of any good attacks on the authentication or encryption it uses.

Re:Pretty easy to prevent infection on this one.

[badkarmadayaccount]

I'd love a use case.

Re:Pretty easy to prevent infection on this one.

[LordLimecat]

A client recently requested this.

They wanted a setup where users could be members of groups such as Region1 and Region2, and each would have their OWN folder within their Region's share. Only that particular user would have access to their folder in that region, except for the manager who should be able to see everyones "personal" folder. Additionally, users must be able to have seperate folders in each region if they are members of more than one region.

My solution was to create a regional folder ("Region1", etc), and grant the manager modify rights, admins full rights, CreatorOwner modify rights (inheritable for subfolders), and members of that region only "traverse" and "create directory" rights, for "this folder only". On logon, a script attempts to create a %username% folder in the regional folder, which it is then the owner of and has full rights to. It them maps a drive to that folder.

They are unable to see who are members of their region, since they do not have the "list directory contents" right, and the manager gets a drive mapped to the root of the region, and is able to easily access all subordinate folders. No work is needed to switch users to a new region-- just change their group membership and the GPO takes over, as does the global "creator/owner" modify rights. They would be unable to access their old region's folder, as they would no longer have the traverse right.

A more simple use case is each user having their own private folder on the server; you set the permissions as stated above, and on logon the script tries to create their folder and maps it. New users automatically create a folder and map to it.

The worst thing that could happen would be a malicious user (eve) using mkdir to create someone else's (jsmith) folder prior to their initial logon; but of course, now Eve would be the owner, and jsmith's drive map would fail due to insufficient rights, and it would be immediately obvious what had happened.

Not single stage....

[DrYak]

The problem is that these viruses affect not only the master boot, but many other stages :
the bootloader,
they run rootkits,
etc.

If you just wipe out the boot record, the further stages of the virus are still here (only these stages will be less stealthy and won't necessarily come back after deletion, as there's a previous stage missing for hiding/respwanning).

And once the whole system and the whole virus are up and running, it can probably re-write the MBR again.

What you need, after restoring the MBR, is to perform enough system repairs :
restore the boot loader, and scan the OS for infected file, only *then* you can reboot into the OS. Until that point, it's considered infected...

Re:fallback on old tech

[couchslug]

"No worries, I've got a DOS boot floppy with F-Prot on it right here. Now I just need to find a floppy drive..."

No, just use Winimage to make a .IMA file then use that file to burn a floppy-emulation CD/DVD. Throw some utils in the root directory while you are at it.

This is the shit if you want a very well thought out live CD toolkit containing PE/Linux/DOS:

http://falconfour.wordpress.com/2011/03/12/falconfours-ultimate-boot-cdusb-4-5/

Re:fallback on old tech

[couchslug]

I should have added "download a boot floppy image" and convert it to a .IMA file. I use Win98SE images but you can Google plenty of choices.

Re:Ancient concept

[PPH]

Judging by the number of BC license plates, yes we are.

1986 called.

[idontgno]

They want their boot-sector viruses back.

Why does Windows need access to the MBR?

[Tetrarchy]

I don't even see a situation where windows would need to modify the MBR after installation - so why do they even allow it to?

Re:Why does Windows need access to the MBR?

[stderr_dk]

The MBR contains the partition table. If you want to resize or move a partition, you need to write a new partition table to the MBR.

Re:Why does Windows need access to the MBR?

[LordLimecat]

Truecrypt, OS installation /repair, changing partition table, etc.

Re:Why does Windows need access to the MBR?

[Billly+Gates]

An OS upgrade or menu options at boot time. Also how do you get into safe mode?

bad bios

[hesaigo999ca]

If a bios does not inherent security checking for the mbr of a drive, to see if malware or virus exists, then it is crap, and almost 99% of all bios out there do not have this.....hence...maybe if symantec gave out some free code for mbr checked to all bios writers, it would be a great day in paradise !

Re:bad bios

[LordLimecat]

Grats, your plan disallows booting to encrypted partitions, or for using updated, newer bootloaders; and if it does not, then it easily lets through updated, repacked mbr viruses.

Re:bad bios

[Billly+Gates]

Does EFI firmware offer that? Intel has been trying to get us to switch since the dawn of this century. Only the mac has truly adopted it and I wonder why? It is not like we need DOS compatibility anymore

Re:bad bios

[ksd1337]

Why the hell would you want to write antivirus software into a BIOS?

Re:bad bios

[hesaigo999ca]

rootkits my friend, rootkits....

Re:bad bios

[hesaigo999ca]

why would you say that, if the av checking the bios is kept up to date then there would be no problems detecting the repacked mbr viruses

Re:bad bios

[LordLimecat]

What happens when that detection marks a TrueCrypt MBR (which stores the decryption key for the whole drive) as a virus, and kills it? "Whoops, I accidentally all your data"?

What happens when a virus update kills the BIOS due to a bad write?

Re:bad bios

[ksd1337]

Perhaps, but when you say "antivirus software", I think of memory-, processor-, and time-draining.

If there is some way to optimize the software for pre-boot, then maybe I'd be less wary of it.

Re:bad bios

[hesaigo999ca]

>What happens when that detection marks a TrueCrypt MBR (which stores the decryption key for the whole drive) as a virus, and kills it? "Whoops, I accidentally all >your data"?
TrueCrypt has special markers within its headers to allow any know AV software know that it is encrypted with TrueCrypt...this would not be a problem.

>What happens when a virus update kills the BIOS due to a bad write
You make sure that the main BIOS chip is non editable due to a pin setting on the board, to allow a BIOS update you need to remove the pin setting to allow for it, then apply your update, then put the pin setting back to locked.....why is this so hard for people to understand....if you add a hardware variable to the equation, it means you need to physically be there for the update on a motherboard's BIOS...which I think should be standard, as not everyone should be playing with the BIOS....don't you agree?

Natch.

[GodInHell]

Who else?

Re:Natch.

[Tsingi]

Cheney and Rumsfeld.

Seriously . . . Takes me back to HS.

[GodInHell]

There was the one particularly ugly virus that got into the systems of the company I provided IT services for in HS. Back then it kept getting reinstalled with boot-leg versions of DOOM and Duke Nukem 3d that the users would install and uninstall after I went home for the evening. Took me months to figure out how it kept getting back on the systems.

You win your victim's computer

[davidwr]

Win what?

You p0wn it you 0wn it.

Re:fallback on old tech

[LordLimecat]

Yall are doing it the hard way.

Grab ubuntu CD. Boot to live mode. Install "ms-sys". Issue command "ms-sys -m /dev/sda", or whatever the proper switch is for your edition of windows. Browse /dev/sda1, removing all executables from %appdata% and any suspicious drivers. Reboot, and perform a cleanup from safe mode.

No need for specialized disks, and if you really cant stand having to download ms-sys every time you can just re-roll your own custom ubuntu (or mint, or whatever) based distro.

Piracy cracks

[Billly+Gates]

The laptop I am typing this on has such a rootkit installed. It was the only way to defeat the crazy DRM and WGA. It is called hacktook.killwpa.2 or something of that nature.

It does nothing bad, but using an alternative bootloader is the only way to get around the piracy prevention mechanisms as Windows 7 is pretty locked down. Of course the Windows 7 kernel will not work with a regular bootloader that is unsigned. Grub gets around this by providing a pointer to the MS bootloader, but that wont defeat the anti piracy controls. I bet you places like China or angry Vista users like myself skew the results.

Windows is too expensive for 30% of all pcs from that part of the world. ... however as a precautionary tale I never do any banking or financial transactions on this laptop just to be rather safe than sorry.

massive increase in Symantic malware FUD

[microphage]

There, the corrected headline .. why not just make the MBR read-only .. ?

It's no surprise

[Dunbal]

That this spike in malware co-incides with Symantec's declining sales of Norton anti-virus products. Why don't they just die quietly?

Re:running A/V in the BIOS

[SmurfButcher+Bob]

No. By your own premise, virus scanners don't work... clearly, the exploit blew right through and overwrote the boot sector.

A technicality for certain, but "run in the bios" is a nonsense phrase. You most likely mean "as part of the POST"?

your live CD updates the BIOS?

[Chirs]

Cuz mine doesn't.

GPT the cure?

[sgt+scrub]

Drives set up to use the GPT will have an effect on this type of attack. Checking the first sector on boot for corruption/changes, hopefully, will tip the owner off to intrusion.

No problem; who reboot's anymore?!

[An+anonymous+Frank]

I don't even remember the last time I've rebooted; I must be safe! ;)

Re:Do this vs. those types of rootkits

[MrMatto]

This is correct. Mod parent up!!