Slashdot Mirror


Researchers Report Spike In Boot Time Malware

wiredmikey writes "In their most recent intelligence report, Symantec researchers pointed out a massive increase in the amount of boot time malware striking users, noting there have already been as many new boot time malware threats detected in the first seven months of 2011 as there were in the previous three years. Also known as MBR (master boot record) threats, the malware infect an area of the hard disk that makes them one of the first things to be read and executed when a computer is turned on. This enables the threats to effectively dodge many security defenses."

12 of 132 comments

  1. No Information - Just Fear by sweatyboatman · Score: 5, Insightful

    No actual information in the linked article. No way of verifying what they're saying is true or useful.

    But don't worry. I am sure Symantec will happily sell you something that will "protect" you from this flood of MBR viruses.

    --
    It breaks my pluginses, my precious!
    1. Re:No Information - Just Fear by fuzzyfuzzyfungus · Score: 2

      Symantec's Advanced Pre-emptive Defense technology is some of the industry's finest. It is really very lax of you to be so flippant about these matters.

      As computer scientists and security researchers have proven (with big scary math!), virtually all malware requires CPU cycles and memory in order to harm your system. By starving everything that might be a virus of these precious resources, Symantec keeps you safe from the malware scourge.

    2. Re:No Information - Just Fear by gatkinso · Score: 2

      >> Way back, in the Win98 days, McAfee actually destroyed an installation of Windows

      For once McAfee worked!

      --
      I am very small, utmostly microscopic.
  2. Re:Figures by Tsingi · Score: 3, Insightful

    Who probably did it.

  3. Why every device should come with a rescue plan by davidwr · Score: 2

    PCs should come with a button that says "RESCUE ME" that if pressed on power-on boots to a read-only BIOS that boots a locked-down, vendor-signed operating system that gives the user local rescue options and, if network-connected, some network-based rescue options.

    On machines sold as Windows machines this would include:
    * An online virus check and remediation for common viruses that prevent booting into Windows "safe mode with networking" without the infection loading. Any other viruses can be remediated by booting into that mode.
    * Backing up the entire drive or portions of it to DVD, USB device, or other common devices.
    * Reloading an authenticated copy of the "normal" (non-rescue) BIOS from a CD, memory stick, or the hardware vendor web site.
    * Re-creating the MBR to factory settings, except leaving the partition table alone.
    * If there is a recovery partition, validating it and rebuilding it from the web or DVDs if it is corrupted. If there is not and the disk is not full, offer to create one.
    * An option to rebuild the disk from scratch using data from the Internet, DVD, or USB device.

    Rescue plans for other devices like routers or PCs that don't ship with an OS could be much simpler - their read-only rescue BIOS should provide a means to reset a corrupted boot configuration or replace a corrupted BIOS. Their "rescue me" button would also likely be much more obscure - probably a set of jumpers on a PC motherboard or an "insert paper clip" button on a router.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  4. Not single stage.... by DrYak · Score: 2

    The problem is that these viruses affect not only the master boot record, but many other stages:
    the bootloader,
    they run rootkits,
    etc.

    If you just wipe out the boot record, the further stages of the virus are still here (only these stages will be less stealthy and won't necessarily come back after deletion, as there's a previous stage missing for hiding/respawning).

    And once the whole system and the whole virus are up and running, it can probably re-write the MBR again.

    What you need, after restoring the MBR, is to perform enough system repairs:
    restore the boot loader, and scan the OS for infected files; only *then* can you reboot into the OS. Until that point, it's considered infected...

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  5. Re:fallback on old tech by couchslug · Score: 2

    "No worries, I've got a DOS boot floppy with F-Prot on it right here. Now I just need to find a floppy drive..."

    No, just use Winimage to make a .IMA file then use that file to burn a floppy-emulation CD/DVD. Throw some utils in the root directory while you are at it.

    This is the shit if you want a very well thought out live CD toolkit containing PE/Linux/DOS:

    http://falconfour.wordpress.com/2011/03/12/falconfours-ultimate-boot-cdusb-4-5/

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  6. Re:BIOS password by HermMunster · Score: 4, Interesting

    Not correct. Most of the MBR infections seem to be on Win7 64-bit.

    These programs set themselves up before anyone notices and we have little opportunity to react by modifying the BIOS from the default.

    These programs will also write a virtual file (system) that is encrypted and hence the malware can't scan it to find and remove the viruses.

    What they are also missing in their explanation of the increase is that these malware guys are doing far more than just modifying that portion of the drive. They will erase all your "all programs" folder contents and hide all your personal files and modify the registry and other permissions making it very difficult to recover from even when you discover they are there and try a removal procedure.

    What Symantec also didn't explain was that it takes a lot of work to rid the computer of these viruses and that the average antivirus tools are highly unsuccessful at the removal. None of the antivirus software tries to correct the problems created even if they can get rid of the virus. I know some anti-malware apps try to reset some registry keys to default, but that's not what I'm talking about.

    You can really screw things up unless you know what you are doing. Even Microsoft has thrown their arms up at times giving up with the directive that you should erase first in some cases because you just can't be sure you got rid of the malware.

    Of course this emboldens the malware authors because it tells them that they are headed in the right direction or are already successful. Hell, if you can get the biggest software company in the world to give up then you win.

    --
    You can lead a man with reason but you can't make him think.
  7. Seriously . . . Takes me back to HS. by GodInHell · Score: 2

    There was the one particularly ugly virus that got into the systems of the company I provided IT services for in HS. Back then it kept getting reinstalled with bootleg versions of DOOM and Duke Nukem 3D that the users would install and uninstall after I went home for the evening. Took me months to figure out how it kept getting back on the systems.

  8. Re:why is this such a big deal by LordLimecat · Score: 2

    Pretty sure XP and Vista will refuse to boot once you do that. NT and especially 7/Vista have very different bootloaders than 95.

  9. Re:Pretty easy to prevent infection on this one. by LordLimecat · Score: 2

    What happens when that virus also goes after mapped drives, as many viruses do? What happens when it "super-hides" all the folders, and places look-alike exe's with a folder icon in their place (remember, by default the .exe extension is hidden)?

    Takes a little more security than "disable autoplay"; to really secure against these sorts of nasties you need to be working with NTFS permissions and/or GPOs to control which directories are executable.

  10. Re:BIOS password by Hatta · Score: 3, Informative

    >> You don't need to: just verify the MBR at least every boot (with a utility running late, in Windows),

    No good. You have to verify the MBR before the virus has loaded, or it can just fake it.

    --
    Give me Classic Slashdot or give me death!
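Two comments in this thread describe the same mechanism from opposite ends: davidwr's rescue step of "re-creating the MBR to factory settings, except leaving the partition table alone", and Hatta's point that the check has to happen before the suspect OS is running, because a loaded bootkit can hand back a clean-looking sector. The Python below is an added example written for this page, not code from Symantec, Slashdot or any of the commenters. It assumes the classic 512-byte MBR layout (boot code in bytes 0-439, Windows disk signature at 440-443, four 16-byte partition entries at 446-509, 0x55AA at 510-511), operates on a sector image that has already been read from rescue media rather than from inside the installed Windows, and uses constructed sample sectors whose "boot code" bytes are placeholders, not working x86 code. It hashes only the boot-code bytes, so repartitioning or a new disk signature does not trip the check, and the restore function rewrites only those bytes.

```python
"""Offline MBR integrity check and boot-code restore (added example, not thread code)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0..439: bootstrap code (assumed classic layout)
PART_TABLE_START = 446         # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the bootstrap bytes only.

    The disk signature and partition table are deliberately excluded: they change
    for legitimate reasons (repartitioning, Windows assigning a disk signature),
    while the factory boot code should stay constant across boots.
    """
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected a full 512-byte sector")
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries; empty entries (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_START + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr: bytes, known_good_digest: str) -> dict:
    """Compare a sector read from rescue media against a digest stored off the disk."""
    problems = []
    if mbr[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    if boot_code_digest(mbr) != known_good_digest:
        problems.append("boot code differs from known-good image")
    return {"ok": not problems, "problems": problems, "partitions": parse_partitions(mbr)}


def restore_boot_code(mbr: bytes, clean_boot_code: bytes) -> bytes:
    """Rewrite bytes 0..439 only; disk signature, partition table and 0x55AA are kept."""
    if len(clean_boot_code) > BOOT_CODE_END:
        raise ValueError("boot code longer than 440 bytes")
    return clean_boot_code.ljust(BOOT_CODE_END, b"\x00") + mbr[BOOT_CODE_END:]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: one bootable type-0x07 partition starting at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    sector = (boot_code.ljust(BOOT_CODE_END, b"\x00")   # 440 bytes of boot code
              + b"\x12\x34\x56\x78"                    # constructed disk signature
              + b"\x00\x00"                            # reserved
              + entry + b"\x00" * 48                   # entry 0 plus three empty entries
              + BOOT_SIGNATURE)
    assert len(sector) == SECTOR_SIZE
    return sector


# Constructed data: placeholder bytes standing in for real bootstrap code.
FACTORY_BOOT_CODE = b"\xeb\x3c\x90CONSTRUCTED-FACTORY-BOOTSTRAP"
FACTORY_MBR = build_sample_mbr(FACTORY_BOOT_CODE)
FACTORY_DIGEST = boot_code_digest(FACTORY_MBR)          # store this off the disk
# Simulated boot-time infection: boot code swapped, partition table left intact so Windows still boots.
INFECTED_MBR = build_sample_mbr(b"\xeb\x3c\x90CONSTRUCTED-TAMPERED-BOOTSTRAP")

if __name__ == "__main__":
    print(check_mbr(INFECTED_MBR, FACTORY_DIGEST))
    repaired = restore_boot_code(INFECTED_MBR, FACTORY_BOOT_CODE)
    print("repaired ok:", check_mbr(repaired, FACTORY_DIGEST)["ok"])
```

Feed it the first 512 bytes of the disk dumped from a live CD of the kind couchslug mentions; reading the sector from inside the installed Windows is exactly the case Hatta warns about, and the known-good digest has to live on the rescue media rather than on the disk for the same reason. The check covers legacy BIOS/MBR booting only; UEFI/GPT systems boot through firmware entries that this sector does not describe.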