This is an unrealistic attack and to present it as plausible and likely is laughable, since more mundane and common attacks are far more likely to be an actual problem. It's like recommending that I go outside every day with a hardhat to avoid falling meteors when the actual threat to my safety is people speeding through the neighborhood and not stopping at stop signs as I attempt to cross the street
You don't seem know much about malware and how it works. Here are some references about boot malware which UEFI secure boot can prevent.
TDL4 is the most recent high tech and widely spread member of the TDSS family rootkit, targeting x64 operating systems too such as Windows Vista and Windows 7. One of the most striking features of TDL4 is that it is able to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled.
When the driver is loaded into kernel-mode address space it overwrites the MBR (Master Boot Record) of the disk by sending SRB (SCSI Request Block) packets directly to the miniport device object, then it initializes its hidden file system. The bootkit’s modules are written into the hidden file system from the dropper.
The TDL4 bootkit controls two areas of the hard drive one is the MBR and other is the hidden file system created at the time of malware deployment. When any application reads the MBR, the bootkit changes data and returns the contents of the clean MBR i.e. prior to the infection, and also it takes care of Infected MBR by protecting it from overwriting.
The hidden file system with the malicious components also gets protected by the bootkit. So if any application is making an attempt to read sectors of the hard disk where the hidden file system is stored, It will return zeroed buffer instead of the original data.
The bootkit contains code that performs additional checks to prevent the malware from the cleanup. At every start of the system TDL4 bootkit driver gets loaded and initialized properly by performing tasks as follows: Reads the contents of the boot sector, compares it with the infected image stored in hidden file system, if it finds any difference between these two images it rewrites the infected image to the boot sector. Sets the DriverObject field of the miniport device object to point to the bootkit’s driver object and also hooks the DriverStartIo field of the miniport’s driver object. If kernel debugging is enabled then this TDL4 does not install any of it’s components.
TDL4 Rootkit hooks the ATAPI driver i.e. standard windows miniport drivers like atapi.sys. It keeps Device Object at lowest in the device stack, which makes a lot harder to dump TDL4 files.
All these striking features have made TDL4 most notorious Windows rootkit and it is also very important to mention that the key to its success is the boot sector infection.
Another bit:
The original MBR and driver component are stored in encrypted form using the same encryption. Driver component hooks ATAPI's DriverStartIo routine where it monitors for write operations. In case of write operation targeted at the MBR sector, it is changed to read operation. This way it is trying to bypass repair operation by Security Products.
I agree with you, but still want people like you to get an account because of abuse by ACs. Many a time I would get replies from ACs with foul and trolling language. If smart ACs got an account, I could change my settings to ignore ACs.
No longer, my friend. It's now all kids who think it's cool to hate on MS and then many run to buy the latest iDevices and then promote it to everyone around them.
It's more about hating on MS and bringing them down than fighting for true user and developer freedom. Since Apple is a rival to MS, it gets a free pass and even promotion on Slashdot even though it goes much farther than Secure Boot and implements the Palladium spec to the letter to all programs running on it with the App Store.
All this uninformed +5 INSIGHTFUL FUD in the thread is a reflection of that. People like BMO are completely out of their technical depth in understanding how keys, hashing, signing, asymmetric cryptography work. They just karmawhore the circlejerking groupthink and get +5 INFORMATIVE. It would be sad if it weren't so pathetically funny.
Why? Where are your rants against Apple locking down the iPad and selling tens of millions a year while PC and laptop sales are declining every quarter and the OEMs are going down? iOS is even worse, you can't run programs on your device without paying 30% to Apple even for content purchased inside the apps. Maybe you have some rants against the Kindle Fire?
crickets
No? That means you're not for Freedom, but just are an anti-MS troll, Apple fanboy or both.
Give it up,BMO is probably a PHB, he does not understand technical stuff, so he just trolls the karmawhoring Slashdot line by writing retarded anti-MS stuff and calling people paid shills. It's useless as trying to explain quantum mechanics to an amoeba.
Because Apple did it first and fanboys fell over themselves with the OOH SHINY stuff. And now, everyone points to Apple and says we need more security to keep malware out.
The battle is lost, the train has left the station the cat is out of the bag etc. and the reason is people like you are only fixated on gnashing teeth against Microsoft on Slashdot but give other companies a free pass.
I love it how Windows RT tablets(which are supposed to be DoA anyway according to Slashdotters) are somehow "ARM devices" but the iPads and Android tablets, Kindle Fires, Nooks with locked bootloaders with 99% marketshare in mobile are just iPads and Android tablets, Kindle Fires, Nooks. Win32 software which is a big reason for the monopoly won't even run on Windows RT. And then they call for government intervention. Meanwhile Apple is locking everything down but the fanboys keep the discussion down. Why do people get their panties in a twist when it's MS while Apple is decimating freedom by implementing Palladium(see app store) and unable to keep their locked iDevices in stock? Yelling in bold only makes you sound more retarded.
First of all, adding keys should NOT be with a simple click or else malware will just instruct users to do that to watch DancingBunnies.exe
Second of all, it isn't that bad, There are GUI screens navigatable with a mouse(unlike BIOS) where you can input/remove keys. Perhaps you have ideas to make it easier while still maintaining security, instead of just kneejerk bashing and conspiracy theories of "OH THEY'RE GONNA GET US OMG".
If there are users incapable of doing that, do you really expect to be able to install Linux without blowing through the Windows partition or even search for and install drivers?
First, that's to get your own binary get signed with the default installed Microsoft key, so it's meant for distributors, not users who can add/remove keys without any cost.
Also, if you think Microsoft is trying to make any money from the $99 you're sorely mistaken.
Read this and I hope you have enough reading comprehension skills to under the reasoning behind Microsoft's fee.
If there was no fee, every Russian malware author will apply thousand times to get boot keys defeating the whole thing, not to mention the money can be tracked down in the future if the key is maliciously used.
In other words, another bog standard stupid uninformed kneejerk karmawhoring typical retarded Slashdot anti-MS post from you. lurn2read. Don't you feel stupid making such idiotic posts?
Second, you can turn off Secure Boot in the settings. So, I am guessing the young Mr. Torvalds would be smart enough to do that.
Third, the keys are editable, i.e you can remove Microsoft's key and add your own or Linux's key if you don't trust Microsoft and that'll stop your machine from ever booting Windows. Thus, you're really in control of your computer. The defaults are setup that way to stop undetectable bootkits infecting your mom's computers because just wants to run Excel and doesn't know or care about signing keys and hashes.
There is so much FUD and misinformation being spread by stupid people.
You couldn't be more right. I remember how much fuss was made against the DRM in Vista, which was fairly benign and had to be implemented to playback BluRay discs. Remember that debunked hitpiece of a paper written by an Australian professor? Many on Slashdot *still* believe that FUD and will say Windows 7 has a lot of DRM.
When Apple implemented lockdown DRM on *apps*, the Apple fans made sure to moderate and steer the discussion about the OH SHINY part and no one talks about it anymore.
Sailfish has to effectively fork the Android compatibility layer to get it working. Is there an example of an OS that is compatible with Android but Google doesn't ban the OEMs from shipping?
Tizen doesn't have Android compatibility AFAIK so it has nothing to do with this.
This is the first OS I've seen that has made sense; I could see myself buying. It could be a great product, potentially an even more open OS in the market; Android compatibility; multitasking done right
Isn't Android compatibility a death sentence for an OS because of Google's blackmail of the Android OEMs?
I am curious which OEM(s) Jolla lined up. It can't be any of Samsung, HTC, Acer, ASUS, Lenovo, LG, Sony, Motorola(cough), Huwaei, Toshiba, Dell, ZTE etc.
What major OEM is left to make the phones? Nokia? (har har) Apple? (Yeah right.) RIM?
Any other no-name OEM or even self manufacturing is going to cripple the adoption of Jolla making it stillborn in this competitive market. Other problems are lack of access to Google's Android apps and the Play Store, but they're not insurmountable, maybe they can get Amazon to share it's app store which has a decent collection of apps. So much for Android being open when even MS doesn't (probably cannot due to antitrust) block OEMs from shipping Linux machines with WINE preinstalled.
So the Linux Foundation, quite rightly, are trying to make available a signed bootloader which will then anyone boot whatever we want without having to disable secure boot - have I got that right? What stops someone monkeying around with the next level of abstraction?
Not exactly. It will require a physically present user to click though a warning message before booting the "next level of abstraction".
SecureBoot does not give that, it only attests the code image *started* as the one it was supposed to be, according to the trust anchor..
Secure boot can give that, if the code image checks the signatures of the drivers and the kernel it loads and the kernel can check the signatures of the executables it runs and not load anything else that is not signed. Lets say you set up such a system today, you can be sure after 1 year that the same binaries are loading and have not been replaced with malicious ones. Even if malware was loaded into memory at runtime, cleanup will just involve a reboot + replacing any drivers, executables, kernel etc that fail the signature check(ignoring changes to data i.e).
As of now we know that Win8 is vulnerable to a huge chunk of malware designed for older versions of Windows. This "UEFI Secure Boot" does not prevent it at all. I suspected earlier that UEFI Secure Boot wasn't designed to make PCs more secure but rather to lock down PCs, so novice users trying to check out some Linux distribution will have tough time doing so. This fiasco makes me sure that this was the case and makes me wonder why antitrust authorities don't do anything about this. This is potentially more harmful than MSIE case after all.
If you(and others here) really want to educate yourself instead of spreading karmawhoring FUD, please read on.
Here are some references about boot malware which UEFI secure boot will prevent.
TDL4 is the most recent high tech and widely spread member of the TDSS family rootkit, targeting x64 operating systems too such as Windows Vista and Windows 7. One of the most striking features of TDL4 is that it is able to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled.
When the driver is loaded into kernel-mode address space it overwrites the MBR (Master Boot Record) of the disk by sending SRB (SCSI Request Block) packets directly to the miniport device object, then it initializes its hidden file system. The bootkit’s modules are written into the hidden file system from the dropper.
The TDL4 bootkit controls two areas of the hard drive one is the MBR and other is the hidden file system created at the time of malware deployment. When any application reads the MBR, the bootkit changes data and returns the contents of the clean MBR i.e. prior to the infection, and also it takes care of Infected MBR by protecting it from overwriting.
The hidden file system with the malicious components also gets protected by the bootkit. So if any application is making an attempt to read sectors of the hard disk where the hidden file system is stored, It will return zeroed buffer instead of the original data.
The bootkit contains code that performs additional checks to prevent the malware from the cleanup. At every start of the system TDL4 bootkit driver gets loaded and initialized properly by performing tasks as follows: Reads the contents of the boot sector, compares it with the infected image stored in hidden file system, if it finds any difference between these two images it rewrites the infected image to the boot sector. Sets the DriverObject field of the miniport device object to point to the bootkit’s driver object and also hooks the DriverStartIo field of the miniport’s driver object. If kernel debugging is enabled then this TDL4 does not install any of it’s components.
TDL4 Rootkit hooks the ATAPI driver i.e. standard windows miniport drivers like atapi.sys. It keeps Device Object at lowest in the device stack, which makes a lot harder to dump TDL4 files.
All these striking features have made TDL4 most notorious Windows rootkit and it is also very important to mention that the key to its success is the boot sector infection.
Another bit:
The original MBR and driver component are stored in encrypted form using the same encryption. Driver component hooks ATAPI's DriverStartIo
Stop raking up shit with stupid karmawhoring paranoid crap.
If the UEFI binary was GPLv3 (not GPL like in your title, GPL v1 and v2 are good), then anyone distributing the binary will have to release the signing key, which defeats the whole purpose of UEFI secure boot signing since it will allow malware creators to sign their own malicious bootloaders with the key.
Why don't you GPL v3 your bank accounts and passwords and release them? OMG DGHARMON BANS GPL FOR HIS INFO. +5 INFORMATIVE
While the ignorance in the posts here is pathetic enough, even the moderators are clueless about UEFI secure boot.
Why dual boot when you can run both simultaneously since both run on the same Linux kernel? Kind of how Windows 8 runs both WinRT apps(for tablet use) and desktop apps simultaneously. Best of both worlds, use the Android apps when you want to use a tablet, and then switch to KDE apps for real work, all without messy rebooting.
Slashdot Mirror
Wow, what's up with prolific posters like you and BMO getting facts so wrong but still getting modded up? Slashdot has gone into full retard mode.
Please update your numbers, Windows 8 sales doubled during Thanksgiving.
http://microsoft-news.com/black-friday-boosts-windows-8-net-use-in-us-above-2/
Surface Pro will come with a pen and active digitizer.
This is an unrealistic attack and to present it as plausible and likely is laughable, since more mundane and common attacks are far more likely to be an actual problem. It's like recommending that I go outside every day with a hardhat to avoid falling meteors when the actual threat to my safety is people speeding through the neighborhood and not stopping at stop signs as I attempt to cross the street
You don't seem know much about malware and how it works. Here are some references about boot malware which UEFI secure boot can prevent.
http://www.chmag.in/article/sep2011/rootkits-are-back-boot-infection
http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows/
http://www.computerworld.com/s/article/9217953/Rootkit_infection_requires_Windows_reinstall_says_Microsoft
I recommend reading atleast the first link.
Here's one juicy bit:
TDL4 is the most recent high tech and widely spread member of the TDSS family rootkit, targeting x64 operating systems too such as Windows Vista and Windows 7. One of the most striking features of TDL4 is that it is able to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled.
When the driver is loaded into kernel-mode address space it overwrites the MBR (Master Boot Record) of the disk by sending SRB (SCSI Request Block) packets directly to the miniport device object, then it initializes its hidden file system. The bootkit’s modules are written into the hidden file system from the dropper.
The TDL4 bootkit controls two areas of the hard drive one is the MBR and other is the hidden file system created at the time of malware deployment. When any application reads the MBR, the bootkit changes data and returns the contents of the clean MBR i.e. prior to the infection, and also it takes care of Infected MBR by protecting it from overwriting.
The hidden file system with the malicious components also gets protected by the bootkit. So if any application is making an attempt to read sectors of the hard disk where the hidden file system is stored, It will return zeroed buffer instead of the original data.
The bootkit contains code that performs additional checks to prevent the malware from the cleanup. At every start of the system TDL4 bootkit driver gets loaded and initialized properly by performing tasks as follows: Reads the contents of the boot sector, compares it with the infected image stored in hidden file system, if it finds any difference between these two images it rewrites the infected image to the boot sector. Sets the DriverObject field of the miniport device object to point to the bootkit’s driver object and also hooks the DriverStartIo field of the miniport’s driver object. If kernel debugging is enabled then this TDL4 does not install any of it’s components.
TDL4 Rootkit hooks the ATAPI driver i.e. standard windows miniport drivers like atapi.sys. It keeps Device Object at lowest in the device stack, which makes a lot harder to dump TDL4 files.
All these striking features have made TDL4 most notorious Windows rootkit and it is also very important to mention that the key to its success is the boot sector infection.
Another bit:
The original MBR and driver component are stored in encrypted form using the same encryption. Driver component hooks ATAPI's DriverStartIo routine where it monitors for write operations. In case of write operation targeted at the MBR sector, it is changed to read operation. This way it is trying to bypass repair operation by Security Products.
I agree with you, but still want people like you to get an account because of abuse by ACs. Many a time I would get replies from ACs with foul and trolling language. If smart ACs got an account, I could change my settings to ignore ACs.
which is a somewhat technically literate site
No longer, my friend. It's now all kids who think it's cool to hate on MS and then many run to buy the latest iDevices and then promote it to everyone around them.
It's more about hating on MS and bringing them down than fighting for true user and developer freedom. Since Apple is a rival to MS, it gets a free pass and even promotion on Slashdot even though it goes much farther than Secure Boot and implements the Palladium spec to the letter to all programs running on it with the App Store.
All this uninformed +5 INSIGHTFUL FUD in the thread is a reflection of that. People like BMO are completely out of their technical depth in understanding how keys, hashing, signing, asymmetric cryptography work. They just karmawhore the circlejerking groupthink and get +5 INFORMATIVE. It would be sad if it weren't so pathetically funny.
Why? Where are your rants against Apple locking down the iPad and selling tens of millions a year while PC and laptop sales are declining every quarter and the OEMs are going down? iOS is even worse, you can't run programs on your device without paying 30% to Apple even for content purchased inside the apps. Maybe you have some rants against the Kindle Fire?
crickets
No? That means you're not for Freedom, but just are an anti-MS troll, Apple fanboy or both.
Give it up,BMO is probably a PHB, he does not understand technical stuff, so he just trolls the karmawhoring Slashdot line by writing retarded anti-MS stuff and calling people paid shills. It's useless as trying to explain quantum mechanics to an amoeba.
Because Apple did it first and fanboys fell over themselves with the OOH SHINY stuff. And now, everyone points to Apple and says we need more security to keep malware out.
The battle is lost, the train has left the station the cat is out of the bag etc. and the reason is people like you are only fixated on gnashing teeth against Microsoft on Slashdot but give other companies a free pass.
I love it how Windows RT tablets(which are supposed to be DoA anyway according to Slashdotters) are somehow "ARM devices" but the iPads and Android tablets, Kindle Fires, Nooks with locked bootloaders with 99% marketshare in mobile are just iPads and Android tablets, Kindle Fires, Nooks. Win32 software which is a big reason for the monopoly won't even run on Windows RT. And then they call for government intervention. Meanwhile Apple is locking everything down but the fanboys keep the discussion down. Why do people get their panties in a twist when it's MS while Apple is decimating freedom by implementing Palladium(see app store) and unable to keep their locked iDevices in stock? Yelling in bold only makes you sound more retarded.
First of all, adding keys should NOT be with a simple click or else malware will just instruct users to do that to watch DancingBunnies.exe
Second of all, it isn't that bad, There are GUI screens navigatable with a mouse(unlike BIOS) where you can input/remove keys. Perhaps you have ideas to make it easier while still maintaining security, instead of just kneejerk bashing and conspiracy theories of "OH THEY'RE GONNA GET US OMG".
If there are users incapable of doing that, do you really expect to be able to install Linux without blowing through the Windows partition or even search for and install drivers?
First, that's to get your own binary get signed with the default installed Microsoft key, so it's meant for distributors, not users who can add/remove keys without any cost.
Also, if you think Microsoft is trying to make any money from the $99 you're sorely mistaken.
Read this and I hope you have enough reading comprehension skills to under the reasoning behind Microsoft's fee.
http://indiegames.com/2012/09/valves_solution_for_steam_gree.html
If there was no fee, every Russian malware author will apply thousand times to get boot keys defeating the whole thing, not to mention the money can be tracked down in the future if the key is maliciously used.
In other words, another bog standard stupid uninformed kneejerk karmawhoring typical retarded Slashdot anti-MS post from you. lurn2read. Don't you feel stupid making such idiotic posts?
First UEFI != UEFI Secure Boot.
Second, you can turn off Secure Boot in the settings. So, I am guessing the young Mr. Torvalds would be smart enough to do that.
Third, the keys are editable, i.e you can remove Microsoft's key and add your own or Linux's key if you don't trust Microsoft and that'll stop your machine from ever booting Windows. Thus, you're really in control of your computer. The defaults are setup that way to stop undetectable bootkits infecting your mom's computers because just wants to run Excel and doesn't know or care about signing keys and hashes.
There is so much FUD and misinformation being spread by stupid people.
You couldn't be more right. I remember how much fuss was made against the DRM in Vista, which was fairly benign and had to be implemented to playback BluRay discs. Remember that debunked hitpiece of a paper written by an Australian professor? Many on Slashdot *still* believe that FUD and will say Windows 7 has a lot of DRM.
When Apple implemented lockdown DRM on *apps*, the Apple fans made sure to moderate and steer the discussion about the OH SHINY part and no one talks about it anymore.
Journalists raised a hue and cry about the end times because TC was implemented by Microsoft.
In the meantime, Apple came in and implemented the same spec and the same journalists fell over each other extolling the virtues of the walled garden.
http://www.microsoftstore.com/store/msstore/html/pbPage.MicrosoftSignature
Vizio PCs dont have any crapware either.
What has this got to do with Windows 8?
If MS stopped OEMs from bundling Google toolbar, everyone here will be crying antitrust.
You want MS to make Windows a closed platform like iOS?
Freedom is not free.
I don't see how that follows.
Sailfish has to effectively fork the Android compatibility layer to get it working. Is there an example of an OS that is compatible with Android but Google doesn't ban the OEMs from shipping?
Tizen doesn't have Android compatibility AFAIK so it has nothing to do with this.
This is the first OS I've seen that has made sense; I could see myself buying. It could be a great product, potentially an even more open OS in the market; Android compatibility; multitasking done right
Isn't Android compatibility a death sentence for an OS because of Google's blackmail of the Android OEMs?
http://arstechnica.com/gadgets/2012/09/google-blocked-acers-rival-phone-to-prevent-android-fragmentation/
I am curious which OEM(s) Jolla lined up. It can't be any of Samsung, HTC, Acer, ASUS, Lenovo, LG, Sony, Motorola(cough), Huwaei, Toshiba, Dell, ZTE etc.
What major OEM is left to make the phones? Nokia? (har har) Apple? (Yeah right.) RIM?
Any other no-name OEM or even self manufacturing is going to cripple the adoption of Jolla making it stillborn in this competitive market. Other problems are lack of access to Google's Android apps and the Play Store, but they're not insurmountable, maybe they can get Amazon to share it's app store which has a decent collection of apps. So much for Android being open when even MS doesn't (probably cannot due to antitrust) block OEMs from shipping Linux machines with WINE preinstalled.
So the Linux Foundation, quite rightly, are trying to make available a signed bootloader which will then anyone boot whatever we want without having to disable secure boot - have I got that right? What stops someone monkeying around with the next level of abstraction?
Not exactly. It will require a physically present user to click though a warning message before booting the "next level of abstraction".
I thought Windows RT was supposed to fail spectacularly from all the articles and comments on Slashdot?
Why are people then worried about Surface RT etc. getting a monopoly and using it to squeeze out Android from ARM tablets?
Where is the outcry about Apple locking up "ARM systems" with >60% marketshare ?
Or even about Android tablets errr "ARM Systems" shipping with locked bootloaders?
SecureBoot does not give that, it only attests the code image *started* as the one it was supposed to be, according to the trust anchor..
Secure boot can give that, if the code image checks the signatures of the drivers and the kernel it loads and the kernel can check the signatures of the executables it runs and not load anything else that is not signed. Lets say you set up such a system today, you can be sure after 1 year that the same binaries are loading and have not been replaced with malicious ones. Even if malware was loaded into memory at runtime, cleanup will just involve a reboot + replacing any drivers, executables, kernel etc that fail the signature check(ignoring changes to data i.e).
As of now we know that Win8 is vulnerable to a huge chunk of malware designed for older versions of Windows. This "UEFI Secure Boot" does not prevent it at all. I suspected earlier that UEFI Secure Boot wasn't designed to make PCs more secure but rather to lock down PCs, so novice users trying to check out some Linux distribution will have tough time doing so. This fiasco makes me sure that this was the case and makes me wonder why antitrust authorities don't do anything about this. This is potentially more harmful than MSIE case after all.
If you(and others here) really want to educate yourself instead of spreading karmawhoring FUD, please read on.
Here are some references about boot malware which UEFI secure boot will prevent.
http://www.chmag.in/article/sep2011/rootkits-are-back-boot-infection
http://www.theregister.co.uk/2010/11/16/tdl_rootkit_does_64_bit_windows/
http://www.computerworld.com/s/article/9217953/Rootkit_infection_requires_Windows_reinstall_says_Microsoft
I recommend reading atleast the first link.
Here's one juicy bit:
TDL4 is the most recent high tech and widely spread member of the TDSS family rootkit, targeting x64 operating systems too such as Windows Vista and Windows 7. One of the most striking features of TDL4 is that it is able to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled.
When the driver is loaded into kernel-mode address space it overwrites the MBR (Master Boot Record) of the disk by sending SRB (SCSI Request Block) packets directly to the miniport device object, then it initializes its hidden file system. The bootkit’s modules are written into the hidden file system from the dropper.
The TDL4 bootkit controls two areas of the hard drive one is the MBR and other is the hidden file system created at the time of malware deployment. When any application reads the MBR, the bootkit changes data and returns the contents of the clean MBR i.e. prior to the infection, and also it takes care of Infected MBR by protecting it from overwriting.
The hidden file system with the malicious components also gets protected by the bootkit. So if any application is making an attempt to read sectors of the hard disk where the hidden file system is stored, It will return zeroed buffer instead of the original data.
The bootkit contains code that performs additional checks to prevent the malware from the cleanup. At every start of the system TDL4 bootkit driver gets loaded and initialized properly by performing tasks as follows: Reads the contents of the boot sector, compares it with the infected image stored in hidden file system, if it finds any difference between these two images it rewrites the infected image to the boot sector. Sets the DriverObject field of the miniport device object to point to the bootkit’s driver object and also hooks the DriverStartIo field of the miniport’s driver object. If kernel debugging is enabled then this TDL4 does not install any of it’s components.
TDL4 Rootkit hooks the ATAPI driver i.e. standard windows miniport drivers like atapi.sys. It keeps Device Object at lowest in the device stack, which makes a lot harder to dump TDL4 files.
All these striking features have made TDL4 most notorious Windows rootkit and it is also very important to mention that the key to its success is the boot sector infection.
Another bit:
The original MBR and driver component are stored in encrypted form using the same encryption. Driver component hooks ATAPI's DriverStartIo
Stop raking up shit with stupid karmawhoring paranoid crap.
If the UEFI binary was GPLv3 (not GPL like in your title, GPL v1 and v2 are good), then anyone distributing the binary will have to release the signing key, which defeats the whole purpose of UEFI secure boot signing since it will allow malware creators to sign their own malicious bootloaders with the key.
Why don't you GPL v3 your bank accounts and passwords and release them? OMG DGHARMON BANS GPL FOR HIS INFO. +5 INFORMATIVE
While the ignorance in the posts here is pathetic enough, even the moderators are clueless about UEFI secure boot.
Why dual boot when you can run both simultaneously since both run on the same Linux kernel? Kind of how Windows 8 runs both WinRT apps(for tablet use) and desktop apps simultaneously. Best of both worlds, use the Android apps when you want to use a tablet, and then switch to KDE apps for real work, all without messy rebooting.
They should have switched to their iPhone killing bubble UI instead.
http://www.youtube.com/watch?v=RSRuY_9ZMsY&feature=player_embedded