Security Operating Systems Software Windows

Boot Record Rootkit Threatens Vista, XP, NT

Posted by kdawson
from the writing-to-zero dept.
Paul sends us word on a new exploit seen in the wild that attacks Windows systems completely outside of the control of the OS. "Unfortunately, all the Windows NT family (including Vista) still have the same security flaw — MBR [Master Boot Record] can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected... At the end of 2007 stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected."
  • Messed up (Score:5, Funny)

    by Anonymous Coward on Monday January 07, 2008 @10:54PM (#21949506)

    Unfortunately, all the Windows NT family (including Vista) still have the same flaw -- incest.
    NT and ME were siblings who married to produce XP. It doesn't help any that NT's father, 95, produced NT via a union with his daughter, 98. XP then killed NT and had a child with ME. He later gouged his GUI out. The end result of all this is Vista. And you guys wonder why Vista has security issues? Poor guy must have complex on top of complex, not to mention more than a few birth defects.
    • by phrostie (121428)
      ROTFL

      I so wish I had mod points
    • by o'reor (581921) on Tuesday January 08, 2008 @04:52AM (#21951184) Journal

      It doesn't help any that NT's father, 95, produced NT via a union with his daughter, 98.
      Gross. Well actually, NT (going back to 3.xx) was not the daughter of W95xW98, but rather the (already) bastard child of Win3.11 who raped his mother VMS during the First War of the OS (ugly, ugly -- you don't really want to know).

      Therefore NT3.5 is W95's stepsister -- given that W95 is the legitimate heir of Win3.11. It turned out then that W95, who was a real pervert due to its dominant 16-bit gene, chkdsked his stepsister NT3.51 (they don't use words like "fscked" in that family, they have their own lingo), who begat NT4.0. Then NT4.0 and his aunt W98 both got drunk one night, and soon they gave birth to Win2K. Somehow at that point in the family tree, the 16-bit gene got culled out. But the inbreeding continues...

      • Re: (Score:3, Funny)

        by smchris (464899)
        Actually, the Ur-mother of the 32-bit desktop was probably OS2. Virtually unknown today and only spoken of among a small cult who cherish the old ways. There are rumors Microsoft itself indulged in the rites of OS2 before a conversion experience.

    • by Jugalator (259273)
      Hey now, what Vista can do [youtube.com], it can do damn well!
  • by snikulin (889460) on Monday January 07, 2008 @10:55PM (#21949512)
    It's not a troll. I just want to know. If I put my code to MBR and LILO loader somewhere else and then start it, will it work? I guess so.
    • by MBCook (132727) <foobarsoft@foobarsoft.com> on Monday January 07, 2008 @11:18PM (#21949624) Homepage

      Yes. That's all LILO, GRUB, NTLDR, and such do. They call the BIOS functions to read partition tables and such, load code from a specific place, and execute it.

      You could easily install LILO on the last sector of a disk (or anywhere else, just a free sector you can protect from being used). Write a little tiny program that does nothing but read that sector into memory (having known the address ahead of time, finding that code is what makes GRUB and NTLDR slightly more complex than this), and execute it. LILO would then continue having no idea what happened before it.

      Amazing little things, boot loaders. Check out the Wikipedia article on Master Boot Records [wikipedia.org]. They talk about NTLDR where until XP/2K (when it got support for non-english error messages), the code was just a scant 139 bytes.

      Read about some of them. LILO [wikipedia.org] is simple (and kind of stupid) and fits in 512 bytes. GRUB [wikipedia.org] is smarter, and works by loading more code that it finds using its first stage (which is under 512 bytes). It's a little tiny OS that only uses BIOS calls to load another OS. That's why you can edit entries, add new ones, etc. That couldn't fit in 512 bytes (and still be useful on most computers).

      • So, having RTFA, it seems to me that at the very least, the little nasty is designed to work with the windows boot process, and currently would at least cause a grub based system to puke, giving you notice of a situation. Then you could use http://supergrub.forjamari.linex.org/ to fix your loader? On a sidenote, while SuperGrub isn't going to win any points for graphic style, it did an excellent job of fixing my Fully Ryobi'd windows/Fedora s
        • bootkey (Score:5, Informative)

          by Tumbleweed (3706) * on Tuesday January 08, 2008 @01:27AM (#21950248)
          If a person wanted to be sure, couldn't you burn a boot loader onto a CD, have the CD boot first, and have that direct the loading? IANLWK (I am no Linux Whiz Kid), but in my imperfect knowledge of the world, that seems like it would completely defend against this type of attack. I yearn for correction of my ways if this wouldn't work.

          Or better yet, a USB key - an key that lets you start your computer. No key, no start. Faster than a CD, no moving parts, etc. Me likes.
      • by dbcad7 (771464)
        In order to run lilo, you need to be root.. correct ?
        so although you might be able to install it in some sector (giving you the benefit), ... how are you going to run it without being root ?

        If you were just explaining the flexibility of where Lilo can be installed, I understand that.. but it kind of seems you implied that a malware script could be made to just willy nilly install and run lilo.. maybe it can, but I'd have to have more proof.

    • Re: (Score:3, Informative)

      by burnin1965 (535071)

      If I put my code to MBR and LILO loader somewhere else and then start it, will it work? I guess so.

      Are you root? If not then the answer is no.

      The real issue here is not whether an exploit like this would work with lilo or grub, the issue, as noted by TFA, is that "Unfortunately, all the Windows NT family (including VISTA) still have the same security flaw - MBR can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however,

  • Misleading... (Score:5, Informative)

    by SanityInAnarchy (655584) <ninja@slaphack.com> on Monday January 07, 2008 @11:03PM (#21949562) Journal
    Alright, I get the defense in depth concept, but I don't consider it to be a severe vulnerability that the MBR is writable while Windows is running. I consider that to be a feature, one I wish Microsoft did more of -- for example, I can install Linux from a Linux LiveCD, or I can install a second copy of it on another partition, etc. As far as I can tell, OS X is similarly flexible -- it forces you to type your password, but it can deliver a firmware update from within the OS -- think equivalent to a BIOS update, so even earlier than the MBR.

    So, to clarify: It's writable from userland, which is not the same as being writable by any user. If they have Admin access (which means you already clicked a "This program wants to modify your Master Boot Record, are you sure?"), you're already screwed -- kind of like how, on Linux, if they have root, you're already screwed.

    In other words, it's possible to modify your Master Boot Record without rebooting your computer. This is a good thing.

    What's more, this is not new [wikipedia.org]. All that's new is that it's both in the wild (Blue Pill does the same thing), and that it's a rootkit (MBR Viruses have been around for a very long time now). If someone was trying to apply for a patent, you'd be jumping all over them with prior art...
    • Re:Misleading... (Score:5, Interesting)

      by Jeffrey Baker (6191) on Tuesday January 08, 2008 @12:16AM (#21949942)
      In my admittedly limited experience, any user account can do some pretty scary stuff in Windows XP. I once was surprised to find out that I could load a firmware update onto a Plextor DVD burner using the guest account on a Windows XP machine. If you can program device firmware you can obviously subvert the entire operating system. I was appalled, and I showed it to the local Windows sysadmin, and he was appalled. It seemed to be a bit of clever programming on the part of the Plextor people, and there did not seem to be any way to defend against it.
      • by ajs318 (655362)
        You can firmware-upgrade many optical drives just by loading a disc with the firmware on it. The drive reads the TOC, spots a telltale filename, checks the file for telltale data and if it seems correct, loads up its new firmware. This doesn't involve the OS at all. You could plug the drive into just a PSU, no connection to a motherboard even, and upgrade it.

        The assumption is that if you have physical access to the machine, you can do what you want with it anyway.
      • I'm not sure if you can blame MS in this case though. If your machine is interfacing with the device through a plextor driver, which similarly allows the firmware update (as a non-privileged user), I'd say the weakness is Plextor's. Drivers need to be able to do their thing, and I'm not really sure that the OS could easily differentiate between a driver reading/writing a DVD or writing firmware. So if this were the case, MS wouldn't really be to blame unless it was actually their driver, or perhaps if the P
    • What's more, this is not new [wikipedia.org]. All that's new is that it's both in the wild (Blue Pill does the same thing), and that it's a rootkit (MBR Viruses have been around for a very long time now). If someone was trying to apply for a patent, you'd be jumping all over them with prior art...

      Actually Blue Pill is much more interesting then this. Blue Pill can actually trap a running instance of an OS inside a rootkit. The one from the article requires a reboot, and hoping you didn't detect it before
    • Beyond misleading. Not newsworthy.

      Overwriting your MBR is possible only with raw access to the hard drive, and is always possible with raw access to the hard drive. In other words, Vista shares this same flaw with nearly every operating system in existence. Raw device IO is a restricted operation specifically for this reason, because it circumvents all other protection. To gain this access, you need to already have unfettered administrative access, which means you stand to gain nothing further.

  • by Anonymous Coward on Monday January 07, 2008 @11:14PM (#21949602)
    I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.
    • Re: (Score:3, Funny)

      by ScrewMaster (602015)
      The jellied gasoline salvo is on the way, with a thermite chaser.
    • It's exactly the sort of problem any decent OS can solve. Untrusted code says "hey, I'd like to write this to the MBR", OS says "hell no!". Why is any special hardware needed, beyond basic memory protection?
    • Re: (Score:3, Insightful)

      by kvezach (1199717)
      Initiating flame... done!

      I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.

      And you can "solve" crime with a ubiquitous secret police, but would you want to?
  • by figleaf (672550) on Monday January 07, 2008 @11:18PM (#21949620) Homepage
    ... to write to the MBR.
    For all other sectors Vista prevents writes to raw disk sectors even with admin permissions.

    Users without admin permissions/without elevation cannot write to the MBR in Vista.
  • by Purity Of Essence (1007601) on Monday January 07, 2008 @11:26PM (#21949666)
    It's more likely than you think.

    What is this? 1986?
  • by DigiShaman (671371) on Tuesday January 08, 2008 @12:01AM (#21949866) Homepage
    As I know, most 3rd party motherboards offer "anti-virus" or the "write protect MBR" options. Even if available I doubt they will work when using onboard RAID features.

    Basically, you leave these options off when installing the OS. Once you're finished, you can safely turn them on. I'm not sure how often NTFS needs access to the MBR, but I know I've never had trouble leaving these features enabled with FAT32.
    • by tlhIngan (30335) <slashdot@wSLACKWAREorf.net minus distro> on Tuesday January 08, 2008 @12:42AM (#21950076)

      As I know, most 3rd party motherboards offer "anti-virus" or the "write protect MBR" options. Even if available I doubt they will work when using onboard RAID features.

      Basically, you leave these options off when installing the OS. Once you're finished, you can safely turn them on. I'm not sure how often NTFS needs access to the MBR, but I know I've never had trouble leaving these features enabled with FAT32.


      Ah, but these things only work in two ways:

      1) The write protect only works if the OS makes a BIOS call to the MBR. The BIOS then traps this request and asks if you mean to write to the MBR. This works pretty well as most boot sector virii exist in DOS, which uses the BIOS, rather than Windows.

      2) The BIOS makes a copy of the MBR and saves it in the CMOS. On boot, it loads the boot sector as normal, and does a quick comparison (it's only 512 bytes). If it differs (because someone overwrote the MBR code, or someone changed the partition table), it asks what you want to do - restore from backup, or accept the modifications.

      No good filesystem should need the MBR once the system is booted, other than reading the partition table. (The MBR, being 446 bytes in size, is also pretty standardized, which is why any utility that rewrites the MBR code can get your system booting again. A Linux-written MBR can boot Windows, Windows fdisk can make Linux bootable again, etc.) Basically, the MBR code just examines the partition table (in RAM - the BIOS doesn't care or know about the last 66 bytes being the partition table; it loads the entire 512-byte sector into RAM), finds an entry marked with an "active" flag, copies the first sector of that partition into RAM and jumps into that code.

      Extended partitions are the devil, which is why most MBRs can't boot from an extended partition.
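      The two comments above (MBCook's description of what a stage-one loader does, and the "BIOS keeps a saved copy of the MBR and compares it on boot" check in point 2) can be made concrete. The Python below is an added example, not code from the article or from any commenter: it decodes the 64-byte partition table at the end of a 512-byte sector, performs the same active-flag lookup the MBR code performs, and compares a sector against a saved baseline, reporting separately whether the 446-byte code area or the partition table changed. The sector contents, the partition layout and the filler bytes standing in for boot code are all constructed inline, not captured from a real disk.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

SECTOR_SIZE = 512        # an MBR is exactly one sector
CODE_SIZE = 446          # bootstrap code area, bytes 0..445
PT_OFFSET = 446          # four 16-byte partition entries follow the code
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"  # boot signature in the last two bytes
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


@dataclass
class PartitionEntry:
    index: int
    bootable: bool       # status byte 0x80 is the "active" flag
    type_id: int
    lba_start: int
    sectors: int


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Decode the four partition slots; empty slots (type 0) are skipped."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, type_id, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector, PT_OFFSET + i * ENTRY_SIZE)
        if type_id == 0:
            continue
        entries.append(PartitionEntry(i, status == 0x80, type_id, lba_start, sectors))
    return entries


def find_active_partition(sector: bytes) -> PartitionEntry:
    """The boot-time decision the MBR code makes: exactly one active entry."""
    active = [e for e in parse_partition_table(sector) if e.bootable]
    if len(active) != 1:
        raise ValueError(f"expected exactly one active partition, found {len(active)}")
    return active[0]


def compare_to_baseline(current: bytes, baseline: bytes) -> Dict[str, bool]:
    """Mirror the BIOS 'saved copy' check, but say which region differs."""
    return {
        "code_changed": current[:CODE_SIZE] != baseline[:CODE_SIZE],
        "table_changed": current[PT_OFFSET:510] != baseline[PT_OFFSET:510],
        "signature_ok": current[510:512] == SIGNATURE,
    }


def build_sample_mbr(code_fill: int,
                     entries: List[Tuple[int, bool, int, int, int]]) -> bytes:
    """Constructed test sector: a filler byte stands in for real boot code."""
    code = bytes([code_fill]) * CODE_SIZE
    table = bytearray(4 * ENTRY_SIZE)
    for index, bootable, type_id, lba_start, sectors in entries:
        struct.pack_into(ENTRY_FMT, table, index * ENTRY_SIZE,
                         0x80 if bootable else 0x00, type_id, lba_start, sectors)
    return code + bytes(table) + SIGNATURE


# Constructed sample data (not from any real disk): an NTFS system partition
# marked active, followed by a Linux partition.
LAYOUT = [(0, True, 0x07, 63, 2_000_000), (1, False, 0x83, 2_000_063, 4_000_000)]
BASELINE_MBR = build_sample_mbr(0x90, LAYOUT)
# Same partition table, but the code area was replaced: the shape of the MBR
# rootkit case, where the table is left intact so the machine still boots.
CODE_REPLACED_MBR = build_sample_mbr(0xCC, LAYOUT)
# Untouched code, but the active flag moved to the second partition.
FLAG_MOVED_MBR = build_sample_mbr(0x90, [(0, False, 0x07, 63, 2_000_000),
                                         (1, True, 0x83, 2_000_063, 4_000_000)])

if __name__ == "__main__":
    boot = find_active_partition(BASELINE_MBR)
    print(f"BIOS would load LBA {boot.lba_start} (type 0x{boot.type_id:02x})")
    for name, sector in [("code replaced", CODE_REPLACED_MBR), ("flag moved", FLAG_MOVED_MBR)]:
        print(name, compare_to_baseline(sector, BASELINE_MBR))
```

      To use it on a real system, feed it the first 512 bytes of a disk image (or of the block device, read with whatever privilege that requires). A changed code area with an unchanged partition table is exactly the case the point-2 BIOS check is meant to catch, and the comparison is only as trustworthy as the place the baseline is kept: it has to live somewhere the running OS cannot rewrite.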
  • by Myria (562655) on Tuesday January 08, 2008 @12:18AM (#21949958)
    A program running as root takes over a machine. News at 11!

    It's really annoyed me that security companies continually report these things when they have no relevance to actual security. The concentration should always be on preventing malware from acquiring root access in the first place. Vista, despite its faults, actually does a much better job of this than its predecessors.

    Also, this is Slashdot. Slashdot has Linux users, and wouldn't Linux users know that overwriting is even easier to do in Linux than NT? "dd if=trojan.bin of=/dev/hda", anyone?

    By the way, there are many more bad things you can do as Administrator than just hack the boot sector. You can use bcdedit to create a fake Windows XP boot entry then put your Trojan kernel there.
    • by PPH (736903)

      By the way, there are many more bad things you can do as Administrator than just hack the boot sector.
      I guess that's why Administrator (root) is a completely separate user on *NIX systems, not just an attribute of some logged in user.
    • by WK2 (1072560)
      To be fair, I inferred from the summary and article that this was possible by an ordinary user. After I read several comments on slashdot that say something similar to what you say, I checked the article, and read it carefully. Nowhere does it say whether or not Administrator access is required to use their rootkit. I would have assumed that it was not.

      If you are right, and Administrator access is required to write to the MBR, then this is certainly not a security-related issue.
  • by Fizzl (209397) <[fizzl] [at] [fizzl.net]> on Tuesday January 08, 2008 @02:42AM (#21950626) Homepage Journal
    MBR was THE attack vector for viruses back in the good old times of MS-DOS and floppies. Now it's new again?
  • ... it wants its viruses back!

    If you read the OP this is pretty much what DOS viruses were doing 20 years ago. Wow.
  • The MBR is a vulnerability by definition. Almost the only way to protect it is by having a jumper on the HDD itself, which must be fitted to enable writing to the MBR and must be removed to enable booting. That means that every time you want to install a bootstrap loader, you will have to open up the machine and muck about inside it.

    Question is, is the threat from the MBR vulnerability significant enough to warrant such a drastic solution?
