Security Operating Systems Software Windows

Boot Record Rootkit Threatens Vista, XP, NT

Paul sends us word of a new exploit seen in the wild that attacks Windows systems from outside the control of the OS, by modifying the master boot record that runs before the OS is loaded. "Unfortunately, all of the Windows NT family (including Vista) still has the same security flaw: the MBR [Master Boot Record] can be modified from usermode. Nevertheless, MS blocked write access to disk sectors from userland code on Vista after the pagefile attack; however, the first sectors of the disk are still unprotected... At the end of 2007 a stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ), and it looks like this way of attacking NT systems could become more common in the near future if the MBR stays unprotected."
  • by snikulin ( 889460 ) on Monday January 07, 2008 @10:55PM (#21949512)
    It's not a troll. I just want to know. If I put my code in the MBR and the LILO loader somewhere else and then start it, will it work? I guess so.
  • Of course.. (Score:5, Interesting)

    by Junta ( 36770 ) on Monday January 07, 2008 @11:51PM (#21949792)
    Whether it's an MBR record or an executable file stored on a filesystem the firmware may understand, the concepts are the same. Any sane operating system will allow you to modify boot files (after all, how else do you upgrade early-execution code?). Whether it's an MBR or a more sophisticated piece of firmware, the principle is the same. The question is whether users have been trained to always be administrator, or if they've been trained the more disciplined way, where uncommon (at least they should be)/privileged operations can only be executed at significant, obvious pain.

    Under Linux even, a number of distributions have on occasion ventured down the very dangerous/wrong approach of skipping user accounts and going all root for the sake of convenience. However, the mainstream usage of Linux (and OSX) is thankfully non-root users, and as such any *serious* applications accommodate that usage pattern (with the bonus of being sanely multi-user).

    Meanwhile, Windows' heritage has been less optimal. The consumer-oriented MS platforms right up until XP didn't have a meaningful non-administrator concept, nor much of a multi-user concept. As a consequence, many application developers did bad things that would break (e.g. using registry entries that are machine-specific rather than user-specific, or even writing things like saved documents/games to the application's Program Files directory). Win9x even provided relevant spots that would evolve into something meaningful, but without significant meaning, many third parties ignored them, especially after Win3.x training. XP was the first definitive wake-up call to a WIDE variety of developers. Even so, the majority of users ended up being administrative users to make up for the gap (as well as having no easy automatic privilege escalation). Hell, even a customized preload I saw sets up one user, renaming the administrator user (and in fact calls an un-renamed administrator account a security risk... indeed).

    OSX made a clean break (relegating "classic" applications to a relatively severe sandbox), and Linux never had such an unclean history to overcome. So OSX implemented clean privilege escalation, and Linux has been working on facilities that lend themselves well to that (e.g. DBus). Windows XP did not make a clean break, and Vista didn't either, but Vista's UAC is an attempt at giving users a facility to do privilege escalation. It's annoying because of bad programs and bad habits. But non-admin default usage + UAC is the only way they have of maintaining a sane feature set without being considered so vulnerable.

    It also doesn't help that so many Windows users see "click here for free smilies" and think it's a good idea to do so.
  • Re:Misleading... (Score:5, Interesting)

    by Jeffrey Baker ( 6191 ) on Tuesday January 08, 2008 @12:16AM (#21949942)
    In my admittedly limited experience, any user account can do some pretty scary stuff in Windows XP. I once was surprised to find out that I could load a firmware update onto a Plextor DVD burner using the guest account on a Windows XP machine. If you can program device firmware you can obviously subvert the entire operating system. I was appalled, and I showed it to the local Windows sysadmin, and he was appalled. It seemed to be a bit of clever programming on the part of the Plextor people, and there did not seem to be any way to defend against it.
  • by Keruo ( 771880 ) on Tuesday January 08, 2008 @01:21AM (#21950224)
    All you need is a call to a certain point on the disk to run the code, right?
    Remember that almost all current Windows systems reserve 1-8 MB of space [microsoft.com] for converting the drive to a dynamic disk.
    8 MB is likely enough to run an almost full-blown virtual machine, at least versatile enough to hide beneath the "primary" OS and act as a spam/DDoS drone/keylogging trojan unnoticed.
    Sure, it'll eat some resources sitting there, but your average Joe/Jill won't really notice that. They just curse their damn slow computer.
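As an added example (not code from the story, from the MR Team, or from any commenter), the C program below does the two checks a practitioner would want after the summary's point that the first sectors of the disk stay writable and Keruo's point about disk space that no filesystem owns: it parses a 512-byte MBR, fingerprints the bootstrap code so it can be compared against a baseline recorded on a known-good machine, works out how many sectors sit between the MBR and the first partition, and counts which of those unallocated sectors contain anything but zeros. The sample MBR (one active NTFS partition at LBA 63) and the gap image are constructed inline and are not from any real disk; on a real machine the bytes would come from LBA 0 and the sectors after it on the raw device (\\.\PhysicalDrive0 on Windows, which needs administrator rights). FNV-1a is used as the fingerprint only because it is short; it is not a cryptographic hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE  512
#define BOOTCODE_LEN 446   /* bytes 0..445: bootstrap code the BIOS jumps into */
#define PTABLE_OFF   446   /* four 16-byte partition entries */
#define SIG_OFF      510   /* 0x55 0xAA boot signature */

typedef struct {
    uint64_t bootcode_fp;    /* fingerprint of bytes 0..445 */
    uint8_t  type[4];        /* partition type id per slot, 0 = empty slot */
    uint32_t lba_start[4];   /* first sector per slot (little-endian on disk) */
    uint32_t gap_sectors;    /* sectors between the MBR and the first partition */
} mbr_info;

/* FNV-1a 64-bit: a deterministic fingerprint, not a cryptographic hash. */
static uint64_t fnv1a64(const uint8_t *p, size_t n)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Parse one 512-byte sector as an MBR. Returns 0 on success, -1 when the 0x55AA signature is missing. */
int mbr_parse(const uint8_t *sector, mbr_info *out)
{
    memset(out, 0, sizeof *out);
    if (sector[SIG_OFF] != 0x55 || sector[SIG_OFF + 1] != 0xAA) return -1;
    out->bootcode_fp = fnv1a64(sector, BOOTCODE_LEN);
    uint32_t first = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sector + PTABLE_OFF + 16 * i;
        out->type[i] = e[4];
        out->lba_start[i] = (uint32_t)e[8] | ((uint32_t)e[9] << 8) | ((uint32_t)e[10] << 16) | ((uint32_t)e[11] << 24);
        if (out->type[i] != 0 && (first == 0 || out->lba_start[i] < first))
            first = out->lba_start[i];
    }
    out->gap_sectors = first > 1 ? first - 1 : 0;   /* LBA 1 .. first-1 belong to no partition */
    return 0;
}

/* Count sectors in a buffer (read from LBA 1 onward) holding anything but zeros.
 * Space that no partition owns is normally blank, so hits here deserve a look. */
size_t nonzero_sectors(const uint8_t *buf, size_t nsectors)
{
    size_t hits = 0;
    for (size_t s = 0; s < nsectors; s++)
        for (size_t i = 0; i < SECTOR_SIZE; i++)
            if (buf[s * SECTOR_SIZE + i]) { hits++; break; }
    return hits;
}

/* Constructed sample, not from any real disk: one active NTFS partition at LBA 63 (classic XP layout). */
void build_sample_mbr(uint8_t *sector, int tampered)
{
    memset(sector, 0, SECTOR_SIZE);
    for (int i = 0; i < BOOTCODE_LEN; i++) sector[i] = (uint8_t)(0x33 + i); /* stand-in boot code */
    if (tampered) { sector[0] = 0xE9; sector[1] = 0x10; }  /* a patched-in jmp, as a hypothetical modification */
    uint8_t *e = sector + PTABLE_OFF;
    e[0] = 0x80; e[4] = 0x07; e[8] = 63; e[14] = 0x40;    /* active, NTFS, LBA 63, 0x400000 sectors */
    sector[SIG_OFF] = 0x55; sector[SIG_OFF + 1] = 0xAA;
}

/* Returns 1 when the clean sample matches its baseline and the tampered copy does not. */
int demo_detects_bootcode_change(void)
{
    uint8_t clean[SECTOR_SIZE], bad[SECTOR_SIZE]; mbr_info a, b;
    build_sample_mbr(clean, 0); build_sample_mbr(bad, 1);
    if (mbr_parse(clean, &a) != 0 || mbr_parse(bad, &b) != 0) return 0;
    uint64_t baseline = a.bootcode_fp;   /* capture this while the system is known-good, store it off-box */
    return a.bootcode_fp == baseline && b.bootcode_fp != baseline;
}

/* Unallocated gap for the sample layout: sectors 1..62, so 62. */
uint32_t demo_gap_sectors(void)
{
    uint8_t s[SECTOR_SIZE]; mbr_info m;
    build_sample_mbr(s, 0);
    return mbr_parse(s, &m) == 0 ? m.gap_sectors : 0;
}

/* Constructed gap image: 62 blank sectors with bytes planted in one of them. */
size_t demo_gap_scan(void)
{
    static uint8_t gap[62 * SECTOR_SIZE];          /* zero-initialised */
    memcpy(gap + 10 * SECTOR_SIZE, "planted", 7);
    return nonzero_sectors(gap, 62);
}

int main(void)
{
    printf("bootcode change detected: %d\n", demo_detects_bootcode_change());
    printf("gap before first partition: %u sectors\n", demo_gap_sectors());
    printf("non-zero sectors in gap: %zu\n", demo_gap_scan());
    return 0;
}
```

A legitimate bootloader update changes the fingerprint too, so the baseline has to be refreshed on purpose rather than silently. And since a kernel-level rootkit can filter what the running OS returns for sector reads, the sectors are best read from a boot CD or another trusted environment rather than from the possibly infected system.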
  • by yeremein ( 678037 ) on Tuesday January 08, 2008 @01:45AM (#21950312)
    Here [microsoft.com].

    It actually looks reasonable - you can still perform raw disk writes from userland (with admin rights, of course) - you just can't write over a mounted volume. Disk imaging utilities will still work, provided they dismount any volumes before they overwrite them (which they ought to be doing anyway; I should know, I wrote a Windows disk imaging utility at my last job).

    And of course, you can't dismount a disk with an active pagefile on it, so it solves that vulnerability. But it does so in a reasonable way--I can't really imagine why a well-behaved program would want to scribble over a mounted volume; you don't know whether the cache is just going to clobber what you wrote in a second anyway. So I apologize for my FUD in the parent message; this security feature actually seems to strike a good balance.

    Now the FUD in TFA is another story...
  • Re:Misleading... (Score:3, Interesting)

    by ajs318 ( 655362 ) on Tuesday January 08, 2008 @01:01PM (#21955752)
    Yeah, there's that. Carry a boot CD (maybe with several kernels) on an actual disc (in case you can't use a USB key... maybe better to use a cheap MP3 player preloaded with a repetitive techno track that can be played to anyone who asks), and a minimal tool kit (screwdriver handle with interchangeable bits, needle nose pliers, wire cutters, tweezers, a few motherboard jumpers, a few known good 13 Amp plug fuses, powerfinder screwdriver... I'd say a cordless soldering iron, solder and a canister of fuel if I didn't think that I really meant minimal... weigh the probability of needing a tool against the drawbacks of having to carry it) with you. You can then reset the BIOS password, fix the boot order, boot a kernel that works, mount the drives and chroot into the system, if you have to.


    "The worst case? Well ..... let's see. Have you got any CD burners in there?"
    "Yes, in the management suite, behind digital door locks. Or in the IT department. Digital locks again."
    "And do those management machines have a high-speed internet connection as well?"
    "Oh, yes."
    "Well, in that case ..... I reckon, in the absolute worst case, your friend could be doing whatever he wanted with your computer systems in about one hour."
    "One hour? That's not so bad. That gives us something. You say that's the worst case, right?"
    "Oh, yeah, from his point of view, one hour is the worst case. But if he's smart, he's probably already been and gone."
