Forgot your password?
typodupeerror
Security IT

Researchers Report Spike In Boot Time Malware 132

Posted by CmdrTaco
from the can't-fight-the-fever dept.
wiredmikey writes "In their most recent intelligence report, Symantec researchers pointed out a massive increase in the amount of boot time malware striking users, noting there have already been as many new boot time malware threats detected in the first seven months of 2011 as there were in the previous three years. Also known as MBR (master boot record) threats, the malware infect an area of the hard disk that makes them one of the first things to be read and executed when a computer is turned on. This enables the threats to effectively dodge many security defenses."
This discussion has been archived. No new comments can be posted.

Researchers Report Spike In Boot Time Malware

Comments Filter:
  • Could some form of encryption based on the BIOS password be used to lock the MBR?
    • Modern OSs bypass the BIOS when accessing hardware such as hard drives, where the MBR is stored.
      • by Jahava (946858)

        Modern OSs bypass the BIOS when accessing hardware such as hard drives, where the MBR is stored.

        Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.

        • by Osgeld (1900440)

          yea ok and just like those stupid horrible hard drive locks bios lockouts you look at it funny once and you bricked your drive

          NO THANKS

        • by GodInHell (258915)

          Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.

          Why bother? If the MBR is infected you can fix it and eventually unwind the damage. If you refuse to boot from the MBR you lock yourself out of the system until you find a copy of Knopix.

          • Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.

            Why bother? If the MBR is infected you can fix it and eventually unwind the damage. If you refuse to boot from the MBR you lock yourself out of the system until you find a copy of Knopix.

            Why does it have to be Knopix? And - doesn't EVERYONE have a copy lying around? Crap - my workstation has at least 30 *nix OS installation and/or LiveCD's lying around it. Some of them even mount NT drives by default!

    • Boot sector virus protection is available on most motherboards as far as I can tell. It prevents things from writing to the MBR without confirmation. Windows 7 also seems to popup UAC asking whether you really want to let something write to that area of the HDD from my experience.

      • by Suferick (2438038)
        Well that's all right then, because people always read UAC alerts and heed security warnings
      • Re:BIOS password (Score:5, Interesting)

        by HermMunster (972336) on Wednesday August 24, 2011 @11:56AM (#37192990)

        Not correct. Most of the MBR infections seem to be on Win7 64bit.

        These programs set themselves up before anyone notices and we have little opportunity to react by modifying the bios from the default.

        These programs will also write virtual file (system) that is encrypted and hence the malware can't scan it to find and remove the viruses.

        What they are also missing in their explanation of the increase is that these malware guys are doing far more than just modifying that portion of the drive. They will erase all your "all programs" folder contents and hide all your personal files and modify the registry and other permissions making it very difficult to recover from even when you discover they are there and try a removal procedure.

        What Symantec also didn't explain was that it takes a lot of work to rid the computer of these viruses and that the average antivirus tools are highly unsuccessful at the removal. None of the antivirus software tries to correct the problems created even if they can get rid of the virus. I know some anti-malware apps try to reset some registry keys to default, but that's not what I'm talking about.

        You can really screw things up unless you know what you are doing. Even Microsoft has thrown their arms up at times giving up with the directive that you should erase first in some cases because you just can't be sure you got rid of the malware.

        Of course this emboldens the malware authors because it tells them that they are headed in the right direction or are already successful. Hell, if you can get the biggest software company in the world to give up then you win.

  • by sweatyboatman (457800) <sweatyboatman AT hotmail DOT com> on Wednesday August 24, 2011 @10:24AM (#37191720) Homepage Journal

    No actual information in the linked article. No way of verifying what they're saying is true or useful.

    But don't worry. I am sure Symantec will happily sell you something that will "protect" you from this flood of MBR viruses.

    • by jonwil (467024)

      There is a reason I have vowed NEVER to install anything Symantec or McAfee make on ANY PC I own...

      • Ditto. Way back, in the Win98 days, McAfee actually destroyed an installation of Windows. So, I swore off of McAfee. OnTrack seemed a likely candidate - but they sold out to someone. I flirted with Symantec for awhile, primarily because Norton's name was associated with them. Finally got tired of that stupidity. I branched out to some lesser knowns - Comodo, Tiny, and others. Tiny was actually pretty damned good - but complicated.

        Ultimately, I gave up on all of them. Now, I'm a distro hopper. I ju

        • by gatkinso (15975)

          >> Way back, in the Win98 days, McAfee actually destroyed an installation of Windows

          For once McAfee worked!

    • by Osgeld (1900440)

      Yea I love these stories, every single one of them is from a security firm, but never mention what the fuck they are going to do about it. as if they actually did anything in the first place except bog your computer down and beg for money cause they quarantined a word file

    • by Anonymous Coward

      I found an MBR virus about two weeks ago. Of the free products I've been pushing, MS Security Essentials was the only one to detect it. And the only way I could get rid of it was to use an XP install disk to rewrite the MBR.

      I usually don't trust MS any further than I can throw a PC JR, but so far they seem to have their stuff together with Security Essentials.

      • Actually - I have to give MS a grudging "attaboy" for MS Security Essentials. I tested, and retested it a few times. It's pretty fast, pretty effective, light on resources, updated regularly - it's very nearly what McAfee, Symantec, and the others wish they could be! Given an administrator, and users, who actually READ those warnings from the OS and from their ant-malware app, MSE can be very effective.

        Of course, as long as users just dismiss warnings, nothing can effectively secure their machines.

    • by couchslug (175151)

      "But don't worry. I am sure Symantec will happily sell you something that will "protect" you from this flood of MBR viruses."

      More nuke-and-paves for me. Mmmmm....pocket money.

    • What, have they decided to break into the market of effective Antivirus scanners?

  • Don't know for sure anymore, but it used to be that each partition on the disk had 512 bytes of meta-data associated with it. On boot slices, that 512 was the MBR. On non-boot slices that 512 held info about extended partitions and such. You could save that 512 bytes to some disk medium and write it back later. Cheaper than paying mcaffe/symantec/extorsion.

    save MBR from first scsi (sata) disk
    dd if=/dev/sda of=/media/usb/mbr.bin bs=512 count=1

    when you need to restore:

    • by m50d (797211)
      If you're competent enough to figure out you need to boot a CD and remove it, you can then fdisk /mbr or equivalent - no need to have backed it up originally.
    • The problem is that these viruses affect not only the master boot, but many other stages :
      the bootloader,
      they run rootkits,
      etc.

      If you just wipe out the boot record, the further stages of the virus are still here (only these stages will be less stealthy and won't necessarily come back after deletion, as there's a previous stage missing for hiding/respwanning).

      And once the whole system and the whole virus are up and running, it can probably re-write the MBR again.

      What you need, after restoring the MBR, is to

    • by PPH (736903)

      Doesn't GRUB (and other bootloaders) offer the option to rewrite their first stage to the boot device MBR? And since every OS distro customizes the GRUB configuration (not to mention some people who like to fiddle with defaults 'just because') good luck to that malware finding the recovery copy to infect as well.

  • Get a bootable windows 95 disk with fdisk on it and type fdisk /mbr. That will rewrite the boot record and make things less nasty

    • by Osgeld (1900440)

      yea go try it on your machine right now, NT (which is what we have been using for about a decade now) wont load

      use your current windows boot cd and use the recovery console

    • Pretty sure XP and Vista will refuse to boot once you do that. NT and especially 7/vista have very different bootloaders than 95.

  • an increase in this type of malware in my occupation, I suppose it could be called a spike if +2 since January indicates a spike. Oh, part of my job is detecting and informing users of malware infections on a Class A network.
  • PCs should come with a button that says "RESCUE ME" that if pressed on power-on boots to a read-only BIOS that boots a locked-down, vendor-signed operating system that gives the user local rescue options and, if network-connected, some network-based rescue options.

    On machines sold as Windows machines this would include:
    * An online virus check and remediation for common viruses that prevent booting into Windows "safe mode with networking" without the infection loading. Any other viruses can be remediated by

    • by hoggoth (414195)

      They have this. It's called a Live-CD.
      It just doesn't come with the PC.

  • Taken directly from the article. "Ramnit spreads through removable drives and by infecting executable files such as .DLL, .EXE and .HTM extensions." Disable autoplay and don't allow the browser to run scripts. These are two basic security measures that users should implement by default anyways. Not doing so is just asking for trouble.
    • What happens when that virus also goes after mapped drives, as many viruses do? What happens when it "super-hides" all the folders, and places look-alike exe's with a folder icon in their place (remember, by default the .exe extension is hidden)?

      Takes a little more security than "disable autoplay"; to really secure from these sorts of nasties you need to be working with NTFS permissions and/or GPOs to control which directories are executable.

      • I'm not saying that disabling autoplay will stop an active infection, but I'm saying that it WILL help prevent it from happening. It's not that hard to tell the difference between a folder and a file; I don't need windows group policy to tell me not to click on every executable that's lobbed in my general direction. While we're on the subject of security practices, look up NTFS/ADS. That's where the real problem lies, and it still hasn't been fixed since its inception, with the exception of the more rec
        • I'm not saying that disabling autoplay will stop an active infection, but I'm saying that it WILL help prevent it from happening.

          And my point was no, not always, sometimes users are browsing a network share, and click that exe-that-looks-like-a-folder, and it appears to open normally, except now theyre infected too.

          While we're on the subject of security practices, look up NTFS/ADS

          AD and NTFS are known for their remarkable security, actually; NTFS's ACLs are generally much much more granular than EXT3/4, or UFS, and I believe HFS+ (anything that uses basic chmod with 3-bit acls). You can sort of kludge on more advanced ACLs, but there nothing like the things you can do in NTFS, like allowing only

          • I'd love a use case.
            • A client recently requested this.

              They wanted a setup where users could be members of groups such as Region1 and Region2, and each would have their OWN folder within their Region's share. Only that particular user would have access to their folder in that region, except for the manager who should be able to see everyones "personal" folder. Additionally, users must be able to have seperate folders in each region if they are members of more than one region.

              My solution was to create a regional folder ("Region

  • 1986 called. (Score:2, Insightful)

    by idontgno (624372)
    They want their boot-sector viruses back.
  • I don't even see a situation where windows would need to modify the MBR after installation - so why do they even allow it to?
  • If a bios does not inherent security checking for the mbr of a drive, to see if malware or virus exists, then it is crap, and almost 99% of all bios out there do not have this.....hence...maybe if symantec gave out some free code for mbr checked to all bios writers, it would be a great day in paradise !

    • Grats, your plan disallows booting to encrypted partitions, or for using updated, newer bootloaders; and if it does not, then it easily lets through updated, repacked mbr viruses.

      • why would you say that, if the av checking the bios is kept up to date then there would be no problems detecting the repacked mbr viruses

        • What happens when that detection marks a TrueCrypt MBR (which stores the decryption key for the whole drive) as a virus, and kills it? "Whoops, I accidentally all your data"?

          What happens when a virus update kills the BIOS due to a bad write?

          • >What happens when that detection marks a TrueCrypt MBR (which stores the decryption key for the whole drive) as a virus, and kills it? "Whoops, I accidentally all >your data"?
            TrueCrypt has special markers within its headers to allow any know AV software know that it is encrypted with TrueCrypt...this would not be a problem.

            >What happens when a virus update kills the BIOS due to a bad write
            You make sure that the main BIOS chip is non editable due to a pin setting on the board, to allow a BIOS updat

    • Does EFI firmware offer that? Intel has been trying to get us to switch since the dawn of this century. Only the mac has truly adopted it and I wonder why? It is not like we need DOS compatibility anymore

    • by ksd1337 (1029386)
      Why the hell would you want to write antivirus software into a BIOS?
      • rootkits my friend, rootkits....

        • by ksd1337 (1029386)

          Perhaps, but when you say "antivirus software", I think of memory-, processor-, and time-draining.

          If there is some way to optimize the software for pre-boot, then maybe I'd be less wary of it.

  • The laptop I am typing this on has such a rootkit installed. It was the only way to defeat the crazy DRM and WGA. It is called hacktook.killwpa.2 or something of that nature.

    It does nothing bad, but using an alternative bootloader is the only way to get around the piracy prevention mechanisms as Windows 7 is pretty locked down. Of course the Windows 7 kernel will not work with a regular bootloader that is unsigned. Grub gets around this by providing a pointer to the MS bootloader, but that wont defeat the a

  • There, the corrected headline .. why not just make the MBR read-only .. ?
  • That this spike in malware co-incides with Symantec's declining sales of Norton anti-virus products. Why don't they just die quietly?
  • Drives set up to use the GPT will have an effect on this type of attack. Checking the first sector on boot for corruption/changes, hopefully, will tip the owner off to intrusion.

  • I don't even remember the last time I've rebooted; I must be safe! ;)

"The hottest places in Hell are reserved for those who, in times of moral crisis, preserved their neutrality." -- Dante

Working...