Researchers Report Spike In Boot Time Malware
wiredmikey writes "In their most recent intelligence report, Symantec researchers pointed out a massive increase in the amount of boot time malware striking users, noting there have already been as many new boot time malware threats detected in the first seven months of 2011 as there were in the previous three years. Also known as MBR (master boot record) threats, the malware infect an area of the hard disk that makes them one of the first things to be read and executed when a computer is turned on. This enables the threats to effectively dodge many security defenses."
Seriously . . . Takes me back to HS. (Score:3)
BIOS password (Score:1)
Re: (Score:1)
Re: (Score:2)
Modern OSs bypass the BIOS when accessing hardware such as hard drives, where the MBR is stored.
Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.
Re: (Score:1)
Yeah, OK, and just like those stupid horrible hard drive lock BIOS lockouts: you look at it funny once and you've bricked your drive.
NO THANKS
Re: (Score:2)
Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.
Why bother? If the MBR is infected you can fix it and eventually unwind the damage. If you refuse to boot from the MBR you lock yourself out of the system until you find a copy of Knoppix.
Re: (Score:2)
Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.
Why bother? If the MBR is infected you can fix it and eventually unwind the damage. If you refuse to boot from the MBR you lock yourself out of the system until you find a copy of Knoppix.
Why does it have to be Knoppix? And - doesn't EVERYONE have a copy lying around? Crap - my workstation has at least 30 *nix OS installations and/or LiveCDs lying around it. Some of them even mount NT drives by default!
Re: (Score:1)
You're an idiot.
Try a TPM or BIOS-only flashrom.
Now that's some funny shit right there.
Re: (Score:2)
Boot sector virus protection is available on most motherboards as far as I can tell. It prevents things from writing to the MBR without confirmation. Windows 7 also seems to pop up UAC asking whether you really want to let something write to that area of the HDD, from my experience.
Re: (Score:1)
Re:BIOS password (Score:5, Interesting)
Not correct. Most of the MBR infections seem to be on Win7 64bit.
These programs set themselves up before anyone notices and we have little opportunity to react by modifying the bios from the default.
These programs will also write a virtual file (system) that is encrypted, and hence the anti-malware can't scan it to find and remove the viruses.
What they are also missing in their explanation of the increase is that these malware guys are doing far more than just modifying that portion of the drive. They will erase all your "all programs" folder contents and hide all your personal files and modify the registry and other permissions making it very difficult to recover from even when you discover they are there and try a removal procedure.
What Symantec also didn't explain was that it takes a lot of work to rid the computer of these viruses and that the average antivirus tools are highly unsuccessful at the removal. None of the antivirus software tries to correct the problems created even if they can get rid of the virus. I know some anti-malware apps try to reset some registry keys to default, but that's not what I'm talking about.
You can really screw things up unless you know what you are doing. Even Microsoft has thrown their arms up at times giving up with the directive that you should erase first in some cases because you just can't be sure you got rid of the malware.
Of course this emboldens the malware authors because it tells them that they are headed in the right direction or are already successful. Hell, if you can get the biggest software company in the world to give up then you win.
Re: (Score:2)
>>...to give up then you win.
Win what?
Re: (Score:1)
Win what?
Money. Lots of money.
You win your victim's computer (Score:1)
Win what?
You p0wn it you 0wn it.
Re: (Score:2)
Even Microsoft has thrown their arms up at times giving up with the directive that you should erase first in some cases because you just can't be sure you got rid of the malware.
This is why they invented disk imaging software....
Re: (Score:2)
Unrealistic. Your response is disingenuous.
Re: (Score:1)
Re: (Score:1)
Re:BIOS password (Score:4, Informative)
You don't need to: just verify the MBR at least every boot (with a utility running late, in Windows),
No good. You have to verify the MBR before the virus has loaded, or it can just fake it.
No Information - Just Fear (Score:5, Insightful)
No actual information in the linked article. No way of verifying what they're saying is true or useful.
But don't worry. I am sure Symantec will happily sell you something that will "protect" you from this flood of MBR viruses.
Re: (Score:2)
Symantec: And now we've installed Symantec FireVirusWallMonsterApp2011. Don't worry, it's normal if every other process you try to run takes 15 minutes to start. At least you're secure!!!! Now please pay us annually to keep those slow speeds coming.
Re: (Score:3)
As computer scientists and security researchers have proven (with big scary math!), virtually all malware requires CPU cycles and memory in order to harm your system. By starving everything that might be a virus of these precious resources, Symantec keeps you safe from the malware scourge.
Re: (Score:2)
http://en.wikipedia.org/wiki/Baton_(law_enforcement)#Sap [wikipedia.org]
Re: (Score:2)
Re: (Score:2)
There is a reason I have vowed NEVER to install anything Symantec or McAfee make on ANY PC I own...
Re: (Score:2)
Ditto. Way back, in the Win98 days, McAfee actually destroyed an installation of Windows. So, I swore off of McAfee. OnTrack seemed a likely candidate - but they sold out to someone. I flirted with Symantec for a while, primarily because Norton's name was associated with them. Finally got tired of that stupidity. I branched out to some lesser knowns - Comodo, Tiny, and others. Tiny was actually pretty damned good - but complicated.
Ultimately, I gave up on all of them. Now, I'm a distro hopper. I ju
Re: (Score:3)
>> Way back, in the Win98 days, McAfee actually destroyed an installation of Windows
For once McAfee worked!
Re: (Score:1)
Yeah, I love these stories; every single one of them is from a security firm, but they never mention what the fuck they are going to do about it, as if they actually did anything in the first place except bog your computer down and beg for money because they quarantined a Word file.
Re: (Score:1)
I found an MBR virus about two weeks ago. Of the free products I've been pushing, MS Security Essentials was the only one to detect it. And the only way I could get rid of it was to use an XP install disk to rewrite the MBR.
I usually don't trust MS any further than I can throw a PC JR, but so far they seem to have their stuff together with Security Essentials.
Re: (Score:2)
Actually - I have to give MS a grudging "attaboy" for MS Security Essentials. I tested, and retested it a few times. It's pretty fast, pretty effective, light on resources, updated regularly - it's very nearly what McAfee, Symantec, and the others wish they could be! Given an administrator, and users, who actually READ those warnings from the OS and from their anti-malware app, MSE can be very effective.
Of course, as long as users just dismiss warnings, nothing can effectively secure their machines.
Re: (Score:2)
"But don't worry. I am sure Symantec will happily sell you something that will "protect" you from this flood of MBR viruses."
More nuke-and-paves for me. Mmmmm....pocket money.
Re: (Score:2)
What, have they decided to break into the market of effective Antivirus scanners?
Re: (Score:2)
I didn't know Seattle [wikipedia.org] was in Canada.
Re: (Score:2)
Boot knoppix, save copy of MBR (Score:2)
Don't know for sure anymore, but it used to be that each partition on the disk had 512 bytes of metadata associated with it. On boot slices, that 512 was the MBR. On non-boot slices that 512 held info about extended partitions and such. You could save that 512 bytes to some disk medium and write it back later. Cheaper than paying McAfee/Symantec/extortion.
Save the MBR from the first SCSI (SATA) disk:
dd if=/dev/sda of=/media/usb/mbr.bin bs=512 count=1
when you need to restore:
Re: (Score:1)
Re: (Score:1)
Not single stage.... (Score:3)
The problem is that these viruses affect not only the master boot, but many other stages :
the bootloader,
they run rootkits,
etc.
If you just wipe out the boot record, the further stages of the virus are still there (only these stages will be less stealthy and won't necessarily come back after deletion, as there's a previous stage missing for hiding/respawning).
And once the whole system and the whole virus are up and running, it can probably re-write the MBR again.
What you need, after restoring the MBR, is to
Re: (Score:2)
Doesn't GRUB (and other bootloaders) offer the option to rewrite their first stage to the boot device MBR? And since every OS distro customizes the GRUB configuration (not to mention some people who like to fiddle with defaults 'just because') good luck to that malware finding the recovery copy to infect as well.
Re: (Score:3)
"No worries, I've got a DOS boot floppy with F-Prot on it right here. Now I just need to find a floppy drive..."
No, just use Winimage to make a .IMA file then use that file to burn a floppy-emulation CD/DVD. Throw some utils in the root directory while you are at it.
This is the shit if you want a very well thought out live CD toolkit containing PE/Linux/DOS:
http://falconfour.wordpress.com/2011/03/12/falconfours-ultimate-boot-cdusb-4-5/ [wordpress.com]
Re: (Score:2)
I should have added "download a boot floppy image" and convert it to a .IMA file. I use Win98SE images but you can Google plenty of choices.
Re: (Score:2)
Y'all are doing it the hard way.
Grab ubuntu CD. Boot to live mode. Install "ms-sys". Issue command "ms-sys -m /dev/sda", or whatever the proper switch is for your edition of windows. Browse /dev/sda1, removing all executables from %appdata% and any suspicious drivers. Reboot, and perform a cleanup from safe mode.
No need for specialized disks, and if you really can't stand having to download ms-sys every time you can just re-roll your own custom Ubuntu (or Mint, or whatever) based distro.
why is this such a big deal (Score:2)
Get a bootable Windows 95 disk with fdisk on it and type fdisk /mbr. That will rewrite the boot record and make things less nasty.
Re: (Score:1)
Yeah, go try it on your machine right now; NT (which is what we have been using for about a decade now) won't load.
Use your current Windows boot CD and use the Recovery Console.
Re: (Score:3)
Pretty sure XP and Vista will refuse to boot once you do that. NT and especially 7/Vista have very different bootloaders than 95.
Have noticed (Score:2)
Why every device should come with a rescue plan (Score:2)
PCs should come with a button that says "RESCUE ME" that if pressed on power-on boots to a read-only BIOS that boots a locked-down, vendor-signed operating system that gives the user local rescue options and, if network-connected, some network-based rescue options.
On machines sold as Windows machines this would include:
* An online virus check and remediation for common viruses that prevent booting into Windows "safe mode with networking" without the infection loading. Any other viruses can be remediated by
Re: (Score:2)
They have this. It's called a Live-CD.
It just doesn't come with the PC.
Re: (Score:1)
They have this. It's called a Live-CD.
It just doesn't come with the PC.
Then it doesn't come with it.
Also, most PCs have modifiable, infectable BIOSes and they don't come with a read-only rescue BIOS.
your live CD updates the BIOS? (Score:2)
Cuz mine doesn't.
Re: (Score:1)
Yes, but across the industry not just on a few computers.
The ability to recover from an infection should be available out-of-the-box on all boxes.
Re: (Score:1)
Your entire comment misses the point:
Devices need to ship with a "walled garden rescue mode" BIOS that is actually read-only and un-infectable. This BIOS would activate when the user powered on while holding down the "rescue me" button.
In this mode, the only code that could execute would be trusted code. This would specifically exclude malware of course.
Basically the BIOS would be broken down into 3 parts:
A read-only, un-infectable "BIOS loader" that would check to see if the "rescue me" button was presse
Re: (Score:1)
For Windows machines... What if Microsoft, being they are the author of their code, released an image of a bootable CD that's only function was to verify the integrity of an installed version of Windows on the hard drive?
It would have the capability of restoring mangled kernel files.
For trust's sake, one would have to get it from Microsoft or one of their approved vendors. The disk would be insufficient to pirate a full-blown installation of Windows, but would be able
Pretty easy to prevent infection on this one. (Score:1)
Re: (Score:1)
Re: (Score:2)
Why the heck would anything running in a web-browser be able to write to the MBR?!?
Well, if you're running on XP you're probably an administrator so a browser exploit can write to anything. And if you're a typical user running Windows 7 then you'll click 'Yes' when UAC asks 'Do you want to allow Internet Exploder to: do some shit you don't understand?'
Re: (Score:1)
NOTHING has access to the physical disk directly unless it is a program coming off of the physical media that the machine was booted with (An OS installation ISO).
Solution:
1. copy malware executable to system disk
2. relaunch
3. ???
4. write to MBR
Re: (Score:3)
What happens when that virus also goes after mapped drives, as many viruses do? What happens when it "super-hides" all the folders, and places look-alike exe's with a folder icon in their place (remember, by default the .exe extension is hidden)?
Takes a little more security than "disable autoplay"; to really secure from these sorts of nasties you need to be working with NTFS permissions and/or GPOs to control which directories are executable.
Re: (Score:1)
Re: (Score:2)
I'm not saying that disabling autoplay will stop an active infection, but I'm saying that it WILL help prevent it from happening.
And my point was no, not always; sometimes users are browsing a network share, and click that exe-that-looks-like-a-folder, and it appears to open normally, except now they're infected too.
While we're on the subject of security practices, look up NTFS/ADS
AD and NTFS are known for their remarkable security, actually; NTFS's ACLs are generally much, much more granular than EXT3/4, or UFS, and I believe HFS+ (anything that uses basic chmod with 3-bit ACLs). You can sort of kludge on more advanced ACLs, but there's nothing like the things you can do in NTFS, like allowing only
Re: (Score:1)
Re: (Score:2)
A client recently requested this.
They wanted a setup where users could be members of groups such as Region1 and Region2, and each would have their OWN folder within their Region's share. Only that particular user would have access to their folder in that region, except for the manager, who should be able to see everyone's "personal" folder. Additionally, users must be able to have separate folders in each region if they are members of more than one region.
My solution was to create a regional folder ("Region
1986 called. (Score:2, Insightful)
Why does Windows need access to the MBR? (Score:1)
Re: (Score:1)
The MBR contains the partition table. If you want to resize or move a partition, you need to write a new partition table to the MBR.
Re: (Score:2)
Truecrypt, OS installation /repair, changing partition table, etc.
Re: (Score:1)
An OS upgrade or menu options at boot time. Also how do you get into safe mode?
bad bios (Score:2)
If a BIOS does not have inherent security checking for the MBR of a drive, to see if malware or a virus exists, then it is crap, and almost 99% of all BIOSes out there do not have this..... hence... maybe if Symantec gave out some free code for MBR checking to all BIOS writers, it would be a great day in paradise!
Re: (Score:2)
Grats, your plan disallows booting to encrypted partitions, or using updated, newer bootloaders; and if it does not, then it easily lets through updated, repacked MBR viruses.
Re: (Score:2)
Why would you say that? If the AV checking the BIOS is kept up to date then there would be no problems detecting the repacked MBR viruses.
Re: (Score:2)
What happens when that detection marks a TrueCrypt MBR (which stores the decryption key for the whole drive) as a virus, and kills it? "Whoops, I accidentally all your data"?
What happens when a virus update kills the BIOS due to a bad write?
Re: (Score:2)
>What happens when that detection marks a TrueCrypt MBR (which stores the decryption key for the whole drive) as a virus, and kills it? "Whoops, I accidentally all your data"?
TrueCrypt has special markers within its headers to let any known AV software know that it is encrypted with TrueCrypt... this would not be a problem.
>What happens when a virus update kills the BIOS due to a bad write?
You make sure that the main BIOS chip is non editable due to a pin setting on the board, to allow a BIOS updat
Re: (Score:1)
Does EFI firmware offer that? Intel has been trying to get us to switch since the dawn of this century. Only the Mac has truly adopted it, and I wonder why? It is not like we need DOS compatibility anymore.
Re: (Score:1)
Re: (Score:2)
rootkits my friend, rootkits....
Re: (Score:2)
Perhaps, but when you say "antivirus software", I think of memory-, processor-, and time-draining.
If there is some way to optimize the software for pre-boot, then maybe I'd be less wary of it.
Piracy cracks (Score:1)
The laptop I am typing this on has such a rootkit installed. It was the only way to defeat the crazy DRM and WGA. It is called hacktook.killwpa.2 or something of that nature.
It does nothing bad, but using an alternative bootloader is the only way to get around the piracy prevention mechanisms, as Windows 7 is pretty locked down. Of course the Windows 7 kernel will not work with a regular bootloader that is unsigned. Grub gets around this by providing a pointer to the MS bootloader, but that won't defeat the a
massive increase in Symantec malware FUD (Score:1)
It's no surprise (Score:2)
GPT the cure? (Score:2)
Drives set up to use the GPT will have an effect on this type of attack. Checking the first sector on boot for corruption/changes, hopefully, will tip the owner off to intrusion.
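The "Boot knoppix, save copy of MBR" post above saves the first sector with dd, and this post suggests checking that sector for changes; the thread also notes such a check must run before the infected system boots, i.e. from a live medium. The following is an added example (not from any poster) that parses a saved 512-byte sector, hashes its bootstrap code and decodes its partition table, and reports what differs from the live sector; the sample sectors and the file path mbr.bin are constructed for the demonstration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440      # bytes 0..439 hold the bootstrap code an MBR infection replaces
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the disk signature
SIGNATURE = b"\x55\xAA"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector (e.g. the dd output saved to mbr.bin) into its fields."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "disk_signature": sector[440:444].hex(),
            "partitions": partitions,
            "valid_signature": sector[510:512] == SIGNATURE}

def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings as strings; an empty list means the sector matches the baseline."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code modified")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    for i, (b, c) in enumerate(zip(base["partitions"], cur["partitions"])):
        if b != c:
            findings.append(f"partition entry {i} changed")
    return findings

def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Constructed fixture for testing; not a real disk image."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off:off + 16] = struct.pack("<B3xB3xII", 0x80 if bootable else 0,
                                           ptype, lba_start, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)

# Constructed baseline standing in for mbr.bin, and a copy whose bootstrap bytes were
# overwritten while the partition table was left intact (the pattern the thread describes).
BASELINE = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C", [(True, 0x07, 2048, 204800)])
TAMPERED = b"\xEB\xFE\x90\x90" + BASELINE[4:]

if __name__ == "__main__":  # usage (from a live medium): check_mbr.py /media/usb/mbr.bin /dev/sda
    import sys
    saved = open(sys.argv[1], "rb").read(MBR_SIZE)
    live = open(sys.argv[2], "rb").read(MBR_SIZE)
    print("\n".join(compare_mbr(saved, live) or ["MBR matches saved copy"]))
```

A partition table that still matches while the boot code hash differs is the signature of an MBR infection rather than a repartition, which is why the two are reported separately.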
No problem; who reboots anymore?! (Score:2)
I don't even remember the last time I've rebooted; I must be safe! ;)
Re:Figures (Score:4, Insightful)
Natch. (Score:2)
Re: (Score:2)
Re: (Score:2)
No. By your own premise, virus scanners don't work... clearly, the exploit blew right through and overwrote the boot sector.
A technicality for certain, but "run in the bios" is a nonsense phrase. You most likely mean "as part of the POST"?