Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Researchers Report Spike In Boot Time Malware

CmdrTaco posted more than 2 years ago | from the can't-fight-the-fever dept.

Security 132

wiredmikey writes "In their most recent intelligence report, Symantec researchers pointed out a massive increase in the amount of boot time malware striking users, noting there have already been as many new boot time malware threats detected in the first seven months of 2011 as there were in the previous three years. Also known as MBR (master boot record) threats, the malware infect an area of the hard disk that makes them one of the first things to be read and executed when a computer is turned on. This enables the threats to effectively dodge many security defenses."

cancel ×

132 comments

Sorry! There are no comments related to the filter you selected.

Figures (-1, Flamebait)

dmmiller2k (414630) | more than 2 years ago | (#37191662)

I suppose the Tea Party will try to make this Obama's fault as well.

Re:Figures (-1)

Anonymous Coward | more than 2 years ago | (#37191704)

I suspect someone will blame tea party...

Re:Figures (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#37191724)

Great, a political discussion on the internet!

>Damn libtards!
>>Damn conservatards!
>Damn libtards!
>>Damn conservatards!
>Damn libtards!
>>Damn conservatards!
>Damn libtards!
>>Damn conservatards!
>Damn libtards!
>>Damn conservatards!

Re:Figures (0)

Anonymous Coward | more than 2 years ago | (#37191742)

I'm sorry, but that is an incorrect answer. The correct answer is, "And then Obama will try to shift the blame onto Bush".

Re:Figures (3, Insightful)

Tsingi (870990) | more than 2 years ago | (#37192116)

Who probably did it.

Natch. (1)

GodInHell (258915) | more than 2 years ago | (#37193254)

Who else?

Re:Natch. (1)

Tsingi (870990) | more than 2 years ago | (#37193394)

Cheney and Rumsfeld.

Of course (0)

Anonymous Coward | more than 2 years ago | (#37191826)

Of course it's Obama's fault. He's the current president and everybody always blames that guy for everything.

And this entire thread deserves to be modded offtopic.

Everything old is new again (0)

Anonymous Coward | more than 2 years ago | (#37191672)

Soon you'll be telling me they're back to using TSR!

Seriously . . . Takes me back to HS. (2)

GodInHell (258915) | more than 2 years ago | (#37193334)

There was the one particularly ugly virus that got into the systems of the company I provided IT services for in HS. Back then it kept getting reinstalled with boot-leg versions of DOOM and Duke Nukem 3d that the users would install and uninstall after I went home for the evening. Took me months to figure out how it kept getting back on the systems.

BIOS password (1)

ksd1337 (1029386) | more than 2 years ago | (#37191676)

Could some form of encryption based on the BIOS password be used to lock the MBR?

Re:BIOS password (0)

The MAZZTer (911996) | more than 2 years ago | (#37191730)

Modern OSs bypass the BIOS when accessing hardware such as hard drives, where the MBR is stored.

Re:BIOS password (1)

Jahava (946858) | more than 2 years ago | (#37191858)

Modern OSs bypass the BIOS when accessing hardware such as hard drives, where the MBR is stored.

Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.

Re:BIOS password (1)

MichaelKristopeit422 (2018884) | more than 2 years ago | (#37191926)

you could sign the MBR block, sure, but then the vulnerability moves from the MBR block to the MBR key block... if the malware could already write to the MBR, they could also write to the MBR key block.

you're an idiot.

Re:BIOS password (0)

Anonymous Coward | more than 2 years ago | (#37192010)

Your in idiot.

Try a TPM or BIOS-only flashrom.

Re:BIOS password (1)

mick_S3 (871725) | more than 2 years ago | (#37192534)

Your in idiot.

Try a TPM or BIOS-only flashrom.

Now that's some funny shit right there.

Re:BIOS password (0)

PenisLands (930247) | more than 2 years ago | (#37193524)

Hahah, Michael Kristopeit. I hadn't seen you for a while. I'm really glad to see you around again.

PENIS FOREVER!!! !!! !!!

Re:BIOS password (1)

Osgeld (1900440) | more than 2 years ago | (#37192218)

yea ok and just like those stupid horrible hard drive locks bios lockouts you look at it funny once and you bricked your drive

NO THANKS

Re:BIOS password (1)

GodInHell (258915) | more than 2 years ago | (#37193366)

Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.

Why bother? If the MBR is infected you can fix it and eventually unwind the damage. If you refuse to boot from the MBR you lock yourself out of the system until you find a copy of Knopix.

Re:BIOS password (1)

Runaway1956 (1322357) | more than 2 years ago | (#37194514)

Writing, sure, but you could have the BIOS refuse to boot any MBR not signed by its password/key.

Why bother? If the MBR is infected you can fix it and eventually unwind the damage. If you refuse to boot from the MBR you lock yourself out of the system until you find a copy of Knopix.

Why does it have to be Knopix? And - doesn't EVERYONE have a copy lying around? Crap - my workstation has at least 30 *nix OS installation and/or LiveCD's lying around it. Some of them even mount NT drives by default!

Re:BIOS password (1)

SilentChasm (998689) | more than 2 years ago | (#37191776)

Boot sector virus protection is available on most motherboards as far as I can tell. It prevents things from writing to the MBR without confirmation. Windows 7 also seems to popup UAC asking whether you really want to let something write to that area of the HDD from my experience.

Re:BIOS password (1)

Suferick (2438038) | more than 2 years ago | (#37192136)

Well that's all right then, because people always read UAC alerts and heed security warnings

Re:BIOS password (4, Interesting)

HermMunster (972336) | more than 2 years ago | (#37192990)

Not correct. Most of the MBR infections seem to be on Win7 64bit.

These programs set themselves up before anyone notices and we have little opportunity to react by modifying the bios from the default.

These programs will also write virtual file (system) that is encrypted and hence the malware can't scan it to find and remove the viruses.

What they are also missing in their explanation of the increase is that these malware guys are doing far more than just modifying that portion of the drive. They will erase all your "all programs" folder contents and hide all your personal files and modify the registry and other permissions making it very difficult to recover from even when you discover they are there and try a removal procedure.

What Symantec also didn't explain was that it takes a lot of work to rid the computer of these viruses and that the average antivirus tools are highly unsuccessful at the removal. None of the antivirus software tries to correct the problems created even if they can get rid of the virus. I know some anti-malware apps try to reset some registry keys to default, but that's not what I'm talking about.

You can really screw things up unless you know what you are doing. Even Microsoft has thrown their arms up at times giving up with the directive that you should erase first in some cases because you just can't be sure you got rid of the malware.

Of course this emboldens the malware authors because it tells them that they are headed in the right direction or are already successful. Hell, if you can get the biggest software company in the world to give up then you win.

Re:BIOS password (1)

IWantMoreSpamPlease (571972) | more than 2 years ago | (#37193338)

>>...to give up then you win.

Win what?

Re:BIOS password (1)

Anonymous Coward | more than 2 years ago | (#37193492)

Win what?

 
Money. Lots of money.

You win your victim's computer (1)

davidwr (791652) | more than 2 years ago | (#37193904)

Win what?

You p0wn it you 0wn it.

Re:BIOS password (1)

Joce640k (829181) | more than 2 years ago | (#37193608)

Even Microsoft has thrown their arms up at times giving up with the directive that you should erase first in some cases because you just can't be sure you got rid of the malware.

This is why they invented disk imaging software....

Re:BIOS password (1)

HermMunster (972336) | more than 2 years ago | (#37194568)

Unrealistic. Your response is disingenuous.

Re:BIOS password (0)

Anonymous Coward | more than 2 years ago | (#37194406)

You don't need to: just verify the MBR at least every boot (with a utility running late, in Windows), then rewrite it from a backup when changed. Then give the user a notification and the oportunity to undo this. Simple as hell, What's the fuss??

Re:BIOS password (1)

ksd1337 (1029386) | more than 2 years ago | (#37194454)

So, like a version of Deep Freeze for the MBR?

No Information - Just Fear (5, Insightful)

sweatyboatman (457800) | more than 2 years ago | (#37191720)

No actual information in the linked article. No way of verifying what they're saying is true or useful.

But don't worry. I am sure Symantec will happily sell you something that will "protect" you from this flood of MBR viruses.

Re:No Information - Just Fear (0)

Anonymous Coward | more than 2 years ago | (#37191846)

Symantec: Nice computer you got there...it'd be a...shame...if something were to happen to it...

Re:No Information - Just Fear (1)

MightyMartian (840721) | more than 2 years ago | (#37191934)

Symantec: And now we've installed Symantec FireVirusWallMonsterApp2011. Don't worry, it's normal if every other process you try to run takes 15 minutes to start. At least your secure!!!! Now please pay us annually to keep those slow speeds coming.

Re:No Information - Just Fear (2)

fuzzyfuzzyfungus (1223518) | more than 2 years ago | (#37192020)

Symantec's Advanced Pre-emptive Defense technology is some of the industry's finest. It is really very lax of you to be so flippant about these matters.

As computer scientists and security researchers have proven(with big scary math!), virtually all malware requires CPU cycles and memory in order to harm your system. By starving everything that might be a virus of these precious resources, Symantec keeps you safe from the malware scourge.

Keeps you safe by (0)

Anonymous Coward | more than 2 years ago | (#37192244)

Symantec keeps you safe by hogging all the CPU cycles for itself. A buddy of mine bought a new laptop to run protools software for recording and Symantec keeps the app because its using too much memory. Great job!

Re:No Information - Just Fear (1)

jonwil (467024) | more than 2 years ago | (#37192234)

There is a reason I have vowed NEVER to install anything Symantec or McAfee make on ANY PC I own...

Re:No Information - Just Fear (1)

Runaway1956 (1322357) | more than 2 years ago | (#37194648)

Ditto. Way back, in the Win98 days, McAfee actually destroyed an installation of Windows. So, I swore off of McAfee. OnTrack seemed a likely candidate - but they sold out to someone. I flirted with Symantec for awhile, primarily because Norton's name was associated with them. Finally got tired of that stupidity. I branched out to some lesser knowns - Comodo, Tiny, and others. Tiny was actually pretty damned good - but complicated.

Ultimately, I gave up on all of them. Now, I'm a distro hopper. I just download a new version of Linux every week, and try it out. Not only is there no need for a "security solution" on Linux - but there is certainly no need for such a solution if you're just going to nuke from orbit every week or so!

"Set us up the bomb!"

Re:No Information - Just Fear (2)

gatkinso (15975) | more than 2 years ago | (#37194764)

>> Way back, in the Win98 days, McAfee actually destroyed an installation of Windows

For once McAfee worked!

Re:No Information - Just Fear (1)

Osgeld (1900440) | more than 2 years ago | (#37192236)

Yea I love these stories, every single one of them is from a security firm, but never mention what the fuck they are going to do about it. as if they actually did anything in the first place except bog your computer down and beg for money cause they quarantined a word file

Re:No Information - Just Fear (1)

Anonymous Coward | more than 2 years ago | (#37192500)

I found an MBR virus about two weeks ago. Of the free products I've been pushing, MS Security Essentials was the only one to detect it. And the only way I could get rid of it was to use an XP install disk to rewrite the MBR.

I usually don't trust MS any further than I can throw a PC JR, but so far they seem to have their stuff together with Security Essentials.

Re:No Information - Just Fear (0)

Anonymous Coward | more than 2 years ago | (#37194342)

How would an XP install disk fix your grub installation?

Oh wait, you DO trust M$

Re:No Information - Just Fear (1)

Runaway1956 (1322357) | more than 2 years ago | (#37194698)

Actually - I have to give MS a grudging "attaboy" for MS Security Essentials. I tested, and retested it a few times. It's pretty fast, pretty effective, light on resources, updated regularly - it's very nearly what McAfee, Symantec, and the others wish they could be! Given an administrator, and users, who actually READ those warnings from the OS and from their ant-malware app, MSE can be very effective.

Of course, as long as users just dismiss warnings, nothing can effectively secure their machines.

Re:No Information - Just Fear (1)

couchslug (175151) | more than 2 years ago | (#37193326)

"But don't worry. I am sure Symantec will happily sell you something that will "protect" you from this flood of MBR viruses."

More nuke-and-paves for me. Mmmmm....pocket money.

Re:No Information - Just Fear (1)

LordLimecat (1103839) | more than 2 years ago | (#37193602)

What, have they decided to break into the market of effective Antivirus scanners?

truth telling, disarming becomes topical, relevant (-1)

Anonymous Coward | more than 2 years ago | (#37191726)

not here of course, but there's plenty of interest in not dying in most of the rest of the wwworld today. we'll catch up?

Ancient concept (0)

Anonymous Coward | more than 2 years ago | (#37191774)

MBR malware is ooooooooooooooold. They existed back in the DOS days. (yes, that clunky old substitute of a shell pretending to be a real OS while being shamelessly marketed as Bill Gates invention despite being written in Canada by someone else).

A few years ago they were deemed to be extincted.

The fix in those days (using the shell/command line) : fdisk /mbr
Done.

Re:Ancient concept (1)

kbolino (920292) | more than 2 years ago | (#37191854)

I didn't know Seattle [wikipedia.org] was in Canada.

Re:Ancient concept (1)

PPH (736903) | more than 2 years ago | (#37192494)

Judging by the number of BC license plates, yes we are.

Boot knoppix, save copy of MBR (1)

sl4shd0rk (755837) | more than 2 years ago | (#37191784)

Don't know for sure anymore, but it used to be that each partition on the disk had 512 bytes of meta-data associated with it. On boot slices, that 512 was the MBR. On non-boot slices that 512 held info about extended partitions and such. You could save that 512 bytes to some disk medium and write it back later. Cheaper than paying mcaffe/symantec/extorsion.

save MBR from first scsi (sata) disk
        dd if=/dev/sda of=/media/usb/mbr.bin bs=512 count=1

when you need to restore:
        dd if=/media/usb/mbr.bin of=/dev/sda bs=512 count=1

Re:Boot knoppix, save copy of MBR (1)

m50d (797211) | more than 2 years ago | (#37191808)

If you're competent enough to figure out you need to boot a CD and remove it, you can then fdisk /mbr or equivalent - no need to have backed it up originally.

Re:Boot knoppix, save copy of MBR (0)

Anonymous Coward | more than 2 years ago | (#37192006)

True. But he's also using dd, which means he must have the sense to ALSO use linux outside of live CD's if he knows that much. So, fdisk /mbr might not be an option. Worst case scenario, he'll be wiping his Grub bootloader if he blindly uses the windows solution.

Re:Boot knoppix, save copy of MBR (0)

Anonymous Coward | more than 2 years ago | (#37192588)

If you're competent enough to figure out you need to boot a CD and remove it, you can then fdisk /mbr or equivalent - no need to have backed it up originally.

If you are competent enough to do that then you could avoid risky browsing behaviour all together.

Re:Boot knoppix, save copy of MBR (1)

m50d (797211) | more than 2 years ago | (#37194666)

I don't think that's implied. Press F12, choose boot from CD is a lot simpler than constant vigilance.

Not single stage.... (2)

DrYak (748999) | more than 2 years ago | (#37192270)

The problem is that these viruses affect not only the master boot, but many other stages :
the bootloader,
they run rootkits,
etc.

If you just wipe out the boot record, the further stages of the virus are still here (only these stages will be less stealthy and won't necessarily come back after deletion, as there's a previous stage missing for hiding/respwanning).

And once the whole system and the whole virus are up and running, it can probably re-write the MBR again.

What you need, after restoring the MBR, is to perform enough system repairs :
restore the boot loader, and scan the OS for infected file, only *then* you can reboot into the OS. Until that point, it's considered infected...

Re:Boot knoppix, save copy of MBR (1)

PPH (736903) | more than 2 years ago | (#37192414)

Doesn't GRUB (and other bootloaders) offer the option to rewrite their first stage to the boot device MBR? And since every OS distro customizes the GRUB configuration (not to mention some people who like to fiddle with defaults 'just because') good luck to that malware finding the recovery copy to infect as well.

fallback on old tech (0)

Anonymous Coward | more than 2 years ago | (#37191814)

No worries, I've got a DOS boot floppy with F-Prot on it right here. Now I just need to find a floppy drive...

Re:fallback on old tech (2)

couchslug (175151) | more than 2 years ago | (#37192278)

"No worries, I've got a DOS boot floppy with F-Prot on it right here. Now I just need to find a floppy drive..."

No, just use Winimage to make a .IMA file then use that file to burn a floppy-emulation CD/DVD. Throw some utils in the root directory while you are at it.

This is the shit if you want a very well thought out live CD toolkit containing PE/Linux/DOS:

http://falconfour.wordpress.com/2011/03/12/falconfours-ultimate-boot-cdusb-4-5/ [wordpress.com]

Re:fallback on old tech (1)

couchslug (175151) | more than 2 years ago | (#37192340)

I should have added "download a boot floppy image" and convert it to a .IMA file. I use Win98SE images but you can Google plenty of choices.

Re:fallback on old tech (1)

LordLimecat (1103839) | more than 2 years ago | (#37194106)

Yall are doing it the hard way.

Grab ubuntu CD. Boot to live mode. Install "ms-sys". Issue command "ms-sys -m /dev/sda", or whatever the proper switch is for your edition of windows. Browse /dev/sda1, removing all executables from %appdata% and any suspicious drivers. Reboot, and perform a cleanup from safe mode.

No need for specialized disks, and if you really cant stand having to download ms-sys every time you can just re-roll your own custom ubuntu (or mint, or whatever) based distro.

viruses have been hiding in the MBR for long time (0)

Anonymous Coward | more than 2 years ago | (#37191824)

i remember in the early 90's catching a boot sector virus from a public library terminal

Re:viruses have been hiding in the MBR for long ti (0)

Anonymous Coward | more than 2 years ago | (#37192094)

No, that was a Chinese whore.

why is this such a big deal (1)

loftwyr (36717) | more than 2 years ago | (#37191848)

Get a bootable windows 95 disk with fdisk on it and type fdisk /mbr. That will rewrite the boot record and make things less nasty

Re:why is this such a big deal (1)

Osgeld (1900440) | more than 2 years ago | (#37192464)

yea go try it on your machine right now, NT (which is what we have been using for about a decade now) wont load

use your current windows boot cd and use the recovery console

Re:why is this such a big deal (2)

LordLimecat (1103839) | more than 2 years ago | (#37194124)

Pretty sure XP and Vista will refuse to boot once you do that. NT and especially 7/vista have very different bootloaders than 95.

Re:why is this such a big deal (0)

Anonymous Coward | more than 2 years ago | (#37194418)

I recently moved 7 to a new motherboard after my old one died and it refused to boot even after using the recovery console to run bootrec /fixmbr and all that jazz. NT based systems are very picky about the bootloader. On XP it would have been possible to fix it with a repair install, but no longer.

Have noticed (1)

al0ha (1262684) | more than 2 years ago | (#37191898)

an increase in this type of malware in my occupation, I suppose it could be called a spike if +2 since January indicates a spike. Oh, part of my job is detecting and informing users of malware infections on a Class A network.

EFI? (0)

Anonymous Coward | more than 2 years ago | (#37192052)

Got a good question..

I've noticed a lot of newer motherboards, especially "sandy bridge" generation Intel systems and later, are shipping with EFI firmware (Usually with a bios compatibility mode enabled by default, though*). If you went the EFI route and booted from a GPT partitioned disk, would you be immune to old style boot sector viruses?

I guess it would depend on how the machine's firmware handled boot.

*Actually a lot of motherboards have been EFI from since before then, but with bios compatibility mode forced on with no way to turn it off - See InsydeH20

Re:EFI? (0)

Anonymous Coward | more than 2 years ago | (#37192440)

If you were doing a *true* UEFI boot, with a GPT disk, you would probably be OK, though I wouldn't guarantee it. Now, the real question is, how do you know if you're doing a true UEFI boot or not? OEM installations probably aren't but if you installed Windows 7 yourself, and knew what to look for then you could be reasonably sure (hint: boot device override menu, choose "UEFI: CD-ROM" or similar)

Why every device should come with a rescue plan (2)

davidwr (791652) | more than 2 years ago | (#37192144)

PCs should come with a button that says "RESCUE ME" that if pressed on power-on boots to a read-only BIOS that boots a locked-down, vendor-signed operating system that gives the user local rescue options and, if network-connected, some network-based rescue options.

On machines sold as Windows machines this would include:
* An online virus check and remediation for common viruses that prevent booting into Windows "safe mode with networking" without the infection loading. Any other viruses can be remediated by booting into that mode
* Backing up the entire drive or portions of it to DVD, USB device, or other common devices.
* Reloading an authenticated copy of the "normal" (non-rescue) BIOS from a CD, memory stick, or the hardware vendor web site.
* Re-creating the MBR to factory settings, except leaving the partition table alone
* If there is a recovery partition, validating it and rebuilding it from the web or DVDs if it is corrupted. If there is not and the disk is not full, offer to create one.
* An option to rebuild the disk from scratch using data from the Internet, DVD, or USB device.

Rescue plans for other devices like Routers or PCs that don't ship with an OS could be much simpler - their read-only rescue bios should provide a means to reset a corrupted boot configuration or replace a corrupted BIOS. Their "rescue me" button would also likely be much more obscure - probably a set of jumpers on a PC motherboard or an "insert paper clip" button on a router.

Re:Why every device should come with a rescue plan (0)

Anonymous Coward | more than 2 years ago | (#37192690)

PCs should come with a button that says "RESCUE ME" that if pressed on power-on boots to a read-only BIOS that boots a locked-down, vendor-signed operating system that gives the user local rescue options and, if network-connected, some network-based rescue options.

are you suggesting something like the chromeos verified boot?

Re:Why every device should come with a rescue plan (1)

davidwr (791652) | more than 2 years ago | (#37193874)

Yes, but across the industry not just on a few computers.

The ability to recover from an infection should be available out-of-the-box on all boxes.

Re:Why every device should come with a rescue plan (1)

hoggoth (414195) | more than 2 years ago | (#37193698)

They have this. It's called a Live-CD.
It just doesn't come with the PC.

Re:Why every device should come with a rescue plan (1)

davidwr (791652) | more than 2 years ago | (#37193816)

They have this. It's called a Live-CD.
It just doesn't come with the PC.

Then it doesn't come with it.

Also, most PCs have modifiable, infectable BIOSes and they don't come with a read-only rescue BIOS.

Re:Why every device should come with a rescue plan (0)

Anonymous Coward | more than 2 years ago | (#37194812)

"read-only BIOS"
You can prevent changes to the BIOS by setting a BIOS password.

"a locked-down, vendor-signed operating system"
We already have it, it's called Windows 7 x64. Standard users have little rights to do anything, and drivers need to be signed.

"local rescue options"
Yep, there are already rescue options. None to friendly, but they're there.

"if network-connected, some network-based rescue options"
To where exactly? If you're infected, you could be connecting to a malware site for the "rescue".

"* An online virus check and remediation for common viruses"
Have you tried to go to online virus checks when you're infected? Malware prevents you from going to those sites. They also block tools used to clean infections. Only the really simple ones are easy to clean.

"Any other viruses can be remediated by booting into that mode"
Assuming your anti-malware actually knows about the malware. I see new strains every day that don't get detected by any malware vendor.

"* Backing up the entire drive or portions of it to DVD, USB device, or other common devices."
Including backing up the malware? An infected backup is pretty useless. You can keep multiple copies of the drive, but do you know *when* you were infected and which backup is clean?

"* Reloading an authenticated copy of the "normal" (non-rescue) BIOS from a CD"
Do you know what a BIOS is and what it does? Corrupting a BIOS is pointless as it'll render the machine completely unusable.

"* Re-creating the MBR to factory settings"
What "factory settings"?

"* If there is a recovery partition, validating it and rebuilding it from the web or DVDs if it is corrupted."
Many OEM builds have hidden recovery partitions. You don't have access to them, because they don't want you to corrupt those partitions. Most PC vendors already allow you to create "rescue" DVDs so that you can rebuild your system. So what's the point of this bullet?

"If there is not and the disk is not full, offer to create one."
And create an infected recovery partition?

"* An option to rebuild the disk from scratch using data from the Internet, DVD, or USB device."
Yes, it's called a "recovery media", and most vendors already allow you build recovery media from secure locations and files that are not likely to get infected.

Pretty easy to prevent infection on this one. (1)

idbeholda (2405958) | more than 2 years ago | (#37192166)

Taken directly from the article. "Ramnit spreads through removable drives and by infecting executable files such as .DLL, .EXE and .HTM extensions." Disable autoplay and don't allow the browser to run scripts. These are two basic security measures that users should implement by default anyways. Not doing so is just asking for trouble.

Re:Pretty easy to prevent infection on this one. (0)

Anonymous Coward | more than 2 years ago | (#37192342)

Why the heck would anything running in a web-browser be able to write to the MBR?!? If Browser and/or OS security has gotten to this (horrible) state, then we need to scrap everything and start over. How about sandboxing every single application, with no shared storage (unless specifically allowed by the user), and NOTHING has access to the physical disk directly unless it is a program coming off of the physical media that the machine was booted with (An OS installation ISO).

It is ridiculous that a modern OS would allow any program to write to the MBR. OS's don't let programs write to kernel-owned memory addresses, why would it be ANY DIFFERENT for storage?

Re:Pretty easy to prevent infection on this one. (1)

idbeholda (2405958) | more than 2 years ago | (#37192452)

A proper sandbox technique would be to explicitly allow all system reads, but explicitly deny all system writes. Any attempt to do a system write would instead copy the system file to a sandboxed area, and allow writes to the copied file, keeping the original one intact. Sandbox infection getting out of hand? /clearmem (or some other custom command used to restore the sandbox to a beginning state) Problem solved.

Re:Pretty easy to prevent infection on this one. (1)

0123456 (636235) | more than 2 years ago | (#37192466)

Why the heck would anything running in a web-browser be able to write to the MBR?!?

Well, if you're running on XP you're probably an administrator so a browser exploit can write to anything. And if you're a typical user running Windows 7 then you'll click 'Yes' when UAC asks 'Do you want to allow Internet Exploder to: do some shit you don't understand?'

Re:Pretty easy to prevent infection on this one. (1)

compgenius3 (726265) | more than 2 years ago | (#37192514)

NOTHING has access to the physical disk directly unless it is a program coming off of the physical media that the machine was booted with (An OS installation ISO).

Solution:
1. copy malware executable to system disk
2. relaunch
3. ???
4. write to MBR

Re:Pretty easy to prevent infection on this one. (2)

LordLimecat (1103839) | more than 2 years ago | (#37194164)

What happens when that virus also goes after mapped drives, as many viruses do? What happens when it "super-hides" all the folders, and places look-alike exe's with a folder icon in their place (remember, by default the .exe extension is hidden)?

Takes a little more security than "disable autoplay"; to really secure from these sorts of nasties you need to be working with NTFS permissions and/or GPOs to control which directories are executable.

Re:Pretty easy to prevent infection on this one. (1)

idbeholda (2405958) | more than 2 years ago | (#37195422)

I'm not saying that disabling autoplay will stop an active infection, but I'm saying that it WILL help prevent it from happening. It's not that hard to tell the difference between a folder and a file; I don't need windows group policy to tell me not to click on every executable that's lobbed in my general direction. While we're on the subject of security practices, look up NTFS/ADS. That's where the real problem lies, and it still hasn't been fixed since its inception, with the exception of the more recent versions of Windows Server.

I could waste my time compiling a list of these common sense tactics that pretty much guarantee that you won't get hit with a live infection, but it would just be easier and less of a waste of time on my part if you used google and learned some basic security practices without me having to further lecture you about this.

1986 called. (1, Insightful)

idontgno (624372) | more than 2 years ago | (#37192586)

They want their boot-sector viruses back.

Re:1986 called. (0)

Anonymous Coward | more than 2 years ago | (#37194178)

Your PC is now Stoned!

Why does Windows need access to the MBR? (1)

Tetrarchy (1651907) | more than 2 years ago | (#37192680)

I don't even see a situation where windows would need to modify the MBR after installation - so why do they even allow it to?

Re:Why does Windows need access to the MBR? (1)

stderr_dk (902007) | more than 2 years ago | (#37193260)

The MBR contains the partition table. If you want to resize or move a partition, you need to write a new partition table to the MBR.

Re:Why does Windows need access to the MBR? (1)

LordLimecat (1103839) | more than 2 years ago | (#37194180)

Truecrypt, OS installation /repair, changing partition table, etc.

Re:Why does Windows need access to the MBR? (1)

Billly Gates (198444) | more than 2 years ago | (#37194278)

An OS upgrade or menu options at boot time. Also how do you get into safe mode?

bad bios (1)

hesaigo999ca (786966) | more than 2 years ago | (#37192912)

If a bios does not inherent security checking for the mbr of a drive, to see if malware or virus exists, then it is crap, and almost 99% of all bios out there do not have this.....hence...maybe if symantec gave out some free code for mbr checked to all bios writers, it would be a great day in paradise !

Re:bad bios (0)

Anonymous Coward | more than 2 years ago | (#37193624)

bullshit

how should the bios know which mbr is good and which is bad?

checking for some know bad values didn't work decades ago and will not work now
complex things will not fit and do not work that well anyway

let me guess, everything not win7 must obviously bad
but even windows fanatics will want to switch to win8

Re:bad bios (1)

LordLimecat (1103839) | more than 2 years ago | (#37194206)

Grats, your plan disallows booting to encrypted partitions, or for using updated, newer bootloaders; and if it does not, then it easily lets through updated, repacked mbr viruses.

Re:bad bios (1)

Billly Gates (198444) | more than 2 years ago | (#37194296)

Does EFI firmware offer that? Intel has been trying to get us to switch since the dawn of this century. Only the mac has truly adopted it and I wonder why? It is not like we need DOS compatibility anymore

PARITY BOOT B (0)

Anonymous Coward | more than 2 years ago | (#37193246)

PARITY BOOT B

running A/V in the BIOS (0)

Anonymous Coward | more than 2 years ago | (#37194062)

If malware is infecting the boot sector, then wouldn't a reasonable anti-virus approach be to run the virus scanner in the BIOS?

Re:running A/V in the BIOS (1)

SmurfButcher Bob (313810) | more than 2 years ago | (#37195066)

No. By your own premise, virus scanners don't work... clearly, the exploit blew right through and overwrote the boot sector.

A technicality for certain, but "run in the bios" is a nonsense phrase. You most likely mean "as part of the POST"?

Piracy cracks (1)

Billly Gates (198444) | more than 2 years ago | (#37194246)

The laptop I am typing this on has such a rootkit installed. It was the only way to defeat the crazy DRM and WGA. It is called hacktook.killwpa.2 or something of that nature.

It does nothing bad, but using an alternative bootloader is the only way to get around the piracy prevention mechanisms as Windows 7 is pretty locked down. Of course the Windows 7 kernel will not work with a regular bootloader that is unsigned. Grub gets around this by providing a pointer to the MS bootloader, but that wont defeat the anti piracy controls. I bet you places like China or angry Vista users like myself skew the results.

Windows is too expensive for 30% of all pcs from that part of the world. ... however as a precautionary tale I never do any banking or financial transactions on this laptop just to be rather safe than sorry.

massive increase in Symantic malware FUD (1)

microphage (2429016) | more than 2 years ago | (#37194622)

There, the corrected headline .. why not just make the MBR read-only .. ?

It's no surprise (1)

Dunbal (464142) | more than 2 years ago | (#37194848)

That this spike in malware co-incides with Symantec's declining sales of Norton anti-virus products. Why don't they just die quietly?

mod 0p (-1)

Anonymous Coward | more than 2 years ago | (#37194858)

The fut0re holds pro-homosexual exactly what you've
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>