
Boot Record Rootkit Threatens Vista, XP, NT

kdawson posted more than 6 years ago | from the writing-to-zero dept.

Security 261

Paul sends us word on a new exploit seen in the wild that attacks Windows systems completely outside of the control of the OS. "Unfortunately, all the Windows NT family (including Vista) still have the same security flaw — MBR [Master Boot Record] can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected... At the end of 2007 stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected."


Like it matters (1, Troll)

ILuvRamen (1026668) | more than 6 years ago | (#21949462)

They can fix the hell out of it and it would still be vulnerable. What if someone wrote a super small bootable virus, then the virus' initial form used Partition Magic-like functionality to write its own partition and stick the virus on it then tell the computer before restarting to boot from that one. Then the virus can do whatever it wants to the MBR or basically anything else on the drive cuz no files or anything would be open. I'm pretty sure Windows can't protect the MBR if it isn't running.

Re:Like it matters (3, Informative)

Anonymous Coward | more than 6 years ago | (#21949482)

That'd require changes to the partition table, which is protected from NT's usermode IIRC.

Re:Like it matters (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21949488)

Is it true that everybody loves ramen?

Re:Like it matters (1)

Vaticus (1000378) | more than 6 years ago | (#21949594)

How on earth does Ramen relate to MBR and Windows variants?

Re:Like it matters (4, Funny)

Nimey (114278) | more than 6 years ago | (#21949604)

I see that you are not an adherent of the True Church of the Flying Spaghetti Monster. The FSM has *everything* to do with Windows; we don't call it spaghetti code for nothing!

Re:Like it matters (1)

Leto-II (1509) | more than 6 years ago | (#21949672)

How on earth does Ramen relate to MBR and Windows variants?
While I do wish it had something to do with his holiness the Flying Spaghetti Monster, in this case I believe it has to do with the original poster's name: ILuvRamen.

Re:Like it matters (1)

Dramacrat (1052126) | more than 6 years ago | (#21949758)

Raymond? I hate that guy!

Re:Like it matters (5, Funny)

Nimey (114278) | more than 6 years ago | (#21949508)

The slashot discussion system is a joke run by arrogant, biased, opinion nazis
Tutorial:

1) That's "Slashdot". -1 for capitalization, -5 for spelling.
2) Nazi is capitalized.
3) Your sig is an automatic Godwin. Might want to fix that.
4) You didn't end your sentence with punctuation. This one calls for a period.
5) Arrogant? You bet!

Re:Like it matters (0)

Anonymous Coward | more than 6 years ago | (#21949742)

Also, "opinion Nazis" is a noun and should probably be spelled "opinion-Nazis" (or Opinion Nazis? Opinion-Nazis?)... and therefore, the use of commas is incorrect.

The Slashdot discussion system is a joke run by arrogant and biased opinion-Nazis.

Re:Like it matters (3, Informative)

Entropius (188861) | more than 6 years ago | (#21949878)

Two-word noun phrases are only hyphenated when used in adjective form. For instance:

Gamma rays are a type of ionizing radiation.

but

The gamma-ray burst released 4.3 blargajoules of energy.

Re:Like it matters (0)

Anonymous Coward | more than 6 years ago | (#21950084)

So, is it "Fuck-off, you git" or "Fuck off, you git"?

Re:Like it matters (5, Funny)

Anonymous Coward | more than 6 years ago | (#21950186)

The latter, because "Fuck off" is an imperative verb form and has nothing to do with adjectives.

Re:Like it matters (0, Troll)

ILuvRamen (1026668) | more than 6 years ago | (#21949910)

the slashdot discussion system is such a load of bullshit, I don't really care what people think. I've been up and down between -1 and +2 about 3 times now. Maybe I don't get how this works but I like to actually post what I think about the story instead of some fluffy, karma magnet bullshit. If some Linux assholes wanna mod me down cuz I merely said I don't use Linux then they should be banned as far as I'm concerned. But I did change my sig for you. That's how it is and you know it cuz I keep it real

Re:Like it matters (2, Insightful)

Anonymous Coward | more than 6 years ago | (#21949980)

You get moderated down because you open your fool mouth without thinking. Remember the molten salt solar plant post [slashdot.org] ? You basically repeatedly opened your gob to say, "I have no idea how all this works, but I'm much smarter than the guys who get paid megabux to design this stuff so <idiocy/>, <idiocy/>, <idiocy/>."

Re:Like it matters (0, Offtopic)

Anonymous Coward | more than 6 years ago | (#21950068)

the slashdot discussion system is such a load of bullshit, I don't really care what people think. I've been up and down between -1 and +2 about 3 times now.
that's because you're a retard. you don't actually think about what you are saying. just look at the comments you've made lately:

yeah, especially when they figure out that it always takes more energy to build a complex mollecule than to burn it. Seriously, some scientists are just dumb. Plants use nutrients to build complex mollecules from CO2

if they ever want to improve their crappy economy, they should all just learn english. In case you haven't noticed, every country that does international business has like 50% of the people know fluent english. Plus who the heck else in the world uses cyrillic?
see? TEH STUPID YOU ARE? it's simple: learn to spell, think about what you post [stupidity lives online forever you know] and quite whining about how abused you are because you post idiotic comments and get modded into the ground for it, I mean really, quit being such a whiny bitch.

Re:Like it matters (0, Offtopic)

ILuvRamen (1026668) | more than 6 years ago | (#21950242)

you're posting at a 0 too so why would I take advice from you? I've gotten first posts marked as Redundant twice. I've gotten 100% on topic posts rated off topic. I've gotten unrated posts modded "overrated". And if I say anything good about Microsoft I get modded a troll. The whole system is a joke.

Re:Like it matters (0)

alshithead (981606) | more than 6 years ago | (#21950244)

Dude, your attitude may very well be a significant reason for being modded into oblivion.

"the slashdot discussion system is such a load of bullshit, I don't really care what people think. I've been up and down between -1 and +2 about 3 times now"

-good, learn, leave, or at least keep quiet...if you don't care what people think then why do you care about how you are modded?

"Maybe I don't get how this works but I like to actually post what I think about the story instead of some fluffy, karma magnet bullshit."

-right, you don't get how this works. No one cares what you think if you can't post your opinion intelligently or at least in a form that also asks a question (as in seeking enlightenment or other opinions).

"If some Linux assholes wanna mod me down cuz I merely said I don't use Linux then they should be banned as far as I'm concerned."

-way to go dude, this is Slashdot so calling folks who use Linux assholes is not a good way to win friends. While we're at it, most Linux users won't mod you down just because you don't use Linux. They may pity you or consider you an IT novice, but they won't mod you down just for not using Linux. If you think Slashdot users should be banned for any reason then you obviously don't get Slashdot. That's why we have a moderation system. Go back to Yahoo or AOL maybe?

"But I did change my sig for you. That's how it is and you know it cuz I keep it real"

-No one gives a crap about your sig although you might get bonus points if your sig is creative enough. A lot of Slashdot folks may consider you irrelevant just for saying, "cuz I keep it real".

As a final note...try reading the FAQ. While you're at it, please reread your post and see if you really even deserved my tongue in cheek reply much less whether if it was even worth anyone else's time to read. Get a grip and think before you post.

alshithead

Re:Like it matters (5, Insightful)

Opportunist (166417) | more than 6 years ago | (#21949514)

Hen and egg. How does the virus get there in the first place? SOMEONE must first of all get it to execution. Malware doesn't suddenly jump in and exist. It has to be brought into the machine. A virus or trojan does jack when it just sits on your machine. It is a program. It has to be executed to do its "magic".

There are exactly three ways to get this done. First, remote (RPC) exploits, which is easy to defeat with a router that does not allow any packets in to sensitive ports. Second, exploits in programs. This is harder to secure, since you can never know whether your mail client or your web browser (or one of its myriad plugins) has such a vulnerability. Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).

And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.

Re:Like it matters (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#21949630)

Well thank you Captain Fucking Obvious for such an insightful analysis! Do you have any more gems for us, like the observation that grass is green or the sky is blue? Jackass. Save this shit for the 20-second sound bites on the evening news, where it belongs.

I'm right, everyone can see that I am right. But that's okay. Mod me down anyway you bitches, you know you want to!

Re:Like it matters (0)

EmperorKagato (689705) | more than 6 years ago | (#21949690)

If you knew you were right you wouldn't post as Anonymous Coward.

Re:Like it matters (0)

Anonymous Coward | more than 6 years ago | (#21949760)

I'm too lazy to create an account, you insensitive clod!

Re:Like it matters (0)

Anonymous Coward | more than 6 years ago | (#21949880)

Yeah, because painful truth always gets modded up because it's true, and never modded down because it's painful. Dumbass.

Re:Like it matters (0)

Anonymous Coward | more than 6 years ago | (#21949824)

Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).

What? Have you ever seen the Witty Worm [wikipedia.org] ? You know, that worm that proves just because you try to have security through obscurity you can still be vulnerable if you don't keep up to date? Best practices keep systems secure, not some "ultimate solution."

Re:Like it matters (0)

Anonymous Coward | more than 6 years ago | (#21950090)

I work for them, and that worm has been thought to have been written by a previous employee due to the high level of product knowledge demonstrated in the worm's code - so it was most likely for malicious intent towards the company.

And your example doesn't have any bearing on whether using products with no market share is safer or not, unless you're trying to suggest we don't have any market share or something stupid.

Re:Like it matters (1, Funny)

Anonymous Coward | more than 6 years ago | (#21949860)

And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.
I knew it all along.... CURSE YOU KEYBOARD!!! *punches keyboard* h fdsjkl hs

Re:Like it matters (1)

david_thornley (598059) | more than 6 years ago | (#21949882)

Second, exploits in programs. This is harder to secure, since you can never know whether your mail client or your web browser (or one of its myriad plugins) has such a vulnerability.

This is much less important in real operating systems, which don't allow mail clients or web browsers to muck up boot sectors and the like. Unfortunately, a whole lot of people are using toy operating systems by this criterion.

Re:Like it matters (1)

jhol13 (1087781) | more than 6 years ago | (#21949920)

You, sir, are truly a Windows man: "Any attempt to separate users and administrators is a bad thing".

Back in the day (1)

AndGodSed (968378) | more than 6 years ago | (#21950314)

(which was only a few years ago 1999ish :)) we used to refer to it as PEBCAC errors. Problem Exists Between Keyboard And Chair.

Also of course was the prevalent ID10T virus. I swear, we once actually told a guy that after he wiped his pc for the n'th time, and he ate it all up...

Re:Like it matters (3, Insightful)

burnin1965 (535071) | more than 6 years ago | (#21950494)

since you can never know whether your mail client or your web browser
word processor, spreadsheet, presentation software, desktop database software, etc., etc. Since the whole idea of using a computer is to run code, there are a myriad of exploit possibilities in just about any application that has scripting capabilities or simply a bug in the code which can be used to execute code. This is the reason applications should not be running with permissions that allow operations like writing to the MBR when there is no reason to.

Your best bet is to use something that has nearly no market share (and is thus not interesting for commercial malware users).
Like Windows ME? While it has virtually no market share I'd hardly recommend it for use in any application. Actually your best bet is to use something that has a good secure design which tries to reduce the potential for exploits. My personal choice is linux and while it does not have the desktop market share of Windows NT variants it does have a massive server/router/appliance install base and it is continually under attack; however, over the years of using linux for my desktop solutions I've yet to have any issues related to exploits.

And finally, the user himself can execute it. And, believe it or not, this is the most used and most successful way of infecting a machine. In other words, the main security problem is not in the machine. It's in front of it.
Can you provide a link to the statistics showing "the most used and most successful way of infecting a machine" is by users executing the code themselves? Visiting a web page with a browser you are executing, or reading e-mail with a mail reader you executed, either of which may have an exploit via a code bug or scripting, is not the same thing as a user executing the code themselves. I assume you're suggesting that the users are actually clicking on the executable and intentionally running the code which infects their system, which does happen, but I'd like to see the study before I believe that is the #1 successful attack vector.

Re:Like it matters (5, Informative)

MBCook (132727) | more than 6 years ago | (#21949524)

What if someone wrote a super small bootable virus,

Yeah, like something that could fit in a 512 byte MBR...

, then the virus' initial form used Partition Magic-like functionality to write its own partition

Why bother?

and stick the virus on it then tell the computer before restarting to boot from that one.

That's what this does. It modifies the MBR to load the virus as a driver out of a pair of sectors.

Then the virus can do whatever it wants to the MBR or basically anything else on the drive cuz no files or anything would be open.

This already does whatever it wants. And the "files open" comment is nonsensical; the pre-boot environment has no concept of "open files", it's just a little 512 byte loader.

I'm pretty sure Windows can't protect the MBR if it isn't running.

There isn't much Windows (or any) OS can do when it isn't running.

If you read the article (it contains scary things like x86 assembly, I know, but you can skip that) you'd see that they describe how this hooks into the load routines used by Windows. By intercepting these calls and redirecting them, it prevents you from overwriting the MBR or even detecting that it's changed (to a degree). To fix this you have to open a clean environment (like the recovery console off the Windows CD) and have it fix the MBR.

Amazing how even with all we've got, things go back to the same kind of viruses that were written back in the days of DOS 2.

I wonder if this would be so easily possible with EFI based booting. OS X uses it. Vista SP1 supports booting using EFI off disks not partitioned with the old DOS partition format.

PS: Whoever modded the parent as informative either doesn't know what they're talking about, is drunk, or is in cahoots.

PPS: Sorry. I've been looking for an excuse to use the word "cahoots" all day.

Re:Like it matters (2, Insightful)

m50d (797211) | more than 6 years ago | (#21949632)

I wonder if this would be so easily possible with EFI based booting. OS X uses it. Vista SP1 supports booting using EFI off disks not partitioned with the old DOS partition format.

I can't imagine that would make any difference. The computer needs to boot somehow, there are legitimate reasons for modifying the boot code (such as installing a new OS, or fixing flaws in it) so you can't just block it wholesale, and any program that runs at the boot stage will necessarily have complete control of your computer. About the best you can do is require the user to confirm before overwriting the MBR - something I thought windows already did (and if it doesn't, there's really no excuse for it not to) - but that's far from foolproof.

Foolproof Windows? (0, Troll)

Archangel Michael (180766) | more than 6 years ago | (#21949768)

"something I thought windows already did (and if it doesn't, there's really no excuse for it not to) - but that's far from foolproof."

Windows is made for fools ... and grandmas ... and CEOs. Besides, If you make something foolproof (VISTA) only fools will use it.

Re:Like it matters (1)

banished (911141) | more than 6 years ago | (#21949994)

Amazing how even with all we've got, things go back to the same kind of viruses that were written back in the days of DOS 2.

Indeed, the common cold has been around slightly longer, and we still haven't figured out how to prevent that, either.

Re:Like it matters (0)

Anonymous Coward | more than 6 years ago | (#21950032)

Nuke sick people from orbit. It is the only way to be sure.

Re:Like it matters (1)

wizardforce (1005805) | more than 6 years ago | (#21949596)

well if it's going to attack like that it would need higher privileges - that is, it needs to exploit another flaw to exploit this one. That being said, it appears that pretty much any OS that has that particular method used [separate partition + virus] would be affected. No doubt delivered in the same way it has always been, users downloading a new program. You can patch the OS all you want, you still can't patch the user.

Re:Like it matters (2, Informative)

Lumpy (12016) | more than 6 years ago | (#21949608)

Almost all BIOSes released in the past 5 years had MBR protection. Install your OS, turn on MBR protection and let the virus try.

I hated it at first, Linux installs failing as LILO not getting to write to the MBR until you turned it off.

Re:Like it matters (1)

infonography (566403) | more than 6 years ago | (#21950340)

Almost all BIOSes released in the past 5 years had MBR protection. Install your OS, turn on MBR protection and let the virus try.

SNIP
consider the average user^H^H^H^H^H^H^H^H^H Windows user has to rely on AOL for their anti-virus.

[I am shaking my head while my hands are vigorously rubbing my brow in shock, sadness, and disbelief. Later I will pull out some hair. ]

Re:Like it matters (4, Funny)

cgenman (325138) | more than 6 years ago | (#21949626)

If these so-called invisible rootkits are so effective, why aren't we seeing them everywhere? Huh?

http://www.nuklearpower.com/daily.php?date=080103 [nuklearpower.com]

Re:Like it matters (1, Funny)

Anonymous Coward | more than 6 years ago | (#21949754)

If these so-called invisible rootkits are so effective, why aren't we seeing them everywhere? Huh?

You keep using that word. I do not think it means what you think it means. [reference.com]

Re:Like it matters (0)

Mistshadow2k4 (748958) | more than 6 years ago | (#21949766)

Because they're invisible?

Re:Like it matters (1)

The Analog Kid (565327) | more than 6 years ago | (#21950092)

If these so-called invisible rootkits are so effective, why aren't we seeing them everywhere? Huh?

You forgot to select the tachyon detection grid option in your virus scanner. Duh.

Re:Like it matters (1)

neo8750 (566137) | more than 6 years ago | (#21949662)

I don't know about you but my motherboard gives me a warning any time a program tries to mess with the MBR. Sure it could be worked around but its 1 extra step they have to work around.

Please correct me if this isn't a good way to prevent this

woops (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21949480)

better put a rubber on when i start fapping to vista again! damn unprotected shit.

fap fap fap

Why is Windows still using MBR? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21949490)

OS X works great without.

Re:Why is Windows still using MBR? (2, Insightful)

Lost Engineer (459920) | more than 6 years ago | (#21949500)

Are you trolling?

Macs use EFI and PC's use BIOS. That's why.

Re:Why is Windows still using MBR? (0)

Anonymous Coward | more than 6 years ago | (#21949572)

All ACs are trolls.

We're also all inveterate liars.

Re:Why is Windows still using MBR? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21949656)

Don't forget jewniggers and wopcocks.

Of course.. (5, Interesting)

Junta (36770) | more than 6 years ago | (#21949792)

Whether it's an MBR record or an executable file stored on a filesystem the firmware may understand, the concepts are the same. Any sane operating system will allow you to modify boot files (after all, how else do you upgrade early-execution code?). Whether it's an MBR or a more sophisticated piece of firmware, the principle is the same. The question is whether users have been trained to always be administrator, or if they've been trained the more disciplined way where uncommon (at least should be)/privileged operations can only be executed at significant obvious pain.

Under linux even, a number of distributions have on occasion ventured down the very dangerous/wrong approach of skipping user accounts and going all root for the sake of convenience. However, the mainstream usage of linux (and OSX) is thankfully non-root users, and as such any *serious* applications accommodate that usage pattern (with the bonus of being sanely multi-user).

Meanwhile, Windows heritage has been less optimal. The consumer oriented MS platforms right up until XP didn't have a meaningful non-administrator concept, as well as much of a multi-user concept. As a consequence, many application developers did bad things that would break (i.e. using registry entries that are machine specific rather than user specific, or even writing things like saved documents/games to the application Program Files directory). Win9x even provided relevant spots that would evolve to something meaningful, but without significant meaning, many third parties ignored it, especially after Win3.x training. XP was the first definitive wake up call to a WIDE variety of developers. Even so, the majority of users ended up being administrative users to make up for the gap (as well as having no easy automatic privilege escalation). Hell, even a customized preload I saw sets up one user, renaming the administrator user (and in fact, calls an un-renamed administrator account a security risk... indeed).

OSX made a clean break with OSX (relegating "classic" applications to a relatively severe sandbox), Linux never had such an unclean history to overcome. So while OSX implemented clean privilege escalation, and Linux has been working on facilities that lend themselves well to that (i.e. DBus), Windows XP did not make a clean break, and Vista didn't either, but Vista's UAC is an attempt at giving users a facility to do privilege escalation. It's annoying because of bad programs and bad habits. But non-admin default usage + UAC is the only way they have of maintaining a sane featureset without being considered so vulnerable.

It also doesn't help that so many Windows users see "click here for free smilies" and think it's a good idea to do so.

VISTA (0)

Anonymous Coward | more than 6 years ago | (#21949492)

I have a hard time taking seriously someone who can't bother with proper capitalization.

Re:VISTA (0)

Anonymous Coward | more than 6 years ago | (#21949600)

seriously take the stick out of your ass...

You didn't capitalize your sentence. (0)

Anonymous Coward | more than 6 years ago | (#21949746)

So I guess he'll ignore you too. :-P

Messed up (5, Funny)

Anonymous Coward | more than 6 years ago | (#21949506)

Unfortunately, all the Windows NT family (including Vista) still have the same flaw -- incest.
NT and ME were siblings who married to produce XP. It doesn't help any that NT's father, 95, produced NT via a union with his daughter, 98. XP then killed NT and had a child with ME. He later gouged his GUI out. The end result of all this is Vista. And you guys wonder why Vista has security issues? Poor guy must have complex on top of complex, not to mention more than a few birth defects.

Re:Messed up (1)

phrostie (121428) | more than 6 years ago | (#21949854)

ROTFL

i so wish i had mod points

How is it different from LILIO and Grub? (4, Interesting)

snikulin (889460) | more than 6 years ago | (#21949512)

It's not a troll. I just want to know. If I put my code to MBR and LILO loader somewhere else and then start it, will it work? I guess so.

Re:How is it different from LILIO and Grub? (5, Informative)

MBCook (132727) | more than 6 years ago | (#21949624)

Yes. That's all LILO, GRUB, NTLDR, and such do. They call the BIOS functions to read partition tables and such, load code from a specific place, and execute it.

You could easily install LILO on the last sector of a disk (or anywhere else, just a free sector you can protect from being used). Write a little tiny program that does nothing but read that sector into memory (having known the address ahead of time, finding that code is what makes GRUB and NTLDR slightly more complex than this), and execute it. LILO would then continue having no idea what happened before it.

Amazing little things, boot loaders. Check out the Wikipedia article on Master Boot Records [wikipedia.org]. They talk about NTLDR where until XP/2K (when it got support for non-English error messages), the code was just a scant 139 bytes.

Read about some of them. LILO [wikipedia.org] is simple (and kind of stupid) and fits in 512 bytes. GRUB [wikipedia.org] is smarter, and works by loading more code that it finds using its first stage (which is under 512 bytes). It's a little tiny OS that only uses BIOS calls to load another OS. That's why you can edit entries, add new ones, etc. That couldn't fit in 512 bytes (and still be useful on most computers).
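The sector layout MBCook describes above (446 bytes of loader code, a 64-byte partition table of four 16-byte entries, and the 0x55AA signature) lends itself to a simple defensive check: take a hash baseline of the boot-code and partition-table regions from a clean environment and flag any later change to the first sector. The script below is an added example written for this thread, not code from the article or from any of the posters; the sample sector and the tampered copy it compares against are constructed in the code, so nothing is read from a real disk.

```python
"""Parse a 512-byte MBR image and detect changes against a hash baseline.

Added example. All sample data is constructed inline; no real device is read.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"         # bytes 510..511


def build_mbr(boot_code, partitions):
    """Construct an MBR image from loader bytes and (status, type, lba, count) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code or partition list too large for one sector")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        # CHS fields are left zero; LBA fields are what modern loaders use.
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def parse_mbr(sector):
    """Split a sector into loader code, the in-use partition entries and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    entries = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": entries,
            "signature_ok": sector[510:512] == BOOT_SIG}


def fingerprint(sector):
    """Hash each region separately so a report can say *what* changed."""
    return {"boot_code": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partition_table": hashlib.sha256(sector[PART_TABLE_OFF:510]).hexdigest(),
            "signature": sector[510:512].hex()}


def changed_regions(baseline, current):
    """Return the names of regions whose hash differs from the stored baseline."""
    return [name for name in baseline if baseline[name] != current[name]]


# Constructed loader stub: cli; jmp $ (a harmless halt, standing in for real loader code).
SAMPLE_BOOT_CODE = b"\xfa\xeb\xfe"
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 1000000),   # bootable NTFS-type entry
                     (0x00, 0x83, 1002048, 500000)]  # second, non-bootable entry


def demo():
    """Baseline a clean sector, then compare a copy whose loader bytes were altered."""
    clean = build_mbr(SAMPLE_BOOT_CODE, SAMPLE_PARTITIONS)
    baseline = fingerprint(clean)
    tampered = bytearray(clean)
    tampered[0:3] = b"\x90\x90\x90"  # constructed change inside the boot-code region only
    return changed_regions(baseline, fingerprint(bytes(tampered)))


if __name__ == "__main__":
    print(parse_mbr(build_mbr(SAMPLE_BOOT_CODE, SAMPLE_PARTITIONS)))
    print("changed:", demo())
```

The baseline only has value if it was taken from a clean environment, which is the same point MBCook makes about fixing the MBR: a loader that hooks the disk read path can hand the comparison a clean-looking copy of the sector, so the reference hashes belong on removable media or a recovery boot, not on the disk being checked.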

Re:How is it different from LILIO and Grub? (1)

snikulin (889460) | more than 6 years ago | (#21949686)

> Yes. That's all LILO, GRUB, NTLDR, and such do.
So, the submission is a FUD attempt, then?

Re:How is it different from LILIO and Grub? (3, Informative)

Anonymous Coward | more than 6 years ago | (#21950102)

No. LILO, GRUB and (joking aside) the Microsoft bootloader are not malicious (the microsoft one is stupid, but not malicious). If the 512 bytes does something else - like, oh, jump to the main part of the virus stashed in the filesystem, then it's a problem. The real craziness here is windows letting userspace write to the MBR without so much as a "uh, you sure you want to do that?". It'll pop up 50 UAC requesters asking about trivialities, but when it comes to something that can totally hose your system's ability to restart in a fraction of a second? Not a peep.

Now, linux will actually let you do that as root, too, but not otherwise. The problem is most people run windows as the equivalent of root.

Re:How is it different from LILIO and Grub? (1)

Alpha830RulZ (939527) | more than 6 years ago | (#21949940)

So, having RTFA, it seems to me that at the very least, the little nasty is designed to work with the windows boot process, and currently would at least cause a grub based system to puke, giving you notice of a situation. Then you could use http://supergrub.forjamari.linex.org/ to fix your loader? On a sidenote, while SuperGrub isn't going to win any points for graphic style, it did an excellent job of fixing my Fully Ryobi'd windows/Fedora situation, and is a nice little tool written by some nice folks in Italy, http://forja.linex.org/ [linex.org].

Obviously, a bad guy could extend the approach and anticipate Grub as well, trying to side step that, but it would probably be a much more complicated task, figuring out how to hide from all the kernel variants of Linux.

If a person wanted to be sure, couldn't you burn a boot loader onto a CD, have the CD boot first, and have that direct the loading? IANLWK (I am no Linux Whiz Kid), but in my imperfect knowledge of the world, that seems like it would completely defend against this type of attack. I yearn for correction of my ways if this wouldn't work.

bootkey (4, Informative)

Tumbleweed (3706) | more than 6 years ago | (#21950248)

If a person wanted to be sure, couldn't you burn a boot loader onto a CD, have the CD boot first, and have that direct the loading? IANLWK (I am no Linux Whiz Kid), but in my imperfect knowledge of the world, that seems like it would completely defend against this type of attack. I yearn for correction of my ways if this wouldn't work.

Or better yet, a USB key - a key that lets you start your computer. No key, no start. Faster than a CD, no moving parts, etc. Me likes.

Re:How is it different from LILIO and Grub? (1)

dbcad7 (771464) | more than 6 years ago | (#21950116)

In order to run lilo, you need to be root.. correct ?
So although you might be able to install it in some sector (giving you the benefit), ... how are you going to run it without being root ?

If you were just explaining the flexibility of where Lilo can be installed, I understand that.. but it kind of seems you implied that a malware script could be made to just willy nilly install and run lilo.. maybe it can, but I'd have to have more proof.

Re:How is it different from LILIO and Grub? (1)

snikulin (889460) | more than 6 years ago | (#21950126)

> In order to run lilo, you need to be root.. correct ?
Nope. There is no user/kernel space at this time.

Re:How is it different from LILIO and Grub? (0)

Anonymous Coward | more than 6 years ago | (#21949684)

It's not a troll. I just want to know. If I put my code to MBR and LILO loader somewhere else and then start it, will it work? I guess so.


On a Linux system, you must supply the root password before you are allowed to modify the MBR. On Windows AFAIK, you just have to click "OK" when the system asks you a question similar to "You are about to modify the MBR, is this OK?".

On a Windows system then, anyone with two minutes unsupervised access to a machine can compromise it yet leave it in the same state as it was left in from all outward appearances.

On Linux, you would have to have two minutes unsupervised access plus knowledge of the root password ... and your activity would be logged anyway. You could always boot a Linux LiveCD (so that you know the root password) ... but doing that you could not leave the machine in the same state you had left it in ... because you had to reboot.

Re:How is it different from LILIO and Grub? (2, Informative)

burnin1965 (535071) | more than 6 years ago | (#21950334)

If I put my code to MBR and LILO loader somewhere else and then start it, will it work? I guess so.
Are you root? If not then the answer is no.

The real issue here is not whether an exploit like this would work with lilo or grub, the issue, as noted by TFA, is that "Unfortunately, all the Windows NT family (including VISTA) still have the same security flaw - MBR can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected !"

Note: MBR can be modified from usermode, the first sectors of disk are still unprotected

Yikes!!!

Misleading... (5, Informative)

SanityInAnarchy (655584) | more than 6 years ago | (#21949562)

Alright, I get the defense in depth concept, but I don't consider it to be a severe vulnerability that the MBR is writable while Windows is running. I consider that to be a feature, one I wish Microsoft did more of -- for example, I can install Linux from a Linux LiveCD, or I can install a second copy of it on another partition, etc. As far as I can tell, OS X is similarly flexible -- it forces you to type your password, but it can deliver a firmware update from within the OS -- think equivalent to a BIOS update, so even earlier than the MBR.

So, to clarify: It's writable from userland, which is not the same as being writable by any user. If they have Admin access (which means you already clicked a "This program wants to modify your Master Boot Record, are you sure?"), you're already screwed -- kind of like how, on Linux, if they have root, you're already screwed.

In other words, it's possible to modify your Master Boot Record without rebooting your computer. This is a good thing.

What's more, this is not new [wikipedia.org]. All that's new is that it's both in the wild (Blue Pill does the same thing), and that it's a rootkit (MBR Viruses have been around for a very long time now). If someone was trying to apply for a patent, you'd be jumping all over them with prior art...

Re:Misleading... (4, Interesting)

Jeffrey Baker (6191) | more than 6 years ago | (#21949942)

In my admittedly limited experience, any user account can do some pretty scary stuff in Windows XP. I once was surprised to find out that I could load a firmware update onto a Plextor DVD burner using the guest account on a Windows XP machine. If you can program device firmware you can obviously subvert the entire operating system. I was appalled, and I showed it to the local Windows sysadmin, and he was appalled. It seemed to be a bit of clever programming on the part of the Plextor people, and there did not seem to be any way to defend against it.

Re:Misleading... (-1)

Anonymous Coward | more than 6 years ago | (#21950202)

That's because your user account in XP (like most home users) is probably an admin account, not a limited user account. Which means you can do what you like to your machine - install/uninstall software, viruses and USB keys :P

Re:Misleading... (1)

hcmtnbiker (925661) | more than 6 years ago | (#21950208)

What's more, this is not new [wikipedia.org]. All that's new is that it's both in the wild (Blue Pill does the same thing), and that it's a rootkit (MBR Viruses have been around for a very long time now). If someone was trying to apply for a patent, you'd be jumping all over them with prior art...

Actually Blue Pill is much more interesting than this. Blue Pill can actually trap a running instance of an OS inside a rootkit. The one from the article requires a reboot, and hoping you didn't detect it before then. Blue Pill can also be used to attack any operating system; the one from the article only works with systems that use NTLDR.

Re:Misleading... (0)

Anonymous Coward | more than 6 years ago | (#21950326)

"In other words, it's possible to modify your Master Boot Record without rebooting your computer. This is a good thing."

Yeah but its not possible to install a patch without rebooting :)

Re:Misleading... (1)

mcmaddog (732436) | more than 6 years ago | (#21950448)

Macintosh computers not only require an admin password to update the firmware, but also require you to shut down and then startup holding the power button for about 5 seconds to trigger the update process so physical access and intention are required.

Treacherous Computing to the rescue! (4, Insightful)

Anonymous Coward | more than 6 years ago | (#21949602)

I know I'll get flamed for saying it, but this is exactly the sort of problem that a TPM can solve.

Re:Treacherous Computing to the rescue! (2, Funny)

ScrewMaster (602015) | more than 6 years ago | (#21949670)

The jellied gasoline salvo is on the way, with a thermite chaser.

Re:Treacherous Computing to the rescue! (1, Informative)

Anonymous Coward | more than 6 years ago | (#21950262)

The cure is worse than the disease.

You have run Vista with elevated administrative... (5, Informative)

figleaf (672550) | more than 6 years ago | (#21949620)

... to write to the MBR.
For all other sectors Vista prevents writes to raw disk sectors even with admin permissions.

Users without admin permissions/without elevation cannot write to the MBR in Vista.

Re:You have run Vista with elevated administrative (0, Redundant)

jamstar7 (694492) | more than 6 years ago | (#21949902)

So how hard is it to exploit a flaw that gives a program elevated admin permissions?

Re:You have run Vista with elevated administrative (1)

Mr2001 (90979) | more than 6 years ago | (#21950026)

Not as hard as finding such a flaw in the first place. Why, have you found one?

The perfect virus (1)

arotenbe (1203922) | more than 6 years ago | (#21949646)

Unfortunately, all the Windows NT family (including Vista) still have the same security flaw -- MBR [Master Boot Record] can be modified from usermode.

"Security flaw"? Heck, I'm almost finished with the virus that overwrites the MBR with GRUB stage 1!

Alright, I guess I'm forced to admit I'm just kidding.

Re:The perfect virus (1)

Cassini2 (956052) | more than 6 years ago | (#21950008)

I'm almost finished with the virus that overwrites the MBR with GRUB stage 1!

You must work for Microsoft. Almost every Linux distribution in existence uses GRUB for a bootloader. Only Microsoft calls Linux "an evil virus-like plague," as it sweeps the world, eliminating proprietary software, vaporizing multinational corporations, and saving the poor from the ravages of the new generation of software robber barons.

A boot sector virus? In my PC? (4, Funny)

Purity Of Essence (1007601) | more than 6 years ago | (#21949666)

It's more likely than you think.

What is this? 1986?

Re:A boot sector virus? In my PC? (4, Funny)

Nimey (114278) | more than 6 years ago | (#21949722)

Your computer is now stoned.

Re:A boot sector virus? In my PC? (0)

Anonymous Coward | more than 6 years ago | (#21949948)

That's because marijuana is good stuff. You hear me?! GOOD STUFF!! Even computers think so. I guess you have to be a politician to get your head so far up your ass that you actually think it's bad. Tell me, how do the conservative pro-lifers reconcile drug prohibition with the fact that GOD created marijuana??

To quote Bill Hicks, after the Creation God said "oh my .. ME... I left fuckin' pot everywhere. Now people might think they're supposed to USE it ... now I'll have to create Republicans..."

Re:A boot sector virus? In my PC? (1)

Architect_sasyr (938685) | more than 6 years ago | (#21949966)

Oh damn that took me back... Thanks for reminding me of the moment where I looked at my computer and thought 'It too huh... wonder where it got its trip from'

Re:A boot sector virus? In my PC? (0)

Anonymous Coward | more than 6 years ago | (#21950190)

I preferred the Monkey virus, thanks. Or a combination of them. Stoned Monkey, anyone?

Re:A boot sector virus? In my PC? (1)

Thing 1 (178996) | more than 6 years ago | (#21950270)

A corollary to bricked, I suppose.

Re:A boot sector virus? In my PC? (1)

Technician (215283) | more than 6 years ago | (#21950362)

Your computer is now stoned.

Wow, talk about an old virus. I think I still have that one on a floppy somewhere. I remember studying that one. I did a fresh DOS install to infect. When I was done, it was removed by booting a clean floppy and re-partitioning, formatting and reinstalling. I took no chances with that one. For those who are not familiar with the phrase;

http://en.wikipedia.org/wiki/Stoned_(computer_virus) [wikipedia.org]

Re:A boot sector virus? In my PC? (4, Funny)

Jeffrey Baker (6191) | more than 6 years ago | (#21949916)

Yeah right. Do you think the virus idiots know how to program a virus into 512 bytes these days? I've seen self-styled viruses that are carrying around msvcrt.dll. Those guys should be embarrassed.

Re:A boot sector virus? In my PC? (4, Funny)

shdwtek (898320) | more than 6 years ago | (#21950024)

512 bytes should be enough for any virus.

Re:A boot sector virus? In my PC? (3, Informative)

tlhIngan (30335) | more than 6 years ago | (#21950038)

Yeah right. Do you think the virus idiots know how to program a virus into 512 bytes these days? I've seen self-styled viruses that are carrying around msvcrt.dll. Those guys should be embarrassed.


Actually, it's a bit less. The first sector of a hard disk contains the MBR code and the partition table.

The partition table takes 64 bytes (16 bytes x 4 entries), and there's a two-byte signature that the BIOS checks to ensure the MBR is valid.

That gives you roughly 446 bytes of code that you can actually run. Most MBR code basically reads the partition table, finds a partition with the "active" flag set, then loads the first sector of that partition into memory. The partition loader then copies more sectors from disk so it can load the OS.

That's why you can install GRUB and LILO into either the partition or MBR. The MBR version basically overwrites the existing MBR to always load LILO or GRUB regardless of what the partition table says. The partition version relies on the MBR code passing it control.

Of course, having the first cylinder of a disk unused makes it convenient to stash away the extra code you need.

Re:A boot sector virus? In my PC? (4, Interesting)

Keruo (771880) | more than 6 years ago | (#21950224)

All you need is a call to certain point of disk to run the code right?
Remember that almost all current Windows systems reserve 1-8Mb space [microsoft.com] for converting the drive to dynamic disk.
8Mb is likely enough to run an almost full-blown virtual machine, at least versatile enough to hide beneath the "primary" os and act as a spam/ddos drone/keylogging trojan unnoticed.
Sure, it'll eat some resources sitting there, but your average Joe/Jill won't really notice that. They just curse their damn slow computer.

type help for available commands. (0)

Anonymous Coward | more than 6 years ago | (#21949692)

boot /dev/null

Solution is in your BIOS settings (2, Informative)

DigiShaman (671371) | more than 6 years ago | (#21949866)

As I know, most 3rd party motherboards offer "anti-virus" or the "write protect MBR" options. Even if available I doubt they will work when using onboard RAID features.

Basically, you leave these options off when installing the OS. Once you're finished, you can safely turn them on. I'm not sure how often NTFS needs access to the MBR, but I know I've never had trouble leaving these features enabled with FAT32.

Re:Solution is in your BIOS settings (3, Informative)

tlhIngan (30335) | more than 6 years ago | (#21950076)

As I know, most 3rd party motherboards offer "anti-virus" or the "write protect MBR" options. Even if available I doubt they will work when using onboard RAID features.

Basically, you leave these options off when installing the OS. Once you're finished, you can safely turn them on. I'm not sure how often NTFS needs access to the MBR, but I know I've never had trouble leaving these features enabled with FAT32.


Ah, but these things only work in two ways:

1) The write protect only works if the OS makes a BIOS call to the MBR. The BIOS then traps this request and asks if you mean to write to the MBR. This works pretty well as most boot sector virii exist in DOS, which uses the BIOS, rather than Windows.

2) The BIOS makes a copy of the MBR and saves it in the CMOS. On boot, it loads the boot sector as normal, and does a quick comparison (it's only 512 bytes). If it differs (because someone overwrote the MBR code, or someone changed the partition table), it asks what you want to do - restore from backup, or accept the modifications.

No good filesystem should need the MBR once the system is booted, other than reading the partition table. (The MBR, being 446 bytes in size, is also pretty standardized, which is why any utility that rewrites the MBR code can get your system booting again. A Linux-rewritten MBR can boot Windows, Windows fdisk can make Linux bootable again, etc.) Basically, the MBR code just examines the partition table (in RAM - the BIOS doesn't care or know about the last 66 bytes being a partition table; it loads the entire 512 byte sector into RAM), finds an entry marked with an "active" flag, and copies the first sector out of that partition into RAM and jumps into that code.

Extended partitions are the devil, which is why most MBRs can't boot from an extended partition.
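The sector layout tlhIngan describes in this comment and the earlier one (446 bytes of bootstrap code, four 16-byte partition entries, the two-byte 0x55AA signature the BIOS checks, the "active" flag the MBR code looks for, and a BIOS keeping a stored copy to compare against on boot) as an added Python example. It is not code from the thread or from any project: the 512-byte sector it inspects is constructed inline, and the helper names (`parse_mbr`, `active_partition`, `diff_mbr`, `check_mbr`) are my own. The diff reports which region changed, so a partition-table edit (a legitimate repartition) can be told apart from a rewrite of the code area, which is what a bootkit has to touch.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_SIZE = 446            # bootstrap code area, bytes 0..445
TABLE_OFFSET = 446         # partition table, 4 entries x 16 bytes
ENTRY_SIZE = 16
ENTRY_COUNT = 4
SIG_OFFSET = 510
SIGNATURE = b"\x55\xAA"    # boot signature the BIOS checks before jumping in

# Classic MBR entry: status, CHS start (3 bytes), type, CHS end (3 bytes),
# LBA start (u32), sector count (u32); little-endian, 16 bytes total.
ENTRY_FMT = "<B3sB3sII"


def parse_partition_entry(raw: bytes) -> dict:
    """Decode one 16-byte partition table entry."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(ENTRY_FMT, raw)
    return {
        "bootable": status == 0x80,  # the "active" flag the MBR code searches for
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into code area and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIG_OFFSET:SIG_OFFSET + 2] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(ENTRY_COUNT):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        raw = sector[off:off + ENTRY_SIZE]
        if raw != b"\x00" * ENTRY_SIZE:  # all-zero slot is unused
            partitions.append(parse_partition_entry(raw))
    return {"code": sector[:CODE_SIZE], "partitions": partitions}


def active_partition(sector: bytes):
    """Return the entry a standard MBR would chain-load, or None if no flag is set."""
    for entry in parse_mbr(sector)["partitions"]:
        if entry["bootable"]:
            return entry
    return None


def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector, the equivalent of the BIOS's stored copy."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_fingerprint: str) -> bool:
    """True when the sector still matches the recorded baseline."""
    return mbr_fingerprint(sector) == baseline_fingerprint


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Name the regions that differ: 'code', 'table' and/or 'signature'."""
    changed = []
    if baseline[:CODE_SIZE] != current[:CODE_SIZE]:
        changed.append("code")
    if baseline[TABLE_OFFSET:SIG_OFFSET] != current[TABLE_OFFSET:SIG_OFFSET]:
        changed.append("table")
    if baseline[SIG_OFFSET:] != current[SIG_OFFSET:]:
        changed.append("signature")
    return changed


def build_sample_mbr() -> bytes:
    """Constructed sample sector (not a real disk image): a JMP opcode padded with
    NOPs, one active NTFS-type partition, one Linux-type partition, two empty slots."""
    code = b"\xEB" + b"\x90" * (CODE_SIZE - 1)
    entry1 = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    entry2 = struct.pack(ENTRY_FMT, 0x00, b"\x00\x00\x00", 0x83, b"\x00\x00\x00", 206848, 409600)
    empty = b"\x00" * ENTRY_SIZE
    return code + entry1 + entry2 + empty + empty + SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    baseline = mbr_fingerprint(sample)
    for p in parse_mbr(sample)["partitions"]:
        print(p)
    print("active partition starts at LBA", active_partition(sample)["lba_start"])
    # Simulate a rewrite of the bootstrap code, the kind of change a bootkit makes.
    tampered = bytearray(sample)
    tampered[10] ^= 0xFF
    print("unchanged:", check_mbr(bytes(tampered), baseline), "regions:", diff_mbr(sample, bytes(tampered)))
```

Run it against a real first sector (read with administrative rights, or from an offline image) after recording a baseline fingerprint on a known-clean install; a report of `['code']` with an unchanged table is the case worth investigating, while `['table']` alone usually means someone repartitioned.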

Hmm! (0)

Anonymous Coward | more than 6 years ago | (#21949938)

some words come to mind, in particular:

"I came for a colossal doughnut, and I'm gonna get a colossal doughnut"

This is a security flaw...why? (3, Insightful)

Myria (562655) | more than 6 years ago | (#21949958)

A program running as root takes over a machine. News at 11!

It's really annoyed me that security companies continually report these things when they have no relevance to actual security. The concentration should always be on preventing malware from acquiring root access in the first place. Vista, despite its faults, actually does a much better job of this than its predecessors.

Also, this is Slashdot. Slashdot has Linux users, and wouldn't Linux users know that overwriting is even easier to do in Linux than NT? "dd if=trojan.bin of=/dev/hda", anyone?

By the way, there are many more bad things you can do as Administrator than just hack the boot sector. You can use bcdedit to create a fake Windows XP boot entry then put your Trojan kernel there.

Re:This is a security flaw...why? (1)

PPH (736903) | more than 6 years ago | (#21950294)

By the way, there are many more bad things you can do as Administrator than just hack the boot sector.
I guess that's why Administrator (root) is a completely separate user on *NIX systems, not just an attribute of some logged in user.

Re:This is a security flaw...why? (1)

WK2 (1072560) | more than 6 years ago | (#21950492)

To be fair, I inferred from the summary and article that this was possible by an ordinary user. After I read several comments on slashdot that say something similar to what you say, I checked the article, and read it carefully. Nowhere does it say whether or not Administrator access is required to use their rootkit. I would have assumed that it was not.

If you are right, and Administrator access is required to write to the MBR, then this is certainly not a security-related issue.

Code written to the last sectors of the disk (0)

Anonymous Coward | more than 6 years ago | (#21949996)

It occurred to me that these last sectors are also (sometimes) used to store mirror info in gmirror, a GEOM "layer" I use to mirror my FreeBSD system. Just where the info is stored depends on the logical layout of your mirror devices, and are you really dual booting between Windows and a gmirrored BSD system? And blah, blah, blah.

But I'm going to look into it.

Can't write sectors anymore? Lame... (0)

yeremein (678037) | more than 6 years ago | (#21950226)

The newest victim of DRM: disk imaging utilities.

IIRC, that's what the "pagefile attack" was all about - getting the kernel to run unsigned code. To close that loophole, MS prevents you from performing raw writes.

Oh well, dd on a Knoppix CD still works.

Actually, come to think of it, if this raw-write-disallowing only applies to disks that have pagefiles on them, then this wouldn't be a real loss, because you'd be unable to lock the volume anyway--and restoring over the existing pagefile would be a Bad Thing in terms of system reliability and such.

Okay, found some documentation on this (2, Interesting)

yeremein (678037) | more than 6 years ago | (#21950312)

Here [microsoft.com].

It actually looks reasonable - you can still perform raw disk writes from userland (with admin rights, of course) - you just can't write over a mounted volume. Disk imaging utilities will still work, provided they dismount any volumes before they overwrite them (which they ought to be doing anyway; I should know, I wrote a Windows disk imaging utility at my last job).

And of course, you can't dismount a disk with an active pagefile on it, so it solves that vulnerability. But it does so in a reasonable way--I can't really imagine why a well-behaved program would want to scribble over a mounted volume; you don't know whether the cache is just going to clobber what you wrote in a second anyway. So I apologize for my FUD in the parent message; this security feature actually seems to strike a good balance.

Now the FUD in TFA is another story...

I Thought Vista Was a Re-Write? (1)

BigAssRat (724675) | more than 6 years ago | (#21950458)

Once again, I thought Vista was supposed to be a complete re-write of Windows code. How do they manage to keep the same old buggy code from NT 4.0?