Slashdot: News for Nerds

New "Mebroot" MBR-Modifying Rootkit Analyzed

kdawson posted more than 6 years ago | from the ready-or-not-here-i-come dept.


I Don't Believe in Imaginary Property writes "F-Secure has a writeup on a highly obfuscated, advanced new rootkit they recently discovered which uses a number of old techniques like MBR modification in new ways. It modifies the MBR, starts up its downloader with an ntoskrnl.exe hook set to nt!Phase1Initialization (which conveniently removes it from memory afterwards), and hooks IRP_MJ_READ and IRP_MJ_WRITE in disk.sys to hide itself in empty sectors. It also bypasses software firewalls by calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs. F-Secure believes it was written by professionals who are after financial information."


65 comments

But... (0)

Anonymous Coward | more than 6 years ago | (#22632966)

Didn't Sony learn their lesson last time?

Would these issues affect EFI to the same degree? (3, Interesting)

The Ancients (626689) | more than 6 years ago | (#22632984)

After seeing rootkits spring from many sources (yes - including Sony) would the introduction of EFI bring greater barriers to this sort of exploit, or would it just be a matter of time before the crackers have their hooks into this to the same extent as well?

Re:Would these issues affect EFI to the same degre (1, Funny)

ILuvRamen (1026668) | more than 6 years ago | (#22633052)

the originators should have no reason to sell this technology. The more crackers that use it for their purposes, the more likely antivirus companies are going to take notice and take more immediate, drastic steps to stop it. If it's just one group using one new rootkit that's different than a bunch of people using it for all different stuff. Btw that sounded so racist lol. CRACKER!

Re:Would these issues affect EFI to the same degre (1, Funny)

Anonymous Coward | more than 6 years ago | (#22633088)

Btw that sounded so racist lol. CRACKER!
We prefer the term "honky".

Re:Would these issues affect EFI to the same degre (0)

Anonymous Coward | more than 6 years ago | (#22634284)

That, or "Just plain American because that's where I was fucking born" American.

Re:Would these issues affect EFI to the same degre (3, Insightful)

VitaminB52 (550802) | more than 6 years ago | (#22633612)

the originators should have no reason to sell this technology. The more crackers that use it for their purposes, the more likely antivirus companies are going to take notice and take more immediate, drastic steps to stop it.

That sounds a little naive. It's wrong for several reasons:

  • Not all computer users use (up-to-date) anti-virus software
  • Even fewer computer users use (up-to-date) anti-malware software
  • And, even if computer users use both up-to-date anti-virus and anti-malware software, they will be vulnerable in the time frame between the release of the rootkit and the release of the anti-rootkit software upgrade that fights it - in this time frame the rootkit writers will 'make' more money than most Slashdot users during their whole life

Re:Would these issues affect EFI to the same degre (2, Interesting)

stonecypher (118140) | more than 6 years ago | (#22636312)

Naivety belongs to you, not grandparent.

Not all computer users use (up-to-date) anti-virus software
No, but about 85% of computer users do, and financial information is a question of hitting as many people as possible.

Even fewer computer users use (up-to-date) anti-malware software
This isn't worth saying separately, and this is an AV issue.

And, even if computer users use both up-to-date anti-virus and anti-malware software, they will be vulnerable in the time frame between the release of the rootkit and the release of the anti-rootkit software upgrade that fights it
And since time and the physical universe stop forever when a rootkit gets defeated, it doesn't matter that they'll lose enormous amounts of money afterwards by being shut out afterwards.

in this time frame the rootkit writers will 'make' more money than most Slashdot users during their whole life
Since we're talking hours here, then if you really believe there's that rate of transfer (there isn't - the more you take per day, the higher the chance you get detected by other means) - then surely you can see why they'd want this door open for months instead of hours?

Honestly. Whoever modded that insightful wasn't thinking at all.

Re:Would these issues affect EFI to the same degre (1)

BobPaul (710574) | more than 6 years ago | (#22639100)

No, but about 85% of computer users do, and financial information is a question of hitting as many people as possible.


Bullshit. AV penetration might be that high, but what's the percentage when expired 90-day "came with my computer" trials are excluded? I work at a University, and if college students are any indicator of what they're parents are doing, even with our best efforts to educate them and provide campus purchased AV for use on personal computers, a large number either have nothing or don't realize AV can expire. I don't have statistics, but it's something I see daily. I can only imagine their parents are at least as clueless as they are.

Regardless of that, even with your stats, that leaves 15% of internet users, or some 150 million, completely unprotected. That's a lot of credit cards, especially when you can steal the same person's identity over and over until they finally clean the virus off their computer.

And since time and the physical universe stop forever when a rootkit gets defeated, it doesn't matter that they'll lose enormous amounts of money afterwards by being shut out afterwards.


Huh? You're reading about this on Slashdot. The AV companies are going to take notice and do something about this. That will happen to the same degree regardless of how many customers the virus authors take.

Don't forget--botnet owners often sell out usage of their networks to many customers, and they're working entirely within the percentage of unprotected internet users. (As defined by no AV or out of date AV).

Re:Would these issues affect EFI to the same degre (1)

stonecypher (118140) | more than 6 years ago | (#22663610)

Bullshit.
You're guessing. Acting like you know someone else is wrong, when you don't, makes you look like an asshole.

I work at a University
As a janitor, maybe. People don't get university jobs of quality when they can't sort out the difference between "they're", "there" and "their".

and if college students are any indicator of what they're parents are doing
They aren't.

even with our best efforts to educate them
Given your surreal quality of language and your seeming unawareness that you're supposed to bring proof to the table when getting on the podium, I'm hoping that when you say "our efforts to educate" that you're taking credit for someone else's work.

I don't have statistics
Obviously. That's what makes you acting like you know so funny.

but it's something I see daily
In your highly representative sample of several hundred individuals putting out tens of thousands of dollars on tuition and booze without jobs? Yeah, that's definitely a sane sample. You couldn't be in, like, the worst possible position to judge, or anything. Unlike you, I actually checked the numbers before I pretended to know shit. My numbers come from CERT, not some pompous lab jockey's imagination. Chances are they know a hell of a lot more about the matter than you do.

Regardless of that, even with your stats, that leaves 15% of internet users, or some 150 million, completely unprotected. That's a lot of credit cards
God, you're dumb. You seem to have completely missed the point of my post. Do us both a favor and don't reply to me again.

Huh? You're reading about this on Slashdot.
Actually, I've known about this for three weeks, since the first CERT notice was dispatched. Thanks for playing the "making arguments based on guesswork game"; try not to fail too hard on the way out of the TV studio, stupid.

That will happen to the same degree regardless of how many customers the virus authors take.
If only this had something to do with what I said, I might be able to mock it usefully.

Don't forget--botnet owners often sell out usage of their networks to many customers
Don't forget, Toyota makes their tires from synthetic rubber. (See how it feels when you say "don't forget, {thing that has nothing to do with it}? Not too pleasant, is it?)

Don't bother replying. It won't get read.

Re:Would these issues affect EFI to the same degre (1)

BobPaul (710574) | more than 6 years ago | (#22670072)

Give me back my jacket, you fat lard! I said you could borrow it, not keep it!

Re:Would these issues affect EFI to the same degre (1)

stonecypher (118140) | more than 6 years ago | (#22671330)

That's one of the dumbest things I've ever seen anyone say on slashdot, including trolls, and I've been here for more than a decade.

Congratulations: you're the first slashdotter to genuinely disappoint me in more than a year.

Re:Would these issues affect EFI to the same degre (1)

BobPaul (710574) | more than 6 years ago | (#22671416)

Ha! I knew you were at least as much of a pedant as I am. "Don't bother replying because I won't read it" my ass. You even replied!

Re:Would these issues affect EFI to the same degre (1)

VitaminB52 (550802) | more than 6 years ago | (#22648430)

Naivety belongs to you, not grandparent.

Not all computer users use (up-to-date) anti-virus software
No, but about 85% of computer users do, and financial information is a question of hitting as many people as possible.

According to a recent survey only about 50% of computer users do use AV software; the % of up-to-date AV software is even lower.

Even fewer computer users use (up-to-date) anti-malware software
This isn't worth saying separately, and this is an AV issue.

According to the aforementioned survey, far less than 50% of computer users do use anti-malware software.
Anti-malware isn't an AV issue. Yes, sometimes anti-malware comes bundled with an AV package, but it isn't the same as AV software.

And, even if computer users use both up-to-date anti-virus and anti-malware software, they will be vulnerable in the time frame between the release of the rootkit and the release of the anti-rootkit software upgrade that fights it
And since time and the physical universe stop forever when a rootkit gets defeated, it doesn't matter that they'll lose enormous amounts of money afterwards by being shut out afterwards.

Most rootkits spread in a random way, and sooner or later they infect a honeypot run by an AV / anti-malware vendor. That's when the AV / anti-malware vendor starts analysing the rootkit. If a rootkit writer can't prevent the rootkit from infecting a honeypot, then there is a real chance one of the first infected machines is a honeypot.
Another way AV / anti-malware vendors get informed about new rootkits is the new-malware-reporting functionality built into most packages. If the rootkit spreads to a machine protected with such an AV / anti-malware package, then the AV / anti-malware vendor gets a report about the rootkit. And this could be one of the first machines the rootkit spreads to.
So the rootkit writer wants to spread fast and wide before the AV / anti-malware vendors have a fix for the rootkit.

in this time frame the rootkit writers will 'make' more money than most Slashdot users during their whole life
Since we're talking hours here, then if you really believe there's that rate of transfer (there isn't - the more you take per day, the higher the chance you get detected by other means) - then surely you can see why they'd want this door open for months instead of hours?

My Symantec AV updates itself once every day - as do most other AV packages. And the time between discovering a rootkit and writing a cure against it can take weeks - so the timeframe is larger than you think.


Honestly. Whoever modded that insightful wasn't thinking at all.

Re:Would these issues affect EFI to the same degre (1)

stonecypher (118140) | more than 6 years ago | (#22663680)

According to a recent survey only about 50% of computer users do use AV software; the % of up-to-date AV software is even lower.
Please show me this survey that contradicts CERT by 35%.

According to the aforementioned survey, far less than 50% of computer users do use anti-malware software.
Please show me this survey that contradicts CERT by 35%.

Anti-malware isn't an AV issue.
That's funny, MBR viruses like this show up all over Norton's and Kaspersky's lists. Funny how the antivirus authors seem to disagree with you.

Most rootkits spread in a random way, and sooner or later they infect a honeypot run by an AV / anti malware vendor.
And this one doesn't. RTFA.

If a rootkit writer can't prevent the rootkit from infecting a honeypot
And this if clause fails. RTFA.

So the rootkit writer wants to spread fast
Not this one. RTFA.

My Symantec AV updates itself once every day - as do most other AV packages
Meaning that the average deployment time to users is twelve hours. Or did you think that all those machines were connecting to Symantec at the same time? (Incidentally, Kaspersky is hourly, McAfee is every three hours, and F-Secure is every half hour. Maybe you should say fewer things like "most" if you don't actually know which ones don't work the way yours do.)

And the time between discovering a rootkit and writing a cure against it can take weeks
Yet if you'd bother to check, instead of guessing, you'd find that AV companies brag about how quickly they respond to any given threat as a sales tactic, and that the average response time to rootkits for most vendors is less than six hours. Kaspersky responded to this particular kit in two and a half.

Jesus, I get sick of people who do their argument based on assumptions and guesswork. Slashdot would be so much nicer a place if people like you had the good sense to be ashamed when caught this way.

Re:Would these issues affect EFI to the same degre (4, Informative)

jmorris42 (1458) | more than 6 years ago | (#22633126)

> ...would the introduction of EFI bring greater barriers to this sort of exploit...

EFI is more complex than the simple boot block / partition table that fits in a single disk sector. More complex means fewer people who will fully understand it, more bad implementations in firmware with potential security problems, etc.

Of course there are good reasons for it to replace the MBR/partition table, like running into a brick wall on the max drive size.

Re:Would these issues affect EFI to the same degre (5, Informative)

Hal_Porter (817932) | more than 6 years ago | (#22633660)

Of course there are good reasons for it to replace the MBR/partition table, like running into a brick wall on the max drive size.
Actually you don't need to change the BIOS to get that. Currently the BIOS loads sector 0 into memory and jumps into it. There's no reason why sector 0 couldn't be a GPT MBR. Pre-GPT, people worked out ways to allow for 64-bit LBA addresses in the partition table.

http://home.no.net/tkos/info/embr.html [no.net]

And the BIOS has supported 64-bit LBA addresses in int 13 for ages, so there is no disk size problem for a very long time - probably many decades. Seriously, you don't need EFI to get 64-bit LBA support.

Re:Would these issues affect EFI to the same degre (3, Interesting)

CastrTroy (595695) | more than 6 years ago | (#22634874)

Couldn't you just have a USB stick with a physical switch to set it as readonly, and then set the computer to only boot off that device? Most (all?) new computers support booting off the USB device. Using this method of booting, along with having /usr and other places mounted as write only, you could probably stop most stuff from infecting the system. You might still have a problem with things infecting your home directory, but that can be more easily removed.

Re:Would these issues affect EFI to the same degre (1)

speculatrix (678524) | more than 6 years ago | (#22643552)

Aren't some of these USB memory devices' read-only switches just an indicator to the OS to not allow writing, so that it's possible for malware to override it?

Re:Would these issues affect EFI to the same degre (1)

networkBoy (774728) | more than 6 years ago | (#22644678)

If you're paranoid enough (or if like me your USB key is a cheapie that doesn't have a switch), load your image, make sure it works, crack open the key, then lift the WE# pins from the TSOP flash devices (specs on-line, just look up the respective chip).
That way my boot & nuke / clean-up key never gets accidentally formatted by someone.
-nB

Re:Would these issues affect EFI to the same degre (1)

freedom_india (780002) | more than 6 years ago | (#22633128)

including Sony
So, you recommend I incorporate myself as a corporation so that I may successfully produce rootkits without fear of conviction?

Lawyer for victim: "The accused here caused massive financial damages to my client by putting in a rootkit and stealing bank account information thus enabling 3rd parties who used the rootkit to steal money from my client's accounts."

Lawyer for accused: "Your honor, I present for your perusal information from earlier such cases where the corporation was trying to protect intellectual property and was as much a victim. Request dismissal of case."

Judge: "This accused being a corporation, I cannot sentence it to jail or sentence it to hang. I hereby ORDER the corporation to pay the victim an amount of $300/- towards computer repair and to tender an apology in writing to court."

Re:Would these issues affect EFI to the same degre (1)

Hal_Porter (817932) | more than 6 years ago | (#22633676)

Except corporations can be sued for millions if they damage other people's computers. They are a much more inviting lawsuit target than some penniless hacker. Particularly class action lawsuits which allow people to sue them without being individually able to afford lawyers.

Re:Would these issues affect EFI to the same degre (1)

freedom_india (780002) | more than 6 years ago | (#22633912)

They are a much more inviting lawsuit target than some penniless hacker
Righhht ! And how many have paid millions out as a result of lawsuit judgements going out against them?
Name one case where a corporation was convicted of being a hacker and made to pay out millions.

Now go and count the cases where a poor individual hacker was convicted of hacking?

Re:Would these issues affect EFI to the same degre (1)

Hal_Porter (817932) | more than 6 years ago | (#22637842)

Name one case where a corporation was convicted of being a hacker and made to pay out millions
Large companies with deep pockets are hit with lawsuits all the time. This one seems frivolous to me, someone sued Apple because the battery in the iPhone was non replaceable. But that's something he should have checked before he bought it. I don't like my iPod touch, but there's no way I'd sue Apple for all the misfeatures.

http://www.techcrunch.com/2007/07/27/iphone-class-action-lawsuit/ [techcrunch.com]

This one seems more sympathetic - a judge ordered a bunch of spam companies to pay $1bn, presumably bankrupting them. As far as I can tell the guy they spammed had given them the opportunity to stop earlier.

http://www.computerweekly.com/Articles/2004/12/22/207606/judge-awards-isp-1bn-in-spam-damages.htm [computerweekly.com]

My guess is it would be hard to find a big company that actually let it go this far though, and that the spammers had a bunch of disposable companies they could afford to ditch because their business model only worked if they could ignore lawsuits like this.

If you are a big company it's cheaper to pay off anyone who complains early than to risk being obliterated if they actually win the lawsuit. Of course, it's cheaper still to not be evil. And it's interesting that the few evil companies I've personally dealt with tend to collapse suddenly due to a dispute with some third party, whereas the more pragmatic ones tend to survive.

Deep pockets is a recognized legal term by the way, meant to describe the sort of companies that are plagued by class action lawsuits. My point is that once you get big your lawyers will hopefully advise you not to piss off people who might sue you, and you'd be well advised to take that advice.

And individual hackers get away with a lot more than you'd think from reading slashdot. I've dealt with big pragmatic companies who've been advised not to sue 'hobby' hackers, even though their hacks leak to other commercial entities and end up costing the big company a fortune. Actually my point is that the real world works very differently than slashdot would have you believe.

Nice Job (2, Interesting)

QuantumG (50515) | more than 6 years ago | (#22633022)

Of course, back in the day we called it "stealth" and a "root kit" was what you used to "get root" on a unix box.. but hey, language changes. How about adding some infection routines to that puppy and letting it live?

Not that I'd ever encourage such behavior.

Re:Nice Job (2, Interesting)

Gideon Fubar (833343) | more than 6 years ago | (#22633236)

you know, that's one piece of language drift i don't mind.. the windows rootkit is a totally different beast to an elevation exploit..

you're totally right tho. Back in the day, this would have just been called a boot infector with some interesting stealth. I gotta say, i'm really surprised that stuff like this still works..

Re:Nice Job (1)

ledow (319597) | more than 6 years ago | (#22633670)

Back in my day, Windows was a WIMP GUI. Now they call it an operating system.

But yes, the old-style viruses tend to have lost out the past few years. I can remember quaking in fear when I read about a virus that was polymorphic, stealth, boot-sector infecting, "hold your partition table to ransom", able to transfer to floppies, hard disks and even CD's (WOW!), plus across IPX networks, randomising data destruction etc.

Now THAT was a virus to be scared of.

Re:Nice Job (1)

Corporate Troll (537873) | more than 6 years ago | (#22634080)

I can remember quaking in fear when I read about a virus that was polymorphic, stealth, boot-sector infecting, "hold your partition table to ransom", able to transfer to floppies, hard disks and even CD's (WOW!), plus across IPX networks, randomising data destruction etc.
And all that in less than 512 *bytes* code...

Re:Nice Job (1)

smallfries (601545) | more than 6 years ago | (#22635022)

How far back are you talking? I'd always heard the phrase rootkit as the code you downloaded after an exploit to hide your tracks and make sure that you keep root. Of course on Windows getting root in the first place isn't such a big deal, so some language drift is understandable...

Re:Nice Job (1)

WaXHeLL (452463) | more than 6 years ago | (#22637540)

A "root kit" has never been what you used to get root on a box.

Originally a root kit was a set of tools to hide your tracks, like replaced versions of 'ls', 'ps', etc so that it became that much harder to detect you.

Mebroot source, log, and my questions. (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22633178)

I just read an article about the Mebroot virus, which buries itself in the Master Boot Record and cannot be detected by most virus protection software. This nasty bug gives hackers access to info from financial sites that are visited. A program from GMER supposedly can detect and remove this threat, and a link was included to download it.

I don't know which is scarier - the virus or the download.
Here's the mebroot viral source and my observations. [dwarfurl.com]
Does anyone have any knowledge of this?

AVG, Clam (1)

BrookHarty (9119) | more than 6 years ago | (#22633184)

Googled, but guess it's too new. Do AVG and Clam scan for Mebroot yet?

The fix is free: (3, Informative)

Futurepower(R) (558542) | more than 6 years ago | (#22634016)

At the bottom of the linked article [f-secure.com] , there is another link: Gmer -- MBR [gmer.net] . At the end of that long technical article it says: "Rootkit removal: To remove rootkit from infected machine you can simply use "Recovery Console" command: fixmbr."

To use it, you first go into the Windows XP Recovery Console [microsoft.com] . Then run FixMBR /? for parameters. Save the MBR (Master Boot Record) first.

Here is a discussion [microsoft.com] on the Microsoft web site about tools for fixing the MBR without the Recovery Console. I've never tried them; I've always used the FixMBR utility that comes with the Recovery Console.
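Two comments above turn on the layout of sector 0: Hal_Porter's point that the partition table's 32-bit LBA fields are what cap disk size (and that a GPT protective entry can sit in the same 512 bytes), and Futurepower(R)'s advice to save the MBR before running FixMBR. The following Python is an added example, not code from the thread, F-Secure or GMER: it parses a 512-byte MBR, reports the addressing limit, and compares only the boot-code region (bytes 0..445) of a saved copy against the current sector, so a legitimate repartitioning does not trip the check while a rewritten boot loader does. The sample sectors are constructed in the script and are not real disk images.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = 0xAA55          # bytes 55 AA at offset 510, read little-endian
BOOT_CODE_LEN = 446             # boot code occupies bytes 0..445
DISK_SIG_OFFSET = 440           # 32-bit Windows disk signature inside the boot-code area
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries follow the boot code
GPT_PROTECTIVE_TYPE = 0xEE      # partition type GPT uses for its protective MBR entry

# Entry layout: status, 3 CHS bytes, type, 3 CHS bytes, u32 LBA start, u32 sector count.
ENTRY_FMT = "<B3xB3xII"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry into a dict."""
    status, type_id, lba_start, sectors = struct.unpack_from(ENTRY_FMT, entry, 0)
    return {
        "bootable": status == 0x80,
        "type": type_id,
        "lba_start": lba_start,
        "sectors": sectors,
        "size_bytes": sectors * SECTOR_SIZE,
    }


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and return boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if struct.unpack_from("<H", sector, 510)[0] != MBR_SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        entry = parse_partition_entry(sector[off:off + 16])
        if entry["type"] != 0:          # type 0 means an unused slot
            partitions.append(entry)
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
        "is_gpt_protective": any(p["type"] == GPT_PROTECTIVE_TYPE for p in partitions),
    }


def max_addressable_bytes(lba_bits: int, sector_size: int = SECTOR_SIZE) -> int:
    """Largest disk an LBA field of the given width can address (32 bits -> 2 TiB)."""
    return (2 ** lba_bits) * sector_size


def boot_code_changed(baseline: bytes, current: bytes) -> bool:
    """True when the boot-code region differs from the saved baseline (partition edits are ignored)."""
    return parse_mbr(baseline)["boot_code_sha256"] != parse_mbr(current)["boot_code_sha256"]


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Constructed sample sector for offline testing; not a real disk image."""
    if len(boot_code) > DISK_SIG_OFFSET:
        raise ValueError("sample boot code must leave room for the disk signature")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0xDEADBEEF)   # constructed disk signature
    for i, (status, type_id, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i, status, type_id, lba, count)
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


# Constructed samples: a saved baseline, the same disk with rewritten boot code, and a GPT protective MBR.
NTFS_ENTRY = (0x80, 0x07, 2048, 4194304)                       # bootable, 2 GiB starting at LBA 2048
BASELINE_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0", [NTFS_ENTRY])
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90", [NTFS_ENTRY])   # partitions untouched, loader replaced
GPT_PROTECTIVE_MBR = build_sample_mbr(b"", [(0x00, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])


if __name__ == "__main__":
    info = parse_mbr(BASELINE_MBR)
    print("disk signature 0x%08X, %d partition(s)" % (info["disk_signature"], len(info["partitions"])))
    for p in info["partitions"]:
        print("  type 0x%02X start LBA %d size %d bytes" % (p["type"], p["lba_start"], p["size_bytes"]))
    print("32-bit LBA limit: %d bytes" % max_addressable_bytes(32))
    print("boot code changed since baseline:", boot_code_changed(BASELINE_MBR, TAMPERED_MBR))
```

On a real machine the baseline would be the first 512 bytes of the boot disk saved while the system was known clean, and the comparison should be run from trusted media rather than from the possibly compromised OS, for the reason sconeu gives further down the thread.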

FIXMBR -- trust chain (2, Informative)

sconeu (64226) | more than 6 years ago | (#22635992)

Yeah, but you've got to boot off of CD to use it, otherwise you're suspect, since you've booted off the bogus MBR to get to the recovery console.

From the article (2, Informative)

Corporate Troll (537873) | more than 6 years ago | (#22633194)

From the article:

In fact, it is quite surprising that it's possible to write to the MBR from within Windows to begin with.

I'm pretty sure you can only do that when you're Admin.... Use "Limited User" for crying out loud!

Re:From the article (1)

hcmtnbiker (925661) | more than 6 years ago | (#22633264)

Or if you use vista:

Mebroot boot loader modifying rootkit is attempting to modify the MBR.
[Cancel] [Allow]

Re:From the article (1)

Corporate Troll (537873) | more than 6 years ago | (#22633380)

Yeah, but the novice user will click "Allow" to get back to work.... Doesn't help. Limited User on XP simply doesn't allow you to do anything that's dangerous. No dialog boxes, no passwords: simply "Access denied", which is how it should be. You want to install something or change configuration, log in as Admin or use RunAs.

Of course, that would mean that the user knows what he's doing, and we're back to the weakest chain in the link... *sigh*

Re:From the article (1)

LoadWB (592248) | more than 6 years ago | (#22633584)

ISTR a number of motherboard BIOS which protect the boot block of a hard drive. Would this not then protect the MBR?

If so, I will refrain from asking, "then why don't people use it?" because I know why. And I know why I have not enabled this feature. Simply put, lack of motivation to do so. But since I'm not loading an OS onto my computer every day I use it, or my servers, I could level-up my responsibility stats by write-protecting the MBR. (Of course, any cracker worth his salt (HA!) would find a way around the BIOS write protection.)

Yeah?

Re:From the article (1)

Corporate Troll (537873) | more than 6 years ago | (#22633750)

Hmmmm... With the multitude of different BIOSes out there, I doubt it is possible to have code that would work on every machine. From time to time one hears of BIOS viruses and the like, but I frankly think they're urban myths.

On the other hand, the MBR is at a fixed position on your hard disk and modern operating systems do not need the BIOS to write to it. It might thus be possible to write the MBR without the BIOS noticing.

Re:From the article (1)

networkBoy (774728) | more than 6 years ago | (#22644768)

"From time to time one hears of BIOS viruses and the like, but I frankly think they're urban myths."
Look up Blue Pill rootkit.
-nB

Re:From the article (1)

Corporate Troll (537873) | more than 6 years ago | (#22647280)

I know Blue Pill, and Blue Pill isn't a BIOS virus. It doesn't infect the BIOS; it essentially installs a hypervisor under the operating system, which then runs the operating system itself in it. At no point does this need a BIOS modification. MBR is enough.

"not written for fun" (4, Insightful)

ph0enix (87965) | more than 6 years ago | (#22633288)

This malware is very professionally written and produced. Which of course means it's not written for fun.

Why include this swipe at amateur software development?

Nearly all of the "professionally produced" code that I've read is horrendous and looks like it's been coded by rabid gibbons on LSD, while the best code I've read has been written by people for whom it's a labor of love. Yes, there is also plenty of ugly open-source code, but the fact that it's well written just means that the programmer cared about it.

Re:"not written for fun" (0)

Vampyre_Dark (630787) | more than 6 years ago | (#22633436)

Yes, but that professional code was shipped and is running all over the place and doing what it intended. The amateur code is sitting on a SourceForge page somewhere, where people can't stop tinkering with it and make a release. Also, everyone in my experience seems to think code not written by them is really bad, and the guy who wrote it is a lunatic!

Re:"not written for fun" (1)

dzfoo (772245) | more than 6 years ago | (#22633946)

I agree: some of the most innovative viruses that were created back in the day, the ones experts collect and study for their brilliant and elegant design, were done basically for "fun", not profit.

This MBR infector could very well have been written by "professionals" with a specific agenda, but to reach that conclusion based solely on the apparent quality of the code is wrong.

          -dZ.

Re:"not written for fun" (1)

stonecypher (118140) | more than 6 years ago | (#22636358)

This malware is very professionally written and produced. Which of course means it's not written for fun.
Why include this swipe at amateur software development?
I didn't read it that way at all. The way I read that was "the person who wrote this did so to create a tool for a specific purpose; their goal was not mischief or proving their skill, as is so common in this arena, but rather to create an exploit to make themselves rich."

Intimidating (1)

Workaphobia (931620) | more than 6 years ago | (#22633316)

Was I the only one a little unnerved by that bad boy's description? Attacking the MBR *and* hiding in free disk space?

Re:Intimidating (1)

downix (84795) | more than 6 years ago | (#22634182)

Reminds me of the one nasty little bug I ran across (DOS virus, mind you) which hid not on the HD, but in the SRAM buffer found on a particular brand of floppy drive (chinon or mitsumi I believe). Incredibly nasty in that nobody knew where it was coming from, or why a HD wipe didn't get rid of it.

DOS Viruses (5, Interesting)

ledow (319597) | more than 6 years ago | (#22633354)

Maybe it's just me remembering the good old days of DOS viruses but none of this actually seems "new", except for "calling the NDIS API directly, using a 'code pullout' technique to load just the parts of ndis.sys that it needs", which is just a shortcut to direct hardware access... it's basically loading another copy of a library to use it separately from the OS (and therefore, presumably, OS security) to access the network card. It's a nice way to access a network card from "below" the OS in a hardware-independent way (i.e. let's pinch the Windows driver rather than try to work out what card we are using and create 1000 drivers for each different brand of card). But on the whole, this is hardly "new" or "shocking".

Having said that, it's nice to see something where people have actually invested time and skill into creating a program that bypasses the OS in such a way, rather than just another re-written script with a couple of variables changed.

Lines like:

"This malware is very professionally written and produced. Which of course means it's not written for fun."

might annoy some, though. The old DOS viruses NEVER really achieved anything useful (even with blackmail attempts while holding your boot sector to ransom, etc.) and were written "just because" by teenagers. That didn't stop them from appearing professionally written and breaking genuinely new ground for the time. Just because people are now using such malware for financial gain doesn't mean that it's ALWAYS the case. And Linux zealots are sure to jump on the above quote with all their hearts. :-)

And then you have the obvious - why is the OS allowing you to modify the MBR without appropriate rights and/or why are users running as users with the rights necessary to do this? This is STILL a problem harking back to the DOS days - everyone as administrator. With a new twist - the average user hasn't needed to BE administrator for quite a long time now.

Re:DOS Viruses (2, Informative)

jfim (1167051) | more than 6 years ago | (#22633636)

And then you have the obvious - why is the OS allowing you to modify the MBR without appropriate rights and/or why are users running as users with the rights necessary to do this? This is STILL a problem harking back to the DOS days - everyone as administrator. With a new twist - the average user hasn't needed to BE administrator for quite a long time now.

Except in Vista, this isn't true. You need to either have elevated privileges (or have disabled UAC so that everything runs as administrator) to be able to write to the MBR, at least according to this website [softpedia.com]. Of course, UAC does not mitigate the issue if they attach to a publicly available installer (say kazaa-super-deluxe-installer.exe), since you'll need elevated privileges to run the installer and thus will click "Accept". However, since writing to the MBR is a highly unusual operation, they could bring another box that clearly marks the operation as unusual before allowing the write to the MBR.

Also, since the article mentions that the rootkit does not modify the registry, it would appear that all that is required to remove it is to do a "fixmbr" from the installation CD to overwrite the MBR with a clean copy (which is corroborated by Symantec [symantec.com]).
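Added example, not from the thread or from F-Secure's writeup: a small offline check that goes with the "fixmbr restores a clean copy" point above. It parses the partition table out of a raw MBR, hashes the 440-byte bootstrap area so it can be diffed against a known-good baseline, and lists sectors that no partition claims yet contain data, which is where a rootkit of this kind parks its body. The disk image, the partition layout and the planted bytes are all constructed inline; nothing here is a real dump.

```python
"""Offline MBR and unallocated-sector check (added example, constructed data)."""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"


def parse_partitions(mbr: bytes):
    """Return [(type, start_lba, sector_count)] for the four primary entries.

    Entries with type 0 or a zero length are empty and are skipped.
    """
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) count(4)
        _status, ptype, start, count = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype and count:
            parts.append((ptype, start, count))
    return parts


def bootcode_hash(mbr: bytes) -> str:
    """SHA-256 of the 440-byte bootstrap code area.

    Take the hash from a known-clean machine as a baseline and compare it
    before and after a 'fixmbr'; the partition table is deliberately excluded.
    """
    return hashlib.sha256(mbr[:440]).hexdigest()


def unallocated_nonzero_sectors(image: bytes):
    """LBAs that no partition claims (the MBR itself excluded) yet hold data."""
    parts = parse_partitions(image[:SECTOR])
    total = len(image) // SECTOR
    claimed = set()
    for _ptype, start, count in parts:
        claimed.update(range(start, min(start + count, total)))
    hits = []
    for lba in range(1, total):
        if lba in claimed:
            continue
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            hits.append(lba)
    return hits


def build_sample_image(hidden_lbas=(60, 61), total_sectors=128) -> bytes:
    """Constructed test image (an assumption, not a real disk): one NTFS-type
    partition starting at LBA 63 and code-like bytes planted in the gap."""
    image = bytearray(total_sectors * SECTOR)
    image[0:4] = b"\xfa\x33\xc0\x8e"  # placeholder bootstrap bytes
    image[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00",
                                 0x07, b"\xfe\xff\xff", 63, 64)
    image[510:512] = BOOT_SIG
    # Partition boot sector: claimed data must not be reported as suspect
    image[63 * SECTOR:63 * SECTOR + 11] = b"\xeb\x52\x90NTFS    "
    for lba in hidden_lbas:
        image[lba * SECTOR:lba * SECTOR + 6] = b"\xe9\x00\x00\x90\x90\x90"
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print("partitions:", parse_partitions(img[:SECTOR]))
    print("bootcode sha256:", bootcode_hash(img[:SECTOR]))
    print("suspect unallocated sectors:", unallocated_nonzero_sectors(img))
```

To run it against a real drive, feed it the bytes read from the raw device (`\\.\PhysicalDrive0` on Windows with an elevated prompt, `/dev/sda` on Linux) instead of the constructed image. Two caveats: the summary says the rootkit hooks IRP_MJ_READ in disk.sys to hide itself, so a read from inside the infected OS can come back clean, and the image has to be taken from boot media or another OS; and on a dual-boot box GRUB legitimately embeds its core image in the gap after the MBR, so a hit is a lead to inspect, not a verdict.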

Re:DOS Viruses (1)

ledow (319597) | more than 6 years ago | (#22633656)

I don't have vast experience of Vista because I decided against deploying it on the last few networks I managed. However, it seems that it must still be incredibly easy to access the MBR even, as you point out, as a non-administrator user.

However I assume that "Boot sector protection" as available in most modern BIOSes should stop this stone dead (I know that I implement it but I doubt everyone does). It's like 1989 all over again...

Granted, the virus is easily cleaned, although its potential effects may not be (identity theft etc.).

Re:DOS Viruses (1)

jfim (1167051) | more than 6 years ago | (#22634072)

I don't have vast experience of Vista because I decided against deploying it on the last few networks I managed. However, it seems that it must still be incredibly easy to access the MBR even, as you point out, as a non-administrator user.

Not really. UAC [wikipedia.org] is essentially like sudo, except that when you run in an administrator account, there is no password prompt, only an Allow/Cancel choice. From a non-administrator user, you have to enter the login and password of an administrator. Of course, if you disable UAC and set it so that everything runs as administrator, there is no protection.

However I assume that "Boot sector protection" as available in most modern BIOSes should stop this stone dead (I know that I implement it but I doubt everyone does). It's like 1989 all over again...

It probably would. It's a good idea to use this option anyway; there's no real reason to write the MBR very often, except maybe to update Grub or LILO.

Granted, the virus is easily cleaned, although its potential effects may not be (identity theft etc.).

Agreed, especially when considering that TFA mentions that it mostly targets financial websites.

Re:DOS Viruses (1)

InverseParadox (189133) | more than 6 years ago | (#22639834)

UAC is essentially like sudo, except that when you run in an administrator account, there is no password prompt, only an Allow/Cancel choice.

This is only true if the built-in Administrator account has no password. If you enable the built-in Administrator account (which can apparently be done any of several ways, but the one I've always used is 'net user administrator /active:yes') and then give it a password, the UAC dialog will thereafter have a password prompt. This has always been the first thing I do on any Vista machine I've had to configure (which fortunately has not been many).

I also remove sudo from every *nix box I admin; 'su -c' does just fine, and since it requires the root password it does not leave room for know-nothing-user mistakes the way sudo does. Anyone who should be making changes which require root access already has the root password anyway.

The addition of an effective admin-privileges model and at least some of what is needed to enforce it is one of the few things I would consider an improvement in Vista as compared to XP - and note that I'm generally anti-Microsoft, and dislike Vista significantly more than I do XP. Why, having added such a model, Microsoft then chose to cripple it by not only hiding the root user, and not only automatically creating an admin-level account, but not automatically creating a non-admin account is something which I have never been able to figure out; nothing about it makes the least bit of sense to me.

Re:DOS Viruses (1)

InverseParadox (189133) | more than 6 years ago | (#22641000)

...unless, of course, that's just a mistaken observation on my part by virtue of never having bothered to run with a non-restricted account while Administrator had a password. (I somehow failed to think of this possibility before posting.)

Re:DOS Viruses (1)

jfim (1167051) | more than 6 years ago | (#22643392)

This is only true if the built-in Administrator account has no password. If you enable the built-in Administrator account (which can apparently be done any of several ways, but the one I've always used is 'net user administrator /active:yes') and then give it a password, the UAC dialog will thereafter have a password prompt. This has always been the first thing I do on any Vista machine I've had to configure (which fortunately has not been many).

Interesting. I never enabled the Administrator account on my Vista machine and didn't think it would make a difference.

I also remove sudo from every *nix box I admin; 'su -c' does just fine, and since it requires the root password it does not leave room for know-nothing-user mistakes the way sudo does. Anyone who should be making changes which require root access already has the root password anyway.

Sudo has the advantage that it leaves an audit trail, which can be a desirable feature in an environment where there are multiple administrators. I agree though that it doesn't make as much sense if you're the sole administrator.

The addition of an effective admin-privileges model and at least some of what is needed to enforce it is one of the few things I would consider an improvement in Vista as compared to XP - and note that I'm generally anti-Microsoft, and dislike Vista significantly more than I do XP. Why, having added such a model, Microsoft then chose to cripple it by not only hiding the root user, and not only automatically creating an admin-level account, but not automatically creating a non-admin account is something which I have never been able to figure out; nothing about it makes the least bit of sense to me.

It is pretty much the best implementation they could have made, considering the amount of legacy stuff they had to live with. As for not running as admin by default, it is so that, by default, applications don't run with all privileges. It behaves the same way as OS X or Linux, when you're in the wheel group/sudoers.
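Added example, not from the thread: what the "audit trail" point above looks like in practice. It parses the command-level records sudo writes to syslog, separates granted from denied attempts, and shows that a plain su only records who became root, never what they ran. The log lines are constructed to the stock sudo and su syslog formats and belong to no real host.

```python
"""sudo vs su audit trail from auth.log (added example, constructed log lines)."""
import re

# Constructed sample, shaped like stock sudo/su entries in /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/fdisk -l /dev/sda
Mar  4 09:12:44 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/dd if=/dev/sda of=/root/mbr.bin bs=512 count=1
Mar  4 09:15:09 web1 sudo:  mallory : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/mallory ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  4 09:20:30 web1 su: (to root) bob on pts/1
Mar  4 09:20:30 web1 su[4711]: pam_unix(su:session): session opened for user root by bob(uid=1001)
"""

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "

# A denial reason ("user NOT in sudoers", "3 incorrect password attempts")
# sits between the user and TTY=; it is absent on a granted command.
SUDO_RE = re.compile(
    TS + r"sudo:\s+(?P<user>\S+) : (?:(?P<reason>[^;]+?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# su records the identity switch only; the pam_unix session line adds nothing.
SU_RE = re.compile(TS + r"su(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")


def parse_event(line: str):
    """One auth.log line -> event dict, or None for lines we do not track."""
    m = SUDO_RE.match(line)
    if m:
        reason = m.group("reason")
        return {"kind": "sudo", "ts": m.group("ts"), "user": m.group("user"),
                "target": m.group("target"), "tty": m.group("tty"),
                "cmd": m.group("cmd"), "ok": reason is None, "reason": reason}
    m = SU_RE.match(line)
    if m:
        return {"kind": "su", "ts": m.group("ts"), "user": m.group("user"),
                "target": m.group("target"), "tty": m.group("tty"),
                "cmd": None, "ok": True, "reason": None}
    return None


def audit_trail(lines):
    """All sudo/su events in order; unrelated lines are dropped."""
    return [e for e in (parse_event(ln) for ln in lines) if e]


def commands_by_user(events):
    """user -> list of commands actually run as another user.

    su events contribute None: the switch is logged, the commands are not.
    """
    out = {}
    for e in events:
        if e["ok"]:
            out.setdefault(e["user"], []).append(e["cmd"])
    return out


def denied(events):
    """(user, reason, attempted command) for every refused sudo request."""
    return [(e["user"], e["reason"], e["cmd"]) for e in events if not e["ok"]]


if __name__ == "__main__":
    events = audit_trail(SAMPLE_AUTH_LOG.splitlines())
    for user, cmds in commands_by_user(events).items():
        print(user, "->", cmds)
    print("denied:", denied(events))
```

The `None` entry for bob is the whole argument: with su the log shows that a root shell was opened on pts/1, and everything done in it afterwards is invisible unless something else (shell history, auditd) captured it. Sudo's records are only as trustworthy as the syslog pipeline that stores them, so ship them off-host.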

I disagree. (2, Funny)

jd (1658) | more than 6 years ago | (#22633782)

The Drain virus taught a lot of noobs that disk drives are not washer/dryers. The Cascade virus brought new meaning to the saying that what lights up must come down. Early viruses were very educational.

Re:DOS Viruses (0)

Anonymous Coward | more than 6 years ago | (#22634036)

Faggot.

Re:DOS Viruses (1)

jgrahn (181062) | more than 6 years ago | (#22638864)

Lines like: "This malware is very professionally written and produced. Which of course means it's not written for fun." might annoy some, though. [---] And Linux zealots are sure to jump on the above quote with all their hearts.

Not just Linux zealots. If you cannot write good code for fun, you cannot write it for money, either.

Yes... (4, Funny)

sonicattack (554038) | more than 6 years ago | (#22633602)

...but does it boot Linux?

I'm impressed! (1)

dzfoo (772245) | more than 6 years ago | (#22633908)

Wow! I did not know you could have such low-level access with Visual Basic. These kids nowadays...

        -dZ.

Do we only care about business? (1)

Bromskloss (750445) | more than 6 years ago | (#22633982)

What about its effects on the well-being of us, the humans?

(Provided energy use is bad for the planet, the increase of that might be important, if it's large.)

Re:Do we only care about business? (1)

seramar (655396) | more than 6 years ago | (#22634314)

you meant to post that over here I think http://slashdot.org/article.pl?sid=08/03/04/0241218 [slashdot.org]

Hackers, Phishers, Virii writers (1)

flyneye (84093) | more than 6 years ago | (#22635312)

The unethical in IT, so frustrating and destructive, amongst the most hated in the world.
It wouldn't surprise me to find legislation in many countries, unopposed by the citizenry (even the U.S.), for capital punishment or at least cutting off their hands.
