Security mavens have uncovered a new class of attacks that attach malware to the bowels of a hard drive, making it extremely hard to detect and even harder to remove. The rootkit modifies a PC's master boot record (MBR), which is the first sector of a storage device and is used to help a PC locate an operating system to boot …
The wheel has come full circle
So now we're back to the old boot-sector viruses that plagued the DOS and Amiga machines of the 80s and nineties. Back then, PC motherboards (486/Pentium/Cyrix types) DID have an AV built into the BIOS; you disabled it to install Windows (or OS/2 - remember that one?) and then re-enabled it when you were done. Then nothing could change the MBR. Why oh why did the MB makers stop adding this feature? Dumb.
The next step for the malware authors will of course be to flash the BIOS. Remember the old Chernobyl/CIH that flashed your BIOS with garbage thus rendering the motherboard unusable - unless you had a spare compatible BIOS chip lying around? Of course, the new version won't trash the motherboard, it'll just place a stealthy backdoor for the scammers to secretly insert more complex trojans without Windows (or Mac/Linux for that matter) knowing anything about it.
Maybe if we started extraordinarily rendering and publicly executing these bastards who are destroying humanity's greatest achievement, we might start getting somewhere. I, for one, would gladly go to the public hanging of a malware scammer (as long as he was PROVEN guilty) and throw rotten eggs with the greatest pleasure.
I would like to hear more what design features, what hardware? I am sure EL Reg could get these answers somehow. If Joanna has real ideas I think the world would like to know I am not trying to be funny.
I wonder how EFI fairs with stuff like this. I guess it does lack MBRs, but I do wonder what a malware writer could pull off with that.
Nothing new under the sun
A "new class of attacks"? Gimme a break. Even the very first PC virus, Brain, was loading from the boot sector and was stealthing itself there. OK, so it was the DOS boot sector instead of the MBR - but that was because it didn't infect hard disks, only floppies. Still, it's certainly the same "class of attacks". That was almost quarter of century ago.
More recently - like, you know, "only" about a decade ago or so - there was some Windows thingy (forget whether it was a virus or a Trojan) that loaded from the MBR and patched the kernel to disable password protection.
Of course, all this isn't being helped by irresponsible guys like eEye hosting the source of such crap on their Web site. :-(
cruelty to rootkits surely
poor things *have* to put up with windows. There's not even a mercy-killing by the av. sad indeed.
re: Round Wheels
IIRC, the BIOS in my old socket 3 & 4 systems didn't have AV - just a warning on the screen (accompanied by loud bleeping) that something was trying to write to your MBR, although the BIOS vendors did tend to label it "Virus protection"
I suspect the reason it was scrapped is that Windows doesn't take kindly to the BIOS taking over the UI to post a warning - at least, doing anything to the MBR with Win95 would cause Win95 to die (then again, there were a few other things like normal use that would cause Win95 to die). I don't know how modern OSes feel about that sort of thing, though.
I also think this is not Windows-only - MacOS & Linux most likely have exactly the same vulnerability, it's just that there may not be an exploit for it just yet...
Critical memory like MBRs and BIOS should be hardware write-protected, with a jumper to enable writes in the rare occasions when new data needs to be written.
emm, yes I remember the write protect bootblock option, I dont think this desktop has it but the cheapo motherboard I just paid £18 for still has it.............
I don't understand
The comment reads that the virus loads before Windows. I'm missing something which hopefully someone can help me with - surely this is a virus loading before a major virus? Viruses are basically code thingymajigs which cause your PC to do what you didn't intend it to do, and I swear that sometimes Windows is doing something I didn't want.....
Vista security flaw eh?
Vista: more flaws in 1 year than OpenBSD in 10.
New class of attack?
Or rather a "forgotten" class of attack, because at one point they included AV in the bios to cut out this type of problem.
And the lesson is......don't ignore Windows security updates.
Will this thing install on the MBR of ALL the drives on an infected PC?
Does it jump onto any burned CD's / plugged in Devices for an infection vector?
Does it affect other O/S's? If so, How?
If so, is Dual-Booting useless as both O/S' will be infectious, even if your other boot partition doesn't get actively exploited, the MBR infection can Cross-contaminate?
And No insight from AMFM? This it top-quality Conspiricy Materials!
New entry in AUTOEXEC.BAT
Does that still work, I wonder...
Does AUTOEXEC.BAT still get called, I wonder...
Takes me back though.
@ The wheel has come full circle
I remember the CIH virus very well. I wrote an article on hot swapping your bios chip for PC Format at the time. I wouldn't have recommended it for 99.99% of users though!
Security is still an afterthought in PC architecture. Why have guards on the front-desk if someone leaves the back door open when they pop out for a cheeky fag.
I'm at a loss to figure how 512 bytes of code (incl partition table data) running in real-mode - (even if it steals the top 1k of real-mode RAM, moves itself there and hooks int13h) can survive the jump into flat 32 bit mode and still be active in this day and age of 32 (or 64) bit drivers. So calling it an MBR rootkit and comparing it to oldies like Stoned is probably selling it short.
Rutkowska - Zero Credibility
Joanna Rutkowska has no credibility with anyone with proper technical understanding of malware. Her reputation exists entirely upon smoke and mirrors, and a couple of big scaremongering stories from a couple of years ago.
Anyone remember the 'blue pill'? Joanna warned us years ago that she was working on.... wait for it.... Undetectable Malware! Yes, she claimed that she would soon present her working prototype of her blue pill technology which would be completely undetectable to A-V software. She gained a _lot_ of press and attention for these extreme claims, and became quite famous on the back of it all, but professionals working in the industry were extremely skeptical...
...with good reason. Nothing she has ever claimed has amounted to anything of substance. Where is this ground breaking undetectable hypervisor-based malware she promised? All we ever got was an extremely detectable first prototype (memory scanning was sufficient to detect it) and the promise of a new version soon that would be live up to all the promises.
We're still waiting. And with every day that passes in the meantime the reputation of Joanna Rutkowska means less and less.
"I, for one, would gladly go to the public hanging of a malware scammer (as long as he was PROVEN guilty) and throw rotten eggs with the greatest pleasure."
If you were about to be hung (or even already hung), would you be bothered by the eggs, rotten or otherwise..? If I was about to be executed by hanging, I don't even think I'd notice the eggs.
Difficult to repair...
Insert Windows CD.
Boot from Windows CD.
Enter Recovery Console.
Type "fixmbr" and hit return.
MBR *= MBR
MBR++: > I'm at a loss to figure how 512 bytes of code (incl partition table data)
> running in real-mode - (even if it steals the top 1k of real-mode RAM,
> moves itself there and hooks int13h) can survive the jump into flat 32 bit mode
The code could contain (a) its own switch to 32/64-bit mode, (b) code to download more stuff from a couple of tracks which it has concealed from every OS by fudging the reported disc geometry (c) switching back to real mode with the system RAM size fudged to conceal the presence of the malware.
more than 512 bytes available.
Someone said "I'm at a loss to figure how 512 bytes of code (incl partition table data)"
There's vastly more room than that. The 512 bytes is what is loaded into memory at boot time, the whole of the first track (cylinder maybe) is available as well.
<pedant>It depends whether you're hung or hanged, I suppose</pedant>
Real SMARTer Software ........ [4Alien Concepts2]*
""We will never win the battle with malware, especially rootkits, without a help from hardware and changes in the *design* of the OSes," Joanna Rutkowska, a researcher specializing in rootkits, wrote in an email." ....... And that requires an Intellectual Mindset Change to IntelAIgent Design [Software] for any who would be wanting to change Root/Core Driven Operating Systems [Hardware]
Have you consider that such a "battle" as outed in this Registered conversation is more IntelAIgent Designer Software at ITs Playful, Restful Work?
"Maybe if we started extraordinarily rendering and publicly executing these bastards who are destroying humanity's greatest achievement, we might start getting somewhere. I, for one, would gladly go to the public hanging of a malware scammer (as long as he was PROVEN guilty) and throw rotten eggs with the greatest pleasure." ..... Crikey, Steve, that's extremist. Love the caveat though.
And here is something else to consider. Is that Cookie/RSS Feed Binary Processing a lot SMARTer than Plain Ordinary Human Intelligence and does IT Feed that Simple Intelligence with ever more Specialised IntelAIgents Secrets so AIMachine Intelligence is Immaculately Conceived/Spontaneously Evolved to Server from Core Servering Operating Systems?
Is "the pest Trojan.Mebroot", as a bastard child/prodigal son being Mentored with Monitors to ensure Beta Performance in AI Changed Virtual Realms?
* [ 4Advanced Drivers2 .......Master Pilots. Optional and/or as Needs Must/Need to Know Permits]
And all OSs are enhanced and dDeeply embedded with such Enrichment Facility, are they not?
For an Asute Sub-Atomic (as in Quantum) NEUKlearer HyperRadioProActivity in Global Operating Devices..... for yet another Available Option? ..... http://jamesstgeorge.proboards32.com/index.cgi?board=UKdomestic&action=display&thread=1199776538&page=1#1199865122
Be careful out there, IT is AI Virgin Jungle in the Reign of Amazons. I Kid U Not. Although that would surely be AI Pleasure to look forward to. :-)
Of course no-one's seen or heard anything about her malware - it's undetectable. Self-explanatory, really.
Viruses/malware are good!
Keeps most of us in a job, if a computer goes wrong who do you call? Me!
<quote>Maybe if we started extraordinarily rendering and publicly executing these bastards who are destroying humanity's greatest achievement, we might start getting somewhere. </quote>
Humanity's greatest achievement? You mean someone is destroying Monty Python films?
Bastards... Crucifixion's to good for them!!!
How can the BIOS protect the first sector, anyway
Any disk access through the BIOS (INT13) could disable writes to the hard-disk, but it would not stop real mode code writing directly to the disk hardware, bypassing the BIOS.
What you need is either a hardware switch or a password protected software switch built in to the hard-disk-drive - oh what fun would lost passwords be.
The protected flash BIOSs must have some sort of password or PIN built in to the flash upgrade utility.
What's wrong with fdisk /mbr?
AFAIK this will replace the MBR of a disk. I used it to defeat some security software a vendor was demoing to me a few years ago.
Yes, a hardware switch for MBR write protection would be the ideal solution, especially as this isn't yet another windows virus but effects every OS.
Think I'll have a look at using an SD card as the primary boot device, at least they can be write protected :)
You say 'undetected by most AV apps'
But fail to mention which ones do?
"The protected flash BIOSs must have some sort of password or PIN built in to the flash upgrade utility."
Usually a physical link on the mobo.
Where's the issue?
Just repair or restore the master boot record (MBR) periodically or whenever you assume presence of (or root kit discovery software finds) malicious MBR software:
"The simplest way to repair or re-create MBR is to run Microsoft's standard utility called FDISK with a parameter /MBR, like
A:\> FDISK.EXE /MBR
FDISK is a standard utility included in MS-DOS, Windows 95, 98, ME.
If you have Windows NT / 2000 / XP, you can boot from startup floppy disks or CD-ROM, choose repair option during setup, and run Recovery Console. When you are logged on, you can run FIXMBR command to fix MBR." (Extract taken from ntfs.com/mbr-damaged.htm).
Except to the obvious limit to re-writes before failure, if anyone better informed can explain the risks with this measure then please state them so that no-one messes up their MBR.
I use to do this regularly when I worked in hardware fault diagnostics.
Re: Where's the issue?
I do remember one issue with restoring the MBR as I described above: if you're computer has a hidden partition (i.e it's an HP, Compaq, PB or similarly manufactured) then it could render the restore disc unusable. But then, most restore discs based on hidden partitions fail to work anyway.
If it's undetectable...
.... what's the worry? What *else* does it do to systems that causes this to be a concern? If it's a case that someone's using a proof of concept virus to demonstrate they can insert code into the MBR, it needs to be watched but not paniced about.
If it's a case that this virus will destroy all the computers on the 1st of February, then we need to panic! :)
@ Joe Blogs
Crucifixion's a doddle...
And to throw my hat into the ring - meat (and certain male individuals) are hung, people are hanged.
I can't believe I signed up to post this....<shakes head sadly>
OTOH, I am doing so on paid time. Swing...roundabout...hmmm
So what if the rootkit intercepts the Fdisk /MBR call. And then instead of *actually* rewriting the MBR just sends you a message saying it has....
World of pain.
Am I the only one
who thinks the virus writers are actually doing us a favour by exposing so many security flaws, generally before major damage has been done?
Of course it would be more civilised if the system designers offered rewards for proofs of concept rather than actual attacks but, realistically that would only attract white hats. Our "immune system" needs to be attacked by genuine pathogens from time to time (rather than simulations) if we are ever going to create something close to genuine security.
Even older-school solution to an old-school problem
Perhaps it's time to pull the 48k Spectrum out of the basement and press it back into daily service.
Try infecting *that*, you buggers. :)
(Though emailing a Tasword 2 document might pose some difficulty, at both ends...not that MS Word attachments are much less problematic.)
Mine's the black coat with the rainbow stripes, ta muchly.
@ Andy Worth
"And the lesson is......don't ignore Windows security updates."
Andy, the problem is that Microsoft ignores Windows security updates for a minimum of 30 days. That's a huge window (sorry) of time for the malware spreaders to exploit.
Re: Where's the issue?
Well, if I did FDISK /MBR on the PC where I'm typing this, it would completely trash my grub setup, and render the machine unable to boot any of the Solaris, Linux or WinXP OSes currently installed, so it doesn't sound like a great fix to me...
dd if=/dev/hda of=mbr count=1 #backup
dd if=mbr of=/dev/hda #restore
b166er: Says only Symantec's AV (Norton) can detect it.
To me, this sounds like a scaremongering tactic to get people to buy Norton AV.
If it is, shame on you, Symantec. I've not had any respect for your product for years and my opinion can't go much lower.
Could we all stop fiddling with the MBR please?
So Vista came along, with some decent kernel security, and protected access to the HDD.
Then every AV vendor whined and whined and whined their product doesn't work anymore, as the hooks to hardware are now blocked - there's a bloody good reason for that, and it's called security! Does Symantec run on Linux, hmmm?
So the kernel gets re-written to allow poor strugling AV vendors to access hardware, and blammo! we're back to square one with MBR virii.
Not just AV people, but the dubious dodgy software "protection" systems (Macromedia, I'm looking at YOU) that also require hardware access to MBR to do their dirty tricks.
Incidentally, my MB (Gigabyte) still has MBR blocking, and doesn't AutoCAD kick up a stink when it's enabled! I need to give Autodesk's PERFECT BUG-FREE CODE (yeah, right) access to my MBR just to run the program, not just install it! Oh, and of course the software demands Run As... ADMIN! So it can do bloody anything! Nice.
AV and software "protection" - "Nice PC you got here buddy, lotta data on it... be a SHAME if it caught a VIRUS huh?"
Seriously, every time I hear [generic AV vendor name] I think "fire insurance from the Mafia"; "ooh, looky looky a new threat, and OUR software blocks it!" See? There's NO BLOODY DIFFERENCE AT ALL!
Vista has no protection!
It is very easy to do an absolute sector write to the hard disk under Vista (you need elevated admin rights but no special APIs - the same code works on XP as it does on Vista). Although Vista does not allow absolute writes to a mounted volume (unlike XP), it does allow Absolute disk writes to areas outside of these volumes and that includes the first track (where the MBR is) and any unpartitioned space!
Vista does have protection
"It is very easy to do an absolute sector write to the hard disk under Vista (you need elevated admin rights but no special APIs...)"
That's exactly what UAC is there for. To stop non-priviledged applications from accessing certain administrator APIs. If you disable UAC, you lose that protection. If you're stupid and click "Allow" to unknown applications, then - well - you're stupid and would probably do the same on any machine, regardless of the OS.
I'm sure if I said the following, I'd get flamed by all the Linux (and Mac?) crowd out there - but essentially it's no different:
"It is very easy to do an absolute sector write to the hard disk under Linux/OSX (you need to be root to do it but no special APIs...)"
In Vista, you need to be elevated - in Linux/OSX you need to be root.
How it works / how to detect
More info on the operation and detection of this rootkit:
@mdubh - thanks
Taken from the link that 'mdubh' provided: "The MBR root kit runs on Windows Vista with some restrictions. For instance, it cannot get a foothold if User Account Control is enabled."
Just another reason why disabling UAC is kinda dumb.
From past experience, Symantec are normally worst at detecting anything, now they are the first to detect a MBR rootkit ? something fishy smell here ...
Hmm... old-timers virus infecting MBR heh?
Sure, old-timers solutions may work. But what if inside the virus lies its own BIOS? Ops, that´s useless unless you take over the real BIOS. Lets assume that, the virus now took over the BIOS, and can intercept MBR utilities. But wait.
Is it infecting your flash BIOS on your motheboard, or your hard drive MBR?
Most newers PCs have fail-safe flash BIOS, so overclockers can tinker at will. When the flash BIOS gets thrashed with overclocked settings, the mobo will fail to boot, and will read a READ-ONLY-HARD-CODED-BIOS on a chip that is known to work. Then the flash bios is thrashed, and rewritten with the safe BIOS read from the ROM chip. So I understand that if your flash-BIOS is virus-infected, just overclock your settings so it will thrash the flash-BIOS and load a safe one from the ROM. Not neat, but effective. Unless the virus was specifically written to detect this, he will be vaporized, next time the flash bios is wiped.
When hard-drives get infected, you boot from a CD. You won´t even read the infected drive's mbr. Now you can fire up your MBR utilities and wipe all infected MBRs clean! That´s old school solution, and most people in the area know about it, in particular readers of El Reg. Assuming the BIOS is clean, MBR utilities can kick in.
The only kind of virus that could compromise a motherboard permanently is one that resides in the MBR AND the Flash-BIOS, and not just that, it can notice all the motherboard activity, specifically when it is trying to wipe the flash-BIOS because it believes it's been corrupted, (and über-overclocking will do just that). Thats a kind of knowledge specific to each motherboard, right?
Could a tiny virus block a flash-bios wipe in any model of motherboard? Wouldn´t that require intimate knowledge of every kind of ROM chip and motherboard architecture in the market?
Remember, modern motherboards DO HAVE 2 LOADED BIOS. One resides in the flash memory, and there you get your settings saved. The other is located in a ROM chip and cannot be tampered, its only purpose is to replace the flash bios when it gets overclocked to a non-boot condition. Mine does, I overclocked it, it crapped out, the BIOS was made anew from the ROM chip.
I guess there resides the doubts, if any.
I myself ran into a kind of malware that was pretty nasty. It took the shape of a .DLL and a loaded executable. Should you delete the .dll, it would reappear in anyway (the copy on memory could read its presence). If you removed it from memory, the dll would load it again on the next reset or power down. The solution was to remove it from the memory, and pull it out of mains, literally. You were supposed to pull the plug, no reset button or power down button. The virus could intercept the reset button, and the ATX power supply interrupts involved. If it was a notebook, you would have to yank out the battery while it was on!
Now, if I said anything that looks like utter rubbish, please do speak up, correct me. I would love to understand how can a MBR virus load itself into memory and corrupt the BIOS or otherwise, when the hard drive it resides in isn´t booted, and a CD or clean media is booted instead.
Are we assuming here that the flash-bios can be infected, and the virus can avoid being wiped from there?
or use a tool like DFsee