Report: boot sector viruses and rootkits poised for comeback in Security http://www.dslreports.com/forum/r20274445 en Wed, 09 Dec 2009 04:09:46 EDT Wed, 09 Dec 2009 04:09:46 EDT Re: Report: boot sector viruses and rootkits poised for comeback http://www.dslreports.com/forum/remark,20291205 antdude :
said by redwolfe_98 See Profile :

"What was the prank about?"

i was going to post about a "new" MBR trojan that i read about on the f-secure blog, but then i realized that it was an "april fools":

»www.f-secure.com/weblog/archives···411.html

:)
Hahaha. The part after the screen shot was funny. Before it looked legit.
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer]]> http://www.dslreports.com/forum/remark,20291205 Sun, 06 Apr 2008 10:28:32 EDT Re: Report: boot sector viruses and rootkits poised for comeback http://www.dslreports.com/forum/remark,20291016 redwolfe_98 : "What was the prank about?"

i was going to post about a "new" MBR trojan that i read about on the f-secure blog, but then i realized that it was an "april fools":

»www.f-secure.com/weblog/archives···411.html

:)]]> http://www.dslreports.com/forum/remark,20291016 Sun, 06 Apr 2008 09:17:24 EDT Re: Report: boot sector viruses and rootkits poised for comeback http://www.dslreports.com/forum/remark,20290489 antdude :
said by redwolfe_98 See Profile :

uhg! nevermind.. another "stupid" "april fools"..
What was the prank about?]]> http://www.dslreports.com/forum/remark,20290489 Sun, 06 Apr 2008 01:52:11 EDT Re: Report: boot sector viruses and rootkits poised for comeback http://www.dslreports.com/forum/remark,20282400 redwolfe_98 : uhg! nevermind.. another "stupid" "april fools".. ]]> http://www.dslreports.com/forum/remark,20282400 Fri, 04 Apr 2008 13:25:04 EDT Re: Report: boot sector viruses and rootkits poised for comeback http://www.dslreports.com/forum/remark,20280897 kpatz : I can see MBR rootkits taking hold, as a launch point for the malware once installed. But MBR viruses, not too likely anymore, since people don't tote floppies around anymore.

I suppose a MBR/boot virus could spread via USB drives, but that assumes the BIOS is set/capable to boot from such a drive before the hard drive.

It should be easy enough to defeat, between BIOS MBR protection, and kernel-level MBR protection in the OS.
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.]]> http://www.dslreports.com/forum/remark,20280897 Fri, 04 Apr 2008 08:08:18 EDT Re: Report: boot sector viruses and rootkits poised for comeback http://www.dslreports.com/forum/remark,20280031 Brano : I haven't seen a BIOS lately that doesn't have MBR protection.
It warns you when somebody is trying to overwrite MBR. Just make sure it's on.]]> http://www.dslreports.com/forum/remark,20280031 Thu, 03 Apr 2008 23:49:13 EDT Re: Report: boot sector viruses and rootkits poised for comeback http://www.dslreports.com/forum/remark,20279997 mysec :
said by Elite See Profile :

A number of other antirootkit tools and AVs have varying levels of detection and removal, depending on variants.

Also, easy to prevent from installing:

1) Patching

»www.updatexp.com/mebroot.html
Mebroot has been deliberately installed at websites controlled by the criminals and targets those website visitors who have not patched their computers with the latest security updates from Microsoft.

Mebroot Spreading through High-Traffic, Compromised Web Sites
»msmvps.com/blogs/donna/archive/2···tes.aspx
Today the Italian Web site emule-italia.it had been compromised and was hosting an obfuscated script. The script, when deobfuscated, was showing an iframe pointing to ... which was redirecting users to a server hosting the Neosploit tool. Neosploit is forcing vulnerable PCs to download and install the latest version of the infamous Trojan.Mebroot.


2) White List Protection for Zero-day exploits

Ongoing IFrame attack proving difficult to kill
http://arstechnica.com/news.ars/post/20080318-ongoing-iframe-attack-proving-difficult-to-kill.html
Over the past 12 days, an IFrame injection attack that originally focused on ZDNet Asia has been spreading across the 'Net, changing targets and payloads on an almost daily basis. An iFrame (short for inline frame) is an element of HTML that's used to embed HTML from another source into a webpage.

from 2006



___________________________________________________


___________________________________________________


___________________________________________________

----
rich]]> http://www.dslreports.com/forum/remark,20279997 Thu, 03 Apr 2008 23:40:47 EDT Re: Report: boot sector viruses and rootkits poised for comeback http://www.dslreports.com/forum/remark,20279667 Elite : Yeah sure.

The current GMER beta, at »www2.gmer.net/beta, can detect and remove all variants of MBRKit at the moment.

Prevx's "Prevx CSI" can at least detect, and I believe remove, all variants of MBRKit.

A number of other antirootkit tools and AVs have varying levels of detection and removal, depending on variants.
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,20279667 Thu, 03 Apr 2008 22:35:27 EDT Re: Report: boot sector viruses and rootkits poised for comeback http://www.dslreports.com/forum/remark,20276037 dontsleep :
said by Elite See Profile :

This rootkit is easily defeated though, if you know what you're doing. ;)
Care to elaborate for us? :p]]> http://www.dslreports.com/forum/remark,20276037 Thu, 03 Apr 2008 11:57:27 EDT Re: Report: boot sector viruses and rootkits poised for comeback http://www.dslreports.com/forum/remark,20274649 Elite : MBRKit is the only rootkit ITW right now that's doing this.

It re-writes the MBR (sector 0) on all physical volumes with it's own malicious MBR, then places a loader for it's driver in sectors 60 and 61. It re-writes the original MBR to sector 62. It then places it's device driver towards the end of the active partition. During bootup the MBR calls the loader which loads the device driver into NTOSKRNL, and does a few other interesting things.

This rootkit is easily defeated though, if you know what you're doing. ;)
--
QUAD!!!!]]> http://www.dslreports.com/forum/remark,20274649 Thu, 03 Apr 2008 05:07:16 EDT Report: boot sector viruses and rootkits poised for comeback http://www.dslreports.com/forum/remark,20274445 antdude : »arstechnica.com/news.ars/post/20···ack.html

"... Panda's report does raise a new concern, though it comes from a surprising direction. According to the company, boot sector viruses loaded with rootkits are poised to make a comeback. This honestly sounds a bit odd, considering how long it has been since a boot virus has topped the malware charts, but it's at least theoretically possible. Such viruses have a simple method of operation. The virus copies itself into the Master Boot Record (MBR) of a hard drive, and rewrites the actual MBR data in a different section of the drive..."
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer]]> http://www.dslreports.com/forum/remark,20274445 Thu, 03 Apr 2008 02:40:35 EDT