
Ransomware lands on the MBR

Triple Helix (Premium Member, join 2007-07-26, Oshawa, ON):

quote:
Ransomware is a technique that malware writers are using to steal money from their victims by using a very simple method. Ransomware does not place any hooks in the system, does not install any rootkit or any other malware, and does not even steal your data.

It's using something more obvious, but more effective: it's the cyber-copy of the well-known blackmail. And the scary part is that it usually reaches its goal very effectively!

Ransomware is a specific malware that holds the user's data to ransom by encrypting all critical files on the PC. Users are asked to make a payment to recover the password that enables the decryption of all files.

We have seen many Ransomware families during these years, some of them using very weak encryption algorithms, others using very strong algorithms that cannot actually be decrypted without the password.

Today we are seeing a new kind of Ransomware, able to hit the Master Boot Record of the hard drive. This is the first time Ransomware has taken advantage of the MBR to block users from getting access to their data.

The Master Boot Record has become (again) one of the critical weak points that malware can exploit to hit the system, bypassing security solutions installed on it. MBR rootkit, Whistler bootkit and TDL4 rootkit are only a few of the infamous names of malware families developed in recent years that are capable of attacking the MBR. Now Ransomware has landed there too, as Trojan.MBRLock.

This Ransomware is dropped on the victim's PC by other infections, and after it is executed it tries to infect the MBR by opening a handle to the PhysicalDrive disk device. This action is available only to users with administrative privileges, and in Windows Vista/7 it needs to pass through User Account Control. Users with UAC enabled or limited users are protected from this threat unless they wrongly choose to allow the file administrative privileges.

Full Story: »www.prevx.com/blog/163/R ··· MBR.html
OZO (Premium Member, join 2003-01-17):

No problem, if you back up your data on a regular basis. There are plenty of other good reasons why you should always back up your data...

Snowy (Premium Member, join 2003-04-05, Kailua, HI):

said by OZO:

No problem, if you back up your data on a regular basis. There are plenty of other good reasons why you should always back up your data...

Chalk one up for cloud backups.

Triple Helix (Premium Member, join 2007-07-26, Oshawa, ON):

How about the ones that don't back up? I've seen it many times when users run malware and it even deletes the OS: "My computer won't start".

TH
OZO (Premium Member, join 2003-01-17):

Then you can easily lose all your valuable data if e.g. the disk fails...

Triple Helix (Premium Member, join 2007-07-26, Oshawa, ON):

said by OZO:

Then you can easily lose all your valuable data if e.g. the disk fails...

Very true. I just feel for the ones that don't know how to back up, and there are many.

TH
OZO (Premium Member, join 2003-01-17):

You're right. And the only solution is to educate them. We all know that dishes should be washed after dinner. It's basic. Then why don't we know that the disk should be backed up after you use your computer? It's basic too...

jabarnut (Premium Member, join 2005-01-22, Galaxy M31) to Triple Helix:

said by Triple Helix:

said by OZO:

Then you can easily lose all your valuable data if e.g. the disk fails...

Very true. I just feel for the ones that don't know how to back up, and there are many.

TH

I agree. There are many who don't bother to back up anything, or even worse, don't even know how.
Me, I'm a total backup freak. I have constantly updated images of my system drive, and even backups of my backups.
And just to be safe, I have backups of my backed up backups as well.

Snowy (Premium Member, join 2003-04-05, Kailua, HI):

said by jabarnut:

I have backups of my backed up backups as well.

Not that I'd ever even consider messing with your head even just a little, but
you are aware that if you ever need it and your backup of your backup of your backup fails, you will lose all your data??

jabarnut (Premium Member, join 2005-01-22, Galaxy M31):

Not to worry, SnowyOne.
I've already considered that.
I didn't want everyone here to think I was totally crazy, so I kept it brief. But besides the backup of my backup, and another backup of that backup, I have yet another backup (external drives, ya know).
But there is no question you can't be too careful.
In fact, right after this post I think I'll back up the backups of the backups of the backups.

Thanks for the reminder.

Dustyn (Premium Member, join 2003-02-26, Ontario, CAN) to Snowy:

said by Snowy:

said by jabarnut:

I have backups of my backed up backups as well.

Not that I'd ever even consider messing with your head even just a little, but
you are aware that if you ever need it and your backup of your backup of your backup fails, you will lose all your data??

That's why you need backed-up backups of your backed-up backed-up backups... right?

jabarnut (Premium Member, join 2005-01-22, Galaxy M31):

Exactly right, Dustyn...you got it, my brotha.

Triple Helix (Premium Member, join 2007-07-26, Oshawa, ON):

This is funny; we should start a new thread on backups.

TH

Blackbird (Premium Member, join 2005-01-14, Fort Wayne, IN):

said by Triple Helix:

This is funny; we should start a new thread on backups.

TH

Good idea... then that would act as a backup to this thread. Just in case...

Snowy (Premium Member, join 2003-04-05, Kailua, HI) to jabarnut:
said by jabarnut:

Not to worry, SnowyOne.
I've already considered that.

You sound like you'd be an excellent candidate for the
"Human Genome Backup Project"
Researchers are working the bugs out of it right now.
The goal is to chain backups into, you guessed it, the human genome!
The benefits are obvious.
You always have a backup with you wherever you go!
As long as the host is alive, the backups are good.
In cases where the host is no longer alive the backups presumably become less important to the former host anyway.
In cases where a company might have an interest in a human-hosted backup, events such as sudden trauma can be mitigated with life support systems in place to keep the human alive long enough to retrieve the backup(s).

jabarnut (Premium Member, join 2005-01-22, Galaxy M31):

said by SnowyOne:
...
As long as the host is alive, the backups are good.
In cases where the host is no longer alive the backups presumably become less important to the former host anyway.

Yeah, if this host is no longer alive, I'll let other people worry about the backups. It wouldn't matter to me one "bit" by then.
However, you're getting WAY over my head now. Let's "back up" a little now, shall we?

Mashiki (Member, join 2002-02-04, Woodstock, ON) to Triple Helix:

In theory it's easy to beat something like this by using a board that supports a redundant BIOS/boot-sector backup system, which takes MBR snapshots every x days, and ensuring that the BIOS (or EFI) are the only two things that can write to the protected backup.

Heck, my 2-year-old motherboard supports it; I don't know why it's not standard.

a4nic8er (Member, join 2001-03-09, New Zealand) to Triple Helix:
Having just upgraded several pieces of hardware, involving creating backups and restoring from those backups, making new backups and (of course) backing up those backups, I am grateful for this thread as it reminded me to turn the MBR write protection back on in my BIOS.

GadgetsRme (Premium Member, join 2002-01-30, Canon City, CO) to jabarnut:

said by jabarnut:

Not to worry, SnowyOne.
I've already considered that.
I didn't want everyone here to think I was totally crazy, so I kept it brief. But besides the backup of my backup, and another backup of that backup, I have yet another backup (external drives, ya know).
But there is no question you can't be too careful.
In fact, right after this post I think I'll back up the backups of the backups of the backups.

Thanks for the reminder.

And then will we hear about it in "Jabarnut the Rewrite" or maybe "Jabarnut: Backups Rewritten"?

Stumbles (Member, join 2002-12-17, Port Saint Lucie, FL) to Snowy:
Cloud backups are just another version of ransomware. Instead make local backups.

lordpuffer (Premium Member, join 2004-09-19, Old Town, ME) to jabarnut:

You want to hear about crazy.... I have a complete backup on an external drive in a safe deposit box.

jabarnut (Premium Member, join 2005-01-22, Galaxy M31):

That doesn't sound so crazy to me...sounds smart. (Then again, keep in mind you just got a compliment from a crazy guy).

secured655 (Anon, @rr.com) to Triple Helix:

TH, no dispute from me on the value of backup and image use and the value of restoring before it is needed, but....

It occurs to me that a little more would be useful for this particular piece of malware. In the event of an infection, the partition table is rendered unusable.

From your link:

"Attempt by most users and technicians to fix the infection will be to run “fixmbr” to restore the MBR with a clean copy. Sadly it is not possible, because the rootkit wipes out the whole partition table section from the first sector of the hard drive - it is copied out to the fifth sector along with whole original MBR. This results in a new bugged Master Boot Record which is not able to boot the machine because it doesn't have any working partition table in it."

So unless backups are sector by sector and whole drive, I'm not sure that a bootable backup/restore disk is going to be useful. Same with the Windows install disk (for repair purposes anyway).

The best way to prepare for this particular nasty (and actually for the event that the partition table gets corrupted, which can occur from many causes beyond malware) would be [PRIOR TO CORRUPTION]:

1. Include bootable partition table editing software in your library (in my case it's Partition Magic, which can boot to ptedit.exe from the installer disk).
and

2. Before a corruption/infection occurs, open the editor and print a copy of the partition table for future reference, stored as a backup of sorts.

Then, as pointed out in your link, boot to your PT editor, and reconstruct the table, then fixmbr or the like.

I dealt with a pickled and forked partition table once (someone else's computer) and spent a lot of time creating a marginally usable table (from scratch; drive config and partition info unknown to the user) to recover data from the drive, before rebuilding from a re-format.
The link suggests rebuilding the table from scratch, which is fine, but every hard drive I have contains numerous partitions, and pulling the correct values for the table out of 'scratch' just doesn't seem to be an efficient or likely effective approach.

Just my $0.02. Anyway, thanks for posting, and as noted in your Wilders thread, this piece of malware doesn't actually encrypt the drive contents so fixing the table and the MBR will reclaim system access. The posts on BIOS utilities are also nice. Thx.
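The saved-copy-of-the-partition-table idea above can be automated. The following Python is an added example (not from this thread or the Prevx writeup): it assumes you keep a 512-byte copy of sector 0 taken while the machine was healthy, parses the four MBR partition entries, and reports a wiped table or replaced boot code when a freshly read sector 0 is compared against that baseline. Both sectors below are constructed inline so the script runs offline.

```python
import struct

SECTOR_SIZE, PT_OFFSET, ENTRY_SIZE = 512, 446, 16
BOOT_SIG = b"\x55\xaa"                      # trailing signature of a valid MBR


def parse_mbr(sector: bytes):
    """Return (signature_ok, list of used partition entries) for one 512-byte sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_SIZE
        boot, _chs1, ptype, _chs2, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_SIZE])
        if ptype:                           # type 0x00 means an unused slot
            entries.append((i, boot == 0x80, ptype, lba, count))
    return sector[510:] == BOOT_SIG, entries


def check_against_baseline(current: bytes, baseline: bytes):
    """Compare a freshly read sector 0 with the copy saved while the system was healthy."""
    findings = []
    sig_ok, cur = parse_mbr(current)
    _, base = parse_mbr(baseline)
    if not sig_ok:
        findings.append("boot signature 0x55AA missing")
    if base and not cur:
        findings.append("partition table wiped (baseline had %d entries)" % len(base))
    elif cur != base:
        findings.append("partition entries differ from baseline")
    if current[:PT_OFFSET] != baseline[:PT_OFFSET]:
        findings.append("boot code differs from baseline")
    return findings


def make_mbr(entries, boot_code=b"\x33\xc0\x8e\xd0", signed=True):
    """Build a constructed sample sector (not a real disk image) from (bootable, type, lba, count)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        off = PT_OFFSET + i * ENTRY_SIZE
        sector[off:off + ENTRY_SIZE] = struct.pack(
            "<B3sB3sII", 0x80 if bootable else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    if signed:
        sector[510:] = BOOT_SIG
    return bytes(sector)


# Constructed baseline: a bootable 100 MB NTFS system partition plus a larger NTFS data partition.
BASELINE = make_mbr([(True, 0x07, 2048, 204800), (False, 0x07, 206848, 4000000)])
# Constructed "damaged" sector: different boot code and an empty partition table.
WIPED = make_mbr([], boot_code=b"\xeb\x3c\x90")
```

In practice the baseline is the first 512 bytes of the disk saved to removable media, and the comparison is run from a rescue environment so that a stale or wiped table is caught before any fixmbr-style repair is attempted.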

tempnexus (Premium Member, join 1999-08-11, Boston, MA) to jabarnut:
But what happens if the backup of your backup backup fails? What do you have then? Eh?

jabarnut (Premium Member, join 2005-01-22, Galaxy M31):

I simply retrieve the new backup from my safe deposit box that I just made... (thanks to lordpuffer)
That one is super special, and I'm sure it would never fail me.
However, just in case it did, I'm in the process of backing it up.

tempnexus (Premium Member, join 1999-08-11, Boston, MA):

So on a more serious note:
Do you trust cloud backups? As in anti-snooping, people snooping into your backup?
Also which ones do you use?

jabarnut (Premium Member, join 2005-01-22, Galaxy M31):

Actually no. I prefer to save disk images locally, as well as on external drives.
And I also keep a reasonably updated image of my system drive somewhere other than my house. (So while lordpuffer's idea may have sounded a little crazy, it really wasn't as crazy as it sounded).

God forbid your house burns down, or some other catastrophe. It's always a good idea to keep some sort of backup of your important data elsewhere.
I'm not saying keeping data backed up on-line isn't a viable solution, just that it's not my preferred method.
Oh, and I primarily use Acronis, although I have other options as well.

I also have two internal drives in every computer I own...if the system drive fails, I simply replace it and restore the data.
If the backup drive fails, I replace that and create another backup as soon as possible.
And then, there's always my external drives with additional backups.

Yikes... sorry for the long-winded post. I'm really getting rusty with my typing in my old age, so I figured I'd practice a little today.

Snowy (Premium Member, join 2003-04-05, Kailua, HI) to tempnexus:
said by tempnexus:

Do you trust cloud backups? As in anti-snooping, people snooping into your backup?

Storing unencrypted data anywhere is never a good idea.

jabarnut (Premium Member, join 2005-01-22, Galaxy M31):

said by Snowy:

Storing unencrypted data anywhere is never a good idea.

Agreed.

Snowy (Premium Member, join 2003-04-05, Kailua, HI):

said by jabarnut:

said by Snowy:

Storing unencrypted data anywhere is never a good idea.

Agreed.

I'd bet your encryption key management is worthy of a thread of its own.