antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
|  Report: boot sector viruses and rootkits poised for comeback
»arstechnica.com/news.ars/post/20···ack.html
"... Panda's report does raise a new concern, though it comes from a surprising direction. According to the company, boot sector viruses loaded with rootkits are poised to make a comeback. This honestly sounds a bit odd, considering how long it has been since a boot virus has topped the malware charts, but it's at least theoretically possible. Such viruses have a simple method of operation. The virus copies itself into the Master Boot Record (MBR) of a hard drive, and rewrites the actual MBR data in a different section of the drive..."
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer |
|
Elite
join:2002-10-03
Orange, CT
 ·Optimum Online
| MBRKit is the only rootkit ITW right now that's doing this.
It re-writes the MBR (sector 0) on all physical volumes with it's own malicious MBR, then places a loader for it's driver in sectors 60 and 61. It re-writes the original MBR to sector 62. It then places it's device driver towards the end of the active partition. During bootup the MBR calls the loader which loads the device driver into NTOSKRNL, and does a few other interesting things.
This rootkit is easily defeated though, if you know what you're doing. 
--
QUAD!!!! |
|
dontsleep
join:2006-08-26
Astoria, NY
| said by Elite  :This rootkit is easily defeated though, if you know what you're doing. Care to elaborate for us?  |
|
Elite
join:2002-10-03
Orange, CT
·Optimum Online
| Yeah sure.
The current GMER beta, at »www2.gmer.net/beta, can detect and remove all variants of MBRKit at the moment.
Prevx's "Prevx CSI" can at least detect, and I believe remove, all variants of MBRKit.
A number of other antirootkit tools and AVs have varying levels of detection and removal, depending on variants.
--
QUAD!!!! |
|
mysec
Premium
join:2005-11-29
4 edits | said by Elite :A number of other antirootkit tools and AVs have varying levels of detection and removal, depending on variants.
Also, easy to prevent from installing:
1) Patching
»www.updatexp.com/mebroot.html
Mebroot has been deliberately installed at websites controlled by the criminals and targets those website visitors who have not patched their computers with the latest security updates from Microsoft.
Mebroot Spreading through High-Traffic, Compromised Web Sites
»msmvps.com/blogs/donna/archive/2···tes.aspx
Today the Italian Web site emule-italia.it had been compromised and was hosting an obfuscated script. The script, when deobfuscated, was showing an iframe pointing to ... which was redirecting users to a server hosting the Neosploit tool. Neosploit is forcing vulnerable PCs to download and install the latest version of the infamous Trojan.Mebroot.
2) White List Protection for Zero-day exploits
Ongoing IFrame attack proving difficult to kill
http://arstechnica.com/news.ars/post/20080318-ongoing-iframe-attack-proving-difficult-to-kill.html
Over the past 12 days, an IFrame injection attack that originally focused on ZDNet Asia has been spreading across the 'Net, changing targets and payloads on an almost daily basis. An iFrame (short for inline frame) is an element of HTML that's used to embed HTML from another source into a webpage.
from 2006
___________________________________________________
___________________________________________________
___________________________________________________
----
rich |
|
Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON | reply to antdude
I haven't seen a BIOS lately that doesn't have MBR protection.
It warns you when somebody is trying to overwrite MBR. Just make sure it's on. |
|
kpatz
MY HEAD A SPLODE
Premium
join:2003-06-13
Manchester, NH
| reply to antdude
I can see MBR rootkits taking hold, as a launch point for the malware once installed. But MBR viruses, not too likely anymore, since people don't tote floppies around anymore.
I suppose a MBR/boot virus could spread via USB drives, but that assumes the BIOS is set/capable to boot from such a drive before the hard drive.
It should be easy enough to defeat, between BIOS MBR protection, and kernel-level MBR protection in the OS.
--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK. |
|
redwolfe_98
join:2001-06-11
2 edits | reply to antdude
uhg! nevermind.. another "stupid" "april fools".. |
|
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
| said by redwolfe_98 :uhg! nevermind.. another "stupid" "april fools".. What was the prank about? |
|
redwolfe_98
join:2001-06-11
·RoadRunner Cable
3 edits | "What was the prank about?"
i was going to post about a "new" MBR trojan that i read about on the f-secure blog, but then i realized that it was an "april fools":
»www.f-secure.com/weblog/archives···411.html
 |
|
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
| said by redwolfe_98 :"What was the prank about?" i was going to post about a "new" MBR trojan that i read about on the f-secure blog, but then i realized that it was an "april fools": » www.f-secure.com/weblog/archives···411.html Hahaha. The part after the screen shot was funny. Before it looked legit.
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer |
|
