Vista Can Handle MS-DOS Era, 10-Year-Old Master Boot Record Threats
section: windows, for your questions: KezNews forum, 11.1.2008
All Windows Vista users can take a sigh of relief. Microsoft has confirmed that its latest iteration of the Windows client is more than capable of handling 10-year-old threats focused on the Master Boot Record, dating back to the MS-DOS era.
Trojan.Mebroot (as it was labeled by Symantec) is a rootkit detected in the wild that is aimed at the Master Boot Record (MBR). According to the Cupertino-based security company, Windows XP, Windows Vista, Windows Server 2003 and Windows 2000 are all at risk of infection.
"An MBR is the first sector of a storage device such as a hard disk, and is generally used for bootstrapping the operating system after the computer's BIOS has done its startup checks. Basically, if you can control the MBR, you can control the operating system and therefore the computer it resides on. MBR-based attacks have been around since the MS-DOS era. Viruses such as Stoned, Michelangelo, Junkie and Tequila used this technique to infect systems, and it is quite incredible to see that almost ten years later, we are again facing attacks on the MBR", explained Elia Florio, Symantec Security Response Engineer.
Proof-of-concept rootkits, such as "BootRoot" (from Soeder of eEye Digital Security) and "Vbootkit" (from Nitin and Vipin Kumar of NVLabs), are illustrative examples of how malicious code can modify the MBR in order to take over the Windows operating system, Vista included. Trojan.Mebroot, however, is not a PoC by any means, but an actual threat based on the "BootRoot" PoC, altered so that it loads a stealth back door Trojan horse and compromises the operating system. The main danger lies in the way the Windows platform allows applications to overwrite disk sectors from user mode. Vista is vulnerable to such an attack, but only if the user runs the operating system with full administrative privileges, i.e. with User Account Control completely disabled.
"To open a disk for raw disk access (i.e. the method by which you can write to a raw disk sector) requires admin rights. If you run as non-admin or are on Vista with UAC this malware won't be able to modify your MBR. To fix a modified MBR you can use the Windows Recovery Console and use the 'fixmbr' command. You boot the recovery console by using your Windows CD / DVD. So the fact that this malware doesn't use any registry based ASEPs, is actually a pretty big weakness - it makes it easier to defeat", explained Robert Hensing, Microsoft Security Software Engineer.
source:
news.softpedia.com
Comments(4)
some of us "infect" our mbr's on purpose! ;)
i'll second that.
that's a very interesting threat, cos a friend of mine asked me how to destroy her vista on her tattooed laptop to go back to xp :d
some of us "infect" our mbr's on purpose! ;)
very funny, but on reflection not so funny: there are a lot of programs that modify the mbr legitimately, such as third party boot loaders, linux dual boot systems and some old copy protection systems. if microsoft stops the mbr from being modified in sp1 to defeat the vista boot hack then perhaps microsoft could be sued for anticompetitive practises. many bios have anti-virus protection that prevents the mbr from being changed, so i don't see the need for microsoft to stop the mbr from being changed in sp1 unless it is to temporarily defeat the vista boot hack.
I like my SLIC MBR "Virus"
By Itsame on 11.01.2008 - 21:01