"The installer will install the bootkit on any hard disk that has a MBR boot partition, regardless of the specific type of hard drive. However, if the partition uses the GUID Partition Table disk architecture, as opposed to the MBR partitioning scheme, the malware will not continue with the installation process."
It's a MBR attack and the modern Windows systems aren't typically MBR anymore.
I don't know about you but my primary system disk is an SSD, which is far less than 2 TB... Guess what kind of partition it is (and guess which one it came with)?
I've found AOEMEI (?) to be good for converting other partitions from MBR to GPT but their shareware version won't do boot partitions without paying ;)
Windows will not boot in UEFI mode if the partition table is of MBR kind. One must manually enable the BIOS legacy mode, hence the comment on modern Windows systems (younger than 4 years, say).
It's also not compatible with GPT, so even if you have Secure Boot disabled but you're using GPT, it won't work. And for some reason it requires the .NET framework installed for it to work.
Come on, bootkits are hardly new. You can detect them by just like you'd detect a rootkit, as they rather rarely cover each and every system API that can reveal its presence, and you remove them by firdt booting into an alternative OS, which most AV vendors provide.
For malware to be really tricky to remove you'd have to start infecting hardware firmware like BIOS or harddrive controllers, like IRATEMONK or IRONCHEF from NSA TAO do.
Bigger problem is at least two of the more well known AV solutions are badware. My enemy #1 in this regard is McAfee, but recently (front page now) Avast seems to have upped their game considerably.
According to stopbadware.org a badware is a "[...] software that fundamentally disregards a user’s choice about how his or her computer or network connection will be used."
I think op meant in a more general sense they are bad at what they are marketted to do because the cost of using the software (user/admin experience, not money) is starting to outweigh the pros of using the software (gets rid of viruses et al).
Hm. I do have a candidate fitting this description. "But of course you want to update to W*s Nein, even though you have declined the popups, disabled the GWX Clippy abomination and disabled the specific updates; I will kindly reenable all of that for you. Oh, and I'll also suck down 6 gigs of install data, it's not like you are using your metered pipe for anything useful anyway. Admit that you want it."
3,2,1.... SecureBoot? I sure hope not. As with terrorism, the problem is not removing the owner from the equation any more than is removing privacy everywhere (or encryption without backdoors, or computers without rootkits... lots of parallels there), because "terrorism".
If we can wade through the power-grabs and social-engineering disguised as erudite commentary and philosophizing (similar to that surrounding national security), increasing transparency and user control remains the answer. Any software can have flaws, but software you can't fix because it's locked into hardware is worse. Worse yet is hardware that turns a computer into an single-purpose (flaws-and-all) appliance.
Any bootloader relies on a chain of trust. If the on-disk (OS) portion of that fails (incidentally, the biggest attack surface) and is vulnerable (likely - proprietary software can be fuzzed like any other), then the hardware-linked protection is at best annoying to the actual hardware owner.
In that sense, SecureBoot is actually an inversion of good security principles, which dictate simplicity and accountability/openness. The better place for signed loader verification is in the on-disk bootloader stub. If the OS were perfect, this would be enough too, but at least it is patchable (and the OS is re-installable) when it isn't.
A computer that can't be re-installed when you brick it is expensive garbage that was at best constraining while it even worked.
FOSDEM 2013 had a worthy social and technical overview of UEFI and SecureBoot I enjoyed:
Many Secure Boot implementations let you load your own keys. The "removing the owner from the equation" thing is not an issue with Secure Boot, but with particular manufacturers.
> The better place for signed loader verification is in the on-disk bootloader stub.
That is already part of the Secure Boot. But who verifies the bootloader stub? The point is that you can't trust anything on the disk.
> Any bootloader relies on a chain of trust. If the on-disk (OS) portion of that fails (incidentally, the biggest attack surface) and is vulnerable (likely - proprietary software can be fuzzed like any other), then the hardware-linked protection is at best annoying to the actual hardware owner.
Firmware verifies the (on-disk) bootloader, bootloader verifies the kernel, kernel verifies the drivers, and so on. The chain of trust is there.
> The point is that you can't trust anything on the disk.
But the disk is where my choice of software lives. I trust my choice of software, by definition. I don't want to be removed from that equation any more than I want someone else sleeping with my wife.
If I don't trust my (current) on-disk bootloader, the appropriate thing to do is clean it and put something I do trust in its place. If I wake up hearing a noise, I check my house for intruders - I don't lock myself out and throw away the keys.
The reality is that any chain of trust has to start somewhere. It should start in the place I have the most control: on physically-removable, writable media.
I don't, but if I am in doubt, I can replace the disk. The alternative is worse - I have to replace the whole system. It is fascinating to watch such subtle abuses of language ploddingly erode our free(ish) societies from the inside out, when secure is obviously "newspeak" for centralized. Even technologically-literate people are clearly willing to buy the logic that "well, you might get an STD by having sex... therefore, let this small group of condom manufactures move in and have sex with your wife, in your place, for your protection."
We can't outsource confidence. It doesn't help improve my self-esteem to watch someone else live my life, and it doesn't work to fight "the terrorists" to let someone else make me safe (for some definition of "safe", that I can seemingly no longer contribute to) - but that all seems to be beside the point. :(
Please allow for the possibility that the word "secure" is no more than an attempt by a company (Microsoft) to leverage your fears and co-opt your natural pursuit of safety in order to help make a consumer-restricting technology appear to be a feature. Would you have as much faith in the technology under a different name? Perhaps: MicrosoftBoot (implying it could only boot a Microsoft OS, or the specific version of Windows your PC came with)?
(In a sense, dropping TLS is the correct response... In the sense, of not using the limited set of services. The corresponding response here is to not buy PCs with SecureBoot present in any imposing way, which may mean boycotting "modern" computers that are no longer general, user-controlled, devices if, in the future, they all are locked to Microsoft out of the box.)
A competent repair shop will do what they've done since the late 90s and pull the HDD from the computer, hook it up to a second computer and scan it. Not much is "undetectable" when you do that.
Yup. This is one of the oldest classes of malware (second only to the Great Worm), back when they were called "viruses" and travelled in floppy disks' MBRs.
Looks like ExtremeTech is using some kind of adblock detection/injection suite to inject ads, despite adblocker rules, after the page is already loaded.
Quite ironic, considering that I classify attempting to work around client software like uBlock, just as shady of a tactic as boot sector malware.
You equate a site trying to compensate themselves by showing you an AD you should be seeing for viewing their content with someone creating a program that maliciously alters your computer and can take control of it? Seriously? Would you like to retract that statement as hyperbole or are you still wanting to stand by it?
I had one of these 2-3 years ago, it was pretty amazing to be honest. I hadn't gotten a virus in so long I was impressed at how much they'd stepped up their game.
Even fdisk /mbr from a windows bootdisk wouldn't get it. So I installed Linux and it STILL tried to f'ing load. Had to dd the whole mbr from a live linux disk. That worked. My next step would have been mounting it as a secondary drive on another computer.
So this isn't remotely "new" either. It's what I get for wanting to evaluate a video game before buying.
41 comments
[ 0.26 ms ] story [ 87.2 ms ] threadIt's a MBR attack and the modern Windows systems aren't typically MBR anymore.
I've found AOEMEI (?) to be good for converting other partitions from MBR to GPT but their shareware version won't do boot partitions without paying ;)
a trusted boot chain means you can't put malware at the start without a much more sophisticated attack than this.
For malware to be really tricky to remove you'd have to start infecting hardware firmware like BIOS or harddrive controllers, like IRATEMONK or IRONCHEF from NSA TAO do.
http://www.zdnet.com/article/hacker-demos-persistent-mac-key...
Or Thunderstrike ?
http://www.zdnet.com/article/macs-vulnerable-to-virtually-un...
According to stopbadware.org a badware is a "[...] software that fundamentally disregards a user’s choice about how his or her computer or network connection will be used."
This in addition to causing general issues. (On at least two occasions have I fixed what weird computer problems just by removing McAfee.)
Oh, and yes: scammy click-by-installers when you try to install other software.
If we can wade through the power-grabs and social-engineering disguised as erudite commentary and philosophizing (similar to that surrounding national security), increasing transparency and user control remains the answer. Any software can have flaws, but software you can't fix because it's locked into hardware is worse. Worse yet is hardware that turns a computer into an single-purpose (flaws-and-all) appliance.
Any bootloader relies on a chain of trust. If the on-disk (OS) portion of that fails (incidentally, the biggest attack surface) and is vulnerable (likely - proprietary software can be fuzzed like any other), then the hardware-linked protection is at best annoying to the actual hardware owner.
In that sense, SecureBoot is actually an inversion of good security principles, which dictate simplicity and accountability/openness. The better place for signed loader verification is in the on-disk bootloader stub. If the OS were perfect, this would be enough too, but at least it is patchable (and the OS is re-installable) when it isn't.
A computer that can't be re-installed when you brick it is expensive garbage that was at best constraining while it even worked.
FOSDEM 2013 had a worthy social and technical overview of UEFI and SecureBoot I enjoyed:
https://www.youtube.com/watch?v=NsoXFvGiAas
> The better place for signed loader verification is in the on-disk bootloader stub.
That is already part of the Secure Boot. But who verifies the bootloader stub? The point is that you can't trust anything on the disk.
> Any bootloader relies on a chain of trust. If the on-disk (OS) portion of that fails (incidentally, the biggest attack surface) and is vulnerable (likely - proprietary software can be fuzzed like any other), then the hardware-linked protection is at best annoying to the actual hardware owner.
Firmware verifies the (on-disk) bootloader, bootloader verifies the kernel, kernel verifies the drivers, and so on. The chain of trust is there.
But the disk is where my choice of software lives. I trust my choice of software, by definition. I don't want to be removed from that equation any more than I want someone else sleeping with my wife.
If I don't trust my (current) on-disk bootloader, the appropriate thing to do is clean it and put something I do trust in its place. If I wake up hearing a noise, I check my house for intruders - I don't lock myself out and throw away the keys.
The reality is that any chain of trust has to start somewhere. It should start in the place I have the most control: on physically-removable, writable media.
Same goes for malware on most PC operating systems does it not? How can you know the disk has not been silently compromised?
We can't outsource confidence. It doesn't help improve my self-esteem to watch someone else live my life, and it doesn't work to fight "the terrorists" to let someone else make me safe (for some definition of "safe", that I can seemingly no longer contribute to) - but that all seems to be beside the point. :(
And there is no promise that this will not change.
Might as well ditch TLS since soon you'll only be able to get certs for government approved content.
(In a sense, dropping TLS is the correct response... In the sense, of not using the limited set of services. The corresponding response here is to not buy PCs with SecureBoot present in any imposing way, which may mean boycotting "modern" computers that are no longer general, user-controlled, devices if, in the future, they all are locked to Microsoft out of the box.)
Early 1990s nostalgia strikes back ;)
http://www.wired.com/2015/02/nsa-firmware-hacking/
Quite ironic, considering that I classify attempting to work around client software like uBlock, just as shady of a tactic as boot sector malware.
Additional reloads just have a large gray element taking up 20% of my viewing area.
Even fdisk /mbr from a windows bootdisk wouldn't get it. So I installed Linux and it STILL tried to f'ing load. Had to dd the whole mbr from a live linux disk. That worked. My next step would have been mounting it as a secondary drive on another computer.
So this isn't remotely "new" either. It's what I get for wanting to evaluate a video game before buying.