
New PC malware loads before Windows, is virtually impossible to detect - walterbell
http://www.extremetech.com/computing/219027-new-pc-malware-loads-before-windows-is-virtually-impossible-to-detect?mailing_id=1524318&mailing=ExtremeTech&mailingID=D019A13C4B613C0E860C7EA8741CF8F6
======
wmt
Come on, bootkits are hardly new. You can detect them just like you'd
detect a rootkit, as they rather rarely cover each and every system API that
can reveal its presence, and you remove them by first booting into an
alternative OS, which most AV vendors provide.

For malware to be really tricky to remove you'd have to start infecting
hardware firmware like BIOS or harddrive controllers, like IRATEMONK or
IRONCHEF from NSA TAO do.

~~~
SixSigma
Remember the rootkit that lived in Mac keyboards?

[http://www.zdnet.com/article/hacker-demos-persistent-mac-keyboard-attack/](http://www.zdnet.com/article/hacker-demos-persistent-mac-keyboard-attack/)

Or Thunderstrike?

[http://www.zdnet.com/article/macs-vulnerable-to-virtually-undetectable-virus-that-cant-be-removed/](http://www.zdnet.com/article/macs-vulnerable-to-virtually-undetectable-virus-that-cant-be-removed/)

------
voltagex_
[https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html](https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html) - it's an MBR (UEFI?) virus.
"New", but not new.

~~~
acqq
"The installer will install the bootkit on any hard disk that has a MBR boot
partition, regardless of the specific type of hard drive. However, if the
partition uses the GUID Partition Table disk architecture, as opposed to the
MBR partitioning scheme, the malware will not continue with the installation
process."

It's an MBR attack and the modern Windows systems aren't typically MBR anymore.

~~~
waspleg
I don't know about you but my primary system disk is an SSD, which is far less
than 2 TB... Guess what kind of partition it is (and guess which one it came
with)?

I've found AOEMEI (?) to be good for converting other partitions from MBR to
GPT but their shareware version won't do boot partitions without paying ;)

~~~
baghira
Windows will not boot in UEFI mode if the partition table is of MBR kind. One
must manually enable the BIOS legacy mode, hence the comment on modern Windows
systems (younger than 4 years, say).

------
reitanqild
Bigger problem is at least two of the more well known AV solutions are
badware. My enemy #1 in this regard is McAfee, but recently (front page now)
Avast seems to have upped their game considerably.

~~~
jmnicolas
Can you expand a bit on this?

According to stopbadware.org a badware is a "[...] software that fundamentally
disregards a user’s choice about how his or her computer or network connection
will be used."

~~~
Piskvorrr
Hm. I do have a candidate fitting this description. "But _of course_ you want
to update to W __ __*s Nein, even though you have declined the popups,
disabled the GWX Clippy abomination and disabled the specific updates; I will
kindly reenable all of that for you. Oh, and I'll also suck down 6 gigs of
install data, it's not like you are using your metered pipe for anything
useful anyway. Admit that you want it."

------
iolothebard
I had one of these 2-3 years ago; it was pretty amazing, to be honest. I hadn't
gotten a virus in so long I was impressed at how much they'd stepped up their
game.

Even fdisk /mbr from a windows bootdisk wouldn't get it. So I installed Linux
and it STILL tried to f'ing load. Had to dd the whole mbr from a live linux
disk. That worked. My next step would have been mounting it as a secondary
drive on another computer.

So this isn't remotely "new" either. It's what I get for wanting to evaluate a
video game before buying.

~~~
nunodonato
that's why I "evaluate my games before buying" under WINE in linux :P (of
course, not all of them run...)

~~~
eugenekolo2
Why not "evaluate" them under a VM instead? Seems a lot more likely to
actually work...

------
Shank
Looks like ExtremeTech is using some kind of adblock detection/injection suite
to inject ads, despite adblocker rules, after the page is already loaded.

Quite ironic, considering that I classify attempting to work around client
software like uBlock, just as shady of a tactic as boot sector malware.

~~~
MrRage
I'm using only Ghostery, and I did not see any ads. Perhaps it stops such code
from running?

~~~
undersuit
An ad for Intel popped up on my first load with Ghostery.

Additional reloads just have a large gray element taking up 20% of my viewing
area.

------
lunixbochs
this is not as scary as it sounds, because of that "annoying" uefi secure boot
that ships by default on oem windows machines these days.

a trusted boot chain means you can't put malware at the start without a much
more sophisticated attack than this.

~~~
mtgx
It's also not compatible with GPT, so even if you have Secure Boot disabled
but you're using GPT, it won't work. And for some reason it requires the .NET
framework installed for it to work.

------
9jnjiavh
3,2,1.... SecureBoot? I sure hope not. As with terrorism, the problem is not
removing the owner from the equation any more than is removing privacy
everywhere (or encryption without backdoors, or computers without rootkits...
lots of parallels there), because "terrorism".

If we can wade through the power-grabs and social-engineering disguised as
erudite commentary and philosophizing (similar to that surrounding national
security), increasing transparency and user control remains the answer. Any
software can have flaws, but software you can't fix because it's locked into
hardware is worse. Worse yet is hardware that turns a computer into a
single-purpose (flaws-and-all) appliance.

Any bootloader relies on a chain of trust. If the on-disk (OS) portion of that
fails (incidentally, the biggest attack surface) and is vulnerable (likely -
proprietary software can be fuzzed like any other), then the hardware-linked
protection is at best annoying to the actual hardware owner.

In that sense, SecureBoot is actually an inversion of good security
principles, which dictate simplicity and accountability/openness. The better
place for signed loader verification is in the on-disk bootloader stub. If the
OS were perfect, this would be enough too, but at least it is patchable (and
the OS is re-installable) when it isn't.

A computer that can't be re-installed when you brick it is expensive garbage
that was at best constraining while it even worked.

FOSDEM 2013 had a worthy social and technical overview of UEFI and SecureBoot
I enjoyed:

[https://www.youtube.com/watch?v=NsoXFvGiAas](https://www.youtube.com/watch?v=NsoXFvGiAas)

~~~
_yy
Many Secure Boot implementations let you load your own keys. The "removing the
owner from the equation" thing is not an issue with Secure Boot, but with
particular manufacturers.

> The better place for signed loader verification is in the on-disk bootloader
> stub.

That is already part of the Secure Boot. But who verifies the bootloader stub?
The point is that you can't trust anything on the disk.

> Any bootloader relies on a chain of trust. If the on-disk (OS) portion of
> that fails (incidentally, the biggest attack surface) and is vulnerable
> (likely - proprietary software can be fuzzed like any other), then the
> hardware-linked protection is at best annoying to the actual hardware owner.

Firmware verifies the (on-disk) bootloader, bootloader verifies the kernel,
kernel verifies the drivers, and so on. The chain of trust is there.
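To make the "who verifies the bootloader stub?" point concrete, here is an added Python model that is not part of the thread. It stands in for signature checks with embedded SHA-256 hashes (a simplification; real Secure Boot verifies signatures against keys held in firmware variables), and the stage contents are constructed placeholders. The model shows why the anchor has to sit outside the disk: an attacker who can rewrite everything on disk can make the chain self-consistent again, and only a check rooted in firmware catches that.

```python
import hashlib

NEXT_MARKER = b"\n#NEXT="


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_chain(bodies):
    """Link stages back-to-front: each stage = body + hash of the stage after it.
    Returns (root_hash, stages); root_hash is what the anchor must store."""
    stages = []
    next_hash = ""                         # the last stage references nothing
    for body in reversed(bodies):
        stage = body + NEXT_MARKER + next_hash.encode()
        stages.insert(0, stage)
        next_hash = digest(stage)
    return next_hash, stages


def expected_next(stage: bytes) -> str:
    """Hash of the following stage, as embedded in the stage being executed."""
    return stage.rsplit(NEXT_MARKER, 1)[1].decode()


def verify_chain(anchor_hash: str, stages):
    """Walk the chain: the anchor checks stage 0, stage i checks stage i+1.
    Returns the index of the first stage that fails, or None if all pass."""
    expected = anchor_hash
    for i, stage in enumerate(stages):
        if digest(stage) != expected:
            return i
        expected = expected_next(stage)
    return None


def replace_and_relink(bodies, idx, new_body):
    """Attacker with full disk access swaps one stage and rewrites every
    on-disk reference so the chain is self-consistent again."""
    bodies = list(bodies)
    bodies[idx] = new_body
    return build_chain(bodies)


def tamper_in_place(stages, idx, new_body):
    """Attacker swaps one stage's body but leaves the earlier stages alone."""
    stages = list(stages)
    stages[idx] = new_body + NEXT_MARKER + expected_next(stages[idx]).encode()
    return stages


# Constructed stage contents standing in for the real binaries (assumption).
BODIES = [b"bootloader stub v1", b"kernel v1", b"driver v1"]
FIRMWARE_ANCHOR, STAGES = build_chain(BODIES)   # anchor lives in firmware, not on disk

if __name__ == "__main__":
    print("intact:", verify_chain(FIRMWARE_ANCHOR, STAGES))
    disk_anchor, relinked = replace_and_relink(BODIES, 1, b"kernel (tampered)")
    print("relinked, firmware anchor:", verify_chain(FIRMWARE_ANCHOR, relinked))
    print("relinked, anchor stored on disk:", verify_chain(disk_anchor, relinked))
    swapped = tamper_in_place(STAGES, 1, b"kernel (tampered)")
    print("in-place kernel swap:", verify_chain(FIRMWARE_ANCHOR, swapped))
```

Run it and the four cases come out as: intact chain passes; a fully relinked chain fails at stage 0 when the anchor is in firmware (the rewritten bootloader stub no longer matches the stored hash), but passes when the anchor itself lives on disk and was rewritten along with it; an in-place kernel swap is caught by the bootloader at stage 1. That last case is the "bootloader verifies the kernel" step from the comment above, and the middle pair is the reason the first link cannot be on the disk.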

~~~
federico3
> Many Secure Boot implementations let you load your own keys.

And there is no promise that this will not change.

~~~
ryanlol
That's a great reason to get rid of security features!

Might as well ditch TLS since soon you'll only be able to get certs for
government approved content.

~~~
qczfawlvcgt
Please allow for the possibility that the word "secure" is no more than an
attempt by a company (Microsoft) to leverage your fears and co-opt your
natural pursuit of safety in order to help make a consumer-restricting
technology appear to be a feature. Would you have as much faith in the
technology under a different name? Perhaps: MicrosoftBoot (implying it could
only boot a Microsoft OS, or the specific version of Windows your PC came
with)?

(In a sense, dropping TLS is the correct response... in the sense of not
using the limited set of services. The corresponding response here is to not
buy PCs with SecureBoot present in any imposing way, which may mean boycotting
"modern" computers that are no longer general, user-controlled, devices if, in
the future, they all are locked to Microsoft out of the box.)

------
__sxp__
Bootsector viruses, they are back. Nothing new.

------
empressplay
A competent repair shop will do what they've done since the late 90s and pull
the HDD from the computer, hook it up to a second computer and scan it. Not
much is "undetectable" when you do that.
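As an added example that is not from the thread, here is the kind of offline check a repair shop can run once the disk is attached to a second machine, covering both the "MBR versus GPT" distinction quoted earlier (acqq's comment) and the scan described above. It parses sector 0, tells a classic MBR from the protective MBR a GPT disk carries (partition type 0xEE), and compares a SHA-256 of the bootstrap code against a hash recorded from a known-clean image. The sample sectors, the stub bytes and the baseline hash are all constructed for the demo; the partition-entry layout and the 0x55AA signature are the standard MBR format.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440         # bytes 0..439 hold the bootstrap code
PART_TABLE_OFF = 446        # four 16-byte partition entries follow
GPT_PROTECTIVE_TYPE = 0xEE  # partition type used by a GPT protective MBR
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Classify sector 0 as classic MBR, GPT protective MBR, or no MBR at all."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        return {"scheme": "no-mbr-signature", "partitions": []}
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, entry)
        if ptype == 0:          # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    if any(p["type"] == GPT_PROTECTIVE_TYPE for p in partitions):
        scheme = "gpt-protective-mbr"
    else:
        scheme = "classic-mbr"
    return {"scheme": scheme, "partitions": partitions}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap area only; the partition table and disk
    signature are excluded so legitimate partition edits don't trip the check."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def matches_baseline(sector: bytes, known_good_hash: str) -> bool:
    return boot_code_hash(sector) == known_good_hash


def build_sector(boot_code: bytes, entries) -> bytes:
    """Assemble a constructed sector 0 (demo input, not read from a real disk)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sec = bytearray(SECTOR_SIZE)
    sec[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        sec[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)] = struct.pack(
            ENTRY_FMT, status, ptype, lba, count)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


# Constructed sample data (assumption): a stand-in bootstrap stub, a classic MBR
# disk with one bootable NTFS partition (type 0x07), the same disk with its boot
# code altered, and a GPT disk whose protective entry (0xEE) spans the whole disk.
STUB = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32
CLASSIC = build_sector(STUB, [(0x80, 0x07, 2048, 500_000_000)])
TAMPERED = build_sector(b"\xeb\xfe" + STUB[2:], [(0x80, 0x07, 2048, 500_000_000)])
GPT = build_sector(STUB, [(0x00, 0xEE, 1, 0xFFFFFFFF)])
BASELINE = boot_code_hash(CLASSIC)   # would be recorded from a known-clean image

if __name__ == "__main__":
    for name, sec in (("classic", CLASSIC), ("tampered", TAMPERED), ("gpt", GPT)):
        info = parse_mbr(sec)
        print(name, info["scheme"], "baseline match:", matches_baseline(sec, BASELINE))
```

On a real secondary drive you would feed `parse_mbr` the first 512 bytes read from the raw device (for example `open("/dev/sdb", "rb").read(512)` on Linux, which needs root) and keep baseline hashes per Windows version, since the legitimate bootstrap code differs between releases. Two caveats for the practitioner: the hash only has meaning against a baseline taken before infection, and a GPT disk reports "gpt-protective-mbr" with an unremarkable sector 0 because its boot path lives in the EFI system partition, which this check does not cover.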

~~~
Piskvorrr
Yup. This is one of the oldest classes of malware (second only to the Great
Worm), back when they were called "viruses" and travelled in floppy disks'
MBRs.

Early 1990s nostalgia strikes back ;)

------
zvrba
Secure boot would counteract this?

~~~
tremon
Yes. Your system will simply fail to boot in that case.

------
gokhan
fdisk /mbr

------
dang
Related articles were posted but got no discussion:
[https://news.ycombinator.com/item?id=10691725](https://news.ycombinator.com/item?id=10691725),
[https://news.ycombinator.com/item?id=10691613](https://news.ycombinator.com/item?id=10691613).

