Best ways to protect the MBR

Discussion in 'other anti-malware software' started by Blue Ring, Aug 7, 2009.

Thread Status:
Not open for further replies.
  1. Blue Ring
    Blue Ring Registered Member

    I'm looking for either a list of security apps or other techniques that can be used to protect the MBR (on xp/vista).

    It would be really nice if there is some app or way to prevent anything being able to write to the MBR or make any changes to it, is this possible?

    I'm not looking for a program that will only detect viruses in the MBR, but any kind of changes made as well.

    I'm hoping to prevent anyone from tampering with the MBR on this pc, even when/if they could obtain physical access to this machine.

    Ok, maybe in the case of physical access I wouldn't be able to do that much to protect the MBR, but in that case some kind of warning after the fact that the MBR has been tampered with or changed would be nice. Well, maybe nothing is 100 percent, but I'm hoping to get as good protection for the MBR as I can.

    This is related to the problem with TrueCrypt full disk encryption being able to be bypassed, discussed already on the forums here, but also against other bypass/infection techniques too.

    Thanks very much for help in this area.
  2. jmonge
    jmonge Registered Member

  3. HKEY1952
    HKEY1952 Registered Member

    01)- Configure the system BIOS to enable system password protection
    02)- Configure the system BIOS to disable floppy disk booting and cd-booting or change the order of the boot process to hard drive first


    HKEY1952
  4. Blue Ring
    Blue Ring Registered Member

    Thanks for the tips HKEY1952. I guess that would deter a less persistent and determined attacker, but still useful in most cases I would think.

    Ok, so MD can protect the MBR. That's good to know. Thanks jmonge.

    I'm more than interested in any additional ways to protect the MBR, if anyone knows.

    Thanks.
  5. Creer
    Creer Registered Member

    Hope this helps:
    http://malwaretestlab.com/more.aspx?entry=25
  6. Julian
    Julian Registered Member

    I would choose a strong HIPS like Malware Defender, Online Armor or Kaspersky to protect the MBR. They are the hardest type of program to crack for attackers.
  7. Blue Ring
    Blue Ring Registered Member

    Thanks for the info Creer. Very interesting tests. I wonder which of the apps tested will warn you when writing is taking place to the MBR and which just warn after the fact, as opposed to any changes to the MBR which may not be due to a detected virus. I was hoping for an app that could block any changes to the MBR, virus related or not, that way even a new or unknown virus could be blocked.

    Thanks for your comments Julian_evil. All good programs no doubt. I'm hoping to find out more about each of the three you mentioned and in what way exactly each of them protects against changes made to the MBR, as I mentioned above in my comments to Creer.

    I wonder if any of these programs (mainly Malware Defender & Online Armor) could protect your pc if it was powered down though. As in someone gets hold of your computer and connects a 2nd pc to yours and then adds, for example, the Stoned boot loader virus that way.

    I suppose the excellent recommendation by HKEY1952 to add the BIOS password could help prevent this type of attack, well at least I think it would. But from what I've read it's not too difficult to get by a BIOS password, if one is persistent enough. And if a highly skilled hacker, it would probably be almost easy. :(
  8. Kees1958
    Kees1958 Registered Member

    Search for MBR Guard in the what is Appguard thread.
  9. Johnny123
    Johnny123 Registered Member

    If someone has physical access to your computer, probably what HKEY1952 posted.

    Otherwise just don't run as admin. This advice is not real popular with the Sandbox and HIPS trolls here, but it works.
  10. Blue Ring
    Blue Ring Registered Member

    Thanks for the recommendation of MBR Guard Kees1958, I'll look into that.

    Ok thanks Johnny123. So you're saying running in a limited account will prevent others from being able to fool with the MBR? And just hope that whoever might have physical access to my pc and try to install an MBR virus would give up at the sign of the BIOS password prompt? I hope they aren't aware that bypassing a BIOS password isn't too difficult. :ninja: But yeah, I guess if I was extra paranoid I would get a computer security cage also. :D

    I guess it just comes down to how knowledgeable and skilled a hacker I'm dealing with. Maybe many people would just give up after seeing a BIOS password prompt and a few guesses later. I hope so.

    At any rate, I'm not completely paranoid about this stuff but it still is interesting to know the best ways to protect yourself against these kinds of things.
  11. pbw3
    pbw3 Registered Member

  12. Johnny123
    Johnny123 Registered Member

    It might depend on how strong your password is. If you choose your dog's name for the password, it might not be too difficult to guess :). I suppose someone could also reset your BIOS with the jumper, but you could put a lock on the case. This, however, would only slow down someone determined to get your data.

    OTOH, if you really think these situations are a possibility, you might want to consider installing a bank vault in your house to store your computer :).
  13. MrBrian
    MrBrian Registered Member

    I use MBRtool from a bootable floppy to backup and periodically verify that the MBR hasn't changed. MBRtool can also restore the MBR.
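MrBrian's backup-and-verify approach, as an added example that is not from the thread and is not MBRtool's code: a Python script that hashes the bootstrap-code region and the partition-table region of the 512-byte MBR separately, keeps the digests as a baseline, and later reports which region changed (a change confined to the partition table usually has an innocent explanation; a change in the bootstrap code rarely does). The device paths in `read_mbr` are the usual raw-disk names and need an elevated process; the MBR produced by `build_sample_mbr` is constructed here so the check runs without touching a real disk.

```python
"""Baseline-and-verify check for the MBR (first 512 bytes of a disk)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 446           # bytes 0..445: bootstrap code
PART_TABLE_END = 510          # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

# Regions hashed separately so a report can say *what* changed.
REGIONS = {
    "boot_code": (0, BOOT_CODE_END),
    "partition_table": (BOOT_CODE_END, PART_TABLE_END),
}


def read_mbr(device_path):
    """Read the raw MBR from a block device, e.g. r"\\.\PhysicalDrive0" on
    Windows (elevated process) or "/dev/sda" on Linux (root)."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def region_digests(mbr):
    """SHA-256 of each MBR region, after a sanity check on size and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    if mbr[PART_TABLE_END:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    return {name: hashlib.sha256(mbr[lo:hi]).hexdigest()
            for name, (lo, hi) in REGIONS.items()}


def parse_partition_table(mbr):
    """Decode the used partition entries: status byte, type, start LBA, sector count
    (the CHS fields at offsets 1-3 and 5-7 of each entry are skipped)."""
    entries = []
    for i in range(4):
        off = BOOT_CODE_END + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def changed_regions(baseline, mbr):
    """Names of the regions whose digest no longer matches the stored baseline."""
    current = region_digests(mbr)
    return [name for name in REGIONS if current[name] != baseline[name]]


def build_sample_mbr():
    """Constructed stand-in for a real MBR: placeholder boot code, one bootable
    type-0x07 partition starting at LBA 63, three empty entries, 0x55AA."""
    boot_code = b"\xeb\x3c\x90CONSTRUCTED-BOOT-CODE".ljust(BOOT_CODE_END, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2_000_000)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    # Day 1: take the baseline (on a real machine: region_digests(read_mbr(path))).
    baseline = region_digests(build_sample_mbr())
    print("partitions:", parse_partition_table(build_sample_mbr()))
    # Later: re-read and compare. Here a byte in the bootstrap code is flipped
    # to show what a write to that region looks like in the report.
    later = bytearray(build_sample_mbr())
    later[10] ^= 0xFF
    print("changed regions:", changed_regions(baseline, bytes(later)))  # ['boot_code']
```

Store the baseline digests somewhere the running system cannot quietly rewrite (the bootable floppy or USB stick used for the check, as MrBrian does), since a baseline kept on the same disk is only as trustworthy as that disk.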
  14. Blue Ring
    Blue Ring Registered Member

    @ pbw3

    Thanks for the links. Some real good info in those threads. :)

    @ Johnny123

    Actually I was thinking of renting an old bank vault and working out of that in the future. After all that would be far more secure, don't you think? Maybe an old fallout shelter would work too. I don't know what do you think? :D

    But seriously, seeing how many ways there are to get past a BIOS password, it seems almost a waste to use one. I do like them but if someone really wants to they can just open your computer case and remove the CMOS battery and 'poof' no more BIOS password. Or they could just remove your HD and slave it to another computer to get what they want. Or perhaps a BIOS backdoor password would fit the bill. There are just too many easy ways to get by a BIOS password that guessing is pretty much left to the n00bs. ;)

    Of course what I'm discussing here is all just for informational purposes and I don't think Big B is out to get me or aliens came half way across the universe to do a mind probe on me to capture my BIOS password lol. :D :D

    @ MrBrian

    Thanks for the recommendation but after looking into this tool it seems a little advanced for me. I don't want to screw up my computer and as I'm sure you're well aware those who fool with the MBR and don't know exactly what they're doing are just asking for big trouble.
  15. HKEY1952
    HKEY1952 Registered Member

    Actually no, the BIOS and CMOS settings, including the System Password, are stored in nonvolatile memory, except for the Time.


    HKEY1952
  16. Blue Ring
    Blue Ring Registered Member

    Well I just tested it on an XP machine, because I've always heard that removing the CMOS battery will cause the BIOS password to vanish. And it did remove the passwords, both the Supervisor and User passwords.

    After setting the passwords in the BIOS and then testing to make sure they worked, I removed the CMOS battery for 15 to 30 mins. I then replaced the CMOS battery and rebooted. I got no password prompt and Windows let me boot back into XP with no problems, except upon the very first boot only I got some message about CMOS battery failed and I need to press F1 to continue. But absolutely no other problems.

    So the BIOS password was very very easy to bypass, as I've always heard.

    I tried removing the battery once for 15 to 30 mins and then a 2nd time for as little as five minutes and each time same result.

    Of course if you're dealing with someone who doesn't know this, it may help protect you.

    Also, you would know that the password had been bypassed by someone when you next went to use the machine. That is if someone did this behind your back while you weren't present.

    So still could have some use, but minimal at best.
  17. Johnny123
    Johnny123 Registered Member

    I'd go with the fallout shelter now that you mention it. This would also eliminate the need for a tin-foil hat and thus kill two birds with one stone. :D
  18. Blue Ring
    Blue Ring Registered Member

    Forget the tinfoil hat, here's what we wear. http://www.meredy.com/lis03.jpg A tinfoil suit! That's me on the far right and my wife right next to me with the blonde hair followed by my daughter. The man standing on the far left is my brother with his wife and son.

    I'm not sure who that weird looking guy is behind my daughter. We think he is a telepathic projection of a hacker who works for the Federation of intergalactic BIOS password stealing aliens who has been trying to break into my laptop pc for the past five years to steal my BIOS password. Either that or he's my uncle Dave.

    Oh, and that's our anti BIOS password stealing robot in the middle. It will detect the thoughts of anyone up to 2 miles from our house who may have the intention of stealing our BIOS password, and can be hooked up to our PCs for a realtime anti BIOS password stealing firewall that will prevent any hackers, alien or otherwise, from acquiring our password from over the internet.

    My brother and I built it with the alien technology that he recovered from crashed ufo parts that his dog dug up in the back yard. :D :D :D
  19. pbw3
    pbw3 Registered Member

    LOL...:)
    ..good start to the morning..!!
    Last edited: Aug 13, 2009
  20. Windchild
    Windchild Registered Member

    Fallout shelters are always a good idea. They're good for "security", of course, but also really handy places for hosting "parties" that might otherwise make too much noise and make your fellow humans call the police to shut you down. :D

    Best ways to protect the MBR? Physical security, and limited user accounts. "Best", as in easiest, cheapest, and really effective.
  21. Johnny123
    Johnny123 Registered Member

    I agree, but as you've also discovered, this isn't a very popular opinion here. There are no kernel hooks, you don't have to spend three weeks trying to configure it and you don't have to figure out the right order of installation with the other 8 security applications ("layered approach") to keep it from choking.

    Besides that, as we now know from Franklin, Real Men don't eat quiche (or use limited accounts).
  22. pegr
    pegr Registered Member

    The last time I tried to restore the MBR from an Acronis True Image backup, I forgot to temporarily disable Prevx 3.0 (paid) first and Prevx detected and blocked the attempt to change the MBR.

    Whether or not it would ever be possible for the MBR to be changed without Prevx detecting and blocking the change I can't say though, as I don't do any testing using live malware.
  23. PROROOTECT
    PROROOTECT Registered Member

    * To detect and remove the latest variant of MBR rootkit, please use the MBR rootkit detector mbr.exe, latest version (link at the bottom of the page) here: http://www2.gmer.net/mbr/ or here: http://www.gmer.net/

    *Also use USEC Radix - Free Antirootkit from usec.at (look for MBR tab) here: http://www.usec.at/rootkit.html

    * AVIRA AntiVir Personal (Free) scans Master Boot Sectors: http://www.free-av.com/en/download/download_servers.php
    My disc is write-protected by AntiVir, and real-time protection is enabled.

    * I have also other protectors in real-time: look to my Signature, please.

    * I make the backup.


    PROROOTECT
  24. Johnny123
    Johnny123 Registered Member

    You could also just run the recovery console and type fixmbr or start from a Win98 boot floppy and run fdisk /mbr to get rid of the rootkit.

    Since the topic of LUA is being discussed (and mostly maligned) in a couple of threads right now, not running as admin would also prevent getting this rootkit to start with. Prevention is the best cure.