Let's Get Down To Brass Tacks

Discussion in 'other anti-malware software' started by EASTER, Jul 2, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    OK, I've been burning with fury over this ever since Peter2150 got his partition table clobbered with the notorious KillDisk Trojan he tested, and fell into confusion when even his Windows CD and other disks bit the dust against this clever MBR destructor.

    While it's comforting and encouraging news indeed that some security apps are finally making strides to protect the MBR from disasters like these cruel beasts can inflict on a system to render partitions blasted, does anyone else see a need for a small, simple application that need not be implemented into a full-blown program, just in order to prevent the MBR from such vicious attacks, in case they become more numerous somewhere down the line in the near future?

    Although a very useful and needed protection feature, what's the likelihood, do you think, that some developer will take up this issue and fashion a simple program just to address this type of destructive virus? In other words, something that can immediately read and detect that a partition/MBR virus is attempting to write disrupting code to the MBR, and make it so the user can choose to block it before it can reach the MBR table, offering the choice of terminating or at least blocking it before it can reach that code section which is so vitally important to maintaining an uninterruptable intrusion into it?

    Anyone care to share some opinions on this? Short of using SandboxIE or another program that already serves other purposes.

    I don't see that it should be that difficult to put something useful together for this end, and stop these potential disruptors before they can scramble and make a mess of things that, so far, only TestDisk in my experience has been able to restore an infected partition table/MBR from.

    Thanks, and looking forward to some of your own opinions on this.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You used to have one in your signature - Anti-Executable.

    EDIT: Ooops... I see you still do have it. So, there you are!
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    IMHO, with Returnil and SBIE, such an app is not extremely needed.
    Returnil protects against the KillDisk trojan and others. But the "dogs" can defeat it, AFAIK using direct drive access. SBIE protects against this.
    If the combo Returnil+SBIE can eventually be defeated, there's no reason to think that an MBR-protecting app won't be defeated as well.

    I agree with Rmus. If you add AE to the equation, you are as good as invincible.
     
  4. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    Well, I don't think any product/combination of products can provide 100% security.

    But I agree in practical terms AE and SB and Returnil is all you need and you don't need something to specifically protect the MBR.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Hi Rmus:

    You always express in living pictures details that are extremely useful. And yes, of course AE will put the brakes on executables nicely, but I'm curious because it would be of beneficial use for those other users who either cannot use AE or won't, and so I reach out on their behalf, as well as recognize the usefulness of something for when, let's say, the MBR disrupter executable hypothetically evades (surely not AE) another app that is yet to implement this type of critical protection to stave off a serious interruption or disaster, should such vicious code penetrate through basic defenses straight to its target of the MBR/Partition Table. Much in the same way a HIPS will recognize the intent and direction/path of the target but is aborted or suspended ahead of the curve, thus allowing an alert and choice for the user to recognize that a serious corruption of their system is within reach but not able to make it to its intended target without user intervention to cancel and terminate it, much like Cyberhawk jumps up at DLL injections and, when you press DENY, the offending source executable program is immediately and completely terminated on the spot.
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    IMO, such an application would be completely useless. MBR/partition destroyers and malware which performs low-level disk operations don't pose a risk for the wide majority of users, even those who are not security-savvy:
    - Almost all malware is profit-driven; destructive malware isn't high in the priorities of malware creators.
    - Most malware relying on these low-level techniques to write to disk has been developed for the Chinese market, where ISR solutions are a very popular measure on public computers (e.g., Internet cafes).
    - Exercising common sense and keeping your apps/OS up-to-date will reduce the chances of automatic execution to almost zero.
    - This kind of malware is delivered in binary files, so those with execution control solutions (AE, LUA+SRP, classical HIPS, etc.) in place are in no danger of accidental execution.
    - Raw disk access is forbidden in LUA and detected by most classical HIPS (SSM, EQS, etc.).
    - Sandboxes have proven to be resistant to this kind of malware.
    - Some ISR vendors promptly fix any leak in their applications.
    - Recovery is possible, even when Windows-based utilities don't work.
    - Those folks playing with this type of malware know what they're doing, so they think twice before doing anything and they do their tests inside VMs.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    I understand your point, but still can't shake it out of my mind personally, so I'm of the mind of not distancing or dismissing these types of vital security products that can intercept these executables, like AE for one example, but am in favor of taking a piece of Returnil's MBR Protection, for example, or ShadowDefender's, in the same way of rationing off that "auto-restart" of force-closed apps implemented by SSM, and that takes nothing at all away from these other protection apps like those, which are designed to counteract potential malware.

    Useless is a stretch, because most users want to protect their PCs from even the worst Chinese malicious disruptors, even POCs, and seal their system's most sensitive area that, once tapped by, say, KillDisk, sends the system into a tailspin of totally disabled use.

    Perhaps some more research could be introduced into better shoring up against this attack, no matter how far-fetched or distant it might appear, at least for now, but who's to say this type of infection won't at some point begin to find its way into mainstream systems that are already easy targets, evidenced by the MASSIVE use of ComboFix and other tools when users are still entering forums by the droves after being bitten by Vundo and numerous other infections.

    I'm old hat, so I still believe in and hold tight to hardening-type apps; users shouldn't have to go with a full-blown security application just for such coverage as the MBR.
     
  8. Dogbiscuit

    Dogbiscuit Guest

    The BIOS on my system has a Virus Warning feature: "If this function is enabled and an attempt is made to write to the boot sector, BIOS will display a warning message on the screen and sound an alarm beep."
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Very good early warning system. I suppose these preventions fall between mobo manufacturers that build in their own BIOS/MBR protections and those that are not so equipped.
     
  10. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    @Lucas1985: I agree with all points but the first.... IIRC the robodog malware was a password-stealing trojan. They are not all destructive..

    @EASTER: I think you will very much like the new OA version to come that renders a LUA environment to all unknown applications, and you get to keep EQS for the registry guard of it and maybe have the low-level disk accesses enabled if you wish to.. After all, it makes sense, since all such malware types have one common thing..... Died before LUA... ;)
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    Hi Easter

    I am afraid you have mistaken the facts here. I was never clobbered by KillDisk, but tested it on my virtual machine. As part of my test I tried doing an image restore, and couldn't. However, the damage was repaired by using the Windows XP CD and running Diskpart to delete the partition.

    The episode you were referring to was when I tried zeroing the partition table using the Acronis Disk Director from BartPE. That did leave me in a mess, as to access the disks I needed some kind of Windows boot so I could load the nvidia drivers, and once the Windows stuff saw the partition table they crashed.

    Other than that, it's a valid question. My answer, though, is no, I don't think a separate program is needed. Depending on the threat vector, which for me is basically a drive-by download from the web, I feel more than covered. Sandboxie blocks all these attacks. Online Armor has several upcoming features that block them in several fashions. Then, if behaving in a risky manner, both Shadow Defender and Returnil handle them. Just not sure I see the problem at this point, beyond the users.

    Pete
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    :)
    The point is that you need to bypass several "layers" before even worrying about this kind of malware.
     
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    That was the chief concern here, but if such MBR attacks are not so dangerous with the proper hardening or methods, even in a LUA technique, then there's really not much of a chance for something of that nature to even get close.

    Aside from going with SandboxIE and/or Returnil, I've been looking for an alternative approach that might prove just as capable of preventing that sort of severe interruption, even if run locally in testbed research of them.

    Experimenting with SuRun & Samurai together seems to do pretty much the same as far as layering goes, just bare bones and no dependency on either virtual systems, sandboxes, HIPS or even AE. If you're wondering what I'm getting at, it's examining the possibility of alternating between these two methods on the same system/machine: not so redundant if one or the other can be switched over to inactive, but in reality indeed redundant, and one or the other protection I'm looking at as the best full defense, preferably, as mentioned, with the least possible need for a full program(s) to achieve the same purpose.

    When I said clobbered, I don't mean you were caught with your drawers down, just that KillDisk threw a curve ball at the time when it wasn't better understood just how far it goes in disrupting the partition table, and rendered some of the common safety discs ineffective to easily recover from it. LOL

    EASTER
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I use some free programs on a boot floppy that save the MBR etc. to the floppy. Occasionally, I boot with this floppy and compare the MBR etc. on the floppy with the version on the hard disk. If there are discrepancies, the version on the floppy can be restored to the hard disk. This is not prevention, but it is detection and a cure.
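The save-and-compare routine MrBrian describes (and the "detect that the partition table/MBR has been touched" need EASTER raised in the opening post) boils down to parsing sector 0 and diffing it against a trusted copy. The Python below is an added example written for this thread; it is not MrBrian's floppy tools or any product named above. It uses a constructed 512-byte MBR and a constructed "damaged" copy with the partition table wiped, so it runs offline; how the baseline is read from the physical disk (raw device access from a boot medium) is assumed to happen elsewhere and is left out.

```python
import hashlib
import struct

# Layout of a classic (non-GPT) MBR, sector 0 of the disk
SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code occupies bytes 0..445
TABLE_OFFSET = 446             # four 16-byte partition entries follow
ENTRY_LEN = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511: 0x55 then 0xAA


def parse_entry(raw):
    """Decode one 16-byte partition table entry into a dict."""
    status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", raw)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector):
    """Split a 512-byte sector into a boot-code hash, partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    entries = [
        parse_entry(sector[TABLE_OFFSET + i * ENTRY_LEN:
                           TABLE_OFFSET + (i + 1) * ENTRY_LEN])
        for i in range(4)
    ]
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[SIGNATURE_OFFSET:] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline, current):
    """Return human-readable discrepancies between the saved copy and the live sector."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code differs from saved copy")
    if b["signature_ok"] and not c["signature_ok"]:
        findings.append("0x55AA boot signature missing")
    for i, (bp, cp) in enumerate(zip(b["partitions"], c["partitions"]), start=1):
        if bp != cp:
            findings.append("partition entry %d changed: %r -> %r" % (i, bp, cp))
    return findings


def restore_decision(baseline, current):
    """Return the bytes that belong on disk: the saved copy if anything drifted, else the live sector."""
    return baseline if compare_mbr(baseline, current) else current


# --- Constructed sample data (not captured from a real disk) ---

def build_sample_mbr():
    """Assemble a plausible MBR: a two-byte jump stub, one NTFS partition, valid signature."""
    boot_code = b"\xeb\xfe" + b"\x00" * (BOOT_CODE_LEN - 2)
    entry1 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                         b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * ENTRY_LEN
    return boot_code + entry1 + empty * 3 + BOOT_SIGNATURE


def zero_partition_table(sector):
    """Constructed damaged copy: partition table and signature wiped, boot code untouched."""
    return sector[:TABLE_OFFSET] + b"\x00" * (SECTOR_SIZE - TABLE_OFFSET)


if __name__ == "__main__":
    saved = build_sample_mbr()      # what the floppy holds
    live = zero_partition_table(saved)  # what the disk now shows
    for line in compare_mbr(saved, live):
        print(line)
```

The comparison is done per field rather than as one whole-sector hash so the report says what moved (boot code, signature, or a specific partition entry); a whole-sector hash would flag the change but not tell you whether it was a bootkit-style code swap or a wiped table. The same split is what makes the restore step safe to reason about: if only the partition entries changed, the saved copy is exactly what you want back.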
     