Never Out of Fashion
Malware attack vectors that worked in the previous millennium still work today on Windows.
'Old school virus methods appear to be in vogue at the moment!' writes Liam OMurchu on the Symantec Security Response Weblog. OK and cheerio and all that - but why do they still work? After all these years why?
The answer is eminently forthright and devastatingly simple.
Hot on the heels of Trojan.Mebroot which overwrote the MBR...
But the MBR - the master boot record - is part of the computer hardware. And on secure systems there's supposed to be no way for ordinary user land processes to access computer hardware.
The worm in question is called W32.Joydotto and it initially appeared to be just another worm that spreads by copying itself and an autorun.inf file to all removable devices...
So in other words Windows allows any user processes to configure removable devices and hijack their operations.
Upon closer examination it was seen that the worm copies itself to removable devices without using a file name for itself...
This means the worm can get below the user land file system API. This means ordinary user land processes are capable of performing system altering operations.
By doing this the worm cannot be seen using any file-listing tools since there is no filename to find...
Loverly. Overriding and breaking the law of the file system - something even the superuser wouldn't be able to do. Do you feel safer now?
In addition to this the worm ensures its longevity by marking part of the disk as being corrupted...
An old trick. Get into the volume bitmap - whether it be the old 'FATs' or NTFS metadata. This trick worked for boot sector viruses fifteen years ago - on 16-bit unprotected insecure Windows 3. It's not supposed to work anymore on 'secure' Windows.
In fact the only way to find the worm on the disk is to know its exact location, along with the correct decryption keys.
Not true. If this innocent worm can corrupt the volume bitmap so can a skilled security researcher. All you do is go into the volume bitmap yourself and unmark all the 'damaged' clusters and then run a disk check. The worm will turn up as orphaned clusters and be put in a quarantine where you can pick them up and dispense with them. This works because Windows and its file systems are insecure both for the malware and for the security pro.
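The recovery the paragraph above describes, as an added example that is not Symantec's or Radsoft's code: a toy FAT16 allocation table is constructed inline, a few clusters are marked with the FAT16 bad-cluster value 0xFFF7 while still holding data, and the code does what a disk check does once the 'damaged' marks are questioned - it finds bad-marked clusters that no file chain references yet are not blank, and chains them into a recovery file so they can be inspected and removed. The directory entries are a plain list of (name, first cluster) pairs rather than parsed on-disk entries, and NTFS (where the same marks live in $BadClus and $Bitmap) is not modelled; both are simplifications of this example.

```python
"""Find clusters marked 'bad' in a FAT16 table that hold data no file owns,
then chain them into a recovery file, chkdsk-style.  Constructed example."""
import struct

FAT16_FREE = 0x0000
FAT16_BAD = 0xFFF7        # FAT16 bad-cluster marker
FAT16_EOC = 0xFFFF        # end-of-chain (any value >= 0xFFF8 ends a chain)
CLUSTER_SIZE = 512        # constructed: one 512-byte sector per cluster


def parse_fat16(fat_bytes):
    """Little-endian 16-bit entries, one per cluster."""
    return list(struct.unpack("<%dH" % (len(fat_bytes) // 2), fat_bytes))


def walk_chain(fat, start):
    """Follow a cluster chain from its first cluster; stop on EOC, bad,
    free or a loop so a corrupted table cannot hang the walk."""
    chain, seen, c = [], set(), start
    while 2 <= c < len(fat) and c not in seen:
        seen.add(c)
        chain.append(c)
        nxt = fat[c]
        if nxt >= 0xFFF8 or nxt in (FAT16_BAD, FAT16_FREE):
            break
        c = nxt
    return chain


def referenced_clusters(fat, dir_entries):
    """Every cluster reachable from some directory entry."""
    refs = set()
    for _name, first in dir_entries:
        refs.update(walk_chain(fat, first))
    return refs


def suspicious_bad_clusters(fat, dir_entries, data):
    """Bad-marked clusters that no file references and whose data area
    is not blank: a real bad sector is rarely full of payload."""
    refs = referenced_clusters(fat, dir_entries)
    found = []
    for c, entry in enumerate(fat):
        if c < 2 or entry != FAT16_BAD or c in refs:
            continue
        blob = data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE]
        if any(blob):
            found.append(c)
    return found


def quarantine(fat, dir_entries, clusters, name="FILE0000.CHK"):
    """Unmark the clusters and link them into one recovery file, the way a
    disk check turns orphaned clusters into a .CHK file."""
    if not clusters:
        return fat, dir_entries
    fat = list(fat)
    for cur, nxt in zip(clusters, clusters[1:]):
        fat[cur] = nxt
    fat[clusters[-1]] = FAT16_EOC
    return fat, dir_entries + [(name, clusters[0])]


def build_sample():
    """Constructed 16-cluster volume: one real file, three hidden payload
    clusters marked bad, one genuinely bad (blank) cluster."""
    n = 16
    fat = [FAT16_FREE] * n
    fat[0], fat[1] = 0xFFF8, 0xFFFF        # reserved entries
    fat[2], fat[3] = 3, FAT16_EOC          # README.TXT: 2 -> 3 -> EOC
    for c in (9, 10, 11, 12):
        fat[c] = FAT16_BAD
    data = bytearray(n * CLUSTER_SIZE)
    data[2 * CLUSTER_SIZE:2 * CLUSTER_SIZE + 5] = b"hello"
    for c in (9, 10, 11):                  # payload hidden under bad marks
        data[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] = b"\x5a" * CLUSTER_SIZE
    return struct.pack("<%dH" % n, *fat), [("README.TXT", 2)], bytes(data)


def run_check():
    fat_bytes, dir_entries, data = build_sample()
    fat = parse_fat16(fat_bytes)
    hidden = suspicious_bad_clusters(fat, dir_entries, data)
    fat, dir_entries = quarantine(fat, dir_entries, hidden)
    return hidden, fat, dir_entries, data


if __name__ == "__main__":
    hidden, fat, entries, _ = run_check()
    print("hidden clusters under bad marks:", hidden)
    print("recovery file:", entries[-1], "->", walk_chain(fat, entries[-1][1]))
```

The genuinely bad cluster 12 stays marked, since nothing in it is worth keeping; only clusters that are both 'bad' and full of data get pulled into the recovery file, where a scanner can look at them like any other file.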
This is a trick that some older DOS viruses used back in their heyday; however, this trick has not been popular for quite some time now.
Uh - maybe it's because everyone presumed Windows was more secure after all these years?
Symantec: Virus Tricks of the Old School
Radsoft News: The Return of the Boot Sector Attack