MBR rootkit

Bozo · Jul 1, 2011

Chewy509 · Jul 1, 2011

Yep, there's been a lot of talk about this newish rootkit, and Microsoft's advise on how to clean it.

But going back years when I first started with UNIX systems, the advise for a system that had a rootkit installed or had been hacked was simple. "Wipe the HDDs and do a clean install. Restore user data from backup, and verify setup in line with documentation".

Or as Ellen Ripley put "nuke the entire site from orbit. It’s the only way to be sure".

My personal thought is, yes you may have cleaned the rootkit, but what else has been installed?

Mercutio · Jul 1, 2011

That really should be the outcome of any security breach, not just a rootkit.

LiamC · Jul 2, 2011

Chewy509 said:
Yep, there's been a lot of talk about this newish rootkit, and Microsoft's advise on how to clean it.

But going back years when I first started with UNIX systems, the advise for a system that had a rootkit installed or had been hacked was simple. "Wipe the HDDs and do a clean install. Restore user data from backup, and verify setup in line with documentation".

Or as Ellen Ripley put "nuke the entire site from orbit. It’s the only way to be sure".

My personal thought is, yes you may have cleaned the rootkit, but what else has been installed?

+1. What else is there to say.

LunarMist · Jul 2, 2011

Nobody uses Ghost or the Acronis anymore?

Bozo · Jul 2, 2011

LunarMist said:
Nobody uses Ghost or the Acronis anymore?

How do you know you are not reinstalling the rootkit.

Bozo · Jul 2, 2011

Has anyone seen a utility that detects this nastiness?

LunarMist · Jul 2, 2011

Bozo said:
How do you know you are not reinstalling the rootkit.

The rootkit travels back in time?

jtr1962 · Jul 3, 2011

I'm surprised nobody has found a hardware solution to this, something like putting a jumper on the HDD which disables writing to the boot sector. Once you partition a hard drive, there's no reason for anything to be written to the boot sector unless you're repartitioning it.

ddrueding · Jul 3, 2011

IIRC, BIOSes have supported a "Virus MBR Lock" for some time, where it will interrupt any changes to the MBR when enabled. Of course, you have to turn it off to install the OS then remember to turn it back on.

MaxBurn · Jul 4, 2011

I guess this would be one benefit from using an advanced format drive to boot from?

Howell · Jul 5, 2011

Isn't AV software protection of the boot sector as old or nearly as old as the BIOS protection?

LunarMist · Jul 5, 2011

That is useless when the virus/malware bypasses the AV software.

MBR rootkit

Bozo

Storage? I am Storage!

Chewy509

Wotty wot wot.

Mercutio

Fatwah on Western Digital

LiamC

Storage Is My Life

LunarMist

I can't believe I'm a Fixture

Bozo

Storage? I am Storage!

Bozo

Storage? I am Storage!

LunarMist

I can't believe I'm a Fixture

jtr1962

Storage? I am Storage!

ddrueding

Fixture

MaxBurn

Storage Is My Life

Howell

Storage? I am Storage!

LunarMist

I can't believe I'm a Fixture