Coming from the oldest computing times,the boot record viruses remain still one of the most preffered attack vectors. Like their predecessors, the Stoned computer virus(created 1987), Brain(created 1986 and the first PC virus !), Michelangel0(1991), Elk Cloner(1980), actual boot record viruses use the same method of infection: they replace boot record codes with infected code. For who does know what is a boot record Master Boot Record(MBR) or Volume Boot Record(VBR) the advantages of a such infection are obvious.
For who does not know about MBR or VBR and their role, here are the details of an Windows PC boot sequence in a simplified form.
- When the computer is switched ON, the power supply first perform a self-test on voltages, current and stability and if the results passed the test, the CPU loads and execute the BIOS(Basic Input/Output System) code.
- BIOS performs basic tests on the present hardware, loads if necessary other BIOS routines(for example for video cards) and finally executes Power On Self Test(POST) routines. In these routines the video card is initialized, RAM memory chips, hard drives or other drives(CD-ROM, DVD-ROM, USB devices) are tested and their details displayed and the last step is to read the configuration stored in CMOS memory to see what is the order set for boot devices. If, for example the first boot device is set to DVD-ROM but there is not any DVD inserted, the BIOS will check automatically the second boot device in the order list for a boot record. But if a DVD is inserted, the user is prompted with “Press any key to boot from CD/DVD” message. Also during this boot sequence stage, user can get access to various BIOS settings or configurations by pressing the “Delete” button when the POST informations are displayed for 1-2 seconds.
- If it’s a hard disk boot case, like in any Microsoft Windows workstation, the BIOS will look for MBR. The Master Boot Record with 512 bytes in size, is located in the first sector of the hard drive, cylinder 0, head 0, sector 1 and if it is valid(the last two bytes must be 55AAh) will contain a section with informations about hard disk partitions named partition table and another section with the Primary Boot Loader(or Partition Loader) instructions. The MBR is including also short error messages used in unsuccessful booting cases: “Invalid partition table”, “Error loading operating system” or “Missing operating system”
- The Boot Loader(or Partition Loader) looks in Partition Table for an active partition, usually that’s the partition containing the operating system and load the Boot Record which is located in the first sector of that partition(remember, the MBR is located in the first sector of hard disk) and has like the MBR, 512 bytes in size. This boot record is also named the Volume Boot Record and contains further instructions for booting up the operating system. If the hard disk is not partitioned, the Master Boot Record is replaced by the Volume Boot Record, if the hard disk is partitioned it will contains as many VBRs as the number of partitions , and a MBR located in the first sector of hard disk.
- From this point, the booting process is different depending of Windows version. Different configuration files or Boot Managers are used for initializing the kernel and continue the boot process: NTLDR file as loader and boot.ini file for booting options for Windows XP, a Boot Manager(bootmgr) for Windows Vista and Windows 7. Boot.ini file is replaced for these newer versions of Windows by Boot Configuration Data Editor (BCDEdit) for configuring the boot process.
I hope it is obvious now for everyone why the boot sectors viruses are so stealth, so dangerous and so hard to be removed by the conventional antivirus software. Boot record code is the very first read and executed code from the hard disk and can determine how the operating system is loaded, practically it set an special environment in which the operating system will be running. Let’s see two of the newest boot record viruses.
TDL4 is a MBR rootkit from the TDSS family, compatible with 32 and 64 bits systems able to bypass PatchGuard, a kernel patch protection built in 64 bit versions of Windows starting with XP edition. Once it infects a system, the rootkit add its “loader” code to MBR, create a hidden and encrypted(RC4 algorithm)partition in the last sector of the hard disk, where using its own file system, it saves other rootkit components and the original MBR for later use. The “loader” code from MBR read using int 13h instruction responsible for Low Level Disk Services(disk input/output) the last sector of the hard disk where resides the file table of its partition, decrypt it and find the file offset of its ldr16 component, load it into memory and pass the control to it. The ldr16 job is to implement an int 13h hook and to overwrite in RAM memory the infected MBR with the original MBR saved before in the rootkit encrypted partition.
The ldr16 job is not finished yet.
First phase of kernel initialization is the loading of two main operating system components: hal.dll(hardware abstraction layer) and kdcom.dll(kernel debugger HW extension). ldr16 file continues its execution searching for kdcom.dll file signature and when found replace it into memory with a malicious file called ldr32 or ldr64 depending of the opearting system. To disable the code integrity check(Loader Integrity Check Enforcement) the rootkit monitors all the disk read operations hooking int 13h function and modify in memory the Boot Configuration Data. The trick is to switch for a short period of time to Win PE mode where there is not implemented a file verification for digital signatures. Once the malicious kdcom.dll file is loaded into memory the Win PE mode is disabled. Main function exported by the malicious ldr32/64 rootkit component is KdDebuggerInitialize1 which will finally load and execute the main rootkit component drv32 or drv 64 finalising the system infection. Another side effect of kdcom.dll replacement is the impossibility to use any kernel debugger.
In this stage the infection is fully initialized, by controlling the disk read/write operations this virus is able to hide its presence in the compromised system and the malicious disk port driver hook and the infected MBR is protected by its own protection mechanism – a “watchdog” thread. If the infected MBR is overwritten, the virus will re-infect it.
TDL4 rootkit push the complexity to another level. To assure its supremacy in the infected system, it’s even able to remove another viruses/rootkits. It uses a private encryption algorithm to communicate with the Comand and Control servers. Using the Kad network via a virus module(kad.dll) it’s easy to control the entire botnet inside a decentralized structure.
The TDL 4 bootkit is spreaded using affiliate marketing strategy where affiliates are paid per number of infected computers. It is used to download and execute other malware into the infected computer as rogue antivirus software, adware, for fraudulent activities on advertising systems(click fraud) or to influence the search engines. It’s a well-known fact that this rootkit is responsible for malicious Google redirects.
It’s worthing to mention another boot record rootkit, named by Kaspersky Lab, Rootkit.Win32/Win64.Cidox . It is a Volume Boot Record virus, compatible with 32 and 64 bits systems. The main feature is to alter the browser source pages, displaying advertisements or asking for sending paid SMS for a supposed system disinfection, in a SMS fraud attempt.
About another now notorious Master Boot Record virus Popureb.E, I wrote already here.
The boot record viruses scares the users with their complexity and each new virus is a pain for antivirus researchers to debug and to develop a fix for it. Because the boot record viruses are initialized from MBR , the solution to Master Boot Records(MBR) viruses is rather simple: to write another MBR from outside the system using a live CD or an USB stick for example.
Let’s see a few methods of fixing the Master Boot Record:
- Using the Recovery Console from a Windows installation CD for Windows 2000, Windows XP and Windows Server 2003 operating systems with fixmbr command for fixing the Master Boot Record or fixboot command for fixing the Volume Boot Record. In Windows Vista the Recovery Console substitution is named Recovery Environment and the command used is bootrec. Here is a step-by-step tutorial of how to fix your Master Boot Records for Windows XP and Vista and here is a tutorial for Windows 7. If you have not the original Windows installation CD/DVD, you still can download and burn on CD/DVD the Recovery Environment Disk for Vista 32 bits and Vista 64 bits posted on digiex.net forum. Here are the Recovery Environment Disc for Windows 7 32 and 64 bits.
- AntiVir Boot Sector Repair Tool, an excellent tool from Avira security vendor able to create bootable CDs for fixing MBR.
- Super Grub Disk offers an easy solution for fixing the boot records under Linux and Windows computers.
Especially for TDSS.TDL4 rootkits, there are two free tools from Kaspersky and Bitdefender company:
- Anti-rootkit utility TDSSKiller
- Free Removal Tool for TDL4
- Aditionally, UnHackMe is an antirootkit tool able to disinfect the boot records. A free tool for detecting TDL4 rootkits is avalable here.
The boot records viruses are among the most frightening viruses but are far from being indestructible, once they are detected the disinfection is rather simple: just overwrite the 512 bytes of infected MBR.
Keep safe !