Dating from the earliest days of computing, boot record viruses remain one of the most preferred attack vectors. Like their predecessors, the Stoned computer virus (created 1987), Brain (created 1986 and the first PC virus!), Michelangelo (1991) and Elk Cloner (1980), current boot record viruses use the same method of infection: they replace the boot record code with infected code. For those who know what a boot record, Master Boot Record (MBR) or Volume Boot Record (VBR), is, the advantages of such an infection are obvious.
For those who do not know about the MBR or VBR and their role, here is the boot sequence of a Windows PC in simplified form.
- When the computer is switched on, the power supply first performs a self-test on voltages, current and stability; if the results pass, the CPU loads and executes the BIOS (Basic Input/Output System) code.
- The BIOS performs basic tests on the hardware present, loads other BIOS routines if necessary (for example for video cards) and finally executes the Power On Self Test (POST) routines. In these routines the video card is initialized; RAM chips, hard drives and other drives (CD-ROM, DVD-ROM, USB devices) are tested and their details displayed; and the last step is to read the configuration stored in CMOS memory to find the order set for the boot devices. If, for example, the first boot device is set to DVD-ROM but no DVD is inserted, the BIOS automatically checks the second boot device in the list for a boot record. If a DVD is inserted, the user is prompted with the message “Press any key to boot from CD/DVD”. Also during this stage of the boot sequence, the user can access the various BIOS settings by pressing the “Delete” key while the POST information is displayed for 1-2 seconds.
- In the case of a hard disk boot, as on any Microsoft Windows workstation, the BIOS looks for the MBR. The Master Boot Record, 512 bytes in size, is located in the first sector of the hard drive (cylinder 0, head 0, sector 1). If it is valid (the last two bytes must be 55AAh), it contains a section with information about the hard disk partitions, named the partition table, and another section with the Primary Boot Loader (or Partition Loader) instructions. The MBR also includes short error messages used when booting fails: “Invalid partition table”, “Error loading operating system” or “Missing operating system”.
- The Boot Loader (or Partition Loader) looks in the partition table for an active partition, usually the partition containing the operating system, and loads the boot record located in the first sector of that partition (remember, the MBR is located in the first sector of the hard disk); like the MBR, it is 512 bytes in size. This boot record is also named the Volume Boot Record and contains further instructions for booting the operating system. If the hard disk is not partitioned, the Master Boot Record is replaced by the Volume Boot Record; if the hard disk is partitioned, it contains as many VBRs as there are partitions, plus an MBR located in the first sector of the hard disk.
- From this point, the boot process differs depending on the Windows version. Different configuration files or boot managers are used to initialize the kernel and continue the boot process: the NTLDR file as loader and the boot.ini file for boot options on Windows XP, and a Boot Manager (bootmgr) on Windows Vista and Windows 7. On these newer versions of Windows, the boot.ini file is replaced by the Boot Configuration Data, which is configured with the Boot Configuration Data Editor (BCDEdit).
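To make the layout described above concrete, here is an added example in Python (not code from the original post) that parses a 512-byte MBR image the way the Boot Loader stage has to: it checks the 55AAh signature, decodes the four 16-byte partition table entries, picks the single active partition that control would be handed to, computes the byte offset of that partition's Volume Boot Record, and checks that the three standard error messages are present in the bootstrap area. The sample MBR is constructed inline; its partition values (an active type 0x07 partition at LBA 2048 followed by an inactive type 0x83 partition) are assumptions for the demonstration, not data from the post.

```python
import struct

# Layout constants for a classic (non-GPT) MBR, as described in the post.
SECTOR_SIZE = 512
PT_OFFSET = 446            # partition table: 4 entries of 16 bytes, bytes 446-509
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xAA"    # bytes 510-511 must read 55AAh for the MBR to be valid
# Standard messages carried in the bootstrap area of a Microsoft MBR.
ERROR_STRINGS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def parse_partition_table(mbr):
    """Validate the 55AAh signature and decode the four partition entries.

    Each 16-byte entry is: status (0x80 = active/bootable), 3 bytes CHS start,
    partition type, 3 bytes CHS end, 32-bit LBA of the first sector, 32-bit
    sector count (all little-endian). Empty entries (type 0) are skipped.
    """
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    if mbr[510:512] != SIGNATURE:
        raise ValueError("invalid MBR: last two bytes are not 55AAh")
    entries = []
    for index in range(4):
        offset = PT_OFFSET + index * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, offset)
        if ptype == 0:
            continue
        entries.append({
            "index": index,
            "active": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def find_active_partition(entries):
    """Return the single active entry the Boot Loader would hand control to."""
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active partition, found %d" % len(active))
    return active[0]


def vbr_byte_offset(entry):
    """Byte offset on disk of the partition's Volume Boot Record (its first sector)."""
    return entry["lba_start"] * SECTOR_SIZE


def has_standard_error_strings(mbr):
    """True when all three standard boot error messages appear in the bootstrap area."""
    bootstrap = mbr[:PT_OFFSET]
    return all(msg in bootstrap for msg in ERROR_STRINGS)


def build_sample_mbr():
    """Constructed sample MBR (not a real disk image): a stub of bootstrap bytes,
    the three error strings, one active NTFS-type partition, one inactive Linux-type
    partition, two empty entries and the 55AAh signature."""
    mbr = bytearray(SECTOR_SIZE)
    bootstrap = (b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * 32
                 + b"\x00".join(ERROR_STRINGS) + b"\x00")
    mbr[:len(bootstrap)] = bootstrap
    # entry 0: active, type 0x07 (NTFS), starts at LBA 2048, 204800 sectors
    struct.pack_into("<B3xB3xII", mbr, PT_OFFSET, 0x80, 0x07, 2048, 204800)
    # entry 1: inactive, type 0x83 (Linux), starts right after entry 0, 100000 sectors
    struct.pack_into("<B3xB3xII", mbr, PT_OFFSET + ENTRY_SIZE, 0x00, 0x83, 206848, 100000)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    sample = build_sample_mbr()
    parts = parse_partition_table(sample)
    boot = find_active_partition(parts)
    print("partitions:", parts)
    print("VBR of the active partition at byte offset", vbr_byte_offset(boot))
    print("standard error strings present:", has_standard_error_strings(sample))
```

To run this against a real disk, read sector 0 from a live CD or USB environment (for example `dd if=/dev/sda bs=512 count=1` on a Linux live system) rather than from inside the running Windows installation: as the TDL4 description below explains, an active bootkit hooks disk reads and can present the original, clean MBR to anything that asks from inside the infected system.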
I hope it is now obvious to everyone why boot sector viruses are so stealthy, so dangerous and so hard to remove with conventional antivirus software. The boot record code is the very first code read and executed from the hard disk and can determine how the operating system is loaded; in practice it sets up a special environment in which the operating system will run. Let's look at two of the newest boot record viruses.
TDL4 is an MBR rootkit from the TDSS family, compatible with 32- and 64-bit systems and able to bypass PatchGuard, the kernel patch protection built into 64-bit versions of Windows starting with the XP edition. Once it infects a system, the rootkit adds its “loader” code to the MBR and creates a hidden, encrypted (RC4 algorithm) partition in the last sector of the hard disk, where, using its own file system, it saves the other rootkit components and the original MBR for later use. The “loader” code in the MBR uses int 13h, the interrupt responsible for Low Level Disk Services (disk input/output), to read the last sector of the hard disk, where the file table of its partition resides; it decrypts it, finds the file offset of its ldr16 component, loads it into memory and passes control to it. The job of ldr16 is to install an int 13h hook and to overwrite, in RAM, the infected MBR with the original MBR saved earlier in the rootkit's encrypted partition.
The job of ldr16 is not finished yet.
The first phase of kernel initialization is the loading of two main operating system components: hal.dll (hardware abstraction layer) and kdcom.dll (kernel debugger hardware extension). ldr16 continues its execution by searching for the kdcom.dll file signature and, when found, replaces it in memory with a malicious file called ldr32 or ldr64, depending on the operating system. To disable the code integrity check (Loader Integrity Check Enforcement), the rootkit monitors all disk read operations through its int 13h hook and modifies the Boot Configuration Data in memory. The trick is to switch for a short period of time to WinPE mode, in which file digital signatures are not verified. Once the malicious kdcom.dll is loaded into memory, WinPE mode is disabled. The main function exported by the malicious ldr32/64 component is KdDebuggerInitialize1, which finally loads and executes the main rootkit component, drv32 or drv64, completing the system infection. Another side effect of replacing kdcom.dll is that no kernel debugger can be used.
At this stage the infection is fully initialized. By controlling disk read/write operations, the virus is able to hide its presence on the compromised system, and the malicious disk port driver hook and the infected MBR are protected by their own protection mechanism, a “watchdog” thread: if the infected MBR is overwritten, the virus re-infects it.
The TDL4 rootkit pushes the complexity to another level. To assure its supremacy on the infected system, it is even able to remove other viruses/rootkits. It uses a private encryption algorithm to communicate with its Command and Control servers. Using the Kad network via a virus module (kad.dll), it is easy to control the entire botnet within a decentralized structure.
The TDL4 bootkit is spread using an affiliate marketing strategy, where affiliates are paid per number of infected computers. It is used to download and execute other malware on the infected computer, such as rogue antivirus software and adware, for fraudulent activities on advertising systems (click fraud) or to influence search engines. It is a well-known fact that this rootkit is responsible for malicious Google redirects.
It is worth mentioning another boot record rootkit, named by Kaspersky Lab Rootkit.Win32/Win64.Cidox. It is a Volume Boot Record virus, compatible with 32- and 64-bit systems. Its main feature is to alter browser source pages, displaying advertisements or asking the user to send paid SMS messages for a supposed system disinfection, in an SMS fraud attempt.
About another now notorious Master Boot Record virus, Popureb.E, I have already written here.
Boot record viruses scare users with their complexity, and each new virus is a pain for antivirus researchers to debug and develop a fix for. Because boot record viruses are initialized from the MBR, the solution to Master Boot Record (MBR) viruses is rather simple: write another MBR from outside the system, using a live CD or a USB stick for example.
Let's look at a few methods of fixing the Master Boot Record:
- Using the Recovery Console from a Windows installation CD for the Windows 2000, Windows XP and Windows Server 2003 operating systems, with the fixmbr command for fixing the Master Boot Record or the fixboot command for fixing the Volume Boot Record. In Windows Vista the replacement for the Recovery Console is named the Recovery Environment, and the command used is bootrec. Here is a step-by-step tutorial on how to fix your Master Boot Record for Windows XP and Vista, and here is a tutorial for Windows 7. If you do not have the original Windows installation CD/DVD, you can still download and burn to CD/DVD the Recovery Environment Disc for Vista 32-bit and Vista 64-bit posted on the digiex.net forum. Here are the Recovery Environment Discs for Windows 7 32- and 64-bit.
- AntiVir Boot Sector Repair Tool, an excellent tool from the security vendor Avira, able to create bootable CDs for fixing the MBR.
- Super Grub Disk offers an easy solution for fixing the boot records on Linux and Windows computers.
Especially for TDSS.TDL4 rootkits, there are two free tools, from Kaspersky and from Bitdefender:
- Anti-rootkit utility TDSSKiller
- Free Removal Tool for TDL4
- Additionally, UnHackMe is an anti-rootkit tool able to disinfect the boot records. A free tool for detecting TDL4 rootkits is available here.
Boot record viruses are among the most frightening viruses, but they are far from indestructible: once they are detected, disinfection is rather simple, just overwrite the 512 bytes of the infected MBR.
Keep safe!
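The detection and repair ideas from the TDL4 section and from the fix list above, as an added example in Python that is not from the original post or from any of the tools it lists: a SHA-256 baseline of the bootstrap code taken from a known-clean system, a count of the unallocated sectors at the end of the disk (the region where TDL4 keeps its hidden encrypted partition), and a rebuild of the MBR that replaces the bootstrap code but preserves the disk signature, the partition table and the 55AAh signature. That last point is the practical caveat to "overwrite the 512 bytes": fixmbr and bootrec /fixmbr rewrite the boot code and keep the partition table, because blanking the whole sector would make the partitions unreachable. The disk signature field at byte 440 is the standard Windows field; the sample MBR, the "tampered" bytes and CLEAN_BOOTSTRAP are constructed placeholders, not real boot code or malware.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_END = 440   # bytes 0-439: bootstrap code; 440-443: Windows disk signature; 444-445: reserved
PT_OFFSET = 446       # bytes 446-509: partition table; 510-511: 55AAh
SIGNATURE = b"\x55\xAA"


def bootstrap_fingerprint(mbr):
    """SHA-256 of the bootstrap code only. Record it on a clean system and compare
    later; the partition table is excluded because it changes legitimately."""
    return hashlib.sha256(mbr[:BOOTSTRAP_END]).hexdigest()


def partition_extents(mbr):
    """(first_lba, sector_count) for each non-empty entry; the type byte is entry byte 4."""
    return [struct.unpack_from("<II", mbr, PT_OFFSET + i * 16 + 8)
            for i in range(4) if mbr[PT_OFFSET + i * 16 + 4] != 0]


def unallocated_tail_sectors(mbr, disk_sectors):
    """Sectors after the last partition that belong to no partition.

    TDL4 stores its encrypted file system at the end of the disk, so a tail much
    larger than the usual alignment slack deserves to be read and inspected."""
    last_end = max((lba + count for lba, count in partition_extents(mbr)), default=0)
    if last_end > disk_sectors:
        raise ValueError("partition table extends beyond the disk")
    return disk_sectors - last_end


def rebuild_mbr(current_mbr, clean_bootstrap):
    """Build a replacement MBR: new bootstrap code, but the disk signature, the
    partition table and the 55AAh signature of the current MBR are kept."""
    if len(current_mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if len(clean_bootstrap) > BOOTSTRAP_END:
        raise ValueError("bootstrap code must fit in 440 bytes")
    if current_mbr[510:512] != SIGNATURE:
        raise ValueError("current MBR has no valid 55AAh signature")
    new = bytearray(SECTOR_SIZE)
    new[:len(clean_bootstrap)] = clean_bootstrap
    new[BOOTSTRAP_END:510] = current_mbr[BOOTSTRAP_END:510]
    new[510:512] = SIGNATURE
    return bytes(new)


def check_and_repair(mbr, baseline, clean_bootstrap):
    """Return (was_tampered, mbr_to_write). The caller writes the result to sector 0
    from outside the infected system (live CD / USB), as the post recommends."""
    if bootstrap_fingerprint(mbr) == baseline:
        return False, mbr
    return True, rebuild_mbr(mbr, clean_bootstrap)


# --- constructed sample data; no real disk image or malware bytes are involved ---
CLEAN_BOOTSTRAP = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"Missing operating system\x00"


def build_sample_disk_mbr(bootstrap):
    """Assumed layout: made-up disk signature, active type 0x07 partition at LBA 2048,
    inactive type 0x83 partition right after it, two empty entries."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", mbr, BOOTSTRAP_END, 0x1234ABCD)
    struct.pack_into("<B3xB3xII", mbr, PT_OFFSET, 0x80, 0x07, 2048, 204800)
    struct.pack_into("<B3xB3xII", mbr, PT_OFFSET + 16, 0x00, 0x83, 206848, 100000)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


CLEAN_MBR = build_sample_disk_mbr(CLEAN_BOOTSTRAP)
BASELINE = bootstrap_fingerprint(CLEAN_MBR)
# Simulated tampering: the bootstrap bytes differ, the partition table does not.
TAMPERED_MBR = build_sample_disk_mbr(b"\xEB\x10" + b"\x90" * 40)


if __name__ == "__main__":
    tampered, fixed = check_and_repair(TAMPERED_MBR, BASELINE, CLEAN_BOOTSTRAP)
    print("bootstrap tampered:", tampered)
    print("repaired MBR matches baseline:", bootstrap_fingerprint(fixed) == BASELINE)
    print("partition table preserved:", partition_extents(fixed) == partition_extents(TAMPERED_MBR))
    print("unallocated tail sectors on a 306912-sector disk:", unallocated_tail_sectors(fixed, 306912))
```

The baseline must come from sector 0 read on the clean machine before any infection, or from a vendor's known-good boot code; a fingerprint taken from inside a running TDL4 system is worthless, since the int 13h hook described above returns the original MBR to anyone reading it from the infected OS. The tail check is a lead, not a verdict: a few dozen unallocated sectors are normal alignment slack, while a large unallocated region at the very end of the disk on a system that shows the other symptoms is where the rootkit's file system would be.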
To fix a virus (TDL4) MBR infection
1. Run a live CD like Win7PE, Hirens 13.** (any live CD)
2. Download the aswMBR tool from the Avast website
(In this step, if you use a Win7PE live CD, it is better if you connect to the internet and run automatic updates)
a) Run aswMBR.exe
b) Click on Scan
It will show you (first line) Disk 0 TDL4 Found
(second line) Disk 0 TDL4 ***ROOTKIT***
Both lines in red color.
Hit FixMBR
—————
Use a CD to access a virtual CD such as Win7PE, Hiren's CD etc.
Download the AVAST tool aswMBR.exe
Run it and click on Scan
You will find two lines showing that it has found the rootkit; both lines will be in red.
Choose FIXMBR
Very good tool.
Regards and sorry for my bad English.
Greetings and sorry for my bad English. santiago.js@live.com
What is truly weird is that I am finding all sorts of information about these BIOS, RAM and process/driver/device infections from 2 – 4 years ago, and then there’s total bupkis (nada), absolute radio silence. I’m convinced that the actual problem has in the intervening period been much more severe and widespread than apparent or discussed, but has been conveniently shunted with band-aid patches and work-around fixes by the industry that don’t actually solve or even much confront the problem, but just kick the can down the road until the infection resurfaces like an untreatable staph lesion, by which time the user has reached a convenient consumer price-point where he/she can be saying, “Yeah, whatever, time to buy Windows (Iteration of Increasing Entropy) or Mac or Linux/Android, or just go totally headphone isolating XBox,” at which point I’d just as soon join a monastery or go rogue Amish, pitied as I suffered still with the flop sweat and technology panic attacks. 2013, and we’ve/I’ve been dealing with the same issues and causes, spreading like cancer at inevitable repeating stages of denial and insanity because something-wicked-this-way-came. And it snuck in the ‘backdoor’ by walking right in the front. I’ve disassembled devices and chunks of OS and supposed recovery partitions, and reassembled somehow even more code and hardware, what with the router firewalls, the anti-v programs (free and purchased), rootkits, drive erasers, bootloaders, mindnumbing all-nighters of manually picking through system files, tech support, PC sales retail clerks, oh and the most useless of all, Lenovo Customer Assault and Battery. I will never buy another POS Lenovo again. It was infected, or rather primed for infection, from the get go.
They were kind enough to at one point send me reinstall disks for my G series laptop, but were insistent that I cash-up before they’d even listen to any further issues I had with a reinstall that was obviously not going according to plan (hmm, I don’t think command line windows should intermittently be popping up and illustrating an internalized battle of bad driver assimilation complete with timeouts and (misspelled) diagnostic message screens, but the guy on the phone just took that in stride). My laptop started acting hinky from day one, when my first user profile just disappeared. Then the firewall and other security issues, anti-v reports with not a single v or even the odd PUP appearing, and those always show up at least in SuperAntiSpyware, then the service management changes, missing drive management. I’ll give them this: I’ve learned a ton of sausage-making in the guts of this Lenovo/Win7 abattoir; and even more about the real issue at hand, after having to rely on Android and Linux backup systems hobbled and cobbled from dead hardware that the worm I boneheadedly passed on and then through Amazon (respectively). I am now at a point where my laptop is barely operable (dingbat/wingnut, whatever it’s called, font shows up as the text in the OS both in reality-bites and safe mode, but I do get low-res but full-frontal Arial font in my applications, and that has confirmed a lot to me there, as consistent disk cleaning always picked up a head scratching amount of new temp font files). Long ago, I had tried to produce a solution through hard-liner command line madness, but I could never get the absolute problem of the partition hierarchy to emerge.
I was finally able to get to a workable scenario where my system wasn’t reverting at some point to a partially concealed workstation wannabe, and this by obliterating anything to do with the wireless driver(s), and part of the sound management (the most tenacious of the reinstallation driver issues I’d had since speaking first with Lenovo). From there, it was a constant monitoring procedure, and I was always losing ground in my battle with optimization to keep my head above water. This all, however, ironically crashed and burned me when I accidentally reset my BIOS, as one groggy morning, I mistook a friend’s computer for mine (at the time, I was successfully and complacently clearing it of an itty bitty humdrum virus issue, and some creative IP configuration). The BIOS changes reverted the system to a bitter mess of high voltage and no circuit breakers. And, there it was, the Kraken was back. I tightened the screws with all that I’ve learned (and mislearned) and in this barely functional life support environment I’ve reached, a system I can boot but can’t use, I am able to thankfully now see within command line what I hadn’t been able to directory list before, the process by which I boot okay into the drive I want, but then I am immediately directed further back into the Windows hierarchy into another Windows environment with a bootmanager that employs its own set of corrupted drivers in employ of doing whatever it damn well pleases, replete with fake AV reports, Windows screen props, browser protocols that bypass what I need with alacrity, the Kraken has an answer for everything. However, along the way, I’ve found bits of text documentation that describe how the Kraken has faked out my every attempt to repartition effectively, and how alias commands have vexed me, and how I couldn’t even think of changing the BIOS because it would postdate its release date past that of updated BIOS from the Lenovo site.
I am hoping the resources you’ve provided, through your post (though it is a couple of years old), will still be able to tackle this issue, but the monstrosity is a form of Hal on steroids, and a lot of the fixes suggested from the posts I’ve read from this time period have been rendered obsolete by sometimes clever, sometimes blatantly “duh” coding sleight of hand. A boot disk diagnostic I ran a few weeks ago suggests that part of the original infiltration is a Linux mounting, but the Windows trail and mapping clearly lay out the circular path of the boot, which ends up filtering through a Veriface file (I uninstalled that 18 months ago, but am I surprised? hell to the no!) full of executables that begin a glut of processes it chokes me to even ponder. Then the fake Windows environment is off and running, and I can’t get rid of the pieces because I can’t even rely on the usual working last resorts (fun to discover a list of aliases for cmd requests and parameters, even for mundane operations like listing existing volumes). I long ago gave up on the chase to whip the partitions into order as the boot and system files would have me chasing their tail in circles (I did get somewhere at one point by going stone age and loading MS DOS, which was graciously nonchalant in its “whatever” attitude, allowing me to go nuclear in boot/system annihilation, where I had at last been able to resurrect enough working Frankenstonia to be safely online (wired only), but then the day of the Kraken). So, now I’m piecing together what I’ve tediously stapled to my brain with bookmarks/favorites I can barely decipher on fading post it notes. This is evil incarnate.
I actually have decided to take this SOB to an ICK Lenovo ‘authorized’ repair dungeon to at least show them what Hal/Hell they hath wrought (as I am completely, 100 percentafiable certain that their bad BIOS negligence had everything to do with either most of the eventual mess, but certainly the initial domino in the chain of tumbling catastrophes). I don’t actually have a particular question for you, but I do want to thank you from the bottom of my cold, dead heart for your post, your time, your resources, your intelligence, your compassion, your humanity and your disdain for corporate and idiocy in the face of cell-structured malware terrorists. God, if they ever got together they would be a dangerous force that could take over the entire industry with an eternal ploy of spy v. spy requiring endless software, hardware and security changes/updates/reconstructions, bilking billions from hapless consumers who just want to pay their Mastercard online, but don’t want to fund some former Soviet republic’s mafia at the expense of identity theft and the cost of DSL. Speaking of, what next, the phone company gets in on it?! NOT MA BELL!!! Cripes. Anyway, I know I haven’t given you too many details about my setup, since I came to praise Caesar and not bury him with specs, but if any of this sounds familiar in a more recent context and you know of any further resources that might apply, I’d be dead grateful to hear back or see a response post. In the meantime, off I go to play with the MBR, post XP boot edits, and catch-me-if-you-can load disks, and if need be, I go to Lenovo land, which never sees the sun, where I will have pried, wheedled or threatened lives for a little free advice. Or maybe I’ll just get my vision and sanity partially back by loading Ubuntu and calling it a day, for every dog must have one, even if he’s been Lenovo’s bitch for almost two years.
At the end of the aforementioned day, I am just relieved that piecing this together from random posts, and stitching the remnants of directory and file evidence, chipping away layer by ugly layer has restored some sense of self-worth and mental stability. You will not believe (oh yes you will) how many people have just looked at me as if I’m a paranoid nutcase, an inept InterWeb novice, or just confused and hopeless as I’ve described each raising of the stakes in getting at the source of the problem, which few professionals or even dedicated hobbyists/masochists have seemed to faithfully define or report on in years, or since the point at which academics were first claiming and the industry was scoffing as hogwash that RAM infections, and their implications, were patently impossible. Meanwhile, it’s now estimated about 20% of computers come out of the box with malware infected or purposefully installed. As I mentioned, I think the powers that be realize there’s such a problem, but it’s easier to sweep it under the rug as the entire PC unit itself has slowly degenerated in price and reliability toward being one big chunk of expendable hardware. Throw out the baby, the bathwater and the kitchen sink. But people like Lenovo don’t talk to you like you’re crazy because you believe you have this problem; they just bide their time until you give in to the belief that you’d be crazy not to spend your money on letting them fix it. If I didn’t have such clumsy fingers, instead showed off the digit-dextrous ice-skating fingertips, I’d have moved on by now to master the tablet, and I’d be a happier camper. Not because I’d actually buy a tablet, but because I’d be taking those wondrous appendages to a monastery where I’d be slowly and restfully illuminating Bibles while praying never to see another freaking product of technocracy ever again. Well, thanks for listening. It’s been real. It’s been fun. But it hasn’t been real fun.
It doesn't seem possible to remove these to me. I have persistent hacks on all my systems and after reading that they can infect themselves into the hardware of even video cards and hard drive firmware… it seems completely impossible. My only symptoms are constant HD access. Sometimes fan speeds increasing, decreasing. Sounds like the comps are constantly being scanned.
Wow, what a great resource! Thanks for sharing this…