Garrett: UEFI secure booting
Posted Sep 22, 2011 4:14 UTC (Thu) by imgx64 (guest, #78590)
Technically speaking, this is not a step further, but a step *back* in the boot process. This malware modifies the BIOS (or in the future, UEFI), so UEFI checking the OS for a signature is too late to stop it.
The only way to stop the above malware is to disable the ability to flash the ROM from inside the OS (a misfeature that was added, like most other misfeatures, for "convenience").
Posted Sep 22, 2011 10:47 UTC (Thu) by etienne (subscriber, #25256)
Posted Sep 23, 2011 1:27 UTC (Fri) by hamish (subscriber, #6282)
Posted Sep 23, 2011 10:20 UTC (Fri) by etienne (subscriber, #25256)
Posted Sep 30, 2011 9:00 UTC (Fri) by robbe (subscriber, #16131)
Posted Oct 3, 2011 11:14 UTC (Mon) by etienne (subscriber, #25256)
Posted Oct 3, 2011 18:05 UTC (Mon) by raven667 (subscriber, #5198)
IMHO EFI mostly solves Windows problems, I fail to see which Linux problem is solved.
That's kind of amusing since AFAIK EFI has been mostly used for and presumably designed for booting UNIX systems, HPUX and then MacOSX, with Windows support being a distant afterthought.
Posted Sep 27, 2011 6:47 UTC (Tue) by ssmith32 (subscriber, #72404)
Mebroot or whatever name you use is the only one that has come out in _years_ ... but it is scary.
Mebroot was done in a fairly professional manner (with an update system, and even, I believe, a tracking system to let them trace crashes, etc), and then most likely sold on the underground market to other malware authors. And I believe the most common payload it delivers is bank account stealers, and it does well to stay under the radar (as in, it does a good job, and it's good that it does that - from the perspective of the bad guys, at least ;) ).
OTOH, most A/V vendors detect this (there are ways), and there are no signs this is a growing trend (no new malware is coming out and installing in the MBR).
In the end, MBR malware doesn't buy you that much more than a normal kernel-level rootkit. It's a little harder to deal with, but it can be dealt with. And it's gonna be much harder to write, and write well (even Mebroot hewed pretty closely to the eEye PoC, early on). Even Mebroot moved away from depending on the MBR as its only infection vector, I believe...
So I would say Microsoft's whole thing about doing it to block malware is a bunch of BS. There are no trends that indicate that this is a growing threat... the cost/benefit trade-off for malware authors going to the MBR is just not there. Keep in mind, you want your malware to spread, and (I think) MBR code can be fairly specific to some hardware at times...
Although, given that there is actual malware out there, it's not quite the smoke and mirrors as the blue pill was ;)
Yay! My first not so trollish post. I'm learning ;)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds