Garrett: UEFI secure booting

Mebroot or whatever name you use is the only one that has come out in _years_ ... but it is a scary.

Mebroot was done in a fairly professional manner (with an update system, and even, I believe, a tracking system to let them trace crashes, etc), and then most likely sold on the underground market to other malware authors. And I believe the most common payload it delivers is bank account stealers, and it does well to stay under the radar (as in, it does a good job, and it's good that it does that - from the perspective of the bad guys, at least ;) ).

OTOH, most A/V vendors detect this (there are ways), and there are no signs this is a growing trend (no new malware is coming out and installing in the MBR).

In the end, MBR malware doesn't buy you that much more than a normal kernel-level rootkit. It's a little harder to deal with, but it can be dealt with. And it's gonna be much harder to write, and write well (Even Mebroot hewed pretty closely to the eEye PoC, early on). Even Mebroot moved away from depending on the MBR as it's only infection vector, I believe..

So I would say Microsoft's whole thing about doing it to block malware is a bunch of BS. There are no trends that indicate that this is growing threat.. the cost/benefit trade off for malware authors going to the MBR is just not there. Keep in mind, you want your malware to spread, and (I think) MBR code can be fairly specific to some hardware at times..

Although, given that there is actual malware out there, it's not quite the smoke and mirrors as the blue pill was ;)

Yay! my first not so trollish post. I'm learning ;)