I don't have an MBR. Will these cretins consider supporting GUID partition table / UEFI in their next release?
Classic Shell, Audacity downloads infected with retro MBR nuke nasty
Classic Shell and Audacity downloads were booby-trapped this week with an old-school software nasty that knackered victims' Windows PCs. Hackers were able to inject some retro-malware into the popular applications' installers hosted on fosshub.com, an official home for Classic Shell and Audacity releases among other software …
COMMENTS
Thursday 4th August 2016 15:46 GMT Hans 1
>Careful what you wish for, overwriting efivars on the MB could brick your computer in the kind of way which can't be rescued with any boot disk.
Upvoted, but, Windows Cleaner and Surface Experts do not understand that downloading something from some rogue website and installing it is insecure. They do not know what MBR is, or EFI for that matter ... else they would have jumped to Linux/FreeBSD/AnythingButRedmond a long time ago.
In short, you are wasting your time with these n00bs.
Thursday 4th August 2016 16:06 GMT Anonymous Coward
Re: UEFI affected as well
"This particular malware was very new and detected only by AVG and Kaspersky as a generic threat."
Which in my opinion only goes to show you of what poor quality most virus scanners actually are. I'm not talking about detection here but prevention. Surely it's not that hard to intercept disk writes to the boot sector and partition table and ask the user for approval first?
Thursday 4th August 2016 18:43 GMT Ken Hagan
Re: UEFI affected as well
"Surely it's not that hard to intercept disk writes to the boot sector and partition table and ask the user for approval first?"
I had a BIOS that did that, about twenty years ago, so it's not that hard. However, I haven't had a similar warning anytime recently, so apparently it isn't something that modern BIOSes bother with.
Thursday 4th August 2016 03:34 GMT Kanhef
UAC limitation
A lot of FOSS isn't signed – many developers don't seem to want to bother with the hassle – so the warning isn't too unusual. The only way it would have prevented an infection is if someone had installed the program enough times to notice that it's usually signed, but this time it wasn't.
Thursday 4th August 2016 06:36 GMT frank ly
A good example
"We did not have the right safeguards in place, namely, to monitor external files. We clearly have not been vigilant enough. Over the next few weeks we will be working to become a safer, more secure organization."
Admit you made mistakes, recognise your shortcomings and work like heck to put them right. It's a refreshing change and I hope it starts a trend.
Thursday 4th August 2016 07:17 GMT wolfetone
The problem with that pop up window is that people who know about computers will know it's a pain in the ass, but they'll have gotten their software from a trusted source.
People with no idea about computers will click OK to anything because they know that's the only way to install the thing they downloaded.
There is no patch for human stupidity, but there may be a way to alter their MBR?
Thursday 4th August 2016 15:55 GMT Hans 1
>There is no patch for human stupidity, but there may be a way to alter their MBR?
Hey, you, get off your high horses for a second ... these are ordinary citizens who were force-fed Windows X^3 and who really want their Win7 back, hence they revert to downloading some software from some rogue website .... ALLL BECAUSE FSCK'ING REDMOND DECIDED TO DO AWAY WITH WHAT EVERYBODY WAS ACCUSTOMED TO SINCE 1995 .... and failed to recognize their error when Windows 8.x tanked .... they are not asking a lot, just an option to revert to "sensible Windows", whatever that means ....
Friday 5th August 2016 06:44 GMT wolfetone
"Hey, you, get off your high horses for a second ... these are ordinary citizens who were force-fed Windows X^3 and who really want their Win7 back, hence they revert to downloading some software from some rogue website .... ALLL BECAUSE FSCK'ING REDMOND DECIDED TO DO AWAY WITH WHAT EVERYBODY WAS ACCUSTOMED TO SINCE 1995 .... and failed to recognize their error when Windows 8.x tanked .... they are not asking a lot, just an option to revert to "sensible Windows", whatever that means ...."
But Windows 7 has the same stupid notification bullshit that allows this problem to carry on.
Thursday 4th August 2016 17:05 GMT Nolveys
The problem with the popup window is that users have to click on such windows _all_ _the_ _time_ and that the message is completely non-specific. A message such as:
"This software wishes to:
- install itself for all users to use
- add itself as a service
- hook into explorer.exe
- hook into winlogin
- perform low-level disk modifications
Do you wish to continue?"
Would help immensely. Of course this would require some sort of capabilities-based privilege elevation and associated API.
Thursday 4th August 2016 18:52 GMT Ken Hagan
On paper, MSIEXEC could do all of that. The MSI file that you feed it could be just data and the operations that it requests on its behalf could be sanity checked and classified for end-user (well, Administrator) approval.
In practice, MSIEXEC lets you do anything that can be written as an MSI and MSI files can contain custom DLLs that do anything you want as the running user. To add insult to injury, there's an instance of MSIEXEC that runs as SYSTEM, in case Administrator isn't sufficiently god-like.
All this has been true since MSI debuted almost (?) 20 years ago. MS has never felt it necessary to add these features. There *may* be an option, buried deep inside some Group Policy template, to disable custom actions. Or there may not. Since it isn't enabled, or advertised, by default it hardly matters whether it exists or not.
Tl;dr: the Windows Installer is utter, utter loathsome crap.
Friday 5th August 2016 07:01 GMT Anonymous Coward
>In practice, MSIEXEC lets you do anything that can be written as an MSI and MSI files can contain custom DLLs that do anything you want as the running user. To add insult to injury, there's an instance of MSIEXEC that runs as SYSTEM, in case Administrator isn't sufficiently god-like.
You mean like running a program as root on Linux?
Thursday 4th August 2016 08:23 GMT Tony W
Would this be detected on check?
As others have pointed out, quite a lot of legitimate sw produces unknown publisher warning. I scan all exe and zip downloads before running though. I also use Scotty that detects changes to startup programs. Am I just getting a false sense of security by doing this?
Thursday 4th August 2016 10:19 GMT phuzz
Re: Would this be detected on check?
A virus scanner is unlikely to pick up a brand new threat (although I assume this one is in the databases of most virus scanners by now), so that probably wouldn't have helped you.
Also, a change to the MBR is 'before' any OS is loaded, or startup programs, so monitoring here wouldn't have helped either (assuming this malware just altered the MBR and didn't install its own startup program).
What would keep you safe from this is enabling (the much reviled in anti-Microsoft circles) SecureBoot, which checks that the bootcode is cryptographically signed. Or simply just using a GPT boot block, rather than MBR.
tl/dr: no, your current defences would probably not have helped defend against this specific malware.
Thursday 4th August 2016 13:44 GMT Pascal Monett
Re: Also, a change to the MBR is 'before' any OS is loaded
I don't think so. The MBR was changed by the execution of the nasty. Besides, if no OS is loaded, how can any change be made? Something has to run the code that makes the change.
Why this MBR rewrite could fly under the AV radar is beyond me. Is the MBR being regularly rewritten by the OS all day? Don't think so. So why does MBR access not trigger a humongous red screen with nukular* blast in the background and big white lettering saying "HEY, SOMEBODY WANTS TO RECONFIGURE YOUR DISKS - ARE YOU SURE???" and a nice red button with "FUCK NO" written on it to abort.
But no, apparently any piece of code can just go and write to the MBR. No problem here, no sir, carry on while I slow the Internet down with all the Flash checking I have to do...
* yes, I did write nukular on purpose
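The question above (is the MBR ever legitimately rewritten, and why does nobody notice when it is) is the kind of thing a baseline check can answer. This is an added example, not code from the article or from any commenter: it validates a 512-byte MBR image, then diffs the boot code, disk signature and partition table separately against a saved baseline, so a bootcode overwrite is distinguishable from a normal repartition. All layout offsets follow the classic MBR format; the sample sector images are constructed here and do not come from a real disk.

```python
import hashlib
import struct

# Classic MBR layout: boot code in bytes 0..439, 4-byte disk signature at 440,
# four 16-byte partition entries from 446, and the 0x55AA boot signature at 510.
PART_TABLE_OFF = 446
SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Validate a 512-byte MBR image and split it into boot code, disk signature and partition table."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = [struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i) for i in range(4)]
    return {
        "bootcode_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": [{"bootable": s == 0x80, "type": t, "lba_start": lba, "sectors": n}
                       for s, t, lba, n in parts],
    }

def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Report which MBR regions changed; a wiped sector is reported as invalid rather than diffed."""
    b = parse_mbr(baseline)
    try:
        c = parse_mbr(current)
    except ValueError as exc:
        return [f"INVALID_MBR: {exc}"]
    findings = []
    if b["bootcode_sha256"] != c["bootcode_sha256"]:
        findings.append("BOOTCODE_MODIFIED")         # the region a boot-sector overwrite hits
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("DISK_SIGNATURE_MODIFIED")
    if b["partitions"] != c["partitions"]:
        findings.append("PARTITION_TABLE_MODIFIED")  # expected after a legitimate repartition
    return findings

def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample image (not a real disk): one bootable NTFS-type (0x07) partition."""
    sector = bytearray(512)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, 440, 0x1234ABCD)
    struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = SIGNATURE
    return bytes(sector)

BASELINE = build_sample_mbr(b"\xEB\x63\x90")      # constructed known-good boot sector recorded earlier
TAMPERED = build_sample_mbr(b"\xB8\x00\x00\x90")  # constructed: boot code replaced, partition table untouched
```

On a real system the baseline would be taken from the first sector of the boot disk at a known-good time and the comparison scheduled or run at boot; `diff_mbr(BASELINE, TAMPERED)` returns `['BOOTCODE_MODIFIED']`, while an all-zero sector is reported as `INVALID_MBR`.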
Thursday 4th August 2016 15:14 GMT Jim Mitchell
Re: Also, a change to the MBR is 'before' any OS is loaded
@ Pascal Monett
Even without AV, the OS should block this. Windows UAC will query for writes to system files, but I can blow away the MBR without any question? On a related note, I was surprised when the BIOS update program from the manufacturer ran fine without Windows asking for user approval of any kind.
Friday 5th August 2016 10:24 GMT phuzz
Re: Also, a change to the MBR is 'before' any OS is loaded
I assume that the malware did bring up a UAC prompt, but as the users thought they were installing legitimate software they clicked it without noticing that it was unsigned.
I have seen BIOSes which block any writes to the MBR, but of course you have to turn this off before you install an OS, and remember to turn it on later. I've not seen it in a BIOS for a few years now.
Friday 5th August 2016 20:05 GMT jelabarre59
Re: Would this be detected on check?
What would keep you safe from this is enabling (the much reviled in anti-Microsoft circles) SecureBoot, which checks that the bootcode is cryptographically signed. Or simply just using a GPT boot block, rather than MBR.
SecureBoot is not reviled because it checks your boot process. It's reviled because Microsoft have appointed themselves God And Holy Gatekeeper of SecureBoot, allowing no others control over it. Properly done, you should be able to register your OWN keys into its index when you install a new OS. But MS are doing everything possible (and I didn't even say everything "legal") to make sure it stays that way.
Thursday 4th August 2016 09:30 GMT yossarianuk
More reason to use Linux
Installing Audacity on Linux is generally done via a centralised package manager where it is far far far harder for an attacker to upload a malware version - you are much safer than finding the same software on Windows.
Open source on Windows involves visiting random sites, which often have about 20 different download links (most are not real download buttons but just a link to another random advert).