Giving Old Viruses the Boot


Further to my recent post on the venerable (but still out there) Slammer worm, we were asked recently about a real old-timer, a boot-sector infector called Stoned.Angelina. (Oddly enough, I think this was the last BSI reported to me when I was still doing occasional second-line AV support earlier in this decade.) How could such an elderly virus infect a protected system?

For those who may have missed out on this phase of virus pre-history, a BSI infects when a PC is booted with an infected floppy (remember those?) in drive A. (The floppy doesn’t have to be bootable.) Which is why we used to advise people to reconfigure their PC CMOS settings so that the system would boot by default off the hard disk even if there was a floppy disk present – when people made extensive use of the funny little things, it was surprisingly easy to forget there was one still in the floppy drive when you switched off the system.

From a detection point of view, the difficulty is that if the system isn’t initially booting from the hard disk, the infection has already taken place by the time a scanner gets a look-in, and, unfortunately, NT derived systems can present particular problems if a BSI does manage to infect the hard disk.

Because so many systems nowadays are floppy-free zones, we tend not to give much thought to the issue. However, there are clearly still vulnerable systems and infected diskettes out there. If this might apply to you, you might want to consider:

  • Checking the CMOS configuration on all systems (especially older ones) and fixing any that are still set to boot by default from drive A
  • Doing a little data housekeeping. Floppy disks aren’t the most reliable of media for very long-term storage, and you may want to transfer data that still need to be kept to a more resilient and less risky storage medium.
  • While you’re doing that housekeeping, you might want to take the opportunity to scan those disks with an up-to-date scanner. Certainly I have floppies around here that were probably last checked with scanners that don’t even exist any more.
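As an added worked example for the scanning step above (my own illustration, not code from the original post or from ESET), here is a small Python checker for the first sector of a raw floppy image. It parses the FAT12 BIOS Parameter Block, applies a few plausibility checks (boot signature, JMP opcode, bytes per sector, cluster size, media descriptor, geometry) and, more usefully, compares a SHA-256 of the boot code area against a baseline taken from a trusted disk, since a boot-sector infector replaces that code while a clean disk of the same type keeps it. The two sectors it examines are constructed in memory and labelled as such; the 1.44 MB geometry values are the standard FAT12 constants, and `scan_image` takes a hypothetical image path.

```python
"""Boot-sector sanity checker for FAT12 floppy images (added example, not ESET code)."""
import hashlib
import struct
from typing import Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
CODE_START = 0x3E   # first byte after the extended BPB on a DOS 4.0+ boot sector
CODE_END = 0x1FE    # the boot signature follows the code area
BPB_FORMAT = "<HBHBHHBHHHII"


def build_sample_boot_sector(code_fill: int = 0x90) -> bytes:
    """Construct a plausible 1.44 MB FAT12 boot sector.

    Constructed sample for the demo, not data from a real disk; the code area
    is filled with one byte so a 'tampered' variant can be made via code_fill.
    """
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"                  # JMP SHORT 0x3E ; NOP
    sector[3:11] = b"MSDOS5.0"                     # OEM name
    # BPB at offset 11: bytes/sector, sectors/cluster, reserved sectors,
    # FAT copies, root entries, total sectors, media descriptor, sectors/FAT,
    # sectors/track, heads, hidden sectors, large total sectors
    struct.pack_into(BPB_FORMAT, sector, 11,
                     512, 1, 1, 2, 224, 2880, 0xF0, 9, 18, 2, 0, 0)
    sector[36] = 0x00                              # BIOS drive number (floppy)
    sector[38] = 0x29                              # extended boot signature
    sector[43:54] = b"NO NAME    "                 # volume label
    sector[54:62] = b"FAT12   "                    # file-system type string
    for i in range(CODE_START, CODE_END):
        sector[i] = code_fill
    sector[CODE_END:] = BOOT_SIGNATURE
    return bytes(sector)


def parse_bpb(sector: bytes) -> dict:
    """Unpack the BIOS Parameter Block into named fields."""
    fields = struct.unpack_from(BPB_FORMAT, sector, 11)
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
             "fat_copies", "root_entries", "total_sectors", "media_descriptor",
             "sectors_per_fat", "sectors_per_track", "heads",
             "hidden_sectors", "large_total_sectors")
    return dict(zip(names, fields))


def code_area_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only; BPB, volume id and label legitimately vary per disk."""
    return hashlib.sha256(sector[CODE_START:CODE_END]).hexdigest()


def check_boot_sector(sector: bytes, baseline_hash: Optional[str] = None) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    if sector[CODE_END:] != BOOT_SIGNATURE:
        findings.append("boot signature 55 AA missing")
    if sector[0] not in (0xEB, 0xE9):
        findings.append(f"first byte {sector[0]:#04x} is not a JMP")
    bpb = parse_bpb(sector)
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append(f"implausible bytes/sector {bpb['bytes_per_sector']}")
    spc = bpb["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        findings.append(f"sectors/cluster {spc} is not a power of two")
    if bpb["media_descriptor"] != 0xF0 and bpb["media_descriptor"] < 0xF8:
        findings.append(f"unknown media descriptor {bpb['media_descriptor']:#04x}")
    geometry = bpb["sectors_per_track"] * bpb["heads"]
    if geometry == 0 or bpb["total_sectors"] % geometry:
        findings.append("total sectors do not match the stated geometry")
    if baseline_hash is not None and code_area_hash(sector) != baseline_hash:
        findings.append("boot code differs from the known-good baseline")
    return findings


def scan_image(path: str, baseline_hash: Optional[str] = None) -> list:
    """Check the first sector of a raw floppy image file (path is hypothetical)."""
    with open(path, "rb") as fh:
        return check_boot_sector(fh.read(SECTOR_SIZE), baseline_hash)


if __name__ == "__main__":
    clean = build_sample_boot_sector()
    baseline = code_area_hash(clean)                     # would come from a trusted disk
    tampered = build_sample_boot_sector(code_fill=0xCC)  # constructed: code area replaced
    print("clean   :", check_boot_sector(clean, baseline))
    print("tampered:", check_boot_sector(tampered, baseline))
```

The plausibility checks only catch crude corruption; the baseline comparison is the check that matters, because an infector that wants the disk to stay readable has every reason to keep the BPB intact and change nothing but the code. Keep one baseline per disk type (a 720 KB disk and a 1.44 MB disk formatted by the same DOS version will not share code bytes), and treat a mismatch as a reason to scan the whole disk with a current scanner, not as a verdict on its own.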

David Harley
Research Author
ESET LLC


  • http://anti-virus-rants.blogspot.com kurt wismer

    “How could such an elderly virus infect a protected system?”

    simple – old viruses never die, they just become too rare to measure their prevalence accurately…

  • Derek W

    Dave, good article. Actually, some BIOSes now have a switch for “OS Install” that won’t allow updates to the boot block area unless it’s set to “Enable”.

  • Johnson

    People should learn how to protect themselves. Depending too much on AV is not a good thing. I often see many famous AVs, even all AVs, miss some threats, but there are many people who think it’s a false positive. Also, many AVs detecting some files as threats doesn’t mean these files are real threats; maybe they are false positives.

  • http://www.smallblue-greenworld.co.uk David

    I agree that AV does tend to encourage a “culture of dependence”: many people have a tendency to assume that their AV will protect them from everything, even their own careless or reckless actions. Even advanced behaviour analysis doesn’t give a scanner 100% detection. No-one wants to turn every computer user into a security expert, but people need to take some responsibility for their own actions.

    I’m not sure I understand your second point. Technically, if a product misses a threat, that’s a false negative, not a false positive. If you mean that people have absolute but inappropriate trust that a file not flagged as malicious must therefore be innocent, yes, that does happen, and it’s unfortunate. If a program looks suspicious but isn’t flagged by your scanner, it’s always worth thinking twice and investigating further. Like other AV companies, we have an address to which possible malware samples can be submitted: see http://www.eset.com/company/contact.php.

    As to your third point, it’s true that any company can misdiagnose an innocent object as infected from time to time. It’s unpleasant for the customer and bad PR for the company when it happens, but given the complexity of an advanced scanning engine, it’s remarkable that it doesn’t happen more often. The fact that it doesn’t is, in my unbiased opinion :), something of a tribute to the determination of AV development teams to ensure it happens as little as possible.

  • Johnson

    David, I don’t know if you analyzed the sample which ESS detects as Win32/KillDisk.NAE; it faked a virus removal tool to kill the MBR. When I found the sample, I uploaded it to VirusTotal, and no AV could detect it. I sent it to some AV vendors (e.g. Kaspersky), but they think it’s clean, only because it faked a virus removal tool? When some people sent it to Kaspersky some more times, Kaspersky thought it was a threat, but soon Kaspersky removed the detection; they think it’s a false positive. When some people sent it to Kaspersky again, they renamed the sample. Wow, what an interesting thing! I only want to say people shouldn’t trust AV vendors blindly.

  • mudes

    My Windows has been infected by a virus. Usually the virus makes a new folder named 10.1.08.exe. Help me please…

  • http://www.smallblue-greenworld.co.uk David

    mudes,

    There’s a Trojan called Senna that sometimes creates a file of that name, I believe. If you’re an ESET customer you’ll get better help than I can offer at http://www.eset.com/support but if not, you might want to try our online scanner at http://www.eset.com/onlinescan/.

  • http://www.smallblue-greenworld.co.uk David

    Johnson,

    It’s a long time since I analysed a sample myself, long before I joined ESET, and I don’t know anything about this malware, but I’ll see if I can find out more. There’s a KillDisk program I’ve seen references to that seems to have been described as a utility -and- as a Trojan. Not sure if it’s related: if it is, that might explain Kaspersky’s being unsure whether it’s malicious or a false positive.

  • Johnson

    Today all AV vendors are not only against zero-day attacks, but also against zero-hour attacks. I can find many new variants of Zlob, DNSChange, Swizzor, banking trojans, Virtumonde and other threats every hour; when AV vendors receive them, they have new variants, and these threats can bypass many AV vendors’ heuristics. Does it mean AV is dead? As I know, some AV vendors have a new technology, cloud computing, to fight them; the new technology has a faster response time. David, do you know if ESET can add the new technology? If it adds it, when will ESET add it? Thanks.

  • http://www.smallblue-greenworld.co.uk David

    You’re right: what we sometimes call the glut problem dominates today’s malware scene, and makes it impossible for a scanner reliant solely on detection of known malware to offer effective protection. And yes, some malware does bypass heuristic analysis: in fact, some malware authors go to some lengths to tweak their creations until specific scanners no longer detect them. That doesn’t mean anti-virus is dead: it means that you can’t rely on it to catch every new threat. But that’s always been the case. That’s why we advocate multi-layered defensive strategies. But end users need to be aware of the risks and be reasonably cautious themselves: the worst thing they can do is assume that they can click on anything because they have AV. There are no 100% solutions.

    I know that at least one vendor is marketing cloud computing heavily, but the way I read their press releases, they’re talking about what is essentially still signature detection but moved off the customers’ systems and into “the cloud”: I’m not convinced that this will result in appreciably faster response times to new threats so much as reduce processing time and use of resources on the customers’ systems. Which is a good thing, but I’m not sure it should be presented as a solution to the glut problem. I don’t know if our development team is planning to go in this direction, but I’m sure they’ve looked at it. I will ask.

  • Johnson

    Yes, many people think their AV can offer them 100% protection, so they can do everything, but I often see many hackers use exploits to attack some large websites, and these users may be infected quietly. The worst thing is they can’t even find out that they have been controlled by hackers, and the hackers can send many threats to these infected PCs. I tried ESET SysInspector; I think it’s very useful, as it can show suspicious programs/files.
    As I know, Panda, McAfee and Trend Micro have “cloud computing” technology, but they only have beta versions. To me, now “cloud computing” only means collecting whitelists, but I think it will be very strong in the future :-)

  • http://www.smallblue-greenworld.co.uk David

    I don’t think cloud computing is specific to whitelisting. In fact, Trend’s solution looks very much like pattern detection to me. Besides, the expression is used a lot outside the AV industry. You’re right that a lot of malware is now web-hosted, and often includes the ability to exploit vulnerabilities. However, where the exploits don’t work, they have social engineering to fall back on.

  • Johnson

    David, I have a question about the priority of threat analysis. I understand why ESET has a priority for analyzing threats, but I can’t understand why, when customers send virus samples to you, you still apply the priority. As customers, we only hope that when I send undetected samples to an AV vendor, they can solve them very fast. As I know, when you send many virus samples to some AV vendors in a short time, they can add you to a blacklist, or even regard you as a virus collector, and they won’t give you a reply or solve the undetected samples fast. In fact, there are many new threats every day. I’m interested in how you analyze the threats that are sent by customers or virus authors.

  • http://www.smallblue-greenworld.co.uk David

    I can’t answer your question talking specifically about ESET at the moment, as I’m not involved with the sample submission process and simply don’t know the details about the filtering process. (Actually, you shouldn’t regard me as a sort of official spokesman for the company anyway: that’s not in my remit.)

    As regards the prioritization issue generally, it’s one that causes the industry some headaches. Again, it’s about glut: vendors get very many samples from many different sources, and the average virus lab has to introduce a degree of automation into the acquisition and filtering processes in order to cope at all. Submissions from customers are important for more than one reason, but the best interests of the customer are best served by prioritizing the most urgent threats. Those may be seen first coming from almost -any- source, so I wouldn’t expect the fact that a submission comes from a customer to override all other criteria. It’s a matter of balancing competing priorities.

    As we seem to have strayed rather far from the original topic of the blog, I’m going to mail you privately, so that if you have any further questions, you can contact me directly. :)

  • masood dadar

    Hello,
    I would like to send you some viruses for analysis. How can I send them to you? Please guide me on the address and the sending form.
    Thank you.

    • Randy Abrams

      To submit samples to ESET, put the files in a zip or rar file and password protect it with the word “infected”. Use all lower case and do not include the quote marks (“).
      Best Regards,

      Randy Abrams
      Director of Technical Education
