Comments on: Urban Myth in the Making
http://www.welivesecurity.com/2011/08/07/urban-myth-in-the-making/
News, Views, and Insight from the ESET Security Community
Feed last updated: Mon, 03 Feb 2014 08:49:00 +0000

By: David Harley (Tue, 09 Aug 2011 13:30:46 +0000)
http://www.welivesecurity.com/2011/08/07/urban-myth-in-the-making/#comment-3511
:-D
By: jim02 (Tue, 09 Aug 2011 13:29:19 +0000)
http://www.welivesecurity.com/2011/08/07/urban-myth-in-the-making/#comment-3510
Ok, that makes sense. I was just looking for an easy way out. :)
By: David Harley (Tue, 09 Aug 2011 08:57:47 +0000)
http://www.welivesecurity.com/2011/08/07/urban-myth-in-the-making/#comment-3509
You can, in principle, use specialist tools to examine the boot sector to look for strings in the same way that first generation AV did, but early boot sector viruses were much more simplistic and consistent between samples than TDL: and that approach would not be effective for detection across a range of samples and variants. Concealment is less a matter of moving the MBR than of misdirecting utilities so that they don't see what they "think" they're seeing. In fact, many early BSVs did the same thing, though with different mechanisms. The kind of hooks and patches that rootkits use are analogous forms of misdirection.
By: jim02 (Mon, 08 Aug 2011 20:34:10 +0000)
http://www.welivesecurity.com/2011/08/07/urban-myth-in-the-making/#comment-3508
No, I'm sure removal is more difficult than that. I just wondered if it was possible to use a tool like Dimio's "HDHacker" on Windows, or "sudo cat /dev/sdaX" on Linux (or any hex editor with raw disk access to the boot sector), and examine the contents of the MBR for certain bits or strings that TDL puts in the MBR that wouldn't normally be there. I'd show you a screenshot of what I mean, but I'm not allowed to post links. :)

How does it conceal the MBR? Isn't the MBR always in sector 0? I glanced through the whitepaper, but maybe I need to read it a little more…
By: David Harley (Mon, 08 Aug 2011 09:11:25 +0000)
http://www.welivesecurity.com/2011/08/07/urban-myth-in-the-making/#comment-3507
We're not sure what you mean by "visual inspection". If you mean by not using any dedicated tools, then it's not possible to remove the bootkit that way, since TDL conceals the infected MBR and prevents it from being overwritten.
By: jim02 (Sun, 07 Aug 2011 20:17:24 +0000)
http://www.welivesecurity.com/2011/08/07/urban-myth-in-the-making/#comment-3506
From "indestructible botnet" to "undetectable virus." I blame Golovanov and Stewart, along with the media, which has twisted something ridiculous into something even worse.

While you're on the subject of TDL, I don't suppose you have a picture of what the data in an infected MBR looks like? Are there any telltale strings added to or removed from the original MBR, or anything similar that could give the bootkit away just by a visual inspection? Just curious.