Tuesday, March 25, 2008

Master Boot Record Malware Becoming More Stealthy

Your hard disk's Master Boot Record (MBR) is the first thing that gets loaded when you start your computer, even before the operating system. What if you could change the MBR to load your very own special program? That would make your program the 'most powerful' on your computer, giving your program access to all sorts of potentially interesting things.

MBR malware has been around for a while, and has surfaced again. Check out the McAfee folks' analysis of the latest version of an MBR malware: http://www.avertlabs.com/research/blog/index.php/2008/03/23/exploring-stealthmbr-defenses/ .

One of the interesting things is that the malware is self-aware: the program monitors itself, and if it is stopped, it restarts (and re-infects) the computer.

Malware writers are getting a bit clever.
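Since the MBR is just the first 512 bytes of the disk, the defender-side check is to parse that sector and compare its boot-code region against a hash recorded when the machine was known clean. The following is an added example (not code from this post or from the McAfee analysis); the sector layout is the standard one, and the sample sectors, boot stub bytes and the "tampered" change are constructed for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0-445 hold the boot loader code the BIOS jumps into
PART_TABLE_OFFSET = 446         # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510-511 must be 0x55 0xAA for the BIOS to boot it

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot code, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_SIZE], "partitions": partitions,
            "signature": sector[510:512]}

def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; partition-table edits do not change it."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()

def check_mbr(sector: bytes, baseline_hash: str) -> dict:
    """Defender check: valid boot signature, and boot code unchanged since the baseline."""
    info = parse_mbr(sector)
    return {"signature_ok": info["signature"] == BOOT_SIGNATURE,
            "boot_code_changed": boot_code_hash(sector) != baseline_hash,
            "partitions": info["partitions"]}

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector (not a real disk image): one bootable NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # active, type 0x07, 100 MiB
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Constructed stand-in for a known-good boot stub: xor ax,ax / mov ss,ax / mov sp,0x7c00
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
BASELINE = boot_code_hash(CLEAN_MBR)   # record this while the machine is known clean
# Constructed "modified" sector: two extra bytes placed ahead of the original stub
TAMPERED_MBR = build_sample_mbr(b"\xeb\x10" + CLEAN_BOOT_CODE)
```

On a real machine you would read the first 512 bytes of the boot disk into `sector` and compare against a baseline hash stored off the machine, since malware that owns the MBR can also tamper with anything stored locally.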

Monday, March 17, 2008

A Zero-Day Spam Attack

There was a sudden increase in spam that got through the filter over the weekend. Since most spam detection is 'reactive', relying on a database (or signatures) of 'known spam', a new spam campaign will likely get through your spam filter for a day or two.

Since those messages were short (pun not intended), a dictionary-based blocking wouldn't work. Only when the spam databases get updated with the latest attack will the spam be blocked.

So the various users got a bit excitable this morning as they saw a few more spam messages in their email inbox than they usually see.

Although if you use Gmail, you might not have noticed the spam attack. Gmail seems to be very effective in blocking spam. I suspect it's because there is user involvement via the 'report spam' button. There are so many Gmail users that there are a lot of people reporting spam.

I suspect that Gmail proactively removes spam from your inbox. For instance, a zero-day spam attack might get some spam into your regular "in" folder. But as people report messages as spam, I suspect that the Gmail guys actually dynamically remove the spam from your in folder and stick it in the spam folder.

Preventing zero-day spam attacks is much like dealing with the risk of a zero-day virus attack. A new virus might get through your virus detection until the anti-virus vendors update their detection. So relying on one layer of protection is not enough.

I suspect that these 'zero-day' attacks will become more prevalent in the future as the more organized spam cartels get better at bypassing spam filters.

Friday, March 14, 2008

Web Defacement and Password Stealing

The TrendMicro folks (anti-malware vendor) got hit by a web site defacement. But they weren't the only ones. There are hundreds of thousands of sites that will try to install password-stealing software on your computer. (One story here: http://www.infoworld.com/article/08/03/13/Password-stealing-hackers-infect-thousands-of-Web-pages_1.html ).

And the Internet Storm Center (http://isc.sans.org/diary.html?storyid=4139 ) has a related report on the problem.

The attack seems to come, as usual, with a web site (usually an 'adult' site) that asks you to install some software to view a video. Or the site may try to tell you to install some software to scan your computer for viruses.

One example of the attack is shown in a video on McAfee's site (http://www.avertlabs.com/research/blog/index.php/2008/03/13/follow-up-to-yesterdays-mass-hack-attack/ ). Interesting short video that shows how the attack works.

The protection? The usual "safe computing practices" we've previously discussed. Current anti-virus, don't install software/add-ins just because a web page asks you to, current operating system and other software patches, etc, etc.

And it's not just Windows-based systems. The operating system is not the only vulnerability; all your software needs to be kept current.

Be careful out there.