Wednesday, March 05, 2008

mebroot shouldn't be so scary

there's been a lot of attention paid to mikko hypponen's statement that “You can’t execute any earlier than that” in reference to the execution of the MBR of a mebroot (that bootroot derivative i previously posted about) afflicted system...

the news media must love that sound bite - it sounds scary, doesn't it? after all, as i said for years in usenet (and fidonet before that), the code that runs first wins - and clearly the MBR runs first... but if you remember back far enough then you'll remember that this is pretty much the same problem we had with the entire class of malware known as boot sector viruses (most of which infected the MBR)...

how did we manage to circumvent that little problem? simple, we booted from known-clean external media (back then it was a floppy, but now it would probably be a cd or some other mass storage medium that can house tools for fixing a windows machine)... as such, we had trusted code executing not before the bad code but instead of it... not really difficult, just a little obscure by today's standards (though still something people should know how to do, even in the absence of mebroot, since old viruses never die)...
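as an added illustration of the "trusted code instead of the bad code" approach (not code from the original post): once you've booted from clean media, the MBR is just 512 bytes you can read and compare against a baseline you recorded while the machine was known clean. the partition-table layout and the 0x55AA signature are the standard MBR format; the sample images and the baseline hash are constructed here, not taken from any real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the boot code; 440..443 are the disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into a boot-code hash and its partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4), little-endian
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}

def check_mbr(mbr: bytes, trusted_boot_code_sha256: str, trusted_partitions: list) -> list:
    """Compare an MBR read from clean boot media against a baseline captured while the
    system was known clean. Returns a list of findings; an empty list means it matches."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != trusted_boot_code_sha256:
        findings.append("boot code does not match trusted baseline")
    if info["partitions"] != trusted_partitions:
        findings.append("partition table does not match trusted baseline")
    return findings

# --- constructed sample data (not a real disk image) ---
def _build_mbr(boot_code: bytes) -> bytes:
    # one bootable NTFS-type (0x07) partition starting at LBA 2048, three empty slots
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48
    return boot_code.ljust(BOOT_CODE_LEN, b"\x90") + b"\x12\x34\x56\x78" + b"\x00\x00" + table + BOOT_SIGNATURE

CLEAN_MBR = _build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")    # stand-in for the original loader
BASELINE = parse_mbr(CLEAN_MBR)                                 # recorded while the system was known clean
MODIFIED_MBR = _build_mbr(b"\xeb\x58\x90" + b"\xcc" * 5)        # same layout, different boot code

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, BASELINE["boot_code_sha256"], BASELINE["partitions"]))
    print(check_mbr(MODIFIED_MBR, BASELINE["boot_code_sha256"], BASELINE["partitions"]))
```

on a real recovery boot the 512 bytes would come from the first sector of the suspect disk rather than from `_build_mbr`; the check only means something if the baseline was taken before the infection, which is why recording it on a known-clean system matters.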

1 comments:

Vess said...

I always recommend BartPE to people for making a bootable CD-ROM with various recovery tools. The page below points to it and other similar things:

http://en.wikipedia.org/wiki/BartPE