Bootkits, Cmos, MBR and Router: how to detect changes and repair them?

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
How do you protect your system from bootkits, i.e. from malware that infects the BIOS (CMOS/BIOS) or the MBR? Do you know any software that is able to detect changes and to back up the BIOS and MBR? Is Sbabr still a valid program?
 

nsm0220

Level 21
Verified
Sep 9, 2013
1,054
> How do you protect your system from bootkits, i.e. from malware that infects the BIOS (CMOS/BIOS) or the MBR? Do you know any software that is able to detect changes and to back up the BIOS and MBR? Is Sbabr still a valid program?

I know that good BBs like GData and a few others can stop rootkits in their tracks, and if you get rootkited, use the Dr.Web boot CD or HitmanPro to remove the rootkit and fix any drivers that were changed by that rootkit. You can use a sandbox like Sandboxie to monitor the rootkit safely.
 

Deleted member 178

If you are infected at this point, using tools will not help much:

In the case of a BIOS kit, flash the BIOS right away; nothing else can be done. Deep format/wipe your drive and reinstall your OS. Faster and safer than using tools that may not clean your machine 100%.
 

Solarquest

If a malware "just" infects/encrypts the MBR, is it possible to overwrite it with a clean MBR copy (made with the tools suggested by MrBrian) and be sure the MBR is clean again?
If the BIOS was flashed by malware, can you detect it somehow (BIOS date, comparing the old with the new BIOS if possible...)?
If you flash the BIOS with a clean one, the infected one cannot "survive" in the BIOS (of course with the following low-level format), correct? Thanks
 

MrBrian

New Member
May 25, 2014
14
> If a malware "just" infects/encrypts the MBR, is it possible to overwrite it with a clean MBR copy (made with the tools suggested by MrBrian) and be sure the MBR is clean again?

Yes, if you do it from a clean alternate operating system and the malware isn't active. Imaging programs may back up the MBR. Macrium Reflect, for example, gives you the option to restore the MBR from a backup when restoring an image.

Malware that can survive BIOS re-flashing
 

Solarquest

Booting from a clean rescue disk to clean/restore the MBR is an option too, isn't it? Thanks
Apparently Norton Ghost offers an option to save/recover the MBR too. Thanks again!
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
Hmm, I prefer to use MBR check tools ONLY, not to restore the MBR.
If you restore your MBR, you lose your personal partitioning of your hard drive. Beware. Be aware.

I mostly use the tools from this topic: MBR check tools: http://malwaretips.com/threads/mbr-check-tools.5458/

Thank you, don't mess with the MBR restore!

(if you have made new partitions on your hard drive...)

... I already wrote about it in another topic:
'But always with similar tools, pay attention to the 'FixMBR' button: if you fix, then your disk partitioning returns to the primary, previous state of your PC, before your partitioning, and you lose the new partition you made! If you made this new partition.'
 

Aura

Level 20
Verified
Jul 29, 2014
966
>Flash your BIOS or update it (as updating a BIOS includes flashing it most of the time)
>MBR Rootkit -> bootrec /fixboot | bootrec /fixmbr
>BootKit: Use a Live Rescue Environment

A little bit rusty on that too. It's been a while since I dealt with these.
 

MrBrian

> Booting from a clean rescue disk to clean/restore the MBR is an option too, isn't it?

Yes.

I occasionally use MBRtool on Ultimate Boot CD for DOS to compare the current MBR with the backup MBR. If they differ, I would probably restore a Macrium Reflect image, including the MBR.

@frogboy: You're welcome :).
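The "compare the current MBR with a backup" check described above, and the warning earlier in the thread that a blanket MBR restore can wipe out partitions created after the backup, both come down to the layout of the first sector. The script below is an added example, not a tool from this thread: it fingerprints the bootstrap code (bytes 0-439), the NT disk signature (440-443) and the partition table (446-509) separately, reports which region changed, and restores only the bootstrap code from a saved baseline so the current partition table survives. The layout offsets are the standard PC MBR layout; the sample MBRs, the fill bytes and the helper names are constructed for the demo. Reading a real device (`/dev/sda` on Linux, `\\.\PhysicalDrive0` on Windows) needs root/administrator and should be done from a clean rescue environment, as the thread recommends, never from the suspect OS.

```python
"""Added example: fingerprint a 512-byte MBR region by region, diff it against
a saved baseline and restore only the bootstrap code. Not from the original
thread; offsets are the standard PC MBR layout, test data is constructed."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_END = 440     # bytes 0..439: bootstrap code (what an MBR bootkit overwrites)
DISKSIG_OFF = 440      # bytes 440..443: NT disk signature, 444..445 reserved
PT_OFF = 446           # bytes 446..509: four 16-byte partition entries
SIG_OFF = 510          # bytes 510..511: 0x55 0xAA boot signature


def read_mbr(device_path):
    """Read the first sector of a block device or raw image
    (e.g. /dev/sda or \\\\.\\PhysicalDrive0; needs root/admin)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR)


def validate(mbr):
    if len(mbr) != SECTOR:
        raise ValueError("expected %d bytes, got %d" % (SECTOR, len(mbr)))
    if mbr[SIG_OFF:] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")


def parse_partitions(mbr):
    """Decode the four primary partition entries; CHS fields are skipped."""
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PT_OFF + i * 16)
        if ptype != 0:                       # type 0 = empty slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba_start,
                          "sectors": sectors})
    return parts


def fingerprint(mbr):
    """Hash each region separately so a bootcode change is not confused
    with a legitimate partition-table edit (or vice versa)."""
    validate(mbr)
    return {
        "bootcode": hashlib.sha256(mbr[:BOOTCODE_END]).hexdigest(),
        "disk_signature": mbr[DISKSIG_OFF:DISKSIG_OFF + 4].hex(),
        "partition_table": hashlib.sha256(mbr[PT_OFF:SIG_OFF]).hexdigest(),
    }


def diff(baseline, current):
    """Return the names of the MBR regions that differ from the baseline."""
    b, c = fingerprint(baseline), fingerprint(current)
    return [k for k in b if b[k] != c[k]]


def restore_bootcode(current, baseline):
    """Put the baseline's bootstrap code back but keep the CURRENT disk
    signature and partition table, so partitions created after the backup
    was taken are not lost. The result still has to be written back to
    sector 0 from a clean environment."""
    validate(current)
    validate(baseline)
    return baseline[:BOOTCODE_END] + current[BOOTCODE_END:]


def build_sample_mbr(code_fill, partitions):
    """Constructed test data: fake bootcode plus a partition table.
    partitions = [(bootable, type, lba_start, sector_count), ...]"""
    mbr = bytearray(SECTOR)
    mbr[:BOOTCODE_END] = bytes([code_fill]) * BOOTCODE_END
    mbr[DISKSIG_OFF:DISKSIG_OFF + 4] = b"\x12\x34\x56\x78"
    for i, (bootable, ptype, start, size) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", mbr, PT_OFF + i * 16,
                         0x80 if bootable else 0, ptype, start, size)
    mbr[SIG_OFF:] = b"\x55\xAA"
    return bytes(mbr)


if __name__ == "__main__":
    clean = build_sample_mbr(0x90, [(True, 0x07, 2048, 1000000)])
    # Simulate a bootkit: bootcode replaced, partition table untouched.
    infected = bytes([0xEB]) * BOOTCODE_END + clean[BOOTCODE_END:]
    print("changed regions:", diff(clean, infected))
    repaired = restore_bootcode(infected, clean)
    print("repaired == clean:", repaired == clean)
    print("partitions:", parse_partitions(repaired))
```

Save `fingerprint(read_mbr(...))` as JSON right after a clean install and re-run the diff from the rescue disk whenever you suspect something; a change in `bootcode` alone is the classic MBR-bootkit signature, while a change only in `partition_table` is usually your own repartitioning and is exactly the data a blind "FixMBR" would throw away.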
 

Solarquest

Thank you! I asked out of theoretical curiosity, to prepare for the worst-case scenario... I hope I'll never have to use it, but since I prefer to "prevent rather than cure" and to "limit the damage", it's best to be "ready" :)

Is it possible to avoid (protect from) flashing the BIOS by using a password in the BIOS? I don't think it is possible by moving a jumper on "modern" motherboards, correct (not sure if it was possible in the past...)?


> >Flash your BIOS or update it (as updating a BIOS includes flashing it most of the time)
> >MBR Rootkit -> bootrec /fixboot | bootrec /fixmbr
> >BootKit: Use a Live Rescue Environment
>
> A little bit rusty on that too. It's been a while since I dealt with these.

Aura, what do you mean by bootrec /fixboot | bootrec /fixmbr?

Thank you all for the answers, links (very interesting and scary, if true as I think they are...) and suggestions! :)
 

Solarquest

> If you are infected at this point, using tools will not help much:
>
> In the case of a BIOS kit, flash the BIOS right away; nothing else can be done. Deep format/wipe your drive and reinstall your OS. Faster and safer than using tools that may not clean your machine 100%.

Thank you! To deep format/wipe the drive, do you use the low-level format tool (sometimes) provided by the manufacturer of the HD or a special tool/program? Which one, if needed?
 

Solarquest

Thanks for the info!
Did someone already try it?
I got doubtful, like Prorootect on http://malwaretips.com/threads/nprotect-mbr-guard.5402/, since there is no trace of the program on the main WW page... was it discontinued? :eek:

I then tried to download GMER from gmer.net; when I download the "exe" I get illogical and different names every time I download it... on VT all OK apparently, but strange to me... is it really OK? :confused: Thanks
 

MrBrian

> I then tried to download GMER from gmer.net; when I download the "exe" I get illogical and different names every time I download it... on VT all OK apparently, but strange to me... is it really OK? :confused: Thanks

That's normal for GMER.
 

Solarquest

I'm preparing a PC for testing AV vs malware.
I would like to get a PC where the host is very difficult to infect; if the host gets infected, I would like to be able to undo all changes (all that can be undone)... the same for all other devices that might get infected (e.g. the router)...
I know that there are still areas that cannot be protected/infections that cannot be detected (e.g. in devices' firmware) and also that the probability that I run that kind of malware is very low... ideally I would like to be ready to recover from infections caused by all other kinds of malware (that can be detected/wiped off the PC/devices)... I prefer to prevent rather than cure if possible / paranoid mode is and will be on... :)

For this: VirtualBox 4.3.15-95713 was installed (no special tools nor USB support were installed), the HD was cloned (with the MBR) and a rescue disk was created.
The BIOS and the router are still worrying me, since I'm not sure if and how I can protect them, back them up or detect changes.
I'm researching the BIOS and found that, as I remembered, some older mobos had a jumper to prevent flashing of the BIOS. Newer ones with it are rare. Mine doesn't have one... nor a "Flash BIOS protection" option in the BIOS :(
I found a program that should help to detect changes in the BIOS, Copernicus by MITRE.

Did somebody already use it?
Does somebody know other ways to protect the BIOS from getting flashed?
Does creating a password in the BIOS help to protect from unwanted flashing of the BIOS?

Might what is described in this video at around min. 10 () apply to HDs too?

What can be done to protect the router from changes/attacks? As of now I changed the password and saved the config on another PC in case I have to restore it... but I know it's not enough... :(
What can be done in addition to this to protect the router? Thank you!
 