Beating Bootkits

Quads · ‎07-21-2008

I have been thinking of an idea to be able to have Norton beat Bootkits once detected.

Once Norton is installed on a computer and that system is clean, Norton can then be able to copy the Boot Sector of the machine it is installed on and hide it away within Norton for safe keeping (future use) if required. Like a good Quarantine if you like and hidden.

Then in the future say that PC gets infected with a Bootkit like Tidserv, Mebroot, Alworo................. So "boot.xxxxxx" Norton can then take that copy of the Boot Sector and overwrite the Bootkit with the original copy. Now the MBR is clean. This also works or OEM versions (Dell, H.P., E Machines etc) as remember Norton has taken the copy from the machine it is installed on at a earlier date, so doesn't matter about being a OEM version.

It would also work for MBR Ransomware that locks the PC so the user can't get to Windows even loading. Norton has the original copy stored away So the user would be able to use the Recovery disc to access the stored copy in Norton on the Hard Drive and overwrite the MBR Ransomware (infected MBR). Restart the PC and Bingo Windows loads, no ransomware bootkit.

Quads

Stu · ‎04-08-2008

Very inter4esting theorie indeed.

Although I'm not sure this can be done

"All that we are is the result of what we have thought"

Quads · ‎07-21-2008

It can be done, I can copy Boot Sectors with one click, not hard.

Quads

SendOfJive · ‎02-07-2009

There are applications available that can back up the MBR, so it is certainly something that can be done. It sounds like a very straightforward solution to a problem that is becoming much more common. I think Quads' idea has a lot of merit.

Quads · ‎07-21-2008

Hmm, lets for now call it the "Good File Repository" that is a folder within Norton like other parts of Norton (Virus Defs etc.)

I had a question / statement saying about users accidently backing up a bad file or Boot Sector (which is a 512 byte file)

One way is to once Norton is installed on a system it is clean Norton will backup / Copy the required files and place them in the "Good File Repository", after which the button (if one) and the copy function is disabled or greyed out, As Norton now has the legit copies it requires from the system in question.

This should stop both Norton and the User from accidently being played with by the click of a mouse and so on, hopefully meaning it's sucure.

Secondly, because the "Good File Repository" Folder is within Norton, it could be protected by Norton as part of the "Anti - Tamper Protection", this would be so hopefully Malicous files or users can not delete the files or the whole Folder.

Quads