
I'm doing research on various malware and I came across boot-sector viruses. Kaspersky states that "they are not designed to infect removable media."

My question is, how do they spread then?

Again quoting Kaspersky, "Boot sector computer viruses are most commonly spread using physical media." Are not removable media (USB sticks for example) the same as physical media? External hard disks etc?

LvB
DrDoom

1 Answer


Well actually, removable media is a subset of physical media. It's the old "a cube is always a beam, but a beam is not always a cube" thing.

Boot sector viruses have been known to be spread through:

  • Hard Disks
  • Floppy Discs
  • CD/DVD/Blu-ray Discs
  • Tapes
  • Cartridges
  • BIOS and Secondary BIOS infections
  • PCI equipment (I only know of lab experiments like this, but they do prove it's possible)
  • Firewire devices.
  • USB devices.
  • Networks
  • Downloads (quite rare there actually)

In most cases the way they work is they look for the primary MBR (Master Boot Record) and modify its content with their own payload so the virus is loaded on each boot. It usually has some companion app that it will retrieve as soon as possible to do the reinfection on different devices and redistribute the virus to other devices. So on their own they often do not pose a risk to removable media. They are hard to get rid of. They are more a thing of the past though, since with Secure Boot and the UEFI environment it's harder to implement schemes like this undetected.

LvB
  • I have a sub-question. You stated that they retrieve a "companion app". Are you saying that the "companion app" actually does the infecting of the removable media? – DrDoom Jun 13 '16 at 12:13
  • In some, yes. Often these types of infections are done to gain further access, or in other words to deliver some remote access mechanism. – LvB Jun 13 '16 at 12:14
  • OK, so let's say it's a 2-step process. 1, you somehow infect your PC with the boot-sector virus. 2, the virus then acquires the "companion app" from the internet or wherever, which infects other removable media. This removable media is again compromised, inserted into an uninfected PC. The PC is now infected and again it acquires the "companion app", etc. etc.? Am I getting this correct? Sorry for the follow-up questions. Thanks – DrDoom Jun 13 '16 at 12:32
  • Well, depending on the goals of the virus, yes. The MBR is not that big, so adding something to it without making the machine unbootable is quite hard. It is the most used strategy that I have heard about for this type of attack. It is important to note that this companion app can reside completely in memory and is written/compiled to machine instructions, so it can be that the OS is not even aware of it being there (aside from a few missing RAM addresses) – LvB Jun 13 '16 at 13:19
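The answer above describes the mechanism (the virus rewrites the MBR's code area so it runs on every boot) and the comments note that the MBR is small and that any companion component may live only in memory. The added example below is not code from the answer or from any of the commenters; it is an illustration, from the defender's side, of what the on-disk part of that looks like and how an integrity check over it works. A classic MBR is 512 bytes: 446 bytes of boot code, four 16-byte partition entries, and the `0x55AA` signature at offset 510. The script parses that layout, records a SHA-256 of the boot-code area as a baseline, and reports when a later copy of the sector differs. The sample MBR bytes are constructed in `build_sample_mbr` for offline use; `check_mbr`, `baseline_hash` and `parse_mbr` are names chosen here, not part of any tool mentioned on the page.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446               # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446       # four 16-byte partition entries follow
PARTITION_ENTRY_FMT = "<B3sB3sII"  # flag, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"            # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition table and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        flag, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY_FMT, mbr, off)
        partitions.append({
            "bootable": flag == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "valid_signature": mbr[510:512] == SIGNATURE,
    }


def baseline_hash(mbr: bytes) -> str:
    """Hash of the boot-code area, recorded once on a known-clean machine."""
    return parse_mbr(mbr)["boot_code_sha256"]


def check_mbr(mbr: bytes, known_good_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != known_good_hash:
        findings.append("boot code differs from recorded baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one Linux partition at LBA 2048, valid signature."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    entry = struct.pack(PARTITION_ENTRY_FMT, 0x80, b"\x00\x02\x00", 0x83,
                        b"\xfe\xff\xff", 2048, 409600)
    table = entry + b"\x00" * 48   # remaining three entries left empty
    return code + table + SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")  # constructed placeholder boot code
    good = baseline_hash(clean)
    tampered = bytearray(clean)
    tampered[0:3] = b"\xeb\x00\x90"                     # constructed change in the boot-code area
    print("clean:", check_mbr(clean, good))
    print("tampered:", check_mbr(bytes(tampered), good))
```

On a real system the 512 bytes would come from the first sector of the disk device (reading it needs administrative rights), and the baseline hash should be stored off the machine, since anything able to rewrite the MBR can rewrite a local hash file too. The check only covers the on-disk sector: as the last comment points out, a companion component that lives purely in memory leaves this sector untouched, so a matching hash rules out a modified boot record, not an infection.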