Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO

Saturday, November 19, 2011

Verifying programs in Windows

Who do I trust MBRCheck.exe?
naaah, there is NO defense BUT:
BTW your antivirus does a completely different thing, it "snapshots" your current MBR (which is supposed to be "OK") and checks whether it has changed.
This is a very reasonable approach but it does a DIFFERENT thing.
The Author is (generically) the geekstogo thingy:
the actual download address: hxxp:// leads to them and the tool is actually recommended on their Forum.
Look, something like this will give you an MD5 of your MBR in a file:

rem N is the physical drive number (0 for the first disk); dump the whole 512-byte sector
dsfo \\.\physicaldriveN 0 512 mymbr.mbr
rem hash only the first 440 bytes (the boot code, before the disk signature and partition table)
dsfo mymbr.mbr 0 440 NUL 2>&1 >>mymbr.md5
(or you can create the 440 byte file and SHA1 it).
You do this a few times on the various system you work on, and you quickly have a "database" of "good" MBR codes.
When you find a "positive" (i.e. a non-match) you quickly disassemble the MBR code (if there are no signs of where it comes from) and verify that it doesn't do anything "nasty".
There don't appear to be all that many different MBRs.
I have seen in my experience at least 50 of them, without counting localized versions and "strange OEM" ones.
I frankly doubt that the mentioned tool has ever seen most of these.
Additionally there are at least TWO known tools/approaches, one is MBRFIX and the other is the "XP Kansas City Shuffle", that do use some unused byte(s) of a perfectly "kosher" MBR for their own purposes.
AND "bootmanagers" like grub4dos normally use some bytes in the MBR to store some needed info, as well as (other example) mbldr and heaven ONLY knows how many more; this makes for an impossible-to-track-down number of forks or different checksums.
It is the actual "method" of comparing a checksum with a list of known ones that is flawed IMNSHO, as there can be as many different checksums on perfectly "kosher" MBR codes as stars in the sky.
Of course if we limit this to original MS Windows, we have just 3 or 4 of them and it makes sense. :)
As said, the only usefulness of such a tool is to check for a relatively small number of very common MBRs and switch an alarm on if one is found different, but the times the alarm is triggered will often be false positives, and, as you pointed out, you have no *guarantee* whatsoever about a malware being (intentionally or by mistake) added to the whitelist, nor about the originality of the actual program, so if you are actually preoccupied, write your own tool and verify it yourself (NO other *safe* alternatives).
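The "database of good MBR codes" approach described in the post, as an added example (not code from the original post, from dsfok or from MBRCheck). It assumes the standard MBR layout: bytes 0-439 boot code, 440-443 the Windows disk signature, 444-445 reserved, 446-509 four 16-byte partition entries, 510-511 the 0x55AA boot signature. Like the post's dsfo command it hashes only the first 440 bytes, so a different disk signature or partition table does not register as a changed MBR, and for a non-match it lists the code offsets that differ from the whitelisted entry, which is the first thing to look at before disassembling (a few scattered bytes usually point at a boot manager's stored data rather than at replaced code). The sample sectors, labels and hash values are constructed for the example and are not real OEM MBRs.

```python
"""Hash the boot-code region of an MBR and triage it against a whitelist.

Added example, not code from the original post or from dsfok/MBRCheck.
Assumed layout (standard MBR): bytes 0-439 boot code, 440-443 Windows disk
signature, 444-445 reserved, 446-509 four 16-byte partition entries,
510-511 the 0x55AA boot signature.  Only the code region is hashed.
"""
import hashlib
import struct

MBR_SIZE = 512
CODE_SIZE = 440  # boot-code region, the 440 bytes the post's dsfo command hashes


def split_mbr(mbr: bytes) -> dict:
    """Split one 512-byte sector into code, disk signature, partition table and boot signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "code": mbr[:CODE_SIZE],
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "partitions": partitions,
        "boot_signature_ok": mbr[510:512] == b"\x55\xaa",
    }


def code_hashes(mbr: bytes) -> dict:
    """MD5 and SHA-1 of the boot code only (bytes 0-439)."""
    code = mbr[:CODE_SIZE]
    return {"md5": hashlib.md5(code).hexdigest(), "sha1": hashlib.sha1(code).hexdigest()}


def classify(mbr: bytes, whitelist: dict) -> str:
    """Look the code hash up in a {sha1: label} whitelist; 'UNKNOWN' is a non-match to inspect."""
    return whitelist.get(code_hashes(mbr)["sha1"], "UNKNOWN")


def diff_offsets(mbr: bytes, reference: bytes) -> list:
    """Offsets in the code region where two sectors differ, for triaging a non-match."""
    return [i for i in range(CODE_SIZE) if mbr[i] != reference[i]]


def hash_mbr_file(path: str) -> dict:
    """Hash a sector dump such as the mymbr.mbr file the post produces with dsfo."""
    with open(path, "rb") as fh:
        return code_hashes(fh.read(MBR_SIZE))


def build_sample_mbr(code: bytes, disk_sig: int, partitions: list) -> bytes:
    """Constructed test sector (not a real OEM MBR): code padded to 440 bytes, disk
    signature, reserved word, up to four (bootable, type, lba_start, sectors) entries, 0x55AA."""
    sector = bytearray(code.ljust(CODE_SIZE, b"\x00"))
    sector += struct.pack("<IH", disk_sig, 0)
    for i in range(4):
        if i < len(partitions):
            bootable, ptype, lba_start, sectors = partitions[i]
            sector += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, bytes(3),
                                  ptype, bytes(3), lba_start, sectors)
        else:
            sector += bytes(16)
    sector += b"\x55\xaa"
    return bytes(sector)


# Constructed samples: a "known good" sector, the same code on another disk with a
# different partition table, and a sector with one patched code byte.  None is a real MBR.
SAMPLE_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b" constructed sample boot code"
KNOWN_GOOD = build_sample_mbr(SAMPLE_CODE, 0x1234ABCD, [(True, 0x07, 2048, 204800)])
SAME_CODE_OTHER_DISK = build_sample_mbr(SAMPLE_CODE, 0xDEADBEEF, [(False, 0x83, 63, 1000)])
PATCHED_CODE = KNOWN_GOOD[:0x10] + bytes([KNOWN_GOOD[0x10] ^ 0xFF]) + KNOWN_GOOD[0x11:]

# The "database" of good MBR codes the post describes: SHA-1 of the code region -> label.
WHITELIST = {code_hashes(KNOWN_GOOD)["sha1"]: "constructed-sample"}

if __name__ == "__main__":
    for name, sector in [("known good", KNOWN_GOOD),
                         ("same code, other disk", SAME_CODE_OTHER_DISK),
                         ("patched code", PATCHED_CODE)]:
        verdict = classify(sector, WHITELIST)
        line = f"{name:22s} sha1={code_hashes(sector)['sha1']} -> {verdict}"
        if verdict == "UNKNOWN":
            line += f" (code differs at offsets {diff_offsets(sector, KNOWN_GOOD)})"
        print(line)
```

Run against a real dump with `hash_mbr_file("mymbr.mbr")` and add the resulting SHA-1 to the whitelist once the code has been checked; the disk signature and partition entries that `split_mbr` reports are deliberately left out of the hash, since those legitimately differ from machine to machine.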
