News of a new botnet that has been set up and is trying to be indestructible by hiding in the master boot record. According to the BBC article, 'Code that hijacks a PC hides in places security software rarely looks and the botnet is controlled using custom-made encryption.' It then goes on to say: _The virus installs itself in a Windows system file known as the master boot record. This file holds the list of instructions to get a computer started and is a good place to hide because it is rarely scanned by standard anti-virus programs._
Excuse me? MBR viruses are not exactly a new thing. They existed back in the Novell days, and it was a pain because you'd have to shut down NetWare to get to the DOS area to fix the damn thing. To me, this is yet again pointing out the flaw in AV software: it's being lazy and not doing its job properly.
AV software is basically arse about face. It scans for things that SHOULD NOT be there, whereas it should be scanning for things that SHOULD BE there and treating everything else as a threat. It really shouldn't be too difficult to have a database of common Windows files and the most popular applications/games/utilities in use today, along with MD5 hashes, and scan against those to ensure the integrity of the system.
Both Vista and Win7 go some way towards doing this with things like UAC.