Security Think Tank: How to deal with wiper malware
How much should businesses worry about destructive, computer-killing malware, and what steps should they take to mitigate attacks?
Malware that can overwrite a computer's master boot record (MBR) has been around ever since the boot loader was invented, mainly because it is the easiest place to sit without getting noticed. Operating systems and anti-virus solutions are typically completely oblivious to what is in the MBR, as the malware runs as soon as the disk is spun up, before the operating system is loaded.
This is absolutely a risk we should all be worried about. MBR-overwriting malware can be installed simply by a visit to a malicious website or a click on a link in an email. It sits in memory and reminds itself to install whenever you next reboot.
As we have seen from the FBI reports, there is a particularly nasty variant of MBR-overwriting malware that wipes your PC the next time you restart. We are not talking a single-pass overwrite, we are usually talking several passes that render the disk and your data unrecoverable.
My practical advice would be to ensure you have backed up your essential files, and have a business recovery plan in place that works. An anti-malware strategy is indeed a must, especially if you are getting sick of invoking your recovery plan, and a blended approach that includes user security awareness is key to defending against any malware.
Read more on this topic
- Security Think Tank: Mitigation strategies for data-wiping malware
- Security Think Tank: Sony attack a reminder to protect company data
- Security Think Tank: Monitoring and response capabilities key to mitigating cyber attack
- Security Think Tank: How to prepare for computer-killing malware
There are solutions that can help eliminate the risk of MBR-overwriting malware; these are based around Trusted Platform Modules (TPMs), the chips of which are installed in all modern off-the-shelf PCs. Intel implements this through Trusted Execution Technology (TXT), which creates a chain of trust during the boot process, ensuring an untrusted or altered MBR simply cannot spin up.
As with all solutions (even free ones), these take time, effort, resource and cost to implement, and all companies should consider the risk in context, and not rush out and Google the next silver bullet for their security woes.
Over time, MBR malware will dwindle to nothing, as modern operating systems such as Windows 8.0 become more ubiquitous – and people remember to turn on disk encryption, which frustratingly is not enabled by default.
Tim Holman is an international board director at ISSA and CEO at 2-sec.