2

I have read an article about the TDL/Alureon rootkit:

According to research published on Monday by GFI Software, the latest TDL4 installation penetrates 64-bit versions of Windows by bypassing the OS’s kernel mode code signing policy, which is designed to allow drivers to be installed only when they have been digitally signed by a trusted source. The rootkit achieves this feat by attaching itself to the master boot record in a hard drive’s bowels and changing the machine’s boot options.

Does this mean that Windows doesn't protect the MBR from being overwritten? Can any program, including malware/rootkits, running with administrator privileges then just overwrite the MBR and simply bypass driver signing enforcement?

Thanks for any explanation.

n00p
  • 121
  • 2

2 Answers

1

An administrative/SYSTEM user has complete access to the system, and can make changes to disk partitions, etc. Also, tools exist for Windows which can modify the MBR to point to a different bootloader. So I'd say, no, there is nothing protecting it.

The question makes it sound like a big deal that "any program" running with administrator privileges can overwrite the MBR. A process with SYSTEM privileges can do whatever it wants. However, that is the standard threat model; if someone else runs code on your computer, it's not your computer anymore.

multithr3at3d
  • 12,842
  • 3
  • 32
  • 43
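To make the answer's point concrete from the defender's side: the MBR is just the first 512-byte sector of the boot disk, and anything with raw disk access can rewrite it, so the practical control is to snapshot it at a known-good time and compare later. The following Python example is added here and is not code from the question, the answers, or any project; the sector it works on is constructed in the script (a placeholder boot stub and one partition entry), so it runs offline. The layout it parses (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) is the standard MBR format; the device paths in the docstring are assumptions about where a real sector would be read from.

```python
"""Snapshot an MBR and flag later changes to its boot code or partition table.

Offline demo: the 512-byte sector is constructed below, not read from a disk.
On a real machine the same bytes come from the first sector of the boot disk
(for example \\\\.\\PhysicalDrive0 on Windows or /dev/sda on Linux), which
requires administrative rights to open. Store the baseline off the machine:
a baseline that lives on the disk it describes can be rewritten by the same
code that rewrites the MBR.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0..445: boot loader stub
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries, bytes 446..509
PARTITION_ENTRY_SIZE = 16
PARTITION_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511

# Constructed placeholder boot stub (xor ax,ax / mov ss,ax / mov sp,7c00h / ...).
SAMPLE_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8")


def build_partition_entry(bootable, ptype, lba_start, sectors):
    """Pack one partition table entry; CHS fields are zeroed, modern loaders use the LBA fields."""
    status = 0x80 if bootable else 0x00
    return struct.pack(PARTITION_ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


def build_sample_mbr(boot_code=SAMPLE_BOOT_CODE):
    """Constructed sample sector: one bootable type-0x07 (NTFS) partition starting at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\0")[:BOOT_CODE_SIZE]
    table = build_partition_entry(True, 0x07, 2048, 204800) + bytes(PARTITION_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Split a 512-byte sector into boot-code hash, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PARTITION_ENTRY_FMT, sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:
            continue  # unused slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": entries,
    }


def take_baseline(sector):
    """Record what a known-good sector looks like; keep this dict off the machine."""
    info = parse_mbr(sector)
    return {"boot_code_sha256": info["boot_code_sha256"], "partitions": info["partitions"]}


def check_against_baseline(sector, baseline):
    """Return a list of findings (empty means the sector matches the baseline).

    Boot code and partition table are compared separately: a bootkit of the
    kind the question describes replaces the boot code while leaving the
    partition table intact, so the two findings point at different causes.
    """
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if info["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = take_baseline(good)
    print("clean sector:", check_against_baseline(good, baseline) or "no changes")
    patched = bytearray(good)
    patched[0] ^= 0xFF   # simulate a rewritten first instruction of the boot stub
    print("patched sector:", check_against_baseline(bytes(patched), baseline))
```

The baseline only detects changes made after it was taken, and only if it is stored where the checked machine cannot alter it; it does not replace the boot-time integrity checks the second answer describes, it complements them with a check you control.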
1

Defending the MBR from changes may be a difficult task. But there's a way of warning the user that the Windows OS loader file has been modified.

Starting from Windows 6.1 there's a built-in possibility of using Require Signature Check or INTEGRITYCHECK. This tool can check if the file was modified and even prevent the OS from loading. E.g. if you use the EasyBCD software to edit the Windows loader code from a guest OS, you may be notified about those changes during the next boot with the 0xc0000428 status code.


This security may be applied not only to loader files but to any DLL that implements kernel-mode code.

This technique can also be investigated in more detail in this book source.

Max Bender
  • 113
  • 1
  • 3