Government Security
Network Security Resources

Mbr Code For Plausible Deniability

15 replies to this topic

#1 DidierStevens

    Specialist

  • Sergeant Major
  • 100 posts

Posted 02 December 2010 - 09:30 AM

MBR ransomware Win32/RansomSeftad gave me an idea.
It ransoms your data by encrypting it, and changes the MBR to display a ransom message.

You could use this message for plausible deniability.

I wrote the following code to display the same message as Win32/RansomSeftad:

; Code for MBR to display message & halt
; If you adapt this program, make sure the binary code is not longer than 440 bytes (MBR code limit):
; bytes 440-511 of the sector hold the disk signature, the partition table and the 0x55AA boot
; signature, and must be kept from the original MBR.
; Written for NASM assembler (http://www.nasm.us) by Didier Stevens
; https://DidierStevens.com
; Use at your own risk
;
; History:
;   2010/12/02: start
;
; Assemble to a flat binary with: nasm -f bin -o mbrmsg.bin mbrmsg.asm

bits 16
org 0x7C00              ; the BIOS loads the MBR at 0000:7C00

START:
	xor ax, ax
	mov ds, ax          ; DS = 0, so [HELLO] is addressed from segment 0
	mov ss, ax
	mov sp, START       ; stack grows down from 0x7C00, below this code
	lea si, [HELLO]     ; SI -> first byte of the message
	xor bx, bx          ; BH = display page 0
	mov ah, 0Eh         ; INT 10h function 0Eh: teletype output
	cld                 ; lodsb increments SI
PRINT_LOOP:
	lodsb               ; AL = next byte of the message, SI++
	test al, al
	jz HALT             ; 0x00 terminator reached
	int 10h             ; print the character in AL
	jmp PRINT_LOOP
HALT:
	cli                 ; disable maskable interrupts ...
	hlt                 ; ... and stop: keystrokes are never read
	jmp HALT            ; an NMI can still wake the CPU, so halt again

HELLO:
	db "Your PC is blocked.", 0dh, 0ah
	db "All the hard drives were encrypted.", 0dh, 0ah
	db "Browse www.safe-data.ru to get an access to your system and files.", 0dh, 0ah
	db "Any attempt to restore the drives using other way will", 0dh, 0ah
	db "lead to inevitable data loss !!!", 0dh, 0ah
	db "Please remember Your ID: 773921,", 0dh, 0ah
	db "with its help your sign-on password will be generated.Enter password:"
	db 0                ; terminator tested by PRINT_LOOP

If you want to change the message, change the strings after HELLO. Don't forget to terminate your message with byte 0x00.

I'm not going to explain how you change the code in your MBR. If you don't know how to do this, it's very likely you'll corrupt the MBR and make your machine unbootable.
Test this first in a virtual machine you can miss, and if you do it on a real machine, do a full disk backup first and test your restore procedure first.
I only tested this in a virtual machine.

If you know how to change your MBR: don't forget to backup your original MBR first.
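
The two things that go wrong in practice with the listing above are the 440-byte budget and the "back up your original MBR first" step, so here is an added example (editor's code, not Didier's) that checks both without needing nasm. It hand-assembles the same instruction sequence as the listing (with `mov si, imm16` in place of `lea si, [HELLO]`, one byte shorter and loading the same address), refuses a message that would push the code past byte 440, and splices the result into sector 0 of a raw disk image after saving a copy of that sector. Bytes 440..511 (disk signature, partition table, 0x55AA boot signature) are copied from the original sector unchanged. The function names, the `.mbr.bak` backup name and the `SEFTAD_LINES` constant (the message text from the listing) are this example's own; `patch_disk_image` assumes a raw (flat) image whose sector 0 is at file offset 0, and, as the post says, only use it on a virtual machine you can lose.

```python
"""Hand-assemble the message-and-halt MBR code from the listing above and
splice it into a raw disk image.  Added example (not Didier Stevens' code):
the instruction bytes mirror the NASM listing, except that `mov si, imm16`
replaces `lea si, [HELLO]` (one byte shorter, same effect).  Function names,
the .mbr.bak backup name and SEFTAD_LINES are this example's own."""
import os

LOAD_ADDR = 0x7C00      # BIOS loads sector 0 here (org 0x7C00 in the listing)
CODE_AREA = 440         # bytes 0..439 are bootstrap code; 440..511 must be kept
SECTOR = 512
CODE_SIZE = 30          # size of the instruction sequence built below
PRINT_LOOP, HALT, HELLO = 17, 26, 30   # label offsets, from the instruction sizes

# The message from the listing (Win32/RansomSeftad's text), one entry per line.
SEFTAD_LINES = [
    "Your PC is blocked.",
    "All the hard drives were encrypted.",
    "Browse www.safe-data.ru to get an access to your system and files.",
    "Any attempt to restore the drives using other way will",
    "lead to inevitable data loss !!!",
    "Please remember Your ID: 773921,",
    "with its help your sign-on password will be generated.Enter password:",
]


def _rel8(target, next_ip):
    """Signed 8-bit displacement for a short jump that ends at next_ip."""
    delta = target - next_ip
    if not -128 <= delta <= 127:
        raise ValueError("short jump out of range")
    return bytes([delta & 0xFF])


def message_budget():
    """Largest message (CR/LF included) that fits, leaving room for the NUL."""
    return CODE_AREA - CODE_SIZE - 1


def build_message_mbr(lines):
    """Return the boot code for `lines` (CR/LF separated, NUL terminated), unpadded."""
    msg = "\r\n".join(lines).encode("ascii") + b"\x00"   # like the db ... / db 0 lines
    code = b"".join([
        b"\x31\xC0",                                          # xor ax, ax
        b"\x8E\xD8",                                          # mov ds, ax
        b"\x8E\xD0",                                          # mov ss, ax
        b"\xBC" + LOAD_ADDR.to_bytes(2, "little"),            # mov sp, 0x7C00
        b"\xBE" + (LOAD_ADDR + HELLO).to_bytes(2, "little"),  # mov si, HELLO
        b"\x31\xDB",                                          # xor bx, bx
        b"\xB4\x0E",                                          # mov ah, 0Eh
        b"\xFC",                                              # cld
        b"\xAC",                                              # PRINT_LOOP: lodsb
        b"\x84\xC0",                                          # test al, al
        b"\x74" + _rel8(HALT, 22),                            # jz HALT
        b"\xCD\x10",                                          # int 10h
        b"\xEB" + _rel8(PRINT_LOOP, 26),                      # jmp PRINT_LOOP
        b"\xFA",                                              # HALT: cli
        b"\xF4",                                              # hlt
        b"\xEB" + _rel8(HALT, 30),                            # jmp HALT (NMI can wake a halted CPU)
    ])
    assert len(code) == CODE_SIZE, "label offsets no longer match the encoding"
    if len(msg) - 1 > message_budget():
        raise ValueError(f"message is {len(msg) - 1} bytes, at most {message_budget()} fit")
    return code + msg


def install_boot_code(mbr, code):
    """Return a new 512-byte sector: `code` (zero padded) in 0..439, rest from `mbr`."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: this does not look like an MBR")
    if len(code) > CODE_AREA:
        raise ValueError(f"boot code is {len(code)} bytes, limit is {CODE_AREA}")
    return code + bytes(CODE_AREA - len(code)) + mbr[CODE_AREA:]


def patch_disk_image(path, code):
    """Save sector 0 of a raw image as <path>.mbr.bak, then write the new sector 0."""
    backup = path + ".mbr.bak"
    if os.path.exists(backup):
        raise FileExistsError(f"{backup} already exists; not overwriting the backup")
    with open(path, "r+b") as img:
        original = img.read(SECTOR)
        with open(backup, "wb") as out:
            out.write(original)
        img.seek(0)
        img.write(install_boot_code(original, code))
    return backup


if __name__ == "__main__":
    import sys
    code = build_message_mbr(SEFTAD_LINES)
    print(f"{len(code)} of {CODE_AREA} bytes used; backup written to",
          patch_disk_image(sys.argv[1], code))
```

Run it as `python mbrmsg.py disk.img`; to undo, copy the 512 bytes of `disk.img.mbr.bak` back over sector 0. With the 30 bytes of code the message may be at most 409 bytes including the CR/LF pairs, which is the "around 400 characters" mentioned later in the thread; `install_boot_code` zero-fills the rest of the 440-byte area so no fragment of the old boot code survives alongside the new one.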

#2 bonarez

    Retired GSO Second Lieutenant

  • Sergeant Major
  • 1,252 posts

Posted 02 December 2010 - 10:16 AM

That's actually not a bad idea, if you would combine this with encryption of any partition you wish to hide I think this could hold up in court.

EDIT: to anyone who wants to start playing around with this, use vmware for starters. If you really want to work with real hardware and don't know how to do this, read up on dd and clonezilla for backups. For winblows fdisk /mbr can rescue a failed attempt sometimes, but back up anyway.
"Ask the right question and you will receive the right answer. I'm just very sensitive about the right syntax"

Read the rules before you post

#3 Guest_DiabloHorn_*

  • Guests

Posted 04 December 2010 - 01:01 PM

you can use truecrypt to do this also :) since you can specify your own message. Not sure about the layout.

#4 DidierStevens

    Specialist

  • Sergeant Major
  • 100 posts

Posted 04 December 2010 - 01:25 PM

> you can use truecrypt to do this also :) since you can specify your own message. Not sure about the layout.


Unfortunately, Truecrypt limits the message to 24 characters: http://blog.didierst...screen-options/

With my MBR, you get around 400 characters, and it just halts your CPU after displaying the message, so there's no risk something else will be displayed when you start typing on the keyboard.

#5 DidierStevens

    Specialist

  • Sergeant Major
  • 100 posts

Posted 04 December 2010 - 02:56 PM

Here's another one (same program, different text):

[image]

#6 Guest_DiabloHorn_*

  • Guests

Posted 04 December 2010 - 04:29 PM

heh nice one didier, btw what are you using as a development environment?

#7 DidierStevens

    Specialist

  • Sergeant Major
  • 100 posts

Posted 05 December 2010 - 02:10 AM

> heh nice one didier, btw what are you using as a development environment?


nasm, a programmer's editor (UltraEdit) and a hex editor (010 Editor) to modify the MBR of a virtual machine

#8 infiltrator

    Staff Sergeant

  • Sergeant Major
  • 421 posts

Posted 14 December 2010 - 09:10 PM

What happens when you press "any key to continue"? Does it display the same error message again, or is it prompting you to enter a password?

#9 bonarez

    Retired GSO Second Lieutenant

  • Sergeant Major
  • 1,252 posts

Posted 15 December 2010 - 11:28 AM

> What happens when you press "any key to continue"? Does it display the same error message again, or is it prompting you to enter a password?

> With my MBR, you get around 400 characters, and it just halts your CPU after displaying the message, so there's no risk something else will be displayed when you start typing on the keyboard.


@Infiltrator:

Like Didier said, this is just a method of plausible deniability. Nothing happens since the CPU is halted.

Read up on computer architecture, one book I can recommend is 'structured computer architecture' by Andrew Tanenbaum. They come in different editions, you can probably find older ones very cheap.

http://www.amazon.com/Structured-Computer-Organization-Andrew-Tanenbaum/dp/0130959901

#10 DidierStevens

    Specialist

  • Sergeant Major
  • 100 posts

Posted 15 December 2010 - 01:45 PM

> What happens when you press "any key to continue"? Does it display the same error message again, or is it prompting you to enter a password?


bonarez is correct, I disable interrupts and then halt the CPU, so nothing will happen.

If challenged, you can always feign ignorance: machine is infected/broken, you don't know what's wrong or how to fix it.

#11 Icingtaupe

    Private First Class

  • Members
  • 20 posts

Posted 16 December 2010 - 12:54 AM

Nice idea, could be fun.

On the other side, I don't get situations to use it: on my computer? MBR backup; then go, no real utility. On a *friend's* computer? Annoying, could be a way to "Give it to me, I'll fix it"... and install what you want. Stoned, again (for testing purposes with his acknowledgement, of course). (*Evil smile*)

Any ideas, something I missed in this tool?

#12 DidierStevens

    Specialist

  • Sergeant Major
  • 100 posts

Posted 04 January 2011 - 06:39 AM

Just saw another BSOD screenshot with a short message one could use:

STOP: c0000da9 Unknown Hard Error
Unknown Hard Error

#13 bonarez

    Retired GSO Second Lieutenant

  • Sergeant Major
  • 1,252 posts

Posted 04 January 2011 - 09:34 AM

> STOP: c0000da9 Unknown Hard Error
> Unknown Hard Error

That's an error code I've never seen before. Google sure don't know it either.

A bit off topic perhaps, but did you find out what caused it? Did you get to analyze the crashdump?

#14 DidierStevens

    Specialist

  • Sergeant Major
  • 100 posts

Posted 04 January 2011 - 09:46 AM

> Google sure don't know it either.


Same result here. But that will change soon after Google's spider comes along in this thread ;-)
If you google without the hex number, you'll find some other examples.

> A bit off topic perhaps, but did you find out what caused it? Did you get to analyze the crashdump?

I saw it on Twitter (I occasionally search Twitter for BSOD pictures).
http://twitpic.com/3mlhc9

#15 sajid89

    Private

  • Members
  • 9 posts

Posted 19 April 2012 - 10:07 PM

> nasm, a programmer's editor (UltraEdit) and a hex editor (010 Editor) to modify the MBR of a virtual machine




