Why do viruses that wipe boot sectors exist?

In a moment of desperation and without thinking, I executed an .exe file purporting to be a pirated version of a hard-to-find program, forgetting that I had no real-time antivirus active. A few seconds later Malwarebytes (the free version, so not real-time) had been removed from the system. I then hurriedly tried to do a System Restore but sure enough, found that my boot sector had been wiped.

Thankfully, the virus – or maybe more accurately, just malware? – hadn’t touched any of my data, including the image backups on one of my internal disks, so I was able to restore back to a working system within a few hours, but this sobering experience has left me wondering: what exactly is the purpose of such a destructive virus?

I can understand ransomware, cryptominers, or malware that turns my computer into part of a botnet, but what motivation would a malware developer have to wipe out a system’s boot sector? What’s the endgame to doing so? As a bonus question, is there known active malware that goes further and wipes out a user’s actual data?

Integrity Check on power on VS. Secure boot

Can we consider the Integrity Check on power-on and the secure boot equal from security point of view?

Secure boot is about allowing only a trusted SW to boot on the processor. A chain of trust can be built as a result of sequence of a securely booted Software components: for example:

  • Bootloader authenticates the OS.
  • The OS authenticates Application.

Let’s imagine that a system provides an Integrity check on power on, which means on power-on, the stored data (Bootloader, OS, Application) is hashed and the new hash is compared to the old stored hash of the same data. In this case, the integrity of all the stored SW component are going to be checked all together. Then a boot-up is only allowed when the integrity check was successful.

Does it make a difference to check the integrity/authenticity of the SW one after one (secure boot) or to conduct an integrity check on all of them together on power-on? In other words, when can we consider the integrity check and the secure boot equal?

Why authenticated boot not Secure boot?

Context: Secure boot is one of the important elements of Trusted Computing in computer system. One variety of the Secure boot is authenticated boot. While secure boot prevent the boot of a non trusted software, the authenticated boot detects a non trusted software but does not prevent its boot.

Questions:

What are the reasons that would encourage deploying authenticated boot in the system rather than secure boot? In my point of view, it makes more sense (from security point of view) to deploy the secure boot.

Is there other varieties of the secure boot except the authenticated boot?

Any recommendation of reading about Trusted Computing and secure boot?

Thanks!

High Availability Boot processes and only using code-signing certificates

High Availability Boot (HAB) is a technique described here in an NxP application note. This is best summarised as:

HAB authentication is based on public key cryptography using the RSA algorithm in which image data is signed offline using a series of private keys. The resulting signed image data is then verified on the i.MX processor using the corresponding public keys. This key structure is known as a PKI tree. Super Root Keys, or SRK, are components of the PKI tree. HAB relies on a table of the public SRKs to be hashed and placed in fuses on the target.

The procedure burns Super Root Key (SRK) fuses using a software tool called srktool. In it’s proper use, I would use an SSL certificate with the OID set for code-signing. This would have an oid of 1.3.6.1.5.5.7.3.3.

However, there doesn’t appear to be anything that stops me from using a certificate that is created for other purposes, e.g. for client authentication with the OID of 1.3.6.1.5.5.7.3.2.

The problem is that if I have two certificates from the same CA:

  1. Code-signing certificate
  2. Client certificate

I could sign the image with the code-signing certificate. If I could update the public key on the target device, then it would be possible to sign it with the client certificate and it would be accepted as valid.

The only option is use different CAs for both code-signing and client certs. I’m wondering if there’s some way to check the OIDs?

How can BitLocker be considered safer, if it doesn’t asks for a key during boot

This is most likely a naive question, but I failed finding proper answer to it, so I dared to ask here.

When I was using TrueCrypt / VeraCrypt, my key / hash / password was never stored anywhere and I was forced to provide it upon each boot. When I have now enabled BitLocker in my Windows 10 Pro, my key / hash is stored inside TPM (?) and I am never asked for it. My system disk is being decrypted on-the-fly as system boots.

Now, if I don’t have to provide this key during boot then my disk is completely unsafe, if someone would stolen it toghether with my computer (very likely, most often scenario?). I am only safe, if an attacker will get the disk, but not the computer, and will install it in its own computer.

When I was using TrueCrypt / VeraCrypt, I always safe, now matter whether unauthorized person got access to my disk in mine or in any other computer. Without key / hash, my disk was garbage.

Please, explain what am I missing? How can BitLocker be considered safer than TrueCrypt / VeraCrypt give above two scenarios.

dual booting an HP laptop,4gb ram,intel i3 6006.Windows 10 and ubuntu dual boot, each time i install ubuntu “something else” option in installation

I am installing ubuntu on HP laptop with windows 10 preinstalled . Each time i install ubuntu on a partition the grub is not installing i386 file in /boot/grub folder which causes error as grub searches for that file and run into grub rescue at each boot , hence i cannot boot into ubuntu nor windows , i manually added the file by live usb but failed to make grub config for such changes . My partition show (hd,msdos6) as root . grub is installed on root partition. Grub never installs the i386 file and this file can be found in /usr/lib/grub .

Can’t boot windows after deleting Ubuntu partition?

Linux newb.
A while ago I ran Ubuntu from a usb to test out some stuff. I now need Ubuntu so wanted to install it properly.
On windows 7 I deleted the partition that would’ve contained Ubuntu (only one without nstf) and then tried resizing my C: drive to make space for Ubunutu.
I then had to restart my pc. When I did it loaded to grub rescue. I haven’t been able to figure this out from here.
I got Ubuntu running on the usb again but can’t get the partitioning to work right (I think)
I can’t lose my windows data and want dual boot.
Help please. 🙂