Who do I trust? MBRCheck.exe


jeff.sadowski


For the most part I trust Microsoft and some other major software providers like Adobe and Apple, but I have recently started to run into issues. Example: I can no longer find TweakUI on Microsoft's site.

I know it's just a registry editor, but it makes it so much easier to do some of the tasks I need to do, like autologin.

I wanted to know how I go about verifying the program I am downloading, and that it is from whom it says it's from.

I know TweakUI pops up that it is a Microsoft-signed program, but others are not so obvious. And that's only after I try to run it.

Example: I had been reading about malware being in the Master Boot Record and wanted to explore how I would verify whether my MBR was infected or not. I found word of mbrcheck.exe and downloaded this program. It seems good, but how do I know mbrcheck.exe is not infecting me? I'm doubting it is infected, because it says my MBR was written by Dell when I was expecting it to say something about a Microsoft-written MBR, meaning it gave a lot of information that was more correct than I was expecting.

I was hoping I could read somewhere on the net how to look at the MBR in more detail without any third-party program. I am good with Linux commands and was hoping there was a way to verify the MBR using dd to copy just the MBR and verify what was in the MBR that way. I didn't find anything about patterns to match good or bad, so I went with mbrcheck.exe.

I only see a version number for mbrcheck.exe. I don't see any contact info or company info, so I have no clue as to where it's from or whether it itself hasn't been infected. In Linux we have checksums, and if a developer is smart they have a PGP-signed statement stating the MD5 checksum and maybe the SHA1 checksum. Thus you have the person's PGP public key to verify, and you know over time that some of these can be trusted. At that point you can trust the md5sum and then verify the executable with that. I see nothing like this in the Windows world, and it scares the bejesus out of me.

A.)

I'd like to know the official site for mbrcheck.exe if anyone can help?

B.)

I'd like to know how to verify I have an uninfected binary.

MBRCheck.exe version 1.2.3 has:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

md5sum cb2d120a4b72422a8141192831b1f500 *mbrcheck.exe
sha1sum 4f384c8d798dd0ee6c7ff12046db64e6cc05ccf0 *mbrcheck.exe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iEYEARECAAYFAk5VYOMACgkQ59JpGAdkjyUjFACgj3tS2pi7p0dYD4Kneg3lO6by
g80AnjVaLnogvS+jVUTTJGl2jG6Nvr8u
=Vr+I
-----END PGP SIGNATURE-----

My signature is from my jeff.sadowski at gmail.com PGP key.

If someone can verify that, please do. Thanks.

Also, some other information, as I was trying to figure out what mbrcheck.exe was doing to check things.

I figured out using Cygwin and dd that it is comparing a SHA1 hash of the first 440 bytes of the disk.

In Cygwin I did:

dd if=/dev/sda of=test.raw bs=440 count=1   # boot code only: stops before the disk signature and partition table
sha1sum.exe test.raw

to get the same SHA1 hash that was displayed.

Also, FYI, mbrcheck claims

sha1 ae3e0a945d44c8ea304a19a8f50f69065c34344b

is the Dell Inspiron MBR code,

if that helps anyone out.



With all due respect. :), I cannot understand anything of your post. :unsure:

Is there a question?

Or an issue?

Why has it been posted in General Discussion?

Are you talking of this?

http://windows7themes.net/how-to-check-mbr-for-virus-infection-via-mbrcheck.html

It simply compares the current MBR (CODE part) checksum (SHA1) against an internal table of "standard" checksums.

It is a mostly unuseful tool, in the sense that there are millions of machines around that don't have "standard" MBR code, like most OEMs with a recovery partition, then grub4dos, syslinux, gujin, mbldr and heaven only knows how many other boot managers that have their own MBR code, published each in a zillion subsequent versions.

Depending on the extent of the MBR code that it uses, it may also give "false positives" (meaning "hacked MBR") on different languages of the same MS operating systems; if it does the first 440 bytes, it includes the "text strings" that may change in different languages.

So, it is ONLY useful if you know that you should have a "standard" MBR among those in the internal "table". :whistle:

Think of it as an AV product (but with no heuristics); it would need a very wide database of "MBR definitions", constantly updated, to become a useful tool, IMHO.

jaclaz

P.S.: TWEAKUI: http://windowsxp.mvps.org/tweakui.htm


> With all due respect. :), I cannot understand anything of your post. :unsure:
>
> Is there a question?

Yes, I'm asking to find the official place to download MBRCheck.

And if someone can verify the md5sum or sha1sum of the latest version of MBRCheck, or at least the version I downloaded.

How would someone know if it was intercepted and replaced with a version that does infect the BIOS and reports its version with the infected MBR as something else?

If I had an author of said program and his signed hash for said program, I could verify my download.

> Or an issue?
>
> Why has it been posted in General Discussion?

Forums I see to post stuff to:

Announcements, General Discussion, Introduce Yourself!, Windows 7, Windows Vista, Windows XP, Windows NT4/2000/2003, Windows Server 2008 / Server 2008 R2, Windows 95/98/98SE/ME, Microsoft Office 97-2010, Microsoft Beta Discussion

I didn't realize it scrolled down more, and that is all the topics I saw.

I guess it belongs in Software Hangout?

> Are you talking of this?
>
> http://windows7themes.net/how-to-check-mbr-for-virus-infection-via-mbrcheck.html
>
> It simply compares the current MBR (CODE part) checksum (SHA1) against an internal table of "standard" checksums.
>
> It is a mostly unuseful tool, in the sense that there are millions of machines around that don't have "standard" MBR code, like most OEMs with a recovery partition, then grub4dos, syslinux, gujin, mbldr and heaven only knows how many other boot managers that have their own MBR code, published each in a zillion subsequent versions.

I was going to mention some of those to the author if I knew whom I could report to. Hence: where is the official site?

I found what syslinux's was. I could also get grub's.

It does have some blacklisted MBRs to check for.

If I could find a list of the blacklisted MBRs, I'd like that.

Many of the OEMs from bigger corporations are whitelisted.

There don't appear to be all that many different MBRs.

I myself look forward to the day when MBR is past and EFI finally takes hold.

> Depending on the extent of the MBR code that it uses, it may also give "false positives" (meaning "hacked MBR") on different languages of the same MS operating systems; if it does the first 440 bytes, it includes the "text strings" that may change in different languages.

False positives for blacklisted ones are highly unlikely, and with only 440 bytes I'd say it is nearly impossible to create a false positive with a SHA1 hash.

It declares an unverified hash for MBRs with an unknown signature. Most people only using Windows are going to have an MBR from one of the big manufacturers or a clean install of Windows.

There aren't that many different languages, so you could list all the versions of Windows MBR hash codes.

> So, it is ONLY useful if you know that you should have a "standard" MBR among those in the internal "table". :whistle:
>
> Think of it as an AV product (but with no heuristics); it would need a very wide database of "MBR definitions", constantly updated, to become a useful tool, IMHO.
>
> jaclaz
>
> P.S.: TWEAKUI: http://windowsxp.mvps.org/tweakui.htm

Thanks for the quick link to TweakUI.

I mostly agree, but don't you think you should check on your MBR from time to time to see that no program has messed with it for a malicious reason? Especially on a Windows-only machine.


> I mostly agree, but don't you think you should check on your MBR from time to time to see that no program has messed with it for a malicious reason? Especially on a Windows-only machine.

My antivirus does this for me. Also being paranoid about computer security can lead to something like this: http://www.youtube.com/watch?v=5mXSYz4MiFk


> Also being paranoid about computer security can lead to something like this:

Naaah, there is NO defense BUT:

http://reboot.pro/13177/

BTW your antivirus does a completely different thing, it "snapshots" your current MBR (which is supposed to be "OK") and checks whether it has changed.

This is a very reasonable approach but it does a DIFFERENT thing.

@jeff.sadowski

You apparently missed the "general point" I was trying to make. :unsure:

No matter WHO is the Author of that utility, you cannot reasonably trust him/her nor the validity of his/her whitelist or blacklist. :ph34r:

The Author is (generically) the geekstogo thingy:

http://www.geekstogo.com/

the actual download address, hxxp://ad13.geekstogo.com/MBRCheck.exe, leads to them, and the tool is actually recommended on their Forum.

Look, something like this will give you the MD5 of your MBR in a file:

dsfo \\.\physicaldriven 0 512 mymbr.mbr

dsfo mymbr.mbr 0 440 NUL 2>&1 >>mymbr.md5

(or you can create the 440-byte file and SHA1 it).

You do this a few times on the various system you work on, and you quickly have a "database" of "good" MBR codes.

When you find a "positive" (i.e. a non-match) you quickly disassemble the MBR code (if there are no signs from where it comes from) and verify that it doesn't do anything "nasty".

> There don't appear to be all that many different MBRs.

I have seen in my experience at least 50 of them, without counting localized versions and "strange OEM" ones.

I frankly doubt that the mentioned tool has ever seen most of these.

Additionally, there are at least TWO known tools/approaches, one is MBRFIX and the other is the "XP Kansas City Shuffle", that do use some unused byte(s) of a perfectly "kosher" MBR for their own purposes.

AND "bootmanagers" like grub4dos normally use some bytes in the MBR to store some needed info, as well as (other example) mbldr and heaven ONLY knows how many more; this will make an impossible-to-track-down number of forks or different checksums.

It is the actual "method" of comparing a checksum with a list of known ones that is flawed, IMNSHO, as there can be as many different checksums on perfectly "kosher" MBR codes as stars in the sky.

Of course if we limit this to original MS Windows, we have just 3 or 4 of them and it makes sense. :)

As said, the only usefulness of such a tool is to check for a relatively small number of very common MBRs and switch an alarm on if it is found different, but the times the alarm will be triggered will often be due to false positives, and, as you pointed out, you have not ANY *guarantee* that a malware isn't (intentionally or by mistake) added to the whitelist, nor about the originality of the actual program, so if you are actually preoccupied, write your own tool and verify it yourself (NO other *safe* alternatives).

jaclaz
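The dd/sha1sum check earlier in the thread and the dsfo snapshot suggested just above are the same procedure: hash the 440-byte boot-code region and compare it with a list you maintain yourself. Below is that procedure as a stand-alone script, added here as an example; it is not code from the thread, from MBRCheck or from the dsfok tools. It assumes the classic MBR layout (boot code at offsets 0-439, disk signature at 440, partition table at 446, 55 AA at 510); the whitelist format (a dict of SHA1 to label), the function names and the sample sector are my own constructions, not anything MBRCheck ships.

```python
#!/usr/bin/env python3
"""Hash the MBR boot code and compare it with a whitelist you keep yourself.

Added example, not code from MBRCheck, the dsfok tools or this thread.
Assumed (classic) MBR layout:
  0-439    boot code            (the region MBRCheck and the dd command hash)
  440-443  disk signature       446-509  four 16-byte partition entries
  444-445  reserved             510-511  55 AA boot signature
"""
import hashlib
import json
import struct
import sys

MBR_SIZE = 512
CODE_LEN = 440
BOOT_SIG = b"\x55\xaa"


def read_mbr(path):
    """First 512 bytes of a raw image (test.raw) or a device (/dev/sda, \\\\.\\PhysicalDrive0)."""
    with open(path, "rb") as f:
        mbr = f.read(MBR_SIZE)
    if len(mbr) != MBR_SIZE:
        raise ValueError("short read: got %d bytes, need %d" % (len(mbr), MBR_SIZE))
    return mbr


def parse_mbr(mbr):
    """Split the sector into boot code, disk signature and the non-empty partition entries."""
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("no 55 AA boot signature: not an MBR (or a GPT-only disk)")
    parts = []
    for i in range(4):
        # status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped), LBA start, sectors
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"code": mbr[:CODE_LEN],
            "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
            "partitions": parts}


def code_hashes(mbr):
    """MD5 and SHA1 of bytes 0-439 only; the SHA1 equals what `sha1sum test.raw` prints."""
    code = mbr[:CODE_LEN]
    return {"md5": hashlib.md5(code).hexdigest(), "sha1": hashlib.sha1(code).hexdigest()}


def record_baseline(mbr, label, baseline):
    """Snapshot mode: add this machine's current boot code to your own whitelist."""
    baseline[code_hashes(mbr)["sha1"]] = label
    return baseline


def check_mbr(mbr, baseline):
    """Return ("known", label) if the boot code is whitelisted, else ("unknown", sha1).

    Only bytes 0-439 are hashed, so a changed partition table or disk signature does
    not change the verdict; keep parse_mbr()["partitions"] in the snapshot and diff it too.
    """
    sha1 = hashlib.sha1(parse_mbr(mbr)["code"]).hexdigest()
    if sha1 in baseline:
        return "known", baseline[sha1]
    return "unknown", sha1


def build_sample_mbr(patch=None, disk_sig=0x1234ABCD):
    """Constructed test sector, not a real OEM or Windows MBR: filler code plus one
    bootable NTFS-type partition at LBA 2048. `patch` = (offset, bytes) overwrites code
    in place, standing in for a bootkit modifying the loader."""
    code = bytearray(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (CODE_LEN - 5))
    if patch is not None:
        off, data = patch
        code[off:off + len(data)] = data
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (64 - len(entry))
    return bytes(code) + struct.pack("<I", disk_sig) + b"\x00\x00" + table + BOOT_SIG


def demo():
    """Baseline a clean sample, then check a code-patched and a signature-only-changed copy."""
    baseline = record_baseline(build_sample_mbr(), "constructed sample", {})
    return {
        "clean": check_mbr(build_sample_mbr(), baseline)[0],
        "code_patched": check_mbr(build_sample_mbr(patch=(100, b"\xeb\xfe")), baseline)[0],
        "signature_changed": check_mbr(build_sample_mbr(disk_sig=0xDEADBEEF), baseline)[0],
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:        # python mbrhash.py test.raw   (or /dev/sda as root)
        mbr = read_mbr(sys.argv[1])
        info = parse_mbr(mbr)
        print(json.dumps({"hashes": code_hashes(mbr),
                          "disk_signature": "%08x" % info["disk_signature"],
                          "partitions": info["partitions"]}, indent=2))
    else:
        print(demo())
```

Run it against the test.raw produced by dd, or directly against the device (root on Linux, an elevated prompt on Windows for \\.\PhysicalDrive0) and store the JSON next to a date; that is the "snapshot" an AV keeps. The demo shows the limit of the 440-byte hash that MBRCheck shares: a patched byte of loader code flips the verdict to "unknown", but a rewritten disk signature (or partition table, which is what a bootkit that only redirects the active partition would touch) leaves it "known", so compare the parsed partition entries as well, and when the hash is unknown, disassemble the code rather than assume the worst.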
