Old 01-12-2005, 09:42 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2003
Location: Ohio
Posts: 64
PC_Fanatic is on a distinguished road
Shameful ! Applications writing to reserved boot sectors !

Remember the Intuit TurboTax fiasco of 2002? It seems that the software was writing to the reserved BOOT sectors of the hard drive.

I don't know if Intuit did this to thwart piracy or spy on their customers, but they suffered a public relations black eye for this SHAMEFUL practice.

Before I divulge the names of two other companies which are doing THE SAME THING, a little tutorial on hard drives...

The boot sector is the first sector of a hard drive (sector 0). It is used to boot the system and transfer control to the operating system.

On a typical hard drive, the boot sector is followed by 62 reserved sectors. These reserved sectors are not currently used. Technically, they exist outside of the data areas, the drive partitions. You can even FORMAT the drive and the reserved sectors aren't touched.

I was surprised to see that Norton Ghost (DOS command line version) writes to sector 62. As far as I can tell, this isn't done to facilitate the drive imaging process, it is done to keep YOU honest, to make sure that you're using the software within the bounds of the license agreement !

Another offender is Sony's Vegas 5 ( video editing application, trial version tested ). Why would a VIDEO application need to access sector 2 of your hard drive?

This is dangerous ground, people. There are no specifications for these reserved areas. Data written to these sectors is not protected by a filename, or file folder, or flagged. Another application can corrupt any information previously written to the same sector. Any information stored there is essentially useless.

But still they do it. Why?

PC_Fanatic is offline   Reply With Quote
Old 01-16-2005, 12:16 PM   #2 (permalink)
Registered User
 
Join Date: Aug 2004
Posts: 307
johnnyis42 is on a distinguished road
i have to be very sceptical of what is actually writing to your boot sector, as i have never seen any program pop up the BIOS antivirus protection screen, other than when changing drive letters or labels with windows explorer.

please provide more information as to what proof you have that these programs are actually writing to the boot sector. if ever many programs did write to the boot sector, i would think it would fill up rather quickly and you would have greater proof of this, such as frequent system crashes.
johnnyis42 is offline   Reply With Quote
Old 01-16-2005, 06:00 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2003
Location: Ohio
Posts: 64
PC_Fanatic is on a distinguished road
Johnny,

The programs aren't writing to the BOOT sector (sector 0). They are writing to the reserved sectors, as I stated previously.

Any disk sector editor will verify that Norton Ghost writes to sector 62. The text 'Norton Ghost' appears in the sector dump, along with the names of the attached hard drives on the system.

Since this sector is BLANK before Ghost runs, I'm fairly certain that Ghost is the culprit.

The reserved sectors (1-62) don't affect the system boot. The bios only needs to read sector 0 before control is passed to the OS.

For all intents and purposes, the reserved sectors (1-62) are invisible to the OS. They don't belong to any partition on the drive. They are off-limits to application software. The only way to write to these sectors is to use the BIOS disk routines directly, and bypass the OS filesystem.

There is no LEGITIMATE reason for an application to use these sectors.
PC_Fanatic is offline   Reply With Quote
Old 01-16-2005, 07:38 PM   #4 (permalink)
Registered User
 
Join Date: Aug 2004
Posts: 307
johnnyis42 is on a distinguished road
ok... you're talking about norton ghost.... disk imaging software. i would expect it to write to every sector of the drive, including the boot sector or else it is not doing its job. you say it's for copy protection/license agreement.... this occurs when you install the program? be more specific as to when it writes to that sector, unless you have a reference from symantec on why they do that, and post it.

i'm wondering about these other programs though. if the operating system does not have access to those sectors as you say, how can these programs write to it? as i was saying before, if the BIOS boot sector virus protection is enabled, then any application that accesses the boot sector, no matter where it is, it would bring up the warning screen, correct?
johnnyis42 is offline   Reply With Quote
Old 01-16-2005, 11:26 PM   #5 (permalink)
Registered User
 
Join Date: Jan 2003
Location: Ohio
Posts: 64
PC_Fanatic is on a distinguished road
Johnny,

Let's say I want to make a backup of my 'C' drive. I'm not backing up the entire hard drive, just the 'C' partition. The backup image is stored on another drive.

Ghost has no reason to even READ the reserved sectors, let alone WRITE to them. They don't belong to 'C'.

Ghost isn't 'backing up' the reserved sectors. It's writing TO them. Ghost won't even backup the boot sector unless the ENTIRE drive is imaged.

Find a disk sector editor. Skip through sectors 1-62. These sectors should contain nothing but zeros.

Run Ghost, and backup ANY partition on the hard drive. Now check the reserved sectors again with the sector editor. You'll find that one of the sectors (probably 62) has the 'Norton Ghost' signature.

It isn't difficult to write a program to access the disk controller directly. Load the proper CPU registers and jump to an interrupt vector.

This won't raise any flags with the OS. The boot sector is NOT being written, the reserved sectors are.

My point remains the same. These companies should be able to protect themselves from piracy. This is not how it should be done.

Think of this as a permanent 'cookie' on your hard drive. The program leaves a cookie, and nothing short of partitioning the drive will remove it.
PC_Fanatic is offline   Reply With Quote
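The before-and-after check described in the post above (sectors 1-62 should contain nothing but zeros), as an added Python example that is not part of the original thread: it parses the MBR partition table to find where the first partition starts and lists every non-zero sector in between. The function names and the sample image, including the marker text placed in sector 62, are constructed for illustration; a 512-byte sector size is assumed.

```python
import re
import struct

SECTOR = 512  # assumed sector size

def first_partition_lba(mbr: bytes) -> int:
    """Return the lowest starting LBA among the four primary MBR entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no 0x55AA MBR signature")
    starts = []
    for i in range(4):
        entry = mbr[446 + 16 * i : 462 + 16 * i]
        ptype = entry[4]                              # partition type byte
        lba = struct.unpack_from("<I", entry, 8)[0]   # start LBA, little-endian
        if ptype == 0xEE:
            raise ValueError("protective MBR: GPT disk, sectors 1+ hold GPT data")
        if ptype != 0 and lba != 0:
            starts.append(lba)
    if not starts:
        raise ValueError("no partitions defined")
    return min(starts)

def scan_reserved_sectors(image: bytes) -> list:
    """Report every non-zero sector between sector 0 and the first partition."""
    end = first_partition_lba(image[:SECTOR])
    findings = []
    for n in range(1, end):
        data = image[n * SECTOR : (n + 1) * SECTOR]
        if len(data) < SECTOR:
            break  # image is shorter than the gap; stop at the last full sector
        if any(data):
            strings = [s.decode("ascii")
                       for s in re.findall(rb"[\x20-\x7e]{4,}", data)]
            findings.append({"sector": n,
                             "nonzero_bytes": sum(b != 0 for b in data),
                             "strings": strings})
    return findings

def build_sample_image() -> bytes:
    """Constructed image: one partition at LBA 63, marker text in sector 62."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00",
                               0x07, b"\xfe\xff\xff", 63, 2048)
    mbr[510:512] = b"\x55\xaa"
    image = mbr + bytearray(SECTOR * 63)              # sectors 0..63
    image[62 * SECTOR : 62 * SECTOR + 12] = b"Norton Ghost"
    return bytes(image)

if __name__ == "__main__":
    for finding in scan_reserved_sectors(build_sample_image()):
        print(finding)
```

Non-zero sectors in this gap do not by themselves identify a licensing marker: boot loaders such as GRUB also place code there, so compare a scan taken before the application runs with one taken after.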
Old 01-17-2005, 08:46 PM   #6 (permalink)
Registered User
 
Join Date: Aug 2004
Posts: 307
johnnyis42 is on a distinguished road
right, that's not my point.

the BIOS virus protection should be catching this. my question is if it notices these things, and if not, why doesn't it? this would beg the question of when these programs actually are writing to the boot sector (somehow before or during POST?!?!)
johnnyis42 is offline   Reply With Quote
Old 01-22-2005, 11:50 PM   #7 (permalink)
Registered User
 
Join Date: Jan 2005
Posts: 4
Smokey01 is on a distinguished road
sectors 1- 62

on C:\> there is " . " which should be the MBR then there is " .. " then C:\WINDOWS> if there is software writing some kind of spy software to sectors 1 - 62 then run a spyware program that will do a complete scan of the C:\> drive and it should find it. then delete it. the only company that put anything on C:\> is Microsoft to verify that the software you have is not a Boot-Leg copy. Boot-Leg Copy= any software installed on a computer with a stolen virgin Product Key obtained from the use of a Key Generator. they can trace you and file criminal charges against you for Piracy, Theft, and Violation of FCC Rule & Regulations.
Smokey01 is offline   Reply With Quote
Old 01-23-2005, 12:48 PM   #8 (permalink)
Registered User
 
Join Date: Aug 2004
Posts: 307
johnnyis42 is on a distinguished road
i guess i'm just misunderstanding the issue here... ok, i keep reading the title of the post and then thinking boot sector... sector 0, but you're saying "reserved sectors 1-62".... now all i'm thinking is, why would it matter? reserved by who, windows? i'd think if windows needs these sectors specifically, it would go ahead and push the data that is there over to another place on the drive and then write whatever it needs to the sectors.

i mean, correct me if i'm wrong, but windows using NTFS doesn't care all that much about where the data is as long as the boot partition starts in the right place before a certain sector... right? even then from what i have seen you can make it work if the partition is way later on the drive, so long as the drive geometry doesn't get changed from what windows wants it to be.

my question is, does windows give elevated permissions to files launching from certain sectors? i thought this problem was addressed with the security file level security settings and access control lists, independent of the actual file locations outside of sector 0. i mean, wouldn't microsoft have the forethought to deny access to "special" sectors from programs not running under microsoft signed credentials? i would imagine there is a developer article addressing this, and i'd definitely like to see it if in fact this is a way of circumventing microsoft security, or a fluke and oversight in the design. how special are these sectors really?
johnnyis42 is offline   Reply With Quote
Old 01-23-2005, 08:45 PM   #9 (permalink)
Registered User
 
Join Date: Jan 2003
Location: Ohio
Posts: 64
PC_Fanatic is on a distinguished road
Who owns the reserved sectors?

What if you had a multiboot setup, with Windows XP, Windows 98, and Linux ?

Windows doesn't own the reserved sectors.
Linux doesn't own the reserved sectors.

None of these OS's have a reason to write to the reserved sectors. They exist on their own partitions, separate from the reserved sectors.

The ONLY reason an APPLICATION would write to these sectors is to hide data from you, in a semi-permanent way.

Format your drive, reinstall the OS. The data is STILL there, untouched.

If you can't access data on your drive with the tools the OS provides, it shouldn't be there. As far as I know, Windows doesn't provide such a tool to erase the reserved sectors.

Remember,

Just because you're not PARANOID doesn't mean that someone isn't watching you...
PC_Fanatic is offline   Reply With Quote
Old 01-24-2005, 06:49 PM   #10 (permalink)
Registered User
 
Join Date: Jan 2003
Location: Ohio
Posts: 64
PC_Fanatic is on a distinguished road
Johnny,

I always enjoy our discussions. You pose questions that I cannot answer, and that compels me to learn more.

Maybe I'm being paranoid. But I won't give an inch on this one. I vow to keep my reserved sectors the way my Western Digital drive utilities intended them to be.

You should, too.

Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light.

Dylan Thomas
PC_Fanatic is offline   Reply With Quote
All times are GMT -6. The time now is 08:28 PM.