Boot Sector Virus

Not a highly probable event.

What is the current recommended way to detect such an issue?

What is the current recommended way to clear any problem, if I suspected that there was one?


You will find useful information if you read about Trench Boot, Anti Evil Maid and Secure Boot.

Starting from here might be a good idea (and reading the references):


It is good you posted those links. I think it is more the prevention of the problem.

How can I be sure I removed a Boot Virus? I mean, the specifics of removing it, while being sure some kind of trick did not immediately re-install the boot virus.

  1. Find another system you trust to be virus free
  2. Create an installer on a trusted media (e.g. a trusted Flash drive) using the above system
  3. Boot your target system with the above flash
  4. Reinstall operating system of the target system or repair MBR and/or UEFI and boot partition of the target system.

Failure to achieve any of the above individual steps will result in an untrusted target system.

If I am simulating a high-security mode, I do not trust anything. Which, for my threat model, I agree, is a bit silly.

I had thought that, in order for some distros of Linux to be part of a dual install, THEN:

When the distro would read the boot sector, make the change for the current install to work, write it back… Not to write a completely new “Boot Sector” from the installing distro.

GitHub has some software to specifically fiddle with boot sectors. I was looking at one that dealt in editing UEFI. But that also comes back to my trusting someone else’s suggestion.

A bit off the subject. With the latest Qubes 4.2.2 rc1,
when the “verify confirmed” flicks by, it is too fast to read. I tried to photo it with a cell phone camera. Also too fast. This is a bit of a bother. I want to not only verify that I got the correct download of Qubes 4.2.2 rc1 with gpg and hashing. I want to be sure that the version I am installing has been correctly written, then being read from the USB key. Can we have a hang right after the USB verify of the correct Qubes OS, waiting on Enter from the keyboard? Or is there something about that I do not understand as well?

I would feel pretty sure that a newcomer to Linux will not verify the PGP key of the downloaded ISO. The verify on the install is all they will do.

I think the installer won’t continue the installation if the media test fails, so there is no need to pause the installer to tell the user that the media test succeeded.

Never trust. But raise the bar as high as possible by verifying with all the tools provided.

You just can’t be sure ever. It’s game over.

Especially if you don’t know how it happened to be infected. A boot sector virus must be a multi-stage one, where you need an already compromised OS. So when you are ‘detecting’ a boot sector virus… you already lost this game by a few steps - unless you are talking about a floppy/USB/or any other external disk, as that case might be a very different one.

If it’s your main disk, you better reconsider everything you have done on such an infected machine. And you might also need a forensics analysis to find out when and how you got infected - without that you will get it again…

But… as you might imagine, those are very time consuming tasks, and they also require some expertise.

That’s why prevention is the thing you should focus on, and this is where Qubes can help you.

Simply reinstalling the OS might not be enough…

I would overwrite the disk with dd.
The first few sectors should be enough, but it is better if you fully overwrite it.

If you are really paranoid, you might want to destroy that disk and never reuse it again.

Also the boot sector ‘virus’ might be just part of the issue: if a system is compromised, the attacker might get much more persistence by infecting/rewriting the BIOS/UEFI of the system, and/or the BIOS/firmware of other devices like:

  • VGA,
  • Network/Wifi Card,
  • or any other (PCI) device with writable firmware.

But again: Qubes is here to prevent such situations.
If it has already happened: Game Over.
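Two of the steps discussed in this thread can be made concrete with a small script: the detection question from the first post (take a baseline of the first sectors while booted from trusted media, as in the reinstall steps above, and compare it later) and the dd overwrite of the first sectors recommended in the previous post, followed by a check that the overwrite actually took effect. The script below is an added example, not code from this thread or from the Qubes project. It works on a constructed image file created by `make_test_image`, so it runs without touching a real disk; on a real system you would pass a device node (e.g. `/dev/sdX`, which is an assumption you supply yourself) while booted from the trusted installer media.

```shell
# Added example (not from the thread or the Qubes project): baseline hash of the boot
# region, change detection, and a dd wipe that is verified afterwards. The image file
# produced by make_test_image stands in for a real disk device.

# First 2048 sectors = first 1 MiB: the MBR plus the gap where stage-2 boot code lives.
BOOT_SECTORS=${BOOT_SECTORS:-2048}

# SHA-256 of the first $BOOT_SECTORS sectors of a device or image file.
boot_region_hash() {
    dd if="$1" bs=512 count="$BOOT_SECTORS" 2>/dev/null | sha256sum | cut -d' ' -f1
}

# 0 if the two signature bytes 0x55 0xAA sit at offset 510 (a valid MBR), else 1.
has_mbr_signature() {
    [ "$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "55aa" ]
}

# 0 if the current hash matches the stored baseline, 1 if the boot region changed.
check_boot_region() {
    [ "$(boot_region_hash "$1")" = "$2" ]
}

# Zero the first $BOOT_SECTORS sectors. conv=notrunc keeps an image file at its size;
# on a real device, drop count= to overwrite the whole disk as the post recommends.
wipe_boot_region() {
    dd if=/dev/zero of="$1" bs=512 count="$BOOT_SECTORS" conv=notrunc 2>/dev/null
}

# 0 if every byte in the first $BOOT_SECTORS sectors is zero (the wipe took effect).
boot_region_is_zero() {
    ! dd if="$1" bs=512 count="$BOOT_SECTORS" 2>/dev/null | od -An -v -tx1 | grep -q '[1-9a-f]'
}

# Constructed 2 MiB image: zero-filled, with a valid MBR signature written at offset 510
# (octal \125\252 = 0x55 0xAA). Prints the path of the temporary file.
make_test_image() {
    img=$(mktemp)
    dd if=/dev/zero of="$img" bs=512 count=4096 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf '%s\n' "$img"
}

# Walk-through: baseline, simulate a one-byte change in the boot code, detect it,
# wipe the boot region, verify the wipe.
demo() {
    img=$(make_test_image)
    baseline=$(boot_region_hash "$img")
    printf 'X' | dd of="$img" bs=1 seek=0 conv=notrunc 2>/dev/null   # simulated change
    if check_boot_region "$img" "$baseline"; then
        echo "boot region unchanged"
    else
        echo "boot region CHANGED since baseline"
    fi
    wipe_boot_region "$img"
    boot_region_is_zero "$img" && echo "boot region zeroed"
    rm -f "$img"
}
```

Run `demo` to see the sequence on the constructed image. The baseline only means something if it was taken from a system you trusted at that moment and stored off the disk being checked (the trusted media from the reinstall steps is the natural place), since a compromised OS could otherwise rewrite both the sectors and the stored hash.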