Slashdot Mirror


MBR Trojan Approaching the 3-Year Mark

bl8n8r writes "Still going strong since February 2006, the 'Sinowal' Master Boot Record infector (also called 'Torpig' and 'Mebroot' by various anti-virus companies) has compromised more than half a million financial accounts. An HTML injection engine adds fields to login pages to compromise credentials. Injection is triggered by the Web addresses — more than 2,700 bank and e-commerce sites are hard-coded into the malware. 'RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks.' The majority of anti-virus and anti-malware scanners do not detect this threat."

165 comments

  1. dupe by symbolset · · Score: 2, Informative

    No point in commenting on this since the previous story is still on the main page.

    --
    Help stamp out iliturcy.
    1. Re:dupe by zappepcs · · Score: 4, Insightful

      There is another reason for not really needing to comment: Slashdot needs a special tag for stories that include this implicitly or by implication. That information is:

      The majority of anti-virus and anti-malware scanners do not detect this threat.

      For such stories, we need to call bullshit and throw spam like emails at the majority of anti-virus company's email servers.

      It's one thing to say you are selling really nice tasting lemonade that helps your body fight disease by assisting your body with vitamin C. It's another to say you don't need to take anything else to help your body by our lemonade. That is the trouble with non-F/OSS software; they claim to have the answers. This is no better than selling snake oil IMO when you consider the condition of many if not most home users PC systems.

      There are many times in the USA when the fucking cure is worse than the disease. Antivirus companies are part of that 'issue'

    2. Re:dupe by symbolset · · Score: 5, Interesting

      Actually, it's correct. With rootkits, the rootkit inserts itself into the processes of the operating system as it loads. If the AV attempts to read the boot block, it feeds the AV the boot block that it saved when it installs itself. It excludes itself from the process listing. It prevents access to memory where its functions are stored. It really is bulletproof.

      With a bug like this one you usually have to boot to some other media (usually read-only) and run a scan against the disk without using the compromised operating system. In short, they're a pain in the butt.

      --
      Help stamp out iliturcy.
    3. Re:dupe by zappepcs · · Score: 4, Insightful

      You know that part on the label on cold medicines that says not to operate heavy machinery? When you buy an antivirus software package, are there any warning labels? Nope. This is what leads to my complaint. There are large numbers of people that think their original one year license for Symantec et al is good enough for the life of the PC, and nobody is telling them any different. Nor is anyone telling them that what they got for free with the PC will not keep up with malware, and that they are going to have to keep paying and paying if they want to use that program. This is a large portion of why Windows machines are so vulnerable. Even though Windows fanbois like to claim that Linux is for advanced users and not average users, those same users are making Windows a target for virus writers. The other portion is the vast security holes left in Windows production software.

      Antivirus companies and MS will NEVER make Windows safe for two reasons: Nobody really wants to pay a yearly subscription and the people they sell to have NO FUCKING CLUE how to keep their machine(s) safe. You and I might know how to get rid of a MBR virus, but aunt bettie doesn't, and won't without a lot of training. FerChrisSakes, you first have to explain what a boot record is. Does training come with a Windows license? Do you need to pass a state level exam to operate a PC? nope. The problem will persist and will not get any better until antivirus companies start trying to educate. It will not get any better till your average Windows users understands that they have to work hard to administer their system to avoid infections and malware.

      Without education, the problem will continue... ad infinitum!

      That's why I think there should be a tag for it

    4. Re:dupe by spydabyte · · Score: 0, Flamebait

      Then you said it yourself, education is the fix, not a "tag" or label. I say take the warning labels off of everything and let the problem solve itself. /quote.

    5. Re:dupe by zappepcs · · Score: 1

      Buy anything from China? Just curious.

    6. Re:dupe by compro01 · · Score: 1

      Taking the warning labels off everything doesn't work in this instance, as them getting infected results in other people's stuff getting screwed up (DoS'd servers, etc.).

      --
      upon the advice of my lawyer, i have no sig at this time
    7. Re:dupe by Anonymous Coward · · Score: 1, Insightful

      Are tags and labels not a form of education?

    8. Re:dupe by davolfman · · Score: 1

      So you build a bootable read only disk and scan from outside the OS. I suppose being effective is less important than "easy" for these vendors.

    9. Re:dupe by hairyfeet · · Score: 1

      What I don't get is this: flash sticks are really really cheap, right? And just about every PC built in the last 8 years can boot off flash drives, and most OEM machines I worked with have this set to work by default, in case the user needs to update the BIOS. So why don't the AV companies simply have an encrypted file connected to a bootloader so that when you go to the website you can pick "make me an antivirus flash stick" that will (after prompting to back up the files if it isn't empty) format and install a scanner with an encrypted sig payload so you can then reboot and scan the machine outside of the OS/HDD. This would allow them to scan for those bugs that load pre OS and would make it butt simple for even Joe home user to check for things like rootkits. Maybe I'm missing something here, but it seems to me that would be the way to go. And they could always put up a weekly ISO for those that can't boot from USB.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    10. Re:dupe by symbolset · · Score: 1

      Generally if you can boot it and it has an environment that can read NTFS partitions and run an antivirus program, it's an operating system. Antivirus vendors don't include operating systems with their products for the obvious reason.

      --
      Help stamp out iliturcy.
    11. Re:dupe by ion.simon.c · · Score: 1

      I hear that DR-DOS and Linux are pretty cheap these days.

    12. Re:dupe by slicenglide · · Score: 1

      At GeekSquad *dodges many books thrown* we have an MRI that does specifically that, boots its own PE environment, and then runs scans against both your hard drive, and a redirected remote registry scan against your hard drive's registry. If you boot your own OS, you don't have to worry about rootkits.

      --
      John Walsh once found me while looking for some other kid. He was not amused.
    13. Re:dupe by symbolset · · Score: 1

      So... at which step do you download all the porn to your server?

      --
      Help stamp out iliturcy.
    14. Re:dupe by hairyfeet · · Score: 1

      THANK YOU!!! That was EXACTLY what I was trying to suggest! We are not talking about making an entire OS here. After all it is going to have only one job, which is to run the encrypted AV which will in turn look for bugs. Any kind of very basic DOS or Linux could be used for it. Hell if they wanted to get fancy and let the user have a way to work or goof off while it ran I'm sure the guy that wrote Menuet would let them use it cheap, or they could of course use BSD for free.

      The point is we are seeing more and more bugs that can get around the traditional scanning, either by loading before boot, or even running virtual like the Blue Pill. And we know that malware is only going to get nastier. After all there is big money in botnets. And where there is big money, there are clever programmers willing to take the cash. So by giving the AV a way to scan outside the OS and HDD it should be able to detect even the nastiest forms of malware. So why hasn't anyone done this yet? With the amount of competition in the AV industry you'd think cooking something up like this would be a big selling point.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    15. Re:dupe by slicenglide · · Score: 1

      As far as that goes, we have mule PC's to transfer all data at precincts... and we can't open or view files, and it's logged who copies what to where.... and is deleted automatically from the machine after 30 days... I know it's the big joke, but honestly.. a few people give a whole company a bad name... and that had to change.. -So they did.

      --
      John Walsh once found me while looking for some other kid. He was not amused.
    16. Re:dupe by hairyfeet · · Score: 1

      But that doesn't explain why someone isn't making an easy one for Joe Home User. Network boot is for someone who is a geek or in IT, not Joe. And I checked some of those Google links and they were nearly all by folks saying they need one but can't find one. So it is pretty obvious the need is out there, and this would give a home AV company a really nice selling point if they made it easy for Joe to use, so why hasn't anybody jumped onboard? Maybe someone who works at one of the AV companies can answer the question.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    17. Re:dupe by symbolset · · Score: 1

      I'm glad they've changed. Your PC tech is more like your confessor or your doctor than ever before. The level of professional confidence required is not matched by legal protections or professional standards.

      That needs to change.

      --
      Help stamp out iliturcy.
    18. Re:dupe by slicenglide · · Score: 1

      The company is always changing, something I haven't minded while working there. HIPAA compliance is something they take very seriously.. and the company is working towards being at the top of the game when it comes to customer privacy, and having great tools that take worry out of the equation for both the customer and the employee are always loved when they come through the chain.

      --
      John Walsh once found me while looking for some other kid. He was not amused.
  2. Get your birthday hats ready by narcberry · · Score: 1

    It's quickly approaching! The very important 3 year mark is only 3... months... away...

    --
    Modding me -1 troll doesn't make me wrong.
  3. The majority of anti-virus/anti-malware? by morgan_greywolf · · Score: 5, Informative

    Wow. ClamAV and AVG both detect Sinowal. Both are free as in beer and ClamAV is free as in speech.

    1. Re:The majority of anti-virus/anti-malware? by Anonymous Coward · · Score: 1, Interesting

      only avg did.
      http://www.virustotal.com/analisis/e124e55a8ac21d5898e5181c4a82c543

    2. Re:The majority of anti-virus/anti-malware? by symbolset · · Score: 3, Funny

      Not to put too fine a point on it, but it does appear that Sinowal is free as in beer as well.

      --
      Help stamp out iliturcy.
    3. Re:The majority of anti-virus/anti-malware? by Joao · · Score: 1

      According to the chart, ClamAV didn't.

    4. Re:The majority of anti-virus/anti-malware? by Joao · · Score: 1
    5. Re:The majority of anti-virus/anti-malware? by indifferent+children · · Score: 1

      Sinowal is not free as in beer. It's more like free as in the-raping-you-get in prison is free. Now if Sinowal were a Microsoft product, it would pound you in the ass and then take your 'smokes'.

      --
      Censorship is telling a man he can't have a steak just because a baby can't chew it. --Mark Twain
    6. Re:The majority of anti-virus/anti-malware? by Otter+Popinski · · Score: 1

      New category: free as in herpes?

  4. What efforts are being made to find the operators? by Animats · · Score: 5, Insightful

    Since this thing is understood, it's possible to inject phony credit card numbers into the attack. If law enforcement and a bank worked together on this, they could inject flagged credit card numbers and watch where they were used, then make some arrests. For that matter, a denial of service attack could be made against the attacker by injecting huge numbers of bogus credit card numbers, the use of any of which triggered law enforcement attention.

    Maybe when Bush is gone, and the FBI and Justice Department get some decent management, we'll see some action in this area. This is what FBI Baltimore should be doing, instead of sending out child porno and seeing who bites.

  5. Re:What efforts are being made to find the operato by NobleSavage · · Score: 2, Interesting

    The CC numbers are probably sold through various layers of various criminal organizations. If they made arrests it would probably just be people at the end of the chain. Granted, they could try to get them to turn state's evidence if they had any info that would lead back up the chain.

  6. The majority of anti-virus scanners... by Fryth · · Score: 1

    ...suddenly do!

    1. Re:The majority of anti-virus scanners... by Anonymous Coward · · Score: 0

      suddenly == ~3 years ago?
      Check http://www.kaspersky.com/viruswatchlite?hour_offset=-1&search_virus=Sinowal&page=32

      15 December 2005
      Trojan-PSW.Win32.Sinowal.a 02:35 04:11

  7. Re:What efforts are being made to find the operato by BrokenHalo · · Score: 2

    Maybe when Bush is gone, and the FBI and Justice Department get some decent management, we'll see some action in this area.

    Sure, Bush will be gone, but that doesn't mean you'll get any decent management (if that isn't an oxymoron).

    I won't go as far as to say that shit floats to the top (OK, maybe I will) but where else are you going to put all those unskilled workers other than management? ;-)

  8. Re:What efforts are being made to find the operato by symbolset · · Score: 3, Interesting

    That's cute. Their system employs double blind methods for getting your money from your account to their account, and they have infinite scale. Billions of phony accounts would not slow them down and would not impede their activity in the slightest.

    There are strategies that could be employed, but neither candidate is clueful enough to find someone who knows what they are. The government is not going to descend from on high and make the Internet a nice technocolor paradise. It's rough out here. Fend for yourself.

    Man, will I be glad when silly season is over and people quit trying to insert politics into every issue.

    --
    Help stamp out iliturcy.
  9. No surprise by kent_eh · · Score: 5, Insightful

    'RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks.'

    Yet people still look at me like I'm a cave man when I refuse to do online banking...

    --
    "I can't complain, but sometimes still do..." Joe Walsh
    1. Re:No surprise by Anonymous Coward · · Score: 0

      No worries. It's so easy even a caveman could do it.

    2. Re:No surprise by symbolset · · Score: 1

      If this doesn't seal your confidence, remember that this is only one of millions of Windows malware systems feeding into a fully evolved malware ecosystem. It's a wonder anybody has money in their account at all. It's a wonder every person's credit isn't compromised. Certainly enough personal data has been lost to compromise everybody but the Amish.

      --
      Help stamp out iliturcy.
    3. Re:No surprise by j79zlr · · Score: 1

      A good idea but how many eyes see a personal check between whoever you wrote it for and when it gets back to your bank? What difference does it make that you don't online bank when the teller looks up your information on the compromised machine at the office? You can't live your life in fear.

      --
      I'm not not licking toads.
    4. Re:No surprise by wiredlogic · · Score: 1

      The difference is that there is much more incentive for organized crime to develop trojans that can amass credentials to hundreds of thousands of accounts than there is in trying to intercept a check. Card skimming is a bigger problem and even that is difficult due to the likelihood of getting caught once the fraud detection is set off and they track down the source. The scope of what can be accomplished through fraud on the internet is much greater and therefore the risk is higher.

      --
      I am becoming gerund, destroyer of verbs.
    5. Re:No surprise by Mascot · · Score: 5, Interesting

      You are a caveman if your bank belongs in the stone age and you don't switch to another.

      Any bank with an online solution worth using will have token based authentication per transaction. And those would be impervious to this attack.

      I was shocked when I learned a lot of banks actually don't use such a system. It became apparent to me when a lot of people piped up about the World of Warcraft token based login by saying "now WoW has better security than my bank". What the... How are those banks permitted to handle money at all with such lax security routines?

    6. Re:No surprise by Ihmhi · · Score: 2, Informative

      A buddy of mine works for a company that designs software for use in police cruisers and the stations. They can also cross-reference data between other systems.

      To access the master server where all of the cross-referenced data is aggregated, you need one of those tokens. For the uninformed, it's a small device about the size of a flash drive with a constantly rotating number that is in sync with an encryption scheme on the server. It rotates every 30-60 seconds as I recall.

      If it's good enough to secure the loads of personal information that's sure to be contained in said records, then why don't our banks employ such a system? It would certainly go a long way towards reducing fraud IMO.

    7. Re:No surprise by dkf · · Score: 2, Insightful

      If it's good enough to secure the loads of personal information that's sure to be contained in said records, then why don't our banks employ such a system?

      Oh that's an easy one. Banks don't do that because they reckon it is cheaper to reimburse people for the actions of fraudsters after the fact. It's a sad day when doing the obviously fair and right thing is rejected on cost grounds; obviously the value of being honest is underrated by banks. I just so wish I was surprised.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    8. Re:No surprise by Ash-Fox · · Score: 1

      Any bank with an online solution worth using will have token based authentication per transaction. And those would be impervious to this attack.

      Royal Bank of Scotland uses a challenge/response calculator. You insert your credit card/debit card into it, tell it you want to do a challenge, enter your card pin, enter the challenge code on the screen, get the response code and type that in manually.

      Neat thing is that you don't need to carry multiple dongles for each separate account you have with them.

      --
      Change is certain; progress is not obligatory.
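The per-transaction token scheme Mascot and Ash-Fox describe above (challenge on screen, card plus PIN in a handheld reader, response typed back), modelled as an added example that is not code from the thread and not RBS's actual protocol: HMAC-SHA256 stands in for the card's real cryptogram, the challenge is assumed to be bound to payee and amount, and the card values are constructed. It shows why a username, password and one typed code harvested from a session cannot be replayed for a different transfer.

```python
"""Model of per-transaction challenge/response card authentication."""
import hashlib
import hmac
import secrets

# Constructed sample card: the chip holds a per-card secret and the PIN.
# Hypothetical values, not real card data.
SAMPLE_CARD = {"secret": bytes.fromhex("000102030405060708090a0b0c0d0e0f"), "pin": "4321"}


def derive_code(card_secret: bytes, challenge: str, digits: int = 8) -> str:
    """Response code from card secret and challenge. HMAC-SHA256 is an
    assumption standing in for the card's real cryptogram function."""
    mac = hmac.new(card_secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** digits:0{digits}d}"


def card_response(card: dict, pin_entered: str, challenge: str):
    """Handheld reader with card inserted: the card checks the PIN itself and
    only then computes the response; the PIN never leaves the reader."""
    if not hmac.compare_digest(pin_entered.encode(), card["pin"].encode()):
        return None  # wrong PIN: no code is produced at all
    return derive_code(card["secret"], challenge)


class BankServer:
    """Bank side: knows each card's secret, issues one challenge per transfer."""

    def __init__(self) -> None:
        self.card_secrets = {}   # account -> card secret shared with the chip
        self.pending = {}        # outstanding challenge -> (account, payee, amount)

    def enroll(self, account: str, card_secret: bytes) -> None:
        self.card_secrets[account] = card_secret

    def start_transfer(self, account: str, payee: str, amount: str) -> str:
        """Challenge = random nonce + digest of the transfer details, so a
        response only fits this payee and amount (assumed binding)."""
        nonce = secrets.token_hex(4)
        bound = hashlib.sha256(f"{account}|{payee}|{amount}|{nonce}".encode()).hexdigest()[:8]
        challenge = nonce + bound  # 16 hex characters shown on the banking page
        self.pending[challenge] = (account, payee, amount)
        return challenge

    def complete_transfer(self, challenge: str, response) -> bool:
        """Challenges are single-use: popped on first use, so a second attempt
        with the same challenge fails even with the right code."""
        entry = self.pending.pop(challenge, None)
        if entry is None or response is None:
            return False
        account, _payee, _amount = entry
        expected = derive_code(self.card_secrets[account], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    bank = BankServer()
    bank.enroll("acct-001", SAMPLE_CARD["secret"])

    # 1. Legitimate transfer: customer types the on-screen challenge into the reader.
    ch1 = bank.start_transfer("acct-001", "payee-A", "25.00")
    code1 = card_response(SAMPLE_CARD, "4321", ch1)
    legit = bank.complete_transfer(ch1, code1)

    # 2. Everything an injected login form could have captured from that session
    #    (credentials plus the typed code) is replayed against a different transfer.
    ch2 = bank.start_transfer("acct-001", "payee-B", "4000.00")
    replayed = bank.complete_transfer(ch2, code1)

    # 3. The original challenge was consumed, so the captured pair is dead too.
    reused = bank.complete_transfer(ch1, code1)

    # 4. Without the PIN the card produces nothing to capture.
    wrong_pin = card_response(SAMPLE_CARD, "0000", ch1)

    return {"legit": legit, "replayed": replayed, "reused": reused, "wrong_pin": wrong_pin}


if __name__ == "__main__":
    print(demo())  # expected: legit True, replayed False, reused False, wrong_pin None
```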
    9. Re:No surprise by Mascot · · Score: 1

      why don't our banks employ such a system?

      The US seems to be lagging way behind when it comes to technology in banking. I'm in my mid 30s and I've never had a checkbook. In the US that's still widely used, apparently. Some years back a friend of mine took a job for a few years in the US and got his pay literally via physical check. That's unheard of.

      As far as security is concerned, I couldn't name a single bank that doesn't use tokens for online access, yet that too seems very common in the US.

    10. Re:No surprise by rcamans · · Score: 2, Interesting

      Actually, if one bank started using token-based, then all the other banks would be in the embarrassing position of having to explain why they didn't. And the token bank would have to explain why they finally did. Banks do not like to talk about security and crime, because they are so weak. They do not want anybody thinking about banks and security and crime because some of those thinking people might start questioning bank security and crime.

      A very long time ago I dated a girl who was a bank teller at a drive-up window. So we were in my bed and she was telling me how she thought she deserved a few thousand bucks more, so she would take people's money and not deposit it. Eventually the bank would catch on, and let her go. Not prosecute her or anything, just let her go. So she would get a job at another bank, since that is what she already knew how to do. The bank would not tell ANYONE she was a bank crook, not even another bank. Why? Because they cower in terror of anyone realizing this stuff happens. By the way, I immediately got up and hid my wallet.

      The majority of crime in most businesses (like retail, for example) is theft by employees. Why do you think banks are any different? If banks cannot coordinate the simplest system to keep thieves out of the banks, how do you expect them to keep thieves out of banks?

      Some of what needs to be done about bank security is being done by Visa / Mastercard. They have a PCI DSS specification. That needs to be enhanced to include token based, and other security specifications that force banks and all other money handling institutions to comply and clean up their acts.
      Like adding a database of bank workers who stole money, or loan officers who made bad loans to friends. Like setting up a special industry wide corporation that goes after banking criminals.

      --
      wake up and hold your nose
    11. Re:No surprise by arminw · · Score: 1

      ....because they reckon it is cheaper to reimburse people for the actions of fraudsters after the fact...

      It is probably true that at least so far, the losses are smaller than the costs of better security would be. A customer who lost or misplaced their token would soon find out that his neighbor's bank did not have such a hassle and switch to that bank that only had a simple password. People do lose their keys to cars and houses and will resist having to carry another key they could lose. There always will be a trade-off between convenience and security. Most people will gamble on the side of convenience and easy usability.

      --
      All theory is gray
    12. Re:No surprise by zippthorne · · Score: 1

      Does the calculation happen on the card itself or in the reader? This is, IMO, particularly important if you want to use your card anywhere but your home and the bank's branch offices.

      --
      Can you be Even More Awesome?!
    13. Re:No surprise by Ash-Fox · · Score: 1

      Does the calculation happen on the card itself or in the reader?

      Calculation occurs on the reader (which has a full numpad) using some unique values that are stored on the smartcard of the card you receive (can't be just generated from knowing the card number).

      This is, IMO, particularly important if you want to use your card anywhere but your home and the bank's branch offices.

      It's a handheld device. Official information on the card, what it looks like.

      --
      Change is certain; progress is not obligatory.
    14. Re:No surprise by ion.simon.c · · Score: 1

      I've seen comments on /. that indicate that *some* banks *are* handing out authentication tokens.

      This teller... was she a fun lay?

    15. Re:No surprise by ion.simon.c · · Score: 1

      Heh. They've changed the headers:

      X-Leela: There's a political debate on. Quick, change the channel!

    16. Re:No surprise by Bat+Country · · Score: 1

      We're lagging behind in many if not most other technological fields as well.

      Our cellular networks frankly suck and so do the plans they offer us.

      Our telephone infrastructure is still bad enough that there are semi-populated areas in which there is no telephone service at all

      Our broadband proliferation is very nearly the worst in the developed world.

      Voting machines are still a new thing to us, and rather than use the ones provided by companies outside the US who have been supplying more technologically advanced nations for years, we get ours from companies whose engineering pedigree typically has such wonderfully complicated technologies as vending machines and credit card paypoints.

      Our gas-burning automobiles are less efficient than what is considered a minimum requirement in Brazil.

      Our electrical power infrastructure is inadequate to the task of supplying electricity to certain parts of the country during summer months without rolling blackouts and regular brownouts - even in cities under a hundred miles from major hydro plants.

      Keeping the US at the top of the technological food chain hasn't been popular ever since the end of the Cold War. American corporate culture has changed since the grand old days where keeping their customers happy, cheerful, wearing the best damned clothes, driving the best damned car, and using the best damned newfangled icebox were all that mattered. Brand loyalty used to be the real currency which kept business afloat. I'm not old enough to have seen these supposed glory days, but I'm old enough to have watched its decline.

      The banks have no incentive to improve their service or security, as their competitors aren't doing it and the worst that could happen is that a few customers would become angry and leave the bank. This used to be considered a terrible thing. Now they can just shrug and continue shafting their other hundred million customers. It's nothing more than an attitude shift, but it's a pretty destructive one, and helps explain why so few people buy US-made products outside the US (except in the few industries where there is no other option).

      --
      The land shall stone them with the bread of his son.
    17. Re:No surprise by Anonymous Coward · · Score: 0

      My bank requires a random personal question to be answered alongside a custom username/password. I thought it was tedious at first for them to require me to answer several dozen personal questions, but now I'm glad they require it. A bot/trojan/whatever would need to get my username, password, AND land on the same randomized question that I answered when infected. Not that I should be concerned, since Debian doesn't have too many viruses floating around for it, nor am I stupid enough to get one even on windows.

  10. Re:What efforts are being made to find the operato by narcberry · · Score: 4, Interesting

    The problem isn't our ability to detect and identify the criminals.

    Our problem is convincing Russia and China to help us. Why would either be motivated to?

    Quite frankly, maybe I'm being an ignoramus, but the international community should create internet blockades around nations that don't play nice.

    --
    Modding me -1 troll doesn't make me wrong.
  11. Someone had to do it by Anthony_Cargile · · Score: 1
    1. Re:Someone had to do it by Chris+Tucker · · Score: 2, Funny

      You mean to say that this three year old Trojan ONLY affects machines running the Windows Operating System.

      I'm shocked, shocked, I say!

      "Botnets, spammers botnets!

      What kind of boxes make up botnets?

      Compaq, HP, Dell and Sony, true!
      Gateway, Packard Bell, maybe even ASUS, too!

      Are boxes, found on botnets, all running Windows. FOO!"

      --
      Guaranteed! This comment 100% Anthrax free!
    2. Re:Someone had to do it by Anthony_Cargile · · Score: 1

      lovely poem, lol! Don't get me wrong, I have 10 computers all running either some Linux distro (mostly debian) or hackintosh. I was just satirizing the typical /. response to the article.

    3. Re:Someone had to do it by Chris+Tucker · · Score: 1

      No offense taken whatsoever!

      My little ditty was, in its own way, a similar response as your own.

      Not that there wasn't more than a metric tonne of grains of truth to either, mind you.

      --
      Guaranteed! This comment 100% Anthrax free!
  12. whiskey and slashdot... by tjstork · · Score: 5, Funny

    I just saw this line in the article about a three year old Trojan and I thought, man wouldn't that thing get kinda full at some point?

    --
    This is my sig.
    1. Re:whiskey and slashdot... by compro01 · · Score: 1

      Nah, it's in a wallet.

      --
      upon the advice of my lawyer, i have no sig at this time
    2. Re:whiskey and slashdot... by ceoyoyo · · Score: 1

      They expire after a couple of years. Really should toss that one and get another.

    3. Re:whiskey and slashdot... by dotancohen · · Score: 1

      I just saw this line in the article about a three year old Trojan and I thought, man wouldn't that thing get kinda full at some point?

      You are not the average /.er. The average /.er hears a woman mention Trojans and instinctively tells her that he can fix it.

      --
      It is dangerous to be right when the government is wrong.
    4. Re:whiskey and slashdot... by Antique+Geekmeister · · Score: 1

      Why replace something that will never be used?

    5. Re:whiskey and slashdot... by ceoyoyo · · Score: 1

      Hope.

    6. Re:whiskey and slashdot... by Anonymous Coward · · Score: 0

      It never said it was a used Trojan, but they do expire eventually, and your wallet isn't a good place for them.

    7. Re:whiskey and slashdot... by Anonymous Coward · · Score: 0

      Full of dust, maybe. This is Slashdot!

  13. Re:What efforts are being made to find the operato by BungaDunga · · Score: 2, Informative

    Who says the people grabbing the card numbers are the ones who eventually use them? The guys controlling the virus probably just sell them en masse to someone else.

  14. Re:What efforts are being made to find the operato by WTF+Chuck · · Score: 2, Interesting

    FTA:

    While the Sinowal authors no longer use RBN as a home base, Brady said his team could find no trace of a single Russian victim in the entire database of credentials and identities stolen from customers of hundreds of banks across the United States, Europe and Asia, and at least 27 other countries.

    These guys aren't shitting where they eat, so why would the Russians have any incentive to cooperate?

    --
    Note - Liberal use of <sarcasm> tags may or may not need to be applied.
  15. Re:What efforts are being made to find the operato by narcberry · · Score: 2, Insightful

    While I agree, I would hope other nations uphold lawful behavior as a virtue, these men are still breaking Russian laws.

    But it's the essence of corruption. We cannot expect Russia to help us. We cannot expect China to help us. So, why do we let them peddle their packets in our networks? That might motivate them, but it will definitely reduce the security risks we face.

    --
    Modding me -1 troll doesn't make me wrong.
  16. so crazy by Tank_Snow · · Score: 0, Flamebait

    it is so crazy i will go online no more

  17. Re:What efforts are being made to find the operato by KermodeBear · · Score: 2, Informative

    Maybe when Bush is gone, and the FBI and Justice Department get some decent management, we'll see some action in this area.

    Yeah, because I'm sure that the priority of every president is credit card fraud.

    I know that it's popular to blame Bush for all the ills of the world, but it is short sighted and unrealistic. If you want to bash him over things for which he is truly responsible, feel free. There's lots of material. Blaming him for this, though, is just lame.

    --
    Love sees no species.
  18. Re:What efforts are being made to find the operato by compro01 · · Score: 1

    Of course, the difficulty is in defining exactly what "not playing nice" is.

    --
    upon the advice of my lawyer, i have no sig at this time
  19. clamav did NOT detect it by circletimessquare · · Score: 3, Informative

    read the story again, it links to virustools, which lists the 10 out of 35 vendors that made the detection. antivir did (mine, phew)

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:clamav did NOT detect it by Anonymous Coward · · Score: 0

      Some of the software they used was waaaay out of date though, unless I read something wrong. For instance, they said they used BitDefender 7.2 but the BD free version is 10 and premium is 11(maybe 12 at this point, I don't know)

    2. Re:clamav did NOT detect it by Anonymous Coward · · Score: 0

      they are using an old version of clamav.

    3. Re:clamav did NOT detect it by morgan_greywolf · · Score: 1

      yep. They're using 0.93.1 and the latest stable is 0.94.

  20. Re:What efforts are being made to find the operato by Jah-Wren+Ryel · · Score: 2, Insightful

    I know that it's popular to blame Bush for all the ills of the world, but it is short sighted and unrealistic. If you want to bash him over things for which he is truly responsible, feel free. There's lots of material. Blaming him for this, though, is just lame.

    One can certainly blame bush for focusing way too many resources on his war on terror and thus away from actual crimes like this one. Besides, nobody was "blaming him for this" they were blaming bush for not doing anything about this.

    --
    When information is power, privacy is freedom.
  21. we need an antivirus vendor by circletimessquare · · Score: 2, Interesting

    that supplies cd images online with their own mini boot os, updated monthly, that you download, burn, and then reboot into via cd

    90% of users wouldn't bother. it's just a giant hassle. but amongst the ultraparanoid, which you are if you know even just a little about what goes on out there, it would be a nice peace of mind guarantor

    of course, this product probably already exists. in which case PLEASE TELL ME WHERE ;-)

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:we need an antivirus vendor by BlueStrat · · Score: 3, Informative

      that supplies cd images online with their own mini boot os, updated monthly, that you download, burn, and then reboot into via cd

      90% of users wouldn't bother. it's just a giant hassle. but amongst the ultraparanoid, which you are if you know even just a little about what goes on out there, it would be a nice peace of mind guarantor

      of course, this product probably already exists. in which case PLEASE TELL ME WHERE ;-)

      Why not simply boot into a live CD whenever you want to do online banking or other such sensitive tasks if you're that paranoid? Nearly all allow for writing to the hard drive, so it's not a problem to save any data you want around after the task is completed like online statements, etc. If you're really paranoid, use Anonym.OS put together by Kaos.Theory Security Research and based on OpenBSD with hard encryption and use of TOR as defaults?

      Download here: http://sourceforge.net/projects/anonym-os/

      More information: http://kaos.to/cms/projects/releases/anonym.os-livecd.html

      Cheers!

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    2. Re:we need an antivirus vendor by Anonymous Coward · · Score: 0

      F-Secure does something like this already, which is based on knoppix:

      http://www.f-secure.com/linux-weblog/2008/06/19/f-secure-rescue-cd-300-released/

    3. Re:we need an antivirus vendor by Anonymous Coward · · Score: 0

      Google 'SystemRescueCD' and you'll find something pretty good.

    4. Re:we need an antivirus vendor by compro01 · · Score: 1

      Bitdefender used to have something like this called linuxdefender, though all indications point to it having been discontinued.

      --
      upon the advice of my lawyer, i have no sig at this time
    5. Re:we need an antivirus vendor by Anonymous Coward · · Score: 0

      http://free-av.de/en/tools/12/avira_antivir_rescue_system.html

    6. Re:we need an antivirus vendor by Antique+Geekmeister · · Score: 1

      A PXE and DHCP setup that provides a local OS image to load and run works very well in server environments, and in large identical client configurations like university computer rooms. Updating the single primary image becomes trivial.

    7. Re:we need an antivirus vendor by eulernet · · Score: 1

      Kaspersky Boot CD, daily build:

      http://dnl-eu3.kaspersky-labs.com/devbuilds/RescueDisk/

      (although it seems dated from 15th of October)

    8. Re:we need an antivirus vendor by Anonymous Coward · · Score: 0

      AVG makes one available that I know of. It is a paid-for product. Since AVG already detects this one, it might be pretty good too.

    9. Re:we need an antivirus vendor by Anonymous Coward · · Score: 0

      yes, it exists, it's called Kaspersky antivirus, and it uses BartPE automatically.

    10. Re:we need an antivirus vendor by Anonymous Coward · · Score: 0

      Wouldn't it suck if your virus noticed these downloads and "added" itself to the boot loader part of every bootable ISO you -burned-? :)

    11. Re:we need an antivirus vendor by BlueStrat · · Score: 1

      Wouldn't it suck if your virus noticed these downloads and "added" itself to the boot loader part of every bootable ISO you -burned-? :)

      Why, if one is that paranoid, would you even think of downloading and burning it on a machine suspected of being infected? Besides, it's trivial to check .iso-image MD5 hashes to assure that the .iso is uncorrupted on another known-clean machine.

      Cheers!

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    12. Re:we need an antivirus vendor by toddestan · · Score: 1

      If you have another known-clean machine, then why not download and burn on there? Since a MD5 check could be intercepted by the virus too on a contaminated machine, I'm still trying to figure out if you could verify the bootable CD was clean given only infected or possibly infected computers to work with.

    13. Re:we need an antivirus vendor by BlueStrat · · Score: 1

      If you have another known-clean machine, then why not download and burn on there? Since a MD5 check could be intercepted by the virus too on a contaminated machine, I'm still trying to figure out if you could verify the bootable CD was clean given only infected or possibly infected computers to work with.

      There comes a point where you 'what-if' yourself to a standstill. The MBR virus only has so much capability. If you assign it unlimited intelligence and power the only safe move is not to play, to steal a movie quote, and simply give up.

      Cheers!

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    14. Re:we need an antivirus vendor by Anonymous Coward · · Score: 0
    15. Re:we need an antivirus vendor by Anonymous Coward · · Score: 0

      based on OpenBSD with hard encryption and use of TOR as defaults?

      In fact, using tor leaves you vulnerable to exit node sniffing. Should not matter when using SSL, but...

  22. Re:What efforts are being made to find the operato by symbolset · · Score: 2, Funny

    Yes, you're being an ignoramus. That's ok. It was your turn. Last week was my turn.

    The depth of my ignorance can be measured by the length of time I've been aghast at the carelessness and clue deficit of software engineers, system designers, corporate and government IT staff. We're over a quarter century now, so I must be really, really dumb.

    Fortunately for me, in that I'm at least not unique.

    --
    Help stamp out iliturcy.
  23. Re:What efforts are being made to find the operato by Anonymous Coward · · Score: 0

    and who are you to decide what packets the global internet should or should not carry ?

  24. Ok, but only because you asked. by symbolset · · Score: 1

    The cure is here.

    It might take a little getting used to, but not as much as Vista. In the end I think you'll like it. Updates are twice a year rather than monthly but that seems to be frequent enough because the system has vulnerabilities less often, and you can't infect a CDROM anyway.

    The good news is that if you like the LiveCD version you can remove your hard drive and its risks altogether. You can even save your settings, preferences and files to a pen drive, SDHC chip or network share if you like. The bad news is that it's a PITA to install software that's not included unless you use a HDD or pen. Up from there, an office package is included, and all you have to do to install it to a HDD is click the install icon and answer a few simple questions. You can even use the thing while it installs to the HDD in the background.

    If you consider installing it to HDD you should be aware that historically it has supported 32 of the 1.7 million pieces of malware available on the Internet. Of those 32, only one ever escaped the laboratory, and that one is no longer supported in any possible configuration of the current version.

    Let me know what you think.

    --
    Help stamp out iliturcy.
    1. Re:Ok, but only because you asked. by setagllib · · Score: 1

      You can just boot it off an external USB drive and update it as you would a normal install. But if you're going to do that routinely, you may as well just dual boot.

      --
      Sam ty sig.
    2. Re:Ok, but only because you asked. by symbolset · · Score: 1

      Dual boot is for people with commitment issues. It's not worth the hassle, nor the Doubt of knowing if the second install is going to hash the first. If you need both, buy another PC or install one in a VM. It's not like a good Linux box costs more than $220 and virtualbox is free.

      But pen boot is cool. The version of Ubuntu that does it is only a couple days old. I haven't tried it yet. Maybe tomorrow. I'm pretty hot about it. I pen boot Clonezilla at work a couple hundred times a day. It's slick.

      --
      Help stamp out iliturcy.
    3. Re:Ok, but only because you asked. by Ihmhi · · Score: 1

      Dual boot is for people with commitment issues.

      Commitment issues? Excuse me?

      Please point me towards the OS that does everything excellently without compromise.

      It doesn't exist, which is why a lot of people Dual Boot. If it weren't for the fact that I were such a hardcore gamer I'd probably be using Ubuntu over XP. And please, save yourselves the trouble of bringing up WINE, because someone will inevitably retort that WINE isn't perfect and many games run poorly, at lower FPS, and possibly with a myriad of other problems.

      I love the idea behind Linux, but it won't be accepted by a large majority of people until it can do some of the most common tasks (Photoshop, more than a few PC games, run legacy or odd software) without having to run an emulator that won't work perfectly.

    4. Re:Ok, but only because you asked. by symbolset · · Score: 1

      I love the idea behind Linux, but it won't be accepted by a large majority of people until it can do some of the most common tasks (Photoshop, more than a few PC games, run legacy or odd software) without having to run an emulator that won't work perfectly.

      And a pony. It has to come with a pony.

      --
      Help stamp out iliturcy.
  25. Nothing but Admiration by DigitalisAkujin · · Score: 1

    As a programmer I have to point out that the programming required to make this trojan that fits in less than 512 bytes of MBR space could not be matched by most "programmers".

    Props to those guys. Capitalism unregulated. ;)

    1. Re:Nothing but Admiration by Stormwatch · · Score: 1

      512 bytes ought to be enough for anyone!

  26. meh by symbolset · · Score: 2, Interesting

    For this kind of work 512 bytes is huge. You have the resources of the BIOS, and you have to find one block: the block where the rest of your code begins. You have to load it and execute it. You're allowed to write the CHS address of this block in your boot block because the OS is never going to see it.

    I doubt it takes even 50 bytes to do that. On the original PC I could do it in 30.

    --
    Help stamp out iliturcy.
    1. Re:meh by freedumb2000 · · Score: 1

      Original PC? What's that, Win95?

    2. Re:meh by oldCoder · · Score: 1

      Yeah, but first you've got to load in the Java VM, the debugger...

      --
      I18N == Intergalacticization
  27. Re:What efforts are being made to find the operato by Anonymous Coward · · Score: 0

    You would see no problem with turning the internet into the US-net? You think that will eliminate fraudsters and scammers in any way, and not just give them a surety that their targets are in fact located where they appear to be?

  28. Such product exists by dallaylaen · · Score: 1

    http://www.freedrweb.com/livecd

    AFAIK it's a linux livecd with drweb antivirus installed. I have not used it myself, though.

    --
    WYSIWIG, but what you see might not be what you need
  29. Re:What efforts are being made to find the operato by Richard+W.M.+Jones · · Score: 1

    Who says the people grabbing the card numbers are the ones who eventually use them? The guys controlling the virus probably just sell them en masse to someone else.

    What's your point? They're still criminals. Arresting either the people who write the trojan, or the people controlling the trojan, or the people using the credit card numbers is still better than doing nothing.

    Rich.

  30. Virustotal: ZoneAlarm by oldCoder · · Score: 1

    The Virustotal list doesn't show ZoneAlarm Antivirus at all. So does ZoneAlarm find the virus or not?

    --
    I18N == Intergalacticization
  31. ClamAV Live CD by Anonymous Coward · · Score: 1, Interesting

    ClamAV Live CD - works really, really well. If you have a network connection, it will allow you to download the latest signatures as well.

    See also Knoppix (and most other linux distributions with a live CD .iso).

  32. Re:What efforts are being made to find the operato by Ihmhi · · Score: 1

    All of you guys who talk about anonymity and encryption... wouldn't the people who made such a virus be smart enough to use it?

    I mean, what are they going to say? "I got the info from saltyballs6669@yahoo.com."

    Trace the IPs? Libraries (as in books), Internet Cafes, distribution via Zombie Computers. How long would it take for the FBI to break down some poor old lady's front door because her comp was a zombie?

    Really, I think it would be pretty impossible in a situation like this. I mean, how often are virus authors (or the criminals who use them) caught?

    The scary thing is that stuff like this could be used as a justification for working against the anonymous Internet.

  33. No remedy for infection... by Anonymous Coward · · Score: 0

    that supplies cd images online with their own mini boot os, updated monthly, that you download, burn, and then reboot into via cd

    Won't work. If your machine is compromised, it can mess with your DNS/HTTP/certificates and make you download a fake image, which won't detect itself.

    Once untrusted code has been allowed to execute with full privileges on a machine nothing short of wiping it will give any guarantees...

  34. Malware? by windsurfer619 · · Score: 1

    This whole "malware" thing sounds exciting! How can I get it? I'm running Ubuntu 8.10.

  35. Slashvertisement by Anonymous Coward · · Score: 0

    Three months away? Isn't this just an ad for the companies who detect the virus and FUD for the companies who don't?

  36. Able to watch from the sidelines by HangingChad · · Score: 1

    From the article: ...designed to steal data from Microsoft Windows PCs.

    That's the best thing about using Linux. When these sort of exploits roll through the computer world you can watch with amused interest instead of a knot in your stomach.

    I don't laugh too loud because I think about all the places that might be storing my credit card number on a Windows box. It's been rare that I've ever accessed any of my bank or investment accounts from a Windows client and never in the last four years.

    Again, I try not to get too high and mighty. No OS is completely immune to rootkits and IT history is full of Pearl Harbor events.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  37. Where's the link? by ari+wins · · Score: 1

    What, no download link? You fail me again, Slashdot!

    --
    Don't worry if you're a kleptomaniac, you can always take something for it.
  38. "the majority" by nurb432 · · Score: 1

    Doesn't mean all, so i don't see a problem with him using that statement.

    It's all about how you define majority.. 51%? 60%? 90%?

    --
    ---- Booth was a patriot ----
  39. Re:What efforts are being made to find the operato by amiga3D · · Score: 1

    Don't worry, Obama's next in the barrel. We can bash him for the next 4 to 8 years. :) disclaimer: I'm neither Repuke or Dumbcrat but Independent. A plague on both their houses.

  40. Re:What efforts are being made to find the operato by Dun+Malg · · Score: 1

    ...they could try to them to turn states evidence if they had any info that would lead back up the chain.

    You think that the guys who came up with this MBR virus might possibly be clever enough to not sell the CC#'s from their personal email account?

    --
    If a job's not worth doing, it's not worth doing right.
  41. Re:What efforts are being made to find the operato by Erikderzweite · · Score: 1

    Not a single Russian victim? Bullshit. How does a program know your nationality? It *may* be working on a certain range of IP addresses excluding Russia or target services which are seldom used by Russians, but claiming that there is not a single Russian victim is just ridiculous.

  42. Re:What efforts are being made to find the operato by Anonymous Coward · · Score: 0

    Man, will I be glad when silly season is over and people quit trying to insert politics into every issue.

    Typical liberal.

  43. It is slowly changing by NJRoadfan · · Score: 1

    Well the check part is anyway. The only time I write a check is to family members that can't be bothered with electronic transactions. I sometimes get checks for holiday gifts of money as well. Other than that, the checkbook sits and collects dust. Most of my transactions are cash (for small amounts) and credit/debit.

    What's interesting is that my particular credit card simply doesn't offer RFID or Smartcard functions even though the same issuing bank offers cards with the functions. I literally would have to open up a new credit card account that includes that feature.

    1. Re:It is slowly changing by Mascot · · Score: 1

      The only time I write a check is to family members that can't be bothered with electronic transactions.

      That illustrates it nicely. Reality here is the exact opposite. Electronic transaction is done in less time than digging out a checkbook would, and transfer is virtually instant. Punch in account number, amount, security token and you're done.

      I suspect there's a lack of a centralized system in the US. If every bank would need to interface directly with every other bank to perform a transaction, I can see how it would be both costly and time consuming.

    2. Re:It is slowly changing by NJRoadfan · · Score: 1

      There really isn't a universal system here, unless both parties happen to have an account at the same bank. Even then it isn't straightforward. The best I can do is something like Paypal *shiver*.

  44. Providing an MBR... by the-advanced-lemon · · Score: 1

    How about antivirus companies providing MBRs with their software that worked in a similar fashion to rootkits like this? It would be very difficult if not impossible to write a virus targeting multiple antivirus software that could coexist with the MBR already in place by the said software!

    Antivirus software X could install its own MBR that did the same, load it with the operating system, restrict memory access to its functions, fake the original boot record etc, but it could be programmed to allow X, and only X to see the actual MBR. That way, if a rootkit got in, it would fake the MBR with the MBR it sees (the original one as MBR X has faked it), and then when X scans the system it won't see its MBR, but the original one instead.

    Problem solved...

    It could even be secured by providing an encrypted token calculated on the fly when asked to by software X, in sync with the encryption scheme of software X. Just like the token based schemes in use by some banks.

    I could keep going...

    What are antivirus software writers doing with their time if they can't even come up with something as simple as this? That would eliminate 100% of all MBR viruses until somebody could find a way to reverse engineer the encryption scheme being used and design something to coexist with it... But antivirus software is updated frequently anyway, so as long as this is changed every so often, that's all viruses infecting the MBR solved for good!

    Sound like a good idea to you?
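
As an added illustration for the two MBR posts above ("meh", on the boot block finding and loading one sector, and this proposal about an antivirus-owned MBR), here is a small Python checker that is not code from the thread or from any antivirus vendor: it parses a 512-byte MBR, decodes the packed CHS fields of the partition table, checks the 0x55AA signature, and compares the 446-byte boot code against a baseline hash recorded earlier, which is how a rescue environment can tell that the boot block was replaced while the partition table was left intact. The sample MBR bytes and the baseline hash are constructed here.

```python
"""Inspect a 512-byte Master Boot Record and flag a replaced boot block.

Added illustration, not code from the Slashdot thread or any vendor. An MBR
infector rewrites the boot code (bytes 0..445) and leaves the partition table
alone, so an integrity check must hash the boot code itself.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 are executed by the BIOS
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510..511


def encode_chs(cylinder: int, head: int, sector: int) -> bytes:
    """Pack C/H/S into the 3-byte MBR field (used here to build samples)."""
    return bytes([head,
                  ((cylinder >> 2) & 0xC0) | (sector & 0x3F),
                  cylinder & 0xFF])


def decode_chs(chs: bytes) -> Tuple[int, int, int]:
    """Unpack the 3-byte field: head; sector (6 bits) + cylinder high bits;
    cylinder low byte. Returns (cylinder, head, sector)."""
    head = chs[0]
    sector = chs[1] & 0x3F
    cylinder = ((chs[1] & 0xC0) << 2) | chs[2]
    return cylinder, head, sector


def parse_mbr(mbr: bytes) -> Dict:
    """Return boot-code hash, decoded partition table and signature check."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        entries.append({
            "status": status,
            "bootable": status == 0x80,
            "type": ptype,
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": entries,
        "valid_signature": mbr[510:512] == MBR_SIGNATURE,
    }


def audit_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> List[str]:
    """List findings against a baseline hash; an empty list means no change."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from recorded baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    for n, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):   # only these two are defined
            findings.append(f"partition {n} has odd status byte {p['status']:#x}")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one bootable NTFS-type partition starting at LBA 63."""
    boot_code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, encode_chs(0, 1, 1), 0x07,
                        encode_chs(1023, 254, 63), 63, 2_000_000)
    return boot_code + entry + b"\x00" * 48 + MBR_SIGNATURE


# Constructed stand-ins: a "clean" boot block (just a jmp-to-self stub) and a
# "tampered" one with different bytes in the boot code but the same table.
CLEAN_MBR = build_sample_mbr(b"\xEB\xFE")
TAMPERED_MBR = build_sample_mbr(b"\x90" * 8 + b"\xEB\xFE")
BASELINE_BOOT_CODE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("clean   :", audit_mbr(CLEAN_MBR, BASELINE_BOOT_CODE_SHA256))
    print("tampered:", audit_mbr(TAMPERED_MBR, BASELINE_BOOT_CODE_SHA256))
```

On a real disk the baseline would be recorded from a known-clean boot and the check run from a boot medium prepared on another machine, since an MBR read through an infected OS may be served the faked copy the post describes.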

  45. Re:What efforts are being made to find the operato by Anonymous Coward · · Score: 0

    NO, just no.
    No more internet censoring! Ever!
    The internet should be 100% uncensored.
    Censoring should only ever happen on the computer.

    If anything, people should be pissed off more at the people who make operating systems so easy to infect. (Microsoft being the majority here, but Linux can be infected if run by an idiot just as easily)

  46. Re:What efforts are being made to find the operato by narcberry · · Score: 1

    Censoring is filtering. I'm suggesting full blocks around countries. You're talking a Brita filter, I'm talking a cork. This is an important distinction.

    --
    Modding me -1 troll doesn't make me wrong.
  47. Re:What efforts are being made to find the operato by narcberry · · Score: 1

    I'm not talking packet filters. I'm talking fully isolate nations.

    --
    Modding me -1 troll doesn't make me wrong.
  48. Re:What efforts are being made to find the operato by Anonymous Coward · · Score: 0

    Yeah that's one way to get the US disconnected from the internet fairly quickly.

    Great idea mate. :D

  49. Re:What efforts are being made to find the operato by Anne+Thwacks · · Score: 1

    If the (US Based) credit card companies were threatened with being shut down if they handled money from the goods/services promoted by spam, the whole lot would stop overnight. If MS was threatened with shutdown unless it was made vaguely safe against botnetism, it would grind to a halt.

    It's not the morons that own PCs that are the problem, it is Bill Gates and the US Government

    The hours wasted dealing with viruses add up to far more lifetimes than are lost as a result of Al Quaida actions. Yes folks it's true, Bill Gates and Visa/Mastercard are the new Axis of Evil!

    --
    Sent from my ASR33 using ASCII
  50. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  51. Re:What efforts are being made to find the operato by Anonymous Coward · · Score: 0

    I think you just said the most offensive thing I'm going to find on the internet today.

    When one person or group gets to decide who can or cannot be "on the internet" ... it'll be official, we're fucked.

    The dross comes with the freedom, and the freedom is why we still have an internet.

  52. Re:What efforts are being made to find the operato by narcberry · · Score: 1

    We already control who can or cannot be on the internet. Usually going as far as even restricting computer use of computer criminals.

    If by one person or group, you mean an entire international community, you should get your head checked.

    --
    Modding me -1 troll doesn't make me wrong.
  53. Hoax !!! by Anonymous Coward · · Score: 0

    As a system engineer, I wonder how such a blatant hoax came to be on slashdot ... test of credulity ???

    2700 IP addresses, along with code for HTML injection, network hw, IP and TCP networking ... all this under 1k ?

    If you believe this, then why pay for DVDs ? 360k Floppy disks ought to be enough for fullres HD !!!

  54. BootSector Rootkits? No problem! FIXMBR by Anonymous Coward · · Score: 0

    Well, on Windows NT-based OS?

    You have a viable/working option to destroy bootsector-originated rootkits!

    That's FIXMBR from the RECOVERY CONSOLE

    (You can even install this from your OS installation CD/DVD from the I386 folder, & make it a boot up option to utilize, which is more convenient than doing it from the OS installation media (CD/DVD))

    To install it as a bootup option, you must issue this command to install it as a bootup option:

    winnt32.exe /cmdcons

    Once you are within your OS installation media's I386 folder (should you wish this to be a bootup option. It alters boot.ini for this, & inserts a Windows RECOVERY CONSOLE bootup option. Otherwise you must use your OS installation CD/DVD to use it):

    The FIXMBR command is a "sure-fire" way to rid one's self of these kinds of pests & it is the ONLY kind of rootkit you can kill yourself, afaik... other types such as those that are originated via critical system files being infected are unaffected by FIXMBR (memory resident types, in other words).

    APK

    P.S.=> Another useful set of commands are ENABLE & DISABLE - these can even stall bogus device drivers (such as some trojans use) that some malware utilize (yes, off on a tangent, but RECOVERY CONSOLE is one useful tool vs. malwares in general - especially when usermode tools such as AntiSpyware/AntiVirus/AntiRootkit tools fail you)... apk

    1. Re:BootSector Rootkits? No problem! FIXMBR by symbolset · · Score: 1

      Cute. You had a root kit. It had total control of your operating system for an indeterminate period of time. During that time it could download any software from the internet it wanted, and use it to patch any operating system or application file it liked - or all of them.

      But you can fix it "sure fire" by using FIXMBR. That will restore the boot block and all will be well again!

      Please don't give any more computer advice until you've been detarded.

      --
      Help stamp out iliturcy.
    2. Re:BootSector Rootkits? No problem! FIXMBR by Anonymous Coward · · Score: 0

      "It had total control of your operating system for an indeterminate period of time. During that time it could download any software from the internet it wanted, and use it to patch any operating system or application file it liked - or all of them" - by symbolset (646467) * on Tuesday November 04, @12:35PM (#25627991)

      Ahem:

      I'm only listing a way to REMOVE a bootsector originated rootkit (or virus for example) - that's all. Are you listing better advice here, to help others?? No. I don't see it...

      The same could go for spyware/virus/trojans (other forms of malware-in-general), so, what is your point anyhow?

      Besides/above all else: What I had just put out as a method to destroy a bootsector infector of any kind on Windows NT-based OS' is FAR more helpful/useful advice than the garbage you are tossing my way now...

      (Which by the way, imo @ least, was spoken like a true maker of such malwares in fact on YOUR part)

      Fact is, in my experience?

      Well, the only people I've ever noticed bitching about methods of securing one's self, are those affected adversely by the methods used in that it affected THEIR ability to do others wrong (such as virus/trojan/spyware/rootkit maker's would be by stalling their heinous machinations)...

      (See? I can make assumptions also, like yourself, as you had, which I quote below next!)

      ----

      "Cute. You had a root kit." - by symbolset (646467) * on Tuesday November 04, @12:35PM (#25627991)

      No, I never had one: You're assuming things. Don't put words in others' mouths they never stated, ok, OR, stop skimming & interpreting things incorrectly (it's that, or you need to take your ADD-ADHD meds-treatments, &/or get "hooked on phonics" so you interpret what you read better!)

      (See? I can be rude to you as well, easily, & get a laugh out of it, @ YOUR expense easily - too easy, you set yourself up for it, mind you & had it coming for your reply I quote below))

      APK

      P.S.=> By the way?

      "Please don't give any more computer advice until you've been detarded." - by symbolset (646467) * on Tuesday November 04, @12:35PM (#25627991)

      Learn some manners, class, & general etiquette ok? Tossing names only shows you for who you truly are... apk

  55. Deliberate misinformation abounds here by symbolset · · Score: 1

    on slashdot. Please don't share it around.

    Are you listing better advice here, to help others?? No. I don't see it...

    I had a nice writeup on this in my journal, but it's gone now. There's only one reason I can think of not to wipe and reinstall if you find your system's been compromised by any malware at all: if you're running a honey pot and you want to see where the traffic goes.

    Otherwise, it's wipe and reinstall. Always. Just like I wrote above. One of the first things malware does when it gets its toe in is it worms its way deep into everything it can - some active and some hidden with time delays so that it can be persistent despite cleaning attempts. Some of it you'll find, but can you find all of it? Is there any way to be sure you found all of it? No. Wipe and reinstall. Always.

    --
    Help stamp out iliturcy.
    1. Re:Deliberate misinformation abounds here by Anonymous Coward · · Score: 0

      "But you can fix it "sure fire" by using FIXMBR. That will restore the boot block and all will be well again!" - by symbolset (646467) * on Tuesday November 04, @12:35PM (#25627991)

      I already addressed the other possibles you cannot affect via FIXMBR (which you noted, other things that might be downloaded by said machinations, like bootsector viruses/rootkits)... you put your foot in your mouth, via your skimming & overlooking that I noted your point already, lol! You only did that, to yourself, mind you! See this quote from myself, from my original reply to your method(s):

      ----

      http://it.slashdot.org/comments.pl?sid=1015483&cid=25627505

      "The FIXMBR command is a "sure-fire" way to rid one's self of these kinds of pests & it is the ONLY kind of rootkit you can kill yourself, afaik... other types such as those that are originated via critical system files being infected are unaffected by FIXMBR (memory resident types, in other words)" - by Anonymous Coward on Tuesday November 04, @12:14PM (#25627505)

      ----

      Thus, I never said "all will be well again", did I? No, not once...

      ----

      It seems you like putting words in others' mouths... &, lol, you only inserted your foot into your OWN mouth... how's that taste (the bitter taste of defeat, for your being a fool man, what else can I say? This isn't name tossing w/ out proof of your mishap, unlike your name tossing directed MY way).

AFTER ALL - I ONLY LISTED A METHOD THAT WORKS TO "TAKE OUT" THE ROOT CAUSE, the rootkit's main launchpoint, itself, & also noted that FIXMBR doesn't affect peripheral files or other kinds of rootkits... you seemed to have 'overlooked that', now didn't you?

      ----

      See? I already noted that other things aren't affected by FIXMBR, only a repair of the bootblock/bootsector... Such as anything else a rootkit may "haul in" to infest you with even more (and, to 'back itself up' via say, a phalanx type defense of itself & its constituent parts)!

      Yes, you have to work on any other files (or other kinds of rootkits even), via other means!

(Your method's a possible, there ARE others! HOWEVER, they're all fairly unreliable: Especially vs. memory resident ones spawned by infected .exe files, simply because of being able to intercept (via API call hooking as 1 method of doing so) function return values from libs or even std. executables).

      By the way?

      The day you can appear in noted publication in this field, or have dual degrees in this field, or have your code go into commercial apps & have over 30 "enterprise class" data processing systems to your credit, AND have your work or wares make a Microsoft Certified partner place as a finalist in the hardest category @ Microsoft Tech Ed?

      (As I did 2 yrs. in a row, & nearly a decade ago already on all of the above no less in this art & science/field, such as for SuperSpeed.com/EEC Systems 2001-2002) in the HARDEST CATEGORY @ MS TECH ED, in SQLServer Performance Enhancement (plus, have over 25 yrs. total time experience in this field and possess dual degrees in it as I have))?:

      VERIFIABLE PROOFS OF MY STATEMENTS:

      ----

      Windows NT Magazine (now Windows IT Pro Sept./Oct. 1996), for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache I/II program (a logical block diskcache operating @ the DISK DRIVER level) program increasing its effectiveness by up to 40%) albeit, for their SuperDisk (mirroring back to backing HDD ramdrive program) this time & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row iirc.

      WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)

      PC-WELT FEB 1998 - page 84, again, my work is featured there

      PC-W

  56. EVIDENCE OF YOUR SKIMMING (get ADD/ADHD help) by Anonymous Coward · · Score: 0

    'But you can fix it "sure fire" by using FIXMBR. That will restore the boot block and all will be well again!" - by symbolset (646467) * on Tuesday November 04, @12:35PM (#25627991)

    By the way, because I don't have TIME for your b.s. today to do this in your next reply (I will anyhow though to put you in your place, should you reply when I get back from voting later)?

    This is in regard to your point you tried to make? I am going to watch you eat your words, or apologize, for your assuming & skimming, & for tossing names my way in your feeble reply:

    I already addressed the other possibles you cannot affect via FIXMBR (which you noted, other things that might be downloaded by said machinations, like bootsector viruses/rootkits)... See this quote from myself, from my original reply to your method(s):

    ----

"The FIXMBR command is a "sure-fire" way to rid one's self of these kinds of pests & it is the ONLY kind of rootkit you can kill yourself, afaik... other types such as those that are originated via critical system files being infected are unaffected by FIXMBR (memory resident types, in other words)" - by Anonymous Coward on Tuesday November 04, @12:14PM (#25627505)

    ----

    Thus, I never said "all will be well again", did I? No, not once... you like putting words in others' mouths... &, lol, you only inserted your foot into your OWN mouth... how's that taste (the bitter taste of defeat, for your being a fool).

I ONLY LISTED A METHOD THAT WORKS TO "TAKE OUT" THE ROOT CAUSE, the rootkit's main launchpoint, itself, & also noted that FIXMBR doesn't affect peripheral files or other kinds of rootkits... you seemed to have 'overlooked that', now didn't you?

    See?

    I already noted that other things aren't affected by FIXMBR, only a repair of the bootblock/bootsector... Such as anything else a rootkit may "haul in" to infest you with even more (and, to 'back itself up' via say, a phalanx type defense of itself & its constituent parts)!

    Yes, you have to work on any other files (or other kinds of rootkits even), via other means!

(Your method's a possible, there ARE others! HOWEVER, they're all fairly unreliable: Especially vs. memory resident ones spawned by infected .exe files, simply because of being able to intercept (via API call hooking as 1 method of doing so) function return values from libs or even std. executables).

    By the way?

    The day you can appear in noted publication in this field, or have dual degrees in this field, or have your code go into commercial apps & have over 30 "enterprise class" data processing systems to your credit, AND have your work or wares make a Microsoft Certified partner place as a finalist in the hardest category @ Microsoft Tech Ed (as I did 2 yrs. in a row for SuperSpeed.com/EEC Systems 2001-2002) in the HARDEST CATEGORY THERE, in SQLServer Performance Enhancement (plus, have over 25 yrs. total time experience in this field and possess dual degrees in it as I have):

    VERIFIABLE PROOFS OF MY STATEMENTS:

    ----

    Windows NT Magazine (now Windows IT Pro Sept./Oct. 1996), for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row iirc.

    WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)

    PC-WELT FEB 1998 - page 84, again, my work is featured there

    PC-WELT FEB 1999 - page 83, again, my work is featured there

    CHIP Magazine 7/99 - page 100, my work is there

    WINDOWS MAGAZINE, WINTER 1998 - page 92,

  57. Wow. by symbolset · · Score: 1

    Now I'm arguing with a famous anonymous coward. Cool. Y'know, Rob Enderle gets himself into print a lot too.

    Wiping and reinstalling doesn't have to be painful. If you catch a good image with clonezilla you can restore in just a few minutes. It's actually faster than scanning the whole PC, don'tcha know.

    Oh, and I don't need any blue ribbons on my shirt to point out the blatantly obvious.

    --
    Help stamp out iliturcy.
    1. Re:Wow. by Anonymous Coward · · Score: 0

      "Rob Enderle gets himself into print a lot too." - by symbolset (646467) on Tuesday November 04, @02:14PM (#25629861)

      He gets into print (publication & websites), albeit, on what grounds? He has NO computer-sciences specific education (for 1 thing)...

      ALL, Per this document @ wikipedia about him:

      ----

      http://en.wikipedia.org/wiki/Rob_Enderle#Education

      Education

      Orange Coast College, Associate's degree in Merchandising
      California State University, Long Beach, B.S. in Manpower Management, MBA
      Pace University, CMA Certificate

      ----

Another "MBA holding wannabe", in the field of computer science is what I see there!

I.E.-> SO, what EXACTLY qualifies him as some sort of "computer guru", anyhow, in this field/art & science? Writing articles about it?? Being a part of some b.s. advisory council (which is laughable - without SOLID education + hands on in the trenches in this field in professional experience (such as programmer-analyst/software engineer OR network tech/admin? Man, that's essential, for understanding of it - otherwise? You're "playing music via tablature, not reading & understanding music", period!)

      He has NOTHING of value as pertains to expertise in this field (computers) that I can see!

      (AND - & this is coming from someone, in myself, who has BOTH, in 1.) a B.S. in Business (MIS concentration/minor to boot to go with it), AND 2.) An Associates degree in Comp. Sci. to top that off, + LASTLY, 3.) Decades of professional hands-on experience in this field (as well as being recognized & published internationally in it in noted reputable publications in this very field - computers, & more, per my last reply to you here))

      Imo, & based on the evidences above?

      Well, I'd have to say that this "Rob Enderle" (are you he? You refused to answer that by the by) is just another:

      "I have a P.R. machine behind me & thus, I can be considered a computer expert"

(Albeit, one with no degrees in the art & science/field of computing, & probably no years to decades of hands-on experience with them in the trenches either (on this latter point? It's ONLY speculation, but the former point isn't for sure... &, usually? When you don't have 1, odds are you probably don't have the other))

      APK

      P.S.=> In fact, he sounds like the CIOs/CEOs you see in the trade rags in this field that take ALL the credit for innovations that those who actually KNOW what they're doing it, DO THE WORK FOR, while these 'preening peacock wannabes' get paid more + take said credit for accomplishments... yet, they did nothing of actual value to the production of said accomplishment (like actually writing the code for it - which, without that, for say a piece of hardware OR software? YOU HAVE NOTHING!)... people who KNOW what they're about in this field? They do NOT respect "that type/ilk"... they're 'fake-it-till-you-make-it' wannabes... period! apk

  58. You brought it on yourself: Drink in & digest by Anonymous Coward · · Score: 0

    "Now I'm arguing with a famous anonymous coward" - by symbolset (646467) on Tuesday November 04, @02:14PM (#25629861)

    Famous? Thanks!

    I just tend to think of myself more like "I can get the job done, & others have noticed it in noted publications in this field/art & science, numerous times, over a decade"... this IS all. I can easily & did prove that much, w/ easily verifiable evidence no less, from the publications it occurred in + dates, pages, etc. et al!

    (&, I did that with me only 2-3 yrs. into this field as a pro no less outta academia, when I was into shareware/freeware creation circa 1995-2002, & it took me into commercial products, some of which I still draw royalties from no less)...

    Apparently, you cannot do the same, although you like calling others names as you had myself!

    Above all else?? This is NO argument - I was accused by yourself falsely, & my own words you skimmed over after you called me names (retarded etc.) proved YOU, wrong, on both points & in both regards. You did this, to yourself, not I.

    (& then you turned up a skimmer, & wrong in your accusation that I missed your point on FIXMBR command from the RECOVERY CONSOLE being no good vs. anything BUT bootsector/bootblock originated rootkits &/or viruses, which is true, but the topic of this here on this site? It's ABOUT MBR originated rootkits, thus, you are offtopic!)

    BUT, after you called me names (retarded or something like that? I had to show you I did NOT miss your points @ all):

    ----

    "The FIXMBR command is a "sure-fire" way to rid one's self of these kinds of pests & it is the ONLY kind of rootkit you can kill yourself, afaik... other types such as those that are originated via critical system files being infected are unaffected by FIXMBR (memory resident types, in other words)" - by Anonymous Coward on Tuesday November 04, @12:14PM (#25627505)

    ----

    However, the pity is?

    You made some good points, & yes, you were modded up well for it - it is unfortunate your name calling & arrogance was your undoing is all, & you ONLY DID THAT, TO YOURSELF! I never missed the points you accused me of, & YOU KNOW IT, you missed them due to skimming & had the nerve to toss names my way. Pitiful.

    ----

    NOW - I noted you mentioned you have (or, rather supposedly HAD) something along those lines here in the way of a guide... now "disappeared" (yea, ok, it's possible, lol)... I have some of those, that have gone over the tune of 200,000++ views in less than 1 yrs. time in fact online this year (&, their points are proving to be very good for users, in making them literally INVULNERABLE vs. virus/trojans/spyware & even rootkits, IF they practice & adhere to its points & some common-sense):

    ----

    HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (&, beyond):

    http://www.tcmagazine.com/forums/index.php?s=0250759f7432219943d329cae12ddc5e&showtopic=2662

    It's even been said to be good stuff, & "modded up" more than a few times, here on slashdot no less by your peers here, see this:

    http://ask.slashdot.org/comments.pl?sid=970939&no_d2=1&cid=25092677

    &

    http://news.slashdot.org/comments.pl?sid=999923&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25427039

    To name just a couple... from THIS site in particular. Big nitpickers are here, I cannot afford NOT to put up proofs.

    ----

    Want more proof (as you know, I'm "big on that" because it lend

  59. I am not him. by symbolset · · Score: 1

    That you don't know of him is interesting.

    --
    Help stamp out iliturcy.
  60. Re:I am not him. Then, why drop a name? by Anonymous Coward · · Score: 0

Why did you toss out that person's name? That makes no sense here. Tossing names on your part apparently does though:

    "Please don't give any more computer advice until you've been detarded." - by symbolset (646467) * on Tuesday November 04, @11:35AM (#25627991)

    Except the fact exists you skimmed over the rest of the reply which covered that which you stated was omitted, and thus your name tossing quoted above only put egg on your own face, via your own words, when my COMPLETE reply, verbatim (note the BOLDED part, especially?), was:

    ----

    "The FIXMBR command is a "sure-fire" way to rid one's self of these kinds of pests & it is the ONLY kind of rootkit you can kill yourself, afaik... other types such as those that are originated via critical system files being infected are unaffected by FIXMBR (memory resident types, in other words)" - by Anonymous Coward on Tuesday November 04, @11:14AM (#25627505)

    ----

    You later mentioned someone (this Rob Enderle person) who clearly doesn't have the foundations to do anything unique or original in this field of computer sciences and doesn't even have degrees specifically oriented to computers (but, instead, more towards "business").

    E.G.-> Knowing how to calculate the par value of a stock (something MBA's often learn in their coursework, mind you - because I helped my brother study for his, because I come out of an MIS background (a combined business + comp. sci./data processing degree track)) 'doth not a computer scientist make', for lack of a better expression here in regards to that...

    APK

  61. Once again... by symbolset · · Score: 1

    Please don't tell people to use FIXMBR to repair a root kit. It's not an appropriate or effective repair for a system that's been compromised. As a repair it's worse than useless - by giving a false sense of security it leads to greater risks.

    --
    Help stamp out iliturcy.
    1. Re:Once again... by Anonymous Coward · · Score: 0

      "Please don't tell people to use FIXMBR to repair a root kit. It's not an appropriate or effective repair for a system that's been compromised. As a repair it's worse than useless - by giving a false sense of security it leads to greater risks." - by symbolset (646467) on Friday November 07, @11:08PM (#25685185)

      LOL, it works better than NOT doing anything @ all, on a bootsector spawned virus OR rootkit (the topic of this thread no less)...

      In fact?

      My suggestion here works better than anything you've suggested!

      E.G.-> Your method of "scanning a drive, when mounted as a 2nd or more disk in another computer", for example?

      Buddy??

      That won't work vs. memory resident (spawned from inside infected .exe's for example) ones either, anymore than FIXMBR will (though FixMBR can repair the infected bootsector vs. bootblock/bootsector spawned virus AND rootkits - & this is ALL I stated it can do vs. rootkits of bootblock/bootsector originated design):

      You didn't list a method for repairing an affected bootsector did you? Are you trying to tell us this would NOT help, vs. an infested bootsector??

      (FixMBR (from the RECOVERY CONSOLE) works to do so, it repairs bootsectors/bootblocks!) ... & nothing more (just a repair of an infested bootsector, but, that is where these things start from).

      NOW - It's often said (if you don't have a pristine system image backup, & who can guarantee that?) that if you get other kinds of rootkits?

      "REPAVE"

(In other words, redo your system, because even IF you can detect them (not that easy, & not with your method of placing the affected disk into another system & scanning it (this will, odds are, NOT have that disk "detonate/launch" any rootkits either, as memory resident, OR, from its bootsector (since it is NOT the booting disk, AND, it is NOT the OS in operation either)).

      APK

      P.S.=> Correct me if I am wrong, but, you don't even BEGIN to mention how to clear a shot bootsector did you? You also assume you have a pristine system image OR backup... bad assumption on YOUR end, a "false sense of security"... apk

    2. Re:Once again... by symbolset · · Score: 1

      Correct me if I am wrong, but, you don't even BEGIN to mention how to clear a shot bootsector did you?

You're wrong. Wipe and reinstall from known good media does clear the shot boot sector, as well as everything else. The only malware that can survive this process is either on the installation kit (none currently available, though it has happened in the past) or in firmware (also, none known, a theoretical threat at most).

      Of course I assume a pristine image backup. A good image backup is a necessary part of first line support for every PC. Whether a user is supporting their own system or tech support falls to some third party, gradually installing all the software in a useful desktop PC takes time. Performing a clean install from source media is an essential step of preparing even a new PC in order to eliminate OEM included software nonsense. clonezilla is fast, reliable and free. It's good professional guidance to tell people to build an image with known-good software with all available patches and make an image backup before connecting to the network and again after all the software that must be "activated" has phoned home. It's work but it's background work every PC needs to operate in the current untrusted network environment. This practice pays off with just one restore and systems should be restored from a known good image periodically whether compromise has been detected or not because sometimes compromises go undetected and systems develop cruft over time that destroys performance and distracts from the work of the day. Guiding people away from that sane "provably safe foundation" principle borders on malpractice.

      It's also good guidance to recommend that people operate from a restored snapshot image rather than just taking one. That way they know for certain they can restore the snapshot from a tested backup and it will work.

      If people don't have a clean image then recommending they build one as part of the recovery practice while wiping and restoring to recover from a rootkit is sound guidance also. The only problem with this is when people don't have reinstall permission, rights or media. Those people aren't going to listen to anything you tell them anyway.

      Again: Please don't tell people to try to "repair" rootkits or viruses. Repair is not reliably possible. At worst it communicates to the undetected and unrepaired malware that the unit is a real person, not a honeypot, and that they're clueless about security. In that way it makes them more of a target and decreases rather than increases their security.

      --
      Help stamp out iliturcy.
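The post above rests on having a known-good image and on checking a suspect disk offline, mounted in another machine where nothing from it executes. As an added example that is not from either poster, the following Python script builds a SHA-256 manifest from a golden tree and then compares a suspect copy against it, reporting modified, missing and added files. The directory trees and file contents are constructed in a temporary directory purely for the demonstration; on a real system `golden` would be the restored image and `suspect` the read-only mount of the infected disk (assumed, not shown).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large system files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX-style relative path.
    Run this against the known-good (golden) image, not the suspect disk."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare a suspect tree (e.g. a disk mounted read-only in another machine)
    against the golden manifest. Nothing on the suspect disk is executed."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def _write(root: Path, rel: str, data: bytes) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo() -> dict:
    """Constructed sample: a golden tree and a suspect copy in which one driver has
    been patched and one extra driver dropped in. File contents are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        suspect = Path(tmp) / "suspect"
        files = {
            "Windows/System32/ntoskrnl.exe": b"MZ" + b"\x00" * 100 + b"kernel",
            "Windows/System32/drivers/disk.sys": b"MZ" + b"\x00" * 50 + b"diskdrv",
            "Windows/explorer.exe": b"MZ" + b"\x00" * 30 + b"explorer",
        }
        for rel, data in files.items():
            _write(golden, rel, data)
            _write(suspect, rel, data)
        manifest = build_manifest(golden)
        # Simulated compromise on the suspect copy only: patched driver plus a dropped file.
        _write(suspect, "Windows/System32/drivers/disk.sys", b"MZ" + b"\x00" * 50 + b"hooked!")
        _write(suspect, "Windows/System32/drivers/evil.sys", b"MZ" + b"\x00" * 10 + b"payload")
        return verify_tree(suspect, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest only answers "does this file still match the image"; it says nothing about files the image never contained except that they are new, so the "added" list is where dropped drivers and loaders show up. Keep the manifest itself off the suspect machine, and regenerate it whenever the golden image is rebuilt with patches.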
  62. Your original idea? Doesn't work, & WHY... apk by Anonymous Coward · · Score: 0

    "Of course I assume a pristine image backup" - by symbolset (646467) on Saturday November 08, @02:37PM (#25689061)

    Yes, & this is where you "go wrong", in assuming you have that, in the first place... by ASSUMING. You cannot GUARANTEE that, anymore than my technique, which works for recreating a VALID bootblock/bootsector, via FIXMBR (RECOVERY CONSOLE).

    "Again: Please don't tell people to try to "repair" rootkits or viruses. Repair is not reliably possible" - by symbolset (646467) on Saturday November 08, @02:37PM (#25689061)

    Oh, you mean like your suggesting that nobody use FIXMBR (to blow out the actual BOOTSECTOR originated ROOTKIT? Which that does??)???

You mean like your saying that "scanning a drive while put into another computer" works? How is THAT going to happen, when the registry loaded is NOT from the infested machine & not resident to check for entries that use "trailing null characters" (telltale possible sign of rootkitting), & the OS loaded is NOT the one that is infected?? If it doesn't get initialized, then, neither will its rootkit - thus, how can you tell if API call hooking or DLL injection (just SOME of the possibles here programmatically that rootkits use, memory resident ones no less, the "undefeatable kind") is going on, or not?

    YOU CAN'T, period... thus, your suggestions (original one)? Erroneous!

    Your 'original recommendation'??

    It rests on a POOR foundation, technically!

    Especially in regards as to HOW memory-resident rootkits work, period!

    (Even memory resident ones, though, the topic here is ABOUT BOOTSECTOR/BOOTBLOCK ORIGINATED ROOTKITS (& thus, you're offtopic really, as to noting other types really, though I did as well, so others would NOT be misled in thinking FIXMBR repairs memory resident rootkits too (it does not, & I said so, though you called me names for that, & I AM CORRECT ON THAT MUCH!)).

    The ONLY way I know of, to burn out a rootkit, is to use FixMBR - you only have a chance vs. these, to repair & rid yourself of them, via FixMBR (to rewrite/restore a pristine bootsector)...

    Just as I stated CLEARLY earlier, & nothing more (to which you called me names for, but you had to "eat your words" about because you skimmed over my stating this -> "it won't work vs. other types of rootkits, such as memory resident ones").

    Give me a break. Give up already...

    APK

    P.S.=> And, until you can show others here reading that you've accomplished 1/10th even of what I have in this field, & over 13++ yrs. back to around 7 yrs. back, which was noted in publication by others in this field to GOOD regards & results (such as placing @ Ms Tech-Ed 2001-2002, 2 yrs. in a row & appearing in Windows IT Pro mag's pages, a highly regarded & respected publication)??

    Don't even ATTEMPT to advise me on "what is what" in this art & science...

    You clearly don't have the means technically, nor, the grounding in this field necessary to do so, period!

    Least of all, don't toss names @ those who are trying to help others, & only to have yourself proven WRONG via your own words in calling me a 'retard' etc. et al, when you KNOW you skimmed over the points I made that you said I did not note - &, I clearly did so! apk

  63. Here's a post from a long time ago by symbolset · · Score: 1

    Where I explained this process back in April 2006.

    I expanded on this with a journal article, but it's gone now. Maybe someday I'll put up an update.

    Oddly enough, it's from the article Microsoft Says Recovery From Malware Becoming Impossible. If you won't believe me, believe them:

    A Microsoft security official recommends that big businesses invest in an automated process to wipe hard drives and reinstall malware-infested operating systems.

    --
    Help stamp out iliturcy.
  64. Here is what I think of your post (with proofs)... by Anonymous Coward · · Score: 0

    For an overall cure?

Note - I said the same "REPAVE", here (especially vs. memory resident types of which I also outlined some of their mechanics they use (of which you noted none, & this only tells me you read what others write, but, do NOT have the 'technical savvy' on your own steam to think of things to do, yourself - therein, I suspect, lies the diff. between MY understanding of this stuff, vs. your own, such as it is):

    ----

    "NOW - It's often said (if you don't have a pristine system image backup, & who can guarantee that?) that if you get other kinds of rootkits?

    "REPAVE"

(In other words, redo your system, because even IF you can detect them (not that easy, & not with your method of placing the affected disk into another system & scanning it (this will, odds are, NOT have that disk "detonate/launch" any rootkits either, as memory resident, OR, from its bootsector (since it is NOT the booting disk, AND, it is NOT the OS in operation either))." - by Anonymous Coward on Saturday November 08, @09:10AM (#25687161)

    ---- ... & I never ever stated otherwise, as regards memory resident types of rootkits. I stated cleanly that once you get one of these? You're hosed, basically/unfortunately.

    ----

    NOW - As to "Microsoft Officials"? Well, in my time??

    I've put a couple in their place, with ease in fact... don't ASSUME again, that they are "perfect", because nobody is.

(E.G.-> Dr. Mark Russinovich whom I used to work for the same company for no less, contracting out wares he & I produced for NT-based OS of SERVER CLASS... I did so, first, by catching him in rather "rookie" hardcodes in his pagedefrag.exe, & telling him how AND WHY (most importantly) to fix it (to which he only did PARTIALLY, for pagefile.sys location & reading it from the registry rather than hardcoding to C: root, but he omitted that for REGISTRY HIVE locations, which I warned him of & his still hardcoding them to their std. location (& yes, they ARE moveable))

    All, to which he did & thanked me for via email, no less...

AND, again I did so later to him, on noting errors in his "memory optimization hoax" article @ Windows IT Pro in 2003, & where he was off/wrong, to which he could NOT counter points I had, 15 of them in fact (such as Memory Optimizers as he called them, unstalling frozen Exchange Servers & also working for better performance outta Terminal Servers, as just SOME examples thereof)

    APK

    P.S.=> You went wrong, in 1 regards:

    YOU ASSUME A PRISTINE SYSTEM IMAGE...

    This, on your part?

    That is assuming, & dangerous! You can't guarantee that either.

    Example? Well, I have a driver for a PCI modem from U.S. Robotics here, & what's on that CD? A virus, right off the bat, from the OEM no less... incredible as that may seem, it happens!

    Note, again, Dr. Russinovich (author of rootkit revealer, which shows falsies like mad @ times, unfortunately)? He found a rootkit on a SONY music CD for God's sake... you can't go & assume the software you load is "110% straight" & free of infectors, of ANY kind, either... apk

  65. I gotta give you points for persistence by symbolset · · Score: 1

    If you can't trust the installation media, you have no hope of building a good system, no matter what. If you have a firmware virus, same deal.

    OTOH, using a built from scratch restore image that hasn't touched the network evades all other malware problems. It's the best you can do.

    I don't quite assume a pristine image -- I only posit that if you don't have one, rebuilding after an infection is the ideal time to make one. Having the forethought to create one beforehand is of course preferable. I do assume either a pristine image or installation media. If you don't have either of those you've got bigger problems than just malware.

    Not making a pristine image when you restore, or forgoing the restore in preference for "cleaning" are both options that are not best practice.

    --
    Help stamp out iliturcy.
    1. Re:I gotta give you points for persistence by Anonymous Coward · · Score: 0

      "I gotta give you points for persistence" - by symbolset (646467) on Saturday November 08, @04:28PM (#25689759)

      Of course: Especially when I've "shot down" every method YOU extoll to prevent or fight these things, cleanly, with solid known or documented evidences...

      After all: I am only telling it how it is, or can be.

      Now, by way of contrast?

      Are you willing to state to everyone here reading that FixMBR from the RECOVERY CONSOLE will not eradicate the trace of any BOOTSECTOR ROOTKIT (or virus for that matter), upon its issuance?? Clue: That is what FixMBR does - it rewrites the bootrecord.

      The topic is that - bootsector rootkits. Not memory resident ones, or, peripheral viruses it might even download ontop of itself (say, to back itself up in UserMode)...

AND, the sad fact is, as regards your initial premise (& YOU KNOW IT)? See your next quote below...

      ----

      "If you can't trust the installation media, you have no hope of building a good system, no matter what. If you have a firmware virus, same deal." - by symbolset (646467) on Saturday November 08, @04:28PM (#25689759)

      You CANNOT guarantee a perfectly 110% pristine system image, &... well, that IS that, period.

      However, on the converse?

      I can 110% guarantee that RECOVERY CONSOLE (especially IF run off the installation media CD) is capable of destroying what the topic of this post is:

      A rootkit housed w/in an infected bootblock/bootsector on a booting HDD!

      FixMBR (run from the RECOVERY CONSOLE, & especially from INSTALL MEDIA, a read only surface mind you) - Hey, it's purpose is to recreate that, in pristine form... & no virus (much less rootkit) is known to run in that environs!

(How could it? It comes from installation media that is READ ONLY, & is coded on a little used API (iirc, NT "NativeAPI")).

      Thus, I rest my case!

      (Especially since I covered that which you accused me of & said I ought to be 'detarded'... wtf?)

      I mean, hey, LOL: You said that I said that "all would be well/100% perfect" after running FixMBR (&, as far as clearing a bootsector? Yes, it is, taking out a rootkit there - this is the only kind you can kill easily, & that is how - on things it COULD in theory download & install, say such as a usermode service or invisible app running to 'back it up' & reinstall itself? That is just like what memory resident rootkits would be like too, & I covered THAT, lol... FixMBR would not affect that, but, I stated that from the outset!))

      Also, when all I stated was on the topic of this thread here, about bootsector rootkits, & how to "nuke" them is all I stated, & I also excluded memory resident rootkit types from FixMBR's being effective on them - you called me, 'retarded' or something to that effect? Please...

      ----

      You said this to me:

      "Please don't give any more computer advice until you've been detarded." - by symbolset (646467) * on Tuesday November 04, @11:35AM (#25627991)

      After all I said that is 100% technically accurate? Even showing folks how to have 1/2 a fighting chance vs. ANY kind of rootkit (bootsector driven ones ARE eradicatable, via RECOVERY CONSOLE, & FixMBR commands issued therein - other things they may create, or D/L? That is another topic, such as memory resident rootkits... but, then again, I mentioned that already, didn't I? Yes, I did...)

      APK

      P.S.=> As for the rest? Well, I've achieved what little I have in this field... you have nothing like it, apparently, by way of comparison... & yet, you feel fit to call others names, especially after your methods have been shown to be faulty or less than perfect?? Please - get over it, stop, before you slip even more... apk
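The argument running through this thread is about which bytes of the master boot record FixMBR rewrites and which it leaves alone: the executable boot code is replaced, while the disk signature and partition table (and everything else on the disk) are untouched. As an added example that is not from either poster, the Python below parses a 512-byte MBR into those regions, checks the boot code against a known-good SHA-256, and models a FixMBR-style repair that swaps only bytes 0 through 439. The two sector images are constructed inline (a stub of placeholder boot code, one NTFS partition entry, a made-up disk signature); they are not dumps of a real disk or of Mebroot/Sinowal. On a real machine the sector would be read from the physical disk while booted from clean media, which is assumed and not shown.

```python
import hashlib
import struct

# Classic (non-GPT) MBR layout; these offsets are the documented ones.
MBR_SIZE = 512
BOOT_CODE_LEN = 440       # executable boot code: the region an MBR bootkit overwrites
DISK_SIG_OFF = 440        # 4-byte NT disk signature, followed by 2 reserved bytes
PART_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"    # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, disk signature and partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, known_good_boot_code_sha256: str) -> dict:
    """Compare only the boot code against a reference hash. A matching hash says the
    MBR code is clean; it says nothing about the rest of the disk."""
    info = parse_mbr(sector)
    digest = hashlib.sha256(info["boot_code"]).hexdigest()
    return {
        "boot_code_ok": digest == known_good_boot_code_sha256,
        "boot_code_sha256": digest,
        "disk_signature": info["disk_signature"],
        "partitions": info["partitions"],
    }


def rewrite_boot_code(sector: bytes, clean_boot_code: bytes) -> bytes:
    """Model of a FixMBR-style repair: replace bytes 0..439 and keep everything after
    (disk signature, partition table, boot signature) exactly as found."""
    if len(clean_boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be 440 bytes")
    return clean_boot_code + sector[BOOT_CODE_LEN:]


# ---- constructed sample data (placeholder bytes, not a real disk image) ----
def _partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x01\x01\x00",
                       ptype, b"\xfe\xff\xff", lba_start, sectors)


CLEAN_BOOT_CODE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20).ljust(BOOT_CODE_LEN, b"\x00")
PART_TABLE = _partition_entry(True, 0x07, 63, 41929650) + b"\x00" * 48  # one NTFS entry, three empty
GOOD_MBR = CLEAN_BOOT_CODE + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00" + PART_TABLE + BOOT_SIG
GOOD_BOOT_CODE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

# "Infected" copy: the first instructions are patched to transfer control elsewhere,
# while the disk signature and partition table are left intact so the OS still boots.
PATCHED_BOOT_CODE = b"\xe9\x00\x01" + CLEAN_BOOT_CODE[3:]
INFECTED_MBR = rewrite_boot_code(GOOD_MBR, PATCHED_BOOT_CODE)

if __name__ == "__main__":
    for name, mbr in (("clean", GOOD_MBR), ("infected", INFECTED_MBR)):
        r = check_mbr(mbr, GOOD_BOOT_CODE_SHA256)
        print(name, "boot code ok:", r["boot_code_ok"], "partition 0:", r["partitions"][0])
    repaired = rewrite_boot_code(INFECTED_MBR, CLEAN_BOOT_CODE)
    print("after rewrite, boot code ok:", check_mbr(repaired, GOOD_BOOT_CODE_SHA256)["boot_code_ok"])
```

Two things the output makes concrete. First, the infected and clean sectors have identical partition tables and disk signatures, which is why a bootkit of this kind does not break booting and why a partition-table check alone detects nothing; the comparison has to be on the 440 code bytes, against a copy taken from a known-good install rather than against whatever happens to be on the disk. Second, rewriting those 440 bytes restores exactly that region and nothing else, which is the point both sides of the thread agree on: anything the bootkit loaded or dropped elsewhere is still there afterwards.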

    2. Re:I gotta give you points for persistence by symbolset · · Score: 1

      Now, at the foot of this thread, I'll repost what I said that offended you:

      Cute. You had a root kit. It had total control of your operating system for an indeterminate period of time. During that time it could download any software from the internet it wanted, and use it to patch any operating system or application file it liked - or all of them.

      But you can fix it "sure fire" by using FIXMBR. That will restore the boot block and all will be well again!

      Please don't give any more computer advice until you've been detarded.

      I meant it then and I mean it still. Please don't try to give advice about things you don't understand. Please don't try to justify yourself. You're just making it more and more obvious that you're an idiot.

      --
      Help stamp out iliturcy.
  66. As smart as you are... by symbolset · · Score: 1

    You haven't figured out yet that I'm just leading you on to eat up your output in this forgotten thread. Yes, please don't give any more computer advice until you've been detarded. C'mon. Level with me. You're a bot, aren't you?

    --
    Help stamp out iliturcy.
    1. Re:As smart as you are... by Anonymous Coward · · Score: 0

      "Yes, please don't give any more computer advice until you've been detarded. C'mon. Level with me. You're a bot, aren't you?" - by symbolset (646467) on Saturday November 08, @07:26PM (#25690889)

      I have only figured out that you like to toss names, as you have once more... & that only shows you for who you really are, & that you are on the ropes here as far as intelligent discussion... after all:

      1.) I only listed a way to take out the ROOT CAUSE (pun intended) of a BOOTSECTOR/BOOTBLOCK based ROOTKIT, via RECOVERY CONSOLE's FIXMBR command (which rewrites & restores a pristine bootsector, & that much I can guarantee, where you cannot on a pristine system image, especially if RECOVERY CONSOLE's run off the OS installation media, which is a read-only environs, & the fact that NO virus/trojan/malware-in-general is known to run in that environs (how could it? It's a read only media when run from OS install media))

      I never once stated FixMBR covered other things that a rootkit MIGHT use to defend itself - though in your FIRST REPLY TO ME? You stated I did say that... which is clearly NOT true, & I requoted that several times now...

      (However, the other parts a rootkit MIGHT install, in usermode? Those you CAN 'take out' via using tools like booting to safemode, & using Process Explorer (better than taskmgr.exe in that it breaks out constituent services &/or libs run by apps, not just the main .exe itself only as taskmgr.exe does), msconfig.exe, IE addons removals, startup registry + startup group pruning, services trimming, Add-Remove Programs (control panel applet) & more... even "manually", via regedit.exe even)

      &

      2.) You cannot guarantee a totally 100% PRISTINE system image for YOUR methods... period.

      ----

      "You haven't figured out yet that I'm just leading you on to eat up your output in this forgotten thread." - by symbolset (646467) on Saturday November 08, @07:26PM (#25690889)

      So, you get your "jollies" in that type of thing? I can see that, especially when you're losing a debate...

      Were I you - I'd give up, because I will tell you right now, after the name calling you seem to "get off on"?? I won't give up in continuing to show others how wrong you are on your methods, & that your being "modded-up" 5 is off/wrong because of the imperfections inherent in methods you're extolling (especially after you tossed names my way, first, & now repeatedly)

      LOL... & limits?

      The "A/C" 10 posts in 24 hrs. limits on "Anonymous Cowards"?? Don't apply here... I can be back in, in seconds mind you, on another IP address range & beat those restrictions in seconds... been doing it here, for years now in fact.

      Why???

      Well, you "registered users" think you're God's gift, & you are SO wrong, in that because you are registered here, you are SO EASILY TRACKABLE, it is NOT even funny... & I????? I am NOT "with that"...

      I.E.-> Fact is, it's much harder to track an "A/C" around here, than it is a registered user is why!

      (& I do NOT want to be harassed by folks that have nothing better to do than goad others... especially when they've lost a technical debate & want 'revenge' etc. et al, like you are only showing others YOU are clearly into doing, in this debate with myself now).

      APK

      P.S.=> No method's "110% perfect" vs. ALL possibles out there, because many of these things (virus/trojans/spyware/rootkits/malware-in-general) use 'blended threat' type tech, & often use a "phalanx type defense" in other parts protecting themselves (backup like a zone defense is in sports, more-or-less), but as far as the topic here, in BOOTSECTOR based rootkits (or even viruses)? RECOVERY CONSOLE's FIXMBR command can & DOES guarantee a pristine bootsector & does 'take out' the root cause (once more, pun intended) there, by rewriting the bootblock/bootsector itself... that's all I ever said, & it's correct technically! apk
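
      As an added example (not part of this thread or of anyone's post in it), the Python below models what a rewrite of the MBR bootstrap code, the operation FIXMBR performs, touches on a classic MBR and what it leaves alone: it replaces the bootstrap bytes and copies the disk signature, partition table and 0x55AA boot signature through, and no other sector of the disk is written. The byte layout (440 bytes of code, 4-byte disk signature, 2 reserved bytes, 64-byte partition table, 2-byte signature), the exact boundary FIXMBR itself uses, the byte patterns standing in for "clean" and "infected" boot code, and the sector numbers are all constructed assumptions for the demo, not real boot code or real malware bytes.

```python
"""Added example: what a bootstrap-code rewrite on a classic MBR changes, and what it does not.
The layout below is the conventional classic-MBR layout and is an assumption of this demo."""
import struct

SECTOR = 512
CODE_LEN = 440          # bootstrap code: bytes 0..439 (the part a boot-sector rootkit replaces)
PT_OFF = 446            # partition table: bytes 446..509, four 16-byte entries
BOOT_SIG = b"\x55\xaa"  # bytes 510..511

# Constructed stand-ins, not real boot code and not real malware bytes.
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C".ljust(CODE_LEN, b"\x90")
INFECTED_CODE = b"\xEB\xFE".ljust(CODE_LEN, b"\x00")


def build_mbr(code, disk_sig, partitions):
    """Assemble a 512-byte MBR from bootstrap code, a 32-bit disk signature and up to four entries."""
    assert len(code) == CODE_LEN
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if p["bootable"] else 0x00, b"\0\0\0",
                    p["type"], b"\0\0\0", p["lba"], p["sectors"])
        for p in partitions
    ).ljust(64, b"\0")
    return code + struct.pack("<I", disk_sig) + b"\0\0" + table + BOOT_SIG


def is_valid_mbr(mbr):
    return len(mbr) == SECTOR and mbr[510:512] == BOOT_SIG


def parse_partitions(mbr):
    """Decode the four partition entries; empty entries (type 0) are skipped."""
    out = []
    for i in range(4):
        status, _, ptype, _, lba, sectors = struct.unpack_from("<B3sB3sII", mbr, PT_OFF + 16 * i)
        if ptype != 0:
            out.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": sectors})
    return out


def boot_code_is_clean(mbr, reference=CLEAN_CODE):
    """Byte-for-byte comparison of the bootstrap area against known-good code."""
    return mbr[:CODE_LEN] == reference


def rewrite_boot_code(mbr, reference=CLEAN_CODE):
    """Replace bytes 0..439 with the reference code. Bytes 440..511 (disk signature,
    partition table, boot signature) are copied through unchanged."""
    if not is_valid_mbr(mbr):
        raise ValueError("not a valid MBR sector")
    return reference + mbr[CODE_LEN:]


def changed_sectors(before, after):
    """Indices of sectors that differ between two disk images (lists of 512-byte sectors)."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def demo():
    parts = [{"bootable": True, "type": 0x07, "lba": 63, "sectors": 20000}]
    payload_sector = 60  # constructed: the rootkit body is stashed in the gap before the first partition
    clean_disk = [build_mbr(CLEAN_CODE, 0xDEADBEEF, parts)] + [bytes(SECTOR)] * 100

    infected = list(clean_disk)
    infected[0] = build_mbr(INFECTED_CODE, 0xDEADBEEF, parts)
    infected[payload_sector] = b"ROOTKIT-BODY".ljust(SECTOR, b"\0")

    repaired = list(infected)
    repaired[0] = rewrite_boot_code(infected[0])

    return {
        "infected_before": not boot_code_is_clean(infected[0]),
        "clean_after": boot_code_is_clean(repaired[0]),
        "partitions_kept": parse_partitions(repaired[0]) == parse_partitions(clean_disk[0]),
        "disk_sig_kept": repaired[0][440:444] == infected[0][440:444],
        "sectors_touched": changed_sectors(infected, repaired),
        "payload_still_on_disk": repaired[payload_sector] == infected[payload_sector],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

      The demo writes exactly one sector: the bootstrap area of sector 0 comes back clean and the partition table and disk signature survive, which is the guarantee a bootstrap rewrite gives; the payload sector stashed elsewhere on the disk is untouched by it, which is why a boot-code rewrite says nothing about what else on the disk the rootkit may have changed while it was running.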

    2. Re:As smart as you are... by symbolset · · Score: 1

      Do you have any idea how many monkeys it takes to fly a toaster?

      It's a challenging pursuit and quite frosty.

      --
      Help stamp out iliturcy.
  67. Your method=bad no guarantee pristine system image by Anonymous Coward · · Score: 0

    "I meant it then and I mean it still. Please don't try to give advice about things you don't understand." - by symbolset (646467) on Sunday November 09, @01:21AM (#25692687)

    LOL, buddy, odds are strong here that while I was out making the trade magazines in this field + having code I wrote be put into reputable noted commercial wares (ontop of doing noted freewares & shareware in my time also):

    ----

    Windows NT Magazine (now Windows IT Pro), Sept./Oct. 1996 pg. 83 for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program, improving its performance up to 40% better mind you & being paid for the code in its being bought out by said company, a MS certified partner, mind you) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row iirc.

    WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)

    PC-WELT FEB 1998 - page 84, again, my work is featured there

    WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there

    PC-WELT FEB 1999 - page 83, again, my work is featured there

    CHIP Magazine 7/99 - page 100, my work is there

    GERMAN PC BOOK, 2001, Data Becker publisher "PC Aufrusten und Repairen" my work is contained in it

    HOT SHAREWARE Numero 46 issue, 2002, pg. 54 (PC ware mag from Spain), my work is there, first one featured, yet again!

    ----

    You were still in diapers while I was doing so between 7-13 yrs. ago when I was still "into" that type of 'recognition' in this field... which I have & can prove, & YOU? You clearly, do not.

    Don't try to tell others that b.s. about myself, when you don't have the same on YOUR part (not even CLOSE)...

    (&, the day YOUR CODE goes into commercial applications? Is the day you can talk to me thus (you probably don't even have this part mastered in this field, & until you do? Imo @ least?? You're STILL "playing music via tableture", not "reading & understanding" the music (this field in other words), completely, period!))

    ----

    ALSO:

    Don't even TRY to tell me "I don't understand" this field, when I have clearly shown your methods to be faulty - in mainly 1 respect alone: You CANNOT 100% guarantee a PRISTINE system image, period.

    However, by way of comparison??

    I can (&, have) easily show that FIXMBR from the RECOVERY CONSOLE (especially if run from OS installation media) can guarantee a 100% pristine bootsector/bootblock (especially considering it is on read only media, & NO KNOWN VIRUSES etc. run in that environs also)...

    Reminder: The topic here?

    BOOTSECTOR/BOOTBLOCK ROOTKITS... Nothing else!

    ( & I listed a way to eradicate the "root cause" of a rootkit spawned from the bootsector (the topic itself here)... you said I did not cover the fact that FixMBR is ineffective vs. other kinds of rootkits (such as memory resident ones, or their constituent "phalanx-like backup" portions they may construct)? That is untrue, see this quote from myself (which you skimmed over & screwed up on)):

    NOTE THE BOLDED SECTION OF THE QUOTE, FROM MYSELF, MIND YOU (showing your accusation & name tossing on top of it, towards myself, was unjustified & that you were incorrect in it, period):

    "The FIXMBR command is a "sure-fire" way to rid one's self of these kinds of pests & it is the ONLY kind of rootkit you can kill yourself, afaik... other types such as those that are originated via critical system files being infected are unaffected by FIXMBR (memory resident types, in other words)." - by Anonymous Coward on Tuesday November 04, @11:14AM (#25627505)

    ----

    "Please don't try to justify yourself. You're just making it more and mor

  68. Said all that was needed, here, already by Anonymous Coward · · Score: 0
    1. Re:Said all that was needed, here, already by symbolset · · Score: 1

      Twas brillig, and the slithy toves

      Did gyre and gimble in the wabe;

      All mimsy were the borogoves,

      And the mome raths outgrabe.

      --
      Help stamp out iliturcy.
    2. Re:Said all that was needed, here, already by Anonymous Coward · · Score: 0

      Like I said before, in regards to your methods' faultiness (& calling me names ontop of it, after you skimmed and accused me of something I never said, missing it completely no less)?

      Said all that needed to be said, right here, already:

      http://it.slashdot.org/comments.pl?sid=1015483&cid=25693923

      APK

    3. Re:Said all that was needed, here, already by symbolset · · Score: 1

      The very fact that you can't let this go even though you're posting as an AC lends some credibility to my current belief that you need professional help.

      Please. Consult a professional before you hurt yourself or someone else.

      --
      Help stamp out iliturcy.
  69. Care to show us proof of your PhD in psychiatry? by Anonymous Coward · · Score: 0

    "The very fact that you can't let this go" - by symbolset (646467) on Tuesday November 11, @02:26AM (#25717129)

    LOL, you're here too, aren't you? Isn't that the "pot calling the kettle black"??

    ----

    "even though you're posting as an AC" - by symbolset (646467) on Tuesday November 11, @02:26AM (#25717129)

    Ah, yes - 'double-standards' abound... 'do not as I do (when I am getting my butt kicked), do as I SAY (for I am the "almighty registered user" here (the highly trackable one no less, lol - you really don't get that part of being registered here, do you? It's a DOWNSIDE in that you are SO easily tracked, anyone you 'tick off' can find you & bug you to no end, because of it... think it out, see this point @ least!))...

    AND, The "limits" such as 10 posts in 24 hrs. for us "A/C"'s? Again, do NOT apply to me, I have been 'beating that restriction' here, for years now in fact.

    ----

    "lends some credibility to my current belief that you need professional help." - by symbolset (646467) on Tuesday November 11, @02:26AM (#25717129)

    Care to show us your PhD in psychiatry, or state license in that field? Oh, you don't HAVE one... lol, figures (the usual is this type of 'weak retort', along with your usual name calling you've done here repeatedly - says it all, you are "on the ropes" here, bad)...

    ----

    "Please. Consult a professional before you hurt yourself or someone else." - by symbolset (646467) on Tuesday November 11, @02:26AM (#25717129)

    Again - got that license to practice psychiatry or dispense such advice? No?? That's libel isn't it???

    APK

    P.S.=> All that needed to be said here, by myself vs. your erroneous methods based on a false assumption of safety, are here:

    http://it.slashdot.org/comments.pl?sid=1015483&cid=25693923

    Too bad it made you have to "eat your words" in name tossing out of frustration, eh? AND, too bad you like to call others who have done well in this field over time names, when YOU clearly have not since you avoided many of my questions in THAT regards, as well as others... lol! Too easy... apk