Slashdot Mirror


Rootkit Infection Requires Windows Reinstall

CWmike writes "Microsoft is telling Windows users that they'll have to reinstall the OS if they get infected with a new rootkit. A new variant of a Trojan Microsoft calls Popureb digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog. 'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."

510 comments

  1. Boot Disc by toastar · · Score: 1

    um.... Why not just use a boot disc to clear the MBR/infected files?

    1. Re:Boot Disc by smash · · Score: 4, Insightful

      Well sure, if you have a known good checksum for every file on your machine?

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    2. Re:Boot Disc by capnkr · · Score: 1

      In all seriousness, and without much in the way of research just yet: why not preemptively install GRUB, or some other boot loader, even if the machine is only a single boot Win system? Does this thing attack/overwrite _anything_ attempting to write to the MBR, or only Windows? There is no mention of this in the linked FA's, only in their comments...

      --
      "...there are some things that can beat smartness and foresight. Awkwardness and stupidity can." ~ Mark Twain
    3. Re:Boot Disc by Anonymous Coward · · Score: 0, Offtopic

      I thought Santa Claus exists.

    4. Re:Boot Disc by fuzzyfuzzyfungus · · Score: 1

      Good policy, if a bit upkeep-heavy for your average desktop system. AIDE, Tripwire, Samhain, OSSEC, and quite possibly others will do it for you(at the cost of some administration and system resources) if you have a sufficiently static configuration that it won't drive you to madness...

    5. Re:Boot Disc by tverbeek · · Score: 5, Funny

      Wouldn't a Linux or BSD or Haiku or Hack OS X install fix this too? This headline reads a bit like "Flooding requires rebuilding the exact same structure in the annual floodplain".

      --
      http://alternatives.rzero.com/
    6. Re:Boot Disc by Anonymous Coward · · Score: 0

      debsums - check...

      oh wait, that only works on a real OS ;)

    7. Re:Boot Disc by ghmh · · Score: 2, Insightful

      Sigh. It would 'fix' the potential for getting infected by that particular rootkit on that particular O/S. All those other things are built on floodplains too, it's just that some flood more often than others. Extrapolating future floods based on the past is only going to work until it doesn't.

    8. Re:Boot Disc by w0mprat · · Score: 1

      I don't see how this infection is not possible to clean. All that would be necessary is to boot another OS and overwrite the MBR and clean any infected binaries. Perhaps overwrite Windows binaries with the genuine article from an install CD (downloadable version if updated since the disc went RTM) if it's not cleanable.

      I'd do this from a Linux live USB and have a Windows install on another partition as source. Linux generally ignores NTFS security and should be able to overwrite all necessary files on the Windows install.

      Microsoft could release a bootable ISO or live USB image that could easily clean the rootkit.

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    9. Re:Boot Disc by RobbieThe1st · · Score: 5, Insightful

      To continue your flood analogy, you have three options:
      1. Build out of something floodproof, like concrete. The *entire* house. When a flood happens, no big deal... but making changes to the house would be a big problem. This is the ChromeOS or DeepFreeze approach: Read-only filesystem and checksums.

      2. Build dams, canals and build a few feet into the air. This works for small floods, but if you get something new, it might still wipe you out. This is the Linux approach: Try to secure things, deal with the few issues as they come up.

      3. Build cheaply, and rebuild after each flood. This is the Windows re-image approach: Just assume it's going to get hit, and have a plan to rebuild afterwards.

      Just my 2c.

    10. Re:Boot Disc by sumdumass · · Score: 5, Informative

      If the root kit works like most older boot sector virus programs, it already functions much like Grub does in the sense that it replaces the code that allows the other code to be found and run. But the code represented to the operating system would have a sector 0 in a different location than the real boot sector.

      So while you would effectively have moved the first sector as far as windows is concerned, the virus infection would be able to still tank windows because it would still initially attack sector 0. And if it's the old school infection where it uses int13h calls (the bios) instead of windows and or even the old protect mode access to access the HD, it will effectively move the grub install to a new sector and make it think it is in sector 0 on subsequent boots. It will do this the same way Grub or LiLO would make windows think it was loading from the boot sector when it wasn't.

      The problem with a boot sector virus is that if the disk is allowed to load any code at all which is the default in the boot process, the manipulation is already in memory and running. You would essentially need to boot from a start up floppy or CD or something without the hard disk loading at boot.

      Some modern BIOS configurations allow you to lock the boot sector of the harddrive down much like they started allowing you to lock flashing the bios down. This is about the only way to preempt this as it would give off a warning about something attempting to write to the boot sector of the hard drive. However, experience tells me that when something is trying to write to the boot sector and it fails to do it, you often need to rebuild the boot sector anyways.

      Now that is with the initial infection. The attacks it uses to maintain its infection would work regardless of the operating system because once infected, it's acting as a translation between the operating system and the harddrive. This is why a restore CD is the recommendation for fixing the issues. The CD loads instead of the drive code loading. This way, you are not fixing an infected machine with infected code.
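      The post above describes why sector 0 has to be inspected from media that boots before the disk code runs. As an added example (not from the thread, not Microsoft's tool, and not an AV vendor's), the script below parses a 512-byte MBR read from clean boot media, splits it into boot code, partition table and the 0x55AA signature, and compares it with a backup taken before infection. The file names mbr-good.bin and mbr-now.bin and the dd command in the docstring are assumptions; the sample sectors are constructed inside the script so it runs without any disk.

```python
"""Offline check of sector 0 against a known-good copy.

Added example for this thread (not Microsoft's, not from any vendor tool).
It assumes the current sector was read from clean boot media, for instance
    dd if=/dev/sda of=mbr-now.bin bs=512 count=1
and that a backup taken before infection exists as mbr-good.bin.  An
infected OS that hooks disk reads can hand back the original sector, so
never read it from the infected system itself.  The sample sectors below
are constructed in this file so the script runs with no disk at all.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510      # 0x55 0xAA terminates a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot-code digest, partitions and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + slot * PART_ENTRY_LEN
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        if ptype == 0:
            continue                      # empty slot
        partitions.append({"slot": slot, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFF:SECTOR_SIZE] == b"\x55\xaa",
    }


def compare_mbr(known_good: bytes, current: bytes) -> list:
    """Return findings; an empty list means sector 0 matches the backup."""
    good, now = parse_mbr(known_good), parse_mbr(current)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot signature 0x55AA missing: not a valid MBR")
    if good["boot_code_sha256"] != now["boot_code_sha256"]:
        findings.append("boot code differs from known-good copy")
    if good["partitions"] != now["partitions"]:
        findings.append("partition table differs from known-good copy")
    return findings


def _make_mbr(boot_code: bytes, partitions, signature=b"\x55\xaa") -> bytes:
    """Build a synthetic sector (constructed test data, not a real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3sB3sII", st, b"\x00" * 3, pt, b"\x00" * 3, lba, n)
                     for st, pt, lba, n in partitions)
    return code + table.ljust(4 * PART_ENTRY_LEN, b"\x00") + signature


# Constructed samples: one bootable NTFS-type (0x07) partition at LBA 2048.
CLEAN_MBR = _make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
# Boot code replaced but partition table kept intact, so the OS still boots.
TAMPERED_MBR = _make_mbr(b"\xeb\xfe" + b"\x90" * 40, [(0x80, 0x07, 2048, 204800)])
NO_SIG_MBR = CLEAN_MBR[:SIGNATURE_OFF] + b"\x00\x00"


if __name__ == "__main__":
    if len(sys.argv) == 3:    # python mbrcheck.py mbr-good.bin mbr-now.bin
        with open(sys.argv[1], "rb") as g, open(sys.argv[2], "rb") as c:
            result = compare_mbr(g.read(SECTOR_SIZE), c.read(SECTOR_SIZE))
    else:
        result = compare_mbr(CLEAN_MBR, TAMPERED_MBR)
    print("\n".join(result) or "sector 0 matches known-good copy")
```

      If only the boot code differs, writing the first 446 bytes of the backup back (`dd if=mbr-good.bin of=/dev/sda bs=446 count=1`) replaces it without touching the partition table; `bootrec /fixmbr` from the Windows recovery environment does the same with stock boot code. The check covers sector 0 only: a bootkit that has moved the real sector 0 elsewhere and keeps its body in other unallocated sectors, as the post describes, still has to be found by other means, which is why the reinstall advice stands.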

    11. Re:Boot Disc by Anonymous Coward · · Score: 0

      What if you have applied updates to your system and, using original files as recovery, some of the system files are at the updated level and some are at the base level? One could assume problems to follow. In Linux they are called dependencies, which are handled by package managers. I'm not familiar with a similar thing for Windows. So basically, one would mess up the dependencies...

    12. Re:Boot Disc by artor3 · · Score: 1

      So your response to flooding is to rebuild in the desert?

    13. Re:Boot Disc by Anonymous Coward · · Score: 0

      I....I need to go rethink my life...

    14. Re:Boot Disc by Arker · · Score: 1

      This is hardly the first or the last to use such tricks. This is why I cannot place any faith in any antivirus being used in the typical configuration - as part of a running Windows system. That just doesn't work.

      Way back in the day you had to load your scanner on a boot floppy. These days a Linux boot CD is the replacement. A bit bloated, but at least it does the job.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    15. Re:Boot Disc by Anonymous Coward · · Score: 0

      So, the BIOS loads the MBR virus, which loads the Grub, which loads NTLDR (or whatever they invented), which loads the OS kernel...
      Jack with the house that he built must be somewhere around.

    16. Re:Boot Disc by Anonymous Coward · · Score: 0

      People returning to the floodplain would rather return to the city they left than to a city from another culture with another language. They need to get on with their busy, and now backlogged, lives.

    17. Re:Boot Disc by Hylandr · · Score: 3, Interesting

      What I do is remove the drive from the system, slap it into an external enclosure and scan from a clean machine after unplugging that machine from the network.

      If it kills system files then I replace or repair it once I boot from the recently cleaned hdd. Also, delete the swap file before you plug it back in. hasn't failed me yet.

      - Dan.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    18. Re:Boot Disc by Joce640k · · Score: 3, Interesting

      Yep...once the virus is in the antivirus is useless. The virus will have no problem setting permissions, etc. so your antivirus can't touch it. And...given that most antivirus programs take a week or so to respond to new viruses, it makes them mostly useless.

      If somebody's the sort of person who gets viruses an antivirus won't save them.

      --
      No sig today...
    19. Re:Boot Disc by smash · · Score: 3, Insightful

      We really need to go back to a simple (so it can be bug free) boot ROM that is proper ROM, not read/write flash. Hold key sequence to select boot media, and then boot from known-clean media. Anything that is read/write and involved in the boot process can potentially be fucked with to own your box. In the past, there have been BIOS viruses which were extremely difficult to remove - essentially as soon as the machine powers up it is owned and ready to infect whatever media you give it or intercept the operation of AV programs.

      It's really only because the extra effort isn't worth it that we don't have far more serious viruses out there that are infecting EFI boot partitions, BIOS and other bits of firmware that Windows and its virus scanner software can't fix, these days.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    20. Re:Boot Disc by jhoegl · · Score: 1

      Yes, I would try this first as well. Is there currently an AV that detects this rootkit? Perhaps Kaspersky?

    21. Re:Boot Disc by Anonymous Coward · · Score: 0

      It's called the Windows 7 install disk.

      Boots,
      Can fix the MBR
      Can replace the files in the install (Repair)

      And is already licensed by owners of Windows 7.

      Also can be copied to and boot from a usb key.

    22. Re:Boot Disc by smash · · Score: 1

      FYI, I've seen the ability to lock the MBR in bios versions as old as 1992. I'm not sure if the option went away for a while, but back when MBR viruses were the norm (dos days) this was a popular thing to do. People very rarely had any reason to touch the MBR (all it did was boot DOS for 99% of PC people), and people very rarely ever upgraded DOS.

      However, given that there were also a couple of particularly nasty viruses out there that could embed themselves into the BIOS, locking out sector 0 was not a silver bullet.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    23. Re:Boot Disc by Anonymous Coward · · Score: 0

      Yeah. But ideally we'd also like to use our computers for something useful instead of turning them into mere paper weights.

    24. Re:Boot Disc by Anonymous Coward · · Score: 0

      By assuming malware is like flood. Windows to Linux is the same as floodplain to hill. You assume more, like a herd of new users will trample the hill flat.

    25. Re:Boot Disc by Anonymous Coward · · Score: 0

      Some modern BIOS configurations allow you to lock the boot sector of the harddrive down

      Not exactly "modern", this has been the case for many years. However it's something of a joke security feature, since i) last time I checked all a boot virus / malware had to do was poke a "Y" into the keyboard buffer immediately before attempting the write, and ii) once inside a modern protected mode OS like Windows the BIOS is mostly ignored and any sufficiently privileged process can write to the MBR.

    26. Re:Boot Disc by orange47 · · Score: 1

      which you do, because you made regular offline backups before the infection.

    27. Re:Boot Disc by walternate · · Score: 2

      Yep...once the virus is in the antivirus is useless. The virus will have no problem setting permissions, etc. so your antivirus can't touch it. And...given that most antivirus programs take a week or so to respond to new viruses, it makes them mostly useless.

      If somebody's the sort of person who gets viruses an antivirus won't save them.

      If you look at timelines for spreading of the different virus/malware infections, getting protection within a week most definitely helps a lot against the majority of the infection volume. It's crazy how big volumes of infections happen long after antivirus software and OS/software vulnerabilities are patched against it (as also was the case with Conficker).

    28. Re:Boot Disc by DarkOx · · Score: 1

      You are right, it's not impossible to clean, but it is impossible to clean it with certainty while leaving anything worth having behind.

      Your best bet with a root kit like this is to back up document files, scan them (with everything you have to scan them with) and store them elsewhere, and then simply reformat the drive. They could create a recovery mode on the install DVD and compare all the Windows files on your system with the originals there, perhaps downloading hashes of files replaced by later updates from Windows Update. Then overwrite any file that is not a known Microsoft copy with a good one. OK, now you have to strip out any third party executable or script as well, because any of those might also be infected and could reinfect. In the end you have something that is basically the Windows out-of-box experience with your old wallpaper set.

      It would be faster and safer just to wipe the drive and dump the WIM image again.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    29. Re:Boot Disc by Anonymous Coward · · Score: 0

      Why won't booting from one of the many anti-virus rescue cds w?

    30. Re:Boot Disc by Eggplant62 · · Score: 2

      It's obvious that many posting here don't know the first thing about how Windows works or why it gets infected. The problem isn't in the boot loader. The MBR is just one place that an attacker can find space to store a bootstrap program that will launch his infecting executable from a file on disk, and then, since that area is read and executed each time the PC is started, it writes to so many critical OS files that removing them from the system or disinfecting them becomes impossible without rendering the system inoperable. As the researcher quoted in TFA says, a complete wipe and reinstall is the only way you're going to be certain you have a clean system. And this is one of the many reasons you can't get me to run Windows as my primary OS. Sure, I'll run it in a VM hosted on Linux, but no way would I rely on it for my every day computing needs on the bare metal. Fucking garbage without any kind of cogent security system is what Windows is.

    31. Re:Boot Disc by TrentTheThief · · Score: 1

      Have you looked at Norman Security Suite?

    32. Re:Boot Disc by Eggplant62 · · Score: 1

      You forgot one thing: You use executables from the original CD on a patched, updated system with all the security fixes and hot fixes and patches and service packs installed, and you can forget about the system being operable. That's because the older versions of the programs you just used to write over the infected, newer versions aren't compatible with the rest of the installed software on the disk. Microsoft could come up with a way to wipe and fix stuff, but that would cost them money and we know they're no longer the 500 lb gorilla they once were.

    33. Re:Boot Disc by desertfool · · Score: 1

      My first day working in IT I came across PC with Natas on it. Had to wipe that PC, and a few others in the office as well. Not fun.

      --
      Just a dude. Stuck in IT.
    34. Re:Boot Disc by Anonymous Coward · · Score: 0

      Well sure, if you have a known good checksum for every file on your machine?

      Under Linux/Unix, restore the package database from a backup onto a separate machine (and NFS export it). Boot from a recovery disc and tell RPM/dpkg/whatever to do a hash check comparing what's in that recovered package DB with what's on disk.

      Of course if you have a decent imaging system (Kickstart/Jumpstart/FAI) and a good configuration management system (Puppet/Chef), you should be able to reboot and re-install any system to a known good state within a very short period of time. Though the corruption of application data is another worry.

    35. Re:Boot Disc by kbg · · Score: 1

      You can check all OS files against the original install disk. That way you know your OS is not infected. The rest of the user executable files can be checked with a standard virus program for the Rootkit. Problem solved.
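      Several posts in this thread (the "known good checksum for every file" question, the package-DB hash check from a recovery disc, and the suggestion just above to check OS files against the install media) come down to the same procedure: take a manifest of file hashes while the system is known clean, keep it off the box, and compare from clean boot media later. As an added example that is not from the thread and is not AIDE, Tripwire, Samhain or debsums code, the script below does that on a small scale. It assumes the volume is mounted read-only under the path you pass in; demo() builds a constructed directory tree in a temporary directory, so it runs offline, and the file names and contents in it are made up for the demonstration.

```python
"""Baseline file-integrity check for an offline-mounted system volume.

Added example for this thread (not from any of the tools it names).
Assumes: the baseline manifest was produced while the system was known
clean and stored off the box, and the comparison runs from clean boot
media against the mounted volume.  demo() uses a constructed tree in a
temporary directory so everything below runs with no real volume.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file path relative to root (forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify files as modified, added (absent from baseline) or missing."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    """Create a constructed file under root, making parent directories."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "Windows/System32/ntoskrnl.exe", b"MZ clean kernel image (constructed)\n")
        _write(root, "Windows/explorer.exe", b"MZ clean shell (constructed)\n")
        baseline = build_manifest(root)

        # Simulated infection: a patched system binary, a rewritten hosts
        # file and a new executable dropped into Temp (all constructed).
        _write(root, "Windows/System32/ntoskrnl.exe", b"MZ patched kernel image (constructed)\n")
        _write(root, "Windows/System32/drivers/etc/hosts",
               b"127.0.0.1 localhost\n0.0.0.0 update.example\n")
        _write(root, "Windows/Temp/dropper.exe", b"MZ dropper (constructed)\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

      The manifest only tells you what changed, not whether the change was an approved hotfix or a payload, which is the objection raised later in the thread against checking against install media: every legitimate update has to be followed by a fresh baseline, or the report fills with patched system files. Keep the manifest off the machine and write it with a signed tool or from the recovery environment, since a rootkit running on the box can rewrite both files and manifest at the same time.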

    36. Re:Boot Disc by Anonymous Coward · · Score: 0

      Or build your house on a boat.

    37. Re:Boot Disc by Anonymous Coward · · Score: 0

      Wouldn't a Linux or BSD or Haiku or Hack OS X install fix this too?

      Boot sector corrupt
      Wipe your drive and start again
      Rootkit uninstalled

    38. Re:Boot Disc by wazza · · Score: 1

      Ouch... that method fails as soon as you have hotfixes installed that aren't included on the install disk. I'm assuming, of course, that the rootkit infects/affects one or more files that have been hotfixed since the OS was installed from CD.

      The only way around is to add known good copies of all new hotfixed files, as they're added to your OS, to a read-only medium (like a CD-R).

      Not fun!

    39. Re:Boot Disc by trum4n · · Score: 1

      Because that wouldn't trigger Genuine Advantage and make you buy a new copy!

    40. Re:Boot Disc by Anonymous Coward · · Score: 0

      You did that when you installed Microsoft RootMe 7.

    41. Re:Boot Disc by datapharmer · · Score: 1

      sfc /scannow
      Was that so hard?

      --
      Get a web developer
    42. Re:Boot Disc by Anonymous Coward · · Score: 0

      Wouldn't a Linux or BSD or Haiku or Hack OS X install fix this too? This headline reads a bit like "Flooding requires rebuilding the exact same structure in the annual floodplain",

      More like "Flooding requires spending 5 minutes reverting the exact same structure to the state that it was in the day before."

      Summary is terrible. You can see that MS said "restore your system." That doesn't mean reinstall to factory settings, just means to revert back to a restore point (Windows automatically stores a restore point at least once a week if I recall correctly, even Joe Schmoe has them).

      It takes mere minutes to roll back to an older restore point.

    43. Re:Boot Disc by Anonymous Coward · · Score: 0

      I tried that, this is a nasty bug. This somehow even fucked up my linux installation...well a small snippet.

    44. Re:Boot Disc by Life2Death · · Score: 0

      Last I checked windows keeps a checksum of all known files. There is a utility (though its name eludes me) that you can run to process all of the systems files. However if the hash store is corrupt, good luck with that.

    45. Re:Boot Disc by Life2Death · · Score: 0

      sfc /scannow was the function I was referring to. However as others have pointed out, it bounces off of an install disk, so that has to match what you have installed (patches, service packs)

    46. Re:Boot Disc by kbg · · Score: 1

      The best solution would be if you could download a bootable CD from Microsoft which could check the checksum online against all valid system files including the hotfixed files and even replace the invalid ones with the correct ones. This would solve many problems with virus infections, rootkits and even a corrupted hard disk.

    47. Re:Boot Disc by Chemtox · · Score: 1

      3. Take over the housing market through any means, build cheaply but sell high, and rebuild after each flood. Rinse and repeat, while you slowly introduce the security measures that were the standard before you took over, so your PR dept. has something to say. This is the Windows re-image approach: Just assume it's going to get hit, and let the realtors or homeowners (yeah, right) care about having a plan to rebuild afterwards, which more often than not will not include what's *in* the house.

      FTFY

      To hell with the house, what I really care about is my boardgame and Play^H^H^H poststamp collections. How hard would it be to "forcefully" suggest during install that the Users|Documents and Settings directory be located in its own partition, and then spam the heck out of the user with popups and whistles every week/month until he does at least a quick incremental backup? That way you can wipe and reinstall Windows every month with minimal fuss, as Gates intended it to be, and your documents' partition when something awful happens. But no, instead of Windows Backup Advantage, we got the Genuine thing...

    48. Re:Boot Disc by jd2112 · · Score: 1

      So your response to flooding is to rebuild in the desert?

      You make the assumption that flooding never occurs in the desert.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    49. Re:Boot Disc by Luckyo · · Score: 1

      It's worth noting that machines with BIOS infections can potentially be cleaned through a special disk designed to remove them (usually read-only media like CD/DVD). What can be written, can be overwritten in most cases.

      That said, it would really be much better if there was a physical switch that had to be turned on to access the BIOS in write mode. That way you could use the machine normally in read-only mode, and when you want to flash a new BIOS you flip the switch, then flip it back.

    50. Re:Boot Disc by Anonymous Coward · · Score: 0

      I use a simple script under linux to clean windows machines, it isn't the best but it does the job for now. As I find more common viral locations I add to it.

      #!/bin/sh
      # Run from the top of the user-profile directory ("Documents and Settings"
      # or "Users") of a Windows volume mounted read-write under Linux.
      # Copies executables and temp folders to ../quarantine, then deletes the
      # originals and resets the hosts file. Destructive: check $PWD first.
      set -u
      Q=../quarantine
      #create directories
      mkdir -p "$Q/filelist" "$Q/exe" "$Q/pif" "$Q/bat" "$Q/temp" "$Q/tempinfiles"
      #Find files and create logs (-iname catches .EXE, .Exe and double extensions too)
      find . -type f -iname '*.exe' > "$Q/filelist/elist"
      find . -type f -iname '*.pif' > "$Q/filelist/plist"
      find . -type f -iname '*.bat' > "$Q/filelist/blist"
      #Copy execs to quarantine folders before anything is deleted
      rsync -arv --files-from="$Q/filelist/elist" ./ "$Q/exe/"
      rsync -arv --files-from="$Q/filelist/plist" ./ "$Q/pif/"
      rsync -arv --files-from="$Q/filelist/blist" ./ "$Q/bat/"
      #Copy Temp folders
      find . -type d -name "Temp" > "$Q/filelist/tlist"
      rsync -arv --files-from="$Q/filelist/tlist" ./ "$Q/temp/"
      find . -type d -name "Temporary Internet Files" > "$Q/filelist/tiflist"
      rsync -arv --files-from="$Q/filelist/tiflist" ./ "$Q/tempinfiles/"
      #Add default hosts entries (the Linux mount may be case-sensitive, so try
      #each spelling of the directory name and only touch the one that exists)
      for h in ../windows/system32/drivers/etc/hosts \
               ../Windows/System32/drivers/etc/hosts \
               ../WINDOWS/system32/drivers/etc/hosts \
               ../WINDOWS/System32/drivers/etc/hosts \
               ../WINDOWS/SYSTEM32/drivers/etc/hosts; do   #cause microsoft can't make up their mind
        [ -f "$h" ] && echo "127.0.0.1 localhost" > "$h"
      done
      #Delete original executables (patterns quoted so the shell does not expand them first)
      find . -type f \( -iname '*.exe' -o -iname '*.pif' -o -iname '*.bat' \) -exec rm -f {} +
      #Delete temp folders
      find . -depth -type d \( -name "Temp" -o -name "Temporary Internet Files" \) -exec rm -rf {} +
      rm -rf ../Windows/Temp/*

      Ran from Documents and settings or the User folder.

    51. Re:Boot Disc by NJRoadfan · · Score: 1

      Microsoft does make a CD that does all that, it's called ERD Commander (formerly from Winternals). Problem is since they bought out Winternals, the tools (collectively called Microsoft Diagnostics and Recovery Toolkit) have only been available to TechNet, MSDN or "Software Assurance" customers.

    52. Re:Boot Disc by hesaigo999ca · · Score: 1

      Because the MBR is only 1 of the many files infected, of which I am sure many windows files are too, such as mscorlib.dll, explorer.exe, etc...
      I remember when I first studied root kits on the linux environment, I thought, linux is vulnerable too.....rootkits are the supermen of viruses....
      not only do they know how to hide within the system to avoid detection (some even go so far as to use technology to split a virus file into chunks and add the chunks inside file metadata, then use a special command to dynamically load the virus chunk by chunk into memory in order to run it in the ram....all undetectable by your typical AV) they also know how to circumvent deletion, spawning reinfection based on system based actions (such as scheduled tasks, task manager calls, regedit calls, even .calling the control panel or network connections panel...which you need to use if you ever have connection problems...so it would force the reinfection each time you opened these windows...

      In the end....not much can be done against rootkits, as they know how to run obscurely but what does help is running in a VM environment, usually just for web surfing. After many years, I have 2 means to recover anything, anytime. I use a VM (although some VM viruses do exist) to surf the web, and each restart of the computer is with a previous snapshot completely free of infection....this is usually also for anything to do with key logging, so as to avoid banking data being siphoned....so even if you get keyloggers or ActiveX crap installed, next time you reboot your VM, you start fresh again. The second is for my gaming PCs....
      they have no choice but to be on the actual machine (as VM does not tie in well with graphic cards). I have backups of my main C drive as an actual copy and paste should I need it....and then all I have to do once every 3 months is rebuild the MBR...need to or not....

      With this, I have run without AV software for about 10 years now, and very rarely will I get viruses, although I see it does still happen....

    53. Re:Boot Disc by TheLink · · Score: 3, Informative

      a complete wipe and reinstall is the only way you're going to be certain you have a clean system. And this is one of the many reasons you can't get me to run Windows as my primary OS. Sure, I'll run it in a VM hosted on Linux, but no way would I rely on it for my every day computing needs on the bare metal. Fucking garbage without any kind of cogent security system is what Windows is.

      Uh. How's that different from a root kit infection on Linux? AFAIK standard practice is if your machine (whether linux or windows) gets infected by a rootkit, you're supposed to reinstall. If you don't then you're just betting/assuming that the attack wasn't so serious. In most cases it isn't, and that's the same for Windows.

      The problem is not restricted to Windows. There's a reason why rootkits are called rootkits after all, and not "NT Authority\SystemKits" :).

      --
    54. Re:Boot Disc by Anonymous Coward · · Score: 0

      Try installing GRUB on a Windows boot partition and then boot into Windows and do some partition changes. Then reboot and see that you can't boot to Windows. (It happened to me, and fortunately I had a full partition image for both Windows partitions to restore everything.) That's why it's not a good idea to let GRUB write itself to the Windows boot partition (MBR). A better approach is to use EasyBCD to write to your Windows bootloader and install GRUB in the root partition of your Linux distro. Have EasyBCD point to that distro and it will find it.

    55. Re:Boot Disc by hairyfeet · · Score: 1

      Or you can just be smart (or have hired a smart guy like yours truly) and have previously downloaded and run Paragon Backup & Recovery 2011 Free and then you'd have a nice disc image preferably backed up to a USB drive that with the included recovery CD .ISO burnt takes about 20 minutes to have the machine up and running.

      I swear in this age of 1.5Tb USB external drives costing less than $70 you'd think that having a disc image would be a no brainer. The software above is free, it is simple, does differential if you like, and I have yet to see any malware that would infect a third party disc image

      So seriously folks, if you have friends or family that don't have a backup plan show them TFA and point them to some nice disc imaging software and a cheap external drive. Sellout.Woot has a 1.5Tb for $70 last I checked, which is more than enough space for your average folks to easily keep over a years worth of backups if they so choose. Mine has not only disc images of all my OSes, but a synced backup of all my tunes, all my GOG installers, backups of my pics, they really are handy things to have and take the work and worry out of nasties like TFA.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    56. Re:Boot Disc by LordLimecat · · Score: 1

      Use ComboFix, and the eventual Kaspersky Labs Popureb removal tool (due out whenever there are enough infections).

      And really, the only things that need checksums are executable content, and most of that is replaced if you do a Windows repair.

    57. Re:Boot Disc by tepples · · Score: 1

      And this is one of the many reasons you can't get me to run Windows as my primary OS. Sure, I'll run it in a VM hosted on Linux, but no way would I rely on it for my every day computing needs on the bare metal.

      Have 3D applications in Windows become usably fast under recent VirtualBox software? And with PC makers failing to ship recovery DVDs and reportedly locking recovery partitions so that they'll run only on a particular hardware maker's bare metal, where should one get a copy of Windows to run in VirtualBox?

    58. Re:Boot Disc by mcgrew · · Score: 1

      No, if someone's the sort of person who gets a trojan an antivirus won't save them. A true virus (or a worm) needs no human intervention, only a poorly written OS or app. AV protects you from careless programmers (if the virus is in the AV's library), not your own cluelessness.

    59. Re:Boot Disc by operagost · · Score: 1

      The MBR lock was unusable for me almost from day one because I used to dual-boot OSes. Anybody who uses a boot manager (including LILO or GRUB) will probably get a popup every time.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    60. Re:Boot Disc by operagost · · Score: 1

      That feature does exist on many motherboards. It just isn't used.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    61. Re:Boot Disc by mcgrew · · Score: 1

      Sure, I'll run it in a VM hosted on Linux, but no way would I rely on it for my every day computing needs on the bare metal. Fucking garbage without any kind of cogent security system is what Windows is.

      MS is aptly named. From wikipedia:

      Multiple sclerosis (abbreviated MS, also known as disseminated sclerosis or encephalomyelitis disseminata) is an inflammatory disease in which the fatty myelin sheaths around the axons of the brain and spinal cord are damaged, leading to demyelination and scarring as well as a broad spectrum of signs and symptoms.[1]

      Yep, sounds like MicroSoft to me!

    62. Re:Boot Disc by LordLimecat · · Score: 1

2. Build dams, canals and build a few feet into the air. This works for small floods, but if you get something new, it might still wipe you out. This is the Linux approach: Try to secure things, deal with the few issues as they come up.

      Being completely fair here, which security features are you indicating that Linux has that Windows does not-- would that be the non-granular permissions system, their "weak" form of ASLR (researcher Charlie Miller's own words), their lack of digital signature checking on drivers, or their lack of anything comparable to SFC (the system in windows that checksums all the system files and monitors them for changes)?

      By the looks of it, #2 is already in place in windows.

    63. Re:Boot Disc by hairyfeet · · Score: 3, Informative

      Actually that isn't entirely accurate, it depends on the AV. Both Avast free and Comodo IS free have by default heuristics and sandboxing of ALL apps, so you'd be surprised how much herp derp that can protect against.

      I have some customers that can get more viruses than a Bangkok whore on a Saturday night and switching to Avast Free (used to use Comodo but it is more fiddly than Avast) I have watched infections plummet. By putting everything in a sandbox away from the actual registry and Program Files it really does help keep the nasties away, and Avast Web Shield really does help against the zero days and nasty JavaScripts.

I hate to sound like an ad but if you don't want to deal with nearly as much herp derp PEBKAC PITA crap try Avast Free. I've found by pairing that with Comodo Dragon (which has excellent anti-phishing and sandboxing of its own) it really does help cut down on the nasties caused by a rampant case of the stupids. Of course that doesn't mean one should forgo backups, far from it, but when dealing with dumbasses all the extra protection you can get helps.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    64. Re:Boot Disc by CSMoran · · Score: 1

      sfc /scannow Was that so hard?

      It was easy. But did it work?

      --
      Every end has half a stick.
    65. Re:Boot Disc by mcgrew · · Score: 1

      A virus can contain a rootkit, but a rootkit isn't a virus. And Windows is far easier to root than any other OS (even if MS is getting better at it). It isn't easy to root Linux remotely (although if you have physical access it's fairly easy to pwn).

    66. Re:Boot Disc by Anonymous Coward · · Score: 0

      3. Build cheaply, and rebuild after each flood. This is the Windows re-image approach

      Wow, cheap shot. Redundancy and verified good backups is a cheap shot against Windows, because it's a good idea regardless of the OS...

    67. Re:Boot Disc by ncc74656 · · Score: 1

      In all seriousness, and without much in the way of research just yet: why not preemptively install GRUB, or some other boot loader, even if the machine is only a single boot Win system?

      I wouldn't trust that all trace of an MBR- or boot-sector-resident virus is eliminated without something like dd if=/dev/zero of=/dev/sda bs=1024 count=1024. If you have the time, shred -vzn 0 /dev/sda obliterates everything on the disk.

      --
      20 January 2017: the End of an Error.
    68. Re:Boot Disc by mcgrew · · Score: 1

      Well, it won't help me any; I use kubuntu and have no MS programs at all (although ten years ago I was on Windows at home, and before about 1995 was on DOS). Too bad I have to use MS at work...

    69. Re:Boot Disc by 10101001+10101001 · · Score: 1

      <jokingly>debsums?*</jokingly>

      Honestly, given how much of a mess Windows is generally when it comes to installing files**, I'm sort of surprised they don't do checksums at that level anyways. But, then, that would involve some forward thinking upon helping the home user outside of a more generic, and reliable, wipe and reinstall everything.

      *Admittedly, it won't actually work on all files on your machine: you still have to verify the boot loader separately, system config files have to be handled separately (although that's likely to be rather trivial for most people), and all your logs are obviously modified too commonly for checksums to make sense; but, it goes a long way to being able to verify a system. Too bad I don't know of any actual tool to automate most of the above to rectify debsums' deficiencies. Still, given how a root-kit attack works, it goes a long way towards protecting you.

**Windows does an amazingly good job at one level, given it has to deal with so many different and inconsistent install methods spanning over two decades. At the same time, it'd make a lot of sense if Windows had something equivalent to checkinstall to actually bottle installs, including the production of checksums, to mitigate the risk to the system and generally make uninstalling a lot less messy. That seems especially true given all the "virtual folder" technology that has been included since Vista which could have been designed to mitigate the risk of an MBR or another type of root-kit attack.

      --
      Eurohacker European paranoia, gun rights, and h
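The footnote above points out that debsums never covers the boot loader, so the MBR has to be checked separately. As an added example (not code from any poster or tool in this thread), this Python script parses a 512-byte MBR, hashes its boot-code and partition-table regions separately against a saved baseline, and reports which region changed; the MBR bytes, the partition layout and the disk signature are all constructed inline.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_END = 440        # classic boot code ends where the disk signature begins
PART_TABLE_OFFSET = 446    # four 16-byte primary partition entries follow
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"


@dataclass
class Partition:
    bootable: bool
    type_id: int
    first_lba: int
    sector_count: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the non-empty primary partition entries of a classic MBR."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA(4) count(4)
        status, type_id, first_lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id == 0:
            continue  # empty slot
        parts.append(Partition(status == 0x80, type_id, first_lba, count))
    return parts


def fingerprint(mbr: bytes) -> Dict[str, str]:
    """Hash boot code and partition table separately so a report can say which
    region changed. The disk signature (bytes 440..446) is left out because
    legitimate tools rewrite it without touching the boot code."""
    return {
        "boot_code": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "partition_table": hashlib.sha256(mbr[PART_TABLE_OFFSET:510]).hexdigest(),
    }


def verify(mbr: bytes, baseline: Dict[str, str]) -> List[str]:
    """Return the names of the regions whose hash differs from the baseline."""
    current = fingerprint(mbr)
    return [region for region, digest in baseline.items() if current[region] != digest]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: arbitrary boot-code bytes, one bootable NTFS-type
    partition (type 0x07) starting at LBA 2048, and the 0x55AA signature."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    disk_sig = b"\x12\x34\x56\x78\x00\x00"  # constructed disk signature + 2 pad bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return code + disk_sig + table + BOOT_SIGNATURE


# Constructed "known good" image and the baseline recorded from it.
CLEAN_MBR = build_sample_mbr(b"CONSTRUCTED-CLEAN-BOOT-CODE")
BASELINE = fingerprint(CLEAN_MBR)
# Constructed "later" image: same partition table, altered boot-code bytes,
# which is what a check against the baseline should flag.
TAMPERED_MBR = build_sample_mbr(b"CONSTRUCTED-ALTERED-BOOT-CODE")

if __name__ == "__main__":
    print(parse_partitions(CLEAN_MBR))
    print("clean image, changed regions:", verify(CLEAN_MBR, BASELINE))
    print("tampered image, changed regions:", verify(TAMPERED_MBR, BASELINE))
```

On a real machine both the baseline and the later image would be the first 512 bytes of the disk, read from trusted boot media rather than from the running system.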
    70. Re:Boot Disc by VIPERsssss · · Score: 1

      In all seriousness, and without much in the way of research just yet: why not preemptively install GRUB, or some other boot loader, even if the machine is only a single boot Win system?

      I wouldn't trust that all trace of an MBR- or boot-sector-resident virus is eliminated without something like dd if=/dev/zero of=/dev/sda bs=1024 count=1024. If you have the time, shred -vzn 0 /dev/sda obliterates everything on the disk.

      Amateurs. I wouldn't trust a system without, at least, melting down and reforging the disk platters and then hand coding a new BIOS on punch card.

      --
      We are eternal, all this pain is an illusion.
    71. Re:Boot Disc by HermMunster · · Score: 1

No, it didn't. The purpose of sfc is not to remove viruses. And, as far as the purpose goes, running a program such as that in an infected environment generally gets you nowhere. There are malware products that won't allow antivirus or utility programs such as that to run. The ability of these programs to do what they want, including modifying permissions in the registry, should clue everyone in as to why so many feel the registry is a dismal failure (which has never been improved since day one). Fixing this type of problem, every day, has shown me that Microsoft isn't going to put their money into fixing this stuff. Listen, they released Vista and it was a horrible failure. Look at what they accomplished as far as protecting the customer from this type of software. Look at what they did to fix the OS to make it much more of what it's supposed to do (offload repetitive tasks to the computer). Windows 7 didn't correct anything. I will give them credit for a better task bar and less annoying (and faster) UAC.

When it comes down to it, little was done for the consumer in either release and a lot was done for the content/copyright holders. I can't help feeling that if they'd just have ignored that and focused on the consumer we'd have had a much better product, significantly better all around. But hey, who's to say that the copyright holders aren't more important than the consumers?

      --
      You can lead a man with reason but you can't make him think.
    72. Re:Boot Disc by networkBoy · · Score: 1

      I'll take a boot pop-up every time to ensure that the other time when my machine is running I can't get hit.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    73. Re:Boot Disc by Anonymous Coward · · Score: 0

It's really only because the extra effort isn't worth it that we don't have far more serious viruses out there that are infecting EFI boot partitions, BIOS and other bits of firmware that Windows and its virus scanner software can't fix, these days.

      Sure we do, and it is worth the effort for some. If you hold an appropriate position in one of several US defense firms and have the correct clearance, an approved case, and enough cash in your budget, you may select from several packages available from vendors that will do just that.

    74. Re:Boot Disc by HermMunster · · Score: 1

      Another problem is that most people do not know how to do a complete wipe. Imagine them fumbling around trying to get this done that they wipe out all their data. Or, imagine them screwing around trying to get their data backed up that it becomes such a task that they give up and live with the virus, or they go out and buy a new machine (which is almost never necessary).

      So, once they do get their data backed up and they want to go back to the beginning, they can't find out how. They apparently received no CDs to complete this (due to how Microsoft chooses to deal with Royal OEMs and how a Royal OEM can make even more money off Windows by selling recovery disks separately). How about those self created recovery discs that only allow the customer to do the task one time, yet they miss the fact that the discs can be copied, so what's the point of limiting to a single time? What if they have a recovery partition? It's often not invoked in the same manner (hitting F11). In many cases you have to attempt to boot the computer and go into the repair this computer option and search around till you find the place where the manufacturer hid the recovery option.

Microsoft telling people they have to do this is ridiculous. They make billions every quarter. Doesn't anyone think they could write a program that does it all in a single click? What I mean by that is that it does it all: it cleans the MBR and every other element of that (including ensuring they don't screw around with dual boot set ups), removes the viruses, examines the system and other related files, and puts the system back without needing to completely wipe? I think it only makes sense that they do this because you know, they do take in billions in profit every quarter.

This is what I meant by what I said in an earlier post. Microsoft won't put the time in to ensure that we progress the operating system. They are either incompetent or playing out their incremental upgrade path at the expense of the consumer (a serious expense). You know, the malware writers are putting the time in, can't we get Microsoft to do the same thing? Did the employees that were responsible for coding all this leave? Did they alienate their employees to the point that they cut into the meat when they let a bunch of people go?

      --
      You can lead a man with reason but you can't make him think.
    75. Re:Boot Disc by node+3 · · Score: 2

      Yep...once the virus is in the antivirus is useless. The virus will have no problem setting permissions, etc. so your antivirus can't touch it. And...given that most antivirus programs take a week or so to respond to new viruses, it makes them mostly useless.

      If somebody's the sort of person who gets viruses an antivirus won't save them.

      This is so untrue, I have to believe I'm missing something here. Antivirus software can often remove infections after the fact, and is also very useful in stopping infections from occurring in the first place. Sure, it's not 100% foolproof, but calling it "mostly useless" and saying it "won't save them" is completely untrue.

    76. Re:Boot Disc by node+3 · · Score: 1

This is hardly the first or the last to use such tricks. This is why I cannot place any faith in any antivirus being used in the typical configuration - as part of a running Windows system. That just doesn't work.

      But is this sort of infection common enough to support your conclusion about antivirus software not being trustworthy? Antivirus software is quite useful for preventing infections and removing infections after the fact. It's not 100%, but it is significantly better than you are making it out to be.

    77. Re:Boot Disc by node+3 · · Score: 0

      I honestly thought you were being ironic until I got to the end of your post.

      That's an awful lot of effort to go through. When you say, "hasn't failed me yet", has it actually worked yet? And by that, I mean, has it found and removed an infection that otherwise wouldn't have been stopped initially, or been removed after the fact, by a regular antivirus procedure such that it was actually worth the almost absurd amount of effort?

      I'm really quite curious about this, because although it's possible to be infected in such a way that normal procedures aren't able to detect, the probability of occurrence should be low enough to not generally be worth the effort. If it's not that low, then it's quite interesting indeed. Otherwise, it seems like a lot of effort for very little extra protection.

      And that's all before even getting to the issue of whether removing the drive and scanning from another computer (that is detached from the network, no less) provides any reasonable amount of extra protection beyond simply scanning with a boot disc.

    78. Re:Boot Disc by CSMoran · · Score: 1

      My question was rhetorical -- I meant to point out that we need something that works, and not just something easy -- but thanks nevertheless.

      --
      Every end has half a stick.
    79. Re:Boot Disc by WNight · · Score: 1

      If you want non-crippled install media you'll want to download it. Same with games. When the DRM gets in the way you get a working pirated version.

    80. Re:Boot Disc by pnutjam · · Score: 1

No different than a boot disc. I PXE boot mine on a segmented part of the network and go to town.

    81. Re:Boot Disc by pnutjam · · Score: 1

      You should never trust a box that has been compromised.

      However, in the real world sometimes you have to clean as much as you can and move on.

    82. Re:Boot Disc by Arker · · Score: 1

No, I really am not exaggerating. We were using these techniques in the freaking '80s. An antivirus running on an infected system is only going to be able to remove malware written by total idiots. Which is most of it, but definitely not all.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    83. Re:Boot Disc by Hylandr · · Score: 1

      You must have a curious definition of effort.

It's nothing to remove a drive for a machine that's already in for service. We had a motherboard screwed to a wall (with metal backing) and a tray for the hard disks at the time (1995~99), and it worked wonders for a radio network that had an engineer that put their entire network on public IPs with no protection whatsoever. I kid you not. Those things were nearly useless they were so infested. A day of scanning computers using this method and they were functional again (2001).

And it's been used regularly since then as well. Nowadays I can boot from CD and give it a go, but who has CDs around anymore? I only use thumbdrives now.

      - Dan.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    84. Re:Boot Disc by Anonymous Coward · · Score: 0

      Deepfreeze doesn't protect the MBR as we found out last month.

    85. Re:Boot Disc by Hylandr · · Score: 1

      I like this, but if you're a visiting tech this isn't going to be as available as a laptop with an external drive enclosure.

      - Dan.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    86. Re:Boot Disc by Anonymous Coward · · Score: 0

Except it's almost trivial once you have control of the system to delete all restore points, thus invalidating that fix. Wish you could save restore points to remote systems.

    87. Re:Boot Disc by hairyfeet · · Score: 1, Interesting

So how's that 6 month upgrade death march working out for ya? How many forum hunts have you had to do to find driver fixes in the last couple of years? Anybody who says with a straight face that 6 months is long enough for even basic QA on an OS is just frankly insane. So far I have tried Ubuntu/Mint, Mepis, Mandriva, and PCLinuxOS and on every. single. one. when the upgrades rolled around at least one if not many drivers would shit themselves and die. This is why I won't carry Linux in my shop nor allow it in my home.

      The sad part is other than Linus Torvalds being an absolute douche and treating the kernel as his personal playtoy and not allowing Linux to have what everyone else has had for a decade or more, BSD, Solaris, OSX, Windows, OS/2, a stable hardware ABI so updates don't hose drivers? Well other than that I found Linux was nice, low resource, and had plenty of apps. Of course that is like saying other than the assassination thing Mr and Mrs Kennedy had a nice trip to Dallas.

      That is why when I go pick up my new playtoy tomorrow ( found a sweet little 750Mhz Toshiba laptop in mint state with case and DVD external for $40, just couldn't turn that down for a new hack toy) I'll be putting on TinyXP. Funny that users talk about low resource use for Linux when I have yet to see anybody beat TinyXP, the whole thing uses less than 64Mb for a fully loaded desktop. Since I have plenty of XP licenses laying around it ought to be perfect for that little WinME lappy.

      So while I'm glad that Ubuntu works for you frankly I found Linux to be too big a PITA, with too much time spent on forum hunts and driver fixes than the thing was worth. It is a shame too, as I have 4 1.4Ghz machines sitting right in front of me that will probably end up in the dump as the XP licenses to reload them are worth more than the boxes, but with Linux I'd either have to do a Dell and disable updates and leave them vulnerable to the next flash zero day that comes along, or provide free lifetime support for all the drivers that get hosed on the upgrade death march. Frankly it just ain't worth the effort for boxes that are worth maybe $30 a piece, so in the garbage they'll go. I hate throwing working gear away but what choice do I have?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    88. Re:Boot Disc by metamatic · · Score: 1

      The sad part is other than Linus Torvalds being an absolute douche and treating the kernel as his personal playtoy and not allowing Linux to have what everyone else has had for a decade or more, BSD, Solaris, OSX, Windows, OS/2, a stable hardware ABI so updates don't hose drivers?

      Buy hardware that has open source drivers. End of problem.

      I blame the hardware manufacturers for not providing documentation for their hardware.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    89. Re:Boot Disc by RobbieThe1st · · Score: 1

It's more two things:
1. In most common distros (Ubuntu being a good example), the first/primary user is not running as root by default. The user has to actually type a password each session (or more frequently sometimes) to gain access, and usually be using the terminal to do so.
2. And most important: keyed repositories with near everything in it. If your user isn't randomly grabbing executable files off the internet, and instead from a trusted/verified repo, it's more secure than not. Also, the universal auto-update setup is nice, and *far* faster than Windows Update. It also requires fewer reboots, meaning for the most part it can run automatically and not bug the user to reboot afterwards.

This is what I really meant by dams and canals: They work fine for known problems, and are better than nothing... but not perfect.

    90. Re:Boot Disc by jdc18 · · Score: 1

I am with you. If an OS is compromised with a rootkit, 99% you should reinstall it.

    91. Re:Boot Disc by hairyfeet · · Score: 2

So your answer is to buy nothing? Kinda funny how the web is covered with "replace Windows with Linux" and "save that old machine by putting Linux on it" articles but when you point out that doesn't actually work you get told to buy some mythical "open source hardware" that frankly the ONLY hardware I've seen with decent reliable open source drivers is top of the line workstation gear that frankly it would be cheaper to just buy Apple.

      After all if you look up what RMS uses, which he claims is the ONLY truly "pure" FOSS device he has found so far, it is a Loongson netbook with an ARM CPU which you can't even pick up unless you are heading to the Chinese coast anytime soon.

      So if the only answer to the upgrade death march is to buy and use ONLY open source driver supplied hardware? Please do the right thing and say that when you see those "replace Windows with Linux" articles and tell them they are full of shit. Because so far using the same bog standard hardware that is on a good 85%+ of the machines out there...AMD and Intel CPUs, Nvidia and ATI GPUs, Realtek, Via and Sigma sound, Realtek and Via NICs, and Broadcom and no name wireless, I have yet to find a box of consumer level hardware that doesn't shit itself and die if you let it update.

Like I said that answer really doesn't help keep these 4 1.4Ghz with 512Mb of RAM PCs I'm looking at from going to the dumpster and kinda kills the "save a PC with Linux!" meme quite dead. Because if I were to listen to you the amount of parts I would have to rip out and replace would cost more than these machines would be worth. So again for the lack of a decent driver model in Linux into the trash they shall go. Shame really but Torvalds hasn't changed his position since 1993 and I doubt anyone will get anything past him until he retires or someone gets tired of the bullshit and forks the kernel.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    92. Re:Boot Disc by smash · · Score: 1

True enough I guess. Perhaps I should have added "in the wild"; presumably malware that valuable is kept fairly secret and used on an as needed basis against strategic targets. Not for basic e-mail spam.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    93. Re:Boot Disc by smash · · Score: 1

      If you want Linux without the upgrade cycle API breaking brain damage, go FreeBSD.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    94. Re:Boot Disc by smash · · Score: 1

No, that's not the entire problem. If Linus/kernel team stopped fucking with the kernel to break the way binary drivers can possibly work, hardware manufacturers might give a shit about developing drivers.

      Also retarded shit like changing the order PCI slots/network drivers are scanned for NICs from kernel to kernel. I've had that happen before - a firewall box with 2 NICs, eth0 and eth1 - that magically swapped after a kernel upgrade (so my DMZ became my outside, and vice versa). What the fuck?

      That was one of the major nails in the coffin of Linux for me.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    95. Re:Boot Disc by smash · · Score: 1

Yup, that's why I turned it off myself. But for 99% of the DOS/Windows (ONLY) using population back in the 90s and previous, it was a godsend.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    96. Re:Boot Disc by smash · · Score: 1

      To be fair, back in the windows 98 and early XP days, Linux was fairly easy to root via sendmail, bind exploits, etc as well.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    97. Re:Boot Disc by smash · · Score: 1

      If you firewall windows appropriately, make use of IE security zones, don't log in as admin, keep it patched and don't run dodgy shit then it is secure enough.

      This is basic security 101 whatever OS you are on - if you run 3-9 year old un-firewalled Linux distributions as root without patching then you'll get owned as well.

      Windows' infection rate is as much to do with the user as any amount of software vulnerability.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
98. Re:Boot Disc by WorBlux · · Score: 1

  TinyCore: ~10MB to an X session. I saw someone on YouTube who claimed to fit a kernel, coreboot and tiny X onto an 8MB BIOS chip.

Anyways, give the boxes to some of the charities that do provide support and training, or who have worked out a cushy deal with Microsoft.

    99. Re:Boot Disc by Arker · · Score: 1

You can use that hardware. Intel and AMD CPUs? Fully supported. Nvidia and ATI video? Open source drivers don't provide all the functions of the proprietary ones, devaluing the hardware somewhat, but they work and there is no longer any issue of kernel upgrades breaking things as long as you use them. Used most of the other hardware you mention without problem with Linux too. Requiring an unchanging ABI would have prevented much of the refinement that has gone on in the Linux ABI since 1993, and done absolutely nothing to improve free software, so Linus definitely has made the right call on this one.

Ubuntu wouldn't be my choice though. Just saying. If you don't want bloatware I would try to avoid Gnome-centric distros. Slackware might require you to read in order to configure it, but it's worth it.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    100. Re:Boot Disc by LordLimecat · · Score: 1

      the first/primary user is not running as root by default.

      This is the exact same situation in Vista / 7. The admin account is disabled (just like root in ubuntu), the user has restricted privileges (just like Ubuntu), and if admin rights are needed a prompt appears (just like Ubuntu-- gksudo IS UAC). If the current user is NOT part of the admin group, a user / password prompt also appears (again, just like Ubuntu). Where exactly are you seeing a difference?

The user has to actually type a password each session

That's a minor, trifling difference that does very little for security. Best case, you're attempting to get the user to think about what they're doing-- yet even having to click "continue" in Vista infuriated many so that they simply disabled UAC.

and most important: keyed repositories with near everything in it. If your user isn't randomly grabbing executable files off the internet, and instead from a trusted/verified repo, it's more secure than not.

This is true. Repos are a HUGE 1up for Linux. On the flip side, many users DO grab random .debs off the internet (myself included :\ ), and install third party repos (again, guilty), and tools like Automatix don't help things.

It also requires fewer reboots, meaning for the most part it can run automatically and not bug the user to reboot afterwards.

      Windows updates generally run at shutdown anyways; this is a valid but minor quibble.

    101. Re:Boot Disc by node+3 · · Score: 1

      You should never trust a box that has been compromised.

      That's untrue, and besides the point.

      However, in the real world sometimes you have to clean as much as you can and move on.

      Wait, you just said you should never do that...

      But, like I said, it's besides the point. How is antivirus software "almost useless" and "won't save" people from viruses?

    102. Re:Boot Disc by Anonymous Coward · · Score: 0

      Total crap... GNU/Linux for all intensive purposes when used correctly is immune. Microsoft Windows is vulnerable as shit and you don't have to do anything to get infected. You can do everything in your power not to get infected yet at the end of the day you still get infected.

    103. Re:Boot Disc by node+3 · · Score: 1

No, I really am not exaggerating. We were using these techniques in the freaking '80s.

      Technology has moved on. There's a lot of pointless shit we did in the '80s that we don't do now.

      You *ARE* exaggerating when you claim that antivirus software running within the system being tested is something that "just doesn't work".

      An antivirus running on an infected system is only going to be able to remove malware written by total idiots.

      Which is wholly untrue, but irrelevant. What's relevant is whether it works, which:

      Which is most of it, but definitely not all.

      Which you clearly seem to think it does.

    104. Re:Boot Disc by node+3 · · Score: 0

      You must have a curious definition of effort.

      It's nothing to remove a drive for a machine that's already in for service.

      Where did you get the idea anyone was talking about only doing this while your computer is in for service?

    105. Re:Boot Disc by node+3 · · Score: 1

No different than a boot disc. I PXE boot mine on a segmented part of the network and go to town.

      So, removing a hard drive and connecting it to another computer is no different than a boot disc? Really? You see no difference?

      The end result is almost the same (it's actually a mild bit better than using a boot disc, since it bypasses a possibly (but exceptionally unlikely) infected BIOS), but the procedure is quite a bit more involved.

    106. Re:Boot Disc by Hylandr · · Score: 1

Even if you are at the customer's site, you cannot be sure they will have a CD-ROM or DVD-ROM they can boot from, or a NIC in their PC or even the ability to boot from a USB stick. The fastest route is just grab the HDD, throw it in the tray and scan. But at this point it's triage anyways.

It's the path of least resistance and you don't have the customer watching you trying this, and trying that. You don't look like you don't know what you're doing and the customer has less leverage to try and weasel out of the bill.

      - Dan.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    107. Re:Boot Disc by node+3 · · Score: 0

      Again, why are you acting like this is only under the context of computer repair support?

Even if you are at the customer's site, you cannot be sure they will have a CD-ROM or DVD-ROM they can boot from, or a NIC in their PC or even the ability to boot from a USB stick. The fastest route is just grab the HDD, throw it in the tray and scan. But at this point it's triage anyways.

      The number of scenarios where a computer both doesn't have an optical drive and can't boot from USB is exceptionally rare.

    108. Re:Boot Disc by Hylandr · · Score: 1

      Again, why are you acting like this is only under the context of computer repair support?

      If you are in any IT support role you have a customer. Good service to your coworkers or clients is best served if you perform your service in that manner. It's not what you know or what you can do that keeps your job secure.

Even if you are at the customer's site, you cannot be sure they will have a CD-ROM or DVD-ROM they can boot from, or a NIC in their PC or even the ability to boot from a USB stick. The fastest route is just grab the HDD, throw it in the tray and scan. But at this point it's triage anyways.

      The number of scenarios where a computer both doesn't have an optical drive and can't boot from USB is exceptionally rare.

      I am beginning to think you haven't been around much in the IT world, as this is more common than you can possibly imagine. A computer or server with a problem is not going to behave as you would expect. So far we have only discussed virus removal. How about data recovery? Same thing.

      - Dan.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    109. Re:Boot Disc by hairyfeet · · Score: 1

      I frankly don't give a shit about initial config, as I've been building boxes since the 80s, and that is the problem. For you see in retail these boxes won't be mine they'll belong to somebody who HASN'T been building machines since the 80s and therein lies the problem.

      I have yet to see ONE, just one mind you, distro that managed to get through an upgrade with 100% of the drivers working. Frankly I am starting to believe it is like Bigfoot, it just doesn't exist except on some shaky cam filmed by a hick in Alabama. Let me name just a few I've personally seen off the top of my head: Sigmatel audio dead after update, Realtek audio giving nothing but a lovely crackle, Ali network dead, Realtek network dead, Via network...well dead, Ati coming up to nothing but a black screen (tried both company and FOSS drivers BTW, no difference in odds of getting boned), Nvidia having picture come and go, wireless more problems than I can name, sleep and hibernate? Fugedaboutit, need I go on?

      Frankly I don't give a shit if I have to jump through hoops the customer must NEVER have to do so, period. I have XP boxes in the field that are 9 years old without fail and the ONLY thing they've needed from me is the occasional hardware upgrade. I have Win2K boxes even older that are now being used in a kid's room or in a basement after being rotated out of the office. Again they work just fine, completely updated from RTM to final update rollout, no driver issues.

      It is THIS, this right here that for some reason when talking to Linux users I feel like I'm talking to Martians. Frankly it doesn't matter if YOU are comfortable with forum hunts and tweaking Bash commands, what matters is the customer and for the customer it had damned well better "just work" without shitting itself. You see the difference between Linux and XP is support. With XP there is 14 YEARS of support, Win 7 a DECADE. That is ten years I don't have to worry about broken drivers just because they applied an update. Even the current Ubuntu LTS has less than a year and a half on support and then it's boned.

      You show me just one Linux distro where I can get 6 years, that is less than half of XP and barely half of win 7, just 6 years of support without having to upgrade. People always compare this to upgrading WinXP to 7, but this is like comparing Apples to toilet plungers. WinXP gets over a decade of support so there is no need to upgrade yet if you don't want a badly out of date system in Linux there is NO choice but to jump on the upgrade bandwagon, which as I said equals "update foo broke my" and I have to protect my reputation so that is simply unacceptable.

      Believe me I wish it weren't so. I have no love of throwing away working hardware, nor do I love buying Windows licenses. If I could find but ONE distro that could give me 6 years without doing the upgrade death march these boxes could be saved. But I have looked at it and they simply don't exist. They don't exist because geeks think because THEY have no trouble with forum hunts and tweaking Bash commands to get a driver to work then EVERYONE can do this, but reality is about as far from that as it is from here to Jupiter. My users simply want to come home, turn on the machine, and then go to FaceBook or YouTube and have it "just work". If an update is required for security they want to click the button, let it do its thing, then reboot. That's it! No broken driver messes, no forum hunts, hell there ain't even a way to roll back to a previous version if an upgrade takes a shit all over your machine!

      I want nothing more than Linux to succeed, I really do. Most of my customers now spend all their time on the web and from what I've seen Linux does do that well. But I can't in good conscience disable all updates because as we have all seen unpatched software can be pwned, no matter the OS. But the community is gonna have to accept the world simply isn't like them, the world doesn't want to set around learning Bash or keeping lists of al

      --
      ACs don't waste your time replying, your posts are never seen by me.
    110. Re:Boot Disc by nagnamer · · Score: 1

      That's one of the solutions in the blog post referenced. However, the Slashdot summary doesn't mention this (surprised?).

      --
      Every harsh word you utter has the right address. It only sounds harsh because the one on the envelope is the wrong one.
    111. Re:Boot Disc by Arker · · Score: 1

      I have been using linux since '96 and never seen most of the stuff you are claiming happen. Updates are particularly compelling when the software is free, but you sound manic about it. "as we have all seen unpatched^h^h^h^h^h^h^h^h^h software can be pwned, no matter the OS. " - fixed that for you. You gotta catch your breath and think it through. Windows update *does* break stuff at times too, and if a distro really breaks stuff like that on updates then ffs get a different distro!

      Debian gets a pretty long life cycle, and since you don't mind configuring it, Slackware is actually great. You can set up your own repository and screen updates if you want. The only thing they won't do is keep you supplied with security fixes indefinitely. Pat only does the last three versions at any given time. But he does give you the tools to do it yourself with whatever version(s) you want to support. Not bad for a product you don't have to pay for!

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    112. Re:Boot Disc by Anonymous Coward · · Score: 0

      What this suggests is that one must do a boot from a CD type of device, Only plugged in until Grub on that device starts up linux.

    113. Re:Boot Disc by metamatic · · Score: 1

      I don't want binary drivers. They're not supportable. They cause forced obsolescence of hardware, and they tend to be bloated and buggy. I want hardware manufacturers to sell hardware, not to try and lock me in by keeping what I've purchased a secret. That's why when I buy hardware, I make sure I buy Linux certified hardware that has open source drivers.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    114. Re:Boot Disc by mcgrew · · Score: 1

      How many forum hunts have you had to do to find driver fixes in the last couple of years?

      Driver issues used to drive me crazy five years ago (Mandriva and Suse), especially with the video driver. My card has an S-video out that always worked in Windows with the PC plugged into the TV but it put garbage on the TV screen in Suse and Mandriva. But in the last few years I have yet to have updates break anything, and the TV is happily displaying the computer output.

      I've been using kubuntu, and my main rig is cobbled together from junk parts (which may be why I have no driver issues with it, they've had time to get the drivers working on the older parts), but the (sadly stolen) new netbook that came with Win 7 ran fine under kubuntu. Actually it ran better with kubuntu than Windows. I had a hell of a time trying to find how to shut off the retarded "tap to click" so called "feature" in the netbook under Windows, but it was brain-dead simple in kubuntu.

      I have to agree with you about Linus and the ABIs.

      Before you trash the old PCs, see if kubuntu works on them; it's a shame to waste hardware. Only takes maybe a half hour to install, and unlike a Windows installation you just boot it from CD, make a few choices, and walk away from it while it installs and configures.

      I suspect that the problem with drivers in Linux may be that the card manufacturers give Linux no respect, so somebody without the tech specs has to hack new drivers blind. I can see where it would take a while.

      Linux is the Rodney Dangerfield of operating systems!

    115. Re:Boot Disc by pnutjam · · Score: 1

      I've been thinking of putting a linux partition setup as a PXE server on my laptop for just such an occasion. Pack a crossover cable, or a little switch and you're in business.

    116. Re:Boot Disc by metamatic · · Score: 1

      I have no love of throwing away working hardware

      Then you should buy hardware that has open source drivers. Every time I've had to throw away working hardware it's been because there are no drivers for current OS releases. Your insistence that Linux needs a stable API for closed source drivers is exactly what would force Linux users to get used to throwing away working hardware.

      Right now you can still use Linux with a bus mouse or a SCSI scanner. Try that with Windows 7.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
    117. Re:Boot Disc by mcgrew · · Score: 1

      I have XP boxes in the field that are 9 years old without fail and the ONLY thing they've needed from me is the occasional hardware upgrade. I have Win2K boxes even older that are now being used in a kid's room or in a basement after being rotated out of the office. Again they work just fine, completely updated from RTM to final update rollout, no driver issues.

      When my daughter innocently installed XCP on my computer from a music CD she'd bought at the record store she worked in, it hosed the machine completely. It destroyed all the P2P software (which I used to share/download indie music) and the CD burning software, and a lot of other perfectly legal software (like recording software; XCP wasn't about piracy, it was about ruining independent musicians' recording and burning abilities). I couldn't find the original driver disks for the video card or audio chip, so I went to the manufacturers' web sites to download drivers, and there weren't any for 98. So I had to buy XP just to get drivers for my hardware.

      Installing XP was a pain in the ass. I had to babysit it, clicking choices once every three or four minutes and rebooting I don't know how many times. Never mind putting in that damned antipiracy code. I was used to this; I'd gone through the same hassle upgrading from 95 to 98.

      After installing the drivers from the disks that came with the hardware, and reinstalling all my software (an afternoon's work) everything worked except the CD burning software. Windows gave me a message every single time I booted saying that the software was unstable (it was the software that came with the burner). It wouldn't let me uninstall the software. I went to the burner's web site, which wanted to sell me new burning software. Windows informed me it needed updates, so I let it update, shut it off and went to bed, figuring I'd reinstall Windows yet again the next day after checking my email.

      The next morning the cablemodem was on the floor and it wouldn't get on the internet. I figured that the cat had knocked it off and broken it, so I called Insight, my ISP at the time. They said they could see the modem so I must have a bad network card. I tried a few cables first, thinking maybe when the modem hit the floor one of the connectors had broken, but it was a no-go. I planned on buying a new network card (they're only about ten bucks) and reinstalled Windows to get rid of the annoying "we have disabled your CD burning software" message every damned time I booted, and lo and behold the internet worked again!

      Windows had replaced a perfectly good network driver with one that didn't work at all!

      So the next thing I did was dig out the old Mandriva disks and installed it dual boot. Half an hour, where Windows had taken all afternoon. And everything worked except the S-video output.

      So you see, I had the same issues with Windows that you have with Linux; I completely understand your frustration.

    118. Re:Boot Disc by mcgrew · · Score: 1

      For those who'd like to run Ubuntu but don't like GNOME there's kubuntu. I haven't had any issues at all with it, either on my "cobbled together out of junk parts" PC or the new Acer Aspire One. haven't had an upgrade break drivers in years.

      Configuration of important things in kubuntu can be done via the GUI.

    119. Re:Boot Disc by Arker · · Score: 1

      It's been a couple years since I tried Kubuntu. At the time, it really didn't work very well at all. Glad to hear it's improved.

      --
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-
      Friends don't let friends enable ecmascript.
    120. Re:Boot Disc by vuffi_raa · · Score: 1

      I have some customers that can get more viruses than a Bangkok whore on a Saturday night

      I didn't know that Bangkok whores run code, let alone after work hours.

    121. Re:Boot Disc by node+3 · · Score: 0

      If you are in any IT support role you have a customer. Good service to your coworkers or clients is best served if you perform your service in that manner. It's not what you know or what you can do that keeps your job secure.

      Do you even know how questions are supposed to work?

      Again:

      Why are you acting like this is ONLY under the context of computer repair support? Antivirus scans aren't something that only occurs at the help desk, in the repair shop, or on a visit to a client's computer. In fact, most scans happen outside of these contexts. So, why are you acting like the only scenario that applies here is that of a computer repair one?

      The number of scenarios where a computer both doesn't have an optical drive and can't boot from USB is exceptionally rare.

      I am beginning to think you haven't been around much in the IT world, as this is more common than you can possibly imagine.

      And like the average nerd, you can't seem to believe there's a world outside of your own, limited scope. I never said it doesn't happen, just that it's exceptionally rare. The number of computers in use today that do not have either an optical drive or the capability of booting from a USB drive is small. Very small.

      A computer or server with a problem is not going to behave as you would expect. So far we have only discussed virus removal. How about data recovery? Same thing.

      OF COURSE we only discussed viruses. THAT'S WHAT THIS WHOLE THREAD IS ABOUT! You keep making it out as though it's about something it's not.

    122. Re:Boot Disc by Hylandr · · Score: 1

      Whether it's a hardware or a software issue you are still fixing the damn computer.

      We are done here.

      - Dan.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    123. Re:Boot Disc by node+3 · · Score: 0

      That's not the question. How many times do I have to say this?

      Antivirus software isn't only run when you are fixing someone else's computer. You can't seem to grasp this very simple concept.

      Every response of yours is in reference to only IT-type interactions. You fail to answer the question as to why you think that's the sole scope of the discussion. I don't know how I could make this any clearer, multiple times in a row now. Are you stupid, or just unwilling to read a post before you reply to it?

    124. Re:Boot Disc by Anonymous Coward · · Score: 0

      You may want to include a BIOS flash when reloading. I found a dozen machines (same BIOS) that would re-infect on wipe and install. Once I flashed the BIOS all was right in the world.

    125. Re:Boot Disc by Hylandr · · Score: 1

      Because the context of the very first original post was that of worst case infection where you must reinstall. Are you stupid, or just unwilling to read a post before you reply to it?

      - Dan.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    126. Re:Boot Disc by node+3 · · Score: 1

      The very first post you replied to included this statement:

      This is why I cannot place any faith in any antivirus being used in the typical configuration - as part of a running Windows system. That just doesn't work.

      This took a specific, and not terribly common, scenario and applied it too broadly.

      I don't disagree whatsoever that extreme cases like the one this story refers to warrant extreme measures. I also don't see anything terribly wrong with your methodology (which appears to be specific to IT-style customer interactions, but not necessarily to such severe infections). It may be a bit of overkill, but it's a system that I'm sure works just fine for you.

      But the thing I *do* disagree with. The thing I kept asking you over and over again. The thing that the posts I've been replying to indicate. The thing that may be off topic, but wasn't me going off topic but those I was replying to (including you) veered off course with is: why are you acting like this is somehow the norm?

      Antivirus software running on the host system works just *fine* most of the time. And when it doesn't, *most* infections are easily completely removed *by hand*. Yes, when things get severe, more severe actions are called for, but that doesn't detract from the benefit of going the normal route first and just jumping straight into full-nerd battle mode.

    127. Re:Boot Disc by smash · · Score: 1

      Want away, it will never happen. In the meantime, in the real world, a stable ABI will provide the actual ability for the rest of us to have driver support.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  2. So by Anonymous Coward · · Score: 3, Insightful

    You always do an OSRI if you get infected by any rootkit.

    1. Re:So by MrL0G1C · · Score: 1

      Not always so easy with netbooks, especially when the manufacturers haven't supplied the re-install OS.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    2. Re:So by donaldm · · Score: 1

      Not always so easy with netbooks, especially when the manufacturers haven't supplied the re-install OS.

      In my experience you won't get a re-install disk with your shiny new PC (laptop desktop, netbook or whatever) although you do in the majority of cases get MS Windows (now MS Windows 7). When you fire up MS Windows for the first time you agree to "sell your soul" ^H^H^H^H^H^H^^H^H^H^H^H^H^H :) then after you finally fire up your OS you should be prompted to make a recovery DVD (only once mind you, you greedy bastard) which can take well over an hour and you have to hope that the disk does not get damaged over the life of the machine.

      The first thing I did when I got my nice shiny laptop was to use "Clonezilla" to create an image of the disk to my backup disk and then installed Fedora on the machine. I have never looked back or even felt the need to re-install MS Windows 7 and I actually use my machine for my work as well as using it for home use.

      My son's fiance put Fedora on her netbook and everything she wants to do actually works, although if you are an avid gamer you may have issues but who buys games for "Windows" for a netbook?

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    3. Re:So by jd2112 · · Score: 1

      Sure it only lets you make the recovery disk once. But there is nothing keeping you from copying the recovery disk.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    4. Re:So by CSMoran · · Score: 1

      Sure it only lets you make the recovery disk once. But there is nothing keeping you from copying the recovery disk.

      What the poster meant, I think, was that if you're in a hurry and forego the prompt, you've forfeited your chance to make the recovery disk.

      --
      Every end has half a stick.
    5. Re:So by Khyber · · Score: 1

      The poster is full of crap.

      http://neosmart.net/blog/2009/windows-7-system-repair-discs/

      Also: control panel ---> System and security ---> Back up and restore ---> at the side it says--> create system recovery disk.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    6. Re:So by CSMoran · · Score: 1

      I fail to see how this invalidates the OP's point. Also, the link you provided states clearly:

      What it doesn't do: You cannot use the Windows 7 Recovery Disc to re-install Windows - it only fixes (not replaces!) Windows.

      --
      Every end has half a stick.
    7. Re:So by Khyber · · Score: 1

      When you make the recovery disc, (apparently you've never done this) it's an image of your system as currently installed.

      It invalidates the point entirely if done when first installed, as it's essentially a clean install image.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  3. So system restore points don't work? by Anonymous Coward · · Score: 0, Interesting

    I had a nasty infection a while ago that corrupted my system restore points. I haven't had a problem like that since I upgraded to Vista or Windows 7.

    Does this virus kill system restore too?

    And before anyone makes any snarky comments about switching to Linux look at all the nasty software infecting Android phones right now.

    1. Re:So system restore points don't work? by smash · · Score: 4, Insightful

      Any virus can potentially do anything to your machine, including system restore points. If the machine is owned, it is owned and everything on it should be considered as suspect.

      Back in the day there were a couple of BIOS viruses, which were even worse.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    2. Re:So system restore points don't work? by smash · · Score: 3, Insightful

      And that's regardless of OS. Any root-kitted linux box should be treated with exactly the same level of quarantine.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    3. Re:So system restore points don't work? by RobbieThe1st · · Score: 1

      Of course, you could always get a (mostly) desktop Linux-based phone, like the N900. Near as I can see, it has just about 0 viruses, due to being A, Linux and B, ARM (which isn't that popular compared to x86).

    4. Re:So system restore points don't work? by kirbysuperstar · · Score: 1

      One I had recently overwrote any files on USB media with the alphabet repeated over and over again. Ended up formatting it anyway because it was a serious pain in the ass to nail down. I'm just glad it wasn't Ransomware. If I ever come across that stuff I'll probably defecate myself.

  4. Reinstall, but not Windows by gstrickler · · Score: 2, Insightful

    Right advice, wrong OS.

    --
    make imaginary.friends COUNT=100 VISIBLE=false
    1. Re:Reinstall, but not Windows by Anonymous Coward · · Score: 0

      He wants an OS he can actually do things on, so Linux is out of the question.

    2. Re:Reinstall, but not Windows by crafty.munchkin · · Score: 0

      Clearly you haven't tried to use Linux in the last 10 years.

      --
      ... wait, what?
    3. Re:Reinstall, but not Windows by interval1066 · · Score: 1

      "The only purpose it serves is to save the geek the trouble of trying to understand why Linux as a client OS is on life support.

      I hear this argument every year against Linux as a desktop OS. Yet my friends and I continue to chug along quite nicely with our Gnome or KDE desktops.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    4. Re:Reinstall, but not Windows by Anonymous Coward · · Score: 0

      can't be installed on non-Apple PCs

    5. Re:Reinstall, but not Windows by ColdWetDog · · Score: 4, Interesting

      The only purpose it serves is to save the geek the trouble of trying to understand why Linux as a client OS is on life support. StatCounter Global Stats

      Hey, don't count Linux out just yet. It's making progress in some parts of the world..

      Like Norfolk Island. Next year: Some other isolated bit of humanity. You might think it a hopeless endeavour, but when the world goes to hell in a handbasket, who's going to be left holding the keys to mankind's future: Isolated tiny islands in the middle of nowhere.

      Face it, you just don't understand the Linux world-domination strategy.

      --
      Faster! Faster! Faster would be better!
    6. Re:Reinstall, but not Windows by mug+funky · · Score: 1

      of course it can't. i forgot.

      *switches off hackintoshed eeepc*

    7. Re:Reinstall, but not Windows by Anonymous Coward · · Score: 0

      Parent is modded up and you are modded down. Linuxfags are obviously in a bad mood today.

      (Yeah, I'm posting as AC just to avoid their wrath, even though they will waste their mod points on me anyway)

    8. Re:Reinstall, but not Windows by Anonymous Coward · · Score: 0

      Maybe he tried to use Ubuntu's Unity interface.

    9. Re:Reinstall, but not Windows by pinkushun · · Score: 1

      :D Linux == Big Smiles :D

    10. Re:Reinstall, but not Windows by vgerclover · · Score: 1

      :D Linux == Big Smiles :D

      Linux / Big Smiles == :D / :D

      Linux / Big Smiles == 1

      Wait, what?

    11. Re:Reinstall, but not Windows by tepples · · Score: 1

      Linux is OK until an application or a peripheral that you must use for your work isn't ported and fails to install in Wine. Which operating system were you thinking of?

    12. Re:Reinstall, but not Windows by CSMoran · · Score: 1

      :D == 0, that's what.

      --
      Every end has half a stick.
    13. Re:Reinstall, but not Windows by petit_robert · · Score: 1

      +1

      I have been working full time with linux desktops for the past 6-7 years. Everything just works, and upgrades too. Installs are a breeze, and *much* faster than w/ windows.

      It is very easy to try also : just burn a Knoppix CD and boot a machine with it : very likely you'll have a complete desktop, office suite included, and a working internet connection if your LAN allows it, all in a matter of minutes.

      I sometimes have to do work on customers' machines, I can't believe how everything seems so cumbersome now in the Windows world.

    14. Re:Reinstall, but not Windows by Hamsterdan · · Score: 1

      Sure.
      That's why it's running it on my netbook (900HA) and even on my AMD tower

      --
      I've got better things to do tonight than die.
    15. Re:Reinstall, but not Windows by crafty.munchkin · · Score: 1

      Ok, I'll pay that one... ;)

      --
      ... wait, what?
  5. Always wise anyway by Gothmolly · · Score: 0

    IF you even find you have a rootkit, the only real solution is to throw out the whole machine. Nuking from orbit is the only way to be sure - otherwise you'll find the virus flashed into your NIC boot ROM, or your VGA or motherboard BIOS.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Always wise anyway by Anonymous Coward · · Score: 1

      otherwise you'll find the virus flashed into your NIC boot ROM

      you don't seem to know the meaning of 'ROM'.

    2. Re:Always wise anyway by Anonymous Coward · · Score: 0

      don't forget your cpu microcode the micro controllers in your usb devices......... lol

    3. Re:Always wise anyway by Anonymous Coward · · Score: 2, Informative

      Don't act the fool my boy..... it is called a "boot rom" for historical reasons, but these days, they are all FLASH based, ain't no real mask-programmed ROMs any more, these days they are all FLASH based and on most motherboards can easily be written if you simply toggle the correct bits in the hardware control registers.

    4. Re:Always wise anyway by fuzzyfuzzyfungus · · Score: 1

      At least that requires much more platform-specific knowledge(more comforting on some platforms than others, admittedly...)

      Some standardized mechanism for offline inspection of a machine's entire nonvolatile storage space by an outside probe, without requiring the cooperation of any of the firmware or programmable embedded hardware would be nice, if probably Not Going To Happen.

    5. Re:Always wise anyway by user+flynn · · Score: 0

      Like to point out one thing here. You talk a lot like Dixie Flatline for an ominous cow word.

      Back to the regular discussion...

      --
      In the distance you hear an ominous moo.
    6. Re:Always wise anyway by Anonymous Coward · · Score: 0

      NICs & VGA cards have stopped having flash ever since they moved from ISA to PCI: at that point, in order to cut costs, they moved their firmware storage to the motherboard BIOS flash.

      Most flash have a boot protection area that prevents MBR level infection: if the unprotected portion of the BIOS is what's infected, that can be re-flashed to have the correct contents.

    7. Re:Always wise anyway by Alex+Belits · · Score: 3, Informative

      NICs & VGA cards have stopped having flash ever since they moved from ISA to PCI: at that point, in order to cut costs, they moved their firmware storage to the motherboard BIOS flash.

      Wrong. All graphics cards have traditional CGA/EGA/VGA BIOS interface implemented for their hardware in their flash. They wouldn't initialize properly without it.

      --
      Contrary to the popular belief, there indeed is no God.
    8. Re:Always wise anyway by Billly+Gates · · Score: 1

      "IF you even find you have a rootkit, the only real solution is to throw out the whole machine."

      That is a little extreme isn't it? In fact, so many just throw out a 2 year old computer and get a new one that entire landfills are being dumped with perfectly working computers ... excluding their OS installations.

      I have always been able to just reinstall Windows and buy them off of people as low cost computers for my not so rich friends. Very rarely do viruses flash your BIOS or VGA. Reason being, like a biological virus, it is ineffective if it kills the host. A common cold rarely kills a host and therefore has ample opportunity to spread. Bluepill ... or was it redpill? That concept has been around for years, but no real implementation to run a whole OS under a bios level VM ever came to pass. Too many bioses and running an OS in a VM is very difficult. I use virtualbox and it still has issues with reliability.

      Most rootkits make it impossible to find and a simple wipe always gets rid of them. With the large amount of hardware out there it is too difficult and not practical to make a BIOS or firmware level malware that will work and spread through all hosts. Now Mac users will be in trouble because the hardware is the same. I find this odd, as pc's are too varied with different bios, cards, and other peripherals to do this effectively.

    9. Re:Always wise anyway by MachineShedFred · · Score: 1

      This has never been the case, but nice try. Every video card on the market today has its own firmware ROM, be it old school BIOS or EFI.

      In fact, there's a growing community of folks out there learning more and more about how these ROMs are written, in order to customize settings on your GPU, such as clock speed, memory timing, fan RPM curves, and even hacking in EFI support for use on Macs.

      Please explain how you could do that, and have those settings follow the card when you move it from one machine to another, if it was writing it to the motherboard. Idiot.

      --
      Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    10. Re:Always wise anyway by Hamsterdan · · Score: 1

      Wrong...

      The nVidia 6200 (PC) running in my Powermac G4 has replaced the old Rage128. The card runs in an *identical* fashion.

      It was flashed in a PC, then put in my mac. I don't remember seeing a BIOS socket anywhere on my mac's mainboard.

      --
      I've got better things to do tonight than die.
  6. duh by smash · · Score: 4, Insightful

    The only way a machine can be trusted after ANY infection is an OS reinstall.

    Or as ripley said - nuke it from orbit, its the only way to be sure.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    1. Re:duh by Anonymous Coward · · Score: 3, Informative

      Even that isn't 100% true with rootkits that can attach themselves to your PCI devices...

    2. Re:duh by smash · · Score: 1

      True. But thankfully these are few and far between these days.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    3. Re:duh by dotgain · · Score: 1

      I somehow doubt a nuclear blast is in the PCI spec.

    4. Re:duh by Anonymous Coward · · Score: 0

      There is permanent storage outside the hard disk that a virus can hide out in and survive an OS reinstall. The only way really to be sure is to throw out the whole computer that was infected along with any other equipment that it was networked with at any time. You'll also need to have built the replacement computer from scratch in a secure facility. Of course most people don't really need that level of security.

    5. Re:duh by Anonymous Coward · · Score: 0

      That isn't true. If you know exactly what kind of virus you've been hit with, in many cases you can just scrub it away, because you know how the virus works and hence what to look for. But rootkits and unknown infections are a different matter, and I think that Microsoft's advice in this case is sound.

    6. Re:duh by Bert64 · · Score: 1

      Even if the virus was stored in the bios, or in a flash rom on some kind of pci device... Would it necessarily be able to function if you were to run a completely different OS on the system?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    7. Re:duh by Anonymous Coward · · Score: 0

      The only way a machine can be trusted after ANY infection is an OS reinstall.

      I think the failure to remember this is perhaps the reason why MSWindows machines are so attractive to malware creators. It's not the size of the user-base (there are embedded devices that have been targeted for worms and rootkits with a marketshare that makes NetBSD look big), contrary to what some claim. Nor is it that it's especially easy (everything is more difficult in Win32-land).

      But I've never really seen any other community so resistant to wipe-and-reinstall from known-good media as the MSWindows community. There is an entire industry dedicated to telling you that you can 'fix it up good' without doing the right thing.

    8. Re:duh by Alex+Belits · · Score: 1

      If you know exactly what kind of virus you've been hit with, in many cases you can just scrub it away

      But how do you know if it's not a new variant of the virus that also does something different?
      It's also possible that the virus changed so much that an antivirus would have to contain most of the OS installation just to restore the modified files.

      --
      Contrary to the popular belief, there indeed is no God.
    9. Re:duh by smash · · Score: 1

      If it's in the BIOS, sure. It gets called/run before the OS does. The only saving grace we currently have is that to write viruses that do that is quite a bit more complex due to the size constraints and lack of operating system support to do things you want to do. Also, because BIOS / EFI firmware is a lot more complex these days and there are far more different variants out there. Back in the 90s it was basically AMI or Phoenix BIOS and you could cover 95% of PCs in use.

      It's entirely possible though; back in the day there was a particularly nasty virus that played music out of your internal PC speaker whatever OS you were running, even if you were stuck at the "No operating system found" boot prompt. One "work around" was to disconnect the PC speaker, but it still used CPU and made the machine run slow doing its thing.

      That we don't have this sort of thing today is simply because the effort required vs coverage you would obtain is not worth it. That, and the development of such nasties is a lot trickier as you're messing with actual hardware/firmware - brick your PC during development, and a replacement isn't cheap (vs simply writing viruses in a Windows VM that you can trash/test with as you see fit).

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    10. Re:duh by smash · · Score: 1

      I agree to an extent, though Windows' track record on security prior to 7 has been less than stellar, which hasn't helped. The platform targeting started back in the DOS days, when there was absolutely ZERO security, the virus market simply moved on from there.

      I find it especially hilarious when people suggest that they can fix machines that have had worms on them that respond to IRC commands, etc. You have literally NO IDEA what the malware may have done to your machine. You may have an idea of what it has definitely done as part of the infection process, but there's nothing to say that it hasn't been commanded to do other nefarious things in addition to the standard infection.

      To be 100% sure, as others have mentioned you need to vet / bin your devices that contain read/write firmware as well (anything that can be done from within the OS, including writing to firmware and potentially more, can be done by the virus), but that's not practical (too expensive) for most people, and fortunately there are very few firmware infecting viruses out there any more.

      But if I was responsible for somewhere that HAD to be 100% secure or people die (nuclear reactor, mil spec stuff, etc)? I'd bin the hardware in a second. It's not worth the risk.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    11. Re:duh by Anonymous Coward · · Score: 0

      Or as ripley said - nuke it from orbit, its the only way to be sure.

      Only problem is - Ripley didn't say that.

    12. Re:duh by roman_mir · · Score: 1

      Or as ripley said - nuke it from orbit, its the only way to be sure.

      - You are technically wrong and on /. that is the WORST kind of wrong!

      (also you really should capitalize proper names) .

    13. Re:duh by rickb928 · · Score: 1

      Wasn't she just parroting Hicks?

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    14. Re:duh by Kalriath · · Score: 1

      I hate to break it to you, but you can cover pretty much every BIOS nowadays just with AMI and Award. Eeeeeeeeveryone OEMs the same stuff. It's pretty much either Foxconn, MSI, or Asustek at the core.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    15. Re:duh by justsayin · · Score: 1

      Yep, totally agree. I got into Altiris, that imaging software package, years ago. Once I learned how to keep things clean and tight with Altiris I never went back. I have to admit my virus fighting skills are pretty much gone now. But back in the day I fought a polymorphic monkey stealth virus when sneaker net was popular.

    16. Re:duh by Requiem18th · · Score: 2

      What? Are you trying to give me a hearth attack? How is that even possible?

      --
      But... the future refused to change.
    17. Re:duh by Anonymous Coward · · Score: 0

      No kidding. Even graphics cards can be affected. Fixed a system with a persistent rootkit once - turned out to be the GeForce. The only clue was that the splash screen read "GeBorce". Elegant, but evil.

    18. Re:duh by Anonymous Coward · · Score: 0

      If ever there was a compelling argument for Trusted Computing...

    19. Re:duh by Anonymous Coward · · Score: 0

      This is why I no longer have a fireplace. Being attacked by my hearth in the morning is no fun.

    20. Re:duh by jwhitener · · Score: 1

      Google this phrase:

      rootkit pci device site:blackhat.com

      It should pull up a link to a pdf explaining how its done.

    21. Re:duh by Anonymous Coward · · Score: 0

      Research persistent BIOS virus, and firmware virus.

    22. Re:duh by smash · · Score: 1

      Thanks for the heads up. I guess I overlooked that it's just branding. Previously the BIOS was there in your face saying it was AMI or Award or Phoenix.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    23. Re:duh by cavebison · · Score: 1

      The only way a machine can be trusted after ANY infection is an OS reinstall.

      Not if you make occasional disk images with Acronis et al. This is why you partition the drive with the OS install on C: and your file and data somewhere else - so you can image C: and restore it in an emergency and keep on working.

    24. Re:duh by Anonymous Coward · · Score: 0

      I had one many years ago that would write itself to the buffer memory of a damn printer.. We reinstalled several times but never thought to disconnect the printer during the reinstall.. the minute the printer would get reinstalled on the system, the virus would fire back off and re-infect the PC.

  7. News at 11 by kirbysuperstar · · Score: 0

    I hear the ocean's kinda deep in places.

  8. time to re-think OS architecture by Anonymous Coward · · Score: 4, Interesting

    We all need a major re-think of how OS is installed on the computer, how it is architected, etc.

    Seems to me that a low-level kernel in FLASH, which can only be upgraded with a hardware key inserted (e.g., the kernel FLASH blocks can only be written when there is a physical device plugged into the system), which then supports a number of different OS images using virtual machine concept, is the way to go. If the image of any VM gets rooted, you just toss it and revert to last backup. The flash is immune to tricks, because you must insert a hardware key to upgrade it, so trojans could not over-write the FLASH-based kernel; the worst that can happen is that one of the OS images gets corrupted, then you just revert to saved.

    1. Re:time to re-think OS architecture by smash · · Score: 2

      It's called a boot ROM. For all intents and purposes, with a boot ROM physical OS installs are no different from VM installs in your above scenario.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    2. Re:time to re-think OS architecture by Anonymous Coward · · Score: 0

      +1 for insightful right there. Having any kind of physical lock defeats software any day of the week.

    3. Re:time to re-think OS architecture by GigaplexNZ · · Score: 1

      Sure. Let's just employ an army of minions to carry these dongles around to every workstation on the corporate domain so certain Windows Updates can be applied.

    4. Re:time to re-think OS architecture by The+Master+Control+P · · Score: 1

      Except you and I both know that the idiots who get infected by the new virus every single time, who do the same things we tell them not to every time, will happily open any physical lock because the popup box says to.

      Not until they are made to face major financial penalties for repeated stupidity will they stop being stupid. That means NOT repairing their box that they broke by being Fucking Retarded(tm) for the 1000th time.

    5. Re:time to re-think OS architecture by Skarecrow77 · · Score: 1

      Good idea, but there will always be a backdoor, even to the hardware key, because coders ALWAYS write themselves a back door, and then one day the hackers find it.

      Witness the PS3. Reverse engineer the service mode dongle, use that to find the backdoor (master key).

    6. Re:time to re-think OS architecture by CharlyFoxtrot · · Score: 1

      That's the smart phone model. Fully sandboxed, system can only be written after a cryptographic key is obtained from a trusted source (the vendor) and all files synced to another device or the cloud. Get pwned and flash the device with a system image and sync files/settings to get back the exact system state.

      --
      If all else fails, immortality can always be assured by spectacular error.
    7. Re:time to re-think OS architecture by WaffleMonster · · Score: 1

      Seems to me that a low-level kernel in FLASH, which can only be upgraded with a hardware key inserted (e.g., the kernel FLASH blocks can only be written when there is a physical device plugged into the system), which then supports a number of different OS images using virtual machine concept, is the way to go.

      I don't like it because it makes patching more difficult and does nothing to protect the end users data due to ownage of the guest.

      I believe a better policy would just be to not allow untrusted execution of code on lower protection rings even for administrators/root.

      Windows CE had a scheme like you describe. When you messed up your PDA you could instantly restore to factory default.

      And of course we can't forget AIX, which existed on the RS6000 with its hardware key at a time when the rest of us were "smart little rodents hiding in the rocks".

    8. Re:time to re-think OS architecture by exomondo · · Score: 1

      Except you and I both know that the idiots who get infected by the new virus every single time, who do the same things we tell them not to every time, will happily open any physical lock because the popup box says to.

      Exactly! The only reason people's systems are getting infected by this is because they gave the software privileges even after being warned it was a security risk. It doesn't matter what you do, if you give them the option to bypass security then they voluntarily will.

    9. Re:time to re-think OS architecture by smash · · Score: 1

      You mean like a trusted platform module?

      Wait... wasn't that a bad idea? Or at least that's what the nerds were crying about back in 2005.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    10. Re:time to re-think OS architecture by fuzzyfuzzyfungus · · Score: 1

      I hate to be the one to break this to you; but did you remember to tell the minions that, for security reasons, every dongle is paired at the factory with the computer whose flash sector it unlocks, and the TPM won't accept any unlock dongle that wasn't signed with its internal private key?

      Just be sure they don't lose any of them...

    11. Re:time to re-think OS architecture by Datamonstar · · Score: 1

      While you're right, it would help to cut down on the drive-by installs and the occasional power users that run into a bit of bad luck. And I also think that system owners should be responsible for their systems. Perhaps not so many home users, but definitely web server operators with unpatched systems. If you maintain a system that is capable of causing loss of life or doing significant financial harm then you should share responsibility for the damage done if not properly maintained. I do believe in this.

      --
      The eternal struggle of good vs. evil begins within one's self.
    12. Re:time to re-think OS architecture by Belial6 · · Score: 1

      No, I don't. I know that someone will do it, but most people would be in way better shape if they had to insert a key to install an update.

    13. Re:time to re-think OS architecture by sumdumass · · Score: 1

      Well, I guess the unemployment issues might be fixed if that happened.

    14. Re:time to re-think OS architecture by mlts · · Score: 1

      Physical locks don't help with the dancing bunnies attack.

      This is why places are moving towards solutions that combine the physical security with taking root/Administrator/QSECOFR authority away from the end user. It stops Joe Sixpack from installing yet another Trojanized "pr0n viewer".

    15. Re:time to re-think OS architecture by IgnoramusMaximus · · Score: 1

      TPM was (and is) a disastrous idea from the point of view of freedom of choice for users of general purpose computers.

      TPM (or similar systems) are on the other hand a key element in "walled garden" proprietary environments, such as mobile devices and other embedded systems.

      Universal adoption of TPM on PCs would inevitably change them from a "general purpose" into a "walled garden" proprietary environment. Microsoft one. There is not even a faintest doubt about that.

      Fortunately a mere "read only" copy of software integrity checker and repair system (writing of which is controlled by a simple hardware switch) is quite sufficient to repair pretty much any problem conceivable involving root kits, if the user follows sane procedures.

    16. Re:time to re-think OS architecture by techno-vampire · · Score: 1

      So what you're saying is, they're moving closer to the *nix model of security where the regular users are unable to install or modify system files and can't even run the more dangerous ones.

      --
      Good, inexpensive web hosting
    17. Re:time to re-think OS architecture by Bert64 · · Score: 1

      The problem is that you are putting people with zero technical knowledge, in charge of extremely complex machines...
      All current operating systems are utterly unsuitable for the average end user, and windows is generally the worst of the lot.

      Apple actually has a better idea with the walled garden approach, which is actually quite good for end users - take the complexity out of their hands, and have someone competent (in this case Apple) manage the system. Of course this shouldn't be the only option; there should be multiple walled gardens for non technical users, and advanced options for those who actually know what they're doing.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    18. Re:time to re-think OS architecture by NotSanguine · · Score: 1

      No, I don't. I know that someone will do it, but most people would be in way better shape if they had to insert a key to install an update.

      And you think those self-same users won't just leave the hardware key inserted because they don't want to have to go look for it when they need it? Puh-lease!

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    19. Re:time to re-think OS architecture by Belial6 · · Score: 1

      No, I don't, since the system wouldn't run in its normal mode when the key was inserted.

    20. Re:time to re-think OS architecture by Pentium100 · · Score: 1

      Why do you need a TPM for that? Just write the software to a CD-R then boot from that CD when you need to.

    21. Re:time to re-think OS architecture by rdebath · · Score: 1

      I don't think that's quite right, what you're after is the sort of facilities provided by a "Continuous backup" system.

      The "low-level kernel" can't be changed without the key and doesn't need to be changed unless you open the computer and change the hardware. It only provides one major service and so can reasonably be created without bugs.

      The service it provides could be described as "protected storage". As the normal system works it saves changes to the "write once" storage managed by the "low-level kernel". A continuous backup.

      If there's an "incident" the system gets rebooted in 'fix it' mode. The main system is "forked" (restored but don't delete any backups) from a time when it was clean and user data can be cherry picked out of later backups.

      Windows system restore tries to do this but doesn't protect the backup storage area so while it's fine against an accidental problem it's no protection against malware as the malware just infects the backups too. In addition the restore of the backups doesn't work as it should either.

      The closest I've seen is Puppy Linux, a tiny distribution that runs from a CD-R. The main system is loaded into memory and changes are burnt to the CD-R when you save the system. If you decide you don't like the last update you can ignore it when you reboot. Of course, CDs are slow and so it's not really a continuous backup.

    22. Re:time to re-think OS architecture by reikae · · Score: 1

      Go right through Falken's Maze?

    23. Re:time to re-think OS architecture by Lonewolf666 · · Score: 1

      Seems to me that a low-level kernel in FLASH, which can only be upgraded with a hardware key inserted (e.g., the kernel FLASH blocks can only be written when there is a physical device plugged into the system), which then supports a number of different OS images using virtual machine concept, is the way to go.

      The "hardware key" bit has been used before, in the form of a simple jumper that blocks flashing of the BIOS. That was on a 1996 Intel mainboard for the Pentium I. Good enough for most situations, because a root kit cannot reach out of the hardware and move that jumper.

      I still think that made sense, but obviously most mainboard vendors find even such simple measures too expensive.

      --
      C - the footgun of programming languages
    24. Re:time to re-think OS architecture by drinkypoo · · Score: 1

      No we don't. You need to rethink how YOUR computer works. You could do this right now yourself. Do a LFS with Xen now that Linux is a proper host, and load your OSes from there. Put a front-mount memory card reader, and boot from an SD card with a write protect switch. Done and done.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    25. Re:time to re-think OS architecture by Anonymous Coward · · Score: 0

      Is the write-protect switch on SD cards a physical switch blocking the electronic Write circuitry, or does it just provide a status bit to the O/S and hope that the O/S respects it?

    26. Re:time to re-think OS architecture by drinkypoo · · Score: 1

      Is the write-protect switch on SD cards a physical switch blocking the electronic Write circuitry, or does it just provide a status bit to the O/S and hope that the O/S respects it?

      That depends on the card. SD does have a WP line.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    27. Re:time to re-think OS architecture by Anonymous Coward · · Score: 0

      Or, you know, a simple "read-only" hardware switch on the OS flash. After the third update where the user has to be present to enable and disable writes, the switch will be left permanently in the "go ahead and break shit" state. Any other paradigm of that nature would have much the same result.

      A temporary-state button that enables write until reboot may be better. OS tries to update, can't write, requests that the user enable write by pressing the button on their machine, and the system updates as much as it can within a single boot.

      Simpler == better. Key authentication means lost keys. As long as it can't be faked in software, a button should suffice.

    28. Re:time to re-think OS architecture by Joe_Dragon · · Score: 1

      Joshua

    29. Re:time to re-think OS architecture by tepples · · Score: 1

      I believe a better policy would just be to not allow untrusted execution of code on lower protection rings even for administrators/root.

      Then how would a hobbyist hardware hacker make and test the driver for his one-of-a-kind or otherwise low-volume peripheral? Generic class drivers don't cover all classes.

    30. Re:time to re-think OS architecture by idontgno · · Score: 1

      Good plan. Now, how are you going to secure the database of private keys versus TPM serial numbers for all the computers in your care, so that the dongles can't be cloned and hacked? Hint: Ask the RSA SecurID people what they'd do, and then do something completely different.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    31. Re:time to re-think OS architecture by Anonymous Coward · · Score: 0

      No, individual desktops would be considered equivalent to VM's in a corporate environment. They load from the network (netboot has been around for a while now). The hardware key would only be required for the netboot masters and a few (damned few) workstations that wouldn't be on the netboot system (typically, developer workstations).

    32. Re:time to re-think OS architecture by cforciea · · Score: 1

      Or, we can just leave the hardware keys in on all of the computers in a corporate environment. All of your important data resides externally on a server anyway, right? If I need to re-image your machine, it shouldn't even cause you to bat an eye.

    33. Re:time to re-think OS architecture by fuzzyfuzzyfungus · · Score: 1

      I was mostly joking; but(with the exception of physical cloning attacks by people in prolonged possession of the dongle, which you can choose to make more or less costly based on how much you want to spend; but can't really defeat), implementation should be substantially easier for this hypothetical dongle than for the SecurIDs:

      RSA's real fuckup was keeping copies of all their customers' token seeds, rather than destroying or offline-archiving after transfer to the customer; but the need to keep two copies (one in the token, one on the auth server) is imposed by the fact that the tokens are totally freestanding. Once they get seeded and have their RTC set, they never communicate with their environment again. This makes cryptographically desirable tricks like challenge/response impossible.

      In the hypothetical dongle setup, the motherboard and the dongle could each have a private key, which they would be designed not to reveal under operating conditions (obviously, anyone with prolonged physical control and sufficient resources could attack the silicon; but that is inevitable). During the pairing, each would send the other its public key, and receive a signature from the other's private key. Each would also note that it had performed a pairing operation and refuse to do another one (either permanently, by burning a fuse, or until a complete reset was performed, depending on how expendable you consider the hardware to be).

      At that point, attempting to impersonate the dongle would require both knowledge of the dongle's private key and a copy of the object signed with the motherboard's private key. Attempting to impersonate the motherboard would require the motherboard's private key and the dongle's signed object (and wouldn't be all that useful, since the only thing that the dongle would do, after initial pairing, is participate in a mutual challenge/response session with you, netting you only its not very useful public key). Requiring physical access would be hugely obnoxious to the poor admins, and being able to brick a machine just by losing a dongle would suck; but it is at least conceivable.
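The pairing and mutual challenge/response scheme sketched in the comment above, written out as an added example (this is not code from the original thread or from any vendor's product). It models the motherboard and the dongle as two Ed25519 keypairs, a one-shot pairing flag standing in for the burnt fuse, and the "signed object" as each side's signature over the other's public key. The device names, the `Pair`/`Respond`/`Verify`/`FlashWriteAllowed` functions and the 32-byte nonces are all assumptions made for the illustration; a real part would keep the private key in tamper-resistant silicon rather than in process memory.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device stands in for either the motherboard or the unlock dongle. The private
// key never leaves the part; "paired" is the one-shot fuse from the comment.
type Device struct {
	Name     string
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	paired   bool
	peerPub  ed25519.PublicKey // the only key this device will ever accept
	peerCert []byte            // the peer's signature over our own public key
}

func NewDevice(name string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Name: name, Pub: pub, priv: priv}, nil
}

// Pair is the one-time ceremony: each side records the other's public key and
// hands back a signature over it, then refuses any further pairing.
func Pair(a, b *Device) error {
	if a.paired || b.paired {
		return errors.New("pairing fuse already burnt")
	}
	a.peerPub, b.peerPub = b.Pub, a.Pub
	a.peerCert = ed25519.Sign(b.priv, a.Pub) // b vouches for a's key
	b.peerCert = ed25519.Sign(a.priv, b.Pub) // a vouches for b's key
	a.paired, b.paired = true, true
	return nil
}

// Response is what the prover returns to a challenge nonce.
type Response struct {
	Pub  ed25519.PublicKey
	Cert []byte // signature the verifier issued over Pub at pairing time
	Sig  []byte // fresh signature over the verifier's nonce
}

func (d *Device) Respond(nonce []byte) Response {
	return Response{Pub: d.Pub, Cert: d.peerCert, Sig: ed25519.Sign(d.priv, nonce)}
}

// Verify accepts only the paired peer: the presented key must be the paired one,
// the cert must be our own signature over it, and the nonce signature must check.
func (d *Device) Verify(nonce []byte, r Response) bool {
	if !d.paired || !bytes.Equal(r.Pub, d.peerPub) {
		return false
	}
	if !ed25519.Verify(d.Pub, r.Pub, r.Cert) {
		return false
	}
	return ed25519.Verify(r.Pub, nonce, r.Sig)
}

// MutualAuth runs the challenge/response in both directions with fresh nonces.
func MutualAuth(a, b *Device) (bool, error) {
	na, nb := make([]byte, 32), make([]byte, 32)
	if _, err := rand.Read(na); err != nil {
		return false, err
	}
	if _, err := rand.Read(nb); err != nil {
		return false, err
	}
	return a.Verify(na, b.Respond(na)) && b.Verify(nb, a.Respond(nb)), nil
}

// FlashWriteAllowed is the policy the thread is after: the kernel flash only
// unlocks while the paired dongle proves its presence.
func FlashWriteAllowed(board, dongle *Device) bool {
	ok, err := MutualAuth(board, dongle)
	return err == nil && ok
}

func main() {
	board, _ := NewDevice("motherboard")
	dongle, _ := NewDevice("dongle")
	clone, _ := NewDevice("cloned dongle")
	if err := Pair(board, dongle); err != nil {
		panic(err)
	}
	fmt.Println("paired dongle unlocks flash:", FlashWriteAllowed(board, dongle))
	fmt.Println("unpaired clone unlocks flash:", FlashWriteAllowed(board, clone))
	fmt.Println("second pairing attempt:", Pair(board, clone))
}
```

Because the nonce is fresh per challenge, a recorded response cannot be replayed, and because the motherboard compares the presented key against the one it paired with before checking anything else, a cloned dongle with its own keypair is rejected even if it has copied the signed object. What the scheme cannot do is survive a lost dongle: once the fuse is burnt, no other device will ever pass `Verify`, which is the bricking risk the comment points out.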

    34. Re:time to re-think OS architecture by IgnoramusMaximus · · Score: 1

      No you don't need a TPM to do it - that was what the GP claimed and with which I disagreed too - and a read-only media like a DVD can also be used for the same purpose as its very nature is also a form of a "hardware write-protect switch", which is what I was talking about in general.

      I also mentioned that TPM is used mainly to enforce compliance with manufacturer's demands, most frequently as a part of a DRM scheme of some kind, like that in game consoles and its usefulness in general purpose PCs is questionable, to say the least.

      So I am not sure what your point is. Are you replying to the right post?

    35. Re:time to re-think OS architecture by smash · · Score: 1

      So when I infect your BIOS, how does booting from CD fix that?

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    36. Re:time to re-think OS architecture by IgnoramusMaximus · · Score: 1

      I believe I did mention a "hardware write-protect switch", didn't I?

      Actually, many motherboards already feature a "dual BIOS" setup with this exact need in mind (in addition to corruption or a failed update process). The second copy of the BIOS can only be overwritten if a jumper is in the proper position. Otherwise the first copy is simply replaced with the second, "read only" copy in case of corruption or malicious software attack.

    37. Re:time to re-think OS architecture by Anonymous Coward · · Score: 0

      Wouldn't the master key be the FRONT door? :P

  9. Recovery CD? by grolschie · · Score: 4, Insightful

    Do all Windows PCs ship with a CD? What about retrieving the user's data?

    1. Re:Recovery CD? by smash · · Score: 2

      The data is easily restored from your backup media. Oh what you weren't backing your shit up? Bad luck.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    2. Re:Recovery CD? by v1 · · Score: 1

      User DATA, provided it's not the "intelligent" sort like MS Word documents that can have macros in them, should be safe. Nothing executable should be trusted.

      You COULD try to checksum all system files, but it's so easy to miss something that seems innocuous that is infected and will just use a zeroday to jimmy its way back into restored binaries when you reboot. You really have to nuke and pave it if it's bad enough, the odds of missing something are just too high.

      And with joys like the Windows registry, that damn thing can't even be considered data - with all the "features" in it you have to handle it as though it's an executable, which indicates the "replace" rule. And by design, it's not really practical to replace the registry, and that forces you to try to disinfect your registry instead of replacing it, see above.

      --
      I work for the Department of Redundancy Department.
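The "checksum all system files" approach the comment above dismisses, as an added example (not code from the original thread or from any integrity-checking product): a baseline of SHA-256 hashes taken over a tree, and a comparison that reports modified, added and missing files. The tree it walks is a constructed temporary directory with made-up file names, not a real system, and the `Baseline`/`Compare`/`Demo` functions are assumptions for the illustration. The caveat the comment raises still holds: the baseline has to be taken while the machine is known good, and the check has to run from trusted boot media, because a rootkit in the running OS can feed the hasher clean bytes for a file it has actually replaced.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline hashes every regular file under root and keys the result by
// slash-separated relative path, so two snapshots of a tree can be compared.
func Baseline(root string) (map[string]string, error) {
	out := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		if !d.Type().IsRegular() {
			return nil
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		h := sha256.New()
		if _, err := io.Copy(h, f); err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		out[filepath.ToSlash(rel)] = hex.EncodeToString(h.Sum(nil))
		return nil
	})
	return out, err
}

// Report lists what differs between a known-good baseline and the current tree.
type Report struct {
	Modified, Added, Missing []string
}

func (r Report) Clean() bool { return len(r.Modified)+len(r.Added)+len(r.Missing) == 0 }

// Compare flags changed hashes, files that appeared, and files that vanished.
func Compare(known, current map[string]string) Report {
	var r Report
	for p, h := range known {
		cur, ok := current[p]
		if !ok {
			r.Missing = append(r.Missing, p)
		} else if cur != h {
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range current {
		if _, ok := known[p]; !ok {
			r.Added = append(r.Added, p)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Added)
	sort.Strings(r.Missing)
	return r
}

// Demo builds a constructed tree (file names and contents are made up), takes
// a baseline, then simulates an infection: one binary patched, one driver
// dropped in, one config file removed, and compares.
func Demo() (Report, error) {
	root, err := os.MkdirTemp("", "integrity-demo")
	if err != nil {
		return Report{}, err
	}
	defer os.RemoveAll(root)
	write := func(rel, body string) error {
		p := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		return os.WriteFile(p, []byte(body), 0o644)
	}
	clean := map[string]string{
		"bin/loader.sys":   "clean loader image",
		"etc/boot.cfg":     "timeout=5",
		"drivers/disk.sys": "clean disk driver",
	}
	for rel, body := range clean {
		if err := write(rel, body); err != nil {
			return Report{}, err
		}
	}
	known, err := Baseline(root)
	if err != nil {
		return Report{}, err
	}
	if err := write("bin/loader.sys", "patched loader image"); err != nil {
		return Report{}, err
	}
	if err := write("drivers/unknown.sys", "driver that was not there before"); err != nil {
		return Report{}, err
	}
	if err := os.Remove(filepath.Join(root, "etc", "boot.cfg")); err != nil {
		return Report{}, err
	}
	current, err := Baseline(root)
	if err != nil {
		return Report{}, err
	}
	return Compare(known, current), nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("clean=%v modified=%v added=%v missing=%v\n", r.Clean(), r.Modified, r.Added, r.Missing)
}
```

The report only answers "did something I baselined change"; it says nothing about a file that was already bad when the baseline was taken, or about anything outside the tree, such as the MBR or device firmware, which is why the thread keeps coming back to wipe-and-reinstall.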
    3. Re:Recovery CD? by grolschie · · Score: 1

      I suspect that many Joe Sixpacks don't know about backups, or if they have, haven't set some backup system/process/plan up. I guess it's good that Windows 7 Action Center warns about backups.

    4. Re:Recovery CD? by smash · · Score: 1

      Agreed. However, if you're not backing your data up, it's obviously not important enough for you to consider loss due to theft, hardware failure, etc either.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    5. Re:Recovery CD? by Anonymous Coward · · Score: 0

      Does Joe Sixpack have any important data to back up?

      Jane Sixpack maybe has a John list that she has to back up, but Joe knows where to get his next beer or hit: Bitch! Gimme 'nuther!

    6. Re:Recovery CD? by Anonymous Coward · · Score: 3, Informative

      Mod parent up. PCs commonly shipped with recovery disks ten years ago, but most OEM vendors have discontinued the practice so they can pass along the savings to the consumer (OK, I just made up the last part).

      So unless you were anal enough to make one yourself then if you get an irrecoverable malware like this, you are SOL. Remember to thank the CEOs.

    7. Re:Recovery CD? by juventasone · · Score: 1

      Not recently. Instead they prompt you to create your own. If you failed to do this, and you only needed to access the System Recovery Options mentioned in the TechNet blog, you could use a disc from any PC with the same version of Windows.

    8. Re:Recovery CD? by mark-t · · Score: 1

      No. Systems these days ship with a facility to create a recovery DVD in the event of a system failure. They do not ship with original disks because most consumers don't need or want them... the customers that do want them have to pay a (not expensive, but not negligible either) fee for them.

    9. Re:Recovery CD? by Belial6 · · Score: 2

      That's funny because I was going through and updating the backup system in our house, and asked my wife what she wanted backed up. Her response was "Nothing". She stores everything she wants to keep in a Lotus Notes Database, and that replicates to our server. She was absolutely adamant that she would have no problem if I did a factory reset on her laptop on any random night. Go figure. I guess sometimes people don't need backups. I just never expected it in my own home.

    10. Re:Recovery CD? by Belial6 · · Score: 1

      That is one thing that really bugs me. They want me to make a restore CD at 5 times the price with a 10 times shorter lifespan over a $0.10 piece of plastic.

    11. Re:Recovery CD? by Anonymous Coward · · Score: 0

      Nothing can be trusted, even inane things like images could be used to embed shellcode that will reinfect the user if a suitable exploit exists, it goes without saying that backups made post infection will allow anything to write itself to the media employed if they were done from inside the infected OS, and even outside the OS, nothing can guarantee there isn't a hypervisor running at all times (as for backup media, I'm not even talking about autorun, if we're dealing with very low level things here, you could make the raw data on the device crash the driver and infect the target throughout yet more shellcode).

    12. Re:Recovery CD? by thunderclap · · Score: 1

      Solution: wipe both. Then you will see how much she remembers. You always need backups.

    13. Re:Recovery CD? by Anonymous Coward · · Score: 0

      The data is easily restored from your backup media. Oh what you weren't backing your shit up? Bad luck.

      If your backed up data is up to date, what's to say that it too ain't infected by the virus that caused you to re-install in the first place? Or did you mean that one has a gazillion back-up images from the last several months/years?

    14. Re:Recovery CD? by CAIMLAS · · Score: 1

      No. And no. The former is uncommon at best; the latter is frustratingly difficult if there's a possibility that the user profile is infected (due to the 'store shit everywhere, lots of binary files' nature of a profile).

      Windows PCs are disposable. If it's important, assume that the PC is a kiosk. It's not so much the case now as in later years, thank god, but it used to be that a Windows reinstall was more time and effort to get 'back up to snuff' than a Gentoo build.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    15. Re:Recovery CD? by spire3661 · · Score: 1

      Any true backup plan will have archived, off-site, off-line historic versions.

      --
      Good-bye
    16. Re:Recovery CD? by Belial6 · · Score: 1

      She didn't say she didn't want me to back up the server. She said that she didn't need backups of her computer. Big difference. You don't always need backups. Her laptop doesn't.

    17. Re:Recovery CD? by smellotron · · Score: 2

      Solution: wipe both. Then you will see how much she remembers.

      Yeah, then push your kid down the stairs next time you see him walking around without a helmet on. And kick the dog to teach it not to run in front of you! Your friends and family will love you for imparting your wisdom on them as painfully as possible!

    18. Re:Recovery CD? by Anonymous Coward · · Score: 0

      I bought a "cheap" Gateway laptop at Best Buy about a year ago and they wanted me to pay an extra USD 40 for a boot/recovery CD. I told them I wasn't going to pay that and just imaged the drive before I even powered on the laptop. I still thought it was kind of shitty of them to treat their customers like that.

    19. Re:Recovery CD? by Pentium100 · · Score: 1

      Or, scan the user data with an antivirus after reinstalling Windows.

    20. Re:Recovery CD? by Pentium100 · · Score: 1

      I don't know about Gentoo, but if you have a lot of software installed, reinstalling Windows is still a PITA and takes a long time. Or rather, reinstalling all the software takes a long time.

    21. Re:Recovery CD? by Wowsers · · Score: 1

      There is a problem with user data. I thought that Microsoft would have fixed it in Win7, but it didn't. Microsoft by default saves all user files in the Windows partition. Wipe-install Windows and kiss your data goodbye. With Win7, Microsoft seems to have made a "System reserved" partition, so why could they not keep the user files separate from the OS in another partition? Thank goodness for the better partition layout scheme in Linux (most distros put /home in a separate partition and not in root).

      --
      Take Nobody's Word For It.
    22. Re:Recovery CD? by yuhong · · Score: 1

      Even then, keep in mind you can connect your hard drive into another computer to retrieve your data.

    23. Re:Recovery CD? by Anonymous Coward · · Score: 0

      Apparently, customers DO want them. They just don't know until they get told the only way to get rid of this is to use the recovery disc.

      If PCs shipped with a recovery disc, at least the customer would have it *somewhere*. But because they didn't know they needed one, they don't have one, and if they make one now, it will be infected.

    24. Re:Recovery CD? by Billly+Gates · · Score: 1

      Every new PC will ask you to make one or will have one in a hidden partition. With my Asus it is F9 to rewipe the system back to factory defaults.

      That responsibility is up to the user. I do miss the days when I had an actual copy of NT 4 or Windows 2000 that I could do whatever I want with a new workstation, but those days are over. Everyone pirated it.

      If the user chose to be irresponsible they could always take them to Geek Squad and wait a week, or order a pair of restore CDs from the manufacturer and wait a week or two. You can't expect Microsoft to give everyone a real copy of Windows, do you? The agreement in the EULA is between Microsoft and the manufacturer ... not you.

    25. Re:Recovery CD? by AtomicJake · · Score: 1

      No, most do not. But you can create your own CD for recovery with all factory settings (this is at least supported by the ASUS and HP laptops / desktops that I own).

      Unfortunately, "factory settings" also means all the crapware and adware stuff that you find nowadays on a retail PC. If I could choose a Windows installation CD or DVD instead, I would be a much happier customer - and reinstall each newly purchased PC right away.

    26. Re:Recovery CD? by black+soap · · Score: 1

      And they don't even want to include a printed manual. Remember when computers came with manuals?

    27. Re:Recovery CD? by Shados · · Score: 1

      That's one reason why I love Windows Home Server.

      Backup automatically during the night (wakes up my computers, all of them, and puts them back to sleep when it's done) to make incremental backups. Then there's an ISO on the server that you can burn to disk...

      If anything happens, you take the disk, boot with it. It detects the home server, and prompts you with a drop-down asking which backup you want to restore. Mine is configured to make daily backups for 2 weeks, weekly backups for 2 months, then monthly for a year... they're incremental so they don't take much room.

      Pick the backup, click the button, go get breakfast, come back, computer's fixed, problem solved.

      Not that I ever had to use it aside from testing purposes, but it's nice peace of mind.

    28. Re:Recovery CD? by Hatta · · Score: 1

      It still takes forever to get a Windows station partially usable. Have to grab Cygwin, terminator, virtuawin, gvim, 7zip, R, Java and a bunch of stuff I can't remember right now. Should just be an apt-get away, but Windows isn't that user friendly.

      --
      Give me Classic Slashdot or give me death!
    29. Re:Recovery CD? by Anonymous Coward · · Score: 0

      Do all Windows PCs ship with a CD? What about retrieving the user's data?

      If they do now, they didn't not long ago. To save the extra 35 cents or whatever, some manufacturers kept the install image in a hidden partition. On the hard disk.

      User data is pretty much toast. Apps will all have to be re-installed. And re-patched.

      Full-scale system recovery is no pleasant job on any system. But on Windows, you'd get more enjoyment from having burning splinters jammed under your fingernails while having electricity applied to sensitive body parts and water poured up your nose.

      In short, you'll live, but you won't have happy memories.

    30. Re:Recovery CD? by LordLimecat · · Score: 1

      Er....
      1. FixMBR
      2. Reinstall Windows (which renames / deletes Program Files and Windows folders)

      Which of these two stages is nuking the user data?

    31. Re:Recovery CD? by jd2112 · · Score: 1

      And uninstalling the crapware that is included on a recovery disk is equally a PITA...

      --
      Any insufficiently advanced magic is indistinguishable from technology.
    32. Re:Recovery CD? by Anonymous Coward · · Score: 0

      Really? You make it sound as though you've never encountered a user who has no idea what is in their own best interest. Computers are magic boxes to many users (sadly true) and they just "work". Until something like this happens they don't even know what a backup is or why it's important. I'd hate to break some archaic law in your town.

    33. Re:Recovery CD? by jawtheshark · · Score: 1

      You don't have to... I ordered three Dell XPS L502x systems last week (Got a 50% rebate, resulting in each machine "only" being 526€, including shipping. For a quad core i7 and a Full HD screen, I thought that was very reasonable. I wasn't in "need" of a new system, but I couldn't resist.) and I chose to get the recovery CDs. Costs 5€, which includes the Windows OEM installation CD. While I'd rather have those disks "free", I don't think 5€ is a huge expense compared to the hassle of not having them or having to make them yourself.

      I haven't had the time to reinstall the machine (it won't ever boot in the OEM install, if I can stop it), but I'll find out soon enough how well the Windows installation disk works. (From my experiences at work: perfectly fine).

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    34. Re:Recovery CD? by Anonymous Coward · · Score: 0

      One of the big problems is retrieving settings in a Microsoft system. Of course on Linux they are all out there in the open in text files.

    35. Re:Recovery CD? by jawtheshark · · Score: 1

      Why give money to Microsoft for that? Ever heard of BackupPC? I don't know if it can wake up PCs, but the backup runs while the machines are on your network.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    36. Re:Recovery CD? by Shados · · Score: 1

      Because it's only one of the billion features the box has, it includes the hardware, and my mom can configure it herself out of the box. You take the machine, plug it into your network, click the "next" button a few times and you're done.

    37. Re:Recovery CD? by jawtheshark · · Score: 1

      You can, but it's very hard... How do I move the user folder to a different drive? I found out the hard way when I installed my brother's new gaming machine. In XP it was easy-peasy to do. I had this partitioning scheme: C: = OS, D: = Data, E: = Applications, F: = Games and G: = Temp. I have not found how to do that with 7, where I had to settle for C: = Everything except data, D: = Data.

      I personally think that it is unacceptable due to the rise of using SSDs for system disks, where the C/D scheme is at least needed.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    38. Re:Recovery CD? by jawtheshark · · Score: 1

      Well, keep in mind that Home Server is very close to dead... Hang on to it as long as you can. One of the nicest features, drive extender, will be removed (if it hasn't already been in the latest version). For me, setting up Debian by PXE and doing a few apt-gets is as easy, if not easier, than whatever Home Server offers.

      If you'd set up such a machine (assuming you have the knowledge), your mom could also plug it into the network and pretty much forget it. Configuration of BackupPC is done by a web interface, so it's not exactly rocket science.

      Any server requires some skill, here the skill has only been outsourced to the OEM. Not to mention that the hardware requirements are harsh compared to what an Open Source solution uses. A Soekris net5501 can easily run Debian/BackupPC, try doing that with Home Server.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    39. Re:Recovery CD? by Belial6 · · Score: 1

      Yes I do. I also remember when Bill Gates was saying that you shouldn't pirate software because if you did you wouldn't get the manuals or technical support.

      If you're nostalgic for the days of yore, you could always get one of the C64 replicas. They are a C64 on the outside, a 64-bit x86 Atom on the inside, and they come with a manual.

      http://www.commodoreusa.net/

    40. Re:Recovery CD? by SilverEyes · · Score: 1

      That way is the crazy way, there is a far easier way if you are just setting up your machine. The best way is to move the default profile accounts, delete existing accounts, and then create the new accounts you want, but unfortunately this requires a re-install. Basically do this (http://joshmouch.wordpress.com/2007/04/07/change-user-profile-folder-location-in-vista/), for Windows 7 (some of the keys may be a little different). I've done this on my computer, and the only thing that persists on C:\ are a couple of AppData caches, although I think they are junctions. Using mount points/junctions is a little messier (and you'll have the paths existing in C:\ as well), but may be easier.

      Unfortunately, it requires hard coding the drive letter of the user partition, which may not be desirable for some people.

      That said, Microsoft absolutely should support changing it optionally (they won't do it as default for compatibility with poorly written applications; this is why there is a junction at C:\Documents and Settings\ for C:\Users, etc.)

      Games and applications can be installed on a separate partition, on a per-application basis. Not all applications support this, but for the most part it works well.

      Some programs use their own temp settings, others use the system variable %TEMP% (which can be changed to the new partition if you'd like).

      Moving existing accounts is frustrating (I've done it under Vista), but can be done.

      --
      Interesting.
    41. Re:Recovery CD? by SilverEyes · · Score: 1

      (Secondary note: if you only want to move the libraries, that is very straightforward: http://www.edbott.com/weblog/2006/06/windows-vista-tip-4-move-your-data-folders-to-a-separate-drive/ ; but it isn't as nice/clean as having it separated (or almost entirely so).)

      --
      Interesting.
    42. Re:Recovery CD? by Have+Brain+Will+Rent · · Score: 1

      It's even worse than that - Windows will only allow you to make 1 recovery CD set - like you would really trust your one and only burned CD set to still be good in 3 years when your machine crashes. Apparently they think users can't figure out how to duplicate CDs... so they make it needlessly more difficult to have multiple backup copies.

      But it's worse than that - they also put the recovery info on a partition on the hard disk and encourage people to use that. Does anybody really think a virus writer can't figure out how to infect the recovery partition too?

      --
      The tyrant will always find a pretext for his tyranny - Aesop
    43. Re:Recovery CD? by tgd · · Score: 1

      Actually Win7 on all but a reformat and re-install will preserve the data just fine. Unlike XP, user data is all under the User folder, unless you went out of your way to put it elsewhere. (And filesystem virtualization will ensure even older buggy apps write their files under your account.)

      And, in either case, a system restore doesn't do what virtually everyone on this thread seems to think it does. Restore != reinstall.

    44. Re:Recovery CD? by cavebison · · Score: 1

      Do all Windows PCs ship with a CD? What about retrieving the user's data?

      Always partition your system so Windows is on C: drive and your data and files are on the other partition, or another drive. Then you can reformat C: and reinstall Windows without losing data.

      This involves moving your user profile off C: as well. There are instructions on the web of how to do that. Then when you reinstall Windows, you reconnect the user profile to where it's stored, and off you go.

    45. Re:Recovery CD? by jawtheshark · · Score: 1

      It was even more straightforward in XP. You had to do it for one single folder, My Documents, instead of for all Libraries, which is a frigging pain in the ass. (No, I'm not happy with 7 at all.)

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  10. Sony? by wideBlueSkies · · Score: 0

    Is Sony getting back at us for bashing them over the last month or so??

    --
    Huh?
    1. Re:Sony? by jd2112 · · Score: 1

      Who would've known back in 1997 that Axl Rose would deliver Chinese Democracy before 3DR finished Duke Nukem Forever.

      Or that both would royally suck ass...

      --
      Any insufficiently advanced magic is indistinguishable from technology.
  11. Wrong by Anonymous Coward · · Score: 0

    A recovery disk will restore your computer to the state it was in when the recovery disk was created. For me, this means that I can always go back to a recovery image made at 3am each and every day and stored off site. While I don't specifically plan on getting infected with a rootkit any time soon, I do plan for the worst.

    All this blog entry says is that if you are infected with this rootkit you need to fix your MBR before you restore an image of your system.

    1. Re:Wrong by Datamonstar · · Score: 1

      What happens when you get rooted while on a 5-day vacation? Does it maintain weekly backups, or just overwrite the last one?

      --
      The eternal struggle of good vs. evil begins within one's self.
  12. Re:Norton Ghost by countertrolling · · Score: 4, Informative

    You work for Symantec?... use ntfsclone or partimage from a live CD instead

    --
    For justice, we must go to Don Corleone
  13. wait.... what? by smash · · Score: 1

    Malware like Popureb overwrites the hard drive's master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to both the operating system and security software.

    When the fuck did AV software stop scanning the boot sector?

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
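    The integrity check smash is asking about (hashing sector 0 from a trusted boot medium, since a rooted OS can lie about what it reads) as an added Python example; this is not code from the original thread or from any AV product. The 512-byte MBR layout is the standard one; the sample MBR bytes, the baseline format and the `read_sector0` helper are constructed for the example.

    ```python
    """Offline MBR integrity check: parse sector 0 and compare it to a baseline
    recorded while the machine was known clean. Meant to run from a trusted
    boot medium (live CD/USB) against a block device or raw disk image."""
    import hashlib
    import struct
    from dataclasses import dataclass
    from typing import Dict, List

    SECTOR_SIZE = 512
    BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code the BIOS jumps to
    PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
    PART_ENTRY_LEN = 16
    BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


    @dataclass
    class PartitionEntry:
        bootable: bool
        type_code: int
        lba_start: int
        sector_count: int


    @dataclass
    class Mbr:
        boot_code: bytes
        partitions: List[PartitionEntry]
        boot_code_sha256: str


    def parse_mbr(sector: bytes) -> Mbr:
        """Split sector 0 into boot code, partition table and signature."""
        if len(sector) < SECTOR_SIZE:
            raise ValueError("sector 0 must be at least 512 bytes")
        if sector[510:512] != BOOT_SIGNATURE:
            raise ValueError("missing 0x55AA boot signature")
        boot_code = bytes(sector[:BOOT_CODE_LEN])
        partitions = []
        for i in range(4):
            off = PART_TABLE_OFF + i * PART_ENTRY_LEN
            # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4), little-endian
            status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
            if ptype != 0:  # type 0x00 marks an unused slot
                partitions.append(PartitionEntry(status == 0x80, ptype, lba, count))
        return Mbr(boot_code, partitions, hashlib.sha256(boot_code).hexdigest())


    def make_baseline(sector: bytes) -> Dict:
        """Record what a known-clean sector 0 looks like; keep this off the machine."""
        mbr = parse_mbr(sector)
        return {
            "boot_code_sha256": mbr.boot_code_sha256,
            "partitions": [(p.type_code, p.lba_start, p.sector_count) for p in mbr.partitions],
        }


    def check_mbr(sector: bytes, baseline: Dict) -> List[str]:
        """Compare sector 0 against the baseline; an empty list means no change."""
        mbr = parse_mbr(sector)
        findings = []
        if mbr.boot_code_sha256 != baseline["boot_code_sha256"]:
            findings.append("boot code hash differs from baseline (possible MBR rootkit)")
        current = [(p.type_code, p.lba_start, p.sector_count) for p in mbr.partitions]
        if current != baseline["partitions"]:
            findings.append("partition table differs from baseline")
        return findings


    def read_sector0(device_path: str) -> bytes:
        """Read sector 0 from a block device or raw image (constructed helper)."""
        with open(device_path, "rb") as f:
            return f.read(SECTOR_SIZE)


    # --- constructed sample data; not bytes from any real disk or malware ---
    def _build_mbr(boot_code: bytes) -> bytes:
        # one bootable NTFS (0x07) partition starting at LBA 2048, 409600 sectors long
        entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 409600)
        table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
        return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


    CLEAN_MBR = _build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")   # placeholder boot stub
    TAMPERED_MBR = _build_mbr(b"\xeb\x3e" + bytes(range(62)))      # boot code replaced, table intact


    if __name__ == "__main__":
        baseline = make_baseline(CLEAN_MBR)          # would be saved at install time
        print("clean disk:", check_mbr(CLEAN_MBR, baseline) or "OK")
        print("tampered disk:", check_mbr(TAMPERED_MBR, baseline))
    ```

    On a real machine the baseline is taken right after a clean install and the comparison is run from the live medium, never from the installed OS.
    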
    1. Re:wait.... what? by Anonymous Coward · · Score: 0

      When you're rooted with software that loads before the OS, no AV software can help you. At best, it can detect it (if the MBR malware doesn't instruct the bare machine that the area should be replaced by anything the malware wants to make the OS believe it is...) but rarely disinfect it.

    2. Re:wait.... what? by smash · · Score: 1

      No, but the article made it sound like AV software wasn't paying attention to changes to the MBR *before* the infection takes place.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    3. Re:wait.... what? by KiloByte · · Score: 1

      Because the rootkit can lie to the OS that what they read is something nice, not what actually resides in sector 0. Or any other sector or file for that matter.

      Seriously, AV software might at most prevent an infection by known agents if it hogs the CPU and checks every single executable that starts up, but is fundamentally worthless when run on an already infected system. I'm quite surprised malware has regressed so far that this is news these days; in the days of yore pretty much every virus not written by a 13-year-old tried to hide its presence. But fear not, once reminded of this technique, other malware makers will follow and add this.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:wait.... what? by Lennie · · Score: 1

      It probably roots the system (and thus on restart the virusscanner does not know what the rootkit does) before it does the MBR changes.

      --
      New things are always on the horizon
    5. Re:wait.... what? by Anonymous Coward · · Score: 0

      If your box is rooted, reads and writes can be intercepted.

    6. Re:wait.... what? by LordLimecat · · Score: 1

      If the exploit code has gotten past your AV, and managed to get itself rights to infect the MBR, and that doesn't trip the AV, then you're hosed. Once the computer reboots, the AV wouldn't be able to detect the change very easily anyways.

  14. Item Misquotes MS - Reinstall not required by NZKiwi · · Score: 5, Informative

    Hmm, the MS Blog doesn't say you need to do an OS reinstall; only replace the MBR with a clean one; then do a system restore to a point in time PRIOR to the infection - entirely different to a reinstall

    1. Re:Item Misquotes MS - Reinstall not required by JoelKatz · · Score: 1

      I agree. That's the only sensible interpretation of what MS is saying. If you're going to do a complete system restore, why go to the trouble of fixing the MBR first?

    2. Re:Item Misquotes MS - Reinstall not required by Anonymous Coward · · Score: 0

      Because the MBR doesn't get completely overwritten during an install/re-install. So if you just re-install and DON'T replace the MBR, there are still hidden files that will replicate and infect the new installation of Windows that you've just put on your system. And vice versa. Really, having cleaned multiple systems from DEEP infections of RootKits, I've come to implementing a policy of just backing up the files on the machine, writing zeros to the drive, and re-installing. With how fast Windows 7 installs, along with using ninite.com to install every other program I need: a fresh install takes so much less time than deep/entire system scans/cleaning AND gives me the benefit of complete peace of mind. The LONGEST part during a rebuild is always installing updates, so if they sped that part up I would never hesitate about a rebuild again.

    3. Re:Item Misquotes MS - Reinstall not required by Anonymous Coward · · Score: 0

      One may not know exactly when the infection occurred, so how could one reliably restore back to before it happened safely? It could be an infection that kicks up activity after a period of time.

    4. Re:Item Misquotes MS - Reinstall not required by Anonymous Coward · · Score: 0

      > I agree. That's the only sensible interpretation of what MS is saying ..

      How do you use the recovery CD to restore to a previous good copy of the OS and user Data?

      "If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state"

    5. Re:Item Misquotes MS - Reinstall not required by JoelKatz · · Score: 1

      You don't. The mention of a recovery CD is erroneous. The only way to fix the MBR and then restore your system to a previous state is with system restore, not a recovery CD. The thrust of the sentence is that there's a two-step recovery process, first fixing the MBR and then reverting the system to a pre-infected state. The method of doing this is poorly described, but the intention is to tell you what to do, not how to do it.

  15. Re:Free recovery CD/DVDs for most systems by Anonymous Coward · · Score: 0

    Free offer of recovery CDs for Windows users: http://www.ubuntu.com/download/ubuntu/download

    So they get to choose between a system that is unusable from malware or a system that is unusable because it won't run their Windows applications?

  16. Bad headline, bad article by juventasone · · Score: 5, Informative

    The Microsoft engineer is quoted as saying, "restore your system to a pre-infected state". The article then says, "a recovery disc returns Windows to its factory settings". This is entirely false. The engineer is not saying to do a factory restore. For the layman using 7: use F8 or a 7 disc and choose "repair your computer", run the command prompt, run fixmbr, run system recovery and go back a day.

    1. Re:Bad headline, bad article by juventasone · · Score: 1

      The "F8" method might not be available because of the broken MBR, so you would have to use a disc. Also, "system recovery" should read "system restore". Going back a day doesn't lose files, it just reverts to previous versions of system files and the registry.

    2. Re:Bad headline, bad article by amicusNYCL · · Score: 1

      I suspected as much when the phrase "a pre-infected state" was used, but it still raises an interesting point that there's not a reliable disinfection procedure. I've worked on some pretty horrendous machines for "friends" (friendly when they need computer help) where I've often wanted to just reinstall and be done with it. I've always managed to track down a disinfection procedure online for the specific things the machines were infected with (often with help from people like the folks at the dlsreports.com security fora). I can't say that I remember being faced with an infection where the only solution is to nuke it, so that's new.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:Bad headline, bad article by SkyDragon · · Score: 1

      I'm not sure that I would be confident that root kit X would not have the smarts to infect any type of online system backup. The point being made by many is that the only reliable way to get a compromised system back to a guaranteed clean state is to reinstall from read-only install media that comes from a known clean source. The problem then is to ensure that your data is clean before you restore it. Trusting that any tool will completely clean a system of infection without starting from scratch is overestimating the effectiveness of said tool, and underestimating the inventiveness of the malware author.

    4. Re:Bad headline, bad article by sumdumass · · Score: 1

      This is all incidental to the problem of the boot sector code. It changes write functions to read functions so the disk will return a response and Windows will believe everything worked. It does this because it infects the boot sector, which loads code into memory before Windows even thinks about loading anything into memory. It then hides and stops itself from being removed while hiding and running other code from Windows.

      Using system restore will not address this in the least. You will still be infected; you will only think you are not because you did some things to make yourself feel better. The system recovery was used specifically because it overwrites the boot sector before the boot sector code can be loaded into memory.

      Think of this virus as two or three viruses in one. First, it's a trojan that allows others remote access. Next, it's a root kit which allows that to happen completely hidden from Windows or AV or anything on the computer. Finally, it's a boot sector virus which loads the crap needed to hide it before Windows loads, so it's always hidden from Windows. I doubt system restore would even touch the infected files at all because the infection is completely hidden from Windows.

    5. Re:Bad headline, bad article by Anonymous Coward · · Score: 0

      Sure, you can disinfect the specific problem, but is it worth it? Nowadays, if I encounter an infected computer, it's rarely a single infection, but rather a teeming, writhing mass of them. This isn't your grandpa's Great Worm anymore.

    6. Re:Bad headline, bad article by Noughmad · · Score: 1

      Engineer or scientist misrepresented or misquoted in the media. News at 11.

      --
      PlusFive Slashdot reader for Android. Can post comments.
    7. Re:Bad headline, bad article by AmiMoJo · · Score: 1

      It also seems like if you can fix it with a system restore then you can fix it by booting another OS and restoring infected files manually. That is pretty much standard practice for virus removal in repair shops - remove the HDD, attach to uninfected PC, run scans and then if required use the automatic repair options in Windows Vista/7 to replace any system files that got deleted.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Bad headline, bad article by Billly+Gates · · Score: 1

      The problem with system restore is that it is a great way to hide malware. Since the metadata or shadow volume is copied sporadically, it means it will never be scanned by an anti-virus scanner. Worse, it means after the infection is cleaned it can reinstall itself later when you use the system restore. A recovery is the only tried and true method, unfortunately.

      The only good news is that starting with Windows XP most data files are stored in my pics, my documents, etc so they are easy to backup and put back on.

    9. Re:Bad headline, bad article by Billly+Gates · · Score: 1

      "I can't say that I remember being faced with an infection where the only solution is to nuke it, so that's new."

      I have.

      The problem is even after the infection, the system can be so damaged that it can take over 5 minutes just to boot. The user would love to be able to just turn on the computer and have it work fast like it did when it was fresh out of the box. My ex-gf had a laptop infected and nothing could be found with any anti-virus product. Malwarebytes could not even load properly.

      I just hit F9 and did a full system recovery. It was easier to get it done and over with, as even if I did remove some infections the system was too damaged to be usable afterwards.

    10. Re:Bad headline, bad article by drinkypoo · · Score: 1

      Then that engineer is a dipshit half the time, because nothing you can do from your machine itself is an effective remedy for a rootkit. Putting in the disc and running recovery MIGHT be effective. By the time you have booted your machine from its own infected disk you have already failed.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    11. Re:Bad headline, bad article by BradleyUffner · · Score: 1

      Then that engineer is a dipshit half the time, because nothing you can do from your machine itself is an effective remedy for a rootkit.

      You never heard of changing the boot order and starting from a clean CD? There are several ways to get back to a clean system from "the machine itself". I can think of 3 right off the top of my head.

      1. Boot to CD
      2. Swap hard drives
      3. Boot to a different partition

      Ohh, got some more.
      4. Reinstall from CD
      5. Restore a backup.

    12. Re:Bad headline, bad article by drinkypoo · · Score: 1

      I used pretty poor grammar but my point was that you can't boot the machine from itself to fix itself, PERIOD. You CANNOT trust that booting from another partition will fix the problem, either, especially if you have booted from it since you were infected. And by the way, do you know when you were infected? You can't boot the machine from its own disk and then restore a backup, either. You can't trust the machine. I think I made that clear.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  17. Dunno about anyone else... by TheRedDuke · · Score: 1

    But if I knew one of my systems is victim to a rootkit, I'd reinstall the OS without thinking twice - otherwise I'd be looking over my shoulder at every executable on that system until the end of time.

  18. Almost right by Anonymous Coward · · Score: 0

    He was correct up to the point he said use a "recovery disk".
    I recommend installation of a more secure OS. Default install of virtually any *nix OS will do.

  19. Different? by Anonymous Coward · · Score: 0

    This is different to most other root kits? I would still trash a machine if I found a root kit somewhere. You do not know what has been done or if it is really gone.

  20. Re:Norton Ghost by Anonymous Coward · · Score: 0

    I had to read that last part twice. My eyesight gets bad the older I get.

  21. How nice of them by Groo+Wanderer · · Score: 0

    Hmmm, the company that has fought tooth and nail to remove all user access to recovery CDs because they might pirate or something now wants us to use them? Bwahahaha. Glad I gave up on Windows a long time ago. Life is better now, not to mention cheaper, faster, less annoying, and less worrisome.

    1. Re:How nice of them by EvanED · · Score: 1

      Say what? Not that I entirely don't believe you, but I don't think I've really heard any noise out of MS on that matter. I put the blame on PC manufacturers who don't want to pay for physical discs.

    2. Re:How nice of them by Anonymous Coward · · Score: 0

      Say what? Not that I entirely don't believe you, but I don't think I've really heard any noise out of MS on that matter. I put the blame on PC manufacturers who don't want to pay for physical discs.

      Microsoft are equally guilty on this - they won't take a consumer's advice that a retailer won't supply read-only recovery media (CD/DVD), instead, advise the consumer to get the retailer to call them about it. Like that'll ever happen: "Hi Microsoft? Acer Computer here - Just thought we'd have a chat with you about our non-compliance with the licensing agreement we share?"

      Yup, a recovery partition is beyond a joke - nothing to stop malware from shitting all over that one when it does all the other crap it does...

    3. Re:How nice of them by EvanED · · Score: 1

      What do you expect MS to do about it? Pay out of their pockets (not to mention the whole "taking your word for it" thing) to get you a recovery CD?

    4. Re:How nice of them by Anonymous Coward · · Score: 0

      Hmmm, the company that has fought tooth and nail to remove all user access to recovery CDs...

      Citation needed.

    5. Re:How nice of them by jjohn_h · · Score: 1

      >>>
      Glad I gave up on Windows a long time ago. Life is better now, not to mention cheaper, faster, less annoying, and less worrisome.
      >>>

      On my hardware Windows applications are quicker starting and reacting than corresponding ubuntu apps.

      This is even true for apps that exist for both platforms, like Firefox, Thunderbird, Opera. And sorry, they even feel better.

    6. Re:How nice of them by Pentium100 · · Score: 1

      Say "go to TPB, download a CD image for your version of Windows and burn it to a CD".

    7. Re:How nice of them by Billly+Gates · · Score: 1

      Well most Mom and Pops just throw out their perfectly working computers and get new ones. Now the OEMs can make even more MONEY!!

      I think the throw away mentality is part of the reasoning and not to save $3 per unit. Appliance makers love people repurchasing their cheap crap every few years.

    8. Re:How nice of them by Groo+Wanderer · · Score: 1

      I would love to give you a counter statement, but I can't seem to get this Ubuntu box to run malware, so I guess the majority of apps DO run better on Windows.

    9. Re:How nice of them by the_B0fh · · Score: 1

      That's because you haven't been around long enough. This was something Microsoft "encouraged" due to, one of the reasons - piracy.

      And when I say piracy, I mean a home user installing it on another amd/intel box without paying for a second license.

  22. More work for me. by Anonymous Coward · · Score: 0

    I don't even use Windows, but I shudder to think about all the family computers I'll have to fix due to this shit.

  23. Why doesn't Windows Root-Kit itself? by NotQuiteReal · · Score: 0

    All modern operating systems do it, right? I heard IOS locks itself in pretty good. For crying out loud - once you click "accept" to that first question, doesn't that imply you agree forever? C'mon bitch, where's your automatic update now?

    --
    This issue is a bit more complicated than you think.
    1. Re:Why doesn't Windows Root-Kit itself? by hitmark · · Score: 1

      turtles all the way down...

      Btw, this may be the oldest trick in the book. Boot viruses are as old as the x86 IBM compatible.

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    2. Re:Why doesn't Windows Root-Kit itself? by Kalriath · · Score: 1

      IOS? Yeah, that thing's pretty locked down. Even needs a maintenance agreement to run effectively. And, my god - that command line is arcane!

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  24. Uh, RTFA? by toygeek · · Score: 4, Informative

    Requires a system *restore* not *recovery* and fixmbr. SHOCKING. I do this multiple times a week in my role as a computer fix-it guy. Grandma can't afford to spend the cash to have her system reloaded just because some virus got in there. I've cleaned out some pretty nasty rootkits and virii that only took me a few minutes with a Linux boot CD and then fixmbr. It doesn't take long if you've done it a million times.

    1. Re:Uh, RTFA? by Anonymous Coward · · Score: 0

      Hey man, you have experience cleaning up this stuff. Most people do not. Please don't crap all over them just because they don't have a fucking clue. Sheesh...

    2. Re:Uh, RTFA? by md65536 · · Score: 0

      I've cleaned out some pretty nasty rootkits and virii that only took me a few minutes with a Linux boot CD and then fixmbr. It doesn't take long if you've done it a million times.

      Installing windows or logging into a new account should automatically install some viruses (like it used to be, when installing windows) to force you to learn how to do this and get you used to fixing the system a million times.

    3. Re:Uh, RTFA? by Anonymous Coward · · Score: 0

      Installing windows or logging into a new account should automatically install some viruses.

      I thought that happened when I connect a clean windows install to the internet!

    4. Re:Uh, RTFA? by Anonymous Coward · · Score: 0

      If you have done it a million times. Almost like an expert?!

    5. Re:Uh, RTFA? by sumdumass · · Score: 1

      lol.. let's not pretend he's got something going right either. He fixes Grandma's computer multiple times a week. There has to be a reason why Grandma keeps screwing her computer up so often, and I don't think it's him using it as an excuse to come over for cookies and milk 3 times a week.

      I have 15 accounts with 20-50 users in each and I barely have any issues outside of checking logs, fixing hardware issues and making sure no one decided they didn't need to run the nightly backups because we never need them. But here is a hint: a FIXMBR will not do what he thinks it is doing, because Windows will load the boot code from the disk in order to gain NTFS access on the install before you can even log into the install to run the command. And that's booting with a Windows CD; you're double screwed if you are doing it from an installed command console.

    6. Re:Uh, RTFA? by toygeek · · Score: 1

      Congrats, you work in a relatively clean environment. But the Average End User who opens up every email they see isn't one of those. And yes, senior citizens are unfortunately a large market for guys like me because they will believe anything they read. "Oh, I've got a virus? Click HERE? OK!" and then they call me because their ram needs defragging.

      And despite your doubts, it can be fixed rather easily. Sometimes it takes more than one try, sure. My point was:

      A) TFA was written by someone who doesn't know their restore from their reload
      B) Rootkits don't require a reload (in most cases)
      C) Reloads aren't a blanket fix for cleaning viruses. People who do that aren't computer techs, they're reload techs.

    7. Re:Uh, RTFA? by Pentium100 · · Score: 1

      Depends on the virus. Some of them get in quite deeply and the computer might have more than one virus fighting for the system. In some cases it is faster and less painful to reinstall than to try to clean it up (and never be sure that you caught them all).

    8. Re:Uh, RTFA? by argStyopa · · Score: 1

      Anyone have a recommendation for a USB boot setup?

      I typically carry a USB (Tuff & Tiny) drive on my keychain, and am often greeted with the "Hi! While you're here, could you please look at my computer....?"

      It's a 4 gig, so I could easily spare some of it to have a full bootable recovery OS available with a suite of repair/recover tools. I'd love to have actually a dual boot linux/ntfs option, since most of the systems I encounter are Win systems, and as much as I prefer operating from linux, I haven't always been impressed by linux' ability to 'reach into' an ntfs partition to really root out problems.

      The kicker is that I also use the USB as a file transfer tool too. All the USB boot sets I've seen are meant to be the whole USB....I'd still like to have spare space available to shuffle files as needed.

      Any suggestions would be great.

      --
      -Styopa
    9. Re:Uh, RTFA? by Anonymous Coward · · Score: 0

      Assuming you have an AV that you can trust to detect this new rootkit, do the following. Pull and mount the SATA drive to an external USB kit. Attach drive to a trusted/protected computer of your choosing. Proceed to scan and remove the infection.

      The idea being that you will already have an AV running in the background to scan the MBR of any new drive attached to it. Much like any thumb drive or portable USB drive.

    10. Re:Uh, RTFA? by SilverEyes · · Score: 1

      There is a Windows tool made by... HP? that allows you to create a bootable USB drive (hp usb format tool), you could use this to boot into Hi-Ren's Boot CD (actually Hi-Ren's may have instructions on creating bootable drives themselves, apparently yes; http://www.hiren.info/pages/bootcd-on-usb-disk). Many image explorer programs also support creating boot sectors for USB drives. Most recent Linux distros support creating bootable USB drives. Again, I would recommend something like HiRen for fixing Windows machines.

      --
      Interesting.
    11. Re:Uh, RTFA? by the_B0fh · · Score: 1

      http://slashdot.org/story/06/06/06/1256221/Ballmer-Beaten-by-Spyware

      You really think rootkits do not require a reload? You are not paranoid enough, young padawan

    12. Re:Uh, RTFA? by sumdumass · · Score: 1

      While I do not disagree with this completely, I will caution on both counts: you must know that your AV is going to catch it, else all you will do is infect the other machine, and removing viruses from Windows like this is difficult and can often leave you with an unusable Windows install, in which case you need to resort to the system reinstall CDs anyway.

      The problem is the in-depth dependency on the registry during the boot process. You can remove or heal infected files, but if a simple call to run a file or set of files as a service loaded in the registry isn't completed, it can cause the system to crash and remain unbootable. Your live system on the other machine will only worry about the working registry (the live registry it is running on), and no AV program that I know of which opens inside of Windows will load the registry and check it from another drive or system that isn't the registry currently in memory.

    13. Re:Uh, RTFA? by hcmtnbiker · · Score: 1

      How do you verify system files? TDSS/Aleron or Popureb all infect random "*.SYS" files located in "%systemroot%\system32", and there are NO tools released for Linux to do actual disinfection. I'm sure you could copy drivers from a known good configuration, but how is this that much easier than a reimage?

      --
      If i had one dollar for every brain you dont have, i would have $1.
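    The question of how to verify system files from an offline boot comes down to having a known-good manifest to compare against. The following is an added example, not code from the thread or from any of the tools named in it: it hashes every file under a mounted volume, and diffs a later scan against the baseline to report files that were modified, removed, or newly added. The directory layout (system32/drivers with a few .sys files) and the file contents are constructed for the demo; on a real machine you would build the baseline from a clean install and run the comparison against the suspect volume mounted read-only from a live CD.

    ```python
    import hashlib
    import os
    import shutil
    import tempfile
    from pathlib import Path


    def sha256_file(path, chunk=1 << 20):
        """Hash a file in chunks so large driver or kernel images do not load into RAM at once."""
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                digest.update(block)
        return digest.hexdigest()


    def build_manifest(root):
        """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
        root = Path(root)
        return {
            str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file()
        }


    def compare_manifest(baseline, current):
        """Return which paths changed, vanished, or appeared relative to the baseline."""
        return {
            "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
            "missing": sorted(k for k in baseline if k not in current),
            "added": sorted(k for k in current if k not in baseline),
        }


    def demo():
        """Constructed scenario: baseline a fake system32 tree, simulate tampering, compare."""
        root = tempfile.mkdtemp()
        try:
            drivers = Path(root, "system32", "drivers")
            drivers.mkdir(parents=True)
            # Constructed file contents; these are not real driver or kernel images.
            (drivers / "atapi.sys").write_bytes(b"constructed driver contents A")
            (drivers / "disk.sys").write_bytes(b"constructed driver contents B")
            (Path(root, "system32") / "ntoskrnl.exe").write_bytes(b"constructed kernel image")
            baseline = build_manifest(root)

            # Simulated tampering: one driver patched, one deleted, one unknown file dropped in.
            (drivers / "atapi.sys").write_bytes(b"constructed driver contents A, patched")
            (drivers / "disk.sys").unlink()
            (drivers / "unknown.sys").write_bytes(b"constructed unexpected file")
            return compare_manifest(baseline, build_manifest(root))
        finally:
            shutil.rmtree(root)


    if __name__ == "__main__":
        for category, paths in demo().items():
            print(f"{category}: {paths}")
    ```

    The comparison only tells you which files differ from the baseline; it says nothing about whether a difference is benign (a legitimate update) or not, so the baseline has to be rebuilt after every trusted patch cycle, and anything in the "added" list still needs to be looked at rather than deleted on sight.
    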
    14. Re:Uh, RTFA? by toygeek · · Score: 1

      After the primary infection is gone, the system gets a full scan with malwarebytes' anti-malware (malwarebytes.org). That usually gets the rest.

    15. Re:Uh, RTFA? by randyleepublic · · Score: 0

      Neither is knowing the correct use of the apostrophe...

      --
      Social Credit would solve everything...
  25. FUD by Anonymous Coward · · Score: 1

    Viruses that infected the MBR and hid themselves by intercepting int13h have been around since at least the early 90's, if not earlier. A boot disk was an easy fix, and AV programs could always bypass BIOS and access the drive directly to find out what was really there.

    The original blog posting says nothing about reinstalling windows. The fixmbr tool in the Recovery Console doesn't affect the operating system, and is the same old fix as it's always been. The CW article is a mix of FUD and ignorance.
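    As the comment above says, an MBR infection is only invisible when you ask the infected system about itself; read the first sector directly from clean media and there is nothing to hide behind. The following is an added example, not code from the thread or from Microsoft: it parses a 512-byte MBR, checks the 0x55AA boot signature and the partition table, and compares the boot-code region against a known-good hash taken when the machine was clean. The two sample sectors are constructed in the block (the "boot code" bytes are filler, not a real loader), and the hash function and field names are this example's own.

    ```python
    import hashlib
    import struct

    MBR_SIZE = 512
    BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot loader code
    PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the code
    PARTITION_ENTRY_SIZE = 16
    BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


    def parse_mbr(sector):
        """Decode a raw 512-byte MBR into signature status, boot-code hash and partition entries."""
        if len(sector) != MBR_SIZE:
            raise ValueError("MBR must be exactly 512 bytes")
        partitions = []
        for index in range(4):
            offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
            status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
                "<B3sB3sII", sector[offset:offset + PARTITION_ENTRY_SIZE]
            )
            if ptype == 0:
                continue  # empty slot
            partitions.append({
                "index": index,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
        return {
            "signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions,
        }


    def check_mbr(sector, baseline_boot_code_sha256):
        """Return a list of findings; an empty list means the sector matches the clean baseline."""
        info = parse_mbr(sector)
        findings = []
        if not info["signature_ok"]:
            findings.append("missing 0x55AA boot signature")
        if info["boot_code_sha256"] != baseline_boot_code_sha256:
            findings.append("boot code differs from known-good baseline")
        active = [p for p in info["partitions"] if p["bootable"]]
        if len(active) != 1:
            findings.append(f"expected exactly one active partition, found {len(active)}")
        return findings


    def make_sample_mbr(boot_code):
        """Constructed MBR: filler boot code, one active NTFS-type (0x07) partition at LBA 2048."""
        code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
        entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
        empty = b"\x00" * PARTITION_ENTRY_SIZE
        return code + entry + empty * 3 + BOOT_SIGNATURE


    # Constructed samples: the bytes below are placeholders, not real loader code.
    CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
    TAMPERED_MBR = make_sample_mbr(b"\xeb\x10\x90\x90")
    BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

    if __name__ == "__main__":
        print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_HASH))
        print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
    ```

    On a live system you would feed `check_mbr` the first 512 bytes read from the block device while booted from clean media, and keep the baseline hash somewhere the suspect disk cannot reach. The check is deliberately conservative: a boot-code hash mismatch after a legitimate boot-loader update is a false positive, which is the same reason the baseline has to be refreshed whenever the loader is changed on purpose.
    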

  26. Hmmm... by Anonymous Coward · · Score: 0

    Somebody needs to get tough and track a few of these malware authors down and start breaking their knees, sticking hot soldering irons in their eyes, cutting their hands off, etc...

    Wouldn't be long until people would be too scared to even dream about writing malware.

    1. Re:Hmmm... by the_B0fh · · Score: 1

      You do realize that some of it is commissioned by the govt, right? Like the recent worm/virus that attacked Iran?

  27. Knoppix by ltwally · · Score: 1

    Simply boot from another OS. Knoppix is an excellent choice: it can read/write NTFS partitions, and provides you with a nice GUI to move/rename/delete files.

    This is my method of choice for removing Windows viruses.

    The final step for this virus would be to afterwards use the `fixmbr` tool.

    Piece of cake. No reformatting necessary.

    --
    /dev/random
    1. Re:Knoppix by juventasone · · Score: 1

      What? So you can't use rstrui (system restore) or fixmbr with Knoppix, but you figure this is the best way to do both of these things?

    2. Re:Knoppix by smash · · Score: 1

      If you have an MS volume license, the Win7 DaRT is pretty decent, too.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    3. Re:Knoppix by Anonymous Coward · · Score: 0

      Knoppix doesn't actually work any more. It jumped the shark when it started booting from the CD and then just abruptly stopping complaining it "couldn't find the CDROM drive". What, the one you just booted and are now currently running off? Get fucked.

      I use different LiveCDs these days, ones that don't force me to make the Captain Picard "facepalm" gesture.

    4. Re:Knoppix by pasv · · Score: 1

      That is lovely. You make it sound so simple. Just go in and delete the files and then fix the MBR, it's no sweat.. Actually I couldn't disagree more. This assumes you know where the virus is and that it hasn't already corrupted existing windows executables (PE infection isn't hard). Antivirus signatures may catch a couple but it's more than likely that there will be more than one virus on the system that has been reported to be infected. The reason is the viruses get in from the same places and it happens repeatedly. Also even if the antivirus detects it to be one variant of a virus there could be 12 more strains that reside in 12 other places all waiting to restore their functionality upon removal. The shitty thing about money getting into the malware scene is that now a loss of a computer is less of a return on investment, redundancy is almost assumed.

      The only way to be sure is a full system restore. Backups are essential but I wouldn't back up any executable or dll files...

    5. Re:Knoppix by Anonymous Coward · · Score: 0

      M$ would rather tell its users to waste a day reinstalling everything and lose all the data than suggest the use of Linux :P

    6. Re:Knoppix by rdbu · · Score: 1

      I'm sorry that I have to contradict you here, but open-source stuff is generally unsafe, as any MS employee would be able to tell you.

      Actually, the best option to most problems with Windows is to buy the Premium Edition.

  28. Summary and TFA incorrect by Torodung · · Score: 1

    If you read the TFA's FBE (F-ing Blog Entry), you'll find that you just use a recovery console, run FIXMBR, and then run a system restore to a date before your system became infected.

    Hardly intractable. Not a reinstall. If it goes unnoticed for a very long time, you might not have a restore point early enough, but that goes for any malware.

  29. Yawn, says OSX. by Brannon · · Score: 0, Troll

    People still use Windows?

    1. Re:Yawn, says OSX. by dexomn · · Score: 5, Funny

      You must live in a VERY small basement.

    2. Re:Yawn, says OSX. by networkzombie · · Score: 1

      No, no one uses Windows. That's why you were modded up! Everyone hates any corporation that makes money without creating a bullet proof product. Here, I'll put it in a car analogy for you: Ford!

    3. Re:Yawn, says OSX. by Rik+Rohl · · Score: 2

      People still use Windows?

      Yeah, about 90% of the computer users in the world still do.

    4. Re:Yawn, says OSX. by Anonymous Coward · · Score: 0, Insightful

      Rootkit makers still use Windows? ;)

      The average OS X user is not only as dumb as the average Windows user (according to my experience even dumber, but I'm willing to say that my observation might be an exception), but on top of it all he also has the delusion that his OS would be invincible. (And as we have read here, Apple strongly supports this view in its shops and support.)
      In other words: If there ever *is* a problem, they are fucked. Big time.

    5. Re:Yawn, says OSX. by smash · · Score: 1

      Conversely, OS X is still very own-able.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    6. Re:Yawn, says OSX. by Hamsterdan · · Score: 1

      Sure, after all OSX is protected by Mac Defender...

      --
      I've got better things to do tonight than die.
  30. NO reinstall required by Anonymous Coward · · Score: 0

    RTFA.

    The TechNet blog never says you need to reinstall. It says you need to restore the MBR with the recovery console and restore the OS. This can be a system restore point recovered by using the recovery CD. The only reason you need a recovery CD is to avoid booting the system while it's still loading the infected disk driver.

  31. Did anyone spot the irony? by pecosdave · · Score: 0

    I mean, the fact they don't give recovery CDs anymore. Oh, I'm sure a couple of manufacturers do, maybe on a few models, but really they don't give out Windows recovery disks anymore.

    --
    The preceding post was not a Slashvertisement.
    1. Re:Did anyone spot the irony? by juventasone · · Score: 1

      Right. They prompt you to make one. If you consider yourself the type to want to fix your PC, you would have done this, or already have one.

    2. Re:Did anyone spot the irony? by Anonymous Coward · · Score: 0

      What? You can create a recovery disk in Windows 7 (and probably before). Christ, you can boot off the original media and go "recovery mode". No need for an OEM to supply one.

    3. Re:Did anyone spot the irony? by pecosdave · · Score: 1

      As a tech who no longer does PCs full time (I haven't in about six years) I don't have a boat load of restore media like I used to. What I get now is a bunch of individual users (friends, families, small jobs) with crashed HDDs and no restore CDs for me to fix their machines with. I've tried searching the less reputable sites for OEM ISOs so I can do legitimate restores, but I haven't had a lot of luck.

      My own personal machine that came with Windows 7, on the other hand, is good to go. I used Clonezilla to copy the HDD in its original state before I wiped it and put Kubuntu on it. If I ever feel the need to put Windows 7 on that particular machine, in case I decide to sell it/give it away or post lobotomy, I can.

      --
      The preceding post was not a Slashvertisement.
    4. Re:Did anyone spot the irony? by pecosdave · · Score: 1

      That's awesome if you're a reasonable tech. On the other hand most home users just ignore it and call their pal pecosdave when they need it fixed, and of course I don't do Windows and I don't have the old stack of Dell OEM disks of their OS like I used to in the XP days either.

      --
      The preceding post was not a Slashvertisement.
    5. Re:Did anyone spot the irony? by juventasone · · Score: 1

      Here you go. Use the product key attached to the machine.

    6. Re:Did anyone spot the irony? by pecosdave · · Score: 1

      Thank you, that will make life easier next time I get stuck with fixing one of those.

      --
      The preceding post was not a Slashvertisement.
    7. Re:Did anyone spot the irony? by Anonymous Coward · · Score: 0

      I've tried searching the less reputable sites for OEM ISO's so I can do legitimate restores, but I haven't had a lot of luck.

      http://thepiratebay.org/user/thethingy/

  32. ComboFix by ijakings · · Score: 1

    By far the best tool I've ever seen to deal with a rootkit infection is ComboFix. It uses a process I can only describe as black magic to eradicate it. Use at your own risk though.

  33. Feeding the Troll by scrib · · Score: 2

    So they get to choose between a system that is unusable from malware or a system that is unusable because it won't run their Windows applications?

    Oh, quit whining and start WINEing.

    --
    Help! Help! I'm being repressed!
  34. reinstall disc? by __aazsst3756 · · Score: 1

    Who has them? MS has pushed not shipping them for so many years. Too bad they don't do the right thing, and make install ISO's available with latest patches for XP / Vista / 7

    1. Re:reinstall disc? by juventasone · · Score: 1

      If you buy Windows (whether OEM or retail) you get a disc. If you buy a brand-name PC with Windows, you get prompted to make a disc.

  35. Re:Free recovery CD/DVDs for most systems by RobbieThe1st · · Score: 1

    Hey, it's got a web browser, and email, so it's already more productive than the malware infected machine.

  36. Re:Norton Ghost by toadlife · · Score: 1

    +1

    Ghost is great for Windows only.

    Add an ext4 partition and/or GRUB and it all goes to hell.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  37. Re:Norton Ghost by fuzzyfuzzyfungus · · Score: 3, Informative

    In what is probably not the world's best news for Symantec, even Microsoft has gotten around to developing a Windows imaging tool that (mostly) works. The "Windows Automated Installation Kit" is something of a baroque monstrosity; but it exists and is offered at no additional cost to Windows customers.

    It took 20 years and alarming complexity increases; but it's almost like being able to tar your OS install and then untar it onto a newly created filesystem!

  38. Wise grammar Nazi by Datamonstar · · Score: 1

    And you don't seem to know that punctuation goes inside quotations. Sentence capitalization notwithstanding.

    --
    The eternal struggle of good vs. evil begins within one's self.
    1. Re:Wise grammar Nazi by dakameleon · · Score: 1

      --
      Man who leaps off cliff jumps to conclusion.
    2. Re:Wise grammar Nazi by NotSanguine · · Score: 1

      And you don't seem to know that punctuation goes inside quotations. Sentence capitalization notwithstanding.

      Actually, that rule is for "double quotes," not 'single quotes', friend.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
  39. *nix is more secure!!!! by metalmaster · · Score: 1

    Anyone who believes this, much less preaches it, is an absolute moron. There are vulnerabilities in any working system. There always have been and there always will be. Consumer distributions of Linux might not have the same holes that Windows has, but that doesn't mean there are none. It may be harder to achieve process escalation, but that doesn't mean it's impossible. After all, a dumb user is still the weakest link in a security system.

    1. Re:*nix is more secure!!!! by techno-vampire · · Score: 1

      There are vulnerabilities in any working system.

      Of course there are. However, there are fewer of them in Linux than in Windows, and in general they're harder to exploit than Windows vulnerabilities are, which lets out all of the script kiddies. Not only that, the main motive today for people to write and distribute malware is profit, and there's more money to be made (and easier) exploiting unpatched and poorly-maintained Windows boxes than there is in Linux. Someday that may change, but for right now that's probably the biggest reason Linux isn't being targeted.

      --
      Good, inexpensive web hosting
    2. Re:*nix is more secure!!!! by Anonymous Coward · · Score: 0

      Linux is targeted too, and there aren't fewer vulnerabilities, and they aren't harder to exploit. I agree with the latest part, though.

    3. Re:*nix is more secure!!!! by Billly+Gates · · Score: 1

      I would mod you up if I didn't contribute to this thread!

      Unix is written in C just like Windows and therefore has the same buffer overflow problems. When people bitch about Windows they always quote Windows XP, IE 6, ActiveX, 10 year old exploits, etc.

      In fact, Windows 7 rescrambles all the RAM addresses constantly to prevent vector attacks etc. Linux boxen are targeted because they are servers that hold insecure MySQL databases with customer credit cards and other niceties that hackers look for.

      The biggest threat is not IE exploits but Adobe Flash. Linux users use it too and have the same problems. The difference is that antivirus software for Windows has active protection and monitoring. On Linux you have no clue if you were hit. Real professionals uninstall it or use Chrome, which always has updated Flash in it.

      The fact that people think it is more secure is dangerous.

    4. Re:*nix is more secure!!!! by Gort65 · · Score: 1

      Yes, morons do have a problem understanding the word "more", thinking it means "absolutely". It's good to see someone finally clear up the misunderstanding.

  40. So by Anonymous Coward · · Score: 0

    In other news, Geek Squad continues business as usual.

  41. Re:Which vector and why the lack of expediency? by Anonymous Coward · · Score: 0

    So what hole is this infection initially exploiting to be system resident? A genuine unknown security vulnerability in Windows and IE, or a secondary attack through 3rd party software or add-ins? Is a fully patched Windows system w/ either MAV or 3rd party AV like Sophos or Kaspersky, and users running with non-Admin privileges still at risk? I'm going to assume yes here!

    Yes, I read the MS blog, and only after checking the Popureb.B variant does it reference IE, and only slightly.

    This was detected on June 21. It's been a week. For something this serious, and with the vast resources that MS has at their disposal, why is the IT community still in the dark, and just how much of a priority does Microsoft put on this kind of end user breach?

    It's a trojan, loaded onto systems by users giving root access to suspect software. This is the most common attack vector in use today. What on earth made you go straight to it being a security vulnerability? There's no "breach". There's nothing serious and no-one in the dark (except you, perhaps). It's simply a trojan. Fully patched systems are not "vulnerable" to this attack vector. Stupid users are vulnerable to it.

    Best way to avoid it? Don't install pirated software, "free porn video codecs", or anything with a year in its domain name. And take your ritalin.

  42. You've ALMOST got it right toastar (close) by Anonymous Coward · · Score: 0

    That'll clear the bootsector (good job, I've been using RC's commands to 'knockout' rootkits for years too, per -> ). You need to use RC's:

    LISTSVC - shows all drivers names & states
    DISABLE - stops services AND drivers

    commands to finish it off, & this SHOULD do it!

    (That's because it uses a driver - issues listsvc & it will show all driver names. Then use DISABLE to stop said BAD MBR bootsector protecting driver from loading, period!)

    Proof thereof on WHY those 2 commands should work, hopefully, & that this thing uses a protective driver:

    ---

    http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx

    PERTINENT QUOTE/EXCERPT:

    "now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way — by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"

    ---

    (Doing a listsvc /? or disable /? shows their parameter switches for their command lines)

    * ... & there you are!

    APK

    P.S.=> I've been using Recovery Console's (RC) commands for ages, since early Windows 2000 days for PC Security, & I list using it like mad for removal of even rootkits here:

    http://www.proprofs.com/forums/index.php?showtopic=14264 & especially vs. rootkits as shown in that malware removal guide I wrote back in 2008 (first I wrote was 2001 for NeoWin & NTCompatible here http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text ).

    RC/Recovery Console's great - it works & especially vs. rootkits

    (& is pretty much as easy to use as DOS was. Very similar!)

    So, you're correct on RC's FIXMBR being able to "blowout" a bootsector virus, but this one's trickier because of the driver being resident protecting the "BAD MBR"!

    However - this SHOULD work to make SURE it's "blown out" & completely by not only cleaning the bootsector, but also disabling this bogus driver from loading too, if needed (sounds like it is needed - I only skimmed the articles, too late here for me to stay up reading more...)

    So, since I must call it an evening? Well... if you guys find out anything else, like it's been modified even more to stop those commands of LISTSVC/DISABLE from running? Let me know... thanks, I'll catch it in the a.m. with coffee!

    ... apk

    1. Re:You've ALMOST got it right toastar (close) by Anonymous Coward · · Score: 0

      HAHA disregard that, I suck cocks.

      ... apk

  43. Not new by Anonymous Coward · · Score: 0

    MS had the same advice in the wake of Nimda.

  44. Don't need Linux (RC can do it, & why (driver) by Anonymous Coward · · Score: 0

    And, it may be one that needs tools only found in RC, check it:

    http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272

    Due to this thing protecting the MBR using drivers... fixmbr will blow out the bootsector in Windows Recovery Console, but to be ABSOLUTELY sure, the ListSvc & Disable commands will show the drivers loading & you can take them out as well!

    APK

    P.S.=> I don't believe you can do this from a Linux bootup with NTFS5 read/write, in disabling Windows drivers - that is, unless you guys know diff. that is - thanks for telling me IF there is a way in Linux to do that (would need Windows Registry read/write access & tools to write it properly too though)... apk

  45. This technique SHOULD work 100% vs. this rootkit by Anonymous Coward · · Score: 0

    And, it may be one that needs tools only found in RC (recovery console in Windows install media), check it:

    http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272

    Due to this thing protecting the MBR using drivers... fixmbr will blow out the bootsector in Windows Recovery Console, but to be ABSOLUTELY sure, the ListSvc & Disable commands will show the drivers loading & you can take them out as well!

    APK

    P.S.=> I don't believe you can do this from a Linux bootup with NTFS5 read/write, in disabling Windows drivers - that is, unless you guys know diff. that is - thanks for telling me IF there is a way in Linux to do that (would need Windows Registry read/write access & tools to write it properly too though)

    ... apk

  46. Re:Norton Ghost by Lehk228 · · Score: 1

    Assuming ghost works properly, which is a big assumption

    --
    Snowden and Manning are heroes.
  47. You MAY also need RC LISTSVC & DISABLE by Anonymous Coward · · Score: 0

    It may need 1 more command from RC (recovery console in Windows install media), check it:

    http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272

    Due to this thing protecting the MBR using drivers!

    Yes, fixmbr will blow out the bootsector in Windows Recovery Console, but to be ABSOLUTELY sure, the ListSvc & Disable commands will show the driver this thing uses to protect the bogus bootsector, & stop it from loading IF it's still enabled, & you can take that rootkit's protective driver out as well this way, using those commands!

    This is basically a "blended threat" type rootkit, using both driver based rootkit tech (runs Ring 0/RPL 0) AND bootsector originated rootkit tech!

    * VERY Interesting, but those tools SHOULD 'make mincemeat outta it'...

    APK

    P.S.=> I don't believe you can do this from a Linux bootup with NTFS5 read/write, in disabling Windows drivers - that is, unless you guys know diff. that is - thanks for telling me IF there is a way in Linux to do that (would need Windows Registry read/write access & tools to write it properly too though)

    ... apk

  48. Fixmbr, Listsvc, Disable RC commands kill it by Anonymous Coward · · Score: 0

    Besides FIXMBR, it may need 1 more command from RC (recovery console in Windows install media) to "nuke it", check it:

    http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272

    Due to this thing protecting the MBR using drivers!

    Yes, fixmbr will blow out the bootsector in Windows Recovery Console!

    However: To be ABSOLUTELY sure it's 100% gone, the ListSvc & Disable commands will show the drivers loading & you can take them out as well this way, using those commands!

    * This IS the first "blended-threat" type rootkit I've ever seen but...

    (Still - This technique SHOULD do it, by blowing out the bogus mbr rootkit protective driver too, easily & pretty fairly quickly, though you MAY have to google for the driver name, I have not seen it YET in the articles & I'm beat, need to sleep here can't look...)

    Listsvc will show all drivers loading/loaded, and you can use DISABLE on the "oddball" that this thing uses (probably won't have the descriptive field loaded, which SHOULD make it easier to spot too!)

    APK

    P.S.=> I don't believe you can do this from a Linux bootup with NTFS5 read/write, in disabling Windows drivers - that is, unless you guys know diff. that is - thanks for telling me IF there is a way in Linux to do that (would need Windows Registry read/write access & tools to write it properly too though)

    ... apk

  49. Don't need to wipe/reinstall (RC & 2 commands) by Anonymous Coward · · Score: 0

    Needs 2 more commands from RC (recovery console in Windows install media) to kill it, & any Windows (even older than 7, circa 2000-7, are NTFS5 ready), check it:

    http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272

    Due to this thing protecting the MBR using drivers, listsvc may be necessary with fixmbr!

    Yes, fixmbr will blow out the bootsector in Windows Recovery Console, but to be ABSOLUTELY sure, the ListSvc & Disable commands will show the drivers loading & you can take them out as well this way, using those commands!

    ---

    * This one's interesting, in that it's a "blended-threat" rootkit, one that uses BOTH driver-based rootkit tech AND bootsector originated rootkit-tech too...

    APK

    P.S.=> I don't believe you can do this from a Linux bootup with NTFS5 read/write, in disabling Windows drivers - that is, unless you guys know diff. that is - thanks for telling me IF there is a way in Linux to do that (would need Windows Registry read/write access & tools to write it properly too though)

    ... apk

  50. Good eff'n lord. by BeerHat · · Score: 0

    I'll say it again.. good eff'n lord. Seriously. Wouldn't it be a great thing to put forth all the time, money, and energy wasted fixing these senseless problems into something more worthwhile? Those of us who know how to fix this without a complete OS reload is one thing, but the thought of all the time and productivity loss (globally) is simply disgusting. Not to mention all the grandparents or otherwise 'less-than-computer literate' out there who have to pay someone to come over and fix their box. This cat and mouse game with windows just rambles on.. feeding the lemmings who buy into this snakeoil... what people will put up with just so they don't have to learn something new. Sad. Windows just seems to lay down a welcome mat for these types of infections. Shame on you M$. What are people really paying for here? What is the net gain from using your operating system? Linux! Linux! Linux! is the medicine people! (okay, okay.. Macs can play too)

    1. Re:Good eff'n lord. by Anonymous Coward · · Score: 0

      This is the price of rejecting the mainframe by you microcomputer morons. The micro world should have gone with the IBM 370 instruction set and MVS or VM. But instead you have toy crap. Every time a microcomputer user gets infected, I laugh.

  51. Untrue, Windows RC can clear it by Anonymous Coward · · Score: 0

    Needs 2 more commands from RC (recovery console in Windows install media) to kill it, & any Windows (even older than 7, circa 2000-7, are NTFS5 ready), check it:

    http://tech.slashdot.org/comments.pl?sid=2275150&cid=36593272

    Due to this thing protecting the MBR using drivers, listsvc may be necessary with fixmbr!

    Yes, fixmbr will blow out the bootsector in Windows Recovery Console, but to be ABSOLUTELY sure, the ListSvc & Disable commands will show the drivers loading & you can take them out as well this way, using those commands!

    ---

    * This one's interesting, in that it's a "blended-threat" rootkit, one that uses BOTH driver-based rootkit tech AND bootsector originated rootkit-tech too...

    APK

    P.S.=> I don't believe you can do this from a Linux bootup with NTFS5 read/write, in disabling Windows drivers - that is, unless you guys know diff. that is - thanks for telling me IF there is a way in Linux to do that (would need Windows Registry read/write access & tools to write it properly too though)

    BY THE WAY? ROOTKITS ORIGINATED IN *NIX!

    ... apk

    1. Re:Untrue, Windows RC can clear it by Anonymous Coward · · Score: 0

      COMMANDS? come on, windows users don't type commands, that's for linux users!
      It's clearly not good enough if there isn't a point and click method... Windows fans are always saying Linux isn't good enough because "you have to use the command line!", so whats the deal here?

      Rootkits originated in unix, because unix was being connected to the internet in an insecure fashion long before windows.

    2. Re:Untrue, Windows RC can clear it by techno-vampire · · Score: 1

      I do know that Linux now has proper read/write drivers for NTFS partitions, and has had for at least two years. I also know that Wine comes with its own copy of RegEdit, but I don't know if that can be pointed to the regular Windows Registry or if it's just for editing its own registry. And, of course, booting from Linux disables the Windows drivers because Linux doesn't use them.

      --
      Good, inexpensive web hosting
  52. No data loss necessarily,with that type of restore by wherrera · · Score: 1

    This is the Windows 7 System restore option, which is as follows according to MS:
    see: System Restore

    ---
    Restores your computer's system files to an earlier point in time without affecting your files, such as email, documents, or photos.

    If you use System Restore from the System Recovery Options menu, you cannot undo the restore operation. However, you can run System Restore again and choose a different restore point, if one exists. For more information, see What is System Restore? and System Restore: frequently asked questions.

    ----

  53. Re:Norton Ghost by couchslug · · Score: 1

    "You work for Symantec?"

    It's been faster to download Ghost boot discs than install Ghost since the late 1990s.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  54. So how does one avoid it? by mark-t · · Score: 1

    I've seen junk get onto a computer with all the latest windows updates where the infected user never intentionally ran a single program they downloaded from the web. However the infection happened, it happened without prompting the user to run any install program..

    When I disinfected the computer, I could not for the life of me figure out how the infection was actually obtained... if the user had been an administrator, I suspect that the damage would have been more widespread than just that one account.

    1. Re:So how does one avoid it? by apparently · · Score: 1

      I've seen junk get onto a computer with all the latest windows updates where the infected user never intentionally ran a single program they downloaded from the web.

      Pro-tip: "all the latest windows updates" don't install updates for java, adobe reader, or adobe flash.

    2. Re:So how does one avoid it? by Billly+Gates · · Score: 1

      Two words Adobe Flash. All you need to do is open your browser. Vector attacks and buffer overflows get ahold that way. Second is Java. When I do a complete wipe and restore the first thing I do is uninstall flash 9. Use Chrome if possible make sure flash is disabled or has later version. Adobe pdf reader is very bad too. Foxit is a good replacement.

    3. Re:So how does one avoid it? by Control-Z · · Score: 1

      I think a lot of malware is getting in through ad banners. You can browse with Firefox and use FlashBlock and Adblock Plus for added safety. FlashBlock will keep Flash from executing unless you specifically allow it.

  55. Forgot a step by Anonymous Coward · · Score: 0

    They forgot to mention installing a new hard drive. From what I've read some of the latest trojans can even survive an OS re-install. I've got a Mac that dual boots and I had to abandon the Windows 7 part of the hard drive due to a nasty trojan that nothing was able to scrub out. Security on Windows has become a joke. It's completely impossible to avoid all trojans and viruses. I got nailed with a redirect one that largely bricked my internet. Oddly enough the Mac partition is fine. I've never once had this problem with Mac. I had decided to go pure Mac until the latest Apple fuck up gave me second thoughts. They basically dropped Final Cut Pro and tried to replace it with an iMovie Pro. No one is buying it and most pro users are jumping ship. This screw up is forcing me to switch to Media Composer but then I have to deal with all the Windows BS. I can't win. Essentially everyone is turning their backs on the pro users. We used to be one of the strongest and most devoted areas of the market especially for the Mac but no one wants to waste time on the pro market. It's a perfect time for Linux to step up. With Mac and PC dropping the ball things are wide open to steal the pro market.

  56. Why not the micro-kernel approach by Anonymous Coward · · Score: 0

    We all need a major re-think of how OS is installed on the computer, how it is architected, etc.

    Seems to me that a low-level kernel in FLASH, which can only be upgraded with a hardware key inserted (e.g., the kernel FLASH blocks can only be written when there is a physical device plugged into the system), which then supports a number of different OS images using virtual machine concept, is the way to go. If the image of any VM gets rooted, you just toss it and revert to last backup. The flash is immune to tricks, because you must insert a hardware key to upgrade it, so trojans could not over-write the FLASH-based kernel, the worst that can happen is that one of the OS images get corrupted, then you just revert to saved.

    Why not do this - in the flash, or the BIOS part of the system, have the micro-kernel, be it L4 or Minix, and in the hard drive, have the rest of the OS. Or better still, just as w/ RAM, you have L1 cache, L2 cache and L3 cache before having RAM, on the non-volatile side of things, have a NOR flash that contains the microkernel, have a NAND flash that contains the user level OS (like in Cisco's IOS routers) and above that, applications and everything go into an HDD or SSD. Oh, and both the NOR and NAND flashes will be non-writable, unless one flips a hardware switch on the system itself (like the wireless on/off switch on a laptop)

    Of course, this would require re-engineering the system. Since Windows 7 is already both 32-bit and 64-bit, here is a suggestion - re-architect the 64-bit version of the OS to be a microkernel architecture that supports this model: have a common microkernel for Windows 8, Windows Phone, and any other Windows they may do. Then do the main OS, including the APIs, device drivers and all as user space that goes into the NAND. This portion can be varied depending on the platform.

    As it is, Microsoft is now faced w/ having to develop for ARM, or remain locked w/ x86, where they have only Intel/AMD, while everyone else in the world is doing ARM. The microkernel approach would help here as well - that's all that would need to be ported, while the rest of the OS could get simply re-compiled to ride on the microkernel. Had Microsoft not dumped its MIPS and Alpha version of NT, they'd have had alternatives to the x86 today, since the 64-bit MIPS prodigy is architecturally capable of beating ARM on the latter's trump card - power consumption, while having top rate performance from the mid-90s.

  57. Re:This technique SHOULD work 100% vs. this rootki by NotSanguine · · Score: 2

    Why do you keep re-posting the same information you've posted at least three times on this thread? And then have the poor taste to put a link to your previous posting of the same information?

    What possible value could that add to this discussion?

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
  58. Restore == reinstall by dutchwhizzman · · Score: 1

    You don't keep the old system but put a new one on. Granted, it's not a bare install, but you wipe every bit of your drive and replace it with a known good config.

    --
    I was promised a flying car. Where is my flying car?
    1. Re:Restore == reinstall by tgd · · Score: 1

      No, system restore does NOT work that way. You revert back to a restore point, which is a snapshot of all the protected OS files, assuming you didn't do something stupid like turn off restore points.

      It's basically like Time Machine on OSX -- NTFS supports copy-on-write, so the deltas from the snapshots can be tossed. (I don't think it's widely known that NTFS can do that because there's no swooshy UI for doing it like on the Mac, but you can do it.)

  59. wouldn't one need admin privileges? by Anonymous Coward · · Score: 0

    Ain't Linux only safe assuming that 'root' hasn't been compromised? Or else, it would be as vulnerable?

    Speaking of which, in Windows 7 Pro, wouldn't such viruses only be allowed to penetrate if someone is working in Admin mode?

  60. TestDisk by Anonymous Coward · · Score: 0

    I don't remember the specifics, but a few years ago while following a tutorial on making a bootable thumb drive, I had been substituting the filesystem in the tutorial with my own.. Well along came the step which formatted the MBR and by accident I typed the wrong filesystem and wiped out my main drive's mbr (which held a windows partition, a linux partition and a data partition)..
    Needless to say I went on a hunt for something to restore my MBR.. after a bit of playing around with some really crappy DOS based utilities I found a cross platform, and amazing tool called TestDisk: http://www.cgsecurity.org/wiki/TestDisk
    In just a few minutes it had found my partitions and restored my MBR and my system was up and running as though nothing had ever happened..
    Also it looks like a completely free/open source tool that supports most filesystems.. Really a life saver..

    Anyways, I'd bet this would be able to restore an MBR of an affected system.. If not you could always use a boot cd and install grub..

    1. Re:TestDisk by Billly+Gates · · Score: 1

      Download the ultimate bootCD. It includes FreeDOS and TestDisk and many many other utilities. It was a life saver on my system

  61. Which is the best for the Windows OS? by Futurepower(R) · · Score: 1

    Which of those integrity checkers do you recommend for a shop that mostly uses the Windows OS? An extensive comparison says Samhain is the best.

    The FAQ says Samhain works under Windows XP with Cygwin.

    In Windows 7 there is a hidden, non-standard partition. I'm guessing that Samhain would not be able to check that partition. Does the design of Windows 7 prevent thorough integrity checking? Microsoft makes more money if Windows is vulnerable to malware. See the New York Times article Corrupted PC's Find New Home in the Dumpster.

    1. Re:Which is the best for the Windows OS? by fuzzyfuzzyfungus · · Score: 1

      I'm not sure, I've only really dealt with them in the linux context. I know that the commercial arm of the Tripwire name has gotten all "enterprise compliance solution" of late, which involves a price tag and some serious buzzwords; but also support for Windows and some of the more enterprise-exclusive unixes.

    2. Re:Which is the best for the Windows OS? by pnutjam · · Score: 1

      non-standard?
      it appears to be the standard for win7...

  62. Good. by Futurepower(R) · · Score: 1

    I'm interested.

  63. At least in Linux... by amn108 · · Score: 1

    If it was Linux, at least you could automate such "reinstall", but with Windows, and I am saying this as a person who had to do this at least 10 times during the days I was using Windows, the software comes with their own binary installers, which are all dancing to their own tune and as a result nothing really can be automated, you have to babysit human-assisted installations. This is Photoshop, Creative Suite, most games - well, actually, pretty much EVERYTHING. Of course you can take snapshots and do change recordings and "replay" them, but the thing is that many applications break anyway when "reinstalled" that way - because more often than not, at least for the bigger vendors who can afford to spend time on such schemes, the installer generates keys for the registry which work one time only, bind to hardware configurations, time, phase of the moon and what not. In other words, replaying an installation later on results in dead software because even though it worked on your last Windows, it no longer does on your fresh setup. Most of these bummers have to do with flavors of DRM, of course.

    Linux has a whole lot of its drawbacks too, but they did something right - distribution and installation of software is managed by a single known entity, that is also very automatable. In Windows, every installer is their own universe - a process that answers and bows to no one.

  64. looking for mbr changes by aeiah · · Score: 1

    how about diffing the mbr with a known good copy, or checksumming on boot? is there any reason why this isnt done as standard for rootkit protection? (genuine question. inb4 "the virus could modify the copy/checksum")

  65. Run as non admin by Hal_Porter · · Score: 1

    I run as non admin. Overwriting the MBR requires a handle to "\\.\PhysicalDriveX". That requires Admin rights, so malware trying to do this would fail on my machine.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    1. Re:Run as non admin by Billly+Gates · · Score: 0

      "Overwriting the MBR requires a handle to "\\.\PhysicalDriveX". That requires Admin rights [microsoft.com], so malware trying to do this would fail on my machine."

      Not necessarily, that security is only enforced by the kernel if an app requests to access something thru it via an API. A buffer overflow or vector go around the kernel and write it directly using assembly and not using the win32 API.

      Flash malware is the worst and can do this just by an ad popping up at a website. It will use a vector attack with an image to launch assembly code and install itself without the kernel even knowing what is going on. If you have WindowsXP the problem is worse as the CPU has no way to tell the difference between data and executable bytes. Flash uses images but Windows considers it an executable and will simply let it run full access.

    2. Re:Run as non admin by Hal_Porter · · Score: 1

      > Not necessarily, that security is only enforced by the kernel if an app requests to access something thru it via an API. A buffer overflow or vector go around the kernel and write it directly using assembly and not using the win32 API.

      User mode code can't access hardware registers because they're mapped kernel mode only. So code would need to get into kernel mode which requires an unpatched exploit. Also there are a lot of different types of disk controller out there now - they're not all IDE anymore. So malware that did direct hardware access would need to build in drivers for at least the most popular controller - AHCI. It would be hard to do this by direct hardware access without bricking the system because the Windows driver is accessing the device at the same time. No malware I know of can access disk hardware directly.

      > If you have WindowsXP the problem is worse as the CPU has no way to tell the difference between data and executable bytes.

      Post SP3 and on pretty much any modern CPU you have DEP which means that the CPU will catch attempts to execute data pages and the OS will abort the process.

      > Flash uses images but Windows considers it an executable and will simply let it run full access.

      I'm not really sure what you're trying to say here. Flash is an exe file. But the code is run in user mode and if you don't run as admin neither does any process on your machine. So even if you can do a buffer overflow exploit in flash and get arbitrary code execution you still need to do another exploit to get admin rights or into kernel mode before you can do any real damage. Non admin user mode code is very limited in terms of what it can do.

      Running as non admin is not perfect but it does add one more hurdle exploits have to clear. The other thing you can do is to run Secunia PSI to keep flash patched and run Microsoft Security Essentials to scan for malicious code. Also I run AdBlock on Opera since some ad server sites have accidentally distributed malware in the past. And I don't pirate software. I like Opera but it has a rather low market share - if I were writing malware I'd aim at IE and/or Firefox and ignore the less popular browsers.

      I've never had a virus on Windows. Though I suspect if someone skilled really tried hard - e.g. the people that wrote the Aurora malware - they could probably infect machines like mine. But you're talking about governments then - not the sort of people who run botnets made up mostly of low hanging fruit machines. Which are a lot more common than set ups like mine.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
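Picking up aeiah's question a few posts up about diffing the MBR against a known-good copy, and Hal_Porter's point in this subthread that writing the MBR needs a handle to \\.\PhysicalDriveX, here is an added example written for this page (it is not code from any poster, from Microsoft, or from the MMPC post). It fingerprints a 512-byte classic MBR: checks the 0x55AA boot signature, hashes the bootstrap code and the partition table separately so a report says which part moved, and counts the unallocated sectors between the MBR and the first partition, the space a bootkit or GRUB uses for its later stages. The sample MBR is constructed inline; the device path in `read_mbr()` is an assumption (on Windows it needs an administrator token, on Linux root, and it should be run from clean boot media rather than the suspect OS).

```python
"""Fingerprint a classic (non-GPT) MBR and diff it against a stored baseline.

Added example for this thread, not code from any post or from Microsoft.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_SIZE = 440            # bootstrap code area
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries
SIGNATURE_OFFSET = 510          # 0x55 0xAA


@dataclass
class Partition:
    bootable: bool
    type_id: int
    start_lba: int
    sector_count: int


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Decode the four primary partition entries (LBA fields only; CHS ignored)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, type_id, start_lba, count = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append(Partition(status == 0x80, type_id, start_lba, count))
    return entries


def mbr_fingerprint(mbr: bytes) -> dict:
    """Hash the bootstrap code and the partition table separately.

    A bootkit rewrites the code area but usually leaves the partition table
    alone, so hashing them apart tells you which part changed.
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    used = [p for p in parse_partitions(mbr) if p.type_id != 0]
    first_lba = min((p.start_lba for p in used), default=None)
    return {
        "boot_signature_ok": mbr[SIGNATURE_OFFSET:] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "partition_table_sha256": hashlib.sha256(
            mbr[PARTITION_TABLE_OFFSET:SIGNATURE_OFFSET]).hexdigest(),
        # sectors between the MBR and the first partition: unallocated space
        # where a bootkit (or GRUB) can stash its later stages
        "free_sectors_before_first_partition": None if first_lba is None else first_lba - 1,
    }


def compare_with_baseline(baseline: dict, current: dict) -> list[str]:
    """Return human-readable findings; an empty list means 'matches baseline'."""
    findings = []
    if not current["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("bootstrap code changed")
    if baseline["partition_table_sha256"] != current["partition_table_sha256"]:
        findings.append("partition table changed")
    return findings


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    r"""Read sector 0 from a raw disk.

    Assumed device path: \\.\PhysicalDrive0 on Windows (needs an administrator
    token, which is exactly the hurdle running as non-admin adds), /dev/sda on
    Linux (needs root). Run this from known-clean boot media, not from the
    suspect OS: a resident driver hooking the disk port driver can return
    whatever it likes for sector 0.
    """
    with open(device, "rb", buffering=0) as disk:
        return disk.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR for the demo: one bootable NTFS partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    disk_signature = b"\x12\x34\x56\x78\x00\x00"       # 4-byte disk id + 2 reserved bytes
    ntfs = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = ntfs + b"\x00" * 48                         # three empty entries
    return code + disk_signature + table + b"\x55\xaa"


if __name__ == "__main__":
    baseline = mbr_fingerprint(build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0"))
    infected = mbr_fingerprint(build_sample_mbr(b"\xeb\xfe"))  # new code, same table
    print(compare_with_baseline(baseline, infected))  # ['bootstrap code changed']
```

Store the baseline fingerprint somewhere the machine cannot write to; a copy on the same disk is only as trustworthy as the disk. The "free sectors" number is worth recording too: it does not change on its own, and the region it describes is where fixmbr alone will not reach, which is why the MMPC post pairs fixmbr with a restore.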
  66. It depends on your backup strategy by cheros · · Score: 1

    Personally I have always believed in making sure a backup could be installed from bare metal upwards. An information backup doesn't take into account settings, serial numbers and the desire to hang on to a specific version of Microsoft Office because the next had a neutered UI called the ribbon..

    When I felt I needed to rebuild the box I'd restore the first backup and let Windows patching do its evil thing for an hour - also saves having to play disk jockey for hours (pet hate: installers that don't ask all the questions at the beginning so you have to babysit the whole &%*$ process).

    However, I must admit I'm not sure the tool I used (Acronis True Image) would also preserve the MBR.

    Nowadays I use a Mac - there, a bare metal backup is even usable as system boot disk..

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  67. ms-underware-gnomes by FudRucker · · Score: 1

    1. have OEMs sell PCs without windows disk (only a restore partition)

    2.release infection and inform everyone disk needs wiped and reinstall to fix...

    3.?????? (everyone that wiped their drives has to buy new install CD)

    4. PROFIT!!!

    --
    Politics is Treachery, Religion is Brainwashing
  68. MBR boot sector viruses are not new by pinkushun · · Score: 1

    1986: Brain is considered the first IBM PC compatible boot sector virus.
    1987: Stoned, another boot sector virus had a one in eight probability that the screen would declare: Your PC is now Stoned!
    1988: Ping-Pong virus, if a disk access is made exactly on the half hour, it starts to show a small "ball" bouncing around the screen. ... and many more in between: http://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms

    1. Re:MBR boot sector viruses are not new by NJRoadfan · · Score: 1

      Believe it or not, I still run across disks infected with NYB and Monkey.B.

  69. Reinstall? by Anonymous Coward · · Score: 0

    And then download a few gigs of updates.... Or just switch to Mac or Linux.

  70. Y'all be wrong by Anonymous Coward · · Score: 0

    "A recovery disc returns Windows to its factory settings."

    This is wrong too. Mr. Feng in that blog is advocating using an offline boot disk of some sort to clean the machine, not flatten it, and reinstall:

    "...we advise you to fix the MBR and then use a recovery CD to RESTORE YOUR SYSTEM TO A PRE-INFECTED STATE (as sometimes restoring a system may not restore the MBR). To fix the MBR, we advise that you use the System Recovery Console, which supports a command called "fixmbr".

    So he is advocating offline cleaning, and the fixmbr command. Frankly the fixboot command would be a good idea too, since updated versions may decide to also patch the Volume boot record, perhaps not being content with just the Master boot record.

  71. That's pretty much what I always do. by Lord+Kano · · Score: 1

    I will take the time to clear out a nasty infection if it's my machine, but anyone else? I run a restore disk and am done with it.

    I'm not taking 6 hours researching and scanning unless it's my computer, otherwise it doesn't make any sense.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  72. There is a way to use a rooted disk by dbIII · · Score: 1

    I managed to put the system disk of a linux machine that had been hacked to good use without reinstalling.
    The drive platter makes an excellent coaster.

  73. Lotus notes server at home? by djjockey · · Score: 1

    are you crazy?

    Also... i assumed you asked her what happens to her stuff if the server is reset to factory settings?

    1. Re:Lotus notes server at home? by Belial6 · · Score: 1

      The discussion was on backing up HER LAPTOP. Backing up her laptop is not the solution to the server being reset to factory settings.

  74. Revenge is sweet by Dishwasha · · Score: 1

    HBGary has finally enacted their revenge with the most heinous rootkit ever conceived by man. BWAHAHAHAHAHAHAHAH!!!!!!!!

  75. It took them this long to release this?? by madhatter256 · · Score: 1

    I ran into this rootkit before. It was a machine that wasn't heavily infected but NOD32 & MSE kept detecting this rootkit. Malwarebytes/combofix only detected the trojans the rootkit downloads, so it wasn't effective. After backing up the data I did a simple reinstall of the OS (where I did not do a low-level format) and shortly after installing the NIC drivers, a pop-up ad came up, so I reinstalled the AV software and it detected it again. I realized that this was low-level rootkit (MBR) and proceeded to re-do my reinstallation, but this time do a low-level format. I booted up KillDisk and ran it for a few minutes as it initially destroys the MBR. Then I reinstalled the OS and the PC was clean well into the future.

    The clients I deal with, a simple format/reinstall is out of the question as these are business machines and although sometimes they get infected when they go 'surf' the internet, a lot of times it's through targeted attacks. I was the go-to guy when it came to infections as I was able to locate and delete a lot of these trojans/rootkits when AV software couldn't locate it. Fortunately, AV software has come a long way, especially free ones.

    --
    Previewing comments are for sissies!
  76. Re:Free recovery CD/DVDs for most systems by Kalriath · · Score: 1

    Goddamn Ubuntu fanboys are even worse than Mac fanboys. Seriously, every post about an issue with Windows and "Here's your fix right here: www.ubuntu.com herp derp!"

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  77. Why? by Anonymous Coward · · Score: 0

    Why do users of a product (MSWindows) accept this?
    "They have sold you a product that can be compromised, solution: return to previous compromisable product"!

  78. Security 101: by BrokenHalo · · Score: 2

    It might not have failed you yet, but this isn't a tactic I would try on a machine that does anything important. The whole point of any rootkit is that it can modify any file, and thus unless you happen to have recent known-good md5sums for every single file on all drives attached to the system (and the time to check them all), you simply cannot trust the machine, and you cannot allow users to log on to it.

    Your only option is to re-image or reinstall from scratch.

    1. Re:Security 101: by Hylandr · · Score: 1

      Re-read what I posted. Also, it breaks down to which option is least expensive for the individual or company to pay to repair. I hate to say it, but I can't fix everyone's virus infested machines for free and still feed the family.

      - Dan.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    2. Re:Security 101: by RockDoctor · · Score: 1

      I hate to say it, but I can't fix everyone's virus infested machines for free and still feed the family.

      Simple solution : get rid of the family.

      Now get back to work!

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  79. Re:Norton Ghost by digitalaudiorock · · Score: 1

    I just recently used Clonezilla to clone my work XP machine's drive and restored from the clone to verify that it worked. Awesome project if you ask me. That supports ext4 etc. It also makes it trivial to clone to a network share, something that seems to be absurdly difficult with Ghost.

  80. BIOS isn't used a lot lately by DrYak · · Score: 1

    ...except that BIOS isn't much used for anything lately, except boot the OS.

    When the OS starts it uses its own SATA/PATA/SAS/SCSI etc. drivers to access the discs.
    So the BIOS lock won't help much.

    Also, with modern OSes, the translation code in the infected MBR won't be enough. Later stages must be started in the OS too (like hacked drivers or something along these lines).

    So back in the old-school DOS world, the whole virus could reside in the MBR (or, more likely, be loaded from the MBR, as Grub does. There isn't much room in the MBR itself, but there are enough free sectors before the OS partition in which to store the rest of the Grub or virus code).

    Nowadays this MBR part is only good at making sure that later OS stages are still in place and are still going to be loaded early enough in the boot process, in order to be able to bury itself and use further translation/obfuscation techniques to still go undetected while the rest of the OS is booting.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
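
The free sectors DrYak describes between the MBR and the first partition are exactly where both GRUB's core image and MBR bootkits stage their second stage. As an added example (not code from this thread or from Microsoft), here is a small Python MBR parser that reads the partition table, works out that unpartitioned gap, and lists the gap sectors holding any non-zero data, which is the check a responder would run over a disk image taken from a suspect machine. The disk image, its single NTFS partition starting at LBA 2048, and the marker bytes parked in sector 62 are all constructed for the demonstration.

```python
import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446          # the partition table follows the 446-byte boot code
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(partitions, boot_code=b""):
    """Construct a 512-byte MBR for the demo (constructed data, not a real boot sector)."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code[:PT_OFFSET])] = boot_code[:PT_OFFSET]
    for i, (status, ptype, lba_start, n_sectors) in enumerate(partitions[:4]):
        # CHS fields are obsolete on LBA disks; leave them zero.
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, n_sectors)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(mbr: bytes) -> dict:
    """Parse the boot signature and the four partition slots of a 512-byte MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR)
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba_start, n_sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": n_sectors})
    # Hash of the boot-code bytes: compare against a baseline from a known-good install.
    return {"boot_code_sha256": hashlib.sha256(mbr[:PT_OFFSET]).hexdigest(),
            "partitions": parts}


def unpartitioned_gap(parsed: dict):
    """LBA range (first, last) between the MBR and the first partition, or None."""
    if not parsed["partitions"]:
        return None
    first = min(p["lba_start"] for p in parsed["partitions"])
    return (1, first - 1) if first > 1 else None


def nonzero_gap_sectors(image: bytes, parsed: dict) -> list:
    """Return the LBAs inside the gap that contain any non-zero byte."""
    gap = unpartitioned_gap(parsed)
    if gap is None:
        return []
    hits = []
    for lba in range(gap[0], gap[1] + 1):
        chunk = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(chunk) < SECTOR:
            break  # truncated image
        if any(chunk):
            hits.append(lba)
    return hits


def build_demo_image(staged_sector=62) -> bytes:
    """1 MiB constructed image: MBR plus 2047 gap sectors, one carrying a marker."""
    mbr = build_mbr([(0x80, 0x07, 2048, 1_000_000)])  # one bootable NTFS partition at LBA 2048
    image = bytearray(mbr) + bytearray(SECTOR * 2047)
    off = staged_sector * SECTOR
    image[off:off + 8] = b"STAGE2\x90\x90"  # stands in for a parked second stage
    return bytes(image)


def triage(image: bytes, known_good_boot_sha256=None) -> dict:
    """One-shot summary a responder would want from an image."""
    parsed = parse_mbr(image[:SECTOR])
    return {
        "gap": unpartitioned_gap(parsed),
        "nonzero_gap_sectors": nonzero_gap_sectors(image, parsed),
        "boot_code_matches_baseline": (known_good_boot_sha256 is None
                                       or parsed["boot_code_sha256"] == known_good_boot_sha256),
    }


if __name__ == "__main__":
    img = build_demo_image()
    print(triage(img))
```

A non-empty list is evidence, not a verdict: GRUB and some OEM recovery tools legitimately occupy these sectors, so compare against an image of the same machine taken while it was known-good, and compare the 446-byte boot-code hash against that baseline too, since the boot code is the part an MBR rootkit replaces.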
  81. Use to be the case.... by DrYak · · Score: 1

    On old systems (and in the director's cut of the Terminator 2 movie :-P ), the BIOS was only writeable if you set a hardware switch.
    (If I remember correctly, the chip ran on 5v, but needed 12v to be programmed. The physical jumper enabled this feed).

    But it eventually got removed because people found it too inconvenient to administer.
    Nowadays not only do you no longer need to open the PC case to upgrade the BIOS, on some machines you can even do it while still running Windows.
    That means that an admin can remotely update the BIOS while the OS is still running (over VNC, for example).
    But that means that a virus writer could do it too (welcome to the fantastic world of BIOS-based viruses)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  82. Excellent suggestion, AV writers should capitalize by davidwr · · Score: 1

    AV writers who ship bootable rescue disks that are pre-loaded with network device drivers can tell their customers "boot with the disk, do the rescue scan and have it check online for updates, and you'll be good to go."

    For bonus PR points they can ship a "Popureb-fix.exe" program that you can put on your USB stick, CD (for 2-optical-disk systems), or, if Popureb won't interfere, on the infected hard disk, then boot with a Windows recovery disk and fix it.

    Those AV vendors not wedded to Windows for their boot media will have even more flexibility. I predict within a week we'll have a special-purpose Linux-based boot disk that does nothing but clean up this infection or at least disable it to the point that currently-available Windows-based AV programs can do the rest.

    "Reinstall your system is the only way to fix the problem" should never be the solution.

    "Reinstalling your system is the fastest, most sure-fire way to fix your system" is, unfortunately, frequently the case.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  83. You still need a non-writable boot path by davidwr · · Score: 1

    It's worth noting that machines with BIOS infections can potentially be cleaned through a special disk designed to remove them (usually read-only media like CD/DVD). What can be written, can be overwritten in most cases.

    You are assuming that the sequence:

    "Power on. Check for BIOS-recovery media. Recover BIOS."

    never executes write-able BIOS.

    If this is not the case then it can be intercepted and a BIOS-resident virus can potentially gain a permanent foothold, requiring hardware modification to bypass.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  84. To spread "The Good Word" by Anonymous Coward · · Score: 0

    Rootkits are the WORST THREATS is why! Std. tools in AntiVirus &/or AntiSpyware like most folks use WON'T CUT IT usually vs. them, is why!

    * That's all...

    APK

    P.S.=> This SHOULD work to "blow out" the bogus driver that protects & doubtless "rewrites" the bootsector with a bogus one again after FIXMBR tries to...

    ... apk

    1. Re:To spread "The Good Word" by NotSanguine · · Score: 1

      I get it now. You're an undeservedly supercilious, self-aggrandizing gasbag. Why didn't you just say so? Carry on.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
  85. Excellent: & that's all I wanted to see becaus by Anonymous Coward · · Score: 0

    Rootkits are the WORST THREATS is why! Std. tools in AntiVirus &/or AntiSpyware like most folks use WON'T CUT IT usually vs. them, is why!

    * That's all... to spread "the good word" here (hopefully).

    APK

    P.S.=> This SHOULD work to "blow out" the bogus driver that protects & doubtless "rewrites" the bootsector with a bogus one again after FIXMBR tries to...

    ... apk

  86. Not THIS particular Windows user... by Anonymous Coward · · Score: 0

    See subject-line: My roots are in UNIX, VMS, & IBM stuff like OS/400... I actually like command lines (faster, less overhead, better for automation scripts etc./et al) - but, I still like my GUI as well once in Ring 3/RPL 3/UserMode operations!

    * Commandlines have their place... network admins use them in say, logon scripts, yes - even in Windows, all the time!

    (This is one of them, & it SHOULD work to eradicate the presence of this rootkit, completely)

    APK

    P.S.=> You may have a point on UNIX being the 1st one with rootkits & the reason why also...

    ... apk

  87. Compile malware from source and run it by tepples · · Score: 1

    The *nix security model allows a user to execute files that he owns, meaning he could compile malware (that he doesn't know is malware) from source and run it, and the malware would have full access to the user's account. Some larger businesses appear to have moved to the video game console security model, where nothing that isn't signed by a central authority is allowed to execute.

  88. UAC is like the boy who cried "wolf" by tepples · · Score: 1

    The only reason people's systems are getting infected by this is because they gave the software privileges even after being warned it was a security risk.

    Which in turn is because the operating system has conditioned the user to think that nothing labeled a security risk is a true security risk. UAC (or counterparts on other operating systems) has cried "wolf" too many times.

    It doesn't matter what you do, if you give them the option to bypass security then they voluntarily will.

    But is this the case even if the maker of an appliance treats all homemade applications as security risks and sues those who sell the tools needed to bypass the security?

    1. Re:UAC is like the boy who cried "wolf" by exomondo · · Score: 1

      The only reason people's systems are getting infected by this is because they gave the software privileges even after being warned it was a security risk.

      Which in turn is because the operating system has conditioned the user to think that nothing labeled a security risk is a true security risk. UAC (or counterparts on other operating systems) has cried "wolf" too many times.

      I should have phrased that as 'potential security risk', which of course is a signal to the user that it may not be safe. Following that there is another message that the application requires administrative privileges, but most people don't care about what that means because they just want their xxx screensaver and don't stop and think what could happen.

      It doesn't matter what you do, if you give them the option to bypass security then they voluntarily will.

      But is this the case even if the maker of an appliance treats all homemade applications as security risks and sues those who sell the tools needed to bypass the security?

      I'm not sure what you're referring to there. I'm not suggesting removing the option to bypass security, just that when you leave the decision to the user then this is going to happen in some cases because the user doesn't care until something bad happens.

  89. Krusty's Super Fun House by tepples · · Score: 1

    What does Krusty's Super Fun House have to do with anything?

  90. DOS as well... by Anonymous Coward · · Score: 0

    See subject-line: Sorry - I omitted listing DOS as well by accident as to where I came from (commandline world of the 1980's during highschool to collegiate academia on my 1st degree, & even into the early 1990's for the most part, using DOS)!

    APK

    P.S.-=> Strictly speaking though, I shouldn't have put OS/400's "commandline" there (& I really started out on the IBM stuff using its predecessors/ancestors in System 34/36/38 actually)...

    IBM "Big Iron" mainframe/midrange 'commandline' is NOT really like the others I noted in UNIX &/or VMS really (in fact, I think it's the BEST "CommandLine" there is, it has a series of fields you use & a built in help system etc. (quite different))

    ... apk

  91. Product safety by tepples · · Score: 1

    I still think that made sense, but obviously most mainboard vendors find even such simple measures too expensive.

    There are lots of sharp pointy objects on a computer's motherboard. Requiring the end user to open the case to set a jumper would run into all sorts of product safety regulation.

    1. Re:Product safety by Lonewolf666 · · Score: 1

      If that is the problem, make it a switch on the ATX rear panel. Can be used without opening the case. You might have to sacrifice a USB port to make room. Still worth it.
      Besides, the motherboards I've seen are not that sharp and pointy. Cheap computer cases are worse, these sometimes lack deburring on the edges so you can really cut yourself ;-)

      --
      C - the footgun of programming languages
  92. Regedit, File Menu, Connect Network Registry by Anonymous Coward · · Score: 0

    See subject: So, you CAN "point" the registry editor to other machines via its File, Connect Network Registry system...

    (HOWEVER - Like yourself? I am NOT 100% sure if that would work under an arrangement like WINE!)

    * GOOD POINT on your part though, by all means...

    APK

  93. countertrolling & the trolltalk.com crew by Anonymous Coward · · Score: 0

    Mod themselves up again on pure b.s.: Here's how they downmod others (here is where countertrolling explains what he's doing while he trolls others to his fellow trolltalk.com friends):

    http://slashdot.org/comments.pl?sid=2245866&cid=36491652

    And, here's where his "troll mechanics" for downmodding others is explained in detail by someone that got sick of it happening:

    http://slashdot.org/comments.pl?sid=2271908&cid=36579618

    As far as bogus up moderations, the trolltalk.com bunch (tomhudson, countertrolling, & others) collectively "team up" to upmod one another, in teams, as favors to one another.

    (Talk about low, and bogus!)

  94. Fixmbr, listsvc, disable Recovery Console tools by Anonymous Coward · · Score: 0

    Can & will "blow this rootkit away" easily enough. Every Windows 2000/XP/Server 2003 installation medium has it & is NTFS5 version filesystem ready. The Fixmbr command "rewrites the bootsector", but this rootkit has a protective driver that just overwrites it again (or blocks access to it). That's where listsvc comes in with disable.

    listsvc - shows services AND DRIVERS load states @ bootup
    disable - turns off services & drivers (after you find this rootkit's offending protective driver - it probably won't have a descriptive field filled in, so it should be easier to spot, as std. ones usually do (@ most/worst case, you google for the driver(s) in question to disable it))

    See - IF you dig deep enough in the article's sources, you find this pertinent quote/excerpt that describes this rootkit's mechanics:

    ---

    http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx

    PERTINENT QUOTE/EXCERPT:

    "now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way - by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"

    ---

    So, that's WHY you need to use listsvc, & disable, alongside fixmbr to remove this thing...

    (listsvc /? + disable /? show the help/man page for these commands so you can understand how to use them further in cases like this one... they're easy & simple to use!)

    * This rootkit's an "interesting case", because it's basically what's called a "blended threat" in the security world vs. malware-in-general, in that it uses BOTH bootsector-originated rootkit tech AND memory-resident Ring 0/RPL 0 driver-based protection...

    APK

    P.S.=> And, there you go: "Here endeth the lesson..."

    ... apk

  95. Fixmbr, listsvc, disable Recovery Console tools by Anonymous Coward · · Score: 0

    Can & will "blow this rootkit away" easily enough. Every Windows 2000/XP/Server 2003 installation medium has it & is NTFS5 version filesystem ready. The Fixmbr command "rewrites the bootsector", but this rootkit has a protective driver that just overwrites it again (or blocks access to it). That's where listsvc comes in with disable.

    listsvc - shows services AND DRIVERS load states @ bootup
    disable - turns off services & drivers (after you find this rootkit's offending protective driver - it probably won't have a descriptive field filled in, so it should be easier to spot, as std. ones usually do (@ most/worst case, you google for the driver(s) in question to disable it))

    See - IF you dig deep enough in the article's sources, you find this pertinent quote/excerpt that describes this rootkit's mechanics:

    ---

    http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx

    PERTINENT QUOTE/EXCERPT:

    "now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way - by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"

    ---

    So, that's WHY you need to use listsvc, & disable, alongside fixmbr to remove this thing...

    (listsvc /? + disable /? show the help/man page for these commands so you can understand how to use them further in cases like this one... they're easy & simple to use!)

    * This rootkit's an "interesting case", because it's basically what's called a "blended threat" in the security world vs. malware-in-general, in that it uses BOTH bootsector-originated rootkit tech AND memory-resident Ring 0/RPL 0/kernel mode driver-based protection...

    APK

    P.S.=> And, there you go: "Here endeth the lesson..."

    ... apk

  96. Then you need to back up your notes.id file by Anonymous Coward · · Score: 0

    Or you will not be able to access any DB with encryption or an ACL.

  97. Sigh. Here we go again.. by toonces33 · · Score: 1

    I guess I have a couple of comments here..

    Any time I get the privilege of cleaning up an infected machine, the first thing I do is stick the drive in an external enclosure and scan it from a different machine. But that's only the first step..

    I keep a BartPE boot CD handy - this lets me boot from the CD and inspect the infected disk. I can mount registry hives and clean them if needed.

    In an ideal world, all binaries would be digitally signed - this would make it possible to identify all corrupted binaries, and identify all binaries in the windows folder that don't belong there.

    But at the end of the day, a reformat/reinstall might end up being the easiest way to clean things up. The users of the machine might object, but if they hadn't gotten the thing infected in the first place they wouldn't have had to deal with the rest. The problem is that the users will want to restore all kinds of stuff from the infected machine, and in amongst this could be the initial attack vector.
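
BrokenHalo's point in post 78 (you cannot trust the machine without recent known-good checksums for every file) and toonces33's wish above for a way to spot binaries in the Windows folder that don't belong there come down to the same mechanism: a baseline of file hashes taken while the machine was known-good, kept somewhere the machine cannot modify, and compared offline (from a BartPE boot, or with the drive in another machine, as toonces33 does). The Python below is an added example, not code from this thread: it builds that baseline and then reports modified, added and removed files. The directory tree and file names it creates are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baseline(baseline: dict, root: str) -> dict:
    """Re-hash root and report what changed relative to the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed tree: take a baseline, tamper with it, diff. All names are made up."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "system32/drivers/disk.sys", b"MZ" + bytes(1000))
        _write(root, "system32/drivers/atapi.sys", b"MZ" + bytes(2000))
        _write(root, "system32/notepad.exe", b"MZ" + bytes(500))

        # The baseline is serialised so it can live off the machine; a copy on the
        # same disk would be writable by the very rootkit it is meant to catch.
        snapshot = json.dumps(build_baseline(root), sort_keys=True)

        _write(root, "system32/drivers/disk.sys", b"MZ" + bytes(999) + b"\x90")  # patched driver
        _write(root, "system32/drivers/extra.sys", b"MZ" + bytes(100))            # dropped file
        os.remove(os.path.join(root, "system32/notepad.exe"))                      # deleted file

        return compare_baseline(json.loads(snapshot), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison only means something when it runs from trusted code with the suspect disk mounted passively; on a live infected system a kernel-mode driver can serve clean bytes to whatever reads the files. Even then the report tells you what changed on disk, not what was hooked in memory, which is why the thread keeps arriving at re-imaging as the only fully trustworthy fix.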

  98. Rootkit Infection Requires Window Reinstall by Anonymous Coward · · Score: 0

    Just another in a very long list of reasons to abandon Window (ME, 2000, NT, XP, Vista, 7) and move to MacOS or iOS.

  99. Where's my TPM chip? by Chemisor · · Score: 1

    I wonder why so few motherboards come with a TPM chip. With TPM you could set up a trusted boot sequence to immediately detect any tampering with the boot sector or the OS. I definitely intend to get a TPM-enabled board on my next upgrade. Unfortunately, now there's only Asus P7 series where you can buy the TPM module to plug in. Anybody know why it isn't available more widely?
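
Chemisor's post says what a TPM-backed trusted boot achieves without spelling out the mechanism. The Python below is an added model of it (not code from this thread or from any TPM library): each boot component is hashed and folded into a Platform Configuration Register with the TPM extend operation, new PCR = SHA-256(old PCR || digest), so the final register value depends on every component and on their order, and a single changed byte in the MBR produces a different value that no later stage can undo, because a PCR can only be extended, never written. The SHA-256 bank and the three constructed boot-stage blobs are assumptions for the demo; a TPM 1.2 uses SHA-1 with 20-byte PCRs, and on real hardware the firmware and boot loader, not application code, perform the measurements.

```python
import hashlib

PCR_SIZE = 32  # bytes: a SHA-256 PCR bank, as on a TPM 2.0 (assumption for the demo)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || digest).

    There is no 'PCR write'; a component that has already been measured cannot
    erase or replace its own measurement after it starts running.
    """
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("PCR and digest must be %d bytes" % PCR_SIZE)
    return hashlib.sha256(pcr + digest).digest()


def measure_chain(components):
    """Measure each (name, blob) in boot order into one PCR; return (pcr, event_log)."""
    pcr = bytes(PCR_SIZE)  # PCRs are all-zero after platform reset
    log = []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        log.append((name, digest.hex()))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def verify_boot(expected_pcr: bytes, components) -> bool:
    """Compare the measured chain against the value recorded at provisioning time."""
    pcr, _ = measure_chain(components)
    return pcr == expected_pcr


def unseal(expected_pcr: bytes, pcr: bytes, secret: bytes):
    """Model of a PCR-bound seal: the secret is released only if the PCR matches.

    This is the policy BitLocker's TPM protector relies on: a boot path that
    measures differently gets a recovery prompt instead of the volume key.
    """
    return secret if pcr == expected_pcr else None


def demo_components():
    """Constructed stand-ins for the boot stages; not real boot code."""
    mbr = b"\xfa\x33\xc0\x8e\xd0" + bytes(505) + b"\x55\xaa"  # 512 bytes
    stage2 = b"BOOTMGR-STAGE2-" * 20
    kernel = b"NTOSKRNL-IMAGE-" * 100
    return [("mbr", mbr), ("bootmgr", stage2), ("kernel", kernel)]


def tamper_mbr(components, offset=0x20, value=0xEB):
    """Change one byte inside the MBR blob, the smallest possible bootkit-style edit."""
    out = []
    for name, blob in components:
        if name == "mbr":
            b = bytearray(blob)
            b[offset] = value
            blob = bytes(b)
        out.append((name, blob))
    return out


if __name__ == "__main__":
    good = demo_components()
    expected, log = measure_chain(good)  # recorded once, while the machine is known-good
    print("expected PCR:", expected.hex())
    print("clean boot verifies:", verify_boot(expected, good))
    print("tampered MBR verifies:", verify_boot(expected, tamper_mbr(good)))
```

The measurement does not stop the rootkit from loading; what it gives the defender is a boot that cannot lie about having loaded it, which turns a silent infection into a detectable one.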

  100. Something fishy about the lack of information here by Anonymous Coward · · Score: 0

    As admin at my place of employment where I am dutifully engaged in running XP systems I figured I should be concerned with how this puppy proliferates. I'm starting to agree with the folks who think this is just a ruse to get people to reinstall, simply because there's no mention of transmission medium at all. Ooh, big scary virus out there! But where am I going to expect to find it? e-mails? PDFs? the web?

    Usually companies like Symantec will have some documentation like this and so far I'm unable to find anything. Got linxx?

  101. This is news? by Caerdwyn · · Score: 1

    Once you have been infected with ANY malware capable of installing code, you're a fool to treat it any way other than requiring a nuke-and-pave. There is just no way of knowing what rootkits have been installed, what re-infection vectors have been put in place, or whether you've gotten everything. Sure, an antivirus product's cleaning function will probably get most of it. Maybe all of it. But there's no way to be sure, short of a full wipe.

    So functionally, there really isn't any difference between an infection from this or any other download-capable malware. This one just requires what you really needed to do in the case of an infection anyway.

    --
    Everybody gets what the majority deserves.
  102. Re:Norton Ghost by toadlife · · Score: 1

    Yeah I was speaking from experience.

    I use Clonezilla for a lab I have that is dual boot Windows/Linux. On those machines, Ghost doesn't support ext4 (forces sector by sector copy, which takes FOREVER on a 150GB partition even if you zero the free space), nor does it copy GRUB properly.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  103. Windows is a complete fail. by Anonymous Coward · · Score: 0

    See, you wouldn't have these problems everyday if you used Unix/Linux!

  104. A dose of "ReVeRsE-PsYcHoLoGy" by Anonymous Coward · · Score: 0

    ".no yrraC ?os yas tsuj uoy t'ndid yhW . gabsag gnizidnargga-fles ,suoilicrepus yldevresednu na er'uoY .won ti teg I" - by NotSanguine - another done nothing with his life "ne'er-do-well" off-topic troll(1917456) on Tuesday June 28, @03:10PM (#36602330)

    "???"

    * Uhm, lol... Could we get a translation of that off-topic "troll-speak" of yours, please?

    (LOL!)

    APK

    P.S.=> Yes, it must have just have been another off-topic done nothing of significance with his life troll blubbering his b.s. again & not contributing to the ongoing conversations. Oh well - No biggie!

    ... apk

    1. Re:A dose of "ReVeRsE-PsYcHoLoGy" by NotSanguine · · Score: 1

      I get it now. You're an undeservedly supercilious, self-aggrandizing gasbag. Why didn't you just say so? Carry on.

      "???"

      * Uhm, lol... Could we get a translation of that

      My sincere apologies. I didn't realize that English wasn't your first language. I know that sometimes English vocabulary can be challenging.

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
    2. Re:A dose of "ReVeRsE-PsYcHoLoGy" by Anonymous Coward · · Score: 0

      You sound a bit jealous

  105. Memory by HomelessInLaJolla · · Score: 1

    If a rootkit was there once--how do you know that you have cleaned the fragments out of all of the persistent registers? Video cards, audio cards, hard drive, monitor, network cards, mobo BIOS?

    --
    the NPG electrode was replaced with carbon blac
  106. VM's as a security device by Anonymous Coward · · Score: 0

    I still don't see why we don't run VMs as standard for internet access & for testing apps whose parentage we don't know about.
    sandbox things before they get to the OS let alone the MBR

    altho I thought I saw a VM escaped rootkit mentioned a few months back...
    can't remember where tho

  107. Don't use Windows 2k/XP/Server 2003 FixMBR by Anonymous Coward · · Score: 0

    ON WINDOWS VISTA, WINDOWS 7, WINDOWS SERVER 2k8 - because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

    For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

    (HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008 though)

    * Because all they do is query the registry and write to it, respectively!

    (The Registry's structure's been essentially the same since Win2k is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

    APK

  108. Don't use Windows 2k/XP/Server 2003 FixMBR by Anonymous Coward · · Score: 0

    ON WINDOWS VISTA, WINDOWS 7, WINDOWS SERVER 2k8 - because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

    For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

    (HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008 though)

    * Because all they do is query the registry and write to it, respectively!

    (The Registry's structure's been essentially the same since Win2k is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

    APK

    P.S.=> Just thought I'd note this, just in case others weren't aware of the diff.'s in bootsector structure...

    ... apk

  109. Don't use Windows 2k/XP/Server 2003 FixMBR by Anonymous Coward · · Score: 0

    ON WINDOWS VISTA, WINDOWS 7, WINDOWS SERVER 2k8 - that's because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

    For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

    (HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008 though)

    * Because all they do is query the registry and write to it, respectively!

    (The Registry's structure's been essentially the same since Win2k is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

    APK

    P.S.=> Just thought I'd note this, just in case others weren't aware of the diff.'s in bootsector structure...

    ... apk

  110. Don't use Windows 2k/XP/Server 2003 FixMBR by Anonymous Coward · · Score: 0

    ON WINDOWS VISTA, WINDOWS 7, WINDOWS SERVER 2k8 - That is just because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

    For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

    (HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008 though)

    * Because all they do is query the registry and write to it, respectively!

    (The Registry's structure's been essentially the same since Win2k is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

    APK

    P.S.=> Just thought I'd note this, just in case others weren't aware of the diff.'s in bootsector structure...

    ... apk

  111. Don't use Windows 2k/XP/Server 2003 FixMBR by Anonymous Coward · · Score: 0

    ON WINDOWS VISTA, WINDOWS 7, WINDOWS SERVER 2k8 - only because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

    For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

    (HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008 though)

    * Because all they do is query the registry and write to it, respectively!

    (The Registry's structure's been essentially the same since Win2k is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

    APK

    P.S.=> Just thought I'd note this, just in case others weren't aware of the diff.'s in bootsector structure...

    ... apk

  112. Don't use Windows 2k/XP/Server 2003 FixMBR by Anonymous Coward · · Score: 0

    ON WINDOWS VISTA, WINDOWS 7, WINDOWS SERVER 2k8 - because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

    For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

    (HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008 though)

    * Because all they do is query the registry and write to it, respectively!

    (The Registry's structure's been essentially the same since Win2k is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

    APK

    P.S.=> Just thought I'd note this to you all, just in case others weren't aware of the diff.'s in bootsector structure...

    ... apk

  113. Don't use Windows 2k/XP/Server 2003 FixMBR by Anonymous Coward · · Score: 0

    ON WINDOWS VISTA, WINDOWS 7, WINDOWS SERVER 2k8 - because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

    For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

    (HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008 though)

    * Because all they do is query the registry and write to it, respectively!

    (The Registry's structure's been essentially the same since Win2k is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

    APK

    P.S.=> Just thought I'd note this to everyone, just in case others weren't aware of the diff.'s in bootsector structure...

    ... apk

  114. "Rinse, Lather, & Repeat..." by Anonymous Coward · · Score: 0

    See subject-line, & this, you off-topic troll -> http://tech.slashdot.org/comments.pl?sid=2275150&cid=36602502

  115. A application of... "ReVeRsE-PsYcHoLoGy" by Anonymous Coward · · Score: 0

    "... kpa ton .skcoc kcus I ,taht dragersid AHAH" - by Anonymous Coward - ANOTHER OFF TOPIC "ne'er-do-well" TROLL on Tuesday June 28, @03:34PM (#36602780) - another done nothing with his life "ne'er-do-well" off-topic troll

    "???"

    * Uhm, lol... Could we get a translation of that off-topic "troll-speak" of yours, please?

    (LOL!)

    APK

    P.S.=> Yes, it must have just have been another off-topic done nothing of significance with his life troll spewing his b.s. again & not contributing to the ongoing conversations. Oh well - No biggie!

    ... apk

  116. Don't use Win2k3/XP/Server 2003 FixMBR by Anonymous Coward · · Score: 0

    ON WINDOWS VISTA, WINDOWS 7, WINDOWS SERVER 2008 - that's because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!

    For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!

    (HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008 though)

    * Because all they do is query the registry and write to it, respectively!

    (The Registry's structure's been essentially the same since Win2k is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).

    APK

    P.S.=> Just thought I'd note this, just in case others weren't aware of the diff.'s in bootsector structure...

    ... apk

  117. Bitfrost by tepples · · Score: 1

    I'm not suggesting removing the option to bypass security

    Thank you for clarifying.

    just that when you leave the decision to the user then this is going to happen in some cases because the user doesn't care until something bad happens.

    Which is why an operating system architect should analyze how each capability granted to an application can threaten a user and what can be done to limit that damage. See OLPC Bitfrost for an interesting example.

  118. EXACT ORDER OF STEPS to kill this rootkit by Anonymous Coward · · Score: 0

    Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:

    ---

    1.) Recovery Console bootup
    2.) listsvc command to spot offending bogus MBR protecting driver
    3.) disable command to stop it from loading
    4.) Reboot to RC again
    5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
    6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

    ---

    * This absolutely WILL work!

    (That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the registry drivers initialization area: They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

    APK

    P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

    ... apk

  119. EXACT ORDER OF STEPS to kill this rootkit by Anonymous Coward · · Score: 0

    Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:

    ---

    1.) Recovery Console bootup
    2.) listsvc command to spot offending bogus MBR protecting driver
    3.) disable command to stop it from loading
    4.) Reboot to RC again
    5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
    6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

    ---

    * This absolutely WILL work!

    (That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

    APK

    P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

    ... apk

  120. EXACT ORDER OF STEPS to kill this rootkit by Anonymous Coward · · Score: 0

    Steps to take to "KNOCK-THE-CHOCOLATE out of this rootkit's current design:

    ---

    1.) Recovery Console bootup
    2.) listsvc command to spot offending bogus MBR protecting driver
    3.) disable command to stop it from loading
    4.) Reboot to RC again
    5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
    6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

    ---

    * This absolutely WILL work!

    (That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which RC's disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

    APK

    P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

    ... apk

  121. EXACT ORDER OF STEPS to kill this rootkit by Anonymous Coward · · Score: 0

    Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:

    ---

    1.) Recovery Console bootup
    2.) listsvc command to spot offending bogus MBR protecting driver
    3.) disable command to stop it from loading
    4.) Reboot to RC again
    5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
    6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

    ---

    * This absolutely WILL work!

    (That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

    APK

    P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

    ... apk

  122. EXACT ORDER OF STEPS to kill this rootkit by Anonymous Coward · · Score: 0

    Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:

    ---

    1.) Recovery Console bootup
    2.) listsvc command to spot offending bogus MBR protecting driver
    3.) disable command to stop it from loading
    4.) Reboot to RC again
    5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
    6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

    ---

    * This absolutely WILL work!

    (That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

    APK

    P.S.=> Then, it WILL be "reinstall time", if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

    ... apk

  123. EXACT ORDER OF STEPS to kill this rootkit by Anonymous Coward · · Score: 0

    Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:

    ---

    1.) Recovery Console bootup
    2.) listsvc command to spot offending bogus MBR protecting driver
    3.) disable command to stop it from loading
    4.) Reboot to RC again
    5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
    6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

    ---

    * This absolutely WILL work!

    (That is, until the rootkit makers CHANGE the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

    APK

    P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

    ... apk

  124. EXACT ORDER OF STEPS to kill this rootkit by Anonymous Coward · · Score: 0

    Steps to take to "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:

    ---

    1.) Recovery Console bootup
    2.) listsvc command to spot offending bogus MBR protecting driver
    3.) disable command to stop it from loading
    4.) Reboot to RC again
    5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
    6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

    ---

    * This absolutely WILL work!

    (That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable, can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

    APK

    P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

    ... apk

  125. EXACT ORDER OF STEPS to kill this rootkit by Anonymous Coward · · Score: 0

    Steps to take 2 "KNOCK-THE-CHOCOLATE" out of this rootkit's current design:

    ---

    1.) Recovery Console bootup
    2.) listsvc command to spot offending bogus MBR protecting driver
    3.) disable command to stop it from loading
    4.) Reboot to RC again
    5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
    6.) REBOOT NORMALLY (it WILL be gone, guaranteed)

    ---

    * This absolutely WILL work!

    (That is, until the rootkit makers change the rootkit's bogus MBR protecting driver to not only protect the fake MBR, but also the rootkit's driver initialization area, in the registry (which disable can stop): They do THAT? "HOUSTON WE HAVE A PROBLEM!" )

    APK

    P.S.=> Then, it WILL be "reinstall time" if they protect that area of the registry from the DISABLE RC COMMAND above (because that only takes on reboot)

    ... apk

  126. Group Policy + bcdedit can STOP by Anonymous Coward · · Score: 0

    The hello_tt.sys UNSIGNED driver from installing (as this rootkit does), easily, & Windows WARNS YOU of "test mode" when one's installed to bypass signed-driver checks - I know this from building & testing filtering drivers, in fact:

    ---

    Configure Driver Signing Through Group Policy Editor:

    http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/

    You can BLOCK it from even happening vs. rootkits like this one OR others like it that try to install bogus drivers, as this one did with hello_tt.sys!

    (In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))

    ---

    AND, Again - This can also serve as a "layered security defense" here too vs. unsigned driver installations, along with the bcdedit commandlines I showed in my post I replied to here as well!

    ---

    I also already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs

    http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960

    PERTINENT QUOTE/EXCERPT:

    ---

    "Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?

    Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):

    ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:

    ---

    bcdedit /deletevalue loadoptions

    bcdedit -set TESTSIGNING OFF

    ---

    * That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)

    ---

    Yes - There are also other ways to implement it as well, such as a scheduled task if one wishes, or however a network machine-level or domain-level admin wishes... and in older Windows models prior to Windows 7/VISTA/Server 2008, this can be handled in boot.ini (see a reference to options there)

    ---

    (Once more - Group Policy can too, LAN/WAN wide if needed, & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup for device-driver devs, is all... @ most!)

    ---

    However - The nicest part is here?

    Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!

    (I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)

    * Once more/Again? "Here endeth the lesson..."

    APK

    P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):

    ---

    "Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:

    http://www.youtube.com/watch?v=SP74aJBbIoY

    ---

    Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"

    (For what I feel I've done to this rootkit, & others like it via my techniques, lol, since "Boagrius" was "so bad" & "indestructible" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!)

    ... apk
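    As an added example (not the poster's code), here is an audit of the boot-configuration values the post above clears with bcdedit, so a host where test signing or integrity checks were switched off can be spotted before it is relied on. It assumes the column layout of `bcdedit /enum` shown in the constructed sample; testsigning and loadoptions come from the post, and nointegritychecks is added as the other well-known switch that disables signature enforcement.

```python
"""Audit bcdedit /enum output for settings that let unsigned drivers load.
Added example, not the poster's code; the sample output below is constructed."""
import re
import subprocess   # only needed by audit_live_host() on a real Windows machine

# Weak boot-configuration values and the bcdedit command that reverts each one. testsigning and
# loadoptions are the two the post above clears; nointegritychecks is the other well-known
# switch that turns driver signature enforcement off.
WEAK_SETTINGS = {
    "testsigning": (lambda v: v.strip().lower() == "yes", "bcdedit /set testsigning off"),
    "nointegritychecks": (lambda v: v.strip().lower() == "yes", "bcdedit /set nointegritychecks off"),
    "loadoptions": (lambda v: "DISABLE_INTEGRITY_CHECKS" in v.upper(), "bcdedit /deletevalue loadoptions"),
}

ENTRY_LINE = re.compile(r"^(\w+)\s{2,}(\S.*?)\s*$")   # "name<2+ spaces>value"


def parse_bcd_enum(text: str) -> list:
    """Split bcdedit /enum output into one {name: value} dict per boot entry."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if set(stripped) == {"-"}:          # dashed underline below a section title: new entry
            current = {}
            entries.append(current)
            continue
        m = ENTRY_LINE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return entries


def audit_entries(entries: list) -> list:
    """Return (identifier, setting, value, fix) for each weak setting in each entry."""
    findings = []
    for entry in entries:
        ident = entry.get("identifier", "<unknown>")
        for name, (is_weak, fix) in WEAK_SETTINGS.items():
            value = entry.get(name)
            if value is not None and is_weak(value):
                findings.append((ident, name, value, fix))
    return findings


def audit_live_host() -> list:
    """Run bcdedit /enum (needs an elevated prompt on Windows) and audit the result."""
    out = subprocess.run(["bcdedit", "/enum"], capture_output=True, text=True, check=True).stdout
    return audit_entries(parse_bcd_enum(out))


# Constructed sample: bcdedit /enum output from a host where test signing was switched on.
SAMPLE_ENUM = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
default                 {current}

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
loadoptions             DISABLE_INTEGRITY_CHECKS
testsigning             Yes
nx                      OptIn
"""

if __name__ == "__main__":
    for ident, name, value, fix in audit_entries(parse_bcd_enum(SAMPLE_ENUM)):
        print(f"{ident}: {name}={value}  ->  {fix}")
```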

  132. Group Policy + bcdedit can STOP by Anonymous Coward · · Score: 0

    Unsigned device driver installs (like hello_tt.sys, the one this rootkit installs), easily, & Windows WARNS YOU of "test mode" when one's installed to bypass signed-driver checks - I know this from building & testing filtering drivers, in fact:

    ---

    Configure Driver Signing Through Group Policy Editor:

    http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/

    You can BLOCK it from even happening vs. rootkits like this one OR others like it that try to install bogus drivers, as this one did with hello_tt.sys!

    (In fact... Using GPEDIT.MSC &/or SECPOL.MSC this way is in my "layered-security guide" for Windows -> http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE & has been for YEARS now (since 2007))

    ---

    AND, Again - This can also serve as a "layered security defense" here too vs. unsigned driver installations, along with the bcdedit commandlines I showed in my post I replied to here as well!

    ---

    I also already posted this DAYS ago here on /., regarding this rootkit, & on the subject of bypassing unsigned driver installs

    http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960

    PERTINENT QUOTE/EXCERPT:

    ---

    "Should the rootkit/botnet maker alter His rootkit/botnet's design to protect the registry area driver init. section for hello_tt.sys as well as the bootsector as he currently does for this "blended threat tech" rootkit/botnet?

    Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):

    ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:

    ---

    bcdedit /deletevalue loadoptions

    bcdedit -set TESTSIGNING OFF

    ---

    * That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)

    ---

    Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes... and in older Windows models prior to Windows 7/VISTA/Server 2008, this can be handled in boot.ini (see a reference to options there)

    ---

    (Once more - Group Policy can too, LAN/WAN wide if needed & iirc, it's ON BY DEFAULT too - but it would adversely affect those who develop device drivers - you might be 'forced into' making another usergroup is all, for devicedriverdevs is all... @ most!)

    ---

    However - The nicest part is here?

    Well once more - Windows "warns you" when you enter this mode using UNSIGNED DRIVERS!

    (I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock TEST MODE when unsigned drivers are allowed during testing of device drivers!)

    * Once more/Again? "Here endeth the lesson..."

    APK

    P.S.=> Quoting my fav. hero as a boy here, from classical Greek Mythos, in AKhilleus (Greek spelling of Achilles), son of Peleus (when middle names are usually those of the father or grandfather = APK, lol!):

    ---

    "Is there no one else? IS THERE NO ONE ELSE??" - Achilles, son of Peleus, portrayed by Brad Pitt in the classic 2004 film, TROY here:

    http://www.youtube.com/watch?v=SP74aJBbIoY

    ---

    Play it from 2:50 onwards, for the "FULL EFFECT" (lol) & "Absolutely LIVE!"

    (For what I feel I've done to this rootkit, & others like it via my techniques, lol, since "Boagrius" was "so bad" & "indestructible" like this rootkit/botnet was alleged to be, and to my naysayers here also, easily!)

    ... apk
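    The bcdedit procedure in the comment above, turned into a check a defender can run: it reads the active boot entry, flags the settings that let unsigned drivers load, and can reset them using the same two commands. This is an added example, not the commenter's code; it assumes an elevated PowerShell prompt on Vista/7/Server 2008 or later, and nointegritychecks is an extra BCD element the post does not mention.

```powershell
# Added example: audit the active Windows boot entry for settings that weaken
# kernel driver-signature enforcement, and optionally restore them.
# Assumptions: elevated PowerShell on Vista/7/2008 or later (bcdedit needs
# admin rights); function names and the report layout are mine, not APK's.

function Get-DriverSigningBypassState {
    # bcdedit prints lowercase "element   value" lines; parse {current} only.
    # Braces are quoted so PowerShell does not treat them as a script block.
    $lines = & bcdedit.exe /enum '{current}' 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed: $lines" }

    $settings = @{}
    foreach ($line in $lines) {
        # -cmatch (case-sensitive) skips the "Windows Boot Loader" banner line
        if ("$line" -cmatch '^([a-z]+)\s+(\S.*)$') {
            $settings[$Matches[1]] = $Matches[2].Trim()
        }
    }

    $findings = @()
    if ($settings['testsigning'] -eq 'Yes') {
        $findings += 'testsigning ON: test-signed drivers load; desktop shows "Test Mode"'
    }
    if ($settings['nointegritychecks'] -eq 'Yes') {
        $findings += 'nointegritychecks ON: kernel-mode signature checks disabled'
    }
    if ($settings['loadoptions'] -match 'DISABLE_INTEGRITY_CHECKS') {
        $findings += "loadoptions bypass present: $($settings['loadoptions'])"
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
        Settings  = $settings
    }
}

function Repair-DriverSigningBypassState {
    # Same two commands the comment recommends (deletevalue complains if
    # loadoptions is absent; harmless), plus the newer nointegritychecks element.
    & bcdedit.exe /deletevalue '{current}' loadoptions 2>&1 | Out-Null
    & bcdedit.exe /set '{current}' testsigning off | Out-Null
    & bcdedit.exe /set '{current}' nointegritychecks off | Out-Null
    Get-DriverSigningBypassState
}

$state = Get-DriverSigningBypassState
if ($state.Compliant) { 'OK: no driver-signing bypass is configured.' }
else { $state.Findings | ForEach-Object { "FINDING: $_" } }
```

    Run the audit from a scheduled task or logon script to get the same coverage the post describes, and call Repair-DriverSigningBypassState only where a finding is confirmed.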
