Rootkit Infection Requires Windows Reinstall
CWmike writes "Microsoft is telling Windows users that they'll have to reinstall the OS if they get infected with a new rootkit. A new variant of a Trojan Microsoft calls Popureb digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog. 'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."
You always do an OSRI if you get infected by any rootkit.
Right advice, wrong OS.
make imaginary.friends COUNT=100 VISIBLE=false
The only way a machine can be trusted after ANY infection is an OS reinstall.
Or as Ripley said: nuke it from orbit, it's the only way to be sure.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Well sure, if you have a known good checksum for every file on your machine?
We all need a major re-think of how OS is installed on the computer, how it is architected, etc.
Seems to me that a low-level kernel in FLASH, which can only be upgraded with a hardware key inserted (e.g., the kernel FLASH blocks can only be written when there is a physical device plugged into the system), which then supports a number of different OS images using the virtual machine concept, is the way to go. If the image of any VM gets rooted, you just toss it and revert to the last backup. The flash is immune to tricks, because you must insert a hardware key to upgrade it, so trojans could not overwrite the FLASH-based kernel; the worst that can happen is that one of the OS images gets corrupted, and then you just revert to saved.
Any virus can potentially do anything to your machine, including system restore points. If the machine is owned, it is owned and everything on it should be considered as suspect.
Back in the day there were a couple of BIOS viruses, which were even worse.
And that's regardless of OS. Any root-kitted linux box should be treated with exactly the same level of quarantine.
Do all Windows PCs ship with a CD? What about retrieving the user's data?
You work for Symantec?... use ntfsclone or partimage from a live CD instead
For justice, we must go to Don Corleone
Don't act the fool my boy..... it is called a "boot ROM" for historical reasons, but these days they are all FLASH based, ain't no real mask-programmed ROMs any more; these days they are all FLASH based and on most motherboards can easily be written if you simply toggle the correct bits in the hardware control registers.
Hmm, the MS Blog doesn't say you need to do an OS reinstall; only replace the MBR with a clean one; then do a system restore to a point in time PRIOR to the infection - entirely different to a reinstall
Wouldn't a Linux or BSD or Haiku or Hack OS X install fix this too? This headline reads a bit like "Flooding requires rebuilding the exact same structure in the annual floodplain."
http://alternatives.rzero.com/
The Microsoft engineer is quoted as saying, "restore your system to a pre-infected state". The article then says, "a recovery disc returns Windows to its factory settings". This is entirely false. The engineer is not saying to do a factory restore. For the layman using 7: use F8 or a 7 disc and choose "repair your computer", run the command prompt, run fixmbr, run system recovery and go back a day.
Requires a system *restore* not *recovery* and fixmbr. SHOCKING. I do this multiple times a week in my role as a computer fix-it guy. Grandma can't afford to spend the cash to have her system reloaded just because some virus got in there. I've cleaned out some pretty nasty rootkits and virii that only took me a few minutes with a Linux boot CD and then fixmbr. It doesn't take long if you've done it a million times.
Nobodies Prefect
Tidbits for Techs Technology Blog
Sigh. It would 'fix' the potential for getting infected by that particular rootkit on that particular O/S. All those other things are built on floodplains too, it's just that some flood more often than others. Extrapolating future floods based on the past is only going to work until it doesn't.
So they get to choose between a system that is unusable from malware or a system that is unusable because it won't run their Windows applications?
Oh, quit whining and start WINEing.
Help! Help! I'm being repressed!
To continue your flood analogy, you have three options:
1. Build out of something floodproof, like concrete. The *entire* house. When a flood happens, no big deal... but making changes to the house would be a big problem. This is the ChromeOS or DeepFreeze approach: Read-only filesystem and checksums.
2. Build dams, canals and build a few feet into the air. This works for small floods, but if you get something new, it might still wipe you out. This is the Linux approach: Try to secure things, deal with the few issues as they come up.
3. Build cheaply, and rebuild after each flood. This is the Windows re-image approach: Just assume it's going to get hit, and have a plan to rebuild afterwards.
Just my 2c.
You must live in a VERY small basement.
In what is probably not the world's best news for Symantec, even Microsoft has gotten around to developing a Windows imaging tool that (mostly) works. The "Windows Automated Installation Kit" is something of a baroque monstrosity; but it exists and is offered at no additional cost to Windows customers.
It took 20 years and alarming complexity increases; but it's almost like being able to tar your OS install and then untar it onto a newly created filesystem!
If the root kit works like most older boot sector virus programs, it already functions much like Grub does in the sense that it replaces the code that allows the other code to be found and run. But the code represented to the operating system would have a sector 0 in a different location than the real boot sector.
So while you would effectively have moved the first sector as far as Windows is concerned, the virus infection would be able to still tank Windows because it would still initially attack sector 0. And if it's the old school infection where it uses int13h calls (the BIOS) instead of Windows and/or even the old protected mode access to access the HD, it will effectively move the Grub install to a new sector and make it think it is in sector 0 on subsequent boots. It will do this the same way Grub or LILO would make Windows think it was loading from the boot sector when it wasn't.
The problem with a boot sector virus is that if the disk is allowed to load any code at all which is the default in the boot process, the manipulation is already in memory and running. You would essentially need to boot from a start up floppy or CD or something without the hard disk loading at boot.
Some modern BIOS configurations allow you to lock the boot sector of the harddrive down much like they started allowing you to lock flashing the bios down. This is about the only way to preempt this as it would give off a warning about something attempting to write to the boot sector of the hard drive. However, experience tells me that when something is trying to write to the boot sector and it fails to do it, you often need to rebuild the boot sector anyways.
Now that is with the initial infection. The attacks it uses to maintain its infection would work regardless of the operating system because once infected, it's acting as a translation between the operating system and the hard drive. This is why a restore CD is the recommendation for fixing the issues. The CD loads instead of the drive code loading. This way, you are not fixing an infected machine with infected code.
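The post above describes an MBR that has had its boot code swapped while the partition table it hands to the OS stays intact, and the earlier suggestion to "fix the MBR" (fixmbr) rather than wipe the partitions. The following is an added example, not code from the original thread or from Microsoft, that shows the defender's side of that: parse a 512-byte sector 0, compare the 440-byte code area against a known-good SHA-256, and rewrite only the code area while preserving the disk signature and partition table. The boot-code bytes and partition layout are constructed for the demo and are not a real loader; any sector you read from a real disk should be read from clean boot media, as the thread itself says, because an active bootkit can lie about what sector 0 contains.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA = slice(0, 440)        # boot code; bytes 440-445 hold the disk signature + reserved word
PTABLE_OFFSET = 446              # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count

# Constructed sample data (not real loader code, not a real infection).
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"constructed clean boot code"
TAMPERED_CODE = b"\xfa\xeb\xfe" + b"constructed replacement boot code"
PARTITIONS = [  # (bootable, type, lba_start, sector_count)
    (True, 0x07, 2048, 204800),     # 0x07 = NTFS/exFAT style entry
    (False, 0x07, 206848, 1843200),
]


def build_mbr(boot_code: bytes, partitions, disk_sig: int = 0x12345678) -> bytes:
    """Assemble a 512-byte MBR from its parts (used here only to construct test sectors)."""
    code = boot_code.ljust(440, b"\x00")[:440]
    entries = b""
    for bootable, ptype, lba_start, count in partitions:
        # CHS fields are zeroed: modern loaders use the LBA fields.
        entries += struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0",
                               ptype, b"\0\0\0", lba_start, count)
    entries = entries.ljust(64, b"\x00")
    return code + struct.pack("<IH", disk_sig, 0) + entries + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into code hash, disk signature, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PTABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # type 0 means an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[CODE_AREA]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parts,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def boot_code_matches(sector: bytes, known_good_sha256: str) -> bool:
    """The integrity check: has only the code area been compared, not the partition table?"""
    return parse_mbr(sector)["code_sha256"] == known_good_sha256


def restore_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """Replace only the code area, keeping disk signature and partition table intact,
    which is conceptually what an MBR repair does (as opposed to repartitioning)."""
    return clean_code.ljust(440, b"\x00")[:440] + sector[440:]


if __name__ == "__main__":
    clean = build_mbr(CLEAN_CODE, PARTITIONS)
    known_good = parse_mbr(clean)["code_sha256"]   # recorded while the system was known good
    tampered = build_mbr(TAMPERED_CODE, PARTITIONS)  # same partitions, different code
    print("partition table unchanged:", parse_mbr(tampered)["partitions"] == parse_mbr(clean)["partitions"])
    print("boot code matches known good:", boot_code_matches(tampered, known_good))
    repaired = restore_boot_code(tampered, CLEAN_CODE)
    print("after repair matches known good:", boot_code_matches(repaired, known_good))
```

The point of hashing bytes 0-439 rather than the whole sector is that the disk signature and partition table legitimately differ between machines, so a per-machine known-good hash of the code area is what lets a clean-media check say "sector 0 was rewritten" without false alarms from normal partitioning.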
People still use Windows?
Yeah, about 90% of the computer users in the world still do.
What I do is remove the drive from the system, slap it into an external enclosure and scan from a clean machine after unplugging that machine from the network.
If it kills system files then I replace or repair it once I boot from the recently cleaned hdd. Also, delete the swap file before you plug it back in. Hasn't failed me yet.
- Dan.
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Why do you keep re-posting the same information you've posted at least three times on this thread? And then have the poor taste to put a link to your previous posting of the same information?
What possible value could that add to this discussion?
No, no, you're not thinking; you're just being logical. --Niels Bohr
NICs & VGA cards have stopped having flash ever since they moved from ISA to PCI: at that point, in order to cut costs, they moved their firmware storage to the motherboard BIOS flash.
Wrong. All graphics cards have traditional CGA/EGA/VGA BIOS interface implemented for their hardware in their flash. They wouldn't initialize properly without it.
Contrary to the popular belief, there indeed is no God.
Yep...once the virus is in the antivirus is useless. The virus will have no problem setting permissions, etc. so your antivirus can't touch it. And...given that most antivirus programs take a week or so to respond to new viruses, it makes them mostly useless.
If somebody's the sort of person who gets viruses an antivirus won't save them.
No sig today...
We really need to go back to a simple (so it can be bug free) boot ROM that is proper ROM, not read/write flash. Hold key sequence to select boot media, and then boot from known-clean media. Anything that is read/write and involved in the boot process can potentially be fucked with to own your box. In the past, there have been BIOS viruses which were extremely difficult to remove - essentially as soon as the machine powers up it is owned and ready to infect whatever media you give it or intercept the operation of AV programs.
It's really only because the extra effort isn't worth it that we don't have far more serious viruses out there that are infecting EFI boot partitions, BIOS and other bits of firmware that Windows and its virus scanner software can't fix, these days.
Yep...once the virus is in the antivirus is useless. The virus will have no problem setting permissions, etc. so your antivirus can't touch it. And...given that most antivirus programs take a week or so to respond to new viruses, it makes them mostly useless.
If somebody's the sort of person who gets viruses an antivirus won't save them.
If you look at timelines for the spreading of the different virus/malware infections, getting protection within a week most definitely helps a lot against the majority of the infection volume. It's crazy how big volumes of infections happen long after antivirus software and OS/software vulnerabilities are patched against it (as was also the case with Conficker).
It's obvious that many posting here don't know the first thing about how Windows works or why it gets infected. The problem isn't in the boot loader. The MBR is just one place that an attacker can find space to store a bootstrap program that will launch his infecting executable from a file on disk, and then, since that area is read and executed each time the PC is started, it writes to so many critical OS files that removing them from the system or disinfecting them becomes impossible without rendering the system inoperable. As the researcher quoted in TFA says, a complete wipe and reinstall is the only way you're going to be certain you have a clean system. And this is one of the many reasons you can't get me to run Windows as my primary OS. Sure, I'll run it in a VM hosted on Linux, but no way would I rely on it for my every day computing needs on the bare metal. Fucking garbage without any kind of cogent security system is what Windows is.
a complete wipe and reinstall is the only way you're going to be certain you have a clean system. And this is one of the many reasons you can't get me to run Windows as my primary OS. Sure, I'll run it in a VM hosted on Linux, but no way would I rely on it for my every day computing needs on the bare metal. Fucking garbage without any kind of cogent security system is what Windows is.
Uh. How's that different from a root kit infection on Linux? AFAIK standard practice is if your machine (whether linux or windows) gets infected by a rootkit, you're supposed to reinstall. If you don't then you're just betting/assuming that the attack wasn't so serious. In most cases it isn't, and that's the same for Windows.
The problem is not restricted to Windows. There's a reason why rootkits are called rootkits after all, and not "NT Authority\SystemKits" :).
It might not have failed you yet, but this isn't a tactic I would try on a machine that does anything important. The whole point of any rootkit is that it can modify any file, and thus unless you happen to have recent known-good md5sums for every single file on all drives attached to the system (and the time to check them all), you simply cannot trust the machine, and you cannot allow users to log on to it.
Your only option is to re-image or reinstall from scratch.
Actually, that isn't entirely accurate; it depends on the AV. Both Avast free and Comodo IS free have by default heuristics and sandboxing of ALL apps, so you'd be surprised how much herp derp that can protect against.
I have some customers that can get more viruses than a Bangkok whore on a Saturday night and switching to Avast Free (used to use Comodo but it is more fiddly than Avast) I have watched infections plummet. By putting everything in a sandbox away from the actual registry and Program Files it really does help keep the nasties away, and Avast Web Shield really does help against the zero days and nasty JavaScripts.
I hate to sound like an ad but if you don't want to deal with nearly as much herp derp PEBKAC PITA crap try Avast Free. I've found by pairing that with Comodo Dragon (which has excellent anti-phishing and sandboxing of its own) it really does help cut down on the nasties caused by a rampant case of the stupids. Of course that doesn't mean one should forgo backups, far from it, but when dealing with dumbasses all the extra protection you can get helps.
ACs don't waste your time replying, your posts are never seen by me.
Yep...once the virus is in the antivirus is useless. The virus will have no problem setting permissions, etc. so your antivirus can't touch it. And...given that most antivirus programs take a week or so to respond to new viruses, it makes them mostly useless.
If somebody's the sort of person who gets viruses an antivirus won't save them.
This is so untrue, I have to believe I'm missing something here. Antivirus software can often remove infections after the fact, and is also very useful in stopping infections from occurring in the first place. Sure, it's not 100% foolproof, but calling it "mostly useless" and saying it "won't save them" is completely untrue.
So your answer is to buy nothing? Kinda funny how the web is covered with "replace Windows with Linux" and "save that old machine by putting Linux on it" articles, but when you point out that doesn't actually work you get told to buy some mythical "open source hardware", when frankly the ONLY hardware I've seen with decent reliable open source drivers is top of the line workstation gear, and frankly it would be cheaper to just buy Apple.
After all if you look up what RMS uses, which he claims is the ONLY truly "pure" FOSS device he has found so far, it is a Loongson netbook with an ARM CPU which you can't even pick up unless you are heading to the Chinese coast anytime soon.
So if the only answer to the upgrade death march is to buy and use ONLY open source driver supplied hardware? Please do the right thing and say that when you see those "replace Windows with Linux" articles and tell them they are full of shit. Because so far using the same bog standard hardware that is on a good 85%+ of the machines out there...AMD and Intel CPUs, Nvidia and ATI GPUs, Realtek, Via and Sigma sound, Realtek and Via NICs, and Broadcom and no name wireless, I have yet to find a box of consumer level hardware that doesn't shit itself and die if you let it update.
Like I said, that answer really doesn't help keep these 4 1.4GHz with 512MB of RAM PCs I'm looking at from going to the dumpster and kinda kills the "save a PC with Linux!" meme quite dead, because if I were to listen to you the amount of parts I would have to rip out and replace would cost more than these machines would be worth. So again, for the lack of a decent driver model in Linux, into the trash they shall go. Shame really, but Torvalds hasn't changed his position since 1993 and I doubt anyone will get anything past him until he retires or someone gets tired of the bullshit and forks the kernel.