Rootkit Infection Requires Windows Reinstall
CWmike writes "Microsoft is telling Windows users that they'll have to reinstall the OS if they get infected with a new rootkit. A new variant of a Trojan Microsoft calls Popureb digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog. 'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."
The only way a machine can be trusted after ANY infection is an OS reinstall.
Or as Ripley said - nuke it from orbit, it's the only way to be sure.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Well sure, if you have a known good checksum for every file on your machine?
We all need a major re-think of how the OS is installed on the computer, how it is architected, etc.
Seems to me that a low-level kernel in FLASH, which can only be upgraded with a hardware key inserted (e.g., the kernel FLASH blocks can only be written when there is a physical device plugged into the system), which then supports a number of different OS images using the virtual machine concept, is the way to go. If the image of any VM gets rooted, you just toss it and revert to the last backup. The flash is immune to tricks, because you must insert a hardware key to upgrade it, so trojans could not overwrite the FLASH-based kernel; the worst that can happen is that one of the OS images gets corrupted, and then you just revert to saved.
Any virus can potentially do anything to your machine, including system restore points. If the machine is owned, it is owned and everything on it should be considered as suspect.
Back in the day there were a couple of BIOS viruses, which were even worse.
Do all Windows PCs ship with a CD? What about retrieving the user's data?
You work for Symantec?... Use ntfsclone or partimage from a live CD instead.
For justice, we must go to Don Corleone
Hmm, the MS Blog doesn't say you need to do an OS reinstall; only replace the MBR with a clean one; then do a system restore to a point in time PRIOR to the infection - entirely different to a reinstall
Wouldn't a Linux or BSD or Haiku or Hack OS X install fix this too? This headline reads a bit like "Flooding requires rebuilding the exact same structure in the annual floodplain".
http://alternatives.rzero.com/
The Microsoft engineer is quoted as saying, "restore your system to a pre-infected state". The article then says, "a recovery disc returns Windows to its factory settings". This is entirely false. The engineer is not saying to do a factory restore. For the layman using 7: use F8 or a 7 disc and choose "repair your computer", run the command prompt, run fixmbr, run system recovery and go back a day.
Requires a system *restore*, not *recovery*, and fixmbr. SHOCKING. I do this multiple times a week in my role as a computer fix-it guy. Grandma can't afford to spend the cash to have her system reloaded just because some virus got in there. I've cleaned out some pretty nasty rootkits and virii that only took me a few minutes with a Linux boot CD and then fixmbr. It doesn't take long if you've done it a million times.
Nobodies Prefect
Tidbits for Techs Technology Blog
To continue your flood analogy, you have three options:
1. Build out of something floodproof, like concrete. The *entire* house. When a flood happens, no big deal... but making changes to the house would be a big problem. This is the ChromeOS or DeepFreeze approach: Read-only filesystem and checksums.
2. Build dams, canals and build a few feet into the air. This works for small floods, but if you get something new, it might still wipe you out. This is the Linux approach: Try to secure things, deal with the few issues as they come up.
3. Build cheaply, and rebuild after each flood. This is the Windows re-image approach: Just assume it's going to get hit, and have a plan to rebuild afterwards.
Just my 2c.
You must live in a VERY small basement.
If the rootkit works like most older boot sector virus programs, it already functions much like Grub does in the sense that it replaces the code that allows the other code to be found and run. But the code presented to the operating system would have a sector 0 in a different location than the real boot sector.
So while you would effectively have moved the first sector as far as Windows is concerned, the virus infection would be able to still tank Windows because it would still initially attack sector 0. And if it's the old school infection where it uses int 13h calls (the BIOS) instead of Windows and/or even the old protected mode access to access the HD, it will effectively move the Grub install to a new sector and make it think it is in sector 0 on subsequent boots. It will do this the same way Grub or LILO would make Windows think it was loading from the boot sector when it wasn't.
The problem with a boot sector virus is that if the disk is allowed to load any code at all, which is the default in the boot process, the manipulation is already in memory and running. You would essentially need to boot from a start-up floppy or CD or something without the hard disk loading at boot.
Some modern BIOS configurations allow you to lock the boot sector of the hard drive down, much like they started allowing you to lock flashing the BIOS down. This is about the only way to preempt this, as it would give off a warning about something attempting to write to the boot sector of the hard drive. However, experience tells me that when something is trying to write to the boot sector and it fails to do it, you often need to rebuild the boot sector anyway.
Now that is with the initial infection. The attacks it uses to maintain its infection would work regardless of the operating system because once infected, it's acting as a translation between the operating system and the hard drive. This is why a restore CD is the recommendation for fixing the issues. The CD loads instead of the drive code loading. This way, you are not fixing an infected machine with infected code.
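The three points made in this thread (that you need a known-good checksum to check anything, that fixmbr rewrites the boot code while keeping the partition table, and that a bootkit hooking int 13h can make sector 0 look clean to the running OS) can be shown together in a small model. This is an added example, not code from the thread or from Microsoft; the disk image, the "clean" and "infected" bootstrap bytes, the stash sector and the hook are all constructed here, and the `Disk` class is a stand-in for the BIOS read path, not a real disk driver.

```python
"""MBR parse/check/repair plus a toy model of an int-13h-style read hook.
Constructed for illustration: no real disk, no real malware bytes."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446        # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
MBR_SIG = b"\x55\xAA"     # bytes 510..511
ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA, count


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into bootstrap code, partition entries, signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack(ENTRY_FMT, entry)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return {"bootcode": sector[:BOOTCODE_LEN], "partitions": parts,
            "signature_ok": sector[510:512] == MBR_SIG}


def bootcode_hash(sector: bytes) -> str:
    """The 'known good checksum' the thread asks for: hash of the bootstrap code only."""
    return hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest()


def make_mbr(bootcode: bytes, partitions) -> bytes:
    """Build an MBR from bootstrap code and (status, type, lba_start, count) tuples."""
    body = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, s, t, l, n) for s, t, l, n in partitions)
    return body + table.ljust(64, b"\x00") + MBR_SIG


def _entries(sector: bytes):
    return [struct.unpack(ENTRY_FMT, sector[446 + 16 * i: 446 + 16 * (i + 1)])
            for i in range(4)]


class Disk:
    """Toy disk: a list of sectors plus an optional read hook that models a
    hooked int 13h handler lying about LBA 0 (constructed, not a real driver)."""
    def __init__(self, sectors):
        self.sectors = sectors
        self.read_hook = None

    def read(self, lba):          # path the running, possibly infected, OS uses
        return self.read_hook(self, lba) if self.read_hook else self.raw_read(lba)

    def raw_read(self, lba):      # path a live CD reading the raw device uses
        return self.sectors[lba]

    def raw_write(self, lba, data):
        self.sectors[lba] = data


def infect(disk: Disk, stash_lba: int, evil_bootcode: bytes) -> None:
    """Model the bootkit described above: stash the real MBR elsewhere, overwrite
    sector 0 with loader code that keeps the partition table, and hook reads of
    LBA 0 so the OS sees the stashed clean copy."""
    clean = disk.raw_read(0)
    disk.raw_write(stash_lba, clean)
    disk.raw_write(0, make_mbr(evil_bootcode, _entries(clean)))
    disk.read_hook = lambda d, lba: d.raw_read(stash_lba if lba == 0 else lba)


def fixmbr(disk: Disk, clean_bootcode: bytes) -> None:
    """What fixmbr does: rewrite the boot code, keep partition table and signature."""
    disk.raw_write(0, make_mbr(clean_bootcode, _entries(disk.raw_read(0))))


def demo() -> dict:
    clean_code = b"\xEB\x3C\x90clean-bootstrap"        # constructed stand-in bytes
    evil_code = b"\xEB\x3C\x90bootkit-loader"          # constructed stand-in bytes
    parts = [(0x80, 0x07, 2048, 204800), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)]
    disk = Disk([make_mbr(clean_code, parts)] + [b"\x00" * SECTOR] * 63)
    good = bootcode_hash(disk.raw_read(0))             # baseline taken while clean
    infect(disk, stash_lba=62, evil_bootcode=evil_code)
    from_os = bootcode_hash(disk.read(0)) == good      # hooked path: looks clean
    from_cd = bootcode_hash(disk.raw_read(0)) == good  # raw path: tampering visible
    fixmbr(disk, clean_code)
    disk.read_hook = None                              # rebooting from clean media drops the hook
    return {"looks_clean_from_infected_os": from_os,
            "clean_from_live_cd": from_cd,
            "repaired": bootcode_hash(disk.raw_read(0)) == good,
            "partition_table_kept":
                parse_mbr(disk.raw_read(0))["partitions"][0]["lba_start"] == 2048}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one in the comment above: a checksum taken through the infected OS's read path reports the MBR as clean, the same checksum taken from a live CD reports it as tampered, and a fixmbr-style repair restores the boot code without touching the partition table. A real check would hash the first 446 bytes read from `\\.\PhysicalDrive0` (or `/dev/sda` from the live CD) against a baseline recorded while the machine was known clean.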
The only purpose it serves is to save the geek the trouble of trying to understand why Linux as a client OS is on life support. StatCounter Global Stats
Hey, don't count Linux out just yet. It's making progress in some parts of the world.
Like Norfolk Island. Next year: Some other isolated bit of humanity. You might think it a hopeless endeavour, but when the world goes to hell in a handbasket, who's going to be left holding the keys to mankind's future: Isolated tiny islands in the middle of nowhere.
Face it, you just don't understand the Linux world-domination strategy.
Faster! Faster! Faster would be better!