Microsoft Says Reinstall Overkill In Removing Rootkit
CWmike writes "Microsoft has clarified the advice it gave users whose Windows PCs are infected with a new, sophisticated rootkit dubbed Popereb that buries itself on the hard drive's boot sector, noting Wednesday that a complete OS reinstall is not necessary. 'If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state,' MMPC engineer Chun Feng wrote in an updated blog entry. Feng provided links to instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7. Once the MBR has been scrubbed, users can run antivirus software to scan the PC for additional malware for removal, Feng added. Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees. Joe Stewart, director of malware research at Dell SecureWorks, said, 'Once you're infected, the best advice is to [reinstall] Windows and start over ... [MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position.' MBR rootkit malware is among the most advanced of all threats."
format.
Uninstalling is all that's needed.
*ducks*
If what I just said sounded like a troll, it was probably just a failed attempt at humor.
Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees.
Redundant much? Could the "editors" possibly make themselves look any more lazy and incompetent if they tried?
ms never said to re-install windows in the first place, headlines on sites like slashdot mis-reported it to begin with. from slashdot's summary:
"'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."
the summary blurted that the recovery disc returns Windows to its factory settings, and left out how it also is the boot environment for restoring from windows backups, which Feng was clearly talking about ("restore your system to a pre-infected state").
Yesterday it was Poperub. Now it's either Popereb or Popureb.
You think a computer is going to find the thing when nobody can even decide what string matches its name in the 'sploit DB?
I reinstall both my Windows desktop and Linux laptop every year. Keeps them clean and removes a lot of crap (not just viruses, but old unwanted programs).
My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
Joe Stewart, director of malware research at Dell SecureWorks, said, 'Once you're infected, the best advice is to [reinstall] Windows and start over ... [MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position.'
This statement could be true of any type of malware (MBR rootkit or otherwise). Any kind of malware could theoretically download any other malware; is he advising a complete reinstall in every case of malware infection?
Am I mistaken, or did the BIOS once (let's say 10 years ago) offer some form of protection against MBR viruses?
Do modern BIOSes not support that anymore?
Time for EFI... (mmm... my mac has it like 5 years now).
So advanced, it's been around for 25 years. Boot sector manipulation is like the flint arrowhead of virus tech.
http://www.f-secure.com/v-descs/brain.shtml
Like someone said, "Nuke 'em from orbit."
In that case, I'd only save whatever key files I had (pics, MP3's) scanning them as they go, then completely FDISK /mbr , delete and recreate the partition(s), and reformat the drive. Reinstall Winder from a slipstreamed CD, and let 'er rip. I've only had to do this a handful of times for others. So far, so good in practicing SAFE HEX, I haven't had a machine I've owned get infected, yet.
Willie...
How does one do a repair install if Windows 7 won't boot?
It seems silly to restrict repair installs to cases where the OS can boot anyway.
If God forks the Universe every time you roll a die, he'd better have a damned good memory.
It's standard security practice after a rootkit infection to NOT trust your system anymore. You never know what kind of shit is installed.
Virus scanners are nice, but work mostly on signatures and will not likely detect viruses which aren't in the signature database. Heuristics is still not good enough.
You cannot guarantee that the system is 100% clean.
Reinstallation is therefore a necessary step in the process.
The infection code can simply intercept all the I/O taking place and prevent the MBR from being cleaned, while also making it look like it has (by intercepting the reads, too). You need to boot from non-writable external media to be sure (non-writable just in case you accidentally boot into the hard drive, which will quickly infect any writable media). And if somehow this thing, or the next big virus/trojan, infects the BIOS by reflashing, even this is no good.
now we need to go OSS in diesel cars
I haven't had a machine I've owned get infected, yet, that I know about.
There, fixed that for you. But seriously, not all viruses make a lot of ruckus. Some of the most sinister are those that remain hidden and just copy files and activity that look salable. Another are botnets that only do their activity at night or stay tightly throttled.
Will this cause me trouble on my machine where I'm dual booting Debian and Windows Vista? Or would it just blow up grub and make itself really obvious?
My understanding is a re-install will not do anything if your MBR is infected. You need to re-write the MBR and/or do a low level format.
It's an interesting problem. Can viruses and rootkits actually be removed, or not? If you fix the MBR and have some tool that claims to find and remove the rootkit, is it actually gone, or do you always need to format and reinstall? Is there stuff, even non-virus stuff, just floating around that's mucking up your system that nothing can get rid of? That seems unlikely in this day and age.
Lots of people do a windows reinstall every year, I tend to ask: If windows is getting slow every year, well what are you installing on it that makes it slow? If you just sit a windows computer and never do anything to it for a year it's not suddenly slower (ignoring the possibility of requiring a reboot). Just because I can't clear out a virus/rootkit by deleting some files by hand doesn't mean AV software can't fix/delete/quarantine those files.
Are driver updates or other software updates leaving behind crud that floats about in memory? If so is there a way to clear that out? There's not much you can do about crud left behind by windows updates, since well, you're installing them whether you reinstall or not hopefully. But other drivers using more memory each time you update them would be a very serious problem (and not entirely unheard of).
Leaving behind temporary files on your hard drive doesn't strike me as all that serious, it doesn't actually slow your computer down unless you're doing very specific tasks. Disk fragmentation, that sort of thing are more or less things of the past problems wise unless you go out of your way to cause them.
Part of why windows starts out fast is that it doesn't do much until you get drivers in there. You can disable all the eye candy, but if you want an anti virus, printer drivers, 3d for games etc. you pretty much have to install programs and device drivers. I'm not sure that it gets any slower after you have all that stuff on, unless you get a virus you don't clean out, but enabling all of those features and devices does tend to both slow down some things and speed up/enable others. An no, linux is not fundamentally much different in that regard, if you want features you have to install the drivers and applications for them, and that may or may not improve performance of the system overall.
If windows (or linux) is slow, you can usually hunt down the culprit and fix it, which is both more useful and more productive than a reinstall which may not solve the problem in the long run, alas most people don't read /. and don't know that.
That goes to the root of the matter. Can viruses and rootkits actually be removed, or not?
You mean I don't really have to nuke it from orbit to be sure, after all?
SMI
(Someone, please, write a virus in a System Management Interrupt handler. Then people will start caring about NOT HAVING GIANT SECURITY HOLES IN THEIR SYSTEMS IN THE FIRST PLACE).
Contrary to the popular belief, there indeed is no God.
At first glance, to me this seems straightforward to fix.
1. Go into the BIOS, confirm the boot order is Optical Drive first (very important!). Perhaps even go to the extent of not including the HDD in the boot order, if possible.
2. Boot from Windows Recovery CD, clean the MBR.
3. Boot from an AV Boot CD (plenty of free ones available) to run an offline scan to, um, root out the infection. The AV CD may also be able to fix the MBR.
4. Profit?
Problems with the above are sourcing a clean Recovery CD and AV CD, and that not all machines have an optical drive to use (e.g. netbook), so you may need to rely on booting from USB, but again that needs the boot order set correctly to boot from USB. Hardware write-protected USB drives are useful here. And "Joe Six-pack" may not have the resources to be able to do the above for himself.
http://technet.microsoft.com/en-us/library/cc512587.aspx
fdisk /mbr
Or use the mbr utility on the XP install CD.
Or just use something other than Windows.
I really am just stating the obvious!
I killed da wabbit -Elmer Fudd
Most people weren't granted an installation disc, and if with such a precious treasure in hand who knows if Microsoft will be so kind as to bless the installation as "genuine".
"'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng.
If your recovery CD is pre-infected, then surely you're screwed anyway?
If your recovery CD is pre-infected, then surely you're screwed anyway?
Does that mean the plastic they make a CD from is infected?
Most people weren't granted an installation disc, and if with such a precious treasure in hand who knows if Microsoft will be so kind as to bless the installation as "genuine".
That doesn't make sense and is distressing to see on (I guess what used to be) a technical forum. If the OEM doesn't supply recovery discs then they provide a means for you to create them yourself, and yes they are all genuine. If the OEM doesn't do either then you should be concerned about the legitimacy of the OEM. But... One of the things I love about the Internet is that I expect there will be a number of examples posted to prove me wrong. :)
Proof thereof below on WHY those 3 commands (listsvc, disable, fixmbr) WILL work, because this rootkit uses a protective driver:
---
http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx
PERTINENT QUOTE/EXCERPT:
"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way - by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"
---
(Doing a listsvc /? or disable /? shows their parameter switches for their command lines)
* ... & there you are!
APK
P.S.=> Assuming this IS the "indestructible rootkit" that came out 2 days ago in the news that is... &, I am PRETTY SURE it is (big news is why)
... apk
ON WINDOWS VISTA, WINDOWS 7, or WINDOWS SERVER 2k8 - because the bootsector's structure is NOT the same iirc as Windows 2000/XP/Server 2003!
For the 3 most modern Windows versions in bold above, use their tools for writing the bootsector anew in lieu of the older Windows models' fixmbr program!
(HOWEVER - Theoretically, you COULD use Windows 2000/XP/Server 2003 listsvc & disable on VISTA/7/Server 2008 though)
* Because all they do is query the registry and write it, respectively!
(The Registry's structure's been essentially the same since Win2k is why, & iirc, perhaps even before that (but, it's been ages since I ran Windows NT 3.51/4.0 here)).
APK
P.S.=> To quote Sean Connery from "The Untouchables"? Well, "Here endeth the lesson..."
simple
... and also all links in the thread (which were partly broken before, but now they're completely broken).
Double right click gives me a context menu in Firefox 5. Right click and middle click work normally in MSIE 9.
According to numerous blogs on disassembled, reverse-engineered Windows MBRs, the first 300 bytes is the bootstrap executable code pushed into memory by Windows (000h through 012Bh). So in theory, can Microsoft just provide a boot image to boot off a USB thumb drive to restore system files (embedded bootstrap files only), just overwrite the first 300 bytes of bootstrap code in the MBR, and call it a day?
I mean, this is chicken and the egg. You can't download BOOTREC.exe on a computer which seldom comes with installation DVD these days. And you can't restore system files from recovery partition (most likely infected). And you can't just copy clean system files from other clean computer over to your computer because of different Windows digital signature on bootstrap. So what the hell.
So why can't Microsoft just issue a recovery boot image to begin with instead of just handing out useless BOOTREC.exe and leave customers like a chicken with its head cut off?
"Don't let fools fool you. They are the clever ones."
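An added example, not code from the thread, from Microsoft or from any poster, that ties together two points made above: the bootstrap region at the start of the MBR, and the earlier observation that an infected system's hooked disk driver can filter what you read back, so any check must run against sector 0 read while booted from read-only external media (the offline recovery steps described in the thread). The script parses a 512-byte MBR, hashes the 440 bytes before the per-disk Windows disk signature at offset 0x1B8, compares that hash to a clean baseline, and sanity-checks the partition table for a single active entry and no overlapping entries. Every sample sector, the baseline hash, the disk signature `12 34 56 78`, the partition values and the `read_sector0` / `check_mbr` function names are constructed for this example; a real baseline would be taken from a known-good MBR of the same Windows version, which matters because, as the thread notes, the XP-era and Vista/7-era bootsectors differ.

```python
# Added example: offline MBR integrity check (not code from the thread).
# Assumes sector 0 was read while booted from read-only external media,
# so a rootkit's disk-driver hook cannot filter what we see.
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOTSTRAP_END = 0x1B8    # Windows disk signature (machine-specific) starts here
PART_TABLE = 0x1BE       # four 16-byte partition entries
BOOT_SIG = 0x1FE         # 0x55 0xAA marks a valid MBR
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE + 16 * i)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "active": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return entries


def bootstrap_hash(mbr):
    """SHA-256 of the bootstrap area, excluding the per-disk signature and partition table."""
    return hashlib.sha256(mbr[:BOOTSTRAP_END]).hexdigest()


def check_mbr(mbr, baseline_hash):
    """Return a list of findings; an empty list means sector 0 matches the clean baseline."""
    if len(mbr) != MBR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(mbr), MBR_SIZE)]
    findings = []
    if mbr[BOOT_SIG:BOOT_SIG + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    if bootstrap_hash(mbr) != baseline_hash:
        findings.append("bootstrap code differs from clean baseline")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    # Overlapping entries are a classic sign of a table edited to hide sectors.
    spans = sorted((p["lba"], p["lba"] + p["sectors"]) for p in parts)
    for (a_start, a_end), (b_start, _) in zip(spans, spans[1:]):
        if b_start < a_end:
            findings.append("partition overlap at LBA %d" % b_start)
    return findings


def read_sector0(path):
    """Read the first 512 bytes of a raw device or disk image, opened read-only."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_mbr(bootstrap, partitions):
    """Constructed sample sector: bootstrap bytes, fake disk signature, table, boot signature."""
    sector = bytearray(MBR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    sector[BOOTSTRAP_END:BOOTSTRAP_END + 4] = b"\x12\x34\x56\x78"  # constructed disk signature
    for i, (active, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE + 16 * i, 0x80 if active else 0x00, ptype, lba, count)
    sector[BOOT_SIG:BOOT_SIG + 2] = b"\x55\xaa"
    return bytes(sector)


# Constructed stand-in for clean bootstrap code; a real baseline is a known-good MBR of the same Windows version.
CLEAN_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 1000000)])
BASELINE = bootstrap_hash(CLEAN_MBR)

# Constructed tampered sample: altered bootstrap bytes plus a hidden entry that overlaps the first partition.
TAMPERED_MBR = build_mbr(b"\xeb\x7e" + CLEAN_BOOTSTRAP[2:],
                         [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 1000000), (False, 0x27, 100000, 4096)])


def main(argv):
    if len(argv) >= 3:
        # Real use: sector image (or raw device) as first argument, trusted baseline hash as second.
        findings = check_mbr(read_sector0(argv[1]), argv[2])
    else:
        findings = check_mbr(TAMPERED_MBR, BASELINE)
    print("clean" if not findings else "\n".join(findings))


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments to see the constructed tampered sample flagged; with `python mbr_check.py sector0.bin <baseline-sha256>` it checks a real sector dump. The baseline hash must come from a copy of sector 0 taken before infection or from a clean install of the same Windows version, and it must be stored off the suspect machine, since anything on the infected disk is exactly what the rootkit's driver hook is positioned to misreport.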
Can the hero who down-modded it state why on TECHNICAL GROUNDS, "computing-wise", I wonder?
* "Trolltalk.com"'s troll-crew are @ it again...
( It's just countertrolling/tomhudson & crew, no doubt, trying to "get my goat" here on /. again, & failing... as they did here today in this post vs. myself as well, where they made a HUGE blunder on THEIR parts in regards to the mechanics of this rootkit/botnet threat -> http://it.slashdot.org/comments.pl?sid=2285348&cid=36629266 !
APK
P.S.=> IF the "best you have" is an effete down-moderation, INSTEAD of a technical justification in some mistake I made in regards to combating BOTH bootsector-driven &/or driver-driven rootkits is in error, for instance?
(You KNOW it's not, because it works vs. both types, & even this "blended" combined threat (a portent of things to come is what it REALLY is, imo @ least... In fact, Mark my words on that! Bank on it...))
U FAIL - & I don't want to hear any b.s. that "you posted it multiple times here", yes, I did, because this threat's VERY serious!
In fact, it's unlike any I have seen to date, by using BOTH methods (& my posts show it can/could be a LOT worse, via registry driver load area protection too) & I posted HOW TO STOP IT, so other "techie-types" can deal with it effectively...
... apk
THAT PAGE does NOT mention the Windows Registry. AT ALL.
You're (still) an idiot. And I'm (still) right. And of course, we all (still) knew that already.
Oh: and in response to your question why your COPYPASTA SPAM gets downmodded? Because it is COPYPASTA SPAM. Even if it happens to be correct. Which it doesn't. Now fuck off.
...but, if we're going to reinstall anyway, why not drop fifty bucks on a NEW drive? When I do a rebuild for a customer, they get a new drive... or I don't take the job.
To stop a driver (filtering/hooking type like this one is, or even actual HARDWARE DEVICE context polling types)?
"THAT PAGE does NOT mention the Windows Registry. AT ALL." - by Anonymous Coward on Thursday June 30, @09:35PM (#36629882)
LMAO - New NEWS/NewsFlash, noob: You use the DISABLE command in RC (especially vs. drivers that are used in rootkits)...
Fact/Period!
* ... & what I posted? WORKS! I've used it vs. rootkits of the type discussed there NUMEROUS times in the field professionally!
APK
P.S.=> Ah, yes... in closing: my patented "ReVeRsE-PsyChoLoGy" technique's in order vs. "trollspeak gibberish" now I think:
".ydaerla taht wenk )llits( lla ew ,esruoc fo dnA .thgir )llits( m'I dnA .toidi na )llits( er'uoY .ydaerla taht wenk )llits( lla ew ,esruoc fo dnA .thgir )llits( m'I dnA .toidi na )llits( er'uoY" - by another done nothing with his life "ne'er-do-well" off-topic troll
That's right I was RIGHT/CORRECT on this... & you?
Well - You look stupid as-per-your-usual, countertrolling... & don't even TRY to say it's not you, I know it is!
You've been trolling me here for YEARS now, along with tomhudson!
(And, only to be made FOOLS of as tomhudson was NUMEROUS times vs. myself -> http://slashdot.org/comments.pl?sid=2230966&cid=36418796 (& that's only a SMALL Partial/Fractional list of what I COULD actually put out))!
---
("ReVeRsE-PsYcHoLoGy" courtesy of this code by "yours truly" in less than 1 second flat):
---
#TrollTalkComReversePsychologyKiller.py (Ver #2 by APK)
def reverse(s):
    """Return the characters of s in reverse order."""
    trollstring = ""  # defined before the try so the return below never sees an unbound name
    try:
        for apksays in s:
            trollstring = apksays + trollstring
    except TypeError:  # s was not iterable
        print("error/abend in reverse function")
    return trollstring

s = ""
print(reverse(s))
try:
    s = "Insert whatever trollspeak occurs here..."
    s = reverse(s)
    print(s)
except Exception as e:
    print(e)
---
... apk
YMMV but I've never reinstalled Ubuntu since Feisty Fawn (2007.04). My Debian rolling upgrade cycle, which consists of tracking a mix of testing/unstable, would have gone back longer to turn of the millennium if not for the migration to AMD64. Sadly Debian didn't allow a bootstrap upgrade from i386 to AMD64. Only one problem I had all those years, fixing a bad Grub boot-loader config.
If you've got a polite, upstanding and well behaved malware writer they will take care not to do anything other than put their single bit of malware on your machine, not look at your files, not install keyloggers and not install port scanners or spambots. Do you really think such a beast exists? If you find malware that means YOU CAN'T TRUST IT and almost nothing on your machine can be assumed to be unchanged. Forget the MS PR guy that has been rolled out for a bit of mindless cheering after a technical rep gave good advice which was not mindless cheering - if some random criminal out on the internet has been wandering all over your PC you can't trust anything on it. Anything that could be used as an attack vector on another machine can not be trusted and even those directories full of mp3 files had better be scanned for something lurking there before they go anywhere else.
i bet you keep a dried out old condom from five years ago in your wallet just in case.
Ahem - Do YOU have your:
---
1.) PHD in the Psychiatric sciences?
2.) A license to practice psychiatry professionally??
3.) Years-To-Decades of professional experience in psychiatry???
4.) A formal examination of myself done in a professional environs to make your "snap prognosis/diagnosis" there, Mr. "SiDeWaLk-ShRiNk of /."????
---
NO, to ALL of the above?????
* Thought not... go away troll! , as per usual, vs. myself!
(In your spewing your off-topic b.s. here in some puny attempt @ "Writing Critique" expertise on YOUR part (show us a PHD in English too while you're @ it in addition to the enumerated list above))...
ALL that, in addition to your OWN obvious "delusions-of-grandeur"!
(I.E.-> Thinking you're the "SiDeWaLk-ShRiNk of /.", Dr. Quack, while libeling myself in the doing of it, you unqualified DOLT, lol!!!)
APK
P.S.=> NOW, in closing/bottom-line:
Since you brought up "mental conditions" & what-not in your puny ad hominem 'illogic logic' attack on my personage?
Well - Then, I *definitely think* it's time for my patented "ReVeRsE-PsyChoLoGy" technique to help you with your condition!
(Simply by throwing your own off-topic adhominem attack forums "illogic logic" right back in your FACE, lol, albeit backwards as your logic is!):
---
".paos s'rennorB .rD fo lebal eht no sgnivar eht ekil sdaer tsop ruoy esuaceb ebyaM" - by Yet another done nothing with his life "ne'er-do-well" off-topic troll
"???"
* Uhm, lol... Could we get a translation of that off-topic "troll-speak" of yours, please?
(LOL!)
P.S.S.=> Yes, it must have just have been another off-topic done nothing of significance with his life troll spewing his off-topic b.s. again & not contributing to the ongoing conversations. Oh well - No biggie!
("ReVeRsE-PsYcHoLoGy" courtesy of this code by "yours truly" in less than 1 second flat):
---
#TrollTalkComReversePsychologyKiller.py (Ver #2 by APK)
def reverse(s):
    """Return the characters of s in reverse order."""
    trollstring = ""  # defined before the try so the return below never sees an unbound name
    try:
        for apksays in s:
            trollstring = apksays + trollstring
    except TypeError:  # s was not iterable
        print("error/abend in reverse function")
    return trollstring

s = ""
print(reverse(s))
try:
    s = "Insert whatever trollspeak occurs here..."
    s = reverse(s)
    print(s)
except Exception as e:
    print(e)
---
... apk
To switch to Linux Mint.
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
That is a wipe in my book
http://saveie6.com/
i "-1" you long-time!
Table-ized A.I.
Maybe this is a naive question, but why not make the PC be OS-reinstallable at the push of a button? A ROM chip would contain the virgin OS, and if there are problems, you hook a backup device and the OS knows what are not OS files to backup, and then re-installs the OS from the ROM, and downloads the updates, and then copies the data from the backup device.
I suppose if the OS is corrupt, it could lie about what's not an OS file. However, is MS didn't scatter data files/documents all over the place it would be much easier to know what's data and what's OS.
Ubuntubuntubuntu anyone?
Table-ized A.I.
I've had instances where I've used the OEM (Dell) supplied install disk, on the original hardware, only for the online activation to fail, and had to ring the activation hotline (which is just a different kind of online activation, because it's a voice robot).
Who's to say how long it is before the activation system just refuses to allow me to reinstall XP altogether?
No, it refers to a number of OEMs' fucktard tendency to give people a 'recovery CD' that reimages the system as it was when they bought it, instead of proper OS install disks.
What a depressingly stupid machine.
You look around. To your NORTH, you see a LARGE WALL OF CAPITALIZED TEXT. You figure that someone got OVEREXCITED in their Slashdot post, and didn't stop to think that it MAKES THEM LOOK LIKE A SPAZ.
What do you do?
> set fire to text
Luckily the text is made of wood, and burns HOTTER THAN THE GRITS ON NATALIE PORTMAN.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Of course reinstall is not needed. If people reinstall Windows, they might confuse Windows and Linux install CDs.
Somebody at Microsoft skipped security classes again. Reinstall might not be required, but it is still recommended from a security point of view.
There are security-conscious people and circles where you'd get laughed at pretty badly if you were to suggest that "just removing" a rootkit is enough. Once a machine (server or not) has been compromised it's time to unplug it and re-install everything from scratch (while keeping or not an image of the infected system).
The very fact that people are saying "a re-install is not mandatory" and the fact that it's what people actually want to hear is sad. It's pathetically sad.
Once a system is 0wned, it's owned. And short of a re-install you're taking way too many risks.
Now of course admin-kits are so common in the Windows world --and Windows is so insecure-- that for a lot of people it would mean nearly constant re-install... So M$ keeps selling its astroturfing fanbois snake oil: "no need to re-install, you're all safe". Sad. Just sad.
to install ubuntu
".ZAPS A EKIL KOOL MEHT SEKAM ti taht kniht ot pots t'ndid dna ,tsop todhsalS rieht ni DETICXEREVO tog enoemos taht erugif uoY .TXET DEZILATIPAC FO LLAW EGRAL a ees uoy ,HTRON ruoy oT .dnuora kool uoY ?od uoy od tahW txet ot erif tes > .NAMTROP EILATAN NO STIRG EHT NAHT RETTOH snrub dna ,doow fo edam si txet eht ylikcuL" - by TheSpoom - another "ne'er-do-well" off-topic trolling douchebag (715771) on Friday July 01, @10:06AM (#36633154)
"???"
* Uhm, lol... Could we get a translation of that off-topic "troll-speak" of yours, please?
(LOL!)
APK
P.S.=> Yes, it must just have been another off-topic done-nothing-of-significance-with-his-life troll spewing his off-topic b.s. again & not contributing to the ongoing conversations. Oh well - No biggie!
... apk
hello_tt.sys
(Disable that using the disable command from Recovery Console, THEN reboot, & use fixmbr to restore a normal bootsector (because it's no longer being "protected" from overwrite by this driver).)
FROM -> http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Popureb.E
APK
P.S.=> Despite the jackasses (countertrolling & tomhudson) down modding my posts, this was meant to help other techs combat this thing & with good intentions from myself - despite the trolls around here!
... apk
An application of "ReVeRsE-PsYcHoLoGy" 4 off-topic trolls like you:
".gnitlusnoc rof elbaliava m'I ,hcus ti gnikam rof saedi deen yeht fi dnA .lufniap s'ti epoh I dnA .remmaps ,eid dna ffo kcuF .remmaps ,uoy kcuF .teg yllufthgir yam uoy taht gniddom nwod eht lla evresed uoY .remmaps a era uoY .eroferehT .egap siht no ereh sruoh 42 ni semit 01 naht erom detsop evah uoY" - by Anonymous Coward on Friday July 01, @10:28PM (#36639312)
"???"
Uhm... Could we get a translation of that off-topic "troll-speak" of yours, please?
* And, you're an off-topic troll - no questions asked...SEE MY SUBJECT LINE ABOVE!
APK
P.S.=> Yes, it must just have been another off-topic done-nothing-of-significance-with-his-life troll spewing his off-topic b.s. again & not contributing to the ongoing conversations. Oh well - No biggie!
... apk
NO REINSTALL's needed either. Do this 1st http://it.slashdot.org/comments.pl?sid=2285348&cid=36628922 in the order it is noted in, & it will be "gone with the dawn", 100% guaranteed!
(Where You use RC's disable command on the driver name (hello_tt.sys) for it that protects the bogus bootsector!)
Then, IF this rootkit/botnet combination (that uses "blended threat" tech in a driver & bootsector mix) "hauled in" NEW malware (which it can do, mind you)?
* Then, a tool like Process Explorer can be used to "freeze" (send hlt commands to it) the offending malware (either by std. exe, lib/dll, or service), which then allows you to then destroy/delete it on disk.
APK
P.S.=> Believe me: I have a "playbook" vs. malware from over the years professionally that works... above & beyond "std. tools" in antivirus/antispyware tools most folks use (I start with those, & IF they fail? Out comes the "big guns" in Recovery Console + Process Explorer).
Worked EVERY time too, never fails...
( & I did that for 2++ yrs. as a techie (in between coding jobs &/or network administration jobs the past 17++ yrs. here, professionally), & it worked over roughly 1,000++ service calls, never failing... not once).
... apk
Play 2:53 on, says it for me better than I can -> http://www.youtube.com/watch?v=SP74aJBbIoY
Akhilleus (greek spelling of Achilles) , son of Peleus (middle names are usually that of the father) "KNOCKS THE CHOCOLATE OUT OF YET ANOTHER /. OFF-TOPIC 'Agreus' TROLL!", as-per-my-usual...
* You KNOW you've gotten the best of a troll, when they resort to ad hominem attacks, spelling & grammar checks, + going off-topic blatantly...
APK (The "Invincible Winner" vs. /. trolls...)
P.S.=> This? Ah, I just GOTTA say it, as is my usual in my own INIMITABLE 'style' -> This was just "too, Too, TOO EASY - just '2EZ'"
P.S.S.=> I program in nearly a dozen languages (C/C++, Java, Pascal/Delphi, Basic (VB/VBA), Assembly, COBOL, Fortran, SQL (not really a language BY ITSELF), PERL, Python, DOS Batch/*NIX shell scripts), since 1982, & since 1994 professionally!
I merely like & started using Python around 2-3 months ago is all, & I like it! Does the job...
Fact is - Python is EXCELLENT for string manipulation, up there with PERL in that capacity in fact, due to RegExp, & "VB-EZ" to pick up (In fact, I am only NOW just beginning to appreciate its merits there)
E.G. #1 -> As I use Python code to 'AUTOMAGICALLY' populate a protective HOSTS file for me ("The Lord of HOSTS here, so-to-speak) that has 1,466,925++ entries in it vs. known BAD sites/servers/hosts-domains for extra "Layered-Security" (best thing we have going currently in fact)
E.G. #2 -> Plus, of COURSE, lol, See "ReVeRsE-PsyChoLoGy" again for reference -> http://it.slashdot.org/comments.pl?sid=2285348&cid=36641916 LMAO!...
... apk
kill urself pls
http://it.slashdot.org/comments.pl?sid=2285348&cid=36643504
You = SPAMMER.
http://it.slashdot.org/comments.pl?sid=2285348&cid=36643504
Because the off-topic troll is YOU. Quit re-posting links to your spammy garbage, you off-topic troll.
Guaranteed, 110%, to remove this rootkit in its current design, via using a read-only media in the Windows installation CD/DVD, with proven tools for the job, that's all.
* Have you done better troll? No.
In fact, rather? LOL - you FIRST messed up hugely here
http://it.slashdot.org/comments.pl?sid=2285348&cid=36629266
AND, again later, here
http://it.slashdot.org/comments.pl?sid=2285348&cid=36630024
When you tried to be on topic & didn't realize this thing uses a driver as well as the bootsector (which my technique solves), and that the registry houses driver load information (which my technique solves).
APK
P.S.=> Then, after those 2 COLOSSAL "blunders" of yours, You've been off-topic here the entire time as well! Go away now troll - "shoo", lol!
... apk
Good one (it got me seriously LMAO!)
APK
P.S.=> Thank you PNutts - You truly are, hilarious (it's the 2nd time in a month you've had me rolling... your other one was "I have always wondered what the tinfoil hat says")
... apk
This set of steps, executed in THIS order from the Windows installation media & its Recovery Console can kill it, guaranteed:
---
1.) Recovery Console bootup
2.) listsvc command to spot offending bogus MBR protecting driver (hello_tt.sys)
3.) disable command to stop it from loading
4.) Reboot to RC again
5.) Fixmbr command to clear bootsector (no longer protected by said driver since it was disabled from load)
6.) REBOOT NORMALLY (it WILL be gone, guaranteed)
---
* It works vs. the current design of this "blended-threat" rootkit-botnet (until the maker of it starts protecting the registry areas that the hello_tt.sys loads from, that is)...
APK
P.S.=> Just some "FYI" for you... & IF it "hauls in" more malware that operates in "userland" (Ring 3/RPL 3), instead of Ring 0/RPL0/kernel mode (as hello_tt.sys does to protect the bogus bootsector)?
Then, you can use ProcessExplorer.exe to first suspend the bogus processes (even if hidden under other apps because they are implemented in libs/dlls or even services too) to kill it, & it works even when AntiVirus/AntiSpyware signatures based tools fail...
... apk
Fuck you.
4 Non-Destructive removal of the botnet/rootkit -> http://it.slashdot.org/comments.pl?sid=2285348&cid=36649854
(So much for your "ad hominem attack" quoted here):
"Fuck you." - by Anonymous Coward on Monday July 04, @12:52AM (#36650186)
NO thank you!
* So, that "all said & aside" - Sorry to disappoint you (or anyone else here, not a homosexual, & I am assuming you are a guy)... not interested... so, "go find yourself another dish - I am NOT on 'the menu'", ok?
APK
P.S.=> Trolls - you're ALL the same, easily dispatched & blown away, with facts & truths... everytime!
... apk
The registry, & what driver does this rootkit use? hello_tt.sys.
That said?
So - How do you stop drivers (or services) from Recovery Console?? Especially bootup from Windows Install Media on CD/DVD since it is READ ONLY???
Well - ListSvc to see it, & disable command to stop it (since it protects the bogus bootsector this rootkit/botnet combination uses in "blended-threat" tech).
Then, Fixmbr to blowout & clean the bootsector (makes it gone in rootkit portion)...
As to the rest, IF ANY, since it can "haul in" other malwares? ProcessExplorer.exe!
(Especially this since it can kill what "std. tools" in antivirus/antispyware usually cannot, in UNKNOWN THREATS vs. their signatures databases (or even heuristics, which typically are not set "on" or "to the max" in most tools of that nature typically)).
* Between the RC & ProcessExplorer? You can tackle this rootkit/botnet & most anything really, from Ring 0/RPL 0/kernelmode threats (like hello_tt.sys) & Ring 3/RPL 3/Usermode threats too, & "WIN", everytime!
APK
P.S.=> Proofs thereof vs. this ad hominem attack off-topic b.s. from you troll, as is your FAIL usual vs. myself:
"The windows registry DOES have NOTHING to do with this, you fucking retard. And nothing you've posted has proved that it did." - by Anonymous Coward on Monday July 04, @12:56AM (#36650188)
LMAO: See above, & my proofs below... & "eat your words, now flavored with the 'bitter taste of YOUR defeat'" (you defeating yourself thru stupidity).
---
"And quit posting links to posts that YOU posted and claiming that I posted them." - by Anonymous Coward on Monday July 04, @12:56AM (#36650188)
The links I post are not from you, FAR FROM IT (you make TOO MANY ERRORS)... I post links that prove my point, that this rootkit/botnet uses a driver to protect itself (it's bogus bootsector, specifically). See below...
---
"You're too dumb to even get basic computing skills such as copy-and-paste right, and hyperlinks." - by Anonymous Coward on Monday July 04, @12:56AM (#36650188)
Yea, well... I don't "fuckup" majorly as YOU DID FIRST, HERE:
http://it.slashdot.org/comments.pl?sid=2285348&cid=36629266
AND, again later, here
http://it.slashdot.org/comments.pl?sid=2285348&cid=36630024
(That is, when you TRIED @ LEAST FOR ONCE, to be on topic & didn't realize this thing uses a driver as well as the bootsector (which my technique solves), and that the registry houses driver load information (which my technique solves)).
---
"Do us a favor and kill yourself." - by Anonymous Coward on Monday July 04, @12:56AM (#36650188)
No (how's that suit you? I don't take orders from "off-topic trolls" such as yourself, especially massively ERRONEOUS ones like you!)
LMAO, again - See above, & these proofs below:
---
http://blogs.technet.com/b/mmpc/archive/2011/06/22/don-t-write-it-read-it-instead.aspx
PERTINENT QUOTE/EXCERPT:
"now it introduces a driver component to prevent the malicious MBR and other malicious data stored as disk sectors from being changed. The driver component protects the data in an unusual way by hooking the DriverStartIo routine in a hard disk port driver (for example, atapi.sys)"
---
... apk
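The mechanism quoted from the MMPC post above (a driver hooking the disk port driver so that writes to the malicious MBR never land) is also why the removal steps earlier in the thread disable hello_tt.sys before running fixmbr. The following is an added example, not code from the page, from APK or from Microsoft: it parses a 512-byte MBR, fingerprints the boot-code region, and checks a sector write by reading it back, which is the test a practitioner should run after fixmbr rather than trusting that the write succeeded. The in-memory Disk class, the sample boot code and the partition layout are constructed for the example; the hooked-sector behaviour is a simplified stand-in for the real driver.

```python
"""Added example: MBR parsing plus write-then-verify against a sector-protecting hook."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow it
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511

# Constructed stand-in for clean boot code (not a real boot loader).
CLEAN_BOOT_CODE = (b"\xEB\x3C\x90" + b"CLEAN-STUB").ljust(BOOT_CODE_LEN, b"\x00")


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble an MBR from boot code and (type, lba_start, sector_count) tuples."""
    mbr = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    mbr[:len(code)] = code
    for i, (ptype, lba_start, sectors) in enumerate(partitions[:4]):
        status = 0x80 if i == 0 else 0x00       # first entry marked active
        entry = struct.pack("<BBBBBBBBII", status, 0, 0, 0, ptype, 0, 0, 0,
                            lba_start, sectors)  # CHS fields zeroed for brevity
        mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)] = entry
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code fingerprint, partition entries and signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack(
            "<BBBBBBBBII", sector[off:off + 16])
        if ptype != 0:                           # type 0 means an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "valid_signature": sector[510:512] == MBR_SIGNATURE,
    }


class Disk:
    """In-memory stand-in for a raw block device (constructed for this example)."""

    def __init__(self, sectors: int):
        self.data = bytearray(SECTOR * sectors)
        self.hooked_sectors = set()   # sectors the rootkit driver "protects"

    def read(self, lba: int) -> bytes:
        return bytes(self.data[lba * SECTOR:(lba + 1) * SECTOR])

    def write(self, lba: int, buf: bytes) -> None:
        # Simplified model of the hook: writes to protected sectors are
        # dropped, and the caller gets no error to warn it.
        if lba in self.hooked_sectors:
            return
        self.data[lba * SECTOR:(lba + 1) * SECTOR] = buf


def write_and_verify(disk: Disk, lba: int, buf: bytes) -> bool:
    """Write a sector, then read it back; False means the write did not land."""
    disk.write(lba, buf)
    return disk.read(lba) == buf


def demo():
    """Infect sector 0, try fixing it with the hook active, then with it disabled."""
    clean = build_mbr(CLEAN_BOOT_CODE, [(0x07, 2048, 204800)])
    known_good = parse_mbr(clean)["boot_code_sha256"]
    disk = Disk(sectors=4096)
    disk.write(0, clean)

    # Infection: boot code replaced, partition table kept, sector 0 protected.
    evil = build_mbr(b"EVIL-LOADER".ljust(BOOT_CODE_LEN, b"\x90"),
                     [(0x07, 2048, 204800)])
    disk.write(0, evil)
    disk.hooked_sectors.add(0)
    tampered = parse_mbr(disk.read(0))["boot_code_sha256"] != known_good

    fixed_while_hooked = write_and_verify(disk, 0, clean)   # silently dropped
    disk.hooked_sectors.discard(0)                          # driver disabled
    fixed_after_disable = write_and_verify(disk, 0, clean)
    restored = parse_mbr(disk.read(0))["boot_code_sha256"] == known_good
    return tampered, fixed_while_hooked, fixed_after_disable, restored


if __name__ == "__main__":
    print(demo())
```

On a real machine the same read-back check is what tells you whether fixmbr took: compare a fresh dump of sector 0 against the bytes you wrote (or against a known-good boot-code hash) from a boot environment where the driver is not loaded; a silent mismatch is the signature of the hook still being active.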
GROUP POLICY CAN STOP UNSIGNED DRIVER INSTALLS!
In fact, I'd use it in combination with the bcdedit commandlines I noted can help too (& WFP would protect vs it, and then Windows itself also SIGNALS you're in "TEST MODE" as well indicating something's "wrong" if you're not doing that kind of thing (like when doing driver dev work too!))
---
Configure Driver Signing Through Group Policy Editor:
http://www.lockergnome.com/nexus/windows/2006/03/27/configure-driver-signing-through-group-policy-editor-xp-2/
* You can even BLOCK IT from taking place @ this level also...
---
Layered security vs. it is also available via bcdedit commandlines (in more modern Windows variants VISTA onwards), or, boot.ini work in Windows Server 2003/XP/2000:
---
On the subject of bypassing unsigned driver installs http://it.slashdot.org/comments.pl?sid=2306598&cid=36694960 I posted this method, days ago, vs that!
PERTINENT QUOTE/EXCERPT:
---
"Should the rootkit/botnet maker alter what it currently does for this "blended threat tech" rootkit/botnet?
Well - You can stop unsigned driver loads & installs, this way, via a .bat batchfile, or .cmd command script (or even a logon script for those amongst you that are networkers):
ADD THESE 2 LINES TO LOGON SCRIPTS or .bat/.cmd scripts to run @ machine startup:
---
bcdedit /deletevalue loadoptions
bcdedit -set TESTSIGNING OFF
---
* That will stop ANY unsigned driver installation bypass used by malware/botnet/rootkit makers attempting to use drivers in their malwares!" - by APK on Friday July 08, @11:11AM (#36694960)
---
Yes - There's also other ways to implement it as well, such as a scheduled task if one wishes, or a network machine level or domain level admin wishes...
** The nice part is here?
Well - Windows "warns you" when you enter this mode!
(I know this, because when I've built filtering drivers, it says in the lower right-hand corner of your screen, above the clock "TEST MODE" when unsigned drivers are allowed during testing of device drivers!)
APK
P.S.=> Always more than 1 way to "skin a cat", & also take away his "9 lives" & his coming back again, too... so-to-speak, lol!
... apk
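The two bcdedit lines above clear the loadoptions value and turn test signing off. Since anything running as administrator can set them again, the check a practitioner wants is a periodic audit that reads the boot configuration back. The script below is an added example, not the page's or APK's own code: it parses the text that `bcdedit /enum` prints on Vista and later and reports every boot entry whose testsigning, nointegritychecks or loadoptions value weakens kernel-mode driver signing (those settings only matter on 64-bit Windows, where signature enforcement exists). The sample output embedded in it is constructed in bcdedit's layout; on a real system, run `bcdedit /enum` from an elevated prompt and pass its output to audit_bcd().

```python
"""Added example: audit `bcdedit /enum` output for driver-signing bypass settings."""
import re
from typing import Dict, List

# BCD values that let unsigned or test-signed drivers load; a matching value
# maps to a `bcdedit /deletevalue` that restores the enforcing default.
RISKY_SETTINGS = {
    "testsigning": lambda v: v.lower() == "yes",
    "nointegritychecks": lambda v: v.lower() == "yes",
    "loadoptions": lambda v: "disable_integrity_checks" in v.lower(),
}

# Constructed sample in the layout bcdedit prints: a boot manager entry plus
# one weakened and one clean loader entry.
SAMPLE_BCDEDIT_OUTPUT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager
default                 {current}

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.exe
description             Windows 7
osdevice                partition=C:
systemroot              \\Windows
testsigning             Yes
loadoptions             DISABLE_INTEGRITY_CHECKS

Windows Boot Loader
-------------------
identifier              {a1b2c3d4-0000-0000-0000-000000000001}
device                  partition=D:
path                    \\Windows\\system32\\winload.exe
description             Windows 7 (clean)
osdevice                partition=D:
systemroot              \\Windows
"""

KEY_VALUE = re.compile(r"^(\S+)\s{2,}(.+)$")   # name, run of spaces, value


def parse_bcd_entries(text: str) -> List[Dict[str, str]]:
    """Split bcdedit output into one dict of lower-cased settings per boot entry."""
    entries: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or not line.strip("-"):     # blank line or dashed underline
            continue
        m = KEY_VALUE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).strip()
        else:                                   # section title such as "Windows Boot Loader"
            current = {"_section": line.strip()}
            entries.append(current)
    return entries


def audit_bcd(text: str) -> Dict[str, List[str]]:
    """Return {identifier: [remediation commands]} for entries with weakened signing checks."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_bcd_entries(text):
        ident = entry.get("identifier", "<unknown>")
        fixes = []
        for key, is_risky in RISKY_SETTINGS.items():
            value = entry.get(key)
            if value is not None and is_risky(value):
                fixes.append(f"bcdedit /deletevalue {ident} {key}")
        if fixes:
            findings[ident] = fixes
    return findings


if __name__ == "__main__":
    for ident, fixes in audit_bcd(SAMPLE_BCDEDIT_OUTPUT).items():
        print(ident)
        for cmd in fixes:
            print("   ", cmd)
```

Scheduling this as a startup or logon task, as the post suggests for the bcdedit lines themselves, turns a one-off fix into a detective control: a value that keeps reappearing in the report points at something on the box re-enabling test signing, which is the situation the Group Policy restriction is meant to catch.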