Microsoft Says Reinstall Overkill In Removing Rootkit
CWmike writes "Microsoft has clarified the advice it gave users whose Windows PCs are infected with a new, sophisticated rootkit dubbed Popereb that buries itself on the hard drive's boot sector, noting Wednesday that a complete OS reinstall is not necessary. 'If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state,' MMPC engineer Chun Feng wrote in an updated blog entry. Feng provided links to instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7. Once the MBR has been scrubbed, users can run antivirus software to scan the PC for additional malware for removal, Feng added. Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees. Joe Stewart, director of malware research at Dell SecureWorks, said, 'Once you're infected, the best advice is to [reinstall] Windows and start over ... [MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position.' MBR rootkit malware is among the most advanced of all threats."
format.
Uninstalling is all that's needed.
*ducks*
If what I just said sounded like a troll, it was probably just a failed attempt at humor.
Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees.
Redundant much? Could the "editors" possibly make themselves look any more lazy and incompetent if they tried?
MS never said to re-install Windows in the first place; headlines on sites like Slashdot mis-reported it to begin with. From Slashdot's summary:
"'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."
The summary blurted that the recovery disc returns Windows to its factory settings, and left out how it also is the boot environment for restoring from Windows backups, which Feng was clearly talking about ("restore your system to a pre-infected state").
Yesterday it was Poperub. Now it's either Popereb or Popureb.
You think a computer is going to find the thing when nobody can even decide what string matches its name in the 'sploit DB?
So advanced, it's been around for 25 years. Boot sector manipulation is like the flint arrowhead of virus tech.
http://www.f-secure.com/v-descs/brain.shtml
Like someone said, "Nuke 'em from orbit."
In that case, I'd only save whatever key files I had (pics, MP3's) scanning them as they go, then completely FDISK /mbr , delete and recreate the partition(s), and reformat the drive. Reinstall Winder from a slipstreamed CD, and let 'er rip. I've only had to do this a handful of times for others. So far, so good in practicing SAFE HEX, I haven't had a machine I've owned get infected, yet.
Willie...
How does one do a repair install if Windows 7 won't boot?
It seems silly to restrict repair installs to cases where the OS can boot anyway.
If God forks the Universe every time you roll a die, he'd better have a damned good memory.
It is standard security practice after a rootkit infection to NOT trust your system anymore. You never know what kind of shit is installed.
Virus scanners are nice, but work mostly on signatures and will not likely detect viruses which aren't in the signature database. Heuristics are still not good enough.
You cannot guarantee that the system is 100% clean.
Reinstallation is therefore a necessary step in the process.
The infection code can simply intercept all the I/O taking place and prevent the MBR from being cleaned, while also making it look like it has (by intercepting the reads, too). You need to boot from non-writable external media to be sure (non-writable just in case you accidentally boot into the hard drive, which will quickly infect any writable media). And if somehow this thing, or the next big virus/trojan, infects the BIOS by reflashing, even this is no good.
now we need to go OSS in diesel cars
I haven't had a machine I've owned get infected, yet, that I know about.
There, fixed that for you. But seriously, not all viruses make a lot of ruckus. Some of the most sinister are those that remain hidden and just copy files and activity that look salable. Others are botnets that only do their activity at night or stay tightly throttled.
My understanding is a re-install will not do anything if your MBR is infected. You need to re-write the MBR and/or do a low level format.
It's an interesting problem. Can viruses and rootkits actually be removed, or not? If you fix the MBR and have some tool that claims to find and remove the rootkit, is it actually gone, or do you always need to format and reinstall? Is there stuff, even non-virus stuff, just floating around that's mucking up your system that nothing can get rid of? That seems unlikely in this day and age.
Lots of people do a windows reinstall every year, I tend to ask: If windows is getting slow every year, well what are you installing on it that makes it slow? If you just sit a windows computer and never do anything to it for a year it's not suddenly slower (ignoring the possibility of requiring a reboot). Just because I can't clear out a virus/rootkit by deleting some files by hand doesn't mean AV software can't fix/delete/quarantine those files.
Are driver updates or other software updates leaving behind crud that floats about in memory? If so is there a way to clear that out? There's not much you can do about crud left behind by windows updates, since well, you're installing them whether you reinstall or not hopefully. But other drivers using more memory each time you update them would be a very serious problem (and not entirely unheard of).
Leaving behind temporary files on your hard drive doesn't strike me as all that serious, it doesn't actually slow your computer down unless you're doing very specific tasks. Disk fragmentation, that sort of thing are more or less things of the past problems wise unless you go out of your way to cause them.
Part of why windows starts out fast is that it doesn't do much until you get drivers in there. You can disable all the eye candy, but if you want an anti virus, printer drivers, 3d for games etc. you pretty much have to install programs and device drivers. I'm not sure that it gets any slower after you have all that stuff on, unless you get a virus you don't clean out, but enabling all of those features and devices does tend to both slow down some things and speed up/enable others. An no, linux is not fundamentally much different in that regard, if you want features you have to install the drivers and applications for them, and that may or may not improve performance of the system overall.
If windows (or linux) is slow, you can usually hunt down the culprit and fix it, which is both more useful and more productive than a reinstall which may not solve the problem in the long run, alas most people don't read /. and don't know that.
That goes to the root of the matter. Can viruses and rootkits actually be removed, or not?
If you're running Linux, you probably don't have any viruses. It seems to me that uninstalling programs you don't use every couple months would be a lot easier than re-installing the OS... ever.
Despite that, I've been running my install of Win7 for over a year now, practice general maintenance, and it's still running as smooth as ever. Having to re-install an OS every year is either the sign of a poorly designed OS or just plain laziness.
I have to say I've never actually reinstalled Linux on a computer. Once it goes on, it stays for years.
SMI
(Someone, please, write a virus in a System Management Interrupt handler. Then people will start caring about NOT HAVING GIANT SECURITY HOLES IN THEIR SYSTEMS IN THE FIRST PLACE).
Contrary to the popular belief, there indeed is no God.
No, not that I remember. I DO remember the old BIOS viruses that would rewrite the BIOS or otherwise brick the machine. The difficulty of doing so made them not very widespread. EFI, on the contrary, makes it very easy to have a virus/trojan etc. embed itself in the EFI. If EFI becomes widespread then you will not only have to have a Windows anti-virus if you run Windows, but also an EFI anti-virus for all OS's.
At first glance, to me this seems straightforward to fix.
1. Go into the BIOS, confirm the boot order is Optical Drive first (very important!). Perhaps even go to the extent of not including the HDD in the boot order, if possible.
2. Boot from Windows Recovery CD, clean the MBR.
3. Boot from an AV Boot CD (plenty of free ones available) to run an offline scan to, um, root out the infection. The AV CD may also be able to fix the MBR.
4. Profit?
Problems with the above are sourcing a clean Recovery CD and AV CD, and that not all machines have an optical drive to use (e.g. netbook), so you may need to rely on booting from USB, but again that needs the boot order set correctly to boot from USB. Hardware write-protected USB drives are useful here. And "Joe Six-pack" may not have the resources to be able to do the above for himself.
True, though in some cases some do, particularly those with distributions like Ubuntu that tend to encourage their users to do a full install to upgrade from version to version every 6 months or so. (Admittedly, I think the current updater will move you up a version, but I recall a time when they didn't.) Of course in Linux a re-install is extremely painless considering your configurations of just about everything are stored in your home directory, which you shouldn't be formatting, rather than in a complicated registry in which half of your settings will carry over, half will be lost.
If he isn't, he should be.
fdisk /mbr
Or use the mbr utility on the XP install CD.
Or just use something other than Windows.
I really am just stating the obvious!
I killed da wabbit -Elmer Fudd
I think that's only effective when you are calling the BIOS for disk access (int 19 or int 13, I forget specifically). If you have your own device driver that accesses the hardware directly that kind of protection doesn't work.
Keeps them clean and removes a lot of crap (not just viruses, but old unwanted programs).
I use Portable Apps wherever possible. (I think the address is portableapps.com, I am not affiliated.) Basically they're just apps that are compressed into a self extracting file. You extract them and they just run, no installation needed. This means after a reinstall (or new computer) I still have my browsers with bookmarks, text/script editors, and a handful of other things I use a lot. When I get a laptop or something I just copy the files over to that machine and I'm running over there, too.
This post is off-topic, but it may help extend the life of your OS's.
Most people weren't granted an installation disc, and if with such a precious treasure in hand who knows if Microsoft will be so kind as to bless the installation as "genuine".
"'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng.
If your recovery CD is pre-infected, then surely you're screwed anyway?
Does that mean the plastic they make a CD from is infected?
I haven't used Linux on my home machine much at all for a couple years, but when I used it more I used Gentoo. A bit less than 5 years ago I managed to mess up Portage enough that I couldn't get Emerge to do anything (except complain a lot), so I gave up and reinstalled. It can definitely happen, even if you know your way around pretty well.
Most people weren't granted an installation disc, and if with such a precious treasure in hand who knows if Microsoft will be so kind as to bless the installation as "genuine".
That doesn't make sense and is distressing to see on (I guess what used to be) a technical forum. If the OEM doesn't supply recovery discs then they provide a means for you to create them yourself, and yes they are all genuine. If the OEM doesn't do either then you should be concerned about the legitimacy of the OEM. But... One of the things I love about the Internet is that I expect there will be a number of examples posted to prove me wrong. :)
... and also all links in the thread (which were partly broken before, but now they're completely broken).
Double right click gives me a context menu in Firefox 5. Right click and middle click work normally in MSIE 9.
According to numerous blogs that disassemble and reverse engineer the Windows MBR, the first 300 bytes are the bootstrap executable code pushed into memory by Windows (000h through 012Bh). So in theory, can Microsoft just provide a boot image to boot off a USB thumb drive to restore system files (embedded bootstrap files only), overwrite the first 300 bytes of bootstrap code in the MBR and call it a day?
I mean, this is chicken and the egg. You can't download BOOTREC.exe on a computer which seldom comes with an installation DVD these days. And you can't restore system files from the recovery partition (most likely infected). And you can't just copy clean system files from another clean computer over to your computer because of the different Windows digital signature on the bootstrap. So what the hell.
So why can't Microsoft just issue a recovery boot image to begin with instead of just handing out the useless BOOTREC.exe and leaving customers like a chicken with its head cut off?
"Don't let fools fool you. They are the clever ones."
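Two points in the thread, that an active rootkit can lie about what the MBR reads back so the check has to run from read-only external media, and that the suspect region is the bootstrap code at the start of the sector, can be turned into an offline integrity check. The script below is an added example, not Microsoft's tooling or any poster's code: it assumes a 512-byte MBR image already dumped from the disk, uses the classic MBR layout (bootstrap code in bytes 0-439, partition table at 0x1BE, signature at 0x1FE), and the sample images, baseline hash and partition entry are constructed for the demo.

```python
"""Offline MBR integrity check (added illustration, not Microsoft's tooling).

Takes a 512-byte MBR image dumped while booted from read-only external media,
validates the 0x55AA boot signature, decodes the partition table and compares
the bootstrap code region against a known-good SHA-256 baseline.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_END = 440      # bytes 0..439: bootstrap code area (classic MBR layout)
PART_TABLE_OFF = 446     # 0x1BE: start of the four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x1FE: must hold 0x55 0xAA


def parse_partitions(mbr):
    """Decode the four partition table entries; empty entries (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sectors
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr, known_good_sha256):
    """Return a list of findings; an empty list means the image matches the baseline."""
    if len(mbr) != MBR_SIZE:
        return ["unexpected MBR length %d" % len(mbr)]
    findings = []
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    digest = hashlib.sha256(mbr[:BOOTSTRAP_END]).hexdigest()
    if digest != known_good_sha256:
        findings.append("bootstrap code hash mismatch: " + digest)
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("empty partition table")
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sample_mbr(bootstrap):
    """Assemble a constructed 512-byte MBR image for the demo (not a real Windows MBR)."""
    code = bootstrap.ljust(BOOTSTRAP_END, b"\x00")
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"   # constructed disk signature + reserved
    # one bootable NTFS-type (0x07) entry: LBA start 2048, 204800 sectors; CHS zeroed
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    table = entry + b"\x00" * 48                     # remaining three entries empty
    return code + disk_sig + table + b"\x55\xaa"


# Constructed stand-in for clean bootstrap code. A real baseline hash must come from
# the MBR written by trusted install media, never from the suspect disk itself.
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTSTRAP)
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOTSTRAP_END]).hexdigest()


def tampered_sample():
    """Constructed 'infected' image: the first bytes of bootstrap code were replaced."""
    img = bytearray(CLEAN_MBR)
    img[0:3] = b"\xe9\x00\x01"   # a different jump, standing in for a modified loader
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("clean", CLEAN_MBR), ("tampered", tampered_sample())):
        print(label, check_mbr(img, KNOWN_GOOD_SHA256) or "OK")
        for p in parse_partitions(img):
            print("  partition", p)
```

The hash comparison only tells you the bootstrap code differs from the baseline, not what was put there; a mismatch is the cue to rewrite the MBR from the recovery environment and then scan the rest of the disk offline.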
Reinstalling doesn't remove all viruses:
*The MBR can be infected, surviving reinstalls. This is the type of infection Popureb is, in fact.
*Downloaded drivers may remain infected, as may any other executable content that you neglect to re-download. (Sality is a common virus that seeks out and infects every binary it can find.)
Luckily for you, these two types of virus are incredibly common.
Until PortableApps gets hit by Sality, that is.
I'm not going to link resources on Sality, as the new Slashdot wouldn't let you click them anyway. Seriously, how hard is it to keep the website working in at least ONE of the major browsers?
I think what he is talking about is waaaay back in the old days, we are talking 286/386 old days here, some of the business class boards came with what was known as "BIOS Lock" or something similar. What it would do is keep the BIOS read only so that a BIOS bug couldn't write to it.
Now I saw a few where you could turn it on and off from inside the BIOS (not sure how that worked, but if you could turn it off I assume the BIOS bug could too) but most would have a jumper on the board. Jumper set? No BIOS tweaks for you and no writing for the BIOS bug. Of course the downside, and why they most likely fell out of favor (along with how big a PITA it was to write a BIOS bug instead of a DOS/WinBug), was that unless you were in corporate where no cards were ever added, most add-ons back then were fiddly little bastards that required all kinds of IRQ tweaking and other BIOS fiddling, and having to switch a jumper every time something needed fiddling was a PITA.
As for TFA, how long before the user CAN'T restore, simply because the cheap bastard OEMs use "restore partitions" which the bug should be able to get at? from the first time I saw a restore partition I thought "what bean counting dipshit thought this up" as marking a partition as hidden doesn't magically make it bug proof. All I can figure is that like most criminals malware writers are lazy bastards and haven't bothered cooking up a bug that infects the restore partition the way they infect system restore. But I wouldn't be surprised if in the future using the restore partition simply wipes the user's programs while restoring the malware.
ACs don't waste your time replying, your posts are never seen by me.
YMMV but I've never reinstalled Ubuntu since Feisty Fawn (2007.04). My Debian rolling upgrade cycle, which consists of tracking a mix of testing/unstable, would have gone back longer, to the turn of the millennium, if not for the migration to AMD64. Sadly Debian didn't allow a bootstrap upgrade from i386 to AMD64. Only one problem I had all those years, fixing a bad Grub boot-loader config.
If you've got a polite, upstanding and well behaved malware writer they will take care not to do anything other than put their single bit of malware on your machine, not look at your files, not install keyloggers and not install port scanners or spambots. Do you really think such a beast exists? If you find malware that means YOU CAN'T TRUST IT and almost nothing on your machine can be assumed to be unchanged. Forget the MS PR guy that has been rolled out for a bit of mindless cheering after a technical rep gave good advice which was not mindless cheering - if some random criminal out on the internet has been wandering all over your PC you can't trust anything on it. Anything that could be used as an attack vector on another machine can not be trusted and even those directories full of mp3 files had better be scanned for something lurking there before they go anywhere else.
"As for TFA, how long before the user CAN'T restore, simply because the cheap bastard OEMs use "restore partitions" which the bug should be able to get at?"
Saw that, in real life. The wife's first Athlon from Compaq had that restore partition. She got infected, and I tried to fix things for her. It took me a few tries, before I figured out that not only had the virus replicated itself to the system restore points, but had also gotten into that restore partition. The only option was to nuke and reinstall - but she insisted that we allow Compaq to do that.
Looking back, it seems that sort of crap "support" from vendors pushed me into the Linux world just as much as any problems with Microsoft.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
more like if you don't know your way well enough.
Some day I managed to break Portage (screwed up Python and more) and half the system for good too, but fixed it anyway (at worst, you can find working pre-compiled binaries on the net as a recovery starting crutch). It only comes down to your skill and patience. My Gentoo survived through 3 HDDs, several MBs and CPUs since its initial installation on an old x86_64 AMD-based system. Relocation is as easy as archiving and extracting everything in another place. x86 CPUs are pretty compatible - once I copied it onto an Intel-based laptop just for the hell of it and it ran as usual.
Linux systems run and survive as you are able to make them so, unless your particular distribution is made by random-shit-patching hack-loving short-sighted monkeys, but even in that case - it's you who installed it.
who dares wins
No way, $50 can buy a lot of groceries for the careful shopper. I use disks until they die (and no, I don't lose any data).
Maybe because your post reads like the ravings on the label of Dr. Bronner's soap.
http://web.mit.edu/afs/athena.mit.edu/user/d/r/dryfoo/www/Spritz-yule/bronner.html
more like if you don't know your way well enough. ... it only comes down to your skill and patience.
Well sure. My point is that it's possible for someone who is pretty well-acquainted with Linux (I consider myself to have been in that category even then) to arrive at a situation where less patience seems to be required in order to do a full reinstall than to make your current system work. This is especially true as a reinstallation actually can be a fair bit less work on Linux because of some *nix culture like isolated config files (instead of registry droppings).
To switch to Linux Mint.
I hold very few opinions. I hold information based on observation and fact. If you wish to disagree, please use facts.
OS Installations are only slightly more fun than root-canal and TSA backroom exams.
Table-ized A.I.
That is a wipe in my book
http://saveie6.com/
I do all the time. I end up fucking it up quite regularly
i "-1" you long-time!
Maybe this is a naive question, but why not make the PC be OS-reinstallable at the push of a button? A ROM chip would contain the virgin OS, and if there are problems, you hook a backup device and the OS knows what are not OS files to backup, and then re-installs the OS from the ROM, and downloads the updates, and then copies the data from the backup device.
I suppose if the OS is corrupt, it could lie about what's not an OS file. However, if MS didn't scatter data files/documents all over the place it would be much easier to know what's data and what's OS.
Ubuntubuntubuntu anyone?
I managed to keep both ticking over for over seven years, including cleaning up a couple of windows infections. Best way to keep a windows installation going is to dual boot with Linux and use that Linux boot to do the final repairs and clean up as well as quick simple software backups from the windows partition to the safer Linux controlled partitions.
Poor old stale piss (XP even M$ hates it ~ now) seems to have survived the years and been reasonably reliable as long as you keep a Linux boot on system for repairs.
Chaos - everything, everywhere, everywhen
I feel sorry for you. However I try to balance the statistics by updating/upgrading the same system since something like 2003, when I scrapped my previous system that was maintained since 1996.
New drive? That's a bit lame.. reminds me of a story about how infected floppies were shredded at some AV research center.
If you feel the need to physically destroy the drive to clean it of a virus, I'd say try Linux or something.
I've had instances where I've used the OEM (Dell) supplied install disk, on the original hardware, only for the online activation to fail, and had to ring the activation hotline (which is just a different kind of online activation, because it's a voice robot).
Who's to say how long it is before the activation system just refuses to allow me to reinstall XP altogether?
No, it refers to a number of OEM's fucktard tendency to give people a 'recovery CD' that reimages the system as it was when they bought it, instead of proper OS install disks.
What a depressingly stupid machine.
You look around. To your NORTH, you see a LARGE WALL OF CAPITALIZED TEXT. You figure that someone got OVEREXCITED in their Slashdot post, and didn't stop to think that it MAKES THEM LOOK LIKE A SPAZ.
What do you do?
> set fire to text
Luckily the text is made of wood, and burns HOTTER THAN THE GRITS ON NATALIE PORTMAN.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Of course a reinstall is not needed. If people reinstall Windows, they might confuse Windows and Linux install CDs.
Somebody at Microsoft skipped security classes again. A reinstall might not be required, but it is still recommended from a security point of view.