Slashdot Mirror


Microsoft Says Reinstall Overkill In Removing Rootkit

CWmike writes "Microsoft has clarified the advice it gave users whose Windows PCs are infected with a new, sophisticated rootkit dubbed Popureb that buries itself on the hard drive's boot sector, noting Wednesday that a complete OS reinstall is not necessary. 'If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state,' MMPC engineer Chun Feng wrote in an updated blog entry. Feng provided links to instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7. Once the MBR has been scrubbed, users can run antivirus software to scan the PC for additional malware for removal, Feng added. Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees. Joe Stewart, director of malware research at Dell SecureWorks, said, 'Once you're infected, the best advice is to [reinstall] Windows and start over ... [MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position.' MBR rootkit malware is among the most advanced of all threats."

15 of 203 comments

  1. I agree by itchythebear · · Score: 2

    Uninstalling is all that's needed.

    *ducks*

    --
    If what I just said sounded like a troll, it was probably just a failed attempt at humor.
  2. Edit this shit timothy! by Lunix+Nutcase · · Score: 5, Insightful

    Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees.

    Redundant much? Could the "editors" possibly make themselves look any more lazy and incompetent if they tried?

    1. Re:Edit this shit timothy! by Ant+P. · · Score: 2

      Could the "editors" possibly make themselves look any more lazy and incompetent if they tried?

      Challenge Accepted?

    2. Re:Edit this shit timothy! by Rary · · Score: 2

      Maybe what he's trying to say is this:

      1. Several researchers agree with Microsoft.
      2. A noted botnet expert disagrees with Microsoft.
      3. A (different) internationally-known botnet expert disagrees with the noted botnet expert, thereby agreeing with Microsoft.

      Okay, not likely. I should know better than to try to defend Slashdot "editors", who are only marginally more useful than the Slashdot programmers, who I noticed have changed the header and footer of the comment section, and in doing so broke the "post anonymously" button (again), and also all links in the thread (which were partly broken before, but now they're completely broken). Morans.

      --

      "You cannot simultaneously prevent and prepare for war." -- Albert Einstein

  3. a 'gotcha,' when it was misreported to begin with by jcombel · · Score: 5, Informative

    ms never said to re-install windows in the first place, headlines on sites like slashdot mis-reported it to begin with. from slashdot's summary:

    "'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."

    the summary blurted that the recovery disc returns Windows to its factory settings, and left out how it also is the boot environment for restoring from windows backups, which Feng was clearly talking about ("restore your system to a pre-infected state").

  4. Eyeroll by goodmanj · · Score: 5, Informative

    MBR rootkit malware is among the most advanced of all threats.

    So advanced, it's been around for 25 years. Boot sector manipulation is like the flint arrowhead of virus tech.

    http://www.f-secure.com/v-descs/brain.shtml

    1. Re:Eyeroll by Lunix+Nutcase · · Score: 2

      So advanced, it's been around for 25 years.

      Non sequitur. Just because something is old does not preclude it from being advanced or the "most advanced" of whatever category you are talking about.

    2. Re:Eyeroll by goodmanj · · Score: 2

      Your average Clovis point arrowhead is a pretty advanced bit of stoneworking too: see what I did there? But the point is that if something's been around as long as flint arrows or boot sector viruses, we've usually come up with a good defense against it.

  5. Is the MBR really clean? by Skapare · · Score: 3, Informative

    The infection code can simply intercept all the I/O taking place and prevent the MBR from being cleaned, while also making it look like it has (by intercepting the reads, too). You need to boot from non-writable external media to be sure (non-writable just in case you accidentally boot into the hard drive, which will quickly infect any writable media). And if somehow this thing, or the next big virus/trojan, infects the BIOS by reflashing, even this is no good.

    --
    now we need to go OSS in diesel cars
  6. Obligatory response, but I cannot help myself by Anonymous Coward · · Score: 2, Insightful

    I haven't had a machine I've owned get infected, yet, that I know about.

    There, fixed that for you. But seriously, not all viruses make a lot of ruckus. Some of the most sinister are those that remain hidden and just copy files and activity that look salable. Others are botnets that only do their activity at night or stay tightly throttled.

  7. Re:So can an AV actually fix something?.... by Sancho · · Score: 2

    Can viruses and rootkits actually be removed, or not? If you fix the MBR and have some tool that claims to find and remove the rootkit is it actually gone, or do you always need to format and reinstall? Is there stuff, even non virus stuff, just floating around that's mucking up your system that nothing can get rid of? That seems unlikely in this day and age.

    Viruses have the upper hand because they come first. Although heuristic-driven antivirus has been around for a while, it's never been fully effective. So once the virus gets on the system, you can never know for sure that it's gone. The virus could simply be very effective at hiding itself from the virus scanner. It could be causing the virus scanner to report a status of "Updated" when, to the contrary, updates have not been applied in some time. Ultimately, if the virus is running at the highest privilege level, you just can't trust your system tools to be telling the truth.

    That said, a bootable antivirus CD which can update from the Internet eliminates this issue, and could probably definitively tell you that your system is clean of viruses of which it is aware. Even so, if I thought I had a virus, I would reformat and reinstall.
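Skapare's comment (5) and Sancho's reply (7) both come down to the same defender's problem: while the possibly infected OS is running, a boot-sector rootkit can filter what disk reads return, so a "clean" MBR reported from inside that OS proves nothing. The check has to be made from outside, by reading the raw first sector from read-only boot media and comparing it to a baseline recorded when the machine was known-clean. The script below is an added example and is not code from the thread, from Microsoft or from any of the posters; the function names, the 440-byte boot-code region and partition-table offsets follow the classic MBR layout, and the 512-byte sample sectors it checks are constructed inline for the demo rather than read from a real disk.

```python
"""Offline MBR integrity check (added example, not from the Slashdot thread).

Reads a 512-byte master boot record, validates the 0x55AA boot signature,
decodes the four partition-table entries, and compares the SHA-256 of the
440-byte boot-code region against a baseline taken when the machine was
known-clean. Meant to be run from read-only boot media against the raw
device, not from inside the OS whose disk reads a rootkit could filter.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # boot code sits before the 4-byte disk signature
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xAA"     # bytes 510-511 of a valid MBR


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (CHS fields skipped)."""
    status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(mbr: bytes) -> dict:
    """Validate the sector and return its boot-code hash, disk signature and partitions."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        start = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entries.append(parse_partition_entry(mbr[start:start + PART_ENTRY_LEN]))
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": [e for e in entries if e["type"] != 0],  # drop empty slots
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Parse the sector and flag whether its boot code still matches the baseline."""
    info = parse_mbr(mbr)
    info["boot_code_matches_baseline"] = info["boot_code_sha256"] == baseline_sha256
    return info


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device or disk image (run from offline media)."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic 512-byte MBR for the demo; not a real disk image."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0xDEADBEEF)          # constructed disk signature
    # one bootable type-0x07 partition: LBA 2048, 204800 sectors (constructed values)
    struct.pack_into("<B3xB3xII", mbr, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


# Constructed sample data: the same partition table with two different boot-code blobs.
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90CLEANBOOT")
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()  # recorded while known-clean
MODIFIED_MBR = build_sample_mbr(b"\xEB\x3C\x90OTHERCODE")

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("modified", MODIFIED_MBR)):
        result = check_mbr(sector, BASELINE)
        print(label, "matches baseline:", result["boot_code_matches_baseline"],
              "partitions:", result["partitions"])
```

The baseline hash must come from somewhere the running OS cannot rewrite (stored on the same read-only media, for instance); a comparison against a hash kept on the suspect disk is exactly the kind of self-reported status Sancho describes. The partition-table decode is there so that a baseline mismatch can be distinguished from a legitimate repartition, which changes bytes 446-509 but not the boot-code region being hashed.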

  8. Re:When in doubt... by MobileTatsu-NJG · · Score: 2

    The benefit of regular reinstalls ended with Windows ME.

    No, it didn't. Windows 7 is definitely working better for me, but XP required the yearly reinstall just like all the previous Win OS's.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  9. Re:a 'gotcha,' when it was misreported to begin wi by 0123456 · · Score: 2

    "'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng.

    If your recovery CD is pre-infected, then surely you're screwed anyway?

  10. Re:When in doubt... by hairyfeet · · Score: 2, Informative

    I'll answer that...don't load the taskbar with always running crapola, don't use IE, have a decent AV like Avast Free that doesn't suck resources like a Bangkok whore sucking Japanese businessmen, and finally and most importantly use a decent tool to keep the registry cleaned of leftover third party cruft.

    I recommend Tuneup Utilities, as it has some excellent features like Turbo mode for gaming, a process monitor that will keep a program from slamming your CPU to 100% and making the machine unresponsive, and unless you tell it not to its one click maintenance will run silently once every three days to clean the cruft and ensure the health of the machine, such as checking for fragmentation. That said if you balk at paying a whole $30 for a program that takes all the work out of it there is WinUtilities Free or Glary Utilities, but neither of those are full featured or automatic, as automatic cleaning is only for those that buy the pro versions, which if you are gonna pay tuneUp IMHO has the better tools.

    So there you go. Follow the above along with keeping your machine updated with WU and you're good to go, your Windows PC will remain clean and fresh smelling and will NOT need any annual reinstalls.

    That said if a machine is completely pwned like TFA nuking from orbit is the ONLY way to be sure, but I've found if you follow the above (Both Avast Free and Comodo IS Free have JavaScript scan before load and sandboxing, so either choice will work. I prefer Avast as its less fiddly than Comodo and I like not having to fiddle) and have a decent AV like Avast or Comodo only the most herp derp PEBKAC bullshit will cause you to get infected.

    I have had exactly ONE customer get infected after following the above (and I ended up having to tell him to take his business elsewhere as he refused to listen and became belligerent) and that was because he 1.-first tried to disable the AV and then when he couldn't he 2.-uninstalled the AV, all so he could get the "new Limewire" which I had already told him was nothing but a Trojan package. Well he got it alright, more than 70 infections. He actually had the balls to get mad and try to demand a free repair because he said the AV must be defective since it wouldn't let him install Limewire. Finally I said "Look dumbass, you tried to install A VIRUS. The whole POINT of an AV is to keep viruses OFF the PC, not let them on because you like the name of the virus, moron."

    So a little common sense and the above instructions will keep your PC running for the life of the machine. The only work I have to do on those that follow my instructions above is the occasional hardware upgrade and I have several that have been running in the field for over 7 years, same install.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  11. Re:When in doubt... by hairyfeet · · Score: 2

    Well if you completely break a system it is immune to bugs, is that what you are proposing? Because I have YET to see a SINGLE distro that survives the 6 month upgrade death march without at LEAST 1, usually many, drivers that shit themselves and die. That is why everyone else in the free world, Solaris, BSD, OSX, Windows, OS/2 even, have a stable hardware ABI as it takes the bullshit out of drivers.

    Windows 2k/XP driver model? 14 YEARS of working drivers. Vista/7 driver model? 4 years so far and has support until at LEAST 2020 so that is another 14 YEARS of driver support. Linux? Doesn't last 6 months. Even if you go LTS you currently have less than a year and a half before you're fucked.

    Look as a retailer I WANT Linux to succeed, I really do. I don't like paying for licenses, nor do I like the fact I'm staring at 4 1.4Ghz AMD PCs with 512Mb of RAM I'm gonna have to shitcan because XP licenses would cost more than they are worth. But until you Linux users get together and tell Torvalds to fuck right off and quit using the kernel as his personal play toy? Well then nobody is gonna take your little "advice" seriously.

    I'm supposed to tell my customers to learn about EVERY single piece of hardware on their system, learn Man pages and how to recompile drivers, how to tweak "fixes" for said drivers, and finally to have a list of every make/model/rev/firmware of every thing on or attached to their system, so they can go with their hat in their hand to some forum and go "please sir, I can has sound?" only to be told "RTFM Noob or go back to Winblowz LOL!".

    Yeah right, your driver model is shit. YOU know it, I know it, hell everyone knows it but nobody has the balls to stand up to Torvalds and tell HIM that. Well I'm saying it here...Linus you are NOT smarter than every OS manufacturer, okay? Your little "No ABI" shit may make it easier for YOU to fiddle with the kernel but you know what? It ain't 1993 anymore, and you ain't passing the new build on IRC to a couple of tweakers. It is a multimillion dollar OS with a hell of a lot of people that need drivers TO JUST WORK which they don't without an ABI. Don't like ABIs? Hell I don't care if you use an ABI or sell your first born to Satan to get it to work just FIX THE FUCKING THING.

    Excuses are like assholes, everyone has them and they all stink. That is all I've ever gotten from the community when I point out as a retailer why I can't carry your product. Fix the drivers? I'll agree with your advice. Don't? Then you are completely full of shit because the world isn't gonna go through that suffering just for Linux, sorry.

    --
    ACs don't waste your time replying, your posts are never seen by me.