
Rootkit Infection Requires Windows Reinstall

timothy posted more than 3 years ago | from the spring-cleaning-comes-late dept.

Windows 510

CWmike writes "Microsoft is telling Windows users that they'll have to reinstall the OS if they get infected with a new rootkit. A new variant of a Trojan Microsoft calls Popureb digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog. 'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."


Boot Disc (1)

toastar (573882) | more than 3 years ago | (#36592646)

um.... Why not just use a boot disc to clear the MBR/infected files?

Re:Boot Disc (4, Insightful)

smash (1351) | more than 3 years ago | (#36592696)

Well sure, if you have a known good checksum for every file on your machine?

Re:Boot Disc (1)

capnkr (1153623) | more than 3 years ago | (#36592782)

In all seriousness, and without much in the way of research just yet: why not preemptively install GRUB, or some other boot loader, even if the machine is only a single boot Win system? Does this thing attack/overwrite _anything_ attempting to write to the MBR, or only Windows? There is no mention of this in the linked FA's, only in their comments...

Re:Boot Disc (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36592834)

Good policy, if a bit upkeep-heavy for your average desktop system. AIDE, Tripwire, Samhain, OSSEC, and quite possibly others will do it for you (at the cost of some administration and system resources) if you have a sufficiently static configuration that it won't drive you to madness...
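The "known good checksum for every file" idea from the two comments above, as an added example that is not part of the thread and is not code from AIDE, Tripwire, Samhain or OSSEC: a minimal Python baseline-and-verify tool. build_baseline() records the SHA-256, size and permission bits of every regular file under a root; verify() reports what changed, appeared or disappeared. The function names, the demo() directory layout and its file contents are all this example's own constructions. Timestamps are deliberately not part of the baseline, since malware can reset them, and the demo includes a replacement binary of identical size to show why a hash rather than a size comparison is needed. Note that a live rootkit can hook file reads and hand the checker the original bytes, so the verify pass is only trustworthy when the disk is mounted from clean boot media and the baseline is stored off the machine.

```python
"""Added example: tiny file-integrity baseline in the spirit of AIDE/Tripwire.
Not code from any of those projects; names and sample layout are invented here."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# (sha256 hex digest, size in bytes, permission bits)
Entry = Tuple[str, int, int]


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Entry]:
    """Record hash, size and mode of every regular file below root.
    Paths are stored relative to root with '/' separators so a baseline taken on
    one mount point (e.g. the disk mounted from a live CD) can be compared later."""
    baseline: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (sha256_file(path), st.st_size, stat.S_IMODE(st.st_mode))
    return baseline


def verify(root: str, baseline: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for rel, entry in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel] != entry:
            report["modified"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake system tree, then simulate an
    infection that swaps a binary for one of identical size, deletes a config
    file and drops a new executable. Returns the verify() report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> None:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        write("bin/ls", b"original ls binary")        # 18 bytes
        write("etc/hosts", b"127.0.0.1 localhost\n")
        write("lib/libc.so", b"libc contents")
        baseline = build_baseline(root)

        write("bin/ls", b"trojaned ls binary")        # also 18 bytes, same mode
        os.remove(os.path.join(root, "etc/hosts"))
        write("tmp/dropper.exe", b"MZ\x90\x00")
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In the demo the replaced ls has the same size and permissions as the original, so only the hash exposes it; the report comes back with bin/ls modified, etc/hosts removed and tmp/dropper.exe added. On a real box the baseline would be written right after install and kept off the machine (or signed), and the verify pass would be run against the disk mounted read-only from a boot CD.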

Re:Boot Disc (0)

Anonymous Coward | more than 3 years ago | (#36592842)

debsums - check...

oh wait, that only works on a real OS ;)

Re:Boot Disc (-1)

Anonymous Coward | more than 3 years ago | (#36592778)

I thought windows doesn't get viruses.

Re:Boot Disc (0, Offtopic)

Anonymous Coward | more than 3 years ago | (#36592818)

I thought Santa Claus exists.

Re:Boot Disc (5, Funny)

tverbeek (457094) | more than 3 years ago | (#36592836)

Wouldn't a Linux or BSD or Haiku or Hack OS X install fix this too? This headline reads a bit like "Flooding requires rebuilding the exact same structure in the annual floodplain",

Re:Boot Disc (2, Insightful)

ghmh (73679) | more than 3 years ago | (#36592942)

Sigh. It would 'fix' the potential for getting infected by that particular rootkit on that particular O/S. All those other things are built on floodplains too, it's just that some flood more often than others. Extrapolating future floods based on the past is only going to work until it doesn't.

Re:Boot Disc (5, Insightful)

RobbieThe1st (1977364) | more than 3 years ago | (#36593086)

To continue your flood analogy, you have three options:
1. Build out of something floodproof, like concrete. The *entire* house. When a flood happens, no big deal... but making changes to the house would be a big problem. This is the ChromeOS or DeepFreeze approach: Read-only filesystem and checksums.

2. Build dams, canals and build a few feet into the air. This works for small floods, but if you get something new, it might still wipe you out. This is the Linux approach: Try to secure things, deal with the few issues as they come up.

3. Build cheaply, and rebuild after each flood. This is the Windows re-image approach: Just assume it's going to get hit, and have a plan to rebuild afterwards.

Just my 2c.

Re:Boot Disc (1)

w0mprat (1317953) | more than 3 years ago | (#36593048)

I don't see how this infection is not possible to clean. All that would be necessary is to boot another OS and overwrite MBR and clean any infected binaries. Perhaps overwrite Windows binaries with the genunine article from an install CD (downloadable version if updated since disc went RTM) if it's not cleanable.

I'd do this from a Linux live USB and have a Windows install on another partition as source. Linux generally ignores NTFS security, so it should be able to overwrite all necessary files on the Windows install.

Microsoft could release a bootable ISO or live USB image that could easily clean the rootkit.

So (3, Insightful)

Anonymous Coward | more than 3 years ago | (#36592650)

You always do an OSRI if you get infected by any rootkit.

So system restore points don't work? (0, Interesting)

Anonymous Coward | more than 3 years ago | (#36592652)

I had a nasty infection a while ago that corrupted my system restore points. I haven't had a problem like that since I upgraded to Vista or Windows 7.

Does this virus kill system restore too?

And before anyone makes any snarky comments about switching to Linux look at all the nasty software infecting Android phones right now.

Re:So system restore points don't work? (4, Insightful)

smash (1351) | more than 3 years ago | (#36592708)

Any virus can potentially do anything to your machine, including system restore points. If the machine is owned, it is owned and everything on it should be considered as suspect.

Back in the day there were a couple of BIOS viruses, which were even worse.

Re:So system restore points don't work? (3, Insightful)

smash (1351) | more than 3 years ago | (#36592720)

And that's regardless of OS. Any root-kitted linux box should be treated with exactly the same level of quarantine.

Re:So system restore points don't work? (0)

Ethanol-fueled (1125189) | more than 3 years ago | (#36592750)

And before anyone makes any snarky comments about switching to Linux look at all the nasty software infecting Android phones right now.

Ha heh heh, a lot of you guys were always telling us we'd be eating our hats when desktop Linux became popular enough to be a feasible infection vector - then the mobile thing totally drew the fire and became the next big, juicy target - and once again, dumbphone users running desktop Linux are still safe. Shit, was I just trolled again?

It all boils down to patience - if you can't wait to get home to a Linux desktop or laptop for your internet bombardment, you don't deserve to be safe. In before "but there are like 3 viruses for desktop Linux!!!1!!!!"

Re:So system restore points don't work? (1)

RobbieThe1st (1977364) | more than 3 years ago | (#36593106)

Of course, you could always get a (mostly)Desktop Linux-based phone, like the N900. Near as I can see, it has just about 0 viruses, due to being A, Linux and B, ARM(which isn't that popular compared to x86).

Reinstall, but not Windows (2, Insightful)

gstrickler (920733) | more than 3 years ago | (#36592656)

Right advice, wrong OS.

Re:Reinstall, but not Windows (-1, Offtopic)

cheeks5965 (1682996) | more than 3 years ago | (#36592950)

OSX FTW!

Re:Reinstall, but not Windows (0)

Anonymous Coward | more than 3 years ago | (#36593102)

He wants an OS he can actually do things on, so Linux is out of the question.

Always wise anyway (0)

Gothmolly (148874) | more than 3 years ago | (#36592662)

IF you even find you have a rootkit, the only real solution is to throw out the whole machine. Nuking from orbit is the only way to be sure - otherwise you'll find the virus flashed into your NIC boot ROM, or your VGA or motherboard BIOS.

Re:Always wise anyway (1)

Anonymous Coward | more than 3 years ago | (#36592742)

otherwise you'll find the virus flashed into your NIC boot ROM

you don't seem to know the meaning of 'ROM'.

Re:Always wise anyway (2, Informative)

Anonymous Coward | more than 3 years ago | (#36592774)

Don't act the fool my boy..... it is called a "boot rom" for historical reasons, but these days they are all FLASH based, ain't no real mask-programmed ROMs any more, and on most motherboards they can easily be written if you simply toggle the correct bits in the hardware control registers.

Wise grammar Nazi (1)

Datamonstar (845886) | more than 3 years ago | (#36593192)

And you don't seem to know that punctuation goes inside quotations. Sentence capitalization notwithstanding.

Re:Always wise anyway (0)

Anonymous Coward | more than 3 years ago | (#36592748)

don't forget your cpu microcode the micro controllers in your usb devices......... lol

Re:Always wise anyway (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36592894)

At least that requires much more platform-specific knowledge (more comforting on some platforms than others, admittedly...)

Some standardized mechanism for offline inspection of a machine's entire nonvolatile storage space by an outside probe, without requiring the cooperation of any of the firmware or programmable embedded hardware would be nice, if probably Not Going To Happen.

duh (4, Insightful)

smash (1351) | more than 3 years ago | (#36592672)

The only way a machine can be trusted after ANY infection is an OS reinstall.

Or as Ripley said - nuke it from orbit, it's the only way to be sure.

Re:duh (3, Informative)

Anonymous Coward | more than 3 years ago | (#36592888)

Even that isn't 100% true with rootkits that can attach themselves to your PCI devices...

Re:duh (1)

smash (1351) | more than 3 years ago | (#36593128)

True. But thankfully these are few and far between these days.

Re:duh (1)

dotgain (630123) | more than 3 years ago | (#36593146)

I somehow doubt a nuclear blast is in the PCI spec.

Yawn, says OSX. (0, Troll)

Brannon (221550) | more than 3 years ago | (#36592996)

People still use Windows?

Re:Yawn, says OSX. (5, Funny)

dexomn (147950) | more than 3 years ago | (#36593090)

You must live in a VERY small basement.

Re:Yawn, says OSX. (1)

networkzombie (921324) | more than 3 years ago | (#36593096)

No, no one uses Windows. That's why you were modded up! Everyone hates any corporation that makes money without creating a bullet proof product. Here, I'll put it in a car analogy for you: Ford!

News at 11 (0)

kirbysuperstar (1198939) | more than 3 years ago | (#36592692)

I hear the ocean's kinda deep in places.

Norton Ghost (-1)

Anonymous Coward | more than 3 years ago | (#36592698)

You should use Norton's Ghost to image your drive on a regular basis, and if you are regular you will have an image to restore - pristine virginal goodness!

Re:Norton Ghost (4, Informative)

countertrolling (1585477) | more than 3 years ago | (#36592758)

You work for Symantec?... use ntfsclone or partimage from a live CD instead

Re:Norton Ghost (1)

toadlife (301863) | more than 3 years ago | (#36593162)

+1

Ghost is great for Windows only.

Add an ext4 partition and/or GRUB and it all goes to hell.

Re:Norton Ghost (3, Informative)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36593174)

In what is probably not the world's best news for Symantec, even Microsoft has gotten around to developing a Windows imaging tool that(mostly) works. The "Windows Automated Installation Kit" is something of a baroque monstrosity; but it exists and is offered at no additional cost to Windows customers.

It took 20 years and alarming complexity increases; but it's almost like being able to tar your OS install and then untar it onto a newly created filesystem!

Re:Norton Ghost (0)

Anonymous Coward | more than 3 years ago | (#36592882)

i had to read that last part twice. my eyesight gets bad the older i get

time to re-think OS architecture (4, Interesting)

Anonymous Coward | more than 3 years ago | (#36592700)

We all need a major re-think of how OS is installed on the computer, how it is architected, etc.

Seems to me that a low-level kernel in FLASH, which can only be upgraded with a hardware key inserted (e.g., the kernel FLASH blocks can only be written when there is a physical device plugged into the system), which then supports a number of different OS images using virtual machine concept, is the way to go. If the image of any VM gets rooted, you just toss it and revert to last backup. The flash is immune to tricks, because you must insert a hardware key to upgrade it, so trojans could not over-write the FLASH-based kernel; the worst that can happen is that one of the OS images gets corrupted, then you just revert to saved.

Re:time to re-think OS architecture (2)

smash (1351) | more than 3 years ago | (#36592810)

It's called a boot ROM. For all intents and purposes, with a boot ROM physical OS installs are no different from VM installs in your above scenario.

Re:time to re-think OS architecture (0)

Anonymous Coward | more than 3 years ago | (#36592838)

+1 for insightful right there. having any kind of physical lock defeats software any day of the week.

Re:time to re-think OS architecture (1)

The Master Control P (655590) | more than 3 years ago | (#36592900)

Except you and I both know that the idiots who get infected by the new virus every single time, who do the same things we tell them not to every time, will happily open any physical lock because the popup box says to.

Not until they are made to face major financial penalties for repeated stupidity will they stop being stupid. That means NOT repairing their box that they broke by being Fucking Retarded(tm) for the 1000th time.

Re:time to re-think OS architecture (1)

exomondo (1725132) | more than 3 years ago | (#36593084)

Except you and I both know that the idiots who get infected by the new virus every single time, who do the same things we tell them not to every time, will happily open any physical lock because the popup box says to.

Exactly! The only reason people's systems are getting infected by this is because they gave the software privileges even after being warned it was a security risk. It doesn't matter what you do, if you give them the option to bypass security then they voluntarily will.

Re:time to re-think OS architecture (1)

GigaplexNZ (1233886) | more than 3 years ago | (#36592848)

Sure. Let's just employ an army of minions to carry these dongles around to every workstation on the corporate domain so certain Windows Updates can be applied.

Re:time to re-think OS architecture (1)

Skarecrow77 (1714214) | more than 3 years ago | (#36592920)

good idea, but there will always be a backdoor, even to the hardware key, because coders ALWAYS write themselves a back door, and then one day the hackers find it.

Witness the PS3. reverse engineer the service mode dongle, use that to find the backdoor (master key).

Re:time to re-think OS architecture (1)

CharlyFoxtrot (1607527) | more than 3 years ago | (#36593038)

That's the smart phone model. Fully sandboxed, system can only be written after a cryptographic key is obtained from a trusted source (the vendor) and all files synced to another device or the cloud. Get pwned and flash the device with a system image and sync files/settings to get back the exact system state.

Re:time to re-think OS architecture (1)

WaffleMonster (969671) | more than 3 years ago | (#36593062)

Seems to me that a low-level kernel in FLASH, which can only be upgraded with a hardware key inserted (e.g., the kernel FLASH blocks can only be written when there is a physical device plugged into the system), which then supports a number of different OS images using virtual machine concept, is the way to go.

I don't like it because it makes patching more difficult and does nothing to protect the end users data due to ownage of the guest.

I believe a better policy would just be to not allow untrusted execution of code on lower protection rings even for administrators/root.

Windows CE had a scheme like you describe. When you messed up your PDA you could instantly restore to factory default.

And of course we can't forget AIX which existed on RS6000 with its hardware key at a time when the rest of us were "smart little rodents hiding in the rocks".

Re:time to re-think OS architecture (1)

smash (1351) | more than 3 years ago | (#36593160)

You mean like a trusted platform module?

Wait... wasn't that a bad idea? Or at least that's what the nerds were crying about back in 2005.

Recovery CD? (4, Insightful)

grolschie (610666) | more than 3 years ago | (#36592724)

Do all Windows PCs ship with a CD? What about retrieving the user's data?

Re:Recovery CD? (2)

smash (1351) | more than 3 years ago | (#36592738)

The data is easily restored from your backup media. Oh what you weren't backing your shit up? Bad luck.

Re:Recovery CD? (1)

grolschie (610666) | more than 3 years ago | (#36592780)

I suspect that many Joe Sixpacks don't know about backups, or if they have, haven't set some backup system/process/plan up. I guess it's good that Windows 7 Action Center warns about backups.

Re:Recovery CD? (1)

smash (1351) | more than 3 years ago | (#36592820)

Agreed. However if you're not backing your data up, it's obviously not important enough for you to consider loss due to theft, hardware failure, etc either.

Re:Recovery CD? (0)

Anonymous Coward | more than 3 years ago | (#36592886)

Does Joe Sixpack have any important data to back up?

Jane Sixpack maybe has a John list that she has to back up, but Joe knows where to get his next beer or hit: Bitch! Gimme 'nuther!

Re:Recovery CD? (1)

v1 (525388) | more than 3 years ago | (#36592766)

User DATA, provided it's not the "intelligent" sort like MS Word documents that can have macros in them, should be safe. Nothing executable should be trusted.

You COULD try to checksum all system files, but it's so easy to miss something that seems innocuous that is infected and will just use a zeroday to jimmy its way back into restored binaries when you reboot. You really have to nuke and pave it if it's bad enough, the odds of missing something are just too high.

And with joys like windows registry, that damn thing can't even be considered data - with all the "features" in that you have to handle it as though it's an executable, which indicates the "replace" rule. And by design, it's not really practical to replace the registry, and that forces you to try to disinfect your registry instead of replace it, see above.

Re:Recovery CD? (3, Informative)

Anonymous Coward | more than 3 years ago | (#36592946)

Mod parent up. PC's commonly shipped with recovery disks ten years ago, but most OEM vendors have discontinued the practice so they can pass along the savings to the consumer (OK, I just made up the last part).

So unless you were anal enough to make one yourself then if you get an irrecoverable malware like this, you are SOL. Remember to thank the CEOs.

Re:Recovery CD? (1)

juventasone (517959) | more than 3 years ago | (#36593098)

Not recently. Instead they prompt you to create your own. If you failed to do this, and you only needed to access the System Recovery Options mentioned in the TechNet blog, you could use a disc from any PC with the same version of Windows.

Sony? (0)

wideBlueSkies (618979) | more than 3 years ago | (#36592728)

Is Sony getting back at us for bashing them over the last month or so??

Wrong (0)

Anonymous Coward | more than 3 years ago | (#36592740)

A recovery disk will restore your computer to the state it was in when the recovery disk was created. For me, this means that I can always go back to a recovery image made at 3am each and every day and stored off site. While I don't specifically plan on getting infected with a rootkit any time soon, I do plan for the worst.

All this blog entry says is that if you are infected with this rootkit you need to fix your MBR before you restore an image of your system.

wait.... what? (1)

smash (1351) | more than 3 years ago | (#36592784)

Malware like Popureb overwrites the hard drive's master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to both the operating system and security software.

When the fuck did AV software stop scanning the boot sector?
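The article excerpt quoted above describes where the bootstrap code lives: the first 446 bytes of sector 0, followed by four 16-byte partition entries and the 0x55AA signature. As an added example, not from the thread, from Microsoft or from any AV product, here is a Python parser for a raw MBR that hashes the boot code and compares it against a known-good value recorded from a clean machine, and also checks the signature and the number of active partitions. The sample sectors, the partition entry and KNOWN_GOOD_SHA256 are all constructed in the block (the "known good" hash is simply taken from the constructed clean sample; on a real system you would record it from a clean install of the same Windows version). read_sector0() shows the direct-disk read, but a read made from inside an already-booted, infected OS can be served a faked sector by the bootkit, so run the check from clean boot media.

```python
"""Added example: parse a 512-byte MBR and compare its boot code against a
known-good hash. Sample data below is constructed, not captured from malware."""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOTCODE_LEN = 446          # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446        # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"     # bytes 510..511


def parse_mbr(sector: bytes) -> Dict:
    """Split raw sector 0 into a boot-code hash, the partition table and the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        # status, CHS first, type, CHS last, LBA of first sector, sector count
        status, _chs_first, ptype, _chs_last, lba_first, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": slot, "active": status == 0x80, "type": ptype,
                           "lba_first": lba_first, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "signature_ok": sector[510:512] == SIGNATURE,
        "partitions": partitions,
    }


def check_mbr(sector: bytes, known_good_sha256: str) -> List[str]:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootcode_sha256"] != known_good_sha256:
        findings.append("boot code differs from known-good image")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected 1)")
    return findings


def read_sector0(device: str) -> bytes:
    """Read sector 0 straight from a raw device, e.g. \\\\.\\PhysicalDrive0 on
    Windows or /dev/sda on Linux (needs admin/root). Trustworthy only from clean
    boot media: a live bootkit can hand the running OS a faked copy."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_mbr(bootcode: bytes, entries: List[bytes]) -> bytes:
    """Assemble a sector from boot code (zero-padded to 446 bytes) and four entries."""
    if len(bootcode) > BOOTCODE_LEN or len(entries) != 4 or any(len(e) != 16 for e in entries):
        raise ValueError("bad MBR components")
    return bootcode.ljust(BOOTCODE_LEN, b"\x00") + b"".join(entries) + SIGNATURE


# Constructed sample data: a stand-in for a real boot sector, not a copy of one.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8" + b"\x90" * 100
NTFS_ENTRY = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
EMPTY_ENTRY = b"\x00" * 16
# Recorded from the clean sample here; on a real box, record it from a clean install.
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_BOOTCODE.ljust(BOOTCODE_LEN, b"\x00")).hexdigest()


def clean_sample() -> bytes:
    return build_mbr(CLEAN_BOOTCODE, [NTFS_ENTRY, EMPTY_ENTRY, EMPTY_ENTRY, EMPTY_ENTRY])


def tampered_sample() -> bytes:
    """Bootkit-style edit: partition table and signature untouched, only the first
    two bytes of the boot code replaced with a jump to the attacker's loader."""
    patched = b"\xeb\x40" + CLEAN_BOOTCODE[2:]
    return build_mbr(patched, [NTFS_ENTRY, EMPTY_ENTRY, EMPTY_ENTRY, EMPTY_ENTRY])


if __name__ == "__main__":
    print("clean:", check_mbr(clean_sample(), KNOWN_GOOD_SHA256))
    print("tampered:", check_mbr(tampered_sample(), KNOWN_GOOD_SHA256))
```

The tampered sample keeps a valid signature and a sane partition table, so a tool that only checks those would pass it; the hash of the 446-byte code region is what flags it. A scanner running inside Windows gets its sector through the disk driver, which is exactly what a bootkit patches, so the same read from a live CD is the one to trust.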

Re:wait.... what? (0)

Anonymous Coward | more than 3 years ago | (#36592832)

When you're rooted with software that loads before the OS, no AV software can help you. At best, it can detect it (if the MBR malware doesn't instruct the bare machine that the area should be replaced by anything the malware wants to make the OS believe it is...) but rarely disinfect it.

Re:wait.... what? (1)

smash (1351) | more than 3 years ago | (#36593168)

No, but the article made it sound like AV software wasn't paying attention to changes to the MBR *before* the infection takes place.

Item Misquotes MS - Reinstall not required (5, Informative)

NZKiwi (317525) | more than 3 years ago | (#36592788)

Hmm, the MS Blog doesn't say you need to do an OS reinstall; only replace the MBR with a clean one; then do a system restore to a point in time PRIOR to the infection - entirely different to a reinstall

Re:Item Misquotes MS - Reinstall not required (1)

JoelKatz (46478) | more than 3 years ago | (#36592856)

I agree. That's the only sensible interpretation of what MS is saying. If you're going to do a complete system restore, why go to the trouble of fixing the MBR first?

Re:Item Misquotes MS - Reinstall not required (0)

Anonymous Coward | more than 3 years ago | (#36592982)

Because the MBR doesn't get completely overwritten during a install/re-install. So if you just re-install and DON'T replace the MBR, there's still hidden files that will replicate and infect the new installation of Windows that you've just put on your system. And vice versa. Really, having cleaned multiple systems from DEEP infections of RootKits, I've come to implementing a policy of just backing up the files on the machine, writing zeros to the drive, and re-installing. With how fast Windows 7 installs, along with using ninite.com to install every other program I need: a fresh install takes so much less time than deep/entire system scans/cleaning AND gives me the benefit of complete peace of mind. The LONGEST part during a rebuild is always installing updates, so if they sped that part up I would never hesitate about a rebuild again.

Free recovery CD/DVDs for most systems (-1, Troll)

w0mprat (1317953) | more than 3 years ago | (#36592796)

Free offer of recovery CDs for Windows users: http://www.ubuntu.com/download/ubuntu/download [ubuntu.com]

Re:Free recovery CD/DVDs for most systems (0)

Anonymous Coward | more than 3 years ago | (#36592824)

Free offer of recovery CDs for Windows users: http://www.ubuntu.com/download/ubuntu/download [ubuntu.com]

So they get to choose between a system that is unusable from malware or a system that is unusable because it won't run their Windows applications?

Feeding the Troll (2)

scrib (1277042) | more than 3 years ago | (#36593080)

So they get to choose between a system that is unusable from malware or a system that is unusable because it won't run their Windows applications?

Oh, quit whining and start WINEing.

Re:Free recovery CD/DVDs for most systems (1)

RobbieThe1st (1977364) | more than 3 years ago | (#36593152)

Hey, it's got a web browser, and email, so it's already more productive than the malware infected machine.

Bad headline, bad article (5, Informative)

juventasone (517959) | more than 3 years ago | (#36592850)

The Microsoft engineer is quoted as saying, "restore your system to a pre-infected state". The article then says, "a recovery disc returns Windows to its factory settings". This is entirely false. The engineer is not saying to do a factory restore. For the layman using 7: use F8 or a 7 disc and choose "repair your computer", run the command prompt, run fixmbr, run system recovery and go back a day.

Re:Bad headline, bad article (1)

juventasone (517959) | more than 3 years ago | (#36593008)

The "F8" method might not be available because of the broken MBR, so you would have to use a disc. Also, "system recovery" should read "system restore". Going back a day doesn't lose files, it just reverts to previous versions of system files and the registry.

Re:Bad headline, bad article (1)

amicusNYCL (1538833) | more than 3 years ago | (#36593068)

I suspected as much when the phrase "a pre-infected state" was used, but it still raises an interesting point that there's not a reliable disinfection procedure. I've worked on some pretty horrendous machines for "friends" (friendly when they need computer help) where I've often wanted to just reinstall and be done with it. I've always managed to track down a disinfection procedure online for the specific things the machines were infected with (often with help from people like the folks at the dlsreports.com security fora). I can't say that I remember being faced with an infection where the only solution is to nuke it, so that's new.

Re:Bad headline, bad article (1)

SkyDragon (1642677) | more than 3 years ago | (#36593142)

I'm not sure that I would be confident that root kit X would not have the smarts to infect any type of online system backup. The point being made by many is that the only reliable way to get a compromised system back to a guaranteed clean state is to reinstall from a read only install media that comes from a known clean source. The problem then is to ensure that your data is clean before you restore it. Trusting that any tool will completely clean a system of infection without starting from scratch is overestimating the effectiveness of said tool, and underestimating the inventiveness of the malware author.

Dunno about anyone else... (1)

TheRedDuke (1734262) | more than 3 years ago | (#36592864)

But if I knew one of my systems is victim to a rootkit, I'd reinstall the OS without thinking twice - otherwise I'd be looking over my shoulder at every executable on that system until the end of time.

Almost right (0)

Anonymous Coward | more than 3 years ago | (#36592872)

He was correct up to the point he said use a "recovery disk".
I recommend installation of a more secure OS. Default install of virtually any *nix OS will do.

Different? (0)

Anonymous Coward | more than 3 years ago | (#36592874)

This is different to most other root kits? I would still trash a machine if I found a root kit somewhere. You do not know what has been done or if it is really gone.

How nice of them (0)

Groo Wanderer (180806) | more than 3 years ago | (#36592890)

Hmmm, the company that has fought tooth and nail to remove all user access to recovery CDs because they might pirate or something now wants us to use them? Bwahahaha. Glad I gave up on Windows a long time ago. Life is better now, not to mention cheaper, faster, less annoying, and less worrisome.

Re:How nice of them (1)

EvanED (569694) | more than 3 years ago | (#36592964)

Say what? Not that I entirely don't believe you, but I don't think I've really heard any noise out of MS on that matter. I put the blame on PC manufacturers who don't want to pay for physical discs.

Re:How nice of them (0)

Anonymous Coward | more than 3 years ago | (#36593060)

Say what? Not that I entirely don't believe you, but I don't think I've really heard any noise out of MS on that matter. I put the blame on PC manufacturers who don't want to pay for physical discs.

Microsoft are equally guilty on this - they won't take a consumer's advice that a retailer won't supply read-only recovery media (CD/DVD), instead, advise the consumer to get the retailer to call them about it. Like that'll ever happen: "Hi Microsoft? Acer Computer here - Just thought we'd have a chat with you about our non-compliance with the licensing agreement we share?"

Yup, a recovery partition is beyond a joke - nothing to stop malware from shitting all over that one when it does all the other crap it does...

More work for me. (0)

Anonymous Coward | more than 3 years ago | (#36592896)

I don't even use Windows, but I shudder to think about all the family computers I'll have to fix due to this shit.

Why doesn't Windows Root-Kit itself? (0)

NotQuiteReal (608241) | more than 3 years ago | (#36592904)

All modern operating systems do it, right? I heard IOS [slashdot.org] locks itself in pretty good. For crying out loud - once you click "accept" to that first question, doesn't that imply you agree forever? C'mon bitch, where's your automatic update now?

Re:Why doesn't Windows Root-Kit itself? (1)

hitmark (640295) | more than 3 years ago | (#36592984)

turtles all the way down...

Btw, this may be the oldest trick in the book. Boot viruses are as old as the x86 IBM compatible.

Uh, RTFA? (4, Informative)

toygeek (473120) | more than 3 years ago | (#36592908)

Requires a system *restore* not *recovery* and fixmbr. SHOCKING. I do this multiple times a week in my role as a computer fix-it guy. Grandma can't afford to spend the cash to have her system reloaded just because some virus got in there. I've cleaned out some pretty nasty rootkits and virii that only took me a few minutes with a Linux boot CD and then fixmbr. It doesn't take long if you've done it a million times.

Re:Uh, RTFA? (0)

Anonymous Coward | more than 3 years ago | (#36592962)

Hey man, you have experience cleaning up this stuff. Most people do not. Please don't crap all over them just because they don't have a fucking clue. Sheesh...

Re:Uh, RTFA? (0)

md65536 (670240) | more than 3 years ago | (#36592970)

I've cleaned out some pretty nasty rootkits and virii that only took me a few minutes with a Linux boot CD and then fixmbr. It doesn't take long if you've done it a million times.

Installing windows or logging into a new account should automatically install some viruses (like it used to be, when installing windows) to force you to learn how to do this and get you used to fixing the system a million times.

Re:Uh, RTFA? (0)

Anonymous Coward | more than 3 years ago | (#36593184)

Installing windows or logging into a new account should automatically install some viruses.

I thought that happened when I connect a clean windows install to the internet!

FUD (1)

Anonymous Coward | more than 3 years ago | (#36592912)

Viruses that infected the MBR and hid themselves by intercepting int13h have been around since at least the early 90's, if not earlier. A boot disk was an easy fix, and AV programs could always bypass BIOS and access the drive directly to find out what was really there.

The original blog posting says nothing about reinstalling windows. The fixmbr tool in the Recovery Console doesn't affect the operating system, and is the same old fix as it's always been. The CW article is a mix of FUD and ignorance.

Hmmm... (0)

Anonymous Coward | more than 3 years ago | (#36592918)

Somebody needs to get tough and track a few of these malware authors down and start breaking their knees, sticking hot soldering irons in their eyes, cutting their hands off, etc...

Wouldn't be long until people would be too scared to even dream about writing malware.

Knoppix (1)

ltwally (313043) | more than 3 years ago | (#36592934)

Simply boot from another OS. Knoppix is an excellent choice: it can read/write NTFS partitions, and provides you with a nice GUI to move/rename/delete files.

This is my method of choice for removing Windows viruses.

The final step for this virus would be to afterwards use the `fixmbr` tool.

Piece of cake. No reformatting necessary.

Re:Knoppix (1)

juventasone (517959) | more than 3 years ago | (#36593158)

What? So you can't use rstrui (system restore) or fixmbr with Knoppix, but you figure this is the best way to do both of these things?

Re:Knoppix (1)

smash (1351) | more than 3 years ago | (#36593178)

If you have an MS volume license, the Win7 DaRT is pretty decent, too.

Summary and TFA incorrect (1)

Torodung (31985) | more than 3 years ago | (#36592986)

If you read the TFA's FBE (F-ing Blog Entry), you'll find that you just use a recovery console, run FIXMBR, and then run a system restore to a date before your system became infected.

Hardly intractable. Not a reinstall. If it goes unnoticed for a very long time, you might not have a restore point early enough, but that goes for any malware.

NO reinstall required (0)

Anonymous Coward | more than 3 years ago | (#36593028)

RTFA.

The TechNet blog never says you need to reinstall. It says you need to restore the MBR with the recovery console and restore the OS. This can be a system restore point recovered by using the recovery CD. The only reason you need a recovery CD is to avoid booting the system while it's still loading the infected disk driver.

Did anyone spot the irony? (0)

pecosdave (536896) | more than 3 years ago | (#36593056)

I mean, the fact they don't give recovery CDs anymore. Oh, I'm sure a couple of manufacturers do, maybe on a few models, but really, they don't give out Windows recovery disks anymore.

Re:Did anyone spot the irony? (1)

juventasone (517959) | more than 3 years ago | (#36593130)

Right. They prompt you to make one. If you consider yourself the type to want to fix your PC, you would have done this, or already have one.

Re:Did anyone spot the irony? (0)

Anonymous Coward | more than 3 years ago | (#36593140)

What? You can create a recovery disk in Windows 7 (and probably before). Christ, you can boot off the original media and go "recovery mode". No need for an OEM to supply one.

ComboFix (1)

ijakings (982830) | more than 3 years ago | (#36593064)

By far the best tool I've ever seen to deal with a rootkit infection is ComboFix. It uses a process I can only describe as black magic to eradicate it. Use at your own risk though.

Which vector and why the lack of expediency? (-1)

Anonymous Coward | more than 3 years ago | (#36593134)

So what hole is this infection initially exploiting to be system resident? A genuine unknown security vulnerability in Windows and IE, or a secondary attack through 3rd party software or add-ins? Is a fully patched Windows system w/ either MAV or 3rd party AV like Sophos or Kaspersky, and users running with non-Admin privileges still at risk? I'm going to assume yes here!

Yes, I read MS blog and only after checking the Popureb.B variant does it only reference I.E. slightly.

This was detected on June 21. It's been a week. For something this serious, and with the vast resources that MS has at their disposal, why is the IT community still in the dark, and just how much of a priority does Microsoft put on this kind of end user breach?

reinstall disc? (1)

sunfly (1248694) | more than 3 years ago | (#36593138)

Who has them? MS has pushed not shipping them for so many years. Too bad they don't do the right thing, and make install ISOs available with latest patches for XP / Vista / 7.

Re:reinstall disc? (1)

juventasone (517959) | more than 3 years ago | (#36593188)

If you buy Windows (whether OEM or retail) you get a disc. If you buy a brand-name PC with Windows, you get prompted to make a disc.