
Rootkit Infection Requires Windows Reinstall

CWmike writes "Microsoft is telling Windows users that they'll have to reinstall the OS if they get infected with a new rootkit. A new variant of a Trojan Microsoft calls Popureb digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog. 'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."
  • Re:Norton Ghost (Score:4, Informative)

    by countertrolling ( 1585477 ) on Monday June 27, 2011 @11:40PM (#36592758) Journal

    You work for Symantec?... use ntfsclone or partimage from a live CD instead

  • by Anonymous Coward on Monday June 27, 2011 @11:42PM (#36592774)

    Don't act the fool my boy..... it is called a "boot ROM" for historical reasons, but these days they are all FLASH based; ain't no real mask-programmed ROMs any more, and on most motherboards they can easily be written if you simply toggle the correct bits in the hardware control registers.

  • by NZKiwi ( 317525 ) on Monday June 27, 2011 @11:44PM (#36592788)
    Hmm, the MS Blog doesn't say you need to do an OS reinstall; only replace the MBR with a clean one; then do a system restore to a point in time PRIOR to the infection - entirely different to a reinstall
  • by juventasone ( 517959 ) on Monday June 27, 2011 @11:54PM (#36592850)
    The Microsoft engineer is quoted as saying, "restore your system to a pre-infected state". The article then says, "a recovery disc returns Windows to its factory settings". This is entirely false. The engineer is not saying to do a factory restore. For the layman using 7: use F8 or a 7 disc and choose "repair your computer", run the command prompt, run fixmbr, run system recovery and go back a day.
  • Re:duh (Score:3, Informative)

    by Anonymous Coward on Monday June 27, 2011 @11:58PM (#36592888)

    Even that isn't 100% true with rootkits that can attach themselves to your PCI devices...

  • Uh, RTFA? (Score:5, Informative)

    by toygeek ( 473120 ) on Tuesday June 28, 2011 @12:02AM (#36592908) Journal

    Requires a system *restore* not *recovery* and fixmbr. SHOCKING. I do this multiple times a week in my role as a computer fix-it guy. Grandma can't afford to spend the cash to have her system reloaded just because some virus got in there. I've cleaned out some pretty nasty rootkits and virii that only took me a few minutes with a Linux boot CD and then fixmbr. It doesn't take long if you've done it a million times.

  • Re:Recovery CD? (Score:3, Informative)

    by Anonymous Coward on Tuesday June 28, 2011 @12:09AM (#36592946)

    Mod parent up. PCs commonly shipped with recovery disks ten years ago, but most OEM vendors have discontinued the practice so they can pass along the savings to the consumer (OK, I just made up the last part).

    So unless you were anal enough to make one yourself then if you get an irrecoverable malware like this, you are SOL. Remember to thank the CEOs.

  • Re:Norton Ghost (Score:4, Informative)

    by fuzzyfuzzyfungus ( 1223518 ) on Tuesday June 28, 2011 @12:48AM (#36593174) Journal
    In what is probably not the world's best news for Symantec, even Microsoft has gotten around to developing a Windows imaging tool that (mostly) works. The "Windows Automated Installation Kit" is something of a baroque monstrosity; but it exists and is offered at no additional cost to Windows customers.

    It took 20 years and alarming complexity increases; but it's almost like being able to tar your OS install and then untar it onto a newly created filesystem!
  • Re:Boot Disc (Score:5, Informative)

    by sumdumass ( 711423 ) on Tuesday June 28, 2011 @01:10AM (#36593280) Journal

    If the rootkit works like most older boot sector virus programs, it already functions much like Grub does in the sense that it replaces the code that allows the other code to be found and run. But the code represented to the operating system would have a sector 0 in a different location than the real boot sector.

    So while you would effectively have moved the first sector as far as Windows is concerned, the virus infection would be able to still tank Windows because it would still initially attack sector 0. And if it's the old school infection where it uses int 13h calls (the BIOS) instead of Windows, or even the old protected mode access, to access the HD, it will effectively move the Grub install to a new sector and make it think it is in sector 0 on subsequent boots. It will do this the same way Grub or LILO would make Windows think it was loading from the boot sector when it wasn't.

    The problem with a boot sector virus is that if the disk is allowed to load any code at all which is the default in the boot process, the manipulation is already in memory and running. You would essentially need to boot from a start up floppy or CD or something without the hard disk loading at boot.

    Some modern BIOS configurations allow you to lock the boot sector of the harddrive down much like they started allowing you to lock flashing the bios down. This is about the only way to preempt this as it would give off a warning about something attempting to write to the boot sector of the hard drive. However, experience tells me that when something is trying to write to the boot sector and it fails to do it, you often need to rebuild the boot sector anyways.

    Now that is with the initial infection. The attacks it uses to maintain its infection would work regardless of the operating system because once infected, it's acting as a translation between the operating system and the hard drive. This is why a restore CD is the recommendation for fixing the issues. The CD loads instead of the drive code loading. This way, you are not fixing an infected machine with infected code.
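
The "translation layer" the comment above describes is easy to see in a small simulation. The following is an added example, not code from the page, from Microsoft, or from the Popureb sample: it models a disk as numbered 512-byte sectors, a bootkit that parks the real MBR in a spare sector and answers reads of LBA 0 with that parked copy (what a resident int 13h hook does), and the offline check that defeats it. The boot code bytes, the partition entry, the parked sector number (62) and the "known-good" hash are all constructed for illustration; nothing here is real loader or malware code.

```python
"""Simulated MBR bootkit: hide the infection behind a disk-read hook, then
detect and repair it from an offline (live CD) view of the disk.

Added example, not from the original page or from Microsoft. The sector
contents, the "clean" and "infected" bootstrap bytes, the known-good hash and
the sector where the kit parks the original MBR are constructed stand-ins.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440       # bytes 440-445 hold Windows' disk signature, so skip them
PART_TABLE_OFF = 446
BOOT_SIGNATURE = b"\x55\xaa"
PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Constructed stand-ins for boot code; not real loader bytes.
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
INFECTED_BOOTSTRAP = b"\xeb\x3c\x90" + b"FAKEKIT\x00" + b"\xcc" * 24


def build_mbr(bootstrap, partitions):
    """Assemble a 512-byte MBR: boot code, four 16-byte entries, 0x55AA."""
    body = bootstrap.ljust(PART_TABLE_OFF, b"\x00")
    table = b"".join(struct.pack(PART_ENTRY, *p) for p in partitions).ljust(64, b"\x00")
    return body + table + BOOT_SIGNATURE


def splice_bootstrap(sector, bootstrap):
    """Replace only the boot code, keeping the partition table and signature."""
    return bootstrap.ljust(PART_TABLE_OFF, b"\x00") + sector[PART_TABLE_OFF:]


def parse_mbr(sector):
    """Hash the boot code and decode the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:] == BOOT_SIGNATURE}


class Disk:
    """Toy block device: LBA -> sector bytes, zero-filled where unwritten."""
    def __init__(self):
        self.sectors = {}

    def read(self, lba):
        return self.sectors.get(lba, b"\x00" * SECTOR_SIZE)

    def write(self, lba, data):
        if len(data) != SECTOR_SIZE:
            raise ValueError("sector writes must be 512 bytes")
        self.sectors[lba] = data


class Bootkit:
    """Parks the real MBR in a spare sector and answers reads of LBA 0 with
    that copy, the way a resident int 13h hook does once it is in memory."""
    def __init__(self, parked_lba):
        self.parked_lba = parked_lba

    def infect(self, disk):
        original = disk.read(0)
        disk.write(self.parked_lba, original)
        disk.write(0, splice_bootstrap(original, INFECTED_BOOTSTRAP))

    def hooked_read(self, disk, lba):
        if lba == 0:
            return disk.read(self.parked_lba)   # show the OS the clean MBR
        if lba == self.parked_lba:
            return b"\x00" * SECTOR_SIZE        # and hide the parked copy
        return disk.read(lba)


def mbr_is_clean(sector, known_good_sha256):
    info = parse_mbr(sector)
    return info["signature_ok"] and info["bootstrap_sha256"] == known_good_sha256


def fix_mbr(disk, clean_bootstrap):
    """What a fixmbr does: rewrite the boot code in place, keep the partition table."""
    disk.write(0, splice_bootstrap(disk.read(0), clean_bootstrap))


def demo():
    disk = Disk()
    disk.write(0, build_mbr(CLEAN_BOOTSTRAP,
                            [(0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)]))
    baseline = parse_mbr(disk.read(0))["bootstrap_sha256"]   # recorded while clean

    kit = Bootkit(parked_lba=62)
    kit.infect(disk)
    inside = mbr_is_clean(kit.hooked_read(disk, 0), baseline)  # read through the hook
    offline = mbr_is_clean(disk.read(0), baseline)              # read from a live CD
    table_kept = (parse_mbr(disk.read(0))["partitions"]
                  == parse_mbr(kit.hooked_read(disk, 0))["partitions"])

    fix_mbr(disk, CLEAN_BOOTSTRAP)
    repaired = mbr_is_clean(disk.read(0), baseline)
    return {"inside_os_looks_clean": inside, "offline_looks_clean": offline,
            "partition_table_kept": table_kept, "clean_after_fixmbr": repaired}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the simulation makes: any scanner running on top of the infected boot chain reads LBA 0 through the hook and sees a clean MBR, while the same sector read from boot media that never executed the disk's code shows the infected loader. The partition table is untouched in both views, which is why the infected machine still boots normally and why a fixmbr-style repair (rewrite the boot code, keep the table) is enough for the MBR itself. The baseline hash is recorded while the system is known clean; in practice you would compare against the MBR bytes from a trusted installer of the same OS version rather than against a hash you took after the fact.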

  • by Alex Belits ( 437 ) * on Tuesday June 28, 2011 @03:42AM (#36594082) Homepage

    NICs & VGA cards have stopped having flash ever since they moved from ISA to PCI: at that point, in order to cut costs, they moved their firmware storage to the motherboard BIOS flash.

    Wrong. All graphics cards have traditional CGA/EGA/VGA BIOS interface implemented for their hardware in their flash. They wouldn't initialize properly without it.

  • Re:Boot Disc (Score:4, Informative)

    by TheLink ( 130905 ) on Tuesday June 28, 2011 @09:14AM (#36596008) Journal

    a complete wipe and reinstall is the only way you're going to be certain you have a clean system. And this is one of the many reasons you can't get me to run Windows as my primary OS. Sure, I'll run it in a VM hosted on Linux, but no way would I rely on it for my every day computing needs on the bare metal. Fucking garbage without any kind of cogent security system is what Windows is.

    Uh. How's that different from a root kit infection on Linux? AFAIK standard practice is if your machine (whether linux or windows) gets infected by a rootkit, you're supposed to reinstall. If you don't then you're just betting/assuming that the attack wasn't so serious. In most cases it isn't, and that's the same for Windows.

    The problem is not restricted to Windows. There's a reason why rootkits are called rootkits after all, and not "NT Authority\SystemKits" :).

