Rootkit Infection Requires Windows Reinstall 510

Posted by timothy
from the spring-cleaning-comes-late dept.
CWmike writes "Microsoft is telling Windows users that they'll have to reinstall the OS if they get infected with a new rootkit. A new variant of a Trojan Microsoft calls Popureb digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog. 'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."
  • um.... Why not just use a boot disc to clear the MBR/infected files?
    • Re:Boot Disc (Score:5, Insightful)

      by smash (1351) on Monday June 27, 2011 @10:32PM (#36592696) Homepage Journal
      Well sure, if you have a known good checksum for every file on your machine?
      • by capnkr (1153623)
        In all seriousness, and without much in the way of research just yet: why not preemptively install GRUB, or some other boot loader, even if the machine is only a single boot Win system? Does this thing attack/overwrite _anything_ attempting to write to the MBR, or only Windows? There is no mention of this in the linked FA's, only in their comments...
        • Re:Boot Disc (Score:5, Informative)

          by sumdumass (711423) on Tuesday June 28, 2011 @12:10AM (#36593280) Journal

          If the rootkit works like most older boot sector virus programs, it already functions much like Grub does in the sense that it replaces the code that allows the other code to be found and run. But the code represented to the operating system would have a sector 0 in a different location than the real boot sector.

          So while you would effectively have moved the first sector as far as windows is concerned, the virus infection would be able to still tank windows because it would still initially attack sector 0. And if it's the old school infection where it uses int13h calls (the bios) instead of windows and or even the old protect mode access to access the HD, it will effectively move the grub install to a new sector and make it think it is in sector 0 on subsequent boots. It will do this the same way Grub or LiLO would make windows think it was loading from the boot sector when it wasn't.

          The problem with a boot sector virus is that if the disk is allowed to load any code at all which is the default in the boot process, the manipulation is already in memory and running. You would essentially need to boot from a start up floppy or CD or something without the hard disk loading at boot.

          Some modern BIOS configurations allow you to lock the boot sector of the hard drive down much like they started allowing you to lock flashing the BIOS down. This is about the only way to preempt this as it would give off a warning about something attempting to write to the boot sector of the hard drive. However, experience tells me that when something is trying to write to the boot sector and it fails to do it, you often need to rebuild the boot sector anyway.

          Now that is with the initial infection. The attacks it uses to maintain its infection would work regardless of the operating system because once infected, it's acting as a translation between the operating system and the hard drive. This is why a restore CD is the recommendation for fixing the issues. The CD loads instead of the drive code loading. This way, you are not fixing an infected machine with infected code.

          • by Arker (91948)

            This is hardly the first or the last to use such tricks. This is why I cannot place any faith in any antivirus being used in the typical configuration - as part of a running Windows system. That just doesn't work.

            Way back in the day you had to load your scanner on a boot floppy. These days a Linux boot CD is the replacement. A bit bloated, but at least it does the job.

            • Re:Boot Disc (Score:4, Interesting)

              by Hylandr (813770) on Tuesday June 28, 2011 @01:31AM (#36593740) Homepage

              What I do is remove the drive from the system, slap it into an external enclosure and scan from a clean machine after unplugging that machine from the network.

              If it kills system files then I replace or repair them once I boot from the recently cleaned HDD. Also, delete the swap file before you plug it back in. Hasn't failed me yet.

              - Dan.

            • Re:Boot Disc (Score:4, Interesting)

              by Joce640k (829181) on Tuesday June 28, 2011 @03:06AM (#36594190) Homepage

              Yep...once the virus is in the antivirus is useless. The virus will have no problem setting permissions, etc. so your antivirus can't touch it. And...given that most antivirus programs take a week or so to respond to new viruses, it makes them mostly useless.

              If somebody's the sort of person who gets viruses an antivirus won't save them.

              • by node 3 (115640)

                Yep...once the virus is in the antivirus is useless. The virus will have no problem setting permissions, etc. so your antivirus can't touch it. And...given that most antivirus programs take a week or so to respond to new viruses, it makes them mostly useless.

                If somebody's the sort of person who gets viruses an antivirus won't save them.

                This is so untrue, I have to believe I'm missing something here. Antivirus software can often remove infections after the fact, and is also very useful in stopping infections from occurring in the first place. Sure, it's not 100% foolproof, but calling it "mostly useless" and saying it "won't save them" is completely untrue.

        • It's obvious that many posting here don't know the first thing about how Windows works or why it gets infected. The problem isn't in the boot loader. The MBR is just one place that an attacker can find space to store a bootstrap program that will launch his infecting executable from a file on disk, and then, since that area is read and executed each time the PC is started, it writes to so many critical OS files that removing them from the system or disinfecting them becomes impossible without rendering the

          • Re:Boot Disc (Score:4, Informative)

            by TheLink (130905) on Tuesday June 28, 2011 @08:14AM (#36596008) Journal

            a complete wipe and reinstall is the only way you're going to be certain you have a clean system. And this is one of the many reasons you can't get me to run Windows as my primary OS. Sure, I'll run it in a VM hosted on Linux, but no way would I rely on it for my every day computing needs on the bare metal. Fucking garbage without any kind of cogent security system is what Windows is.

            Uh. How's that different from a root kit infection on Linux? AFAIK standard practice is if your machine (whether linux or windows) gets infected by a rootkit, you're supposed to reinstall. If you don't then you're just betting/assuming that the attack wasn't so serious. In most cases it isn't, and that's the same for Windows.

            The problem is not restricted to Windows. There's a reason why rootkits are called rootkits after all, and not "NT Authority\SystemKits" :).

      • Good policy, if a bit upkeep-heavy for your average desktop system. AIDE, Tripwire, Samhain, OSSEC, and quite possibly others will do it for you(at the cost of some administration and system resources) if you have a sufficiently static configuration that it won't drive you to madness...
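The "known good checksum for every file" that smash asks for, and that AIDE, Tripwire, Samhain and OSSEC automate, is a baseline manifest compared against the disk from a clean boot. The following is an added example, not code from the thread or from any of those tools: it builds a manifest (path, SHA-256, size) of a tree, records the manifest's own hash so the baseline can be kept off-host and verified before use, and reports added, removed and modified files. The Windows-like directory and its "infection" are constructed inside a temporary directory; on a real system you would point it at the Windows volume mounted read-only from a live CD, never at the running system.

```python
"""Offline file-integrity check in the spirit of AIDE/Tripwire (added example).

Not code from the thread or from any tool named in it. The rules that make
it useful are baked in: the baseline is built while the system is known-good,
its own hash is recorded off-host, and the comparison is run against a tree
mounted from a clean boot medium. Paths and file contents are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Return added / removed / modified relative paths."""
    base, cur = set(baseline), set(current)
    modified = sorted(
        rel for rel in base & cur
        if baseline[rel]["sha256"] != current[rel]["sha256"]
    )
    return {"added": sorted(cur - base), "removed": sorted(base - cur), "modified": modified}


def save_manifest(manifest: dict, dest: Path) -> str:
    """Write the manifest as JSON; return its SHA-256 to record off-host (paper, another machine)."""
    data = json.dumps(manifest, sort_keys=True, indent=1).encode()
    dest.write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def load_manifest(src: Path, expected_sha256: str) -> dict:
    """Refuse a baseline whose hash does not match the off-host record."""
    data = src.read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("manifest tampered or corrupted")
    return json.loads(data)


def demo() -> dict:
    """Constructed scenario: known-good tree, then a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "Windows")
        (root / "System32").mkdir(parents=True)
        (root / "System32" / "ntoskrnl.exe").write_bytes(b"clean kernel image")
        (root / "System32" / "hal.dll").write_bytes(b"clean hal")
        (root / "explorer.exe").write_bytes(b"clean shell")
        baseline = build_manifest(root)
        digest = save_manifest(baseline, Path(tmp, "baseline.json"))

        # "Infection": one binary patched, one driver dropped, one file deleted.
        (root / "System32" / "hal.dll").write_bytes(b"clean hal" + b"\x90" * 4)
        (root / "System32" / "drivers").mkdir()
        (root / "System32" / "drivers" / "dropped.sys").write_bytes(b"payload")
        (root / "explorer.exe").unlink()

        trusted = load_manifest(Path(tmp, "baseline.json"), digest)
        return compare(trusted, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest only tells you which files changed; it says nothing about the MBR, the registry hives (which change constantly and would have to be excluded) or anything living in unallocated sectors, which is why the thread's advice to reinstall after a rootkit still stands when the diff is not fully explained.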
    • by tverbeek (457094) on Monday June 27, 2011 @10:51PM (#36592836) Homepage

      Wouldn't a Linux or BSD or Haiku or Hack OS X install fix this too? This headline reads a bit like "Flooding requires rebuilding the exact same structure in the annual floodplain".

      • Re: (Score:3, Insightful)

        by ghmh (73679)
        Sigh. It would 'fix' the potential for getting infected by that particular rootkit on that particular O/S. All those other things are built on floodplains too, it's just that some flood more often than others. Extrapolating future floods based on the past is only going to work until it doesn't.
        • Re:Boot Disc (Score:5, Insightful)

          by RobbieThe1st (1977364) on Monday June 27, 2011 @11:34PM (#36593086)

          To continue your flood analogy, you have three options:
          1. Build out of something floodproof, like concrete. The *entire* house. When a flood happens, no big deal... but making changes to the house would be a big problem. This is the ChromeOS or DeepFreeze approach: Read-only filesystem and checksums.

          2. Build dams, canals and build a few feet into the air. This works for small floods, but if you get something new, it might still wipe you out. This is the Linux approach: Try to secure things, deal with the few issues as they come up.

          3. Build cheaply, and rebuild after each flood. This is the Windows re-image approach: Just assume it's going to get hit, and have a plan to rebuild afterwards.

          Just my 2c.

      • by artor3 (1344997)

        So your response to flooding is to rebuild in the desert?

    • by w0mprat (1317953)
      I don't see how this infection is not possible to clean. All that would be necessary is to boot another OS and overwrite the MBR and clean any infected binaries. Perhaps overwrite Windows binaries with the genuine article from an install CD (downloadable version if updated since disc went RTM) if it's not cleanable.

      I'd do this from a Linux live USB and have a Windows install on another partition as source. Linux generally ignores NTFS security and should be able to overwrite all necessary files on the Windows i
  • So (Score:3, Insightful)

    by Anonymous Coward on Monday June 27, 2011 @10:28PM (#36592650)

    You always do an OSRI if you get infected by any rootkit.

  • Right advice, wrong OS.
  • duh (Score:5, Insightful)

    by smash (1351) on Monday June 27, 2011 @10:30PM (#36592672) Homepage Journal

    The only way a machine can be trusted after ANY infection is an OS reinstall.

    Or as Ripley said - nuke it from orbit, it's the only way to be sure.

  • by Anonymous Coward on Monday June 27, 2011 @10:32PM (#36592700)

    We all need a major re-think of how the OS is installed on the computer, how it is architected, etc.

    Seems to me that a low-level kernel in FLASH, which can only be upgraded with a hardware key inserted (e.g., the kernel FLASH blocks can only be written when there is a physical device plugged into the system), which then supports a number of different OS images using virtual machine concept, is the way to go. If the image of any VM gets rooted, you just toss it and revert to last backup. The flash is immune to tricks, because you must insert a hardware key to upgrade it, so trojans could not over-write the FLASH-based kernel; the worst that can happen is that one of the OS images gets corrupted, then you just revert to saved.

    • by smash (1351)
      It's called a boot ROM. For all intents and purposes, with a boot ROM physical OS installs are no different from VM installs in your above scenario.
    • Sure. Let's just employ an army of minions to carry these dongles around to every workstation on the corporate domain so certain Windows Updates can be applied.
      • I hate to be the one to break this to you; but did you remember to tell the minions that, for security reasons, every dongle is paired at the factory with the computer whose flash sector it unlocks, and the TPM won't accept any unlock dongle that wasn't signed with its internal private key?

        Just be sure they don't lose any of them...
      • by sumdumass (711423)

        Well, I guess the unemployment issues might be fixed if that happened.

    Good idea, but there will always be a backdoor, even to the hardware key, because coders ALWAYS write themselves a back door, and then one day the hackers find it.

      Witness the PS3. reverse engineer the service mode dongle, use that to find the backdoor (master key).

    • That's the smart phone model. Fully sandboxed, system can only be written after a cryptographic key is obtained from a trusted source (the vendor) and all files synced to another device or the cloud. Get pwned and flash the device with a system image and sync files/settings to get back the exact system state.

    • Seems to me that a low-level kernel in FLASH, which can only be upgraded with a hardware key inserted (e.g., the kernel FLASH blocks can only be written when there is a physical device plugged into the system), which then supports a number of different OS images using virtual machine concept, is the way to go.

      I don't like it because it makes patching more difficult and does nothing to protect the end users data due to ownage of the guest.

      I believe a better policy would just be to not allow untrusted execution of code on lower protection rings even for administrators/root.

      Windows CE had a scheme like you describe. When you messed up your PDA you could instantly restore to factory default.

      And of course we can't forget AIX which existed on RS6000 with its hardware key at a time when the rest of us were "smart littl

      • by smash (1351)
        You mean like a trusted platform module?

        Wait... wasn't that a bad idea? Or at least that's what the nerds were crying about back in 2005.

        • TPM was (and is) a disastrous idea from the point of view of freedom of choice for users of general purpose computers.

          TPM (or similar systems) are on the other hand a key element in "walled garden" proprietary environments, such as mobile devices and other embedded systems.

          Universal adoption of TPM on PCs would inevitably change them from a "general purpose" into a "walled garden" proprietary environment. A Microsoft one. There is not even the faintest doubt about that.

          Fortunately a mere "read only" copy of

  • Recovery CD? (Score:5, Insightful)

    by grolschie (610666) on Monday June 27, 2011 @10:35PM (#36592724)
    Do all Windows PCs ship with a CD? What about retrieving the user's data?
    • by smash (1351)
      The data is easily restored from your backup media. Oh what you weren't backing your shit up? Bad luck.
      • by grolschie (610666)
        I suspect that many Joe Sixpacks don't know about backups, or if they have, haven't set some backup system/process/plan up. I guess it's good that Windows 7 Action Center warns about backups.
        • by smash (1351)
          Agreed. However if you're not backing your data up, it's obviously not important enough for you to consider loss due to theft, hardware failure, etc. either.
          • by Belial6 (794905)
            That's funny because I was going through and updating the backup system in our house, and asked my wife what she wanted backed up. Her response was "Nothing". She stores everything she wants to keep in a Lotus Notes Database, and that replicates to our server. She was absolutely adamant that she would have no problem if I did a factory reset on her laptop on any random night. Go figure. I guess sometimes people don't need backups. I just never expected it in my own home.
    • by v1 (525388)

      User DATA, provided it's not the "intelligent" sort like MS Word documents that can have macros in them, should be safe. Nothing executable should be trusted.

      You COULD try to checksum all system files, but it's so easy to miss something that seems innocuous that is infected and will just use a zeroday to jimmy its way back into restored binaries when you reboot. You really have to nuke and pave it if it's bad enough, the odds of missing something are just too high.

      And with joys like windows registry, that

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Mod parent up. PCs commonly shipped with recovery disks ten years ago, but most OEM vendors have discontinued the practice so they can pass along the savings to the consumer (OK, I just made up the last part).

      So unless you were anal enough to make one yourself then if you get an irrecoverable malware like this, you are SOL. Remember to thank the CEOs.

      • by Belial6 (794905)
        That is one thing that really bugs me. They want me to make a restore CD at 5 times the price with a 10 times shorter lifespan over a $0.10 piece of plastic.
    • Not recently. Instead they prompt you to create your own. If you failed to do this, and you only needed to access the System Recovery Options mentioned in the TechNet blog, you could use a disc from any PC with the same version of Windows.
    • by mark-t (151149)
      No. Systems these days ship with a facility to create a recovery DVD in the event of a system failure. They do not ship with original disks because most consumers don't need or want them... the customers that do want them have to pay a (not expensive, but not negligible either) fee for them.
    • by CAIMLAS (41445)

      No. And No. The former is uncommon at best; the latter is frustratingly difficult if there's a possibility that the user profile is infected (due to the 'store shit everywhere, lots of binary files' nature of a profile).

      Windows PCs are disposable. If it's important, assume that the PC is a kiosk. It's not such the case now as in later years, thank god, but it used to be that a Windows reinstall was more time and effort to get 'back up to snuff' than a Gentoo build.

  • Malware like Popureb overwrites the hard drive's master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to both the operating system and security software.

    When the fuck did AV software stop scanning the boot sector?

  • by NZKiwi (317525) on Monday June 27, 2011 @10:44PM (#36592788)
    Hmm, the MS Blog doesn't say you need to do an OS reinstall; only replace the MBR with a clean one; then do a system restore to a point in time PRIOR to the infection - entirely different to a reinstall
    • by JoelKatz (46478)

      I agree. That's the only sensible interpretation of what MS is saying. If you're going to do a complete system restore, why go to the trouble of fixing the MBR first?

  • by juventasone (517959) on Monday June 27, 2011 @10:54PM (#36592850)
    The Microsoft engineer is quoted as saying, "restore your system to a pre-infected state". The article then says, "a recovery disc returns Windows to its factory settings". This is entirely false. The engineer is not saying to do a factory restore. For the layman using 7: use F8 or a 7 disc and choose "repair your computer", run the command prompt, run fixmbr, run system recovery and go back a day.
    • The "F8" method might not be available because of the broken MBR, so you would have to use a disc. Also, "system recovery" should read "system restore". Going back a day doesn't loose files, it just reverts to previous versions of system files and the registry.
      • by sumdumass (711423)

        This is all incidental to the problem of the boot sector code. It changes write functions to read functions so the disk will return a response and Windows will believe everything worked. It does this because it infects the boot sector which loads code into memory before Windows even thinks about loading anything into memory. It then hides and stops itself from being removed while hiding and running other code from Windows.

        Using system restore will not address this in the least. You will still be infected, y

    • I suspected as much when the phrase "a pre-infected state" was used, but it still raises an interesting point that there's not a reliable disinfection procedure. I've worked on some pretty horrendous machines for "friends" (friendly when they need computer help) where I've often wanted to just reinstall and be done with it. I've always managed to track down a disinfection procedure online for the specific things the machines were infected with (often with help from people like the folks at the dlsreports.
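sumdumass's two posts above describe the mechanism that decides the whole "fixmbr or reinstall" argument: the bootkit's code is in memory before Windows loads, it sits between the OS and the disk, it answers reads of sector 0 with a saved copy of the original MBR and it turns writes to sector 0 into reads, so a fixmbr run from inside the running system reports success and changes nothing. The following is an added example, not code from the thread, from Microsoft or from the Popureb sample. It models that hook on a simulated disk, then applies the check a clean-boot scan would do: parse the 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compare the boot-code hash with a known-good value. Every byte of "boot code" here is constructed; the sector layout and the hook behaviour are the only things taken from the discussion.

```python
"""Why an MBR bootkit has to be fixed from outside the infected OS (added example).

Constructed simulation, not real bootkit or Microsoft code. BootkitHookedDisk
plays the INT 13h-style hook sumdumass describes; parse_mbr/scan are the
offline check you would run on a disk image or from a recovery CD.
"""
import hashlib
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def make_mbr(code: bytes, parts: list) -> bytes:
    """Assemble an MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    assert len(code) <= 446 and len(parts) <= 4
    table = b"".join(
        struct.pack(ENTRY, 0x80 if bootable else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for bootable, ptype, lba, count in parts
    ).ljust(64, b"\0")
    return code.ljust(446, b"\0") + table + b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash and partition entries; reject a bad signature."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR (bad length or signature)")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:446]).hexdigest(), "partitions": parts}


class Disk:
    """The raw drive: a list of sectors, no hooks. This is what a recovery CD sees."""
    def __init__(self, n_sectors: int):
        self.sectors = [bytes(SECTOR)] * n_sectors

    def read(self, lba: int) -> bytes:
        return self.sectors[lba]

    def write(self, lba: int, data: bytes) -> None:
        self.sectors[lba] = data


class BootkitHookedDisk:
    """The drive as seen from the infected OS: sector 0 is redirected, writes to it are swallowed."""
    def __init__(self, disk: Disk, hidden_lba: int):
        self.disk, self.hidden_lba = disk, hidden_lba

    def read(self, lba: int) -> bytes:
        return self.disk.read(self.hidden_lba if lba == 0 else lba)

    def write(self, lba: int, data: bytes) -> None:
        if lba == 0:
            self.disk.read(self.hidden_lba)  # the write becomes a read: no error, disk untouched
            return
        self.disk.write(lba, data)


def infect(disk: Disk, hidden_lba: int, evil_code: bytes) -> None:
    """Save the real MBR to a spare sector and overwrite sector 0 with bootkit code."""
    disk.write(hidden_lba, disk.read(0))
    disk.write(0, make_mbr(evil_code, [(True, 0x07, 2048, 1 << 20)]))


def scan(view, known_good_code_sha256: str) -> str:
    """'clean' if sector 0's boot code hashes to the trusted value, otherwise 'infected'."""
    return "clean" if parse_mbr(view.read(0))["code_sha256"] == known_good_code_sha256 else "infected"


def demo() -> dict:
    clean_code = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 40  # constructed stand-in for boot code
    good_mbr = make_mbr(clean_code, [(True, 0x07, 2048, 1 << 20)])
    good_hash = parse_mbr(good_mbr)["code_sha256"]

    disk = Disk(64)
    disk.write(0, good_mbr)
    infect(disk, hidden_lba=62, evil_code=b"\xEB\xFE" + b"\xCC" * 20)  # constructed "payload"
    hooked = BootkitHookedDisk(disk, hidden_lba=62)

    results = {"inside_os_before_fix": scan(hooked, good_hash)}
    hooked.write(0, good_mbr)                      # fixmbr run from inside the infected OS
    results["inside_os_after_fix"] = scan(hooked, good_hash)
    results["offline_after_fix"] = scan(disk, good_hash)
    disk.write(0, good_mbr)                        # fixmbr run from a recovery CD: no hook in the path
    results["offline_after_offline_fix"] = scan(disk, good_hash)
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:28s} {verdict}")
```

The in-OS view reports "clean" both before and after the in-OS fixmbr, which is exactly why an AV scanning the boot sector from inside Windows (the question raised further up the thread) learns nothing; only the raw read shows "infected", and only the write made with no hook in the path actually replaces sector 0. Against a real drive the hash comparison needs a baseline taken from a known-good MBR for that machine, since OEM boot code differs.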

  • But if I knew one of my systems is victim to a rootkit, I'd reinstall the OS without thinking twice - otherwise I'd be looking over my shoulder at every executable on that system until the end of time.
  • Uh, RTFA? (Score:5, Informative)

    by toygeek (473120) on Monday June 27, 2011 @11:02PM (#36592908) Homepage Journal

    Requires a system *restore* not *recovery* and fixmbr. SHOCKING. I do this multiple times a week in my role as a computer fix-it guy. Grandma can't afford to spend the cash to have her system reloaded just because some virus got in there. I've cleaned out some pretty nasty rootkits and virii that only took me a few minutes with a Linux boot CD and then fixmbr. It doesn't take long if you've done it a million times.

  • Simply boot from another OS. Knoppix is an excellent choice: it can read/write NTFS partitions, and provides you with a nice GUI to move/rename/delete files.

    This is my method of choice for removing Windows viruses.

    The final step for this virus would be to afterwards use the `fixmbr` tool.

    Piece of cake. No reformatting necessary.
    • What? So you can't use rstrui (system restore) or fixmbr with Knoppix, but you figure this is the best way to do both of these things?
    • by smash (1351)
      If you have an MS volume license, the Win7 DaRT is pretty decent, too.
  • If you read the TFA's FBE (F-ing Blog Entry), you'll find that you just use a recovery console, run FIXMBR, and then run a system restore to a date before your system became infected.

    Hardly intractable. Not a reinstall. If it goes unnoticed for a very long time, you might not have a restore point early enough, but that goes for any malware.

  • Anyone who believes this, much less preaches it, is an absolute moron. There are vulnerabilities in any working system. There always have been and there always will be. Consumer distributions of Linux might not have the same holes that Windows has, but that doesn't mean there are none. It may be harder to achieve process escalation, but that doesn't mean it's impossible. After all, a dumb user is still the weakest link in a security system.
  • This is the Windows 7 System restore option, which is as follows according to MS:
    see: System Restore [microsoft.com]

    ---
    Restores your computer's system files to an earlier point in time without affecting your files, such as email, documents, or photos.

    If you use System Restore from the System Recovery Options menu, you cannot undo the restore operation. However, you can run System Restore again and choose a different restore point, if one exists. For more information, see What is System Restore? and System Restore: frequ

  • I've seen junk get onto a computer with all the latest Windows updates where the infected user never intentionally ran a single program they downloaded from the web. However the infection happened, it happened without prompting the user to run any install program.

    When I disinfected the computer, I could not for the life of me figure out how the infection was actually obtained... if the user had been an administrator, I suspect that the damage would have been more widespread than just that one account.
