
Microsoft Says Reinstall Overkill In Removing Rootkit

CWmike writes "Microsoft has clarified the advice it gave users whose Windows PCs are infected with a new, sophisticated rootkit dubbed Popereb that buries itself on the hard drive's boot sector, noting Wednesday that a complete OS reinstall is not necessary. 'If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state,' MMPC engineer Chun Feng wrote in an updated blog entry. Feng provided links to instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7. Once the MBR has been scrubbed, users can run antivirus software to scan the PC for additional malware for removal, Feng added. Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees. Joe Stewart, director of malware research at Dell SecureWorks, said, 'Once you're infected, the best advice is to [reinstall] Windows and start over ... [MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position.' MBR rootkit malware is among the most advanced of all threats."
  • by Anonymous Coward
    format.
    • by Z00L00K ( 682162 )

      It's starting to get time for the yearly reinstall anyway. My Windows is getting slow, and a reinstall really clears things up.

      • Getting a router, never logging in under admin credentials, passwording all accounts, running my virus/malware software on Max security, regularly clearing out all browser history, blocking ads using the HOSTS file all seemed to have greatly reduced the need for re-installs. See, that's all ya have to do.
      • Comment removed based on user account deletion
        • Christ, I stopped using those registry cleaners around windows 98 SE. They do more damage than they do good these days. If you don't know how to identify and remove crapola from the system and registry by hand, don't mess with it. That said it is fine to use a tool to assist you, but use one that identifies the keys for you to remove so you can use your good judgement too, not one that goes through and tells you it used some sort of voodoo to fix 9,218 errors and now your computer will be 1000% faster.
    • Give us Windows users credit, we are trained to back up our data!

    • Full Disk Erase is exactly what you do.

      On Windows, You have no idea what the rootkit did while it was active on your system. It probably messed with your registry and opened up back doors for either reinfection or eavesdropping. And I'll guarantee it nuked your system restore so you can't roll the settings back.

      External Hard drives are cheap. Windows 7 has a good and easy to set up backup. Back it up with a system image at least once a month and keep it disconnected once you backup. If you get infected, wip

  • Uninstalling is all that's needed.

    *ducks*

  • by Lunix Nutcase ( 1092239 ) on Thursday June 30, 2011 @04:39PM (#36628116)

    Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees.

    Redundant much? Could the "editors" possibly make themselves look any more lazy and incompetent if they tried?

    • by Ant P. ( 974313 )

      Could the "editors" possibly make themselves look any more lazy and incompetent if they tried?

      Challenge Accepted?

    • by Tarlus ( 1000874 )

      Not to mention the "Popereb" and "Popureb" inconsistency.

    • by Rary ( 566291 )

      Maybe what he's trying to say is this:

      1. Several researchers agree with Microsoft.
      2. A noted botnet expert disagrees with Microsoft.
      3. A (different) internationally-known botnet expert disagrees with the noted botnet expert, thereby agreeing with Microsoft.

      Okay, not likely. I should know better than to try to defend Slashdot "editors", who are only marginally more useful than the Slashdot programmers, who I noticed have changed the header and footer of the comment section, and in doing so broke the "post an

      • More like...
        1. Microsoft revised its advice to short of a nuke/repave path for handling a bootkit virus
        2. Several security researchers agree with MS
        3. A noted researcher doubts the trust that this will allow for a detectably clean PC
        4. Another noted researcher also disagrees with MS, preferring the nuke/repave path for handling bootkits
        • More like Microsoft corrected the once-again incorrect slashdot headlines, which misquoted them. The original statement referred to restoring the MBR, then performing a system recovery; the headline indicated "REFORMAT ZOMG".

      • ... and also all links in the thread (which were partly broken before, but now they're completely broken).

        Double right click gives me a context menu in Firefox 5. Right click and middle click work normally in MSIE 9.

      • Try:
        1. Several researchers agree with Microsoft
        2. A noted botnet expert is not so sure
        3. Another, Dell, botnet expert is entirely sure that he disagrees

  • by jcombel ( 1557059 ) on Thursday June 30, 2011 @04:42PM (#36628146)

    ms never said to re-install windows in the first place, headlines on sites like slashdot mis-reported it to begin with. from slashdot's summary:

    "'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."

    the summary blurted that the recovery disc returns Windows to its factory settings, and left out how it also is the boot environment for restoring from windows backups, which Feng was clearly talking about ("restore your system to a pre-infected state").

    • by 0123456 ( 636235 )

      "'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng.

      If your recovery CD is pre-infected, then surely you're screwed anyway?

      • by PNutts ( 199112 )

        If your recovery CD is pre-infected, then surely you're screwed anyway?

        Does that mean the plastic they make a CD from is infected?

        • No, it refers to a number of OEM's fucktard tendency to give people a 'recovery CD' that reimages the system as it was when they bought it, instead of proper OS install disks.

    • by dbIII ( 701233 )
      If you've got a polite, upstanding and well behaved malware writer they will take care not to do anything other than put their single bit of malware on your machine, not look at your files, not install keyloggers and not install port scanners or spambots. do you really think such a beast exists? If you find malware that means YOU CAN'T TRUST IT and almost nothing on your machine can be assumed to be unchanged. Forget the MS PR guy that has been rolled out for a bit of mindless cheering after a technical r
  • Yesterday it was Poperub. Now it's either Popereb or Popureb.

    You think a computer is going to find the thing when nobody can even decide what string matches its name in the 'sploit DB?

  • I reinstall both my Windows desktop and Linux laptop every year. Keeps them clean and removes a lot of crap (not just viruses, but old unwanted programs).

    • by ctrimm ( 1955430 )
      If you're running Linux, you probably don't have any viruses. It seems to me that uninstalling programs you don't use every couple months would be a lot easier than re-installing the OS... ever.

      Despite that, I've been running my install of Win7 for over a year now, practice general maintenance, and it's still running as smooth as ever. Having to re-install an OS every year is either the sign of a poorly designed OS or just plain laziness.
    • I have to say I've never actually reinstalled Linux on a computer. Once it goes on, it stays for years.

      • True, though in some cases some do, particularly those with distributions like ubuntu that tend to encourage their users to do a full install to upgrade from version to version every 6 months or so. (Admittedly I think the current updater will move you up a version, but I recall a time when they didn't.) Of course in linux a re-install is extremely painless considering your configurations of just about everything are stored in your home directory, which you shouldn't be formatting, rather than in a complicated
      • by EvanED ( 569694 )

        I haven't used Linux on my home machine much at all for a couple years, but when I used it more I used Gentoo. A bit less than 5 years ago I managed to mess up Portage enough that I couldn't get Emerge to do anything (except complain a lot), so I gave up and reinstalled. It can definitely happen, even if you know your way around pretty well.

    • Keeps them clean and removes a lot of crap (not just viruses, but old unwanted programs).

      I use Portable Apps wherever possible. (I think the address is portableapps.com, I am not affiliated.) Basically they're just apps that are compressed into a self extracting file. You extract them and they just run, no installation needed. This means after a reinstall (or new computer) I still have my browsers with bookmarks, text/script editors, and a handful of other things I use a lot. When I get a laptop or something I just copy the files over to that machine and I'm running over there, too.

      This p

      • Until the portableapps gets hit by sality, that is.

        I'm not going to link resources to sality, as the new slashdot wouldn't let you click them anyways. Seriously, how hard is it to keep the website working in at least ONE of the major browsers?

    • Reinstalling doesn't remove all viruses:
      *The MBR can be infected, surviving reinstalls. This is the type of infection popureb is, in fact.
      *downloaded drivers may remain infected, as may any other executable content that you neglect to re-download. (Sality is a common virus that seeks out and infects every binary it can find)

      Luckily for you, these two types of virus are incredibly common.

    • by rtb61 ( 674572 )

      I managed to keep both ticking over for over seven years, including cleaning up a couple of windows infections. Best way to keep a windows installation going is to dual boot with Linux and use that Linux boot to do the final repairs and clean up as well as quick simple software backups from the windows partition to the safer Linux controlled partitions.

      Poor old stale piss (XP even M$ hates it ~ now) seems to have survived the years and been reasonably reliable as long as you keep a Linux boot on system f

    • by rastos1 ( 601318 )

      I reinstall both my Windows desktop and Linux laptop every year. Keeps them clean and removes a lot of crap (not just viruses, but old unwanted programs).

      I feel sorry for you. However I try to balance the statistics by updating/upgrading the same system since something like 2003, when I scrapped my previous system that was maintained since 1996.

  • Eyeroll (Score:5, Informative)

    by goodmanj ( 234846 ) on Thursday June 30, 2011 @04:47PM (#36628206)

    MBR rootkit malware is among the most advanced of all threats.

    So advanced, it's been around for 25 years. Boot sector manipulation is like the flint arrowhead of virus tech.

    http://www.f-secure.com/v-descs/brain.shtml [f-secure.com]

    • So advanced, it's been around for 25 years.

      Non sequitur. Just because something is old does not preclude it from being advanced or the "most advanced" of whatever category you are talking about.

      • Your average Clovis point arrowhead is a pretty advanced bit of stoneworking too: see what I did there? But the point is that if something's been around as long as flint arrows or boot sector viruses, we've usually come up with a good defense against it.

        • by lennier ( 44736 )

          But the point is that if something's been around as long as flint arrows or boot sector viruses, we've usually come up with a good defense against it.

          Yes, and in both cases, the best defence is still generally 'don't get hit with one'.

          Never underestimate the power of primitive attacks to overcome sophisticated defences.

          • by maugle ( 1369813 )

            But the point is that if something's been around as long as flint arrows or boot sector viruses, we've usually come up with a good defense against it.

            Yes, and in both cases, the best defence is still generally 'don't get hit with one'.

            Never underestimate the power of primitive attacks to overcome sophisticated defences.

            The best defence is a good offence. So go find a shifty-looking programmer and punch him in the face.

        • Most malware is made up of compiled assembly language instructions. I guess that means there are no advanced viruses, since they had compiled assembly language instruction-based viruses 25 years ago.

          See what I did there?

          Modern bootkits remain quite advanced, combining MBR manipulation with hidden partitions running special, encrypted filesystems, downloading instructions from a P2P network guarded with public key cryptography all the while cloaking its activity from detection by all but the most advanced d

    • I know. Michelangelo'd floppies are probably deadlier than conficker... :( Today's viruses act so much like 90's hollywood viruses enough to bury the old school boot sector virus concept.
    • by yuhong ( 1378501 )

      But most of the old ones were designed for DOS, which was easy since it called the BIOS. Injecting a rootkit into a modern OS beginning with MBR code is not nearly as easy.

    • The difference is that now we have VT and a rootkit can meaningfully hide from the OS...

  • Like someone said, "Nuke 'em from orbit."

    In that case, I'd only save whatever key files I had (pics, MP3's) scanning them as they go, then completely FDISK /mbr , delete and recreate the partition(s), and reformat the drive. Reinstall Winder from a slipstreamed CD, and let 'er rip. I've only had to do this a handful of times for others. So far, so good in practicing SAFE HEX, I haven't had a machine I've owned get infected, yet.

    • by Anonymous Coward

      I haven't had a machine I've owned get infected, yet, that I know about.

      There, fixed that for you. But seriously, not all viruses make a lot of ruckus. Some of the most sinister are those that remain hidden and just copy files and activity that look salable. Another are botnets that only do their activity at night or stay tightly throttled.

  • How does one do a repair install if Windows 7 won't boot?

    It seems silly to restrict repair installs to cases where the OS can boot anyway.

    • by lennier ( 44736 )

      How does one do a repair install if Windows 7 won't boot?

      Boot off your recovery DVD? You did make one, right?

      Actually I have no idea if 'recovery media' these days are even bootable. Back in the day, we used to get real Windows install disks with our computers. No lie! They just handed 'em out in the box like they were candy, or at least not radioactive contraband which mere users couldn't be trusted to touch.

  • Standard security practice after a rootkit infection is to NOT trust your system anymore. You never know what kind of shit is installed.
    Virus scanners are nice, but work mostly on signatures and will not likely detect viruses which aren't in the signature database. Heuristics are still not good enough.
    You cannot guarantee that the system is 100% clean.
    Reinstallation is therefore a necessary step in the process.

  • by Skapare ( 16644 ) on Thursday June 30, 2011 @04:54PM (#36628292) Homepage

    The infection code can simply intercept all the I/O taking place and prevent the MBR from being cleaned, while also making it look like it has (by intercepting the reads, too). You need to boot from non-writable external media to be sure (non-writable just in case you accidentally boot into the hard drive, which will quickly infect any writable media). And if somehow this thing, or the next big virus/trojan, infects the BIOS by reflashing, even this is no good.

  • by Anonymous Coward

    My understanding is a re-install will not do anything if your MBR is infected. You need to re-write the MBR and/or do a low level format.

    • I believe most installs involve creating the MBR to inform it where the current OS and/or boot loader is.
  • It's an interesting problem. Can viruses and rootkits actually be removed, or not? If you fix the MBR and have some tool that claims to find and remove the rootkit is it actually gone, or do you always need to format and reinstall? Is there stuff, even non virus stuff, just floating around that's mucking up your system that nothing can get rid of? That seems unlikely in this day and age.

    Lots of people do a windows reinstall every year, I tend to ask: If windows is getting slow every year, well what are y

    • by Sancho ( 17056 ) *

      Can viruses and rootkits actually be removed, or not? If you fix the MBR and have some tool that claims to find and remove the rootkit is it actually gone, or do you always need to format and reinstall? Is there stuff, even non virus stuff, just floating around that's mucking up your system that nothing can get rid of? That seems unlikely in this day and age.

      Viruses have the upper hand because they come first. Although heuristic-driven antivirus has been around for a while, it's never been fully effective. So once the virus gets on the system, you can never know for sure that it's gone. The virus could simply be very effective at hiding itself from the virus scanner. It could be causing the virus scanner to report a status of "Updated" when, to the contrary, updates have not been applied in some time. Ultimately, if the virus is running at the highest priv

    • No. It is impossible to verify that a machine is virus-free. The presence of any malware indicates that the machine has been used in an insecure manner at some time in the past. The particular piece of malware that was discovered may have been used as a back door to install other malware on the machine (keyloggers, etc.), or may have been installed in that way itself. The purpose of antivirus software is to alert the user that at least one virus is present on the machine, and that it is time to backup c
      • by Anonymous Coward

        The purpose of antivirus software is to alert the user that at least one virus is present on the machine, and that it is time to reformat, and restore critical data from backup

        There, fixed that for you

      • by PNutts ( 199112 )

        The presence of any malware indicates that the machine has been used in an insecure manner at some time in the past.

        I disagree. A co-worker was bitten on his corporate PC when he visited The Drudge Report and I assume got nailed by a rogue ad server. Like everyone else, there are defenses at the firewall and Symantec on the PC. I'll also add that a zero-day or an exploit doesn't necessarily mean it was used insecurely, it's just not protected for that particular attack.

  • SMI

    (Someone, please, write a virus in a System Management Interrupt handler. Then people will start caring about NOT HAVING GIANT SECURITY HOLES IN THEIR SYSTEMS IN THE FIRST PLACE).

    • by lennier ( 44736 )

      SMI

      (Someone, please, write a virus in a System Management Interrupt handler. Then people will start caring about NOT HAVING GIANT SECURITY HOLES IN THEIR SYSTEMS IN THE FIRST PLACE).

      What! Next you will be saying that the USB standard shouldn't auto-install random device drivers and that we should have some kind of removable media devices that would always be perfectly safe to plug in and read because they'd only be a filesystem, even if you found them in the bathroom stall at a LulzSec convention. That'd be madness!

  • At first glance, to me this seems straightforward to fix. 1. Go into the BIOS, confirm the boot order is Optical Drive first (very important!). Perhaps even go to the extent of not including the HDD in the boot order, if possible. 2. Boot from Windows Recovery CD, clean the MBR 3. Boot from an AV Boot CD (plenty of free ones available) to run an offline scan to, um, root out the infection. The AV CD may also be able to fix the MBR. 4. Profit? Problems with above are sourcing clean Recovery CD and AV CD, and th
  • Comment removed based on user account deletion
    • Most people weren't granted an installation disc, and if with such a precious treasure in hand who knows if Microsoft will be so kind as to bless the installation as "genuine".
      • by PNutts ( 199112 )

        Most people weren't granted an installation disc, and if with such a precious treasure in hand who knows if Microsoft will be so kind as to bless the installation as "genuine".

        That doesn't make sense and is distressing to see on (I guess what used to be) a technical forum. If the OEM doesn't supply recovery discs then they provide a means for you to create them yourself, and yes they are all genuine. If the OEM doesn't do either then you should be concerned about the legitimacy of the OEM. But... One of the things I love about the Internet is that I expect there will be a number of examples posted to prove me wrong. :)

        • I've had instances where I've used the OEM (Dell) supplied install disk, on the original hardware, only for the online activation to fail, and had to ring the activation hotline (which is just a different kind of online activation, because it's a voice robot).

          Who's to say how long it is before the activation system just refuses to allow me to reinstall XP altogether?

  • fdisk /mbr

    Or use the mbr utility on the XP install CD.

    Or just use something other than Windows.

    I really am just stating the obvious!

  • According to numerous Windows MBR disassembly/reverse-engineering blogs, the first 300 bytes are the bootstrap executable code pushed into memory by Windows (000h through 012Bh). So in theory, can Microsoft just provide a boot image to boot off a USB thumb drive to restore system files (embedded bootstrap files only) and just overwrite the first 300 bytes of bootstrap code in the MBR and call it a day?

    I mean, this is chicken and the egg. You can't download BOOTREC.exe on a computer which seldom comes with instal
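
An added example, written for this page and not taken from the article, Microsoft's blog post, or any commenter: an offline MBR baseline checker covering the two points raised above, Skapare's warning that a running bootkit can intercept reads and writes of sector 0, and the question of whether the bootstrap bytes in the MBR can simply be compared against a known-good copy. The script parses a raw 512-byte dump of sector 0 and hashes only the bootstrap code region (bytes 0x000 to 0x1B7), leaving out the 4-byte disk signature at 0x1B8 and the partition table at 0x1BE so that one baseline digest covers every disk imaged from the same OS release; those offsets and the trailing 0x55AA signature are the standard MBR layout. Every sector image in the block is constructed for the demo, and the "clean" code is a short stand-in rather than a real Windows MBR dump. The check only tells you that the bootstrap code matches a baseline you trust; it is meant to be run after booting from read-only external media, and a match says nothing about what else the infection installed, which is the point the reinstall camp in this thread is making.

```python
"""Offline MBR baseline check: parse a 512-byte MBR image and compare its bootstrap
code against a known-good SHA-256 digest. Intended to be run from clean, read-only
boot media against the first 512 bytes read from the disk device; every image built
below is constructed for the demo, not a dump of a real disk."""
import hashlib
import struct

MBR_SIZE = 512
DISK_SIG_OFF = 0x1B8          # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE        # four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xAA"        # trailing boot signature at 0x1FE


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR image into bootstrap code, disk signature and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[0x1FE:0x200] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, _chs_s, ptype, _chs_e, lba_start, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code": sector[:DISK_SIG_OFF],
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only: the per-disk signature and partition table
    are excluded so one baseline covers every machine imaged from the same release."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def verify_boot_code(sector: bytes, expected_digest: str) -> bool:
    """True when the dumped sector's bootstrap code matches the trusted baseline."""
    return boot_code_digest(sector) == expected_digest


def changed_offsets(sector: bytes, reference: bytes) -> list:
    """Offsets inside the bootstrap code where the dump differs from the reference."""
    a = parse_mbr(sector)["boot_code"]
    b = parse_mbr(reference)["boot_code"]
    return [i for i in range(DISK_SIG_OFF) if a[i] != b[i]]


def build_mbr(boot_code: bytes, disk_sig: int, partitions: list) -> bytes:
    """Assemble a constructed MBR image for the demo (code, signature, table, 0x55AA)."""
    sector = bytearray(boot_code.ljust(DISK_SIG_OFF, b"\x00")[:DISK_SIG_OFF])
    sector += struct.pack("<I", disk_sig) + b"\x00\x00"
    for status, ptype, lba_start, count in partitions:
        sector += struct.pack(PART_ENTRY_FMT, status, b"\x00" * 3, ptype, b"\x00" * 3,
                              lba_start, count)
    sector += b"\x00" * (16 * (4 - len(partitions)))
    sector += BOOT_SIG
    return bytes(sector)


# Constructed stand-in for known-good bootstrap code: the opening instructions
# (xor ax,ax / mov ss,ax / mov sp,7C00h) followed by NOP filler. Not a real MBR dump.
CLEAN_CODE = bytes.fromhex("33c08ed0bc007c") + b"\x90" * 200
CLEAN_MBR = build_mbr(CLEAN_CODE, 0x1234ABCD, [(0x80, 0x07, 2048, 204800)])
BASELINE = boot_code_digest(CLEAN_MBR)   # the digest you would record from a trusted image

# Same bootstrap code, different disk signature and layout: should still match the baseline.
OTHER_DISK = build_mbr(CLEAN_CODE, 0xDEADBEEF,
                       [(0x80, 0x07, 2048, 102400), (0x00, 0x07, 104448, 409600)])

# Bootstrap code patched at offsets 4-6 (constructed): should fail and report the offsets.
TAMPERED_MBR = build_mbr(CLEAN_CODE[:4] + b"\xE9\x00\x01" + CLEAN_CODE[7:], 0x1234ABCD,
                         [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for name, img in [("clean", CLEAN_MBR), ("other disk", OTHER_DISK), ("tampered", TAMPERED_MBR)]:
        ok = verify_boot_code(img, BASELINE)
        detail = "" if ok else f" (code differs at offsets {changed_offsets(img, CLEAN_MBR)})"
        print(f"{name:10s} baseline match: {ok}{detail}")
```

Against a real disk you would replace the constructed images with the first 512 bytes read from the device while booted from trusted media, and take the baseline digest from a known-good install of the same Windows release rather than from the suspect machine.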

  • ...but, if we're going to reinstall anyway, why not drop fifty bucks on a NEW drive? When I do a rebuild for a customer, they get a new drive... or I don't take the job.
    • no way, $50 can buy a lot of groceries for the careful shopper. I use disks until they die (and no, I don't lose any data)
  • To switch to Linux Mint.

  • Maybe this is a naive question, but why not make the PC be OS-reinstallable at the push of a button? A ROM chip would contain the virgin OS, and if there are problems, you hook a backup device and the OS knows what are not OS files to backup, and then re-installs the OS from the ROM, and downloads the updates, and then copies the data from the backup device.

    I suppose if the OS is corrupt, it could lie about what's not an OS file. However, if MS didn't scatter data files/documents all over the place it would

    • Dealextreme has some really cheap PCI cards for this purpose. You can buy really expensive ones elsewhere, too.

      The backup, however, is stored on the same disk, so it's security by obscurity all over again.
