Microsoft Says Reinstall Overkill In Removing Rootkit
CWmike writes "Microsoft has clarified the advice it gave users whose Windows PCs are infected with a new, sophisticated rootkit dubbed Popereb that buries itself on the hard drive's boot sector, noting Wednesday that a complete OS reinstall is not necessary. 'If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state,' MMPC engineer Chun Feng wrote in an updated blog entry. Feng provided links to instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7. Once the MBR has been scrubbed, users can run antivirus software to scan the PC for additional malware for removal, Feng added. Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees. Joe Stewart, director of malware research at Dell SecureWorks, said, 'Once you're infected, the best advice is to [reinstall] Windows and start over ... [MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position.' MBR rootkit malware is among the most advanced of all threats."
When in doubt... (Score:1)
Re: (Score:2)
It's starting to get time for the yearly reinstall anyway. My Windows is getting slow, and a reinstall really clears things up.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
You know, I talk a good game about Linux, but I do an install of Ubuntu just about every 6 months...
Alright, to be fair, it's closer to annual. I think they know they have to deal with the LTS releases longer and they have seemed more stable to me. That's why they did Unity right AFTER the last LTS, to give them several tries to get it right before 12.04...
Upgrade not install (Score:1)
YMMV but I've never reinstalled Ubuntu since Feisty Fawn (2007.04). My Debian rolling upgrade cycle, which consists of tracking a mix of testing/unstable, would have gone back to the turn of the millennium if not for the migration to AMD64. Sadly Debian didn't allow a bootstrap upgrade from i386 to AMD64. The only problem I had in all those years was fixing a bad Grub boot-loader config.
Re: (Score:2)
Your update cycle is shorter than my uptimes.
A modern Linux distro ought to be able to just update with a quick shuffle of the sources.list and an apt-get update ;; apt-get dist-upgrade every new release.
The lack of mysteriousness under the hood of a Linux box (it's just a kernel with some drivers, some libraries, X and a desktop manager really) means that there's really not a pressing reason to ever reformat and reinstall unless you've utterly monged the filesystem, and even that's pretty hard to do these days.
Re: (Score:2)
Technically, no. I could just do the dist-upgrade, but, I hate to say it, there are often little 'gotchas'. I have two Ubuntu partitions going on my drive. One is generally my stable setup, the other the latest build of the upcoming release. I jump back and forth between them trying things out.
The gotchas have been diminishing, too, since Ubuntu is so popular distributors who care about Linux at all tend to stay on top of the new releases. For a while, each new release was an adventure with the video card d
Re: (Score:2)
"It was around 9.10 that I felt like 64 bit had enough support"
I guess we have different ideas on that. When I bought my first 64 bit Opteron, I decided that I was going to run a 64 bit OS, come hell or high water. At that point in time, nothing wanted to work out of the box. I experimented with everything that I could find an ISO for. Many of the problems were over my head, and unsolvable. Then, I stumbled over a Suse release that "just worked" - everything was detected, everything worked, including m
Re: (Score:3)
The benefit of regular reinstalls ended with Windows ME.
No, it didn't. Windows 7 is definitely working better for me, but XP required the yearly reinstall just like all the previous Win OS's.
Re: (Score:2)
but XP required the yearly reinstall just like all the previous Win OS's.
No, it didn't. I ran XP for years without a reinstall. For that matter, I ran 98 for years without a reinstall. You're doing it wrong.
Re: (Score:2)
Okay, what am I doing wrong?
Re: (Score:1)
Re: (Score:2)
I think you're right. Registry rot....
I've noticed my Windows installs last a lot longer when I use portable apps. (i.e. apps that don't require an install.)
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Or run PageDefrag by Sysinternals (now Microsoft). Free, and if set to run with no delay at every XP boot it adds a barely noticeable delay.
Re: (Score:2)
Just a thought... although I agree, if you install and then do not use Windows it will remain clean and fresh, well, almost forever.
Oh, you mean you want to USE the operating system? Well, that's not recommended. Of course you'll get infected and sooner or later break things if you actually use it.
rgb
(My own favorite way to keep Windows clean is to run i
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Give us Windows users credit, we are trained to back up our data!
Re: (Score:2)
Full Disk Erase is exactly what you do.
On Windows, you have no idea what the rootkit did while it was active on your system. It probably messed with your registry and opened up back doors for either reinfection or eavesdropping. And I'll guarantee it nuked your system restore so you can't roll the settings back.
External Hard drives are cheap. Windows 7 has a good and easy to set up backup. Back it up with a system image at least once a month and keep it disconnected once you backup. If you get infected, wip
I agree (Score:2)
Uninstalling is all that's needed.
*ducks*
Edit this shit timothy! (Score:5, Insightful)
Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees.
Redundant much? Could the "editors" possibly make themselves look any more lazy and incompetent if they tried?
Re: (Score:3)
Could the "editors" possibly make themselves look any more lazy and incompetent if they tried?
Challenge Accepted?
Re: (Score:2)
Not to mention the "Popereb" and "Popureb" inconsistency.
Re: (Score:3)
Maybe what he's trying to say is this:
1. Several researchers agree with Microsoft.
2. A noted botnet expert disagrees with Microsoft.
3. A (different) internationally-known botnet expert disagrees with the noted botnet expert, thereby agreeing with Microsoft.
Okay, not likely. I should know better than to try to defend Slashdot "editors", who are only marginally more useful than the Slashdot programmers, who I noticed have changed the header and footer of the comment section, and in doing so broke the "post an
Re: (Score:1)
Re: (Score:2)
More like Microsoft corrected the once-again incorrect Slashdot headlines, which misquoted them. The original statement referred to restoring the MBR, then performing a system recovery; the headline indicated "REFORMAT ZOMG".
Linkadoddledo. (Score:1)
... and also all links in the thread (which were partly broken before, but now they're completely broken).
Double right click gives me a context menu in Firefox 5. Right click and middle click work normally in MSIE 9.
Re: (Score:2)
Try:
1. Several researchers agree with Microsoft
2. A noted botnet expert is not so sure
3. Another, Dell, botnet expert is entirely sure that he disagrees
Re: (Score:2)
So then maybe the editors should actually "edit" the articles so they don't look so lazy and stupid?
a 'gotcha,' when it was misreported to begin with (Score:5, Informative)
ms never said to re-install windows in the first place, headlines on sites like slashdot mis-reported it to begin with. from slashdot's summary:
"'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."
the summary blurted that the recovery disc returns Windows to its factory settings, and left out how it also is the boot environment for restoring from windows backups, which Feng was clearly talking about ("restore your system to a pre-infected state").
Re: (Score:3)
"'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng.
If your recovery CD is pre-infected, then surely you're screwed anyway?
Re: (Score:2)
If your recovery CD is pre-infected, then surely you're screwed anyway?
Does that mean the plastic they make a CD from is infected?
Re: (Score:2)
No, it refers to a number of OEM's fucktard tendency to give people a 'recovery CD' that reimages the system as it was when they bought it, instead of proper OS install disks.
Re: (Score:2)
Yesterday (Score:2)
Yesterday it was Poperub. Now it's either Popereb or Popureb.
You think a computer is going to find the thing when nobody can even decide what string matches its name in the 'sploit DB?
Re: (Score:1)
Good practice anyway (Score:1)
I reinstall both my Windows desktop and Linux laptop every year. Keeps them clean and removes a lot of crap (not just viruses, but old unwanted programs).
Re: (Score:1)
Despite that, I've been running my install of Win7 for over a year now, practice general maintenance, and it's still running as smooth as ever. Having to re-install an OS every year is either the sign of a poorly designed OS or just plain laziness.
Re: (Score:2)
I have to say I've never actually reinstalled Linux on a computer. Once it goes on, it stays for years.
Re: (Score:2)
Re: (Score:2)
I haven't used Linux on my home machine much at all for a couple years, but when I used it more I used Gentoo. A bit less than 5 years ago I managed to mess up Portage enough that I couldn't get Emerge to do anything (except complain a lot), so I gave up and reinstalled. It can definitely happen, even if you know your way around pretty well.
Re: (Score:2)
Keeps them clean and removes a lot of crap (not just viruses, but old unwanted programs).
I use Portable Apps wherever possible. (I think the address is portableapps.com, I am not affiliated.) Basically they're just apps that are compressed into a self extracting file. You extract them and they just run, no installation needed. This means after a reinstall (or new computer) I still have my browsers with bookmarks, text/script editors, and a handful of other things I use a lot. When I get a laptop or something I just copy the files over to that machine and I'm running over there, too.
This p
Re: (Score:2)
Until the portableapps gets hit by sality, that is.
I'm not going to link resources on Sality, as the new Slashdot wouldn't let you click them anyway. Seriously, how hard is it to keep the website working in at least ONE of the major browsers?
Re: (Score:2)
Reinstalling doesn't remove all viruses:
*The MBR can be infected, surviving reinstalls. This is the type of infection popureb is, in fact.
*downloaded drivers may remain infected, as may any other executable content that you neglect to re-download. (Sality is a common virus that seeks out and infects every binary it can find)
Luckily for you, these two types of virus are incredibly common.
Re: (Score:2)
I managed to keep both ticking over for over seven years, including cleaning up a couple of windows infections. Best way to keep a windows installation going is to dual boot with Linux and use that Linux boot to do the final repairs and clean up as well as quick simple software backups from the windows partition to the safer Linux controlled partitions.
Poor old stale piss (XP even M$ hates it ~ now) seems to have survived the years and been reasonably reliable as long as you keep a Linux boot on system f
Re: (Score:2)
I feel sorry for you. However I try to balance the statistics by updating/upgrading the same system since something like 2003, when I scrapped my previous system that was maintained since 1996.
Eyeroll (Score:5, Informative)
So advanced, it's been around for 25 years. Boot sector manipulation is like the flint arrowhead of virus tech.
http://www.f-secure.com/v-descs/brain.shtml [f-secure.com]
Re: (Score:3)
So advanced, it's been around for 25 years.
Non sequitur. Just because something is old does not preclude it from being advanced, or the "most advanced" of whatever category you are talking about.
Re: (Score:3)
Your average Clovis point arrowhead is a pretty advanced bit of stoneworking too: see what I did there? But the point is that if something's been around as long as flint arrows or boot sector viruses, we've usually come up with a good defense against it.
Re: (Score:2)
But the point is that if something's been around as long as flint arrows or boot sector viruses, we've usually come up with a good defense against it.
Yes, and in both cases, the best defence is still generally 'don't get hit with one'.
Never underestimate the power of primitive attacks to overcome sophisticated defences.
Re: (Score:2)
But the point is that if something's been around as long as flint arrows or boot sector viruses, we've usually come up with a good defense against it.
Yes, and in both cases, the best defence is still generally 'don't get hit with one'.
Never underestimate the power of primitive attacks to overcome sophisticated defences.
The best defence is a good offence. So go find a shifty-looking programmer and punch him in the face.
Re: (Score:2)
Those "spear chuckers" don't use radar to detect enemy craft, therefore your stealth capability is useless against them.
Plus, they obviously have a rocket science geek amongst them. Those spears, they're just not natural, I tells ya!
Ahh Civ, how I love thee.
Re: (Score:2)
Most malware is made up of compiled assembly language instructions. I guess that means there are no advanced viruses, since they had compiled assembly language instruction-based viruses 25 years ago.
See what I did there?
Modern bootkits remain quite advanced, combining MBR manipulation with hidden partitions running special, encrypted filesystems, downloading instructions from a P2P network guarded with public key cryptography all the while cloaking its activity from detection by all but the most advanced d
Re: (Score:1)
Re: (Score:2)
But most of the old ones were designed for DOS, which was easy since it called the BIOS. Injecting a rootkit into a modern OS beginning with MBR code is not nearly as easy.
Re: (Score:2)
The difference is that now we have VT and a rootkit can meaningfully hide from the OS...
Re: (Score:2)
You look around. To your NORTH, you see a LARGE WALL OF CAPITALIZED TEXT. You figure that someone got OVEREXCITED in their Slashdot post, and didn't stop to think that it MAKES THEM LOOK LIKE A SPAZ.
What do you do?
> set fire to text
Luckily the text is made of wood, and burns HOTTER THAN THE GRITS ON NATALIE PORTMAN.
Re: (Score:2)
Maybe because your post reads like the ravings on the label of Dr. Bronner's soap.
http://web.mit.edu/afs/athena.mit.edu/user/d/r/dryfoo/www/Spritz-yule/bronner.html [mit.edu]
The only way to be sure... (Score:2, Insightful)
Like someone said, "Nuke 'em from orbit."
In that case, I'd only save whatever key files I had (pics, MP3's) scanning them as they go, then completely FDISK /mbr , delete and recreate the partition(s), and reformat the drive. Reinstall Winder from a slipstreamed CD, and let 'er rip. I've only had to do this a handful of times for others. So far, so good in practicing SAFE HEX, I haven't had a machine I've owned get infected, yet.
Obligatory response, but I cannot help myself (Score:2, Insightful)
I haven't had a machine I've owned get infected, yet, that I know about.
There, fixed that for you. But seriously, not all viruses make a lot of ruckus. Some of the most sinister are those that remain hidden and just copy files and activity that look salable. Another are botnets that only do their activity at night or stay tightly throttled.
Sort of off-topic but I could use some advice (Score:2)
How does one do a repair install if Windows 7 won't boot?
It seems silly to restrict repair installs to cases where the OS can boot anyway.
Re: (Score:2)
How does one do a repair install if Windows 7 won't boot?
Boot off your recovery DVD? You did make one, right?
Actually I have no idea if 'recovery media' these days are even bootable. Back in the day, we used to get real Windows install disks with our computers. No lie! They just handed 'em out in the box like they were candy, or at least not radioactive contraband which mere users couldn't be trusted to touch.
Re: (Score:1)
Re: (Score:2)
You don't need a repair install to fix the MBR. You only need the recovery console.
after rootkit infection, don't trust your system (Score:1)
It is standard security practice after a rootkit infection to NOT trust your system anymore. You never know what kind of shit is installed.
Virus scanners are nice, but work mostly on signatures and will not likely detect viruses which aren't in the signature database. Heuristics are still not good enough.
You cannot guarantee that the system is 100% clean.
Reinstallation is therefore a necessary step in the process.
Is the MBR really clean? (Score:4, Informative)
The infection code can simply intercept all the I/O taking place and prevent the MBR from being cleaned, while also making it look like it has (by intercepting the reads, too). You need to boot from non-writable external media to be sure (non-writable just in case you accidentally boot into the hard drive, which will quickly infect any writable media). And if somehow this thing, or the next big virus/trojan, infects the BIOS by reflashing, even this is no good.
Re: (Score:2)
Psst: the Windows recovery console is run from a CD or USB stick.
re-install will not fix infected MBR (Score:1)
My understanding is a re-install will not do anything if your MBR is infected. you need re-write the MBR and or do a low level format.
Re: (Score:2)
So can an AV actually fix something?.... (Score:2)
It's an interesting problem. Can viruses and rootkits actually be removed, or not? If you fix the MBR and have some tool that claims to find and remove the rootkit, is it actually gone, or do you always need to format and reinstall? Is there stuff, even non-virus stuff, just floating around that's mucking up your system that nothing can get rid of? That seems unlikely in this day and age.
Lots of people do a windows reinstall every year, I tend to ask: If windows is getting slow every year, well what are y
Re: (Score:3)
Can viruses and rootkits actually be removed, or not? If you fix the MBR and have some tool that claims to find and remove the rootkit is it actually gone, or do you always need to format and reinstall? Is there stuff, even non virus stuff, just floating around that's mucking up your system that nothing can get rid of? That seems unlikely in this day and age.
Viruses have the upper hand because they come first. Although heuristic-driven antivirus has been around for a while, it's never been fully effective. So once the virus gets on the system, you can never know for sure that it's gone. The virus could simply be very effective at hiding itself from the virus scanner. It could be causing the virus scanner to report a status of "Updated" when, to the contrary, updates have not been applied in some time. Ultimately, if the virus is running at the highest priv
Re: (Score:2)
Re: (Score:1)
The purpose of antivirus software is to alert the user that at least one virus is present on the machine, and that it is time to reformat, and restore critical data from backup
There, fixed that for you
Re: (Score:2)
The presence of any malware indicates that the machine has been used in an insecure manner at some time in the past.
I disagree. A co-worker was bit on his corporate PC when he visited The Drudge Report and, I assume, got nailed by a rogue ad server. Like everyone else, we have defenses at the firewall and Symantec on the PC. I'll also add that a zero-day or an exploit doesn't necessarily mean it was used insecurely; it's just not protected for that particular attack.
Three letters: (Score:2)
SMI
(Someone, please, write a virus in a System Management Interrupt handler. Then people will start caring about NOT HAVING GIANT SECURITY HOLES IN THEIR SYSTEMS IN THE FIRST PLACE).
Re: (Score:2)
SMI
(Someone, please, write a virus in a System Management Interrupt handler. Then people will start caring about NOT HAVING GIANT SECURITY HOLES IN THEIR SYSTEMS IN THE FIRST PLACE).
What! Next you will be saying that the USB standard shouldn't auto-install random device drivers and that we should have some kind of removable media devices that would always be perfectly safe to plug in and read because they'd only be a filesystem, even if you found them in the bathroom stall at a LulzSec convention. That'd be madness!
Offline AV scan and repair? (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Most people weren't granted an installation disc, and even with such a precious treasure in hand, who knows whether Microsoft will be so kind as to bless the installation as "genuine".
That doesn't make sense and is distressing to see on (I guess what used to be) a technical forum. If the OEM doesn't supply recovery discs then they provide a means for you to create them yourself, and yes, they are all genuine. If the OEM doesn't do either then you should be concerned about the legitimacy of the OEM. But... One of the things I love about the Internet is that I expect there will be a number of examples posted to prove me wrong. :)
Re: (Score:2)
I've had instances where I've used the OEM (Dell) supplied install disk, on the original hardware, only for the online activation to fail, and had to ring the activation hotline (which is just a different kind of online activation, because it's a voice robot).
Who's to say how long it is before the activation system just refuses to allow me to reinstall XP altogether?
Dos boot disk (usb) (Score:2)
fdisk /mbr
Or use the mbr utility on the XP install CD.
Or just use something other than Windows.
I really am just stating the obvious!
why not boot image instead of BOOTREC.exe? (Score:2)
According to numerous blogs with disassembled, reverse-engineered Windows MBRs, the first 300 bytes are the bootstrap executable code pushed into memory by Windows (000h through 012Bh). So in theory, can Microsoft just provide a boot image to boot off a USB thumb drive to restore system files (embedded bootstrap files only), overwrite the first 300 bytes of bootstrap code in the MBR, and call it a day?
I mean, this is chicken and the egg. You can't download BOOTREC.exe on a computer which seldom comes with instal
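The two posts above, the one warning that an active bootkit can intercept disk reads and writes so the MBR has to be examined from media the infection does not control, and the one asking which bytes of the MBR the bootstrap code occupies, come down to the same task: read sector 0 from an offline boot environment and compare it with a known-good copy. The Python below is an added example written for this page; it is not Microsoft's tool and not any commenter's code. It uses the standard MBR layout (boot code from offset 0 up to the 4-byte disk signature at 0x1B8, four 16-byte partition entries at 0x1BE, the 0x55AA boot signature at 0x1FE). The sample sectors, disk size, bootstrap bytes and the reference hash are constructed for the demonstration; in practice the reference would come from a clean image of the same machine or from the MBR the installer writes.

```python
import hashlib
import struct
from typing import List

SECTOR = 512
BOOTSTRAP_LEN = 440     # 0x000-0x1B7: boot code region that gets hashed
DISK_SIG_OFF = 0x1B8    # 4-byte disk signature used by Windows
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE    # 0x55 0xAA
GAP_THRESHOLD = 2048    # sectors; a 1 MiB alignment gap is normal, anything larger is worth a look


def parse_mbr(sector: bytes) -> dict:
    """Return the fields of one raw 512-byte MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for i in range(4):
        # entry: status, CHS start (3 bytes, ignored), type, CHS end (ignored), LBA start, LBA length
        status, ptype, lba_start, lba_len = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "lba_len": lba_len})
    return {
        "valid_boot_signature": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
    }


def check_mbr(sector: bytes, reference_sha256: str, disk_sectors: int) -> List[str]:
    """Compare a sector read from offline media against a known-good reference.

    Returns a list of findings; an empty list means nothing looked wrong.
    """
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["valid_boot_signature"]:
        findings.append("boot signature 0x55AA missing")
    if mbr["bootstrap_sha256"] != reference_sha256:
        findings.append("bootstrap code differs from reference")
    # Walk the partition table in LBA order looking for overlaps, out-of-range
    # entries and large unallocated regions (a classic place to park a hidden partition).
    ranges = sorted((p["lba_start"], p["lba_start"] + p["lba_len"]) for p in mbr["partitions"])
    cursor = 1  # sector 0 is the MBR itself
    for start, end in ranges:
        if start < cursor:
            findings.append(f"partition overlap at LBA {start}")
        elif start - cursor > GAP_THRESHOLD:
            findings.append(f"unallocated region LBA {cursor}-{start - 1}")
        if end > disk_sectors:
            findings.append(f"partition extends past disk end (LBA {end})")
        cursor = max(cursor, end)
    if disk_sectors - cursor > GAP_THRESHOLD:
        findings.append(f"unallocated region LBA {cursor}-{disk_sectors - 1}")
    return findings


def _build_mbr(bootstrap: bytes, entries, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed MBR for the demonstration (not a real Windows image)."""
    sec = bytearray(SECTOR)
    sec[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", sec, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, start, length) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sec, PART_TABLE_OFF + 16 * i, status, ptype, start, length)
    sec[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sec)


# Constructed 10 GiB disk: a 100 MiB boot partition followed by one filling the rest.
DISK_SECTORS = 20971520
CLEAN_BOOTSTRAP = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100  # typical prologue + NOP filler, constructed
CLEAN_MBR = _build_mbr(CLEAN_BOOTSTRAP,
                       [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 20764672)])
REFERENCE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOTSTRAP_LEN]).hexdigest()  # stands in for a clean-image hash

# Tampered copy: boot code patched, second partition shortened to leave a hidden 2 MiB tail.
TAMPERED_MBR = _build_mbr(b"\xEB\xFE" + CLEAN_BOOTSTRAP[2:],
                          [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 20760576)])

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sec, REFERENCE_SHA256, DISK_SECTORS) or ["no findings"])
```

Feed it the first 512 bytes of a raw device image taken from a live CD or USB boot (the output of dd, for instance), not a read issued through the running Windows instance, since an active bootkit can return a clean-looking sector to any read it sees. The unallocated-region check is a heuristic: a gap larger than the usual 1 MiB alignment is a region to image and inspect, not proof of a hidden partition.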
I know times are tough... (Score:1)
Re: (Score:2)
Yet another reason: (Score:2)
To switch to Linux Mint.
Auto-reinstall-OS? (Score:2)
Maybe this is a naive question, but why not make the PC be OS-reinstallable at the push of a button? A ROM chip would contain the virgin OS, and if there are problems, you hook a backup device and the OS knows what are not OS files to backup, and then re-installs the OS from the ROM, and downloads the updates, and then copies the data from the backup device.
I suppose if the OS is corrupt, it could lie about what's not an OS file. However, if MS didn't scatter data files/documents all over the place it would
Re: (Score:2)
Dealextreme has some really cheap PCI cards for this purpose. You can buy really expensive ones elsewhere, too.
The backup, however, is stored on the same disk, so it's security by obscurity all over again.
Re: (Score:1)
No, not that I remember. I DO remember the old BIOS viruses that would rewrite the BIOS or otherwise brick the machine. The difficulty of doing so made them not very widespread. EFI, on the contrary, makes it very easy for a virus/trojan etc. to embed itself in the EFI. If EFI becomes widespread then you will not only have to have a Windows anti-virus if you run Windows, but also an EFI anti-virus for all OSes.
Re: (Score:2)
Re: (Score:2)
"As for TFA, how long before the user CAN'T restore, simply because the cheap bastard OEMs use "restore partitions" which the bug should be able to get at?"
Saw that, in real life. The wife's first Athlon from Compaq had that restore partition. She got infected, and I tried to fix things for her. It took me a few tries, before I figured out that not only had the virus replicated itself to the system restore points, but had also gotten into that restore partition. The only option was to nuke and reinstall
Re: (Score:2)
I think that's only effective when you are calling the BIOS for disk access (int 19 or int 13, i forget specifically.) If you have your own device driver that accesses the hardware directly that kind of protection doesn't work.
Re: (Score:2)