Rootkit infection requires Windows reinstall, says Microsoft


13 replies to this topic

#1 Allan
  • BC Advisor

Posted 27 June 2011 - 05:22 PM

Computerworld - Microsoft is telling Windows users that they'll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine's boot sector.

A new variant of a Trojan Microsoft calls "Popureb" digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog.

Full Story here: http://www.computerworld.com/s/article/9217953/Rootkit_infection_requires_Windows_reinstall_says_Microsoft?taxonomyId=17

Thanks to RichieUK at Tweaks for bringing this to my attention.








#2 killerx525
  • Members

Posted 27 June 2011 - 05:36 PM

Holy Crap! Hopefully Griner has a solution to that.



#3 Hungry Man
  • Members

Posted 27 June 2011 - 05:41 PM

Actually they're telling them to system restore.

#4 Platypus
  • Global Moderator

Posted 27 June 2011 - 08:06 PM

It does seem to me that Computerworld are overstating the case in stating "A recovery disc returns Windows to its factory settings". It would be more correct to say "A recovery disc may return Windows to its factory settings". It also may not.

But neither is Microsoft simply advising system restore. The links at the bottom of Chun Feng's blog article discuss the possible recovery options, and in the context of the stated aim of "a pre-infected state", indicate that a recovery CD may constitute a manufacturer's full factory-state reversion, or Windows recovery options.

#5 Broni
  • BC Advisor

Posted 27 June 2011 - 09:05 PM

I hope this is a misquote:

"If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state," said Feng.

I tend to believe that "an engineer with the Microsoft Malware Protection Center (MMPC)" knows the difference between system restore and system recovery (to factory settings).

use a recovery CD to restore your system to a pre-infected state
The "green" part suggests a factory reset, the "blue" part indicates system restore.
Can't be both for Pete's sake.



#6 Broni
  • BC Advisor

Posted 27 June 2011 - 09:08 PM

Then, nothing new....
We already know some types of infection which are not curable, like Virut or Sality. Reinstalling Windows is the only option.
We also know that with some types of infections, like backdoor trojans, a cure is possible, but it'll never guarantee 100% computer safety.



#7 Platypus
  • Global Moderator

Posted 28 June 2011 - 12:48 AM

system restore.
Can't be both for Pete's sake.

Depends whether a particular system has a Recovery disc that is manufacturer set to revert to factory condition, or a Windows Recovery disc.

You have to follow through the links at the bottom of the article - MS says:

"Note

If your computer does not include the System Recovery Options menu, your computer manufacturer might have provided other recovery options. Check the information that came with your computer or go to the manufacturer's website for more information."

Whilst a manufacturer's recovery disc may only revert to factory state, the Windows Recovery Options include Startup Repair, System Restore and Complete PC Restore(Vista)/System Image Recovery(7).

I suspect the Computerworld article was created without fully investigating these Windows System Recovery options before they defined what a Recovery Disc would do.

Edited by Platypus, 28 June 2011 - 12:52 AM.


#8 cryptodan
  • Members

Posted 28 June 2011 - 06:49 AM

It also depends on the context of the words chosen, and their meanings:

As seen here:
Main Entry: recovery
Part of Speech: noun
Definition: the act of returning to normal
Synonyms: improvement, improving, readjustment, reconstruction, recreation, reestablishment, reformation, rehabilitation, reinstatement, replacement, restoration, resumption, return

From:
http://thesaurus.com/browse/recovery

So in a way the words chosen by this engineer are correct.


Below is for the B variant of this malware.
According to this: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Popureb.B

You can use the following http://www.microsoft.com/security/scanner/en-us/default.aspx to fix it.

Edited by cryptodan, 28 June 2011 - 07:05 AM.


#9 Allan
  • Topic Starter
  • BC Advisor

Posted 28 June 2011 - 07:06 AM

Keep in mind we are talking about an infection of the Master Boot Record. Boot sector viruses are VERY rare, but unquestionably among the most dangerous and difficult to address. While I'm by no means a malware expert, I'm fairly well informed on the subject. My recommendation for anyone infected with a boot sector virus has always been a low level format and a reinstallation of the OS. But as I said, I'm not a malware expert.

#10 Elise
  • Malware Study Hall Admin

Posted 28 June 2011 - 08:00 AM

Keep in mind we are talking about an infection of the Master Boot Record. Boot sector viruses are VERY rare,

First of all, MBR (Master boot record) and boot sector are two different things.

MBR infections are very common these days and pretty easy to fix, although the security implications (backdoor capability) are another story.
The following quote from the originally linked article makes me think the authors have mixed up boot sector and MBR:

"If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state," said Feng.

In other words, they are talking about an MBR rootkit, which is really nothing new; MBR rootkits nowadays can infect both 32 bit and 64 bit versions of Windows and are as common as other malware.

Microsoft's malware encyclopedia provides zero useful information as to what we are dealing with exactly.

My recommendation for anyone infected with a boot sector virus has always been a low level format and a reinstallation of the OS.

I agree with this; I would never trust a Windows installation that has had any rootkit infection, and I always recommend others I'm helping to consider a complete reformat and reinstall.

regards, Elise



Malware analyst @ Emsisoft


#11 Allan
  • Topic Starter
  • BC Advisor

Posted 28 June 2011 - 08:11 AM

Keep in mind we are talking about an infection of the Master Boot Record. Boot sector viruses are VERY rare,

First of all, MBR (Master boot record) and boot sector are two different things.


semantics :)
http://www.dewassoc.com/kbase/hard_drives/master_boot_record.htm

#12 Platypus
  • Global Moderator

Posted 28 June 2011 - 09:20 AM

semantics

Important semantics... :)

The MBR is a data structure, a boot sector is a physical location. A boot sector virus for example may not be in the MBR.

#13 Allan
  • Topic Starter
  • BC Advisor

Posted 28 June 2011 - 09:31 AM

It depends on whether or not it is the active partition. Here is the explanation from MS: http://support.microsoft.com/kb/140418
But I really do think we're getting into semantics here and taking this a little off track.
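The distinction drawn in the two posts above (the MBR as a 512-byte data structure whose partition table carries an "active" flag, versus the boot sector of a partition as a separate physical location on disk) is easy to see in code. The following Python is an added example, not code from any poster, from Microsoft or from the KB article linked above; the sample MBR bytes and the "known-good" digest are constructed here purely for illustration. It parses the partition table, locates the active partition's own boot sector, and compares the MBR bootstrap code against a reference hash, which is the kind of integrity check a defender uses to notice that the bootstrap code has changed from what was there at install time.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code run by the BIOS
PARTITION_TABLE_OFF = 446      # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511: MBR signature
ENTRY_FMT = "<B3sB3sII"        # status, CHS first, type, CHS last, LBA start, sector count


@dataclass
class PartitionEntry:
    index: int
    bootable: bool      # status byte 0x80 marks the active partition
    type_id: int        # e.g. 0x07 for NTFS
    lba_start: int      # first sector of the partition (its own boot sector lives here)
    sector_count: int


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four partition-table slots of a 512-byte MBR, skipping empty ones."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _chs_first, ptype, _chs_last, lba_start, count = struct.unpack_from(ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue  # unused slot
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba_start, count))
    return entries


def active_partition(mbr: bytes) -> Optional[PartitionEntry]:
    """The partition whose boot sector the MBR code would normally chain-load."""
    active = [e for e in parse_partition_table(mbr) if e.bootable]
    return active[0] if active else None


def volume_boot_sector_offset(entry: PartitionEntry) -> int:
    """Byte offset on disk of the partition's own boot sector: not the MBR, a different sector."""
    return entry.lba_start * SECTOR_SIZE


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only (partition table and signature excluded)."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def boot_code_changed(mbr: bytes, known_good_digest: str) -> bool:
    """True when the bootstrap code no longer matches the reference taken at install time."""
    return boot_code_digest(mbr) != known_good_digest


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: one active NTFS partition (type 0x07) starting at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    empty_slots = bytes(16) * 3
    return code + entry + empty_slots + BOOT_SIGNATURE


# Constructed inputs: a "clean" MBR, the reference digest taken from it,
# and a second MBR whose bootstrap code differs while the partition table is identical.
CLEAN_MBR = build_sample_mbr(b"CONSTRUCTED-CLEAN-BOOT-CODE")
KNOWN_GOOD = boot_code_digest(CLEAN_MBR)
MODIFIED_MBR = build_sample_mbr(b"CONSTRUCTED-MODIFIED-BOOT-CODE")


if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("modified", MODIFIED_MBR)):
        act = active_partition(mbr)
        print(f"{label}: active partition type 0x{act.type_id:02x} at LBA {act.lba_start}, "
              f"its boot sector at byte offset {volume_boot_sector_offset(act)}, "
              f"bootstrap code changed: {boot_code_changed(mbr, KNOWN_GOOD)}")
```

The point the two checks make together: the partition table in both samples is byte-for-byte identical, so a tool that only validates the table and the 0x55AA signature reports nothing, while hashing the 446-byte bootstrap region against a reference captured from a clean system catches the change. The same read can be taken on a real disk from a raw device (for example the first 512 bytes of the physical drive), but the reference digest must come from that machine's own known-clean state, since bootstrap code varies between Windows versions and OEM images.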

#14 Elise
  • Malware Study Hall Admin

Posted 30 June 2011 - 12:19 PM

Microsoft has now updated its advisory according to TheRegister

Microsoft has since updated its advisory to provide more detailed clean-up information. Separately Redmond has been in touch to say that, contrary to media reports of the problem, users won't need to re-install Windows.


Microsoft's Malware Protection Center about Popureb-E

regards, Elise






