Windows Rootkit Requires Reinstall?

In a ComputerWorld article, Gregg Kaiser cites a Microsoft engineer as saying that the trojan Microsoft calls “Popureb” digs so deeply that the only way to eradicate it is to reinstall the operating system.

If you read the Microsoft blog, Feng didn’t actually say that this is the only way to eradicate the trojan. In fact, restoring a system to its factory state is wise advice for many infections. If the MS tool fixmbr can fix the MBR and the recovery CD and eradicate the trojan, then there are most definitely other programmatic means to remove the trojan, but that is not the whole picture.

When a malicious program that can download other programs is installed, it can install all kinds of other malicious programs, and there is no guarantee that any AV product in the world can detect all of them. The bad guys have the resources for quality control and can test their software to ensure that no product detects their malware initially. Using anti-virus means that you find what the product knows, not that you found everything.

If maximum system security is a high priority, then a restore to a known clean state is often the only assurance of a clean machine. The one critical piece of advice missing from both the blog and the ComputerWorld article is that when you clean up after such an infection, regardless of whether you disinfect or reinstall the OS, you have to use a new login password. If you keep other passwords on your computer in an unencrypted file, then you need to change all of those as well.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America

Author ESET Research, ESET

  • Tank Williams

    Gregg Kaiser is sounding the alarm to end users about a serious threat to their operating system, but even Randy Abrams didn't mention or care to point out this threat was made possible by the design defect built into Windows since Windows 95…. the bloody insecure method of executing icons, lnk files, etc… You know it would be easy to tag executable files, using digital signatures, to identify to the user who is responsible for that executable file… We don't even need to depend upon Microsoft's own signed files and certificates at all. The end user can sign its own files, and thus any file (executable) that isn't your own can pop up the identity of that signed file to question if you want to run it, and be given a choice to run it in a virtual environment that's isolated from the system…. sand box, etc…
    Trust must be earned, and Windows lets everyone toss anything at it…. as if everyone is trusted…. A database online could be established to check any executable hash, to see if everyone else trusted it to be safe… too!
    When you get the community feedback, this will lower the threats, and hackers will NOT be able as easily to trick end users into running their craft.
    Another design flaw is the leaf certificates, letting anyone sign a certificate, as an intermediate authority. SSL and encrypted websites can be attacked in this way too… Why should any program put at risk the whole operating system? No program needs system wide access anyhow… at least not administrator access.
    So in conclusion, Windows end users will see a more hostile environment if Windows isn't made to be more secure, rather than as an instrument of obscurity. A method of trust needs to be provided on the end user level, as we can see trusting from server side is one sided and lacks an ability to ensure what we access is safe on their end.
    Almost all the PC infections are stored on server sided machines… them websites hosted on servers! Even the email host the packets of data, they get redistributed by servers…. The PC client is usually the end point, where you get the damage….
    By giving the user the ability to assign trust, we could eliminate the majority of server sided malware. It's the same when you open your door at home, you would ask who is it, before opening right? When in doubt you call for help, so why shouldn't there be help online just for that?
     

  • Randy Abrams

    Rootkits originated in Unix. The methodologies you support work fairly well with a sophisticated user, but most users do not understand enough to make the proper decisions. Office 97 was the perfect example. Despite warnings that the document contained macros, users almost always chose to run them. Windows Vista, Windows 7 and Snow Leopard all put up dialog boxes before running a downloaded executable, but the average user doesn't understand the choice they are making and chooses to run the program. The operating systems are designed to run the programs in a less privileged role, but must allow users to run some programs as administrator and that is where social engineering is easy to use. Stuxnet code was digitally signed with a valid certificate. Windows generally restricts driver installation without such a cert, but no bullet-proof multi-purpose operating system has yet been designed. Ultimately there must be a combination of technology and education to arrive at the safest place, but don't forget, we are talking about crime and that has not been eradicated to date.

  • Esher

    "Using anti-virus means that you find what the product knows, not that you found everything."
    While this is true for the most part, heuristic scanning has come a long way, and as such not everything the program finds will be what it already knows. Heuristics in NOD32 for example are quite effective at detecting previously unknown variants and infections.
    A reinstallation of Windows, however, is always the best solution for a virus infection of any kind, no matter how severe or mild it may seem.
