While not broadly publicized, Microsoft has developed a tool to remove rootkits and other advanced malware from systems running these versions of the Windows operating system: Windows XP Service Pack 3; Windows Vista (RTM, Service Pack 1, Service Pack 2, or higher); Windows 7 (RTM, Service Pack 1, or higher), in both 32-bit and 64-bit editions. The tool is called “Microsoft Standalone System Sweeper Beta.” It looks like it has been designed for use by support personnel.
Thank you for contacting Microsoft Support. You have been directed here to download and install the beta version of Microsoft Standalone System Sweeper Beta, a recovery tool that can help you start an infected PC and perform an offline scan to help identify and remove rootkits and other advanced malware. In addition, Microsoft Standalone System Sweeper Beta can be used if you cannot install or start an antivirus solution on your PC, or if the installed solution can’t detect or remove malware on your PC.
Microsoft Standalone System Sweeper Beta is not a replacement for a full antivirus solution providing ongoing protection; it is meant to be used in situations where you cannot start your PC due to a virus or other malware infection.
I haven’t tried it out yet, but it’s probably a good idea to download and build bootable media for both the 32-bit and 64-bit editions.
If anyone tests this before I do, please leave a comment.
Using Windows XP as a testbed, AV-Test pitted MSE against 545,000 current computer worms, viruses, backdoors, bots and Trojan horses; MSE detected more than 98 percent. It detected just over 90 percent of adware and spyware samples and excelled at detecting and removing rootkits.
My experience with MSE so far mirrors the company’s claims that the program “…runs quietly and efficiently in the background so that you are free to use your Windows-based PC the way you want—without interruptions or long computer wait times.”
Any way you look at it, MSE is a game changer. While it’s currently only available as a downloadable add-on to Windows, I doubt it will be long before it comes bundled with the OS on new PCs. When that happens, the AV giants are going to find themselves hard pressed to come up with legitimate reasons for someone to purchase their products.
MBRTool is a freeware DOS program designed to back up, restore, and manipulate your hard disk’s MBR. The latest version includes a boot disk builder that will allow you to create a diskette or bootable CD/DVD, making it ideal for recovering from a Mebroot infection. If you are sure the target machine is clean, or you have a clean image that you can restore, you simply use MBRTool to make a backup of the valid MBR. In the event of infection, use the boot disk to start the machine and restore the valid MBR. Bye, bye, Mebroot!
Going beyond simple recovery, you could use MBRTool to make a copy of an infected MBR and examine it, comparing its code against known Mebroot variants. But be careful: you don’t want that infected MBR to get away from you.
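The backup-and-compare workflow above boils down to one check: has the boot-code region of the MBR changed since the known-good copy was taken? The script below is an added example, not part of MBRTool; it works on a 512-byte MBR image file (on a live Linux host that image would come from reading the first sector of the disk) and the test image it expects is constructed, not taken from a real machine.

```shell
#!/bin/sh
# Added example: snapshot the 446-byte boot-code region of an MBR image and
# later verify it against that snapshot. Assumes GNU coreutils (od, head,
# sha256sum) on a little-endian host, which is what od's -tu4 relies on.

# mbr_signature_ok IMAGE: the last two bytes of a valid MBR are 55 AA.
mbr_signature_ok() {
    sig=$(od -An -tx1 -j 510 -N 2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# mbr_bootcode_hash IMAGE: SHA-256 of bytes 0..445 only, so a legitimate
# repartitioning (which rewrites the table at 446..509) leaves it unchanged.
mbr_bootcode_hash() {
    head -c 446 "$1" | sha256sum | cut -d' ' -f1
}

# mbr_partition_summary IMAGE: one line per 16-byte partition entry starting
# at offset 446: boot flag, type byte, LBA start and sector count.
mbr_partition_summary() {
    i=0
    while [ $i -lt 4 ]; do
        off=$((446 + i * 16))
        flag=$(od -An -tx1 -j $off -N 1 "$1" | tr -d ' \n')
        type=$(od -An -tx1 -j $((off + 4)) -N 1 "$1" | tr -d ' \n')
        lba=$(od -An -tu4 -j $((off + 8)) -N 4 "$1" | tr -d ' \n')
        cnt=$(od -An -tu4 -j $((off + 12)) -N 4 "$1" | tr -d ' \n')
        echo "entry$i flag=$flag type=$type lba=$lba sectors=$cnt"
        i=$((i + 1))
    done
}

# mbr_bootcode_matches BASELINE_HASH IMAGE: "ok" when the boot code still
# matches the saved baseline, "CHANGED" otherwise (an overwritten boot
# sector is exactly what a Mebroot infection leaves behind).
mbr_bootcode_matches() {
    if [ "$(mbr_bootcode_hash "$2")" = "$1" ]; then
        echo ok
    else
        echo CHANGED
    fi
}
```

Store the baseline hash somewhere the infected machine cannot reach (the boot CD itself, for instance) and compare against it before deciding whether a restore is needed.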
I’ve been using F-Secure’s BlackLight Rootkit Eliminator ever since it was first released in early 2005. It’s a solid tool and has saved me from having to completely reload a system on at least three occasions, so I don’t know why I didn’t think of it as a weapon against Mebroot. Thanks to a news update from Windows Secrets, I visited F-Secure’s site and discovered the following in a March 31, 2008 blog post:
“A while ago we blogged about the MBR rootkit, which has been getting attention from all security vendors. We’re glad to inform you that the latest version of the F-Secure BlackLight standalone rootkit scanner now detects MBR rootkit infections.
“BlackLight has stood the test of time ever since it was released in the beginning of 2005. A new rootkit technique that has been able to evade detection has been a very rare event. The MBR rootkit is quite different from other rootkits we’ve seen over the years, so we had to add completely new technology into BlackLight to detect it successfully.”
Needless to say, I immediately downloaded the latest version and have it ready to go for any suspected Mebroot infections. Of course, I used it to check all of my own systems and am happy to report that the tool didn’t find anything wrong with my MBR. You can download the standalone BlackLight here.
In my next post, I’ll give you two more tools that you can use to combat this sinister threat: MBR BIOS locking and an MBR backup tool.
“The key to Sinowal/Mebroot’s ‘success’ is that it’s so sneaky and is able to accomplish its dirty work in many different ways. How sneaky? Consider this: Sinowal/Mebroot doesn’t run straight out to your MBR and overwrite it. Instead, the Trojan waits for 8 minutes before it even begins to analyze your computer and change the Registry. Digging into the MBR doesn’t start until 10 minutes after that.
“Sinowal/Mebroot erases all of its tracks and then reboots the PC using the adulterated MBR and new Registry settings 42 minutes into the process.”
Also contributing to the Trojan’s effectiveness is that it’s constantly changing. Washington Post journalist Brian Krebs posted a chilling overview of Sinowal’s criminal mischief in his October 31, 2008 column, “Virtual Heist Nets 500,000+ Bank, Credit Accounts:”
“Sinowal…constantly morphs its appearance to slip past security software. Between April and October, researchers spotted an average of 60 to 80 new Sinowal variants per month…
“On Oct. 21, a new Sinowal variant was submitted to Virustotal.com, which scans incoming files against nearly three dozen commercial anti-virus programs and maintains a historical record of those results. Only 10 out of 35 of those security programs – or 28.5 percent – identified it as such or even flagged it as suspicious.”
Very scary, but here are seven things you can do to protect yourself:
As always, constant vigilance is necessary on the Wild, Wild, Web.
From: Google Adwords account [mailto:firstname.lastname@example.org]
Sent: Monday, September 29, 2008 8:52 PM
To: <potential victim>
Subject: Google Adwords Alert
Attention GOOGLE ADWORDS Customers!
For certain services, such as our advertising programs, we request 128-bit SSL security information which we maintain in encrypted form on secure servers.
We take appropriate security measures to protect against unauthorized access to our unauthorized alteration, disclosure or destruction of data.
Please download latest SSL protection certificate
Unprotected browsers will not be able to Log in after September 30, 2008
Sincerely, Genaro Escobar.
2008 Google Adwords, Developing new services.
Unsuspecting victims who click on the “Read more” link are taken to a malicious website where their machine is infected with a keylogger rootkit. The URL of the site varies, but is similar to this one:
Of course, the actual domain the person arrives at isn’t google.com, but, in this case, mekefri.com.
A good rundown on this attack can be found at: Digital Certificate Spammer Goes for Google Adwords
US-CERT is aware of active attacks against Linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2” is installed.
Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.
For now, the attack is easily detected (though variants of the rootkit will likely change its behavior): The attack creates a directory “/etc/khubd.p2/” that is hidden from “ls,” but it can be entered with “cd /etc/khubd.p2”. Any directory named “khubd.p2,” regardless of its location, is hidden from “ls” but can be entered using “cd.” Additionally, “/dev/shm/” may contain files from the attack, so anything unusual in there is suspect. You can also try searching for hidden processes and checking the reference count in “/etc” against the number of directories shown by “ls”.
Check out the full article, “SSH Key-based Attacks” for complete details on risk mitigation and compromise response.
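The two detection ideas in the note, entering a directory that a listing omits and comparing a directory’s link count with the subdirectories “ls” shows, can be scripted. The script below is an added example, not part of the US-CERT advisory; it assumes a Linux host with GNU stat, and its `--scan` mode probes only the locations the note names.

```shell
#!/bin/sh
# Added example; not part of the US-CERT note. Two consistency checks for
# the symptom it describes: a directory that "ls" hides but "cd" can enter.

# lookup_vs_listing DIR: "absent" if cd cannot enter it, "listed" if the
# parent's listing shows it, "hidden" if cd works but the listing omits it
# (the /etc/khubd.p2 symptom).
lookup_vs_listing() {
    target=$1
    parent=$(dirname "$target")
    name=$(basename "$target")
    if ! ( cd -- "$target" 2>/dev/null ); then
        echo "absent"
        return 0
    fi
    if ls -A1 "$parent" 2>/dev/null | grep -qxF -- "$name"; then
        echo "listed"
    else
        echo "hidden"
    fi
}

# hidden_subdir_count DIR: on ext4, xfs and tmpfs a directory's hard-link
# count is 2 + its number of subdirectories, so (nlink - 2) minus the
# subdirectories "ls" reports is the number hidden from the listing.
# Prints "unsupported" on filesystems (btrfs, merged overlayfs) that
# report a link count of 1 for directories.
hidden_subdir_count() {
    dir=$1
    nlink=$(stat -c %h "$dir")              # GNU stat; %h = hard-link count
    if [ "$nlink" -lt 2 ]; then
        echo "unsupported"
        return 0
    fi
    listed=$(ls -lA "$dir" | grep -c '^d' || true)
    echo $(( nlink - 2 - listed ))
}

# Stand-alone use: probe the locations the note names. A clean result is
# only an indicator, since a variant can simply rename the directory.
if [ "${1:-}" = "--scan" ]; then
    for p in /etc/khubd.p2 /dev/shm/khubd.p2; do
        printf '%s: %s\n' "$p" "$(lookup_vs_listing "$p")"
    done
    printf '/etc hidden subdirectories: %s\n' "$(hidden_subdir_count /etc)"
fi
```

Both checks run the same userland tools the rootkit hooks, so run them from trusted media (or with a statically linked toolset) when the host itself is suspect.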
CAN-SPAM did little to deter or eliminate spammers, and today the spam problem is even worse thanks to huge botnets run by organized cyber-crime syndicates. Phishing attacks are harder to detect and more frequent. Recently, I spent the better part of two days cleaning up the aftermath of a mass mailer worm infection for one of our clients; their email is still being blocked by some servers. In its September 2005 issue, Consumer Reports said, “One Third Of Net Users Damaged By Malware.” Considering that article is three years old, I’d wager that the number of infected computers has doubled since then.
In my job as a systems engineer for Connective Computing, Inc., I deal with the effects of malware nearly every day. My previous releases of this article, “Seven Steps to System Security – 2004”, and “Eight Steps to System Security – 2005”, listed the field-proven steps I recommend to everyone I know. It’s been nearly three years since I published the last guide, but those eight steps haven’t changed much; they just need to be brought up to date, and a new step involving disabling scripting in the browser has been added. Computer users still haven’t learned safe surfing practices, however (will they ever?), and must modify their on-line behavior–particularly by applying the first step–for the rest of these steps to be truly effective.
Did I mention these things are proven? They are. These practices have been protecting computer users in homes and businesses for as long as I’ve been using them. This is free advice that’s really worth something:
While total immunity is impossible – new infections and variations on existing exploits appear daily – these nine steps will help prevent, catch, or clean 98 percent of the junkware out there. As for the other two percent – or if you are already badly infected – you’ll need to hire a geek like me.
There’s no such thing as forgiveness in security; once a machine has been compromised, you can never be certain that it’s free of malware unless you completely wipe it out and start from scratch. Just because everything appears to be working properly after your “cleanup” doesn’t mean it is. Modern malware is designed to be tenacious and stealthy. Many malicious programs leave behind remnants of themselves even when good anti-malware software is able to take the venom out of them. Rootkit technology is becoming so sophisticated that normal means of detection don’t work as this article in The Register explains.
It’s a matter of trust; it’s also a security maxim. So without further ado, I present How to Secure Your Computer, Maxim #12:
Once a PC is infected with malware, you can’t trust it. The only way to restore trust is to wipe the hard drive clean and reload the operating system.