Microsoft clarifies MBR rootkit removal advice
Now says users don't have to reinstall Windows to remove super-stealthy malware, but botnet expert disagrees
Computerworld - Microsoft yesterday clarified the advice it gave users whose Windows PCs are infected with a new, sophisticated rootkit that buries itself on the hard drive's boot sector.
Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC.
Last week, the Microsoft Malware Protection Center (MMPC) highlighted a new Trojan, dubbed "Popureb," and said that the only way to eradicate the malware was to use a recovery disc.
Because a recovery disc returns Windows to its factory settings, Microsoft was essentially telling users that they needed to reinstall Windows to completely clean an infected PC.
That recommendation was similar to what Microsoft had offered more than a year ago, when another Trojan buried rootkit code into the master boot record (MBR) of the PC's hard drive.
On Wednesday, MMPC engineer Chun Feng clarified Microsoft's advice.
"If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state," Feng wrote on an updated blog yesterday.
Feng provided links to instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7.
Once the MBR has been scrubbed, users can run antivirus software to scan the PC for any additional malware and remove it, Feng added.
Malware like Popureb is especially difficult to detect and delete once it's on a system because it overwrites the hard drive's MBR, the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because it hides on the MBR, the rootkit installed by Popureb makes not only itself, but any follow-on malware installed by it later, invisible to both the operating system and security software.
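To make the "sector 0" description above concrete, here is an added example (not from the article, Microsoft or Symantec): a small Python parser for the MBR layout, a defender-side integrity check that compares the 446-byte boot-code region against a known-good hash, and a function showing what "fixing the MBR" amounts to (rewriting the loader while leaving the partition table and signature intact). The sector bytes, partition entry and hashes are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: loader code the BIOS jumps to
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIG_OFF = 510              # last two bytes must be 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector-0 image into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[SIG_OFF:] == b"\x55\xAA"}

def boot_code_hash(sector: bytes) -> str:
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Defender-side integrity check: compare sector 0 against a known-good baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from known-good baseline")
    return findings

def rewrite_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """What a 'fix the MBR' step does: replace the loader, keep partition table and signature."""
    assert len(clean_code) == BOOT_CODE_LEN
    return clean_code + sector[BOOT_CODE_LEN:]

# Constructed sample data (not a real disk image): a clean loader, one NTFS partition.
CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 439
PART_TABLE = struct.pack("<B3sB3sII", 0x80, b"\x00\x01\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800) + b"\x00" * 48
CLEAN_MBR = CLEAN_CODE + PART_TABLE + b"\x55\xAA"
BASELINE = boot_code_hash(CLEAN_MBR)
TAMPERED_MBR = (b"\xEB\x10" + b"\xCC" * 444) + PART_TABLE + b"\x55\xAA"  # loader overwritten, table kept

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
    print("after rewrite:", check_mbr(rewrite_boot_code(TAMPERED_MBR, CLEAN_CODE), BASELINE))
```

On a live system, reading sector 0 of the physical drive needs administrator rights, and a rootkit that is already active can filter such reads, which is why the article's advice is to boot from external media before checking or rewriting the MBR.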
MBR rootkit malware is among the most advanced of all threats, researchers said yesterday during interviews about a different family, called "TDL-4," a bot whose collection of compromised computers they called "practically indestructible."
Several security firms have also weighed in on the debate about whether users need to reinstall Windows.
"Reinstalling is definitely overkill for this malware problem," said Vikram Thakur, principal security response manager with Symantec, in an interview today. "It can be resolved simply by fixing the MBR via an external disk."
Symantec offers a tool to help users do that.
Named "Norton Bootable Discovery Tool," the free download creates a boot disc for starting up the PC without accessing the hard drive -- and thus without loading the infected MBR. Once the Windows machine boots using the recovery disc, the tool downloads new malware signatures -- the digital "fingerprints" antivirus software uses to detect threats -- sniffs out signs of infection and, if necessary, cleans the MBR.