
It's getting very rough out there.
Infections these days go right on in regardless of what anti-virus and anti-spyware is installed - and those programs are helpless to remove them.

It used to be we were dealing with cleverly hidden scumware.

Then we got scumware with root kits that prevented you from removing it - it just came right back. Some removal programs would just go into an infinite loop.

Now we have boot kits that prevent you from removing the root kits. These live in an "enhanced" MBR (Master Boot Record) and store their stuff in a non-standard filesystem in an unallocated space on the hard disk so only they can detect it. The boot kit program runs before the bootstrap loader so it's already in memory before Windows starts to start up.

If a scanning program checks the MBR, the infection detects that, steps back, and presents it with the original MBR. If you rewrite the MBR, it does the same thing, so you just overwrite the original MBR.

Even if you format the disk and reinstall completely, it's still infected.

And to top that off, many infections are now doing very serious damage to Windows to prevent the computer from being used at all, even after removing the infection.

Edited by Andrew Grygus June 11, 2011, 09:44:50 PM EDT
Joy.
As long as something has write access, it can be infected.

Apple's distributing its next OS via iTunes. MS probably will do something similar eventually (and they already do their "Anytime Upgrade" that way, I think). I suspect at some point in the not too distant future OSes and the partitions on which they live will become read-only. You need an OS update? You flash a new ROM area on your main Flash storage. It won't get rid of viruses that are only RAM based, but it'll prevent the bare OS from being a vector. User files and programs could still be infected, of course.

This will work as long as the OS vendor is virus-free.... :-/

Cheers,
Scott.
Malware is one of the things that drove me off Windows.
Not my #1, but it was in the top 5.

Wade.
Static Scribblings http://staticsan.blogspot.com/
Well, it may drive more off.
I've kept a top limit of US $110 to charge home and small business people for cleaning up a machine. I'm probably going to have to raise that limit significantly, given the way things are going.
Re: It's getting very rough out there.
re Even if you format the disk and reinstall completely, it's still infected.

I presume you mean that, via the boot-kit the MBR-dance remains, faking-out the new 'install' as before.
So then, if HD is removed, erased say, in a *nix box and all bits set to (00000 or whatever) -- is that sufficient?
(Or is the base-format itself changed by the boot-kit, such that the special n sectors appear to be "(B)ad", also a clue?)

Would latest SpinRite handle the mangled sectors via its recovery scrubbing, then ID-ing the oddly-formatted "secret/Bad" sectors?
Maybe seeing the 'damage' as merely a need for a sector-level base-format rewrite.
Would that process not restore hygiene, or am I missing something more subtle?

(You say 'unallocated space', mayhap some few bytes in-between Partitions, thus never available for normal data R/W?)
I don't know how SpinRite treats such anomalous places, though clearly the entire base-format is rewritten on every full run, cylinder by cylinder.
Which should catch these moles I'da thunk..

In any event, for 99% of users who would comprehend none of this -- how long, do ya guesstimate? before the IntarWeb majority has an epiphany
== generally comes to realize that the game has entered a new dimension / that Redmond still flunks security 101
... and a (very)-critical-mass goes viral with multiple horror stories ??

And we haven't yet had WCW-1, yet [World-Cyber-War] -- the practical application of [n!] writ Large.
YPB--millions, eh?

It shouldn't
Assuming the repairs are attempted after cold booting from a clean CD or flash drive, the pre-boot code will not be run. If anything, it is because the standard formatting tools do not touch the boot sector, as it is not part of any partition. The boot sector needs to be reset separately (e.g. via fdisk).

Spinrite and the secure erase tools that write over the entire HDD will clean it out as well.
Re: It's getting very rough out there.
If you look with allocation tools like fdisk, there's usually about 8 megs of unallocated space. That's where the infection would place its file system.

Kaspersky's tdsskiller utility is supposed to detect these infections and clean them up. Haven't tried that yet, because I got this one by another means. Only by doing so was I able to find out what to look for to fix it.

I ran Combofix in Safe Mode. It found root kit activity as usual and started its special reboot for clean-up (which doesn't work in this case). I killed the reboot, booted into Recovery Console and replaced the MBR using fixmbr (which runs only from the recovery console). I then rebooted into Safe Mode. The startup was intercepted by Combofix as usual but this time it detected TDS4 infection and killed it.

I don't know if fdisk would cure this problem - it might, but it might not. If I really wanted to be sure, I'd hook the drive to another system and use a disk editor to overwrite the whole MBR with $00.

dd if=/dev/zero of=/dev/hda bs=1048576 count=1024
That will get past the 1024 limit just fine... Though 100MB should be fine.
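An added example, not code posted in this thread, covering the two posts above (Andrew's fdisk/unallocated-space and "overwrite the whole MBR with $00" remarks, and folkert's dd command). It works on an in-memory disk image rather than /dev/hda so it runs offline: it reads the MBR partition table the way fdisk does to measure the unallocated gap before the first partition (where the bootkit's hidden filesystem sits), checks whether the 446 bytes of boot code are non-zero, and zeros the head of the disk exactly as `dd if=/dev/zero of=<disk> bs=1048576 count=N` would. The image, its partition layout, and the "HIDDENFS"/"NTFS" marker bytes are all constructed for the demo.

```python
# Added example, not code from this thread. It does on an in-memory disk
# image what the posts above do with fdisk and dd: read the MBR partition
# table to measure the unallocated gap before the first partition (where
# the bootkit keeps its hidden filesystem), check whether the boot code is
# non-zero, then zero the head of the disk like `dd if=/dev/zero bs=1048576
# count=N`. The image, partition layout and "hidden" bytes are constructed.
import struct

SECTOR = 512
MIB = 1024 * 1024


def parse_mbr(mbr):
    """Return (boot_code, partitions) from a 512-byte MBR; each partition
    is a dict with type, start_lba and sectors (empty slots are skipped)."""
    if len(mbr) < SECTOR or bytes(mbr[510:512]) != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        fields = struct.unpack_from("<BBBBBBBBII", mbr, 446 + 16 * i)
        ptype, start, size = fields[4], fields[8], fields[9]
        if ptype != 0 and size != 0:
            parts.append({"type": ptype, "start_lba": start, "sectors": size})
    return bytes(mbr[:446]), parts


def unallocated_head_sectors(parts):
    """Sectors between the MBR (LBA 0) and the first partition; fdisk
    shows this as free space, and no format or reinstall touches it."""
    if not parts:
        return None
    return min(p["start_lba"] for p in parts) - 1


def boot_code_is_blank(mbr):
    """True when the 446 code bytes are all zero (what a $00 overwrite
    with a disk editor leaves behind)."""
    return not any(mbr[:446])


def zero_head(image, mib):
    """Same effect as `dd if=/dev/zero of=<disk> bs=1048576 count=<mib>`:
    overwrite the first <mib> MiB with zeros. Returns bytes written."""
    n = min(len(image), mib * MIB)
    image[:n] = bytes(n)
    return n


def build_sample_image(total_sectors=4096, first_part_lba=2048):
    """Constructed 2 MiB disk: fake boot code, one NTFS-type (0x07)
    partition starting at LBA 2048, a marker planted in the unallocated
    gap, and a marker at the start of the partition."""
    img = bytearray(total_sectors * SECTOR)
    img[0:446] = (b"\xeb\x3c\x90FAKEBOOT" * 64)[:446]      # non-zero boot code
    img[446:462] = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07,
                               0, 0, 0, first_part_lba,
                               total_sectors - first_part_lba)
    img[510:512] = b"\x55\xaa"
    img[100 * SECTOR:100 * SECTOR + 8] = b"HIDDENFS"        # inside the gap
    img[first_part_lba * SECTOR:first_part_lba * SECTOR + 4] = b"NTFS"
    return img


if __name__ == "__main__":
    img = build_sample_image()
    code, parts = parse_mbr(img[:SECTOR])
    print("partitions:", parts)
    print("unallocated sectors before first partition:",
          unallocated_head_sectors(parts))
    print("boot code blank before wipe:", boot_code_is_blank(img))
    zero_head(img, 1)           # 1 MiB covers the MBR and the gap, not the partition
    print("boot code blank after wipe:", boot_code_is_blank(img))
    print("partition data intact:", bytes(img[2048 * SECTOR:2048 * SECTOR + 4]))
```

On a real disk the same functions would be run against `open('/dev/sdX', 'r+b')` from rescue media, never from the infected OS, for the reason scoenye gives: the pre-boot code must not be in memory. The wipe size is the trade-off the two posts describe: zeroing just the MBR and the gap (here 1 MiB) removes the hiding place and leaves the partition alone, while folkert's 1024 MiB count also takes the start of the Windows partition, which is why he says it is gone afterwards.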
Re: dd if=/dev/zero of=/dev/hda bs=1048576 count=1024
That's exactly what I thought of when I read Andrew's post.

God, I've become a Unix junkie. What has happened to me? ;)
Hey... you see that... +
That is the world's smallest digital violin playing for you.
Sound a lot like..
the one I found in firmware for a 5-channel DASD card from IBM.

It never worked in Linux or BSD... just Windows.

Effectively you are going to have to BLANK the MBR up to 1024MB total.

Booted from a separate boot media. This means 100% of the Windows partition is gone.

Yeah, it's getting bad.
It does have some virtues...
http://www.theregist...alureon_advances/
Additional changes include a new antivirus feature that rids TDSS-infected machines of 20 rival malware titles, including ZeuS, Gbot, and Optima. It also blacklists the addresses of command and control servers used by these competing programs to prevent them from working properly.
:-/

The article also mentions it can act as a DHCP server. If it does that all the time it would make infected machines pretty easy to spot on a corporate network.
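An added example, not code from this thread or the article it links, for the detection idea in the post above: a host that answers DHCP discovers with its own server stands out, because its DHCPOFFERs carry a server identifier that is not one of the corporate DHCP servers. The code decodes the RFC 2131 fixed header and RFC 2132 options from a raw DHCP payload and flags offers from unauthorised servers. The packets are constructed rather than captured, and 10.0.0.1 is an assumed legitimate server address.

```python
# Added example, not code from this thread. It checks DHCPOFFER packets
# (RFC 2131 fixed header + RFC 2132 options) against a list of authorised
# DHCP servers; an infected host answering discovers with its own server
# shows up as an OFFER carrying an unexpected server identifier. The
# packets below are constructed, not captured, and 10.0.0.1 is an assumed
# corporate DHCP server address.
import struct
import ipaddress

AUTHORISED_SERVERS = {"10.0.0.1"}          # assumed legitimate servers
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
BOOTREPLY, DHCPOFFER = 2, 2


def parse_dhcp(payload):
    """Decode the fields needed here from a raw DHCP payload (UDP data)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack_from("!BBBBIHH", payload, 0)
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))   # address being offered
    siaddr = str(ipaddress.IPv4Address(payload[20:24]))   # next-server address
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "siaddr": siaddr, "options": options}


def rogue_offer(payload, authorised=AUTHORISED_SERVERS):
    """Return the server IP if this is a DHCPOFFER from a server not in
    the authorised set; None if it is not an offer or the server is known."""
    pkt = parse_dhcp(payload)
    if pkt["op"] != BOOTREPLY or pkt["options"].get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    sid = pkt["options"].get(OPT_SERVER_ID)
    # Option 54 is authoritative; fall back to siaddr if a server omits it.
    server = str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else pkt["siaddr"]
    return None if server in authorised else server


def build_offer(server_ip, offered_ip, xid=0x3903F326):
    """Construct a minimal DHCPOFFER (sample data for the demo)."""
    def ip(s):
        return ipaddress.IPv4Address(s).packed
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)
    hdr += ip("0.0.0.0") + ip(offered_ip) + ip(server_ip) + ip("0.0.0.0")  # ciaddr yiaddr siaddr giaddr
    hdr += bytes.fromhex("001122334455") + bytes(10)            # chaddr (16 bytes)
    hdr += bytes(64) + bytes(128)                                # sname, file
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4]) + ip(server_ip)
            + bytes([OPT_END]))
    return hdr + DHCP_MAGIC + opts


if __name__ == "__main__":
    for pkt in (build_offer("10.0.0.1", "10.0.0.50"), build_offer("10.0.0.77", "10.0.0.51")):
        print("rogue server:", rogue_offer(pkt))
```

Feeding this the UDP payloads of replies to port 68 from a span-port capture is enough to list offending hosts by server identifier; switches with DHCP snooping do the same check in hardware by dropping offers from untrusted ports, which is the more robust place to put it.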
     It's getting very rough out there. - (Andrew Grygus) - (11)
         Joy. - (Another Scott)
         Malware is one of the things that drove me off Windows. - (static) - (1)
             Well, it may drive more off. - (Andrew Grygus)
         Re: It's getting very rough out there. - (Ashton) - (5)
             It shouldn't - (scoenye)
             Re: It's getting very rough out there. - (Andrew Grygus) - (3)
                 dd if=/dev/zero of=/dev/hda bs=1048576 count=1024 - (folkert) - (2)
                     Re: dd if=/dev/zero of=/dev/hda bs=1048576 count=1024 - (jake123) - (1)
                         Hey... you see that... + - (folkert)
         Sound a lot like.. - (folkert)
         It does have some virtues... - (scoenye)