Microsoft Beta's Rootkit Removal Tool

peet · Post by **peet** » Sun Jul 03, 2011 4:02 pm

http://isc.sans.edu/diary.html

Read very careful (I quote):

The problem with this new bootkit is that it forges the cleaning part. For example, when the security product tries a Write method, the trojan will change to Read. This will make the security product believe that the cleaning was successful while it was not. (*)

and

Regarding MS's Popureb, the current recommendation is to fix the MBR and rebuild the machine.

(*) edit to clarify: this forging of cleaning is when the user has an antivirus running inside the infected operating system. A good antivirus can potentially block the installation of a virus. More advanced cleaning options on an infected operating system can be available with livecd's containing an antivirus product.

coopertronic · Post by **coopertronic** » Sun Jul 03, 2011 11:02 pm

You're scaring the living daylights out of me. i'M SCANNING ALL MY PC'S NOW.

I'm running 4 Linux boxes and 3 Windows boxes here. I'll post the results tomorrow, it's a bit late here now. I did have grub2 menus disaper off a system last week. It was easy to fix with the live disk, but I'm $#@!ed if I know what caused it.

I got 1 warning lwp-request has bee replaced by a script lwp-request which is a perl -w script. This is on linux Mint 10 Julia.

This is the only warning I got. All my machines are virus free and rootkit free.

Admitidly Linux can get infected but I just haven't seen it yet. I see it all the time with Windows machines.

peet · Post by **peet** » Mon Jul 11, 2011 11:48 am

Matt made a video about this M$ tool, so you can see for yourself if it's something for you or not.

http://www.youtube.com/watch?v=oJV12mftZMY

Bard · Post by **Bard** » Mon Jul 11, 2011 12:14 pm

coopertronic wrote:QUOTE (coopertronic @ Jul 3 2011, 06:02 PM) You're scaring the living daylights out of me. i'M SCANNING ALL MY PC'S NOW.

I'm running 4 Linux boxes and 3 Windows boxes here. I'll post the results tomorrow, it's a bit late here now. I did have grub2 menus disaper off a system last week. It was easy to fix with the live disk, but I'm $#@!ed if I know what caused it.

I got 1 warning lwp-request has bee replaced by a script lwp-request which is a perl -w script. This is on linux Mint 10 Julia.

This is the only warning I got. All my machines are virus free and rootkit free.

Admitidly Linux can get infected but I just haven't seen it yet. I see it all the time with Windows machines.

Ask Dorjan about Linux boxes getting infected. Apache servers in particular! `gu

coopertronic · Post by **coopertronic** » Mon Jul 11, 2011 12:36 pm

This is looking good. Malewarebytes is still pretty much essencial and I'm sure there will be a fix for the activation before long. All round it's bloody usful live disk to have.

Dorjan · Post by **Dorjan** » Mon Jul 11, 2011 1:30 pm

Bard wrote:QUOTE (Bard @ Jul 11 2011, 12:14 PM) Ask Dorjan about Linux boxes getting infected. Apache servers in particular! `gu

I was thinking the same thing...

Andon · Post by **Andon** » Mon Jul 11, 2011 4:59 pm

Everything can be rooted, regardless of what's on there - for the simple reason that with the pace that code is added/removed, you add an exploit for each one you fix. It's just a matter of time before they're found.

raumvogel · Post by **raumvogel** » Mon Jul 11, 2011 5:58 pm

Andon wrote:QUOTE (Andon @ Jul 11 2011, 12:59 PM) Everything can be rooted, regardless of what's on there - for the simple reason that with the pace that code is added/removed, you add an exploit for each one you fix. It's just a matter of time before they're found.

And with the entire world looking for them, it won't take long.