Windows Secrets


Windows Secrets Newsletter • Issue 176 • 2008-11-26 • Circulation: over 400,000


Table of contents 
  • Bonus: Last week to get a free excerpt of ‘Pleasure’
  • Introduction: A news update to bring you rootkit solutions
  • Top Story: Antivirus tools try to remove Sinowal/Mebroot

 
Bonus

Last week to get a free excerpt of ‘Pleasure’

As often as possible, Windows Secrets licenses some new content that all of our readers can download and enjoy at no cost. This month, our bonus download reveals hidden motivations that operate beneath the level of our conscious mind.

Our exclusive excerpt of The Pleasure Instinct: Why We Crave Adventure, Chocolate, Pheromones, and Music explains why everything from the smell of cocoa to a whiff of an expensive perfume moves us in unexpected ways.

The printed book won’t be available in stores until mid-December, but you can get our PDF e-book excerpt now through Dec. 3, 2008. Simply visit your preferences page, update your entries, press the Save button, and a download link will appear. Thanks for your support! —Brian Livingston, editorial director

All subscribers: Set your preferences and download your bonus
Info on the printed book: United States / Canada / Elsewhere

 
Introduction

A news update to bring you rootkit solutions

By Brian Livingston

I thought that trying to take a week off for Thanksgiving was too good to be true.

To prove that nature abhors a vacuum, we’re publishing today a special “news update” to bring you Woody Leonhard’s findings on rootkit removal tools.

Woody’s column on Nov. 20 explained how to update your apps to prevent rootkits from infecting your PC. His article received a very high rating of 4.02 out of 5, indicating high reader interest. Today, Woody describes antivirus utilities that attempt to detect and remove dangerous Sinowal/Mebroot variants and other rootkits that hide from ordinary AV programs.

Everyone here at Windows Secrets hopes this two-part series will help you recover from this threat — or, preferably, avoid it entirely.

‘Tis the season — promote your biz for free

I’ve been looking for ways to give something to Windows Secrets subscribers for the holidays. Many of our readers work in or operate small businesses. So we’ve decided to offer our small-business friends a free ad in our Dec. 4 newsletter at the height of the shopping season.

That’s right: your business can submit an ad for our Dec. 4 newsletter and pay nothing. The rules for this offer are as follows:
  • Anyone who places an ad before our ad deadline — Dec. 1 at 2 p.m. Pacific Time — is eligible to receive a free ad in the Dec. 4 newsletter.
  • No more than 12 ads will be accepted in the Dec. 4 newsletter. If more than 12 ads are submitted, 12 will be chosen at random. In a regular newsletter, no more than 9 ads are accepted.
  • A valid credit card must be entered, but your card will not be charged for the Dec. 4 newsletter.
  • Free ads in the Dec. 4 newsletter will be positioned in random order, so there’s no reason to enter an exaggerated bid. Simply enter a reasonable bid: whatever you’d be willing to pay if your ad continued to run in the Dec. 11 newsletter.
  • On Dec. 5, we’ll send you an e-mail showing the number of click-throughs your ad generated in the first 24 hours. If the response is worth it, make no changes and your ad will continue to run. If not, you can cancel your ad and pay nothing.
  • All ads run until you cancel them. You may cancel an ad by changing your bid to zero (0) at any time before the ad deadline for our Dec. 11 newsletter — Dec. 8 at 2 p.m. Pacific Time. Before the ad deadline, you can also reduce or increase your bid to obtain a better position.
To place your ad, start at the Web page in the link below and follow the instructions:

Windows Secrets advertising page

Many small businesses are struggling in the current global economic slowdown. We hope to give a few of our subscribers’ products and services a bit more exposure. Have a great holiday!

No paid content in news updates; next issue Dec. 4

This is a special news update, which has the same content for all free and paying subscribers. There is no paid content in news updates.

Our next regular newsletter will be published on Thurs., Dec. 4, 2008. Windows Secrets skips publication on the 5th Thursday of the month, the last two weeks of August and December, and (usually) the week of Thanksgiving.

I promise you, we won’t be publishing another newsletter this Thursday!

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.

 
Top Story

Antivirus tools try to remove Sinowal/Mebroot

By Woody Leonhard

I wrote last Thursday about ways to protect your PC from infection by Sinowal/Mebroot, a devilishly effective rootkit that can evade antivirus programs.

This week, I’ll concentrate on the best available techniques to try to remove the offender, if you’re one of the unfortunates who’ve already been hit.

My Top Story Nov. 20 focused on prevention, because it can be hard as heck to get rid of Sinowal/Mebroot once your PC’s got it. (Sinowal is the name of an older variant and Mebroot is its newer form, so I’ll simply call the threat Mebroot in the remainder of this article.)

Mebroot infects a PC’s Master Boot Record (MBR), the first sector on a hard drive. Code in that sector runs before Windows loads, so the rootkit takes control first and can hook the disk driver to hand back a clean-looking copy of the sector whenever anything running under Windows asks for it, which is why ordinary antivirus agents never see the infection. As I stated last week, your best defense against infection is to keep your third-party software patched, using on a regular basis a software scanner such as Secunia’s free Personal Software Inspector (get it from Secunia’s download page).
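An added example, written for this article rather than taken from Windows Secrets, F-Secure or Microsoft: a small Python parser for the 512-byte MBR that hashes the boot-code region and compares it against a baseline hash you recorded while the machine was clean. It assumes you have such a baseline; the sample sectors are constructed, not real Mebroot. The caveat from the paragraph above is built in: a read of sector 0 from the live, infected system can be answered by the rootkit with a clean copy, so the read that matters is one taken after booting from trusted media (or with the disk attached to a clean machine).

```python
"""Parse a 512-byte Master Boot Record and compare it with a known-good baseline.

Added example for this article; it is not code from Windows Secrets, F-Secure or
Microsoft. It assumes you recorded a SHA-256 of the boot-code region while the
machine was clean. The sample sectors below are constructed, not real Mebroot.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code the BIOS jumps to
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE_OFF = 510      # last two bytes must be 0x55 0xAA


def parse_mbr(sector: bytes) -> dict:
    """Split the sector into boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xAA",
        "partitions": partitions,
    }


def compare_to_baseline(sector: bytes, baseline_sha256: str) -> list:
    """Return findings; an empty list means the sector matches the clean baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(1 for p in info["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a raw disk image, or from a device such as
    r'\\\\.\\PhysicalDrive0' on Windows (needs administrator rights).
    On a live infected system the rootkit can answer this read with a clean copy,
    so take both the baseline and the suspect read from a boot off trusted media."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: given boot code plus one bootable NTFS (type 0x07) partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF",
                        2048, 204800)
    return code + entry + b"\x00" * 48 + b"\x55\xAA"


CLEAN = make_sample_mbr(b"\xEB\x3C\x90CLEAN-BOOT-CODE")
BASELINE = parse_mbr(CLEAN)["boot_code_sha256"]
# Same partition table, but the boot code now jumps into a rootkit loader.
TAMPERED = make_sample_mbr(b"\xEB\x3C\x90ROOTKIT-LOADER")

if __name__ == "__main__":
    print("clean sector:   ", compare_to_baseline(CLEAN, BASELINE) or "matches baseline")
    print("tampered sector:", compare_to_baseline(TAMPERED, BASELINE))
```

The partition table is parsed as well as hashed because an MBR rootkit typically leaves the table untouched and rewrites only the boot code, so a hash of bytes 0..445 alone catches the change while the partition entries tell you the disk is otherwise the one you expect.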

Ideally, you should run a PSI scan right after you install Microsoft’s Patch Tuesday updates for Windows. The PSI scan checks your third-party applications against the latest available fixes, so you can patch them. Unpatched browser plug-ins and media apps (Adobe Reader, Flash Player, Apple QuickTime, and the like) are the usual entry points for the drive-by exploits that install Mebroot and other threats, so it’s vital to keep them up-to-date.

Most Windows Secrets readers are probably not infected with Mebroot. Sophisticated PC users are less likely than novices to visit “celebrity video” sites and leave their PCs’ third-party applications unpatched for months or years at a time.

But, as careful as you are, it’s possible that your PC became infected when you visited some seemingly legitimate site with a less-than-fully-updated browser or while you were running an application with an unpatched security hole.

Washington Post blogger Brian Krebs wrote last month that a new sample of Sinowal/Mebroot was submitted on Oct. 21 to VirusTotal, a free service that scans an uploaded file with dozens of antivirus engines. Only 10 out of 35 antivirus programs (28.6%) identified the sample as malicious or flagged it as suspicious, Krebs says.

If your PC is infected, Mebroot removal tools developed by a few security vendors may be able to help you. The bad news is that even the best tool can’t be 100% effective against a threat that’s evolving as quickly as this li’l terror.

Use F-Secure’s utility to clean out rootkits

Security firm F-Secure is at the forefront of the industry’s response to Mebroot. F-Secure researcher Kimmo Kasslin gave a presentation to a packed conference hall at the Virus Bulletin conference in October, during which he explained the Mebroot menace in these terms:
  • Mebroot is the most advanced and stealthiest malware seen so far.
  • When an infected machine is started, Mebroot loads first and survives through the Windows boot.
  • Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder.
  • As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines.
For a complete outline of Kasslin’s points and a downloadable PDF version of his conference presentation, see the F-Secure blog page.

The company claims that its BlackLight rootkit scanner detects and removes Mebroot. F-Secure also says Mebroot required the development of entirely new detection techniques.

Mebroot’s programmers are smart and fast. How smart? When the authors of the rootkit detector GMER discovered how to recognize a particular behavior in Mebroot, the bad guys replaced some code in a driver initializer that threw GMER off the track. (For more information, see Trend Micro’s blog entry on this subject.) Detecting and preventing Mebroot is a cat-and-mouse game, and the black cats are winning.

BlackLight is built into F-Secure’s commercial products, such as F-Secure Internet Security 2008. A free, standalone BlackLight download is also available. (The utility requires administrator privileges to run.)

For information on the products and a link to the download, see F-Secure’s BlackLight page.

To get the best detection odds, you can test your PC with multiple antirootkit programs, many of which are free. For a complete review of several top offerings, see Scott Spanbauer’s May 22 Best Software column.

Unfortunately, I don’t know of any software maker that claims it can reliably detect — much less remove — every possible variant of Mebroot.

Your only real remedy may be a clean start

Right now, I believe one of my Windows XP machines is infected with Mebroot, but I can’t tell for sure. I’ve quarantined the system by disconnecting it from my network, and I’m in the process of copying a small handful of vital data files off the PC and onto a USB drive.

Once I’ve copied the files, I’ll reformat the machine’s hard drive, reinstall Windows and my apps, and then carefully copy the data back — being very sure to hold down the Shift key every time I insert the USB drive. The Shift key circumvents Windows’ AutoPlay behavior, thereby making any malware that might have sneaked onto the thumb drive less likely to run automatically.

Finally, I’ll install and religiously use Secunia’s Personal Software Inspector every month. Then I’ll rub my lucky rabbit’s foot (lot of good it did the rabbit), knock on wood, cross my fingers (does wonders for my typing), and hope that Mebroot doesn’t bite me again.
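The Shift-key trick in the recovery steps above only suppresses AutoPlay for that one insertion. As an added example (mine, not a Windows Secrets or Microsoft tool), here is a Python check to run over a thumb drive before copying data back from it: it parses the drive's autorun.inf, lists every program the file would launch, and reports whether each target actually exists on the drive. The sample autorun.inf and the drive layout it builds are constructed for the demo; the RECYCLER path mimics the style USB worms used, not a specific real sample.

```python
"""Check a removable drive's autorun.inf before copying files back from it.

Added example, not from the Windows Secrets article and not a Microsoft tool.
It parses the [autorun] section, lists every program the file would launch,
and reports whether each target is actually present on the drive. The sample
autorun.inf and drive layout below are constructed for the demo.
"""
import configparser
import tempfile
from pathlib import Path, PureWindowsPath

# Keys whose value is a program that AutoRun/AutoPlay may execute.
LAUNCH_KEYS = ("open", "shellexecute")


def autorun_targets(inf_text: str) -> list:
    """Return (key, program) pairs for every [autorun] entry that launches something."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True, delimiters=("=",)
    )
    parser.optionxform = str  # keep key case so shell\open\command survives intact
    parser.read_string(inf_text)
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    targets = []
    for key, value in parser.items(section):
        lk = key.lower()
        is_shell_verb = lk.startswith("shell\\") and lk.endswith("\\command")
        tokens = value.strip().split() if value else []
        if tokens and (lk in LAUNCH_KEYS or is_shell_verb):
            # First token is the program; anything after it is arguments.
            targets.append((key, tokens[0].strip('"')))
    return targets


def inspect_drive(root) -> list:
    """One finding per launch entry: the key, the program, and whether it exists."""
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    findings = []
    for key, program in autorun_targets(inf.read_text(errors="replace")):
        rel = PureWindowsPath(program)
        # Relative paths resolve against the drive root; absolute ones point elsewhere.
        present = (not rel.is_absolute()) and root.joinpath(*rel.parts).is_file()
        findings.append({"key": key, "program": program, "present": present})
    return findings


SAMPLE_AUTORUN_INF = """; constructed sample in the style of USB-worm droppers
[AutoRun]
open=RECYCLER\\S-1-5-21-1482476501\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\S-1-5-21-1482476501\\setup.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-1482476501\\setup.exe
"""


def build_sample_drive() -> Path:
    """Lay out a throwaway directory that mimics the suspect thumb drive."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "autorun.inf").write_text(SAMPLE_AUTORUN_INF)
    dropper = root / "RECYCLER" / "S-1-5-21-1482476501" / "setup.exe"
    dropper.parent.mkdir(parents=True)
    dropper.write_bytes(b"MZ")  # placeholder bytes, not a real executable
    (root / "report.docx").write_bytes(b"user data")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for finding in inspect_drive(drive):
        flag = "PRESENT" if finding["present"] else "missing"
        print(f"{finding['key']:22} -> {finding['program']} [{flag}]")
```

Any "PRESENT" line means the drive carries both a launch instruction and the program it points at; copy only the data files you need, by name, and leave the rest. The durable fix on the PC side is the NoDriveTypeAutoRun policy (a value of 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer disables AutoRun for every drive type), which Microsoft documents in KB 967715 together with the update XP needs for that setting to be honored.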

My long-range plan is to upgrade the video cards on all of my Windows XP machines so they can limp along with their OS upgraded to Vista. At present, the User Account Control (UAC) function of the latest update of Vista does at least warn against Mebroot’s initial attempt to activate. For other, more-technical reasons why Vista is not yet at risk from Mebroot, see the “Affected Systems” section of software engineer Peter Kleissner’s analysis.

Of course, by the time I’ve done a clean install, the Mebroot gang may well have found a way to make even Vista as vulnerable as XP is now.

Helluva situation, isn’t it?

Woody Leonhard‘s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He is also a co-author of the encyclopedic Special Edition Using Office 2007. Woody’s column regularly appears in the paid content of Windows Secrets.
