Antivirus tools try to remove Sinowal/Mebroot

Woody leonhard By Woody Leonhard

I wrote last Thursday about ways to protect your PC from infection by Sinowal/Mebroot, a devilishly effective rootkit that can evade antivirus programs.

This week, I’ll concentrate on the best available techniques to try to remove the offender, if you’re one of the unfortunates who’ve already been hit.

My Top Story Nov. 20 focused on prevention, because it can be hard as heck to get rid of Sinowal/Mebroot once your PC’s got it. (Sinowal is the name of an older variant and Mebroot is its newer form, so I’ll simply call the threat Mebroot in the remainder of this article.)

Subscribe to our Windows Secrets Newsletter - It's Free!

Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!

PC Drive Maintenance (Excerpt)

Subscribe and get our monthly bonuses - free!

Your hard drives store photos, books, music and film libraries, letters, financial documents and so on. This ebook is aimed at helping you understand your hard drives, expand their capacities and length of life, and recover what you can from them when they fail. We're offering you a FREE Excerpt! Get this excerpt and other 4 bonuses if you subscribe FREE now!



Mebroot infects a PC’s Master Boot Record (MBR), the first sector on a hard drive, where it’s invisible to ordinary antivirus agents. As I stated last week, your best defense against infection is to use, on a regular basis, a software scanner such as Secunia’s free Personal Software Inspector (get it from Secunia’s download page).

Ideally, you should run a PSI scan right after you install Microsoft’s Patch Tuesday updates for Windows. The PSI scan tests your third-party applications, so you can patch them with the latest fixes. Unpatched media-player apps — Adobe Reader, Flash Player, Apple QuickTime, and the like — are particularly vulnerable to Mebroot and other threats, so it’s vital to keep your players up-to-date.

Most Windows Secrets readers are probably not infected with Mebroot. Sophisticated PC users are less likely than novices to visit “celebrity video” sites and leave their PCs’ third-party applications unpatched for months or years at a time.

But, as careful as you are, it’s possible that your PC became infected when you visited some seemingly legitimate site with a less-than-fully-updated browser or while you were running an application with an unpatched security hole.

Washington Post blogger Brian Krebs wrote last month that a new sample of Sinowal/Mebroot was submitted to VirusTotal, an antivirus testing firm, on Oct. 21. Only 10 out of 35 antivirus programs (28.6%) correctly identified the sample or flagged it as suspicious, Krebs says.

If your PC is infected, Mebroot removal tools developed by a few security vendors may be able to help you. The bad news is that even the best tool can’t be 100% effective against a threat that’s evolving as quickly as this li’l terror.

Use F-Secure’s utility to clean out rootkits

Security firm F-Secure is at the forefront of the industry’s response to Mebroot. F-Secure researcher Kimmo Kasslin gave a presentation to a packed conference hall at the Virus Bulletin conference in October, during which he explained the Mebroot menace in these terms:
  • Mebroot is the most advanced and stealthiest malware seen so far.
  • When an infected machine is started, Mebroot loads first and survives through the Windows boot.
  • Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder.
  • As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines.
For a complete outline of Kasslin’s points and a downloadable PDF version of his conference presentation, see the F-Secure blog page.

The company claims that its BlackLight rootkit scanner detects and removes Mebroot. F-Secure also says Mebroot required the development of entirely new detection techniques.

Mebroot’s programmers are smart and fast. How smart? When the authors of the rootkit detector GMER discovered how to recognize a particular behavior in Mebroot, the bad guys replaced some code in a driver initializer that threw GMER off the track. (For more information, see Trend Micro’s blog entry on this subject.) Detecting and preventing Mebroot is a cat-and-mouse game, and the black cats are winning.

BlackLight is built into F-Secure’s commercial products, such as F-Secure Internet Security 2008. A free, standalone BlackLight download is also available. (The utility requires administrator privileges to run.)

For information on the products and a link to the download, see F-Secure’s BlackLight page.

To get the best detection odds, you can test your PC with multiple antirootkit programs, many of which are free. For a complete review of several top offerings, see Scott Spanbauer’s May 22 Best Software column.

Unfortunately, I don’t know of any software maker that claims it can reliably detect — much less remove — every possible variant of Mebroot.

Your only real remedy may be a clean start

Right now, I believe one of my Windows XP machines is infected with Mebroot, but I can’t tell for sure. I’ve quarantined the system by disconnecting it from my network, and I’m in the process of copying a small handful of vital data files off the PC and onto a USB drive.

Once I’ve copied the files, I’ll reformat the machine’s hard drive, reinstall Windows and my apps, and then carefully copy the data back — being very sure to hold down the Shift key every time I insert the USB drive. The Shift key circumvents Windows’ AutoPlay behavior, thereby making any malware that might have sneaked onto the thumb drive less likely to run automatically.

Finally, I’ll install and religiously use Secunia’s Personal Software Inspector every month. Then I’ll rub my lucky rabbit’s foot (lot of good it did the rabbit), knock on wood, cross my fingers (does wonders for my typing), and hope that Mebroot doesn’t bite me again.

My long-range plan is to upgrade the video cards on all of my Windows XP machines so they can limp along with their OS upgraded to Vista. At present, the User Account Control (UAC) function of the latest update of Vista does at least warn against Mebroot’s initial attempt to activate. For other, more-technical reasons why Vista is not yet at risk from Mebroot, see the “Affected Systems” section of software engineer Peter Kleissner’s analysis.

Of course, by the time I’ve done a clean install, the Mebroot gang may well have found a way to make even Vista as vulnerable as XP is now.

Helluva situation, isn’t it?

Woody Leonhard‘s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He is also a co-author of the encyclopedic Special Edition Using Office 2007. Woody’s column regularly appears in the paid content of Windows Secrets.
= Paid content

All Windows Secrets articles posted on 2008-11-26:

Woody Leonhard

About Woody Leonhard

Woody Leonhard is a Windows Secrets senior editor and a senior contributing editor at InfoWorld. His latest book, the comprehensive 1,080-page Windows 8 All-In-One For Dummies, delves into all the Win8 nooks and crannies. His many writings tell it like it is — whether Microsoft likes it or not.