car825
Posts: 364
Topics: 71
Kudos: 9
Solutions: 3
Registered: ‎03-28-2009

Re: Symantec Please Speak Up About Rash of Trojans

Twixt,

Great writeup.  I would appreciate your comments on the System Image capability that is included with Windows 7.  Does it do the "Nuke-'n-Pave" thing when restoring from a Windows 7 system image?

twixt
Posts: 246
Topics: 6
Kudos: 118
Blog Posts: 0
Ideas: 0
Solutions: 13
Registered: ‎09-26-2011

Re: Symantec Please Speak Up About Rash of Trojans


huwyngr wrote:

Twixt,

Many thanks for that detailed explanation.

I'd appreciate a comment on: I use a utility called EasyBCD and I also make images of my hard drive.

1 -- EasyBCD offers the ability to recreate the MBR/Bootloader

2 -- When I restore an image (I normally use a version of Acronis True Image which you can download free from the maker of most hard drives) I seem to remember that one of the options is to restore the MBR or not.

Am I right in thinking that these do offer a way of repairing the MBR in the event of malware having infected it?



Hi, Hugh.

1.  Yes, EasyBCD is a godsend.  It's part of my toolkit here as well.  I won't leave home without it.  :)

2.  Yes, both Ghost and Acronis True Image offer an option to restore the backed-up copy of the MBR along with the Target Partition when restoring an image.  IMO, it is appropriate to replace the MBR whenever you Restore an Image because "something is goofy" about how your OS is running.

Some other things about Images:

1. Nowadays, having a single-level or even a 3-level image stack is insufficient.  I run a 5-level stack here.  The reason is that it is not always obvious that you've been infected with a rootkit/bootkit.

Reasons for the above:

1.  The very best rootkit/bootkit code is as completely stealthy as possible.

2. The code modulates its CPU usage so that it does not load the CPU when the machine is idle.  You will not be able to tell you are infected simply because the CPU usage spikes when you know that "nothing" is supposed to be going on.  The code ensures that it only adds to an existing CPU load - thus masking itself from simple detection by the presence of CPU activity when the machine should supposedly be idle.

3. The code modulates its activity such that its network traffic only occurs when other legitimate traffic is also taking place.  You will not be able to tell you are infected simply because the Router shows network traffic when you know that "nothing" is supposed to be happening.

4.  Thus, if you don't know what to look for - you can go for weeks with a keylogger in place (harvesting your bank login data) and have no idea you're infected.  Meanwhile, you are diligently doing your backups and creating new infected Images - which you dutifully restore when NIS is updated to the point it can detect that particular set of stealth routines.  And then, when you restore an infected image - NIS promptly informs you after the restore is complete (and NIS is brought up to date using Live Update) that you are still infected.

5. You need multi-generational backups that go far enough back in time that you can be sure you have a clean OS Image back there somewhere.  Even if it's 5 weeks old - having a clean Image in the stack is preferable to having to reload the entire OS from scratch.

6. Another thing I do is Archive an OS Image separately from the stack every month, and keep a 3-month-interval stack of archives back from the current 3 months.  I keep as many of these on my External Hard Disk set as is consistent with  maintaining enough free space to allow the 5-level-stack to maintain itself automatically.  This ensures that even if the stack is completely infected - I've got something that isn't - as long as I go far enough back in time.

7. Please note that the procedure detailed in Item 5 is a relative of the procedure used for Permanent Archiving in Commercial or Government arenas - where it is utterly necessary to have a reliable audit trail for the 7 years mandated by Law for legal liability.  None of what I am describing is new - but it is only recently, with the effectiveness of stealth rootkit/bootkit technology - that it has become important for typical Computer Users to adopt the backup techniques used in Commercial and Government agencies for decades.

Hope this helps your understanding.
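The multi-generational retention that twixt describes (a rolling 5-level stack, a separately archived image per month for the current 3 months, then archives at 3-month intervals) worked through as an added example that is not part of the original post. The rule that the newest image in each month or interval is the one archived, the bucketing arithmetic, and the weekly image dates and infection date are all constructed assumptions.

```python
from datetime import date

# Retention parameters taken from the post; the bucketing rules are an assumption.
STACK_DEPTH = 5        # rolling 5-level image stack
MONTHLY_ARCHIVES = 3   # one archived image per month for the current 3 months
INTERVAL_MONTHS = 3    # older archives thinned to one per 3-month interval

def months_back(d, today):
    """Whole calendar months from d's month to today's month (0 = this month)."""
    return (today.year - d.year) * 12 + (today.month - d.month)

def images_to_keep(images, today):
    """Image dates retained under the layered policy, oldest first. Assumes one
    image per date and that the newest image in each bucket is the one archived."""
    imgs = sorted({d for d in images if d <= today}, reverse=True)  # newest first
    keep = set(imgs[:STACK_DEPTH])                     # layer 1: rolling stack
    seen_months, seen_intervals = set(), set()
    for d in imgs:                                     # newest first, first hit wins
        mb = months_back(d, today)
        if mb < MONTHLY_ARCHIVES:                      # layer 2: monthly archives
            if mb not in seen_months:
                seen_months.add(mb)
                keep.add(d)
        else:                                          # layer 3: 3-month intervals
            bucket = (mb - MONTHLY_ARCHIVES) // INTERVAL_MONTHS
            if bucket not in seen_intervals:
                seen_intervals.add(bucket)
                keep.add(d)
    return sorted(keep)

def newest_clean_image(kept, infection_started):
    """Newest retained image taken before the compromise began, or None. This is
    the post's question: does the set reach back far enough to hold a clean image?"""
    clean = [d for d in kept if d < infection_started]
    return max(clean) if clean else None

def run_demo():
    """Constructed sample: one image every Sunday from 2011-07-03 to 2012-06-24, and
    a keylogger (constructed) resident since 1 May 2012 that goes unnoticed 8 weeks."""
    weekly = [date.fromordinal(date(2011, 7, 3).toordinal() + 7 * k) for k in range(52)]
    today, infection = date(2012, 6, 30), date(2012, 5, 1)
    kept = images_to_keep(weekly, today)
    stack_only = newest_clean_image(kept[-STACK_DEPTH:], infection)  # the 5 newest only
    full = newest_clean_image(kept, infection)
    return ([d.isoformat() for d in kept],
            stack_only.isoformat() if stack_only else None,
            full.isoformat() if full else None)
```

With the 5-level stack alone every retained image post-dates the infection, so no clean restore point exists; the monthly and 3-month archive layers keep nine images out of 52 and still reach back to a pre-infection image.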

twixt
Posts: 246
Topics: 6
Kudos: 118
Blog Posts: 0
Ideas: 0
Solutions: 13
Registered: ‎09-26-2011

Re: Symantec Please Speak Up About Rash of Trojans


car825 wrote:

Twixt,

Great writeup.  I would appreciate your comments on the System Image capability that is included with Windows 7.  Does it do the "Nuke-'n-Pave" thing when restoring from a Windows 7 system image?



Hi, car825.  To be honest - I've never trusted a Microsoft-supplied "Backup" procedure as far as I can throw the Empire State Building.

I have no idea whether or not W7's Backup has the ability to restore the MBR as part of its Image restore procedure - because I've never tested it.  Norton Ghost, Acronis True Image and BootIt Bare Metal are my Image Software packages of choice.

IMO, W7's Backup is the first-candidate Backup that has the capabilities required to be an effective piece of Backup software.  Regardless, it does not permit restore of individual files from an Image without mounting the Image - which I feel is an unreasonably-tedious limitation as well as an unacceptable security and re-infection risk when restoring datafiles from a known-infected Image.

W7's Backup is closer to soup - but it's not soup yet.  I'd suggest avoiding W7's backup - and get something coded by people who make it their business to do it Backup/Restore right.

Hope this helps.

Contributor
sturgess
Posts: 61
Registered: ‎05-06-2011

Re: Symantec Please Speak Up About Rash of Trojans

Hi twixt,

Windows 8 has a "Remove everything and reinstall Windows" option; would this be a fix?  Enjoyed reading your post.

Contributor
ablatt
Posts: 34
Registered: ‎05-19-2008

Re: Symantec Please Speak Up About Rash of Trojans

I haven't done an exhaustive search but I just browsed through the Kaspersky forums and did not see a flood of trojan-related posts like the ones here.

If they're not affected in the same way, I have to wonder, as a long time Norton user, why?

This 'rash of trojans' is very disconcerting, especially as it has shaken my faith in the security of the 64-bit Windows O/S.

It also has to make people look elsewhere, if Norton is not able to keep up.

Super Spam Squasher
Bombastus
Posts: 1,686
Registered: ‎11-16-2009

Re: Symantec Please Speak Up About Rash of Trojans

Kaspersky support offers to help with malware removal http://usa.kaspersky.com/support/home/consumer-support-open-ticket?ICID=INT1675371 and unlike Norton, they don't charge the user for it, so maybe they get less people on the forums looking for help there.

huwyngr
Posts: 18,996
Topics: 906
Kudos: 2,331
Solutions: 337
Registered: ‎04-13-2008

Re: Symantec Please Speak Up About Rash of Trojans

Thanks Twixt for all that valuable information.

I'm fortunate that my system is not "mission critical" but I see the importance of all you say.

One thing I'd like to emphasise is that my query about the MBR restore was not intended to bypass or shortcut the kind of work that Quads does but was twofold --

 1 -- to generate an answer to the earlier question as to whether an infection could survive formatting (and if so how).

 2 -- to increase my own knowledge as a user of EasyBCD and TI, never quite sure whether to check the Restore MBR function or not. I think I tend not to for normal restores as in the beta testing here because I have a multiboot system and might restore a MBR from prior to adding an additional OS (I have 4 at the moment <s>)

So thanks for the education.



Hugh
Regular Contributor
Calls
Posts: 1,720
Registered: ‎10-07-2009

Re: Symantec Please Speak Up About Rash of Trojans

Man, sometimes it just seems like using the internet is not even worth it
: (
Regular Contributor
Calls
Posts: 1,720
Registered: ‎10-07-2009

Re: Symantec Please Speak Up About Rash of Trojans

So the fact that it appears other product forums don't show the flood of Trojan infections raises a few questions.
1. The AV would have to be able to detect the infection for folks to be trying to get rid of it. So maybe other AV products are not detecting it?
2. Could what we are seeing here in these forums be false positives?
3. And this is not finger pointing, but it would be interesting to note if a majority of folks with infections here are using expired product, not getting Norton updates, disabling parts of Norton, and/or engaging in more dangerous practices like file sharing?
Perhaps this could narrow some of the variables leading to infections?
Contributor
ablatt
Posts: 34
Registered: ‎05-19-2008

Re: Symantec Please Speak Up About Rash of Trojans

True, all these points are valid.  But what if?

1. Their product does detect it before infection and Norton doesn't

Not to mention cleaning.  I assume that the service Quads provides is necessary even for Kaspersky users?  Their product can't clean these trojans out?