Antivirus tools try to remove Sinowal/Mebroot
In this issue
- BONUS: Last week to get a free excerpt of 'Pleasure'
- INTRODUCTION: A news update to bring you rootkit solutions
- TOP STORY: Antivirus tools try to remove Sinowal/Mebroot
Last week to get a free excerpt of 'Pleasure'
As often as possible, Windows Secrets licenses some new content that all of our readers can download and enjoy at no cost. This month, our bonus download reveals hidden motivations that operate beneath the level of our conscious mind.
Our exclusive excerpt of The Pleasure Instinct: Why We Crave Adventure, Chocolate, Pheromones, and Music explains why everything from the smell of cocoa to a whiff of an expensive perfume moves us in unexpected ways.
The printed book won’t be available in stores until mid-December, but you can get our PDF e-book excerpt now through Dec. 3, 2008. Simply visit your preferences page, update your entries, press the Save button, and a download link will appear. Thanks for your support! —Brian Livingston, editorial director
All subscribers: Set your preferences and download your bonus
Info on the printed book: United States / Canada / Elsewhere
A news update to bring you rootkit solutions
By Brian Livingston
I thought that trying to take a week off for Thanksgiving was too good to be true.
To prove that nature abhors a vacuum, we’re publishing today a special “news update” to bring you Woody Leonhard’s findings on rootkit removal tools.
Woody’s column on Nov. 20 explained how to update your apps to prevent rootkits from infecting your PC. His article received a very high rating of 4.02 out of 5, indicating high reader interest. Today, Woody describes antivirus utilities that attempt to detect and remove dangerous Sinowal/Mebroot variants and other rootkits that hide from ordinary AV programs.
Everyone here at Windows Secrets hopes this two-part series will help you recover from this threat — or, preferably, avoid it entirely.
‘Tis the season — promote your biz for free
I’ve been looking for ways to give something to Windows Secrets subscribers for the holidays. Many of our readers work in or operate small businesses. So we’ve decided to offer our small-business friends a free ad in our Dec. 4 newsletter at the height of the shopping season.
That’s right: your business can submit an ad for our Dec. 4 newsletter and pay nothing. The rules for this offer are as follows:
- Anyone who places an ad before our ad deadline — Dec. 1 at 2 p.m. Pacific Time — is eligible to receive a free ad in the Dec. 4 newsletter.
- No more than 12 ads will be accepted in the Dec. 4 newsletter. If more than 12 ads are submitted, 12 will be chosen at random. In a regular newsletter, no more than 9 ads are accepted.
- A valid credit card must be entered, but your card will not be charged for the Dec. 4 newsletter.
- Free ads in the Dec. 4 newsletter will be positioned in random order, so there’s no reason to enter an exaggerated bid. Simply enter a reasonable bid: whatever you’d be willing to pay if your ad continued to run in the Dec. 11 newsletter.
- On Dec. 5, we’ll send you an e-mail showing the number of click-throughs your ad generated in the first 24 hours. If the response is worth it, make no changes and your ad will continue to run. If not, you can cancel your ad and pay nothing.
- All ads run until you cancel them. You may cancel an ad by changing your bid to zero (0) at any time before the ad deadline for our Dec. 11 newsletter — Dec. 8 at 2 p.m. Pacific Time. Before the ad deadline, you can also reduce or increase your bid to obtain a better position.
To place your ad, start at the Web page in the link below and follow the instructions:
Windows Secrets advertising page
Many small businesses are struggling in the current global economic slowdown. We hope to give a few of our subscribers’ products and services a bit more exposure. Have a great holiday!
No paid content in news updates; next issue Dec. 4
This is a special news update, which has the same content for all free and paying subscribers. There is no paid content in news updates.
Our next regular newsletter will be published on Thurs., Dec. 4, 2008. Windows Secrets skips publication on the 5th Thursday of the month, the last two weeks of August and December, and (usually) the week of Thanksgiving.
I promise you, we won’t be publishing another newsletter this Thursday!
Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.
Antivirus tools try to remove Sinowal/Mebroot
By Woody Leonhard
I wrote last Thursday about ways to protect your PC from infection by Sinowal/Mebroot, a devilishly effective rootkit that can evade antivirus programs. This week, I’ll concentrate on the best available techniques to try to remove the offender, if you’re one of the unfortunates who’ve already been hit.
My Top Story Nov. 20 focused on prevention, because it can be hard as heck to get rid of Sinowal/Mebroot once your PC’s got it. (Sinowal is the name of an older variant and Mebroot is its newer form, so I’ll simply call the threat Mebroot in the remainder of this article.)
Mebroot infects a PC’s Master Boot Record (MBR), the first sector on a hard drive, where it’s invisible to ordinary antivirus agents. As I stated last week, your best defense against infection is to use, on a regular basis, a software scanner such as Secunia’s free Personal Software Inspector (get it from Secunia’s download page).
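As an added illustration of what an MBR integrity check looks like (example code written for this page, not the article's or any vendor's tool): it parses a 512-byte Master Boot Record, verifies the 0x55AA boot signature and partition-table sanity, and compares a hash of the bootstrap code against a baseline taken when the disk was known-clean. The sample sectors below are constructed; a real check would read the first sector of the physical disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap code precedes the four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into bootstrap code, partition entries and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": entries,
            "signature_ok": sector[510:512] == SIGNATURE}


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table may legitimately change."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("bootstrap code differs from known-clean baseline")
    if sum(p["bootable"] for p in mbr["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


# Constructed samples: a fake clean MBR (one bootable NTFS partition at LBA 2048)
# and a copy whose bootstrap code has been patched with an inserted jump.
CLEAN_MBR = (b"\xeb\x3c\x90" + b"\x00" * 443
             + b"\x80\x01\x01\x00\x07\xfe\xff\xff" + struct.pack("<II", 2048, 2097152)
             + b"\x00" * 48 + SIGNATURE)
PATCHED_MBR = CLEAN_MBR[:16] + b"\xe9\x00\x10" + CLEAN_MBR[19:]
```

Take the baseline and run the comparison from clean boot media rather than inside the suspect Windows install, because a rootkit that owns the boot sector can filter what the running OS reads back from the disk.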
Ideally, you should run a PSI scan right after you install Microsoft’s Patch Tuesday updates for Windows. The PSI scan tests your third-party applications, so you can patch them with the latest fixes. Unpatched media-player apps — Adobe Reader, Flash Player, Apple QuickTime, and the like — are particularly vulnerable to Mebroot and other threats, so it’s vital to keep your players up-to-date.
Most Windows Secrets readers are probably not infected with Mebroot. Sophisticated PC users are less likely than novices to visit “celebrity video” sites and leave their PCs’ third-party applications unpatched for months or years at a time.
But, as careful as you are, it’s possible that your PC became infected when you visited some seemingly legitimate site with a less-than-fully-updated browser or while you were running an application with an unpatched security hole.
Washington Post blogger Brian Krebs wrote last month that a new sample of Sinowal/Mebroot was submitted to VirusTotal, an antivirus testing firm, on Oct. 21. Only 10 out of 35 antivirus programs (28.6%) correctly identified the sample or flagged it as suspicious, Krebs says.
If your PC is infected, Mebroot removal tools developed by a few security vendors may be able to help you. The bad news is that even the best tool can’t be 100% effective against a threat that’s evolving as quickly as this li’l terror.
Use F-Secure’s utility to clean out rootkits
Security firm F-Secure is at the forefront of the industry’s response to Mebroot. F-Secure researcher Kimmo Kasslin gave a presentation to a packed conference hall at the Virus Bulletin conference in October, during which he explained the Mebroot menace in these terms:
- Mebroot is the most advanced and stealthiest malware seen so far.
- When an infected machine is started, Mebroot loads first and survives through the Windows boot.
- Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder.
- As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines.
For a complete outline of Kasslin’s points and a downloadable PDF version of his conference presentation, see the F-Secure blog page.
The company claims that its BlackLight rootkit scanner detects and removes Mebroot. F-Secure also says Mebroot required the development of entirely new detection techniques.
Mebroot’s programmers are smart and fast. How smart? When the authors of the rootkit detector GMER discovered how to recognize a particular behavior in Mebroot, the bad guys replaced some code in a driver initializer that threw GMER off the track. (For more information, see Trend Micro’s blog entry on this subject.) Detecting and preventing Mebroot is a cat-and-mouse game, and the black cats are winning.
BlackLight is built into F-Secure’s commercial products, such as F-Secure Internet Security 2008. A free, standalone BlackLight download is also available. (The utility requires administrator privileges to run.)
For information on the products and a link to the download, see F-Secure’s BlackLight page.
To get the best detection odds, you can test your PC with multiple antirootkit programs, many of which are free. For a complete review of several top offerings, see Scott Spanbauer’s May 22 Best Software column.
Unfortunately, I don’t know of any software maker that claims it can reliably detect — much less remove — every possible variant of Mebroot.
Your only real remedy may be a clean start
Right now, I believe one of my Windows XP machines is infected with Mebroot, but I can’t tell for sure. I’ve quarantined the system by disconnecting it from my network, and I’m in the process of copying a small handful of vital data files off the PC and onto a USB drive.
Once I’ve copied the files, I’ll reformat the machine’s hard drive, reinstall Windows and my apps, and then carefully copy the data back — being very sure to hold down the Shift key every time I insert the USB drive. The Shift key circumvents Windows’ AutoPlay behavior, thereby making any malware that might have sneaked onto the thumb drive less likely to run automatically.
Finally, I’ll install and religiously use Secunia’s Personal Software Inspector every month. Then I’ll rub my lucky rabbit’s foot (lot of good it did the rabbit), knock on wood, cross my fingers (does wonders for my typing), and hope that Mebroot doesn’t bite me again.
My long-range plan is to upgrade the video cards on all of my Windows XP machines so they can limp along with their OS upgraded to Vista. At present, the User Account Control (UAC) function of the latest update of Vista does at least warn against Mebroot’s initial attempt to activate. For other, more-technical reasons why Vista is not yet at risk from Mebroot, see the “Affected Systems” section of software engineer Peter Kleissner’s analysis.
Of course, by the time I’ve done a clean install, the Mebroot gang may well have found a way to make even Vista as vulnerable as XP is now.
Helluva situation, isn’t it?
Woody Leonhard’s latest books — Windows Vista All-In-One Desk Reference For Dummies and Windows Vista Timesaving Techniques For Dummies — explore what you need to know about Vista in a way that won’t put you to sleep. He is also a co-author of the encyclopedic Special Edition Using Office 2007. Woody’s column regularly appears in the paid content of Windows Secrets.
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Copyright © 2023 AskWoody LLC, All rights reserved.