Windows Secrets NEWS UPDATE • Issue 176a • 2008-11-26 • Circulation: over 400,000
Table of contents
INTRODUCTION: A news update to bring you rootkit solutions
TOP STORY: Antivirus tools try to remove Sinowal/Mebroot
INTRODUCTION
A news update to bring you rootkit solutions
By Brian Livingston

I thought that trying to take a week off for Thanksgiving was too good to be true. To prove that nature abhors a vacuum, we're publishing today a special "news update" to bring you Woody Leonhard's findings on rootkit removal tools.

Woody's column on Nov. 20 explained how to update your apps to prevent rootkits from infecting your PC. His article received a very high rating of 4.02 out of 5, indicating high reader interest.

Today, Woody describes antivirus utilities that attempt to detect and remove dangerous Sinowal/Mebroot variants and other rootkits that hide from ordinary AV programs. Everyone here at Windows Secrets hopes this two-part series will help you recover from this threat — or, preferably, avoid it entirely.

'Tis the season — promote your biz for free

I've been looking for ways to give something to Windows Secrets subscribers for the holidays. Many of our readers work in or operate small businesses. So we've decided to offer our small-business friends a free ad in our Dec. 4 newsletter at the height of the shopping season.

That's right: your business can submit an ad for our Dec. 4 newsletter and pay nothing. The rules for this offer are as follows:

Windows Secrets advertising page

Many small businesses are struggling in the current global economic slowdown. We hope to give a few of our subscribers' products and services a bit more exposure. Have a great holiday!

No paid content in news updates; next issue Dec. 4

This is a special news update, which has the same content for all free and paying subscribers. There is no paid content in news updates.

Our next regular newsletter will be published on Thurs., Dec. 4, 2008. Windows Secrets skips publication on the 5th Thursday of the month, the last two weeks of August and December, and (usually) the week of Thanksgiving. I promise you, we won't be publishing another newsletter this Thursday!

Brian Livingston is editorial director of WindowsSecrets.com and co-author of Windows Vista Secrets and 10 other books.
TOP STORY
Antivirus tools try to remove Sinowal/Mebroot
By Woody Leonhard

My Top Story Nov. 20 focused on prevention, because it can be hard as heck to get rid of Sinowal/Mebroot once your PC's got it. (Sinowal is the name of an older variant and Mebroot is its newer form, so I'll simply call the threat Mebroot in the remainder of this article.)

Mebroot infects a PC's Master Boot Record (MBR), the first sector on a hard drive, where it's invisible to ordinary antivirus agents.

As I stated last week, your best defense against infection is to use, on a regular basis, a software scanner such as Secunia's free Personal Software Inspector (get it from Secunia's download page). Ideally, you should run a PSI scan right after you install Microsoft's Patch Tuesday updates for Windows. The PSI scan tests your third-party applications, so you can patch them with the latest fixes.

Unpatched media-player apps — Adobe Reader, Flash Player, Apple QuickTime, and the like — are particularly vulnerable to Mebroot and other threats, so it's vital to keep your players up-to-date.

Most Windows Secrets readers are probably not infected with Mebroot. Sophisticated PC users are less likely than novices to visit "celebrity video" sites and leave their PCs' third-party applications unpatched for months or years at a time. But, as careful as you are, it's possible that your PC became infected when you visited some seemingly legitimate site with a less-than-fully-updated browser or while you were running an application with an unpatched security hole.

Washington Post blogger Brian Krebs wrote last month that a new sample of Sinowal/Mebroot was submitted to VirusTotal, an antivirus testing firm, on Oct. 21. Only 10 out of 35 antivirus programs (28.6%) correctly identified the sample or flagged it as suspicious, Krebs says.

If your PC is infected, Mebroot removal tools developed by a few security vendors may be able to help you. The bad news is that even the best tool can't be 100% effective against a threat that's evolving as quickly as this li'l terror.
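Because Mebroot lives in the first sector of the disk rather than in a file, one defender-side check that file scanners miss is an integrity comparison of the MBR itself. The following is an added example, not code from the newsletter or from any vendor mentioned in it: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code, and reports any drift from a baseline captured on a known-clean system. The sample sectors are constructed for the demonstration, not real disk images.

```python
import hashlib
import struct

MBR_SIZE, BOOT_CODE_SIZE, PART_TABLE_OFFSET = 512, 446, 446
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):  # entry: status, CHS start, type, CHS end, LBA start, sector count
        status, ptype, lba, size = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype:  # partition type 0 marks an unused slot
            partitions.append((status == 0x80, ptype, lba, size))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[MBR_SIZE - 2:] == BOOT_SIGNATURE,
    }

def check_mbr(current: bytes, baseline: bytes) -> list:
    """Compare a freshly read MBR against a baseline taken from a known-clean system."""
    now, ref = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if now["boot_code_sha256"] != ref["boot_code_sha256"]:
        findings.append("boot code changed since baseline")
    if now["partitions"] != ref["partitions"]:
        findings.append("partition table changed since baseline")
    return findings

def make_mbr(boot_code: bytes, partitions) -> bytes:
    """Build a constructed test sector (not a real disk image)."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions)
    table += b"\x00" * 16 * (4 - len(partitions))
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + BOOT_SIGNATURE

# Constructed sample: one bootable NTFS partition (type 0x07) starting at LBA 63.
SAMPLE_PARTS = [(0x80, 0x07, 63, 2_000_000)]
CLEAN_MBR = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100, SAMPLE_PARTS)
# Same partition table, different boot code: the shape an MBR infection leaves behind.
TAMPERED_MBR = make_mbr(b"\xea\x00\x7c\x00\x00" + b"\x90" * 100, SAMPLE_PARTS)

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, CLEAN_MBR))     # []
    print(check_mbr(TAMPERED_MBR, CLEAN_MBR))  # ['boot code changed since baseline']
```

Read the sector from a clean boot disc or another OS rather than from the running system: a rootkit that hooks disk I/O can serve the original sector back to anything reading it from the infected Windows, which is exactly why ordinary AV agents miss it.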
Use F-Secure's utility to clean out rootkits

Security firm F-Secure is at the forefront of the industry's response to Mebroot. F-Secure researcher Kimmo Kasslin gave a presentation to a packed conference hall at the Virus Bulletin conference in October, during which he explained the Mebroot menace in these terms:

The company claims that its BlackLight rootkit scanner detects and removes Mebroot. F-Secure also says Mebroot required the development of entirely new detection techniques.

Mebroot's programmers are smart and fast. How smart? When the authors of the rootkit detector GMER discovered how to recognize a particular behavior in Mebroot, the bad guys replaced some code in a driver initializer that threw GMER off the track. (For more information, see Trend Micro's blog entry on this subject.) Detecting and preventing Mebroot is a cat-and-mouse game, and the black cats are winning.

BlackLight is built into F-Secure's commercial products, such as F-Secure Internet Security 2008. A free, standalone BlackLight download is also available. (The utility requires administrator privileges to run.) For information on the products and a link to the download, see F-Secure's BlackLight page.

To get the best detection odds, you can test your PC with multiple antirootkit programs, many of which are free. For a complete review of several top offerings, see Scott Spanbauer's May 22 Best Software column. Unfortunately, I don't know of any software maker that claims it can reliably detect — much less remove — every possible variant of Mebroot.

Your only real remedy may be a clean start

Right now, I believe one of my Windows XP machines is infected with Mebroot, but I can't tell for sure. I've quarantined the system by disconnecting it from my network, and I'm in the process of copying a small handful of vital data files off the PC and onto a USB drive.

Once I've copied the files, I'll reformat the machine's hard drive, reinstall Windows and my apps, and then carefully copy the data back — being very sure to hold down the Shift key every time I insert the USB drive. The Shift key circumvents Windows' AutoPlay behavior, thereby making any malware that might have sneaked onto the thumb drive less likely to run automatically.

Finally, I'll install and religiously use Secunia's Personal Software Inspector every month. Then I'll rub my lucky rabbit's foot (lot of good it did the rabbit), knock on wood, cross my fingers (does wonders for my typing), and hope that Mebroot doesn't bite me again.

My long-range plan is to upgrade the video cards on all of my Windows XP machines so they can limp along with their OS upgraded to Vista. At present, the User Account Control (UAC) function of the latest update of Vista does at least warn against Mebroot's initial attempt to activate. For other, more-technical reasons why Vista is not yet at risk from Mebroot, see the "Affected Systems" section of software engineer Peter Kleissner's analysis.

Of course, by the time I've done a clean install, the Mebroot gang may well have found a way to make even Vista as vulnerable as XP is now. Helluva situation, isn't it?
PERMALINKS
Use these permalinks to share info with friends

We love it when you include the links shown below in e-mails to your friends. This is better than forwarding your copy of our e-mail newsletter. (When our newsletter is forwarded, some recipients click "report as spam" and corporate filters start blocking our e-mails.)

The following link includes all articles this week: http://WindowsSecrets.com/comp/081126

Free content posted on Nov. 26, 2008:

Thanks in advance for your support!
YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December.

Windows Secrets resulted from the merger of several publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Senior Editor: Ian Richards. Editor-at-Large: Fred Langa. Technical Editor: Dennis O'Reilly. Associate Editors: Scott Dunn, Stuart J. Johnston. Program Director: Tony Johnston. Program Manager: Ryan Biesemeyer. Web Developer: Damian Wadley. Editorial Assistant: Katy Abby. Copyeditor: Roberta Scholz. Chief Marketing Officer: Jake Ludington. Contributing Editors: Susan Bradley, Mark Joseph Edwards, Woody Leonhard, Ryan Russell, Scott Spanbauer, Becky Waring.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, Support Alert, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.