February 11, 2009

Antivirus tools try to remove Sinowal/Mebroot

By Woody Leonhard

I wrote last Thursday about ways to protect your PC from infection by Sinowal/Mebroot, a devilishly effective rootkit that can evade antivirus programs.

This week, I'll concentrate on the best available techniques to try to remove the offender, if you're one of the unfortunates who've already been hit.

My Top Story Nov. 20 focused on prevention, because it can be hard as heck to get rid of Sinowal/Mebroot once your PC's got it. (Sinowal is the name of an older variant and Mebroot is its newer form, so I'll simply call the threat Mebroot in the remainder of this article.)

Mebroot infects a PC's Master Boot Record (MBR), the first sector on a hard drive, where it's invisible to ordinary antivirus agents. As I stated last week, your best defense against infection is to use, on a regular basis, a software scanner such as Secunia's free Personal Software Inspector (get it from Secunia's download page).

Ideally, you should run a PSI scan right after you install Microsoft's Patch Tuesday updates for Windows. The PSI scan tests your third-party applications, so you can patch them with the latest fixes. Unpatched media-player apps — Adobe Reader, Flash Player, Apple QuickTime, and the like — are particularly vulnerable to Mebroot and other threats, so it's vital to keep your players up-to-date.

Most Windows Secrets readers are probably not infected with Mebroot. Sophisticated PC users are less likely than novices to visit "celebrity video" sites and leave their PCs' third-party applications unpatched for months or years at a time.

But, as careful as you are, it's possible that your PC became infected when you visited some seemingly legitimate site with a less-than-fully-updated browser or while you were running an application with an unpatched security hole.

Washington Post blogger Brian Krebs wrote last month that a new sample of Sinowal/Mebroot was submitted to VirusTotal, an antivirus testing firm, on Oct. 21. Only 10 out of 35 antivirus programs (28.6%) correctly identified the sample or flagged it as suspicious, Krebs says.

If your PC is infected, Mebroot removal tools developed by a few security vendors may be able to help you. The bad news is that even the best tool can't be 100% effective against a threat that's evolving as quickly as this li'l terror.

Use F-Secure's utility to clean out rootkits

Security firm F-Secure is at the forefront of the industry's response to Mebroot. F-Secure researcher Kimmo Kasslin gave a presentation to a packed conference hall at the Virus Bulletin conference in October, during which he explained the Mebroot menace in these terms:

  • Mebroot is the most advanced and stealthiest malware seen so far.
  • When an infected machine is started, Mebroot loads first and survives through the Windows boot.
  • Mebroot uses a very complex installation mechanism, trying to bypass security products and to make automatic analysis harder.
  • As a payload, Mebroot attacks over 100 European online banks, trying to steal money as users do their online banking on infected machines.

For a complete outline of Kasslin's points and a downloadable PDF version of his conference presentation, see the F-Secure blog page.

The company claims that its BlackLight rootkit scanner detects and removes Mebroot. F-Secure also says Mebroot required the development of entirely new detection techniques.

Mebroot's programmers are smart and fast. How smart? When the authors of the rootkit detector GMER discovered how to recognize a particular behavior in Mebroot, the bad guys replaced some code in a driver initializer that threw GMER off the track. (For more information, see Trend Micro's blog entry on this subject.) Detecting and preventing Mebroot is a cat-and-mouse game, and the black cats are winning.

BlackLight is built into F-Secure's commercial products, such as F-Secure Internet Security 2008. A free, standalone BlackLight download is also available. (The utility requires administrator privileges to run.)

For information on the products and a link to the download, see F-Secure's BlackLight page.

To get the best detection odds, you can test your PC with multiple antirootkit programs, many of which are free. For a complete review of several top offerings, see Scott Spanbauer's May 22 Best Software column.

Unfortunately, I don't know of any software maker that claims it can reliably detect — much less remove — every possible variant of Mebroot.

Your only real remedy may be a clean start

Right now, I believe one of my Windows XP machines is infected with Mebroot, but I can't tell for sure. I've quarantined the system by disconnecting it from my network, and I'm in the process of copying a small handful of vital data files off the PC and onto a USB drive.

Once I've copied the files, I'll reformat the machine's hard drive, reinstall Windows and my apps, and then carefully copy the data back — being very sure to hold down the Shift key every time I insert the USB drive. The Shift key circumvents Windows' AutoPlay behavior, thereby making any malware that might have sneaked onto the thumb drive less likely to run automatically.

Finally, I'll install and religiously use Secunia's Personal Software Inspector every month. Then I'll rub my lucky rabbit's foot (lot of good it did the rabbit), knock on wood, cross my fingers (does wonders for my typing), and hope that Mebroot doesn't bite me again.

My long-range plan is to upgrade the video cards on all of my Windows XP machines so they can limp along with their OS upgraded to Vista. At present, the User Account Control (UAC) function of the latest update of Vista does at least warn against Mebroot's initial attempt to activate. For other, more-technical reasons why Vista is not yet at risk from Mebroot, see the "Affected Systems" section of software engineer Peter Kleissner's analysis.

Of course, by the time I've done a clean install, the Mebroot gang may well have found a way to make even Vista as vulnerable as XP is now.

Helluva situation, isn't it?

Don’t be a victim of Sinowal, the super-Trojan

By Woody Leonhard

The sneaky "drive-by download" known as Sinowal has been, uh, credited with stealing more than 500,000 bank-account passwords, credit-card numbers, and other sensitive financial information.

This exploit has foiled antivirus software manufacturers time and again over the years, and it provides us in real time a look at the future of Windows infections.

Imagine a very clever keylogger sitting on your system, watching unobtrusively as you type, kicking in and recording your keystrokes only when you visit one of 2,700 sensitive sites. The list is controlled by the malware's creators and includes many of the world's most popular banking and investment services.

That's Sinowal, a super-Trojan that uses a technique called HTML injection to put ersatz information on your browser's screen. The bad info prompts you to type an account number and/or a password. Of course, Sinowal gathers all the information and sends it back home — over a fancy, secure, encrypted connection, no less.

Washington Post journalist Brian Krebs wrote the definitive overview of Sinowal's criminal tendencies in his Oct. 31, 2008, column titled "Virtual Heist Nets 500,000+ Bank, Credit Accounts" — a headline that's hard to ignore. Krebs cites a detailed analysis by RSA's FraudAction Research Lab: "One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts."

Sinowal has been around for many years. (Most virus researchers nowadays refer to Sinowal as "Mebroot," but Sinowal is the name you'll see most often in the press. Parts of the old Sinowal went into making Mebroot. It isn't clear whether the same programmers who originally came up with Sinowal are also now working on Mebroot. Mebroot's the current villain.)

Microsoft's Robert Hensing and Scott Molenkamp blogged about the current incarnation of Sinowal/Mebroot back in January. RSA has collected data swiped by Sinowal/Mebroot infections dating to 2006. EEye Digital Security demonstrated its "BootRoot" project — which contains several elements similar to Sinowal/Mebroot — at the Black Hat conference in July 2005.

That's a long, long lifespan for a Trojan. It's important for you to know how to protect yourself.

A serious infection most antivirus apps miss

I haven't even told you the scariest part yet.

Sinowal/Mebroot works by infecting Windows XP's Master Boot Record (MBR) — it takes over the tiny program that's used to boot Windows. MBR infections have existed since the dawn of DOS. (You'd think that Microsoft would've figured out a way to protect the MBR by now — but you'd be wrong.)

Vista SP1 blocks the simplest MBR access, but the initial sectors are still programmatically accessible, according to a highly technical post by GMER, the antirootkit software manufacturer.
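
As an added illustration (not part of the original column and not any vendor's tool), the Python code below shows what checking the MBR amounts to: it parses a 512-byte first sector and compares its boot code and partition table against a baseline recorded while the PC was known to be clean. It assumes the sector was copied from trusted boot media rather than from inside the running Windows installation, since the rootkit described here loads before Windows and hides itself; the function names and the sample sectors are constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440      # bytes 0-439 hold the boot code; 440-445 are disk signature + reserved
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"   # required marker in bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, disk signature and partition list."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 means the slot is unused
            partitions.append({"slot": i, "active": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start,
                               "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "disk_signature": sector[440:444].hex(),
            "partitions": partitions}


def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    # A disk that boots Windows is expected to carry exactly one active entry.
    if sum(p["active"] for p in current["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


def build_sample_mbr(boot_code: bytes, first_lba: int = 63) -> bytes:
    """Constructed sector for the demo: filler 'boot code' plus one active NTFS entry."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")
    disk_sig = bytes.fromhex("78563412") + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", first_lba, 41929587)
    return code + disk_sig + entry + b"\x00" * 48 + BOOT_SIG


if __name__ == "__main__":
    clean = build_sample_mbr(b"CONSTRUCTED-CLEAN-LOADER")
    baseline = parse_mbr(clean)          # record this while the PC is known-good
    altered = build_sample_mbr(b"CONSTRUCTED-OTHER-LOADER")
    print(compare_to_baseline(clean, baseline))
    print(compare_to_baseline(altered, baseline))
```

A legitimate change, such as reinstalling Windows or adding another boot loader, also alters the hash, so the baseline has to be re-recorded after such changes.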

The key to Sinowal/Mebroot's "success" is that it's so sneaky and is able to accomplish its dirty work in many different ways. How sneaky? Consider this: Sinowal/Mebroot doesn't run straight out to your MBR and overwrite it. Instead, the Trojan waits for 8 minutes before it even begins to analyze your computer and change the Registry. Digging into the MBR doesn't start until 10 minutes after that.

Sinowal/Mebroot erases all of its tracks and then reboots the PC using the adulterated MBR and new Registry settings 42 minutes into the process. Peter Kleissner, Software Engineer at Vienna Computer Products, has posted a detailed analysis of the infection method and the intricate interrupt-hooking steps, including the timing and the machine code for the obfuscated parts.

Once Sinowal/Mebroot is in your system, the Trojan runs stealthily, loading itself in true rootkit fashion before Windows starts. The worm flies under the radar by running inside the kernel, the lowest level of Windows, where it sets up its own network communication system, whose external data transmissions use 128-bit encryption. The people who run Sinowal/Mebroot have registered thousands of .com, .net, and .biz domains for use in the scheme.

Wait, there's more: Sinowal/Mebroot cloaks itself entirely and uses no executable files that you can see. The changes it makes to the Registry are very hard to find. Also, there's no driver module in the module list, and no Sinowal/Mebroot-related svchost.exe or rundll32.exe processes appear in the Task Manager's Processes list.

Once Sinowal/Mebroot has established its own internal communication software, the Trojan can download and run software fed to it by its creators. Likewise, the downloaded programs can run undetected at the kernel level.

Sinowal/Mebroot isn't so much a Trojan as a parasitic operating system that runs inside Windows.

Windows XP users are particularly vulnerable

So, what can you do to thwart this menace? Your firewall won't help: Sinowal/Mebroot bypasses Windows' normal communication routines, so it works outside your computer's firewall.

Your antivirus program may help, for a while. Time and time again, however, Sinowal/Mebroot's creators have modified the program well enough to escape detection. AV vendors scramble to catch the latest versions, but with one or two new Sinowal/Mebroot iterations being released every month, the vendors are trying to hit a very fleet — and intelligent — target.

Peter Kleissner told me, "I think Sinowal has been so successful because it's always changing … it is adjusting to new conditions instantly. We see Sinowal changing its infection methods and exploits all the time."

Similarly, you can't rely on rootkit scanners for protection. Even the best rootkit scanners miss some versions of Sinowal/Mebroot. (See Scott Spanbauer's review of free rootkit removers in May 22's Best Software column and Mark Edwards' review of rootkit-remover effectiveness in his May 22 PC Tune-Up column; paid subscription required for the latter.)

Truth be told, there is no single way to reliably protect yourself from Sinowal/Mebroot, short of disconnecting your computer from the Internet and not opening any files. But there are some historical patterns to the exploit that you can learn from.

First of all, most of the Sinowal/Mebroot infections I've heard about got into the afflicted PCs via well-known and already-patched security holes in Adobe Reader, Flash Player, or Apple QuickTime. These are not the only Sinowal/Mebroot infection vectors by a long shot, but they seem to be preferred by the Trojan's creators. You can minimize your risk of infection by keeping all of your third-party programs updated to the latest versions.

Windows Secrets associate editor Scott Dunn explained how to use the free Secunia Software Inspector service to test your third-party apps, and how to schedule a monthly check-up for your system, in his Sept. 6, 2007, column.

In addition, according to Peter Kleissner, Sinowal/Mebroot — at least in its current incarnation — doesn't infect Vista systems. Windows XP remains its primary target, because Vista's boot method is different and its User Account Control regime gets in the worm's way.

Don't look to your bank for Sinowal safeguards

So, you'd figure the banks and financial institutions being targeted by Sinowal/Mebroot would be up in arms, right? Half a million compromised accounts for sale by an unknown, sophisticated, and capable team that's still harvesting accounts should send a shiver up any banker's spine.

I asked Rob Rosenberger about it, and he laughed. Rosenberger's one of the original virus experts and was also one of the first people to work on network security at a large brokerage firm.

"I'll be labeled a heretic for saying this, but … from a banking perspective, frauds like this have never qualified as a major threat. A banker looks at his P&L sheets and writes off this kind of fraud as simply a cost of doing business. Such fraud may amount to billions of dollars each year, but the cost is spread across all sectors of the banking industry all over the world.

"Banks have dealt with this kind of fraud for many, many decades," Rosenberger continued. "Forget the Internet — this kind of fraud existed back in the days of credit-card machines with carbon paper forms. The technology of fraud gets better each year, but this type of fraud remains consistent. From a banking perspective, the cost to obey government regulations dwarfs the cost of any individual case of fraud."

If the bankers aren't going to take up the fight against Sinowal/Mebroot, who will? The antivirus software companies have a long tradition of crying wolf, and their credibility has suffered as a result.

In this particular case, the major AV packages have failed to detect Sinowal/Mebroot over and over again. It's hard to imagine one of the AV companies drumming up enough user interest — or enough business — to fund a mano-a-mano fight against the threat. Besides, the AV companies are chasing the cows after they've left the barn, so to speak.

The folks who make malware these days constantly tweak their products, often using VirusTotal or a proprietary set of scanners to make sure their programs pass muster. A day or an hour later — before the AV companies can update their signatures — the bad guys unleash a new version. AV companies know that and are moving to behavioral monitoring and other techniques to try to catch malware before it can do any harm.

The only company that seems to be in a position to fix the Master Boot Record problem is Microsoft. But it's hard to imagine MS management devoting the time and resources necessary to fix major security holes in a seven-year-old product, particularly when XP's successors (I use the term lightly) don't appear to have the same flaw.

This is short-sighted, however. It's only a matter of time before Sinowal/Mebroot — or an even-more-dangerous offshoot — finds a way to do its damage on Vista systems as well.

If Microsoft decides to take on Sinowal/Mebroot, the company is up against a formidable opponent that draws on many talented programmers. John Hawes at Virus Bulletin says, "I recently heard someone estimate that a team of 10 top programmers would need four full months of work to put together the basic setup."

As Peter Kleissner puts it, "I personally think most people behind the [Sinowal] code do not know what they have done. I would bet that more than half of the code was written by students around the world."

Kleissner's in a good position to judge. He's a student himself, 18 years old. I'm glad he's on our side.

How to maintain XP after Microsoft ends support

By Stuart J. Johnston

Microsoft CEO Steve Ballmer said recently that it's OK with him if you want to stick with Windows XP until Windows 7 is available late next year.

XP lovers may still be able to buy a new PC with that operating system installed for another year or so, but unfortunately, Microsoft plans to end most free support for the OS within months.

On that date — Apr. 14, 2009 — millions of PC users, some of whom bought their systems less than a year earlier, will be left in the lurch. These users will have to pay Microsoft for Windows XP support, although downloading critical security patches is expected to remain free of charge.

The end of support is planned despite the fact that consumers can still buy a new PC that runs XP rather than Vista, which was released nearly two years ago. It's ironic that no less a personage than Microsoft chief Ballmer tells users that staying with XP until Windows 7 ships late next year is a viable option.

What's a poor Windows XP user to do?

Third-party vendors pledge XP compatibility

Ballmer has said repeatedly over the past 10 to 15 years that the stiffest competition a new version of Windows confronts in the marketplace is the previous version of Windows. If the previous version is "good enough," then a lot of people won't buy the upgrade. XP just may prove Ballmer right.

According to a study by Gartner, there will be more than 1 billion computers in use worldwide by the end of 2008. The vast majority of them run Windows XP.

In fact, according to an analysis by Web analytics firm Net Applications, some 68 percent of the client computers in use around the world use XP. The OS's closest challenger — Vista — represents just over 19 percent of the worldwide PC market. If these stats are accurate, there are nearly 700 million copies of XP on the planet.

While Vista has been picking up steam in recent months, it has a long way to go to catch up with its older, more mature sibling. Even if Microsoft redoubles its efforts to market Vista, it's unlikely the newer version could pass XP in installed numbers by late 2009, which is when Microsoft officials hint that Windows 7 will be available.

Anyone who uses XP — whether on a new machine or an early-2000s model — has to wonder whether new hardware and software will continue to support the old OS.

The answer is a qualified "yes."

XP's huge installed base helps to ensure that hardware and software companies are continuing to support their existing XP users while also making sure their new products will work with the OS. Every one of several third-party hardware and software firms I checked with claims its new products will be compatible with both Vista and XP.

For now, anyway, losing the support of third-party vendors is far from the biggest threat facing anyone who sticks with XP. The bigger problem is Microsoft's impending free-support cutoff date for the OS.

XP's support has been extended once before

Microsoft's policy is to support each version of its operating system for 10 years. For the first five years, users get "mainstream" support, which combines free help and fee-based services. This is in addition to the standard patches and hotfixes that Microsoft periodically releases.

The second five-year period constitutes "extended" support. During this time, users must pay for support, aside from critical patches that continue to be offered by the company for free.

XP will reach the end of mainstream support on Apr. 14, 2009, despite the fact that Service Pack 3 for XP was released just last spring. (XP first shipped in late 2001, so the end of its mainstream support is coming more than two years later than is typical — a testament to XP's popularity.)

After April 2009, XP moves into the extended-support period, which is expected to last through Apr. 8, 2014.

Under extended support, if you encounter problems installing a security patch or other critical fix, tech support will help you free of charge. Any other help from Microsoft tech support, however, will be on a pay-per-incident basis. Microsoft currently charges $59 per incident for help with operating-system problems.

If you bought a new PC with XP preinstalled, it's important to note that you must contact your PC maker for all support. Microsoft has assembled a list of phone numbers and support sites for major PC vendors.

Even though Microsoft has cut off retail sales of XP, the company will continue to allow PC vendors to sell XP Professional on new systems at least through the end of January 2009.

Today, that's usually done by opting for the vendor's "downgrade" license, which lets the buyer choose between Vista and XP Pro.

For example, Dell Computer says it will sell systems with XP as a downgrade option through 2009 and possibly longer.

There are plenty of XP resources out there

Of course, you aren't stuck with Microsoft when it comes to your XP support options. If you're looking for an XP device driver, and you're not having much luck with the vendors' sites, try browsing through the posts at various PC community forums.

Forums are great places to post questions and (hopefully) receive answers from other users who have experienced the same problems and found solutions. Microsoft's XP newsgroups are a good place to start.

Other useful XP support sites include the TechArena community, BoardReader, and AllExperts.

You'll find all types of XP support from the members of PC user groups, many of which offer live, in-person meetings where participants exchange tips and solutions. Listings for Microsoft user groups are available at the Microsoft Mindshare site.

These are by no means all the support options available to XP users, but they provide a starting point to help you keep XP alive and well until something better comes along — whether another flavor of Windows or something completely different.

XP and Vista Uptime

If you leave your computer running 24/7 (24 hours a day, 7 days a week), you might be interested in determining the amount of uptime that has accumulated since your last reboot. Luckily, it's very easy to find that information in both Windows XP and Vista. Let's take a look!

Tracking Uptime in Vista

To find Vista’s uptime, right click on your taskbar and select Task Manager.

Now, with the Task Manager open, click on the Performance tab and you'll see the amount of uptime listed under the System section.

Tracking Uptime in XP

To find the uptime in XP, go to Start, Run, type in "cmd" and then click OK.

That will bring up a command prompt. Type in “systeminfo” (without the quotes) and then hit Enter. It will take a few minutes for the analysis to complete and get your results, but when it's finished, you'll see your uptime listed in days, hours, minutes and seconds.

Find your uptime today!
