Malware, Rootkits and MBR Viruses – Oh My!

The Fake Antivirus Programs are really getting irritating lately as the usual methods to clean them are not as effective as they used to be. I used to see rootkits only a few times a year, but ever since around October last year when online shopping began to surge for the holidays, I started seeing them every week, until now when I am seeing them practically every day. Even worse, they are now being bundled with Master Boot Record (MBR) infections as well. Now MBR infections are not that difficult to remove as long as you don’t have a non-standard MBR created by a 3rd party boot manager, but the rootkits are a pain, even for a seasoned technician.

What is a Rootkit?

First of all, the type of rootkits I am discussing here are the ones associated with malware. A rootkit is software that enables privileged access to a computer while hiding itself from administrators by subverting standard operating system functionality or other applications. In simple layman's terms, it is an invisible trojan.

Detecting rootkits is difficult because rootkits subvert the security software that is intended to find them. Ever wonder why your antivirus program didn’t detect it? After you think you have tried everything, and you still see the symptoms of an infection such as pop-ups or a hijacked internet browser, sometimes you just raise your hands and say “It must be a rootkit”. At least then, you know you have to use a whole different arsenal of tools, many of which are free. Some of these tools are for detecting specific types of rootkits, so just because one doesn’t find anything doesn’t mean your computer is clean of rootkits if you still have the symptoms of one.

Another method I routinely use to clean rootkits is by removing the hard drive and slaving it to another computer and then scanning it, or by booting to a Live Windows-CD and scanning it that way. Sadly, the average person does not have a Live Windows-CD, although you can make one for free if you are adventurous and want to learn about building one with Bart PE. Even so, removal can be complicated or practically impossible, especially in cases where the rootkit resides in the kernel; sometimes a clean reinstallation of the Windows Operating System is the only alternative.

Tips on Cleaning MBR Viruses

This is in no way a complete guide to cleaning MBR viruses; it is just my 2 cents. Anyway, an antivirus program may be able to detect an MBR virus, but it is unlikely that it will be able to clean it. The good news is that now you at least know you have an MBR infection.

The problem has gotten so bad lately that now I routinely check the MBR with a free program I recently discovered called MBRCheck. It has features to replace the infected MBR code with default values for each Windows operating system, although I’m not confident that it really works 100% of the time. So mainly, I just use it to check the MBR code and if it reports that it has an unknown, non-standard, or infected MBR, then I will use the Windows Recovery Console or Recovery Environment to fix it.
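To make the kind of check described above concrete, here is an added example (not MBRCheck's code, nor anything from the original post) that parses a raw 512-byte MBR, hashes the bootstrap code and compares it against a table of known-good hashes, reporting "standard", "unknown" or "bad-signature". The baseline boot code and its hash are constructed stand-ins, not real Windows MBR values; a practitioner would populate KNOWN_GOOD from trusted reference images.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code; the 4-byte disk signature follows it
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55AA boot signature

# Constructed placeholder, NOT real Windows boot code; replace with hashes taken from trusted images.
BASELINE_BOOT_CODE = b"\xEB\x3C\x90CONSTRUCTED-BASELINE-BOOTCODE".ljust(BOOT_CODE_LEN, b"\x00")
KNOWN_GOOD = {hashlib.sha256(BASELINE_BOOT_CODE).hexdigest(): "baseline (constructed)"}


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR sector into a boot-code hash, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # skip empty entries
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
            "partitions": partitions}


def classify_mbr(sector: bytes, known_good: dict = KNOWN_GOOD) -> str:
    """MBRCheck-style verdict. A bootkit typically leaves the partition table intact and
    swaps only the boot code, which is exactly what the hash comparison catches."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "bad-signature"
    return "standard" if info["boot_code_sha256"] in known_good else "unknown"


def build_sample_mbr(boot_code: bytes, start_lba: int = 2048) -> bytes:
    """Construct a synthetic MBR for testing: padded boot code, one bootable NTFS partition."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6   # disk signature + reserved
    table = struct.pack("<B3xB3xII", 0x80, 0x07, start_lba, 204800) + b"\x00" * 48
    return body + table + b"\x55\xAA"


if __name__ == "__main__":
    print(classify_mbr(build_sample_mbr(BASELINE_BOOT_CODE)))                      # standard
    print(classify_mbr(build_sample_mbr(b"\xEB\x3C\x90CONSTRUCTED-TAMPERED-CODE")))  # unknown
```

On a real system the sector would come from reading the first 512 bytes of the physical disk with administrative rights; the "unknown" verdict is a prompt to investigate, since a legitimate third-party boot manager also produces it.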

In Windows 2000 or XP, the Recovery Console can be used to write new MBR code to the Hard Drive using the “fixmbr” command in the Recovery Console. In Windows Vista and Windows 7, the built-in Recovery Environment can be used to write new MBR code to a Hard Drive by clicking on Command Prompt and then typing “bootrec.exe /fixmbr” and pressing Enter. Yes, there is a space before the slash.

For Windows 2000 or XP, you will need the Windows Operating System CD to load the Recovery Console if it is not already pre-installed. Most HPs with XP have it pre-installed. For Vista/Win7, it is called the Recovery Environment, which can be invoked by pressing the F8 key after boot-up (similar to entering Safe Mode), and selecting Startup Repair. You will need to know the password to an Administrator account. Below are a few resources for cleaning MBR infections.

Tips on Cleaning Rootkits

Again, this is just my 2 cents. As I mentioned before, rootkits may be cleaned by slaving the drive to another computer or by booting to a Live Windows-CD and then scanning it. Of course, I don’t just rely on automatic scanning to do the job, I always poke around in all the usual places malware hides as well as loading the registry hives so I can manually clean the registry as well. These techniques are advanced so I definitely won’t be getting into that here.

But if you are looking for the next best thing to a magic pill to do the job, then you need ComboFix. I have mentioned it before and if you decide to use it, you need to learn how to use it first. Please don’t download it and double-click without reading the disclaimers and instructions. While I have always had good results with ComboFix, I have heard of others having problems, but I suspect they were careless users. Anyway, I am not responsible for any negative problems that you might experience from using ComboFix. All I can say, is that I have been using it successfully for years. The creators of ComboFix are awesome. I have already posted info about this tool before under the subheading “Powerful Help With a Powerful Warning” at http://spywarepreventionguy.com/fake-antivirus-programs/

Anyway, these types of infections creep in because of risky internet surfing habits combined with poor security software and unpatched Windows vulnerabilities. As always, prevention is the key, so get some good security software (you know what I recommend), install your Windows Security Updates, and get street-smart on the internet … and not just you, but “everyone” that uses your computer.
