Archive for June, 2011

Rootkit infection requires Windows reinstall, says Microsoft

IT Solutions – Microsoft is telling Windows users that they’ll have to reinstall the operating system if they get infected with a new rootkit that hides in the machine’s boot sector.

A new variant of a Trojan Microsoft calls “Popureb” digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group’s blog.

“If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,” said Feng.

A recovery disc returns Windows to its factory settings.

Malware like Popureb overwrites the hard drive’s master boot record (MBR), the first sector — sector 0 — where code is stored to bootstrap the operating system after the computer’s BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to both the operating system and security software.

According to Feng, Popureb detects write operations aimed at the MBR — operations designed to scrub the MBR or other disk sectors containing attack code — and then swaps out the write operation with a read operation.

Although the operation will seem to succeed, the new data is not actually written to the disk. In other words, the cleaning process will have failed.

Feng provided links to MBR-fixing instructions for XP, Vista and Windows 7

Rootkits are often planted by attackers to hide follow-on malware, such as banking password-stealing Trojans. They’re not a new phenomenon on Windows.

In early 2010, for example, Microsoft contended with a rootkit dubbed “Alureon” that infected Windows XP systems and crippled machines after a Microsoft security update.

At the time, Microsoft’s advice was similar to what Feng is now offering for Popureb.

If you need help and support with virus removal please don’t hesitate to contact us.

IT Solutions Support Team


Hotmail and Yahoo Mail hit with similar attacks as GMail, says report

Earlier this week, Google announced that hundreds of its GMail accounts were affected by an attack designed to forward the account’s emails to other accounts. Google claims that the attacks originated from China and while they did not directly blame the Chinese government for the attacks that didn’t stop that government from denying any involvement. Now a new report from Trend Micro says that similar attacks have also affected accounts recently for Microsoft’s Hotmail and Yahoo’s Yahoo Mail services.

According to the report, Trend Micro team members found  a “phishing” attack on Hotmail that disguised itself as an email from Facebook’s security team. The report says that users would be affected by the email just by previewing it rather than opening the email up. In addition the report states, “We recently alerted Yahoo! of an attempt to exploit Yahoo! Email by stealing users’ cookies in order to gain access to their email accounts. While this attempt appeared to fail, it does signify that attackers are attempting to attack Yahoo! Email users as well.”

While these kinds of attacks may be hard to defend against there are some clues that a user of web-based email system can use to fight off against these “phishing” attacks. Trend Micro says that users can look for spelling or grammatical errors in these so-called “official” emails. Also you can use a two step email verification system to help make sure any emails you receive are genuine. Trend Micro also decided to promote its own software programs at the end of the report for defense against malicious emails.