Gizmo's Freeware Reviews
Gizmo's Freeware Forum > Debating Chamber > Security
14. Jul 2010, 07:51 PM   #1
emmjay (Senior Member; Join Date: Dec 2009; Posts: 226)
Bootkit(s) just too stealthy!

I came across 'BOOTKIT' for the first time today. I had not heard of it before, so I did a search on Gizmo and found a definition, but not anything else in my search. I took a look around some other security sites on the web and most of the references to Bootkits are before 2009 ... very few in 2010.

I do not know what to assume from this ... better detection/removal in security apps now, or fewer bootkit nasties on the loose. Maybe they are just too stealthy. I read that AV heuristics cannot detect them.

Some AV sites recommend running MBAM to get a bootkit infection verified. Most of the AV sites had nothing on bootkits (rootkit references mostly). Anyways, I learned something new today and that's good!

Is XP more likely to be attacked by a bootkit than, say, W7? Does anybody know this?
15. Jul 2010, 02:15 AM   #2
J_L (Co-Author, Best Free Security List; Join Date: Dec 2008; Posts: 1,475)

XP is definitely more vulnerable compared to Windows 7 64-bit, because of PatchGuard and incompatibility with 32-bit rootkits.

The best software to scan for rootkits is Hitman Pro imo.
21. Jul 2010, 07:53 PM   #3
emmjay (Senior Member; Join Date: Dec 2009; Posts: 226)

Quote:
Originally Posted by J.L.
XP is definitely more vulnerable compared to Windows 7 64-bit, because of PatchGuard and incompatibility with 32-bit rootkits.

The best software to scan for rootkits is Hitman Pro imo.
Tnx J.L. for responding. Can Hitman Pro remove the 'stoned' bootkit?

I was reading that a new version of 'stoned' is out there infecting PCs (XP, Vista and W7) and it is called 'Whistler'. The Germans are having quite a bit of trouble with it right now. Maybe it originated there (I do not know). There is supposedly a 64-bit version of Whistler out there too. Those infected have tried apps like GMER (others too) but they cannot remove it. I could not find anything about this bootkit being a problem in North America as yet. It is new.

I read that 'Whistler' opens advertisements on browsers and it also disables your sound. So far users have to reinstall their OS to recover their systems.
22. Jul 2010, 01:31 AM   #4
J_L (Co-Author, Best Free Security List; Join Date: Dec 2008; Posts: 1,475)

Quote:
Originally Posted by emmjay
Tnx J.L. for responding. Can Hitman Pro remove the 'stoned' bootkit?

I was reading that a new version of 'stoned' is out there infecting PCs (XP, Vista and W7) and it is called 'Whistler'. The Germans are having quite a bit of trouble with right now. Maybe it originated there (I do not know). There is supposedly a 64bit version of whistler out there too. Those infected have tried apps like GMER (others too) but they can not remove it. I could not find anything about this bootkit being a problem in North America as yet. It is new.

I read that 'Whistler' opens advertisements on browsers and it also disables your sound. So far users have to reinstall their OS to recover their systems.
That's why prevention is always better than a cure.

Best examples are Sandboxie (or other virtualizing app) and hardening Windows itself (Limited User Account, Default-Deny Software Restriction Policy, etc).
Disk images are quite useful too, instead of re-installing Windows.
22. Jul 2010, 01:34 PM   #5
Anupam (Moderator; Join Date: Jul 2008; Location: India; Posts: 9,484)

I don't know if there exists any protection from bootkits, or even if they can be removed by the security programs. Rootkits are very hard to remove, and difficult to detect. But bootkits are even harder to detect, and very difficult to remove. Bootkits affect the boot sector of the hard disk. That's why it's becoming a major threat now. I would like to know how many and which security software offer protection, detection, and removal of these bootkits.
23. Jul 2010, 01:57 AM   #6
J_L (Co-Author, Best Free Security List; Join Date: Dec 2008; Posts: 1,475)

Quote:
Originally Posted by Anupam
I don't know if there exists any protection from bootkits, or even if they can be removed by the security programs. Rootkits are very hard to remove, and difficult to detect. But bootkits are even harder to detect, and very difficult to remove. Bootkits affect the boot sector of the hard disk. That's why its becoming a major threat now. I would like to know how many and which security software offer protection, detection, and removal of these bootkits.
It's not always about detection and removal in security.

Virtualization programs like Sandboxie put the program in a separate, limited environment where it can't do harm. Very, very little gets passed.
Sandboxie itself was never publicly broken in many tests, and can be made more secure. It's very configurable.

System hardening is something all users should've done in the beginning. Linux uses a limited account by default, and that's one big reason for its relative security.
Software Restriction Policy is built-in for Windows Pro. It is checked by Windows itself before even executing files. Add a good whitelist, then you're very secure.

Once you get infected though, it's a different story.
Good imaging apps can back up your boot sector as well. There's no need to even re-install Windows.
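Two points in the posts above, that bootkits live in the boot sector and that a good imaging app can back up that sector, suggest a simple defender's check: keep a known-good copy of the first sector and compare the live one against it. The Python script below is an added example, not code from this thread or from any product mentioned in it. It parses a classic 512-byte MBR (440 bytes of boot code, 4-byte disk signature, four 16-byte partition entries, 0x55AA trailer), hashes the boot code and reports what differs from the baseline. The two MBR images it works on are constructed inline, and the path passed to `load_mbr` is an assumed placeholder.

```python
"""Baseline-and-compare check for a classic 512-byte MBR image.

Added example: keep a known-good copy of the first sector, then detect when
the boot code, disk signature or partition table no longer matches it.
"""
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot code (the region a bootkit overwrites)
DISK_SIG_OFF = 440       # bytes 440..443: Windows disk signature, 444..445 reserved
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # bytes 510..511: 0x55 0xAA


def parse_mbr(mbr: bytes) -> Dict:
    """Validate the sector and extract what a baseline comparison needs."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:                     # type 0 means the slot is unused
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def compare_to_baseline(current: bytes, baseline: bytes) -> List[str]:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature changed")
    return findings


def load_mbr(path: str) -> bytes:
    """Read the first sector from a raw device or from an image saved by an imaging tool.

    `path` is a placeholder. Opening the raw device needs administrator rights,
    and the read is only trustworthy from clean boot media, since a bootkit that
    hooks disk I/O can hand the running OS a clean-looking sector.
    """
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed MBR: padded boot code, one bootable NTFS-type (0x07) partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    table = entry + b"\x00" * 48
    return code + disk_sig + table + b"\x55\xaa"


# Constructed sample images: a "known-good" baseline and a copy whose boot code differs.
BASELINE_MBR = make_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")
TAMPERED_MBR = make_sample_mbr(b"\xeb\xfe" + b"\x90" * 6)

if __name__ == "__main__":
    print("baseline vs baseline:", compare_to_baseline(BASELINE_MBR, BASELINE_MBR) or "clean")
    print("tampered vs baseline:", compare_to_baseline(TAMPERED_MBR, BASELINE_MBR))
```

The baseline copy should be taken right after a clean install or a verified restore and stored off the machine. The check covers only the classic BIOS/MBR layout; a GPT/UEFI disk keeps its boot path elsewhere and needs a different baseline.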
23. Jul 2010, 04:06 PM   #7
emmjay (Senior Member; Join Date: Dec 2009; Posts: 226)

Quote:
Originally Posted by Anupam
I don't know if there exists any protection from bootkits, or even if they can be removed by the security programs. Rootkits are very hard to remove, and difficult to detect. But bootkits are even harder to detect, and very difficult to remove. Bootkits affect the boot sector of the hard disk. That's why its becoming a major threat now. I would like to know how many and which security software offer protection, detection, and removal of these bootkits.
Hi Anupam. I have been looking at a lot of sites to find out if it is indeed possible to detect, protect and remove a bootkit (which was the topic of my original post). It seems detection is not possible.

J.L. gives us the best protection advice (tnx J.L.). Maybe these nasties have found a way to penetrate our tried and true defenses!

None of the AV sites offered an in-house solution for the removal of a bootkit that has worked with the new bootkits (I took a look at all the freeware sites that we consider top products here at Gizmo). Some forums offered malware sites as references for help.

Many of the users could not get rid of a bootkit, especially if it lodged itself as an svchost service. The standard removal process crashed MS (closing an essential service was cited as the reason). Some users stated that the removal worked if they got into the BIOS and executed a removal process, but then found that the bootkit just re-established itself as a new service when the system was rebooted (Whistler does this).

I did not open all of the google search sites that offered removal help for Whistler or Stoned. There may be something in there that worked just fine.

After much searching I found a post on MBAM from a user who was infected. MBAM tried but could not help, however the user forged ahead. They posted their experience (a very involved and complicated process ... they provided a translation from German, so it is a little hard to follow). The user believes the bootkit was removed using a fix they got from another source. They provided a link to the fix (it is a rar). I can provide a link to it, if it is allowed here at Gizmo (not sure where you stand on these types of links). Hopefully it will help if one of our members or guests get infected, let me know.

NB: I also searched 'paid versions' of security software. Rootkit removal was offered by many (and the paid only versions of freeware seem to be the norm), but none had an in-house solution for a bootkit (may have missed it along the way... correct me if I am wrong). Some had nothing on bootkits and others referenced malware removal sites as a reference.
23. Jul 2010, 07:44 PM   #8
Anupam (Moderator; Join Date: Jul 2008; Location: India; Posts: 9,484)

Hi Emmjay, I had read about boot sector viruses on the internet a long time ago, when someone had mentioned it here on the forum I think. I had read they are hard to detect, and equally hard to remove. At that time, I had found that the Avira site has a tool to remove boot sector viruses. It can be found here:

http://www.avira.com/en/support/support_downloads.html

I don't know if boot sector viruses are known as bootkits too, but it's a useful tool to keep. I have it on my PC, in case I ever need it. I don't know though, if this tool would work on the bootkits like Whistler and Stoned which you mentioned in your posts. I haven't read much about bootkits.

As J.L. said, protection is the best way to avoid such horrific malicious software.
24. Jul 2010, 04:03 PM   #9
emmjay (Senior Member; Join Date: Dec 2009; Posts: 226)

Quote:
Originally Posted by Anupam
Hi Emmjay, I had read about boot sector viruses on the internet long time ago, when someone had mentioned about it here on the forum I think. I had read they are hard to detect, and equally hard to remove. At that time, I had found that Avira site has a tool to remove boot sector virus. It can be found here :

http://www.avira.com/en/support/support_downloads.html

I don't know if boot sector virus are known as bootkits too, but its a useful tool to keep. I have it on my PC, in case I ever need it. I don't know though, if this tool would work on the bootkits like Whistler and Stoned which you mentioned in your posts. I haven't read much about bootkits.
I did see this one but it did not address the way Whistler embeds itself in your OS. I think it might clear it from the BIOS, but not the system itself. I am not a member of the Avira forum, so maybe if you are a member you could submit a post asking if the bootwizard has had success in removing the likes of Whistler (32 and 64 bit ... not sure if the malware behaves differently in 64).

24. Jul 2010, 04:13 PM   #10
Anupam (Moderator; Join Date: Jul 2008; Location: India; Posts: 9,484)

I am not a member of the Avira forum either. Have been using Avast for years. But, I do intend to read more about the bootkits, when I find some time.