Push a patch as a UEFI module and reboot? SecureBoot will validate its signature and it can be staged to run before the drive firmware.
I guess you've never heard of BIOS or boot sector viruses/trojans. This is well documented over the last 3 decades. There are trojans that can infect drivers or system services, which in many cases can't be automatically removed. In those cases, the best bet is to wipe the system and do a fresh install. Back in the 90s there was a particularly bad boot sector virus that bricked thousands of systems. That was before BIOS had any virus protection. These days most MBs have BIOS virus protection, so bricking a MB
This is why we can't have nice things (Score:1)
Someone tries to post a helpful PSA type message and predictably the comments section is immediately flooded with people who have nothing of any value to say, but can't help but be assholes and make some kind of stupid "Windoze $ux!" type comment. We're all happy that Linux, macOS, or whatever the fuck else you might be using works for you, now kindly take your insecurities back to Linux or Mac forums where you can blissfully live out the rest of your days in a happy echo chamber where no one will ever chal
Re:This is why we can't have nice things (Score:3)
"Unfortunately, while some security programs are able to remove parts of the infection, the rootkit component needs manual removal help."
I have never in my life ever heard of any type of malware or code that can be written that can:
"Be removed with human assistance" that cannot be removed by a program.
If someone were even a mildly competent "security researcher", they would write a script or a program that would do the removal that is needed as well as provide detailed instructions of how to use it if necessary.
Under no circumstance should you ever trust anyone who claims to be competent in security who is not able to do this. And as such, you should never let them connect to your computer.
I mean seriously, CVEs are how we report vulnerabilities of this sort. Once the CVE is reported and someone shares the virus with programmers (which are like security researchers but tend to fix problems instead of updating their LinkedIn every time they learn a new buzzword), the virus/malware is disassembled/decompiled as well as run in sandboxes with all system calls hooked and the attack vectors are identified. Once this is known, it is possible to undo pretty much anything that has been done.
So... if you don't know enough about security to do those things and you make comments about how something can't be done without human intervention, then you're more or less useless when it comes to security.
If you happen to have a computer infected with this virus, contact any of the many antivirus companies out there and pass it along to them. They'll properly document it and make a removal tool for it. It's not particularly difficult.
Re:This is why we can't have nice things (Score:5, Informative)
I have never in my life ever heard of any type of malware or code that can be written that can:
"Be removed with human assistance" that cannot be removed by a program.
Those have been around for over a decade.
They work by replacing some core part of the OS, like the SATA driver or the filesystem driver. That makes it impossible for anti-virus software to clean the infected files, because the rootkit can block writes to those files and hand the AV software clean copies when it scans them. They operate at such a deep level, running inside the kernel, that the best AV software can do is detect their secondary effects and try to suppress them.
The only way around this is to manually boot from a recovery CD and replace the infected files. Some AV companies provide bootable CDs that can run their software. The best ones use Linux because the Linux NTFS driver just ignores permissions and lets them access those system files and delete them. Then you can use a Windows install disk or the Windows 10 recovery system to replace them and get the system running.
It's a manual process: rebooting from CD/USB drive and then running the Windows recovery can't be automated.
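As an added example (not from any poster in this thread), this is the check a defender runs from a recovery boot to catch the "hand the AV clean copies" behaviour described above: hash the same files once through the live OS view and once from the offline mount, and flag every path where the two disagree. The driver file names and contents are constructed placeholders, not real Windows files.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large driver images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def cross_view_diff(live_root, offline_root, rel_paths):
    """Compare each relative path as seen from the live OS against the offline
    mount. A 'mismatch' means the running kernel served different bytes than
    are actually on disk, which is exactly what a driver-level rootkit does;
    'missing_live' means a file on disk is hidden from the live view."""
    results = {}
    for rel in rel_paths:
        live, offline = os.path.join(live_root, rel), os.path.join(offline_root, rel)
        if not os.path.isfile(offline):
            results[rel] = "missing_offline"
        elif not os.path.isfile(live):
            results[rel] = "missing_live"
        elif sha256_of(live) == sha256_of(offline):
            results[rel] = "match"
        else:
            results[rel] = "mismatch"
    return results

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def run_demo():
    """Constructed sample: the live view returns pristine driver bytes while the
    offline copy of the same file carries an injected patch (placeholder names)."""
    watch = ["drivers/sata_placeholder.sys", "drivers/fs_placeholder.sys",
             "drivers/hidden_placeholder.sys"]
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as offline:
        clean = b"MZ...clean driver image (constructed)"
        _write(live, watch[0], clean)                    # what the kernel hands to AV
        _write(offline, watch[0], clean + b"\x90PATCH")  # what is really on disk
        _write(live, watch[1], clean)
        _write(offline, watch[1], clean)                 # untouched file, hashes agree
        _write(offline, watch[2], b"dropped payload")    # on disk, hidden from live view
        return cross_view_diff(live, offline, watch)

if __name__ == "__main__":
    for rel, status in run_demo().items():
        print(f"{status:16} {rel}")
```

On a real machine the two roots would be the mounted system volume and a copy of the same paths captured while the infected OS was running; the comparison logic is unchanged.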
Re: This is why we can't have nice things (Score:2)
I suppose there are still machines running BIOS, but I don't think I have owned any in several years.
I certainly would hope that the "security companies" have the ability to do this.
Re: (Score:2)
Does AV software having the ability to push UEFI modules sound like a good idea?
re: Another devious malware trick (Score:3)
I ran across a particularly devious malware tactic recently. The malware was purposely setting the NTFS "dirty" flag repeatedly, so the filesystem was flagged as needing repair. That, in turn, prevented most of the bootable virus cleanup/recovery discs from cleaning the system. They'd boot up but report they could only mount the target filesystem as "read only" because it was damaged and needed to be repaired first!
Re: (Score:2)
Thanks, I hadn't seen that one but will look out for it.
Re: (Score:1)