All-Radio 4.27 Portable Can't Be Removed? Then Your PC Is Severely Infected

CaptainDork shares a report from Bleeping Computer: Starting yesterday, there have been numerous reports of people's Windows computers being infected with something called "All-Radio 4.27 Portable." After researching this heavily today, it has been determined that seeing this program is a symptom of a much bigger problem on your computer. If your computer is suddenly displaying the above program, then your computer is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send send out spam.

Unfortunately, while some security programs are able to remove parts of the infection, the rootkit component needs manual removal help. Due to this, if you are infected with this malware, I strongly suggest that you create a malware removal help topic in our Virus Removal forum in order to receive one-on-one help in cleaning your computer. Some of the VirusTotal scans associated with this infection have also indicated that an information stealing Trojan could have been installed by this malware bundle as well. Therefore, it is strongly suggested that you change your passwords using a clean machine if you had logged into any accounts while infected. 6/29/18: The story has been updated to specify that this malware campaign is targeting Windows computers.

Dammit!

[Ol Olsoc]

Windows users get all the cool stuff.

It is available in the apt and yum repositories.

[Kludge]

No, not really. Sorry.

Re:

[moronoxyd]

So you are saying tht the exact same numbers of malware and virus exist for Linux and PC, and that Windows is just as secure?

I don't see that statement in QPs comment.
So... you like putting words in other peoples mouths to make a point?

Silly AC - this is not a tit for tat, where you point out a Linux problem as if it were teh equal of a Windows problem. Sorry, but we are talking about a body of work, and Windows is lapping the field several timas regarding it's abysmal security.

Is it not true that Linux is used on many millions of IoT and network devices? Is it not true that oftentimes the makers of these devices do not provide any meaningful support after the release of the devices? Is it not true that over and over again such devices are found to have fixed passwords, gaping security holes ore are using libraries with known security problems?

That doesn't make the proble

Re:

[Ol Olsoc]

So you are saying taht the exact same numbers of malware and virus exist for Linux and PC, and that Windows is just as secure?

I don't see that statement in QPs comment.

So... you like putting words in other peoples mouths to make a point?

I like cutting to the chase. Trying to parse his comment wasn't easy, bit in the end, I just decided that since he was expounding something superior abut Windows over Linux with the cryptic at least they can be fixed comment - I just took a stab at what he was trying to say. Don't like it? sue me.

Silly AC - this is not a tit for tat, where you point out a Linux problem as if it were teh equal of a Windows problem. Sorry, but we are talking about a body of work, and Windows is lapping the field several timas regarding it's abysmal security.

Is it not true that Linux is used on many millions of IoT and network devices? Is it not true that oftentimes the makers of these devices do not provide any meaningful support after the release of the devices? Is it not true that over and over again such devices are found to have fixed passwords, gaping security holes ore are using libraries with known security problems?

And trying to conflate the issues of IOT with a Linux install on a PC is disingenuous. Having a fixed password and lack of support or updates is a manufacturer's issue, not a problem with Linux My Linux installs

Re:

[Ol Olsoc]

He was only responding with a smart assed remark since you posted your own smart assed remark.

You're way too serious, old man.

PS, fuck your lawn.

ps.. Not exactly serious - more like enjoying trolling some folks. Jes sayin'

Re:

I don't know about Olsoc's installation but maybe because it's not possible. For example, I have 100+ VST instruments and effects installed on my Windows machine, each of them with a complicated DRM scheme that requires sending emails, logging into websites, etc. It takes about one week of full work or 4-6 weeks of spare-time work to restore the system into a workable state. I know that because I recently changed my system.

Sure you can blame the software companies for their crappy DRM schemes, but for some

Re:

[pnutjam]

If that's the case you should have a spare HD with a cloned image, or take regular images with an appropriate tool. I used to use a pxe boot server and image systems to samba share. A real easy way is to use this guy [system-rescue-cd.org]When you boot back to windows, that space is invisible and unaccessible to malware. You can always boot back to linux and restore your system.

Re:

[pnutjam]

lost some comment there with a open tag.
use the system rescue cd to resize your disk (gparted), and leave empty space at the end. Format that end space with a linux filesystem (xfs). Windows can't see it, but you can store a compressed image of your system using dd, partimage, or fsarchiver.

Re:

[Ol Olsoc]

If that's the case you should have a spare HD with a cloned image, or take regular images with an appropriate tool. I used to use a pxe boot server and image systems to samba share. A real easy way is to use this guy [system-rescue-cd.org]When you boot back to windows, that space is invisible and unaccessible to malware. You can always boot back to linux and restore your system.

And you hope that there isn't malware on that clone. the concept of re-cloning every time you get an update - which for the number of programs I have would mean every day - is not a solution, it's masochism.

I suppose for people that only have the basics of Microsoft office, a peripheral or two and it wouldn't matter.

On my Mac, Time Machine can reinstall everything, but even that takes a good while. On my PC's, I just plan on nucing it from orbit in the unulikely event it gets pwned.

Re:

[Ol Olsoc]

"I wonder if they replace the engine every time they need to change oil?"

Now you're just being silly. We replace the car since you never know if any of the oil managed to get out and stuck to something else.

Gotta think ahead. That's why linux users will never see their year on the desktop.

ahhh, my bad!

Re:

[Ol Olsoc]

Not true. I am porting it to Linux. You can get it from the Gentoo Github (while stocks last).

Thank you, you are doing a good thing. This will be the year of Linux getting the malware they need.

Microsoft Windows only

[smoothnorman]

Would it be so difficult to place somewhere in an "Operating System" tagged posting which operating system was affected? Slashdot folks really might have more than one OS in their areas and it would be nice to know which is at risk right at the top.

Re:Microsoft Windows only

[Black Diamond]

If you don't see an operating system listed, you can rest assured that it's windows.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[pauljlucas]

Yes, and the point was in those rare events, they typically do mention the OS. Hence when they don't, again, you can rest assured it's Windows.

Re:

[SigmundFloyd]

If you don't see an operating system listed, you can rest assured that it's windows.

It shouldn't be that way on Slashdot. And, yes, it should have been mentioned in the summary, but doing so would require real editors.

Re: Microsoft Windows only

[Anonymous Coward]

If malware does attack your linux computer, rest assured that only all of your personal content in your home directory will be wiped. The actual OS and software that you can download and install again for free is protected.

Re:

[AmiMoJo]

Actually Linux is more vulnerable than Windows to this kind of attack because most Linux systems do not implement any kind of secure boot procedure.

These rootkits work by replacing some parts of the OS that are loaded very early in the boot process, things like core SATA drivers needed to read in the rest of the OS or parts of the kernel. That makes them very hard to detect and remove, because any software running on the OS that tries to read those files can be supplied with a clean copy by the rootkit. Eve

Re:

[Xenx]

Well, the severity of the two problems likely comes down to whether it's for personal use or not. Servers or multi-user workstations probably care a lot more about the system still being usable, vs a user losing their stuff.

Re: Microsoft Windows only

[Gavagai80]

In reality though, my PCs have never been compromised in 18 years running desktop Linux... and never needed an antivirus. It's true that running as a limited user isn't a huge advantage in itself, just a small one. The main thing that makes Linux safer, I think, is that nearly everything I install is from a trusted repository -- not random websites that may have been compromised themselves. Microsoft tried to copy that with Windows Store, but they allow adware and don't review the source code to prevent outright malware either so it doesn't really help.

Re:

[f3rret]

In 30 years of using Windows, my Windows machine has never been compromised.
Thus I can conclude that Windows is completely 100% secure.

Re:

[Trax3001BBS]

Yeah or maybe just read the article.

Meanwhile, Linux users rest easy assuming no harm can penetrate Fortress Europe.

I dual boot; going to https://haveibeenpwned.com/ [haveibeenpwned.com] says my Email address is public domain because of Linux Mint, I thought damn...
How this happened: https://www.zdnet.com/article/... [zdnet.com]

Re:

[Ol Olsoc]

Would it be so difficult to place somewhere in an "Operating System" tagged posting which operating system was affected?

Oh, its Windows alright.

What I am interested in is the delivery system. The program is a crack of a popular and legit Russian program. But following the links, adware is mentioned once, and an admonition to avoid cracked programs.

So it's a Windows issue, and probably served up in ads and delivered when people click on them.

Which everyone should think about the next time they go to a website that won't let them in unless they turn off their ad blocker. Hopefully people her are smart enough to not cl

Re:

[TeknoHog]

It does say "PC" which I believe stands for "personal computer", as in "My Computer", as in Bill Gates's personal computer.

Lie down with dogs, you're bound to get fleas

[EvilSS]

From the article

When malware removal expert, Aura, started helping these victims he noticed a common theme. Most of the users reported being infected after they downloaded and installed game cracks and Windows activation tools such as KMSpico.

So don't do that.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[thegarbz]

Oh Gawd! LOL, too funny.

There's no honor among thieves.

There's plenty of honour among thieves unless you're thieving for dishonourable reasons.

KMSPico's creators have never shipped malware. Neither have crackers working for reputable groups. There are however hundreds of KMSPico versions out there absolutely infested with shit.

When someone pirates the pirate things start getting nasty.

Re:

[DontBeAMoran]

What's wrong with the neat "Please active Windows" watermark anyway? It's like a friend, always there for you!

Re:

[phantomfive]

Last time I installed Windows, I was too lazy to type in the code. I had it right there on my desk, but laziness knows no bounds. The watermark stayed there for years until Win 7 ended.

Re:

[DontBeAMoran]

When I'm surfing for porn, I do it inside a browser in incognito mode and I've never had aBUY VIAGRA TODAY!ny problem.

Re:

[Ol Olsoc]

lol bullshit. i've pirated pretty much every game EVER.

Many people who buy legit copies have to use a pirated copy because it's the only one that works.

Re:

[Ol Olsoc]

Here is an idea... if the legit copy doesn't work, then don't support them with money until they can produce something that does work? Crazy, I know.

The problem of course, is that you don't know until you try it after you buy it.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Data yes, OS and programs, no

[raymorris]

Absolutely you're right the best way to handle a rootkit is restore from a known-good backup. Just like you practiced, last month when you tested it when found and fixed the problem with backup system.

Unfortunately, 90% of people don't have a proper backup system. Probably over half of systems that are being "backed up" can't actually be restored because the backup media went bad a year ago or whatever.

For the people who don't have a solid backup:

> some IT professional who sells himself to a client by cl

Re:

[LostMyBeaver]

Huh? What operating system are you using?

Out of the box, Windows sets you up with OneDrive and points all of your storage stuff to OneDrive. The result is that all your files are backed up.

Out of the box, Apple sets up iCloud and points all your file storage to iCloud. The result is that all your files are backed up.

You can use DropBox or a thousand alternatives if you want.

If you want a better solution, you can use either Windows Backup and Restore or Apple Time Machine which does pretty much the same thin

Two infected, fire-burned copies isn't backup

[raymorris]

Thank you for post. You've done great job listing things that fool smart, conscientious people into thinking they have a backup. That's why I said a "proper backup", proper being an important word. Those things all LOOK a lot like proper backup, don't they? And yet people who do those things end up asking me to try forensic techniques to recover their data. You seem like you know a few things, so I don't need to tell you exactly how you should do a backup, but let me point out a few common pitfalls to avoi

Re:

[phantomfive]

I mentioned before backups must be tested regularly. Backups that haven't been recently tested have a failure rate of about 50%, in my experience.

What kinds of failures do you see? In the days of tape, 50% (or probably higher) was pretty common, but most people are using the 'cloud' now.

Re:

[Thor Ablestar]

In the day of half inch 9-track tape the tape format was able to recover multiple single-track errors, be it NRZI or PE. But I have never seen the actual mini computer controller that could do this recovery. No wonder the success rate was near 50 per cent.

Many different problems. Keys, space, directories

[raymorris]

Several times I've seen the backup server ran out of space. The ssh key was changed. The list of directories to backup or not backup wasn't up to date. Those are a few things that have broken it after it was setup and running.

All of these can be detected by occasionally doing a test restore, perhaps to a VM, and checking that the important files are there and important functionality works.

Re:

[Wolfrider]

> Ransomware reminds us of another requirement - the system being backed up (which may get ransomware) can not have the ability to delete or modify the backups. Sending backups to a network drive just means the ransomware or disgruntled employee will destroy two copies of the data

--ZFS+Snapshots+Samba works pretty well for this. Keeping a ZFS snapshot every (2) hours for a month (as well as changing file permissions) is pretty easy on a Linux server.

Re:

[Lord_Jeremy]

Amen.

Nearly 10 years ago, I suffered from a hard drive crash and I lost a ton of data. Ever since that issue, I’ve been religious about backups. I used Mac OS’s built-in backup software and I copied all my documents and work files to a flash drive daily. I instructed my family to grab the NAS drive on the way out of the house in the event of fire.

I subscribed to Crashplan cloud backup at some point. They went belly-up but I had already switched to Backlaze. It sounded like it would be a hass

Re:

[Thor Ablestar]

Some 15 years ago I worked in some institution. My policy is:

1) Install the new system on new HDD.
2) Copy all work files to the new HDD.
3) Hide the old HDD.
4) When it's known that everything works then save some critical work files somewhere, test and reuse the HDD.

I asked the management that I need a new HDD. The institution head told my boss to supply me with HDD. My boss left the resolution "You don't need a new HDD". I copied the work files, erased the HDD and reinstalled the system. Then it appeared th

Re:

[AmiMoJo]

SpiderOak is good for Linux. It can only cover your data, apps will need to be reinstalled but at least on Linux that's fairly easy.

On Windows there is Chocolately for installing and updating apps, but I haven't tried it.

Rpm -qa, cat mdstat, gdisk -l

[raymorris]

> apps will need to be reinstalled but at least on Linux that's fairly easy.

Re-installing the software is REALLY easy if your data includes the output of rpm -qa.

Also sometimes very handy when things go wrong -
cat /proc/mdstat, pvdisplay, lvmbackup, and gdisk -l

I'm recovering an old customer's data right now. He no longer has backups with me and someone built a new, wmpty raid on his drives, making it "impossible" to recover his data. However, the old copies of mdstat and the partition layout were still

Sync isn't backup

[swb]

Sync to OneDrive, et al, isn't backup.

Most malware doesn't immediately destroy your computer, it cripples it over days or weeks. I can't tell you the number of people who told me "Yeah, I noticed something last week and it's been flaky since then."

Meanwhile, you've been syncing your infection up to the cloud the whole time so now your cloud storage is infected, too. You may get some of it back, but I've also seen people just re-infect themselves, too.

Some cloud storage often at higher tiers will offer some kind of versioning and let you restore pre-infected files, but for most people this isn't the default or isn't even a feature they have.

The only way cloud sync really works as a backup is if you have a spare computer you only bring online periodically that syncs itself and that you then take offline again, but now all you've done is add a complex network transaction to what amounts to a local backup.

Re:

[Wolfrider]

>to be honest, I have absolutely no idea how to maintain good backups of my Linux systems

--Tar and fsarchiver. Send me a private email and I can send you my root admin scripts, complete with bare-metal restore ability.

Re:

[strikethree]

That said, to be honest, I have absolutely no idea how to maintain good backups of my Linux systems.

I don't mean to be rude, but you should turn in your geek card. Maintaining good backups is even easier in Linux than any other operating system.

Everything unique will be under /home/username. You can back this up with rsync, cp, tar, or even dd if it is a partition. There is no hand holding, but then, it really shouldn't be necessary when the design itself is so elegantly simple. What is even cooler is that this knowledge of backing up carries across to the various BSDs and other Unix-like operating system

Re:

[Wolfrider]

> We dragged all his files to an external USB. I determined that there were thousands fewer files on the backup, but we pressed on nevertheless. It turned out that I had not backed up any of his Thunderbird POP3 mailboxes, where all his business-critical data was stored

--If you don't know what you did wrong, you shouldn't be trying to help friends with upgrades. Next time go to Folder Options and Show Hidden Files. And either use Xcopy from CMD window or a modern file copier like Teracopy.

--Also, grab

Re:

[GuB-42]

Absolutely you're right the best way to handle a rootkit is restore from a known-good backup.

What is a "known-good" backup? A rootkit is here to conceal its existence. You don't really know when the infection started, and which backups are good.

Great question. I wish the answer wasn't secret

[raymorris]

That's a very good question. You can use diff to see what the differences are between different backups. That normally makes it pretty obvious. You pretty much know which files were supposed to change and which weren't. This can even give you good hints as to HOW you got infected.

There are even faster ways to tell because rootkits tend to re-send the same components. I can normally see a rootkit on a Linux system in seconds, without even actively looking for it. I'm not going to post the trick here because

Format conversion for sterilization. Word - WPS

[raymorris]

One technique for data sterilization is to convert to a different format. For example, converting a Word document to WordPerfect will make sure there are no macros, I believe. Then convert back. Even better, convert to plain text if possible, and leave it as plain text. JPG to bump, etc.

Re:

[HiThere]

Sorry, but Perl and Python code is programs. You don't trust them from an infected system. Text files you can usually trust, and html that doesn't use javascript or some such. (Not just javascript. You've also got to be careful about allowing CSS, with simple formatting being safe, but anything else needing to be carefully hand checked.) For spreadsheets you should recover from CSV files, but the CSV files can be stored on the disk that got infected. Etc.

But just running code in a virtual machine does

Re:

[Ol Olsoc]

No, no, no. If you are infected with deep malware, you do not go whining to some dude's Internet forum with a request for help. You run DBAN on your system's disks. Then you enter the combination to your fireproof safe, extract your OS and backup media, and start from scratch.

That's what my Grandma does.

There are two problems with your approach.

Most users will read what you wrote and ask "What the hell is he talking about?"

Second is that most everyone who does what you demand isn't likely to have the problem in the first place.

My backups are similar to yours, except I have multiple. I take the added measure that anything critical is not on my Windows machines. No personal information, or cards, and even the emails on it are throwaway accounts.

I check my Wireshark lo

Re:

[phantomfive]

I check my Wireshark logs a lot too. Probably 1 out of every 500 users will do that sort of thing.

I would bet that's closer to one in every 500,000 users. Even security researchers don't do that (of course some do).

Re:

[Ol Olsoc]

I check my Wireshark logs a lot too. Probably 1 out of every 500 users will do that sort of thing.

I would bet that's closer to one in every 500,000 users. Even security researchers don't do that (of course some do).

I suppose some would call me paranoid, but I just kind of enjoy it. And people would be surprised at what they find.

It all started when I was having issues with brittle networking software coupled with bad documentation. Then I got hooked.

Re:

[phantomfive]

Yeah, I should do that more. You aare right, every time I do, I find something I didn't expect.

Virus Protection is So Good

[phantomfive]

Yet another reason to not waste your money on "virus protection." Use the free Windows Defender if you must, and make sure you have good backups.

Re:

[Peter P Peters]

Yet another reason to not waste your money on "virus protection." Use the free Windows Defender if you must, and make sure you have good backups.

I stopped using AV about 10 years ago after numerous performance issues with flaky AV products. 10 years on and no issues! Sensible browsing/downloading/email behaviour is 99% of the battle

Re:

[HiThere]

I think you overestimate the degree to which "sensible" browsing will protect you. I might go a high as 90%, which is no small advantage. Of course if by sensible browsing you mean avoiding browsers that allow javascript and never downloading anything executable, then I'd go as high as 99.9%.

Re:

[Thor Ablestar]

Once upon a time I worked in some institution that had access to the corporate network only. We bought a new notebook, attached it to the network and did nothing more. It became infected in 15 minutes. Were we the other 0.0001%?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[LostMyBeaver]

You're telling me!!!

Gnome... I honestly have no idea how this thing has survived this long.

KDE... don't get me wrong... Mattias Etttrich is one of my favorite people but KDE has evolved into what looks and feels like retro computing.

The entire Linux desktop is in such utter and total disarray in 2018, these days, I just configure runlevel 3 and remote in if I need it. ElementaryOS is pretty, and I like it, but heaven forbid you actually need to do something on it.

Now.. if someone were to take Linux as a des

Re:

[pi_rules]

Have you tried Mint? The default Cinnamon desktop install works pretty well for me. I've been running Linux as a home desktop since 1998 or so and that's probably the best out of the box setup I've ever seen.

Radio.slashdot.org?

[93 Escort Wagon]

Donâ(TM)t look now, but this All-Radio Trojan seems to have control of your DNS server!

In other news...

[nuckfuts]

Some viruses are hard to remove

Spending one day looking into something is now called "researching heavily".

On the serious side, I've often been annoyed by Windows 10 aggressively pushing updates, but there have been some interesting security features added to recent builds. Microsoft has a demo website [microsoft.com] with some good information, along with some tools for testing [msft.net] your configuration.

There is also a video [youtube.com] online that details the new features.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anne Thwacks]

The term PC does NOT imply MS Windows

However the term malware does imply Windows, so no harm done.

Huh

[cshark]

Phishing by means of slashdot post.
Fascinating.

Re: One-on-one-help

[Anonymous Coward]

Hello, my name is Vikash and I am from Microsoft. I am calling because you are the infected PC. I can do the needful but you must revert with all CC number and bank detail. I am also to be posting on the Slashdot with relevant detail. Please to revert immediately.

Re:

[Anonymous Coward]

Greetings! Kindly install the attached program so as to remote into your Windows and remove bug. But first visit link below and provide credit card information so as to I can verify your computer fingerprint identity. Seeing many scams, rest assured I want to remove virus and send you on happy day. Salutations, Chris from Salina, Kansas

Re:

[DontBeAMoran]

Yes sir immediately, I will call Bob and Mova for help, please hold.

Re:Poor Microsoft

[l0ungeb0y]

You clearly have no clue as to how expensive writing a new Operating System would be. Hell, just look back at when Apple needed to replace Mac OS and had to endure bringing back that smug turtle neck wearing megalomaniac bastard as CEO just to get an OS that wasn't some Open Source cheeseball

Re:

[DontBeAMoran]

Which one is a better alternative to macOS? OpenBSD or FreeBSD?

Re:

[DontBeAMoran]

Thank you for the comparison.

Re:

[thePsychologist]

Sorry to say but Microsoft doesn't care about this level of security. Their experts have already determined that the effect of current malware is already an acceptable tradeoff, and they continue to put just enough emphasis on security research and prevention to maintain this level.

Re:

[Narcocide]

For every five hundred thousand or so obstinate windows users who think they are punishing us, there is one that it might sink through to. We'll continue to try to save the ones that deserve it, thank you. You can strive to become worthy or you can continue to get bent.

Re:

[LostMyBeaver]

Here's the problem.

"Unfortunately, while some security programs are able to remove parts of the infection, the rootkit component needs manual removal help."

I have never in my life ever heard of any type of malware or code that can be written that can :
"Be removed with human assistance" that cannot be removed by a program.

If someone were even a mildly competent "security researcher", they would write a script or a program that would do the removal that is needed as well as provide detailed ins

Re:This is why we can't have nice things

[AmiMoJo]

I have never in my life ever heard of any type of malware or code that can be written that can :
        "Be removed with human assistance" that cannot be removed by a program.

Those have been around for over a decade.

They work by replacing some core part of the OS, like the SATA driver or the filesystem driver. That makes it impossible for anti-virus software to clean the infected files, because the rootkit can block writes to those files and hand the AV software clean copies when it scans them. They operate at such a deep level, running inside the kernel, that the best AV software can do is detect their secondary effects and try to suppress them.

The only way around this is to manually boot from a recovery CD and replace the infected files. Some AV companies provide bootable CDs that can run their software. The best ones use Linux because the Linux NTFS driver just ignores permissions and lets them access those system files and delete them. Then you can use a Windows install disk or the Windows 10 recovery system to replace them and get the system running.

It's a manual process, the rebooting from CD/USB drive and then running the Windows recovery can't be automated.

Re: This is why we can't have nice things

[LostMyBeaver]

Push a patch as a UEFI module and reboot? SecureBoot will validate itâ€(TM)s signature and it can be staged to run before the drive firmware.

I suppose there are still machines running BIOS, but I donâ€(TM)t think I have owned any in several years.

I certainly would hope that the â€oesecurity companies†have the ability to do this.

Re:

[AmiMoJo]

Does AV software having the ability to push UEFI modules sound like a good idea?

re: Another devious malware trick

[King_TJ]

I ran across a particularly devious malware tactic recently. The malware was purposely setting the NTFS "dirty" flag repeatedly, so the filesystem was flagged as needing repair. That, in turn, prevented most of the bootable virus cleanup/recovery discs from cleaning the system. They'd boot up but report they could only mount the target filesystem as "read only" because it was damaged and needed to be repaired first!

Re:

[LostMyBeaver]

Dude, I'm a Microsoft fanboi... also a Linux fanboi... WSL is like Christmas every day for me.

I have Macs also... I don't really know why... but they are pretty. I buy them and swear I'll use them someday. I am an iPhone user though. I have and love my iPhone 6S Plus and can't wait to get a new battery for it in Paris in a few weeks.

People like debating about which OS is best. The answer is pretty simple... they're all pretty great these days... though if I ever see Gnome again, I'll vomit on whoever's keyb

Re:

[OrangeTide]

To be fair, it's less work for everyone involved to format and re-install, even if you can manually fix something major. And with a Windows box you'll probably have to re-install sometime in the next 5 years anyways.

Re:

[rally2xs]

Reinstall? I think it would probably take me months to re-install all my programs, fight with the companies that have "activation" while attempting to explain why I need to re-active the old program, maybe $100's or $1000's to re-purchase the software where I was unsuccessful at fighting with the companies that have the "activation" nonsense, re-install stuff, and just generally get my computer back to the way it was. I have LOTS of stuff on my computer - my backup file is around 800 Gb, and it doesn't

Re:

[pnutjam]

This Winlink [winlink.org]? It looks like there are plenty of options. Even so, slapping it in a vm that you can snapshot and maintain would be way less work then maintaining your behemoth pc.

Re: Nuke & Pave

[Anonymous Coward]

Security Program Manager, Microsoft Corporation

I Got Hacked, What Do I Do?
https://technet.microsoft.com/en-us/library/cc700813.aspx

So the parent was modded up before, suddenly it gets modded down. Really slashdot moderation has been trashed recently. It's worth saying why this was the money post. The only post in the whole thread which really mattersL:

The key quote you have to follow is:

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that.

But it's the bit before that which really matters:

You can’t clean a compromised system by using a virus scanner. To tell you the truth, a fully compromised system can’t be trusted. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it. Note that if you can guarantee that the only thing that compromised the system was a particular virus or worm and you know that this virus has no back doors associated with it, and the vulnerability used by the virus was not available remotely, then a virus scanner can be used to clean the system. For example, the vast majority of e-mail worms rely on a user opening an attachment. In this particular case, it is possible that the only infection on the system is the one that came from the attachment containing the worm. However, if the vulnerability used by the worm was available remotely without user action, then you can’t guarantee that the worm was the only thing that used that vulnerability. It is entirely possible that something else used the same vulnerability. In this case, you can’t just patch the system.

Below there are people proposing reverse engineering the malware and then, if you know what it does, you can clean it up by reversing that. However, one thing most malware does is open up to the network and let the malware authors do what they want, so even if you know what this malware does you don't know what all malware does. Anything more could have happened to your system.

Reinstall from original installation media and pray to god that your system's onboard firmware is not compromised.

Re: Nuke & Pave

[Anonymous Brave Guy]

Reinstall from original installation media and pray to god that your system's onboard firmware is not compromised.

Sadly today that last part is also very significant. Thanks to the mess of modern infrastructure like UEFI, everybody's device having embedded functionality that can be updated, and processors-within-processors, it's basically impossible to ever fully trust a system that has been compromised now, no matter how drastic your recovery procedures might be. Of course, for similar reasons it's also basically impossible to trust a system that you don't know has been compromised either. Security in modern tech is broken, and the tech industry and security services broke it.

Re:

[pnutjam]

True, cleaning up is usually at least 3 to 4 times more expensive in time and the end product is always suspect.

What happened to bootdisks ?!

[DrYak]

But it's the bit before that which really matters:

You can’t clean a compromised system by using a virus scanner. To tell you the truth, a fully compromised system can’t be trusted. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it.

That why you don't try anything from within the compromised system.
Either you try all your effort from a known clean bootdisk (CD, USB stick, etc),
or even better, you disconnect the drive and connect it to a known clean machine.

A non compromised OS will not lie about what is on the disk of another system, even if that other (non-currently running system) happens to be compromised.

(The sole exception being malware like ransomware that encrypt your data. Then nobody except the hacker holding the decryption key can read that disk).

Reinstall from original installation media and pray to god that your system's onboard firmware is not compromised.

Well, the attack of firmware (UEFI) or "management chips" running their own firmware (Intel ME engine and co) is indeed an entirely different level of scary.

And given the almost total disappearance of socketed flashchips to hold these firmwares, any chance to recover from that becomes bleak.

Re:

[Mike Frett]

As someone that worked in a PC shop, all we ever did for a solution was run a virus scan, format then reinstall Windows. It usually fixed 99% of the problems and you payed us a nice, fat sum for it.

Re:

[Joce640k]

Why bother with a virus scan if you're going to format? Did nobody explain even the basic concepts to you?

Re:

[Raistlin77]

The lazy fuck ran a virus scan just to show the customer that there was a virus. You missed the point of his post - he just flat out told you how he would intentionally screw customers and get paid.

I'll bet the "PC shop" he worked for was Geek Squad. So yes, someone likely did explain the basic concepts to him: do as little work as possible, charge as much as possible, rinse, repeat.

Re:

[Killall -9 Bash]

So, that guy seems like a douche, but I did basically the same when working at a repair shop. Run scan to find proof of virus infection. Format & reinstall for 100% reliable malware removal. Anything less than format was about a 50/50 as to whether you really removed ALL of the malware. Nuke it from orbit. It's the only way to be sure.

Re:

[Joce640k]

I'm amazed at how they still haven't managed to load antivirus software before the viruses.

It's what, 2018 now?

(and also amazed that Windows "safe" mode still loads everything in the "run at startup" registry key... safe or otherwise)

Re:

[Joce640k]

Ummm.... no.

Re:

[pnutjam]

If you ensure you completely wipe the drive, by "nuking" it or formatting with different filesystems, for example xfs before reinstalling windows, it's pretty safe.

Re:Windows in a VM

[jfdavis668]

I run Windows in a VM on Windows. Get twice the updates!

Re:

[thegarbz]

If you run Windows inside a VM in your house because you're constantly getting your windows corrupted by viruses, then maybe you shouldn't be let near a computer .... like ... ever.

Re:

[LostMyBeaver]

"so you can actually run a properly designed, maintained, and supportable operating system"

So, it's designed, maintained and able to be supported but doesn't actually have support?

I'm struggling here. Which operating system are you suggesting is designed, maintained and supportable?

I've been using Linux since pretty much the first time I managed to borrow an Yggdrasil CD from a friend and eventually figured out how to make the boot floppies. I've used many operating systems before and after that.

I've only e

Re:

[e432776]

Though I like Win10, I have noticed it installing things I never asked it to. Bubble crush saga or some such thing. I guess (another) bad thing about this bad behavior is that the appearance of random new "apps" is may not be a surprise to anyone, thus inuring them to their potential infection!

BTW, this does seem like an ad more than a legit story.