Wednesday, May 11, 2011

How to remove a bootkit

How to remove a bootkit

In this section you will find recommendations how to fight malicious programs which cannot be disinfected by Kaspersky Lab's products. In order to disinfect/remove malicious programs you may have to modify the system registry or use an additional utility. If you failed to find the necessary information or you find these recommendations too complicated or inadequate, please send a request to the Technical Support service via the HelpDesk form.

A bootkit is a piece of malware that infects the Master Boot Record (MBR).

This infection method allows the malicious program to be executed before the operating system boots. As soon as BIOS (Basic Input Output System) selects to boot from the infected volume (it can be a hard disk or a flash drive), the bootkit that resides in the MBR starts executing its code. Once the bootkit receives the control, it usually starts preparing itself (reads and decrypts its auxiliary files in its own file system that it has created somewhere in the unallocated disk space) and returns the control to the legitimate boot loader overseeing all stages of the boot process.

The main trait of a bootkit is that it cannot be detected by standard means of an operating system because all its components reside outside of the standard MS Windows file system.

Some types of bootkits hide even the fact that the MBR has been compromised by returning the legitimate version of the MBR when an attempt to read it has been made.

A system infected with a bootkit can be cured with the TDSSKiller utility. The utility has a graphical interface.

It supports 32 and 64 bit operating systems.

It detects the following known bootkits:


* Sinowal (Mebroot, MaosBoot);
* Phanta (Phantom, Mebratix);
* Trup (Alipop);
* Whistler;
* Stoned,

as well as yet unknown bootkits (using a heuristic analyzer).

How to disinfect a compromised system

* Download the archive and extract it into a folder on the infected (or possibly infected) computer with an archiver (WinZip, for example);
* Run the TDSSKiller.exe file;
* Wait until the scanning and disinfection completes. A reboot might require after the disinfection has been completed .

How to use the utility

* The utility starts scanning the system for malicious and suspicious objects when you click the button Start scan.

# If the utility detects an infection with the MBR bootkit, it will report the it has detected an infected object type “Physical drive” and prompt for action:

* Cure. This action is only available if the utility has identified the exact type of the bootkit. If it has detected an unknown bootkit, it will be reported as Rootkit.Win32.BackBoot.gen.

* Skip.
* Quarantine. The utility quarantines the infected MBR.
* Restore. The utility restores a standard MBR.

A reboot might require after the disinfection has been completed.

Command line keys for the TDSSKiller.exe utility:

-l <file_name> - save a log into the file;

-qpath <folder_path> - quarantine folder path (automatically created if it does not exist);
-h – this help;
-sigcheck – detect all not signed drivers as suspicious;
-tdlfs – detect the TDLFS file system, that the TDL 3 / 4 rootkits create in the last sectors of a hard disk for storing its files. It is possible to quarantine all these files.

The following keys allow to execute the utility in the silent mode:

-qall – quarantine all objects (including clean ones);

-qsus – quarantine suspicious objects only;
-qmbr – quarantine all MBRs;
-qcsvc <service_name> - quarantine the service;
-dcsvc <service_name> - delete the service.

For example, the following command tells the utility to scan the computer, and save a detailed log into the report.txt file (created in the TDSSKiller.exe utility folder):

TDSSKiller.exe -l report.txt

No comments:

Post a Comment