Stan's Chrome-Plated Tech Tips

Monday, January 30, 2012


The Nastiest of Viruses - the SST Rootkit

Viruses are getting particularly nasty these days. They've become a big business, and that's a big reason why they're getting more and more prevalent. Just recently a hacking group collected $14 million in advertising revenues by infecting over four million unsuspecting users. Just read THIS and you'll see what I'm talking about. This type of virus-for-profit scam isn't going anywhere, and you holier-than-thou Mac users aren't immune either.

We see them here all the time in the garage, and while they are an annoying part of computer ownership, they're generally removable. They normally start with some sort of legit-looking alert telling you your computer is infected, your hard drive is failing, and the world as you know it is crumbling. Something that probably looks like this: [screenshot of a fake alert, not preserved]. But fear not, this magic popup will lead you to believe it has the cure for what ails your computer. It's lying. It has no cure. It is the disease. The only thing it will cure is your credit card of its available credit limit. So just for the record, there is nothing on your computer that will ever ask you for your credit card outside a secure web browser. Nothing. If something does, it's fake, and it's going to screw you over. Trust me on that.

Now getting this first thing off your computer is generally fairly straightforward. Reboot your computer in Safe Mode, run Malwarebytes or something similar of your preference, and it'll most likely nab this most obvious part of the infection. But what it'll miss is the most insidious type of virus: the boot sector virus.

The boot sector of your hard drive is what actually tells your computer how to start up and load Windows. If a virus resides there, it generally gets overlooked by most basic scanners and can simply block many removal tools from getting at it. So what can you do? Well, the most common one we've seen here repairing computers in Los Angeles comes from the SST rootkit family. The latest variant, the SST.BOOT.ROOTKIT.B virus, is a persistent sucker, and getting rid of this one can be tricky.

There are two methods, both from our good friends at Kaspersky Labs, that we've found capable of removing these SST viruses. The first, and simpler, method is to use their rootkit remover TDSSKILLER. Download the utility on another computer and copy it to a flash drive. Change the name of tdsskiller.exe to something random (the virus can oftentimes neutralize known removal tools based on their filenames), reboot the infected machine in Safe Mode, and attempt to run TDSSKILLER. If successful, it'll say it found the rootkit and removed it, and a reboot is required. If this doesn't do the trick, the next step would be to try the Kaspersky Rescue Disk. Burn the image to CD/DVD or to a flash drive, boot the infected machine off it, run the quick scan, and it should find and clean the rootkit.

Now here's the rub - the rootkit resides in your computer's master boot record. Either of these methods can render your computer un-bootable. Your data should be safe, but that's not going to do you much good if it won't start up. I suggest performing a full image-based backup with a utility like Acronis before attempting either of these methods.
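Since the whole fight is over those first 512 bytes of the disk, it helps to see what is actually in them and to keep a copy of a known-good master boot record before running any cleaner. The script below is an added example, not from the original post and not part of TDSSKILLER or the Kaspersky Rescue Disk. It parses an MBR into its boot code, partition table and 0x55AA signature, fingerprints the boot code, and compares a saved baseline against the sector read now. The sample MBR bytes are constructed inline so the script runs offline; the device paths in the comments are the standard raw-disk names on Windows and Linux and need administrator or root rights to read.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16         # four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte master boot record into boot code (as a SHA-256
    fingerprint), the used partition-table entries, and a signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        start = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        entry = sector[start:start + PART_ENTRY_SIZE]
        # status byte, 3-byte CHS start (skipped), type byte, 3-byte CHS end
        # (skipped), then 32-bit LBA start and sector count, little-endian.
        status, ptype, lba_start, lba_count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,          # 0x07 = NTFS/exFAT, 0x83 = Linux, etc.
            "lba_start": lba_start,
            "sectors": lba_count,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable differences between a saved MBR and the one read
    now. Boot code changing while the partition table stays put is the
    footprint an MBR rootkit leaves; a missing signature means the sector
    was damaged, which is what makes the machine un-bootable."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not new["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code changed")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table changed")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw disk. Typical paths are
    r'\\\\.\\PhysicalDrive0' on Windows and '/dev/sda' on Linux; both need
    elevated rights. Save the result to a file before running any cleaner."""
    with open(device_path, "rb") as disk:
        return disk.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not from any real disk): the given boot code,
    one bootable NTFS-type partition starting at LBA 2048, three empty slots."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    # Baseline taken from a clean machine versus a sector whose boot code was
    # overwritten while the partition table was left alone (constructed data).
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
    tampered = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 40)
    print(parse_mbr(clean)["partitions"])
    print(compare_mbr(clean, tampered))  # ['boot code changed']
```

In practice you would run `read_mbr` on the healthy machine (or right after a clean install), store the 512 bytes alongside your image backup, and diff against them after any cleaning run. A "partition table changed" result after TDSSKILLER or the rescue disk is exactly the case where the full image backup the post recommends earns its keep.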

The bottom line is viruses aren't going anywhere anytime soon. In a connected world, it's just par for the course that scammers are going to try and make a buck off you. Get yourself a good antivirus product, keep your system up-to-date, and practice common sense when online.


As always,

I'm not a Geek.  I'm your friend, and I'm here to help.

7867 1/2 Santa Monica Blvd. West Hollywood, CA (map)
