The Microsoft Malware Protection Center (MMPC) has identified a new “severe threat level” rootkit, dubbed “Trojan:Win32/Popureb.E.” This rootkit variant burrows so deeply that Microsoft recommends reinstalling the operating system and then rebooting to a restore point prior to the infection. That’s a pretty extreme repair suggestion coming from Microsoft! This has rightfully led to some raucous laughter from the Mac and Linux camps.
In this day and age there are only a few ways to get a rootkit installed:
1) Your web protection doesn’t filter out hostile links on legitimate sites.
2) Your email protection doesn’t filter out hostile attachments and spam messages.
3) Your users click on everything they see in their browser and/or email clients without any thought regarding where it came from.
4) Your users plug USB devices brought from home into their work systems.
5) Your desktop systems are configured to boot from sources other than the hard disk.
Items 1 through 4 are easily solved with a quality AV solution that offers gateway filtering for email and web, as well as an endpoint device control policy.
Item 5 is perhaps the most critical. Passwords and domain-level authentication are easily avoided by bypassing the hard drive and booting from an alternative source, leaving an open door for a rootkit to install itself. I suggest taking a quick visit to your local bookstore, perusing the magazine section and then grabbing one of the many Linux Live DVDs floating in the pages of your favorite tech mag. This nifty (and free) DVD allows you to run a full-featured OS, including network discovery tools, rainbow tables and system recovery tools that allow you to mount the hard drive and do all manner of evil to it. Imagine your office midnight cleaning crew taking a well-deserved break, seating themselves down at your workstation, booting off of a live CD they happen to have, and surfing the internet or torrenting software, which they’ll copy to a USB drive they’ve also connected.
Everything I just mentioned in item 5, however, can be defeated by disabling secondary boot options in the BIOS and setting an admin password to protect it from unwanted changes. With time, tools and know-how, someone could open the case and reset the BIOS by pulling the battery or shorting the reset pin, but that takes time and effort. What this is intended to do is stop end users from leaving CDs/DVDs in the PC or inadvertently booting from USB hard drives or flash drives and possibly infecting the hard drive outside of the operating system’s protection.