Security Watch | Matt Hines

October 21, 2006

Those in front use Firefox, or is it IE7?


I was doing some testing with a rootkit infected machine this week and found that once IE6 is damaged by certain rootkits there's just no getting it back.

Okay, so there's really no new news there.

The problem was that once this rootkit had nested on the machine under test every time that IE6 started up it would crash pretty much immediately with a nice Windows message telling me that a Windows error had occurred and would I like to send this information to Microsoft. Yeah, like that would help me, right there, right then. Although I did fantasize that I would get an immediate call on my cell phone from Microsoft, telling me in an automated voice that my problem had been analyzed and a fix was on the way. Then the voice would go on to say, "You will receive a fix for your problem in 100,646 hours and 53 minutes" at which point I hang up the phone and bang my head against the desk.

So, once back to reality and having squashed the infection with several tools, I went ahead and tried to reload IE6 (since it was still crashing even after the rootkit had been removed). It seems you can't do that. After downloading a fresh copy of IE6 from Microsoft and trying to install it I would get the message that it detected a newer version of IE6 installed on the machine and poop out. And of course I couldn't completely uninstall IE6 and do a fresh install because of, well, it's just the way Windows XP is designed (okay you can remove IE6 completely, but I wasn't going to spend literally another 100,000 hours doing that).

So my choices were:

1) Reload the OS. No, not in the mood.
2) Use Firefox, or my personal favorite browser, Opera. Sounds like a good solution.
3) But wait, it was Wednesday and the production version IE7 just came out. Okay, let's try that.

First off, take a look at Brian Krebs' blog on some of the rumors flying around about supposed problems with IE7.

And pay attention to the part about turning off other anti-virus and anti-spyware products before installing IE7.

Okay, I downloaded IE7, did the install and, well, done.

It works and isn't having any problems.

Humm, whadda ya know, something that fixes things right off the bat and is actually more secure than the previous version of IE.

Okay, I don't like the IE7 installation process: when Windows boots it gives that Battlestar Galactica, Cylon Centurion-like stream of colors across the screen. Well, when IE7 is installing it does the same thing. But for all I know the process could be hung and never return. Give me the more informative Windows Update status where it tells me line by line what's being installed and how much more there is to go. Stop being cute and give me a current live status.

And now, of course, Microsoft validates your copy of Windows during the IE7 installation.

Well, it solved my problem. At least for now.

I also had to do an Office Professional repair to fix other issues on this machine. But that's another story...

Posted by Victor R. Garza on October 21, 2006 12:38 PM


COMMENTS
jw, did you have to restart your computer *twice* in order to complete the install?

Posted by: tg at October 22, 2006 12:35 PM

You know, I don't recall. I was fixated on the annoying installation display. I'm pretty sure the system rebooted at least one more time but I'm not sure. Next time I do that install/upgrade I'll remember to take a look at that.

Posted by: Victor R. Garza at October 22, 2006 04:09 PM

What are you talking about? If you have a real Rootkit infection you need to reformat and reinstall your OS. IE6 has nothing to do with it and Firefox is anything but secure, get the facts:

www.FirefoxMyths.com

Posted by: Andrew at October 23, 2006 03:46 AM

Although I have been running IE7 for several days, I did not discover until last night (when trying to watch NFL clips of my beloved Falcons), THAT THERE IS NO APPROVED VIDEO PLUG IN for IE7 yet.

HOW and WHY would they release a browser with no video capabilities? (Media 11 will not be released for a while.)

I DO, however, like the zoom and text enlargement capabilities...

Posted by: Melissa at October 23, 2006 04:03 AM

Andrew, interesting comment.

What do you consider a rootkit? Hoglund (who runs http://www.rootkit.com and wrote a pretty good book on the topic) defines "a rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer". That includes injection by patching, easter eggs, spyware among other means of kernel or application level subversion. But it does not define that certain types of (in this case application level) subversion cannot be undone, albeit at the loss of time and expense.

Rootkits, once detected, can be cleaned to an extent, but they usually leave behind corrupted data and trash that part of the OS. That's the reason IE6 was still crashing after cleanup.

I didn't say that Firefox was the answer, and I'd rather run Opera as a more secure (or should I say obscure) browser, but that's better than putting my head in the sand and giving up.

We'll see how IE7 stands up to these attacks in the future.

Posted by: Victor R. Garza at October 23, 2006 10:01 AM

Victor,

what rootkit or rootkits were on your rootkit infected machine?

regards

Steo

Posted by: Steo at October 23, 2006 05:23 PM

Steo,

I seem to recall that one was generic rootkit.a using hide_evr2.sys files.

Posted by: Victor R. Garza at October 23, 2006 06:55 PM

Andrew wrote:

> Firefox is anything but secure, get the facts:
>
> www.FirefoxMyths.com

I'd agree there are myths about Firefox, but just because it's not perfect does not mean it cannot make a decent case to be the best current browser. Whoever created this site is choosing their "facts" very selectively. And claiming Opera is more secure, when Opera currently has a critical unpatched vulnerability (see Secunia) - and Firefox does not - is highly dodgy. Both browsers in fact have good security records compared with Internet Explorer.

Posted by: Jez at October 24, 2006 02:17 AM

When invited, I downloaded the new Internet Explorer version 7.0, but it lost me the ability to 'Edit' (therefore the chance of pasting & copying which I use regularly), File, View, etc (top line on IE 6).
Frustrated, I reverted back to before the download in order to return to IE6; got my editing facility back - BUT the computer keeps doing strange things, e.g. when moving around my chat site, I get chucked out and the site disappears.
Any advice please - IN VERY SIMPLE terms, please, for this silver surfer!

Posted by: Rosemary Haines at October 24, 2006 11:32 AM

If you indeed have a rootkit, the only really safe thing to do is re-install the OS. Updating a browser is not removing the rootkit even if the browser itself starts working after the update.

Posted by: Mario at October 24, 2006 12:00 PM

Rosemary,

I haven't experienced either of the problems you've been going through. Hopefully, one of the other readers can drop me an email or post with some advice that I'll forward.

I'll ask around as well and see what I may be able to find out.

Best.

Posted by: Victor R. Garza at October 24, 2006 12:37 PM

If a rootkit has a "undetectable presence on a computer" then how can you have detected it and cleaned it? Logic failure! Either the definition is wrong or you didn't have a rootkit! Some worm/trojan/nastyware perhaps.

Jolyon

Posted by: Jolyon Ralph at October 24, 2006 12:39 PM

Rosemary,

I haven't installed IE7 yet but believe that the file, edit, view, copy & paste options are hidden on IE7 by default.

Posted by: Chris at October 24, 2006 12:49 PM

Mario,

Agreed. As I've stated before, while this test system is still functioning after clean up, it is still slightly unstable and the best thing to do is reimage it.

Jolyon,

While I can't help with logic failures, I can say that the open source and vendor communities are detecting many active rootkits.

Lucky for us, the inherent stealth of many of these rootkits is only temporary.

Take a look here for some excellent resources on the subject. http://en.wikipedia.org/wiki/Rootkit#External_links

Posted by: Victor R. Garza at October 24, 2006 01:01 PM
