Windows 8.1 app starts splashes then disappears


VirtualLarry

No Lifer
Aug 25, 2001
56,542
10,167
126
There is no such thing as malware that can "hide" from a format. It's impossible.

To be pedantic, doing a high-level (filesystem) format on a Windows box does NOT re-write the boot sector nor the partition table, so if you get a boot-sector virus, it can remain hidden there, even after a "re-format" (or a factory restore). The only way to get rid of those is to wipe the drive (or at least the first / last million sectors, such as a DISKPART.EXE "clean" command).
 
Jul 17, 2011
125
0
76
Can anyone explain KAPTOXA then? It arrives undetected, stays undetected, and leaves with no trace of it ever being there! If malware (virii included) can't hide, where is it that KAPTOXA exists?

VirtualLarry, just what is it that the DISKPART.EXE "clean" command does to the drive? Write 0's to those millions of sectors, or something else?

Thanks again, pclaptop
 
Jul 17, 2011
125
0
76
How can both of these statements be true?

"There is no such thing as malware that can "hide" from a format. It's impossible."

and . . . .

"To be pedantic, doing a high-level (filesystem) format on a Windows box, does NOT re-write the boot sector nor the partition table, so if you get a boot-sector virus, it can remain hidden there, even after a "re-format" (or a factory restore)."
 

code65536

Golden Member
Mar 7, 2006
1,006
0
76
To be pedantic, doing a high-level (filesystem) format on a Windows box does NOT re-write the boot sector nor the partition table, so if you get a boot-sector virus, it can remain hidden there, even after a "re-format" (or a factory restore). The only way to get rid of those is to wipe the drive (or at least the first / last million sectors, such as a DISKPART.EXE "clean" command).

Yes, you should delete and recreate the partition table if you want to be thorough. But that's still a quick format (no need to wipe the first million sectors--just delete the partition table). (And... boot sector viruses? This ain't the 90's. ;))

VirtualLarry, just what is it that the DISKPART.EXE "clean" command does to the drive? Write 0's to those millions of sectors, or something else?

It deletes the partition table.

Can anyone explain KAPTOXA then? It arrives undetected, stays undetected, and leaves with no trace of it ever being there! If malware (virii included) can't hide, where is it that KAPTOXA exists?

Obviously not since it was eventually detected. There is a difference between undetectable (no such thing) and not detected. The latter can be because of a variety of reasons, from the mundane (not detected because it avoids drawing attention to itself and nobody knew they should even be looking for it) to the sophisticated (rootkits that compromise basic OS functionality so that detection tools on that OS would not work as intended--a problem that can be bypassed by offline analysis, i.e., searching the disk using another OS so that the compromised OS is not executed; remember the Cardinal Rule). Again, nothing is immune from a format (and one where you delete and recreate the partition tables).

How can both of these statements be true?

"There is no such thing as malware that can "hide" from a format. It's impossible."

and . . . .

"To be pedantic, doing a high-level (filesystem) format on a Windows box, does NOT re-write the boot sector nor the partition table, so if you get a boot-sector virus, it can remain hidden there, even after a "re-format" (or a factory restore)."

Note his use of the word "pedantic". Because this is an edge-case problem.

Because, depending on how you define a format, you could just be formatting one partition. And with the virus residing in a boot partition (boot sector viruses are a relic from another era), that partition won't be affected if you're formatting only the OS partition. Again, this is very rare--malware living in the boot partition is extremely uncommon and is more of a theoretical threat than a real one.

In either case, simply reformatting all partitions (or just deleting the partition table) will be comprehensive.
 
Jul 17, 2011
125
0
76
If rootkit-type virii/malware are the 90's, where is the non-detected (I say undetectable because it hasn't had its location detected and it's been over 9 months) KAPTOXA hiding in the 10's?
 

VirtualLarry

No Lifer
Aug 25, 2001
56,542
10,167
126
And with the virus residing in a boot partition (boot sector viruses are a relic from another era), that partition won't be affected if you're formatting only the OS partition. Again, this is very rare--malware living in the boot partition is extremely uncommon and is more of a theoretical threat than a real one.
So "theoretical", that MS invented UEFI "Secure Boot", to prevent exactly this attack vector on the PC's boot process.

I think that you would be surprised to hear that boot-sector infectors, as well as rootkits, have merged. They call them "bootkits", and they are on the rise.

Therefore, a "clean" (which wipes more than just the partition table), is important, and if you really want to be sure, a "clean all" will wipe the entire host-addressable LBA range with zeros.
 
Jul 17, 2011
125
0
76
It just seems that everyone (AV/malware software companies) isn't saying $ H ! T about KAPTOXA 'cause they can't find it! Target was hit in January and it had probably been resident long before that! And Home Depot JUST reported the other day they were infected/compromised in April!

What I'm saying in total here is there is a whole new strain of malware that, SO FAR, is UNDETECTABLE!

The only way I've been able to remove it is the LLF/reinitialization/whatever you want to call it, write 0 process!
 
Jul 17, 2011
125
0
76
Hmmm, two different schools of thought between code65536 and VirtualLarry!

One says it isn't and there ain't, the other says it is and there are!

Yin/yang?
 

Gunbuster

Diamond Member
Oct 9, 1999
6,852
23
81
Is your claim that KAPTOXA is attacking your friend's Windows 8 machines? I find it hard to believe that an attack tailored to big retail unpatched XP Embedded POS boxes is also seeking out Win 8.1 Podunk users. More likely they opened a "voicemail" attachment they got in email, clicked past two or three Windows "are you really sure" prompts and then infected themselves.
 

code65536

Golden Member
Mar 7, 2006
1,006
0
76
So "theoretical", that MS invented UEFI "Secure Boot", to prevent exactly this attack vector on the PC's boot process.

I think that you would be surprised to hear that boot-sector infectors, as well as rootkits, have merged. They call them "bootkits", and they are on the rise.

Therefore, a "clean" (which wipes more than just the partition table), is important, and if you really want to be sure, a "clean all" will wipe the entire host-addressable LBA range with zeros.

On the rise? Really?

The security community has an affinity for the exotic. Which is understandable. Yes, bootkits exist. There are even some that make use of VT-x and act as a hypervisor (which was a great excuse for Sony to go around disabling VT-x with no way of turning it back on some years ago). But they are "theoretical" (okay, poor choice of wording: I should've said "effectively theoretical") because they are virtually never seen in the wild. And when they do appear, they are used in highly-targeted attacks against high-value targets. They make for great showpieces at security conferences and in research papers, but their real-world viability is... questionable. Not something that most people would have to worry about.

Anyway, I hope you are not forgetting that the boot sector is literally just that: a single 512-byte LBA sector. GPT extends this to about a few dozen sectors. We're talking about a region that's measured in kilobytes. Wiping the first "million sectors" puts you well past the MBR and into the actual partitions themselves, which in modern Windows starts at 1 MiB (it starts much earlier in NT 5.x and earlier--after just a single "track", which is defined as 63 512-byte sectors). Wiping the first million bytes will destroy anything that exists before the partitions themselves (and let's throw in the final million bytes to wipe the backup table for GPT). There is absolutely no need to wipe anything beyond that, and certainly no need for a wipe of the entire LBA range. That's useful only for scrubbing data from a drive that you are discarding or selling to prevent someone from salvaging private data from it. But from a malware security standpoint, there is absolutely no benefit whatsoever from something like that. Period.



In any case, I think we all agree that malware targeted at point-of-sale machines designed specifically to steal card data in-memory after a swipe is... not going to be seen anywhere outside of point-of-sale machines. :p

And our only disagreement is my assertion that there is no evidence that boot attacks are anything but rare and targeted. When I "format" a disk in preparation for a fresh new Windows install, I actually just use the Windows installer to delete all the partitions and let Windows recreate everything from scratch (the installer will automatically create a new MBR in this case and/or convert between MBR and GPT as needed). This is trivially simple to do and does not involve unnecessarily zeroing out an entire disk.
 
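The two posters above disagree about how much of a disk a "clean" has to cover, but they agree on the layout: boot code in LBA 0, a partition table measured in kilobytes (a GPT header plus a 32-sector entry array at each end of the disk), and the first partition starting at 1 MiB on modern Windows. The following is an added example, not code from anyone in this thread, that builds a constructed GPT disk image in memory with that layout and shows what survives three operations: a quick (high-level) format of the data partition, zeroing the first and last MiB, and a full zero-fill. BOOT_MARK is a constructed stand-in for code resident in the MBR's 440-byte boot-code area and FILE_MARK for a user file; `quick_format`, `wipe_headers` and `clean_all` are this example's own names and model the regions each approach touches, not DISKPART's exact behaviour (what `clean` does to the MBR code on an MBR-only disk is the point in dispute here, and this model does not settle it). The GPT headers carry real CRC32s, so `gpt_valid` only returns True when a parser would actually accept them.

```python
"""Added example (not from any post in this thread): which on-disk regions a quick
format, a first/last-MiB wipe, and a full zero-fill actually touch on a GPT disk.
BOOT_MARK and FILE_MARK are constructed markers; function names are this example's own."""
import struct
import zlib

SECTOR = 512
DISK_SECTORS = 8192                        # constructed 4 MiB image; a real disk only differs in size
PART_START = 2048                          # first partition at 1 MiB, as modern Windows aligns it
ENTRIES, ENTRY_SIZE = 128, 128             # standard 128 x 128-byte entries = 32 sectors
ENTRY_SECTORS = ENTRIES * ENTRY_SIZE // SECTOR
FIRST_USABLE = 2 + ENTRY_SECTORS           # LBA 34: after protective MBR, header, entry array
LAST_USABLE = DISK_SECTORS - 2 - ENTRY_SECTORS   # LBA 8158: before backup entries and backup header
BOOT_MARK = b"RESIDENT_BOOT_CODE"          # constructed stand-in for code living in the MBR code area
FILE_MARK = b"USER_FILE_DATA"              # constructed stand-in for a file inside the partition


def gpt_header(my_lba, alt_lba, entries_lba, entries_crc):
    """One 92-byte GPT header padded to a sector; its CRC32 covers the header with the CRC field zeroed."""
    hdr = bytearray(92)
    hdr[0:8] = b"EFI PART"
    struct.pack_into("<II", hdr, 8, 0x00010000, 92)            # revision 1.0, header size
    struct.pack_into("<QQQQ", hdr, 24, my_lba, alt_lba, FIRST_USABLE, LAST_USABLE)
    struct.pack_into("<QIII", hdr, 72, entries_lba, ENTRIES, ENTRY_SIZE, entries_crc)
    # disk GUID (bytes 56..72) is left zero in this constructed image
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))
    return bytes(hdr).ljust(SECTOR, b"\x00")


def build_disk():
    img = bytearray(DISK_SECTORS * SECTOR)
    # LBA 0: protective MBR. Code area 0..439, one 0xEE entry at 446, 0x55AA signature at 510.
    img[0:len(BOOT_MARK)] = BOOT_MARK
    struct.pack_into("<B3sB3sII", img, 446, 0x00, b"\x00\x02\x00", 0xEE, b"\xff\xff\xff", 1, DISK_SECTORS - 1)
    img[510:512] = b"\x55\xaa"
    # One Microsoft basic-data partition entry (type GUID in its on-disk mixed-endian byte order).
    entries = bytearray(ENTRIES * ENTRY_SIZE)
    entries[0:16] = bytes.fromhex("a2a0d0ebe5b9334487c068b6b72699c7")
    entries[16:32] = b"\x01" * 16                               # unique partition GUID (constructed)
    struct.pack_into("<QQ", entries, 32, PART_START, LAST_USABLE)
    ecrc = zlib.crc32(bytes(entries))
    bk_entries_lba = DISK_SECTORS - 1 - ENTRY_SECTORS
    img[2 * SECTOR:(2 + ENTRY_SECTORS) * SECTOR] = entries
    img[bk_entries_lba * SECTOR:(DISK_SECTORS - 1) * SECTOR] = entries
    img[1 * SECTOR:2 * SECTOR] = gpt_header(1, DISK_SECTORS - 1, 2, ecrc)
    img[(DISK_SECTORS - 1) * SECTOR:] = gpt_header(DISK_SECTORS - 1, 1, bk_entries_lba, ecrc)
    # Partition body: a filesystem boot record in its first sector, a "file" a few sectors in.
    p = PART_START * SECTOR
    img[p + 3:p + 11] = b"NTFS    "
    img[p + 4 * SECTOR:p + 4 * SECTOR + len(FILE_MARK)] = FILE_MARK
    return img


def parse_gpt_header(img, lba):
    """Header fields at `lba`, or None if the signature, header CRC or entry-array CRC fails."""
    hdr = bytes(img[lba * SECTOR:lba * SECTOR + 92])
    if hdr[:8] != b"EFI PART":
        return None
    if zlib.crc32(hdr[:16] + bytes(4) + hdr[20:]) != struct.unpack_from("<I", hdr, 16)[0]:
        return None
    my_lba, alt_lba, first, last = struct.unpack_from("<QQQQ", hdr, 24)
    ent_lba, n, size, ecrc = struct.unpack_from("<QIII", hdr, 72)
    if zlib.crc32(bytes(img[ent_lba * SECTOR:ent_lba * SECTOR + n * size])) != ecrc:
        return None
    return {"my_lba": my_lba, "alt_lba": alt_lba, "first_usable": first, "last_usable": last}


def gpt_valid(img):
    return parse_gpt_header(img, 1) is not None and parse_gpt_header(img, DISK_SECTORS - 1) is not None


def boot_code_present(img):
    return BOOT_MARK in bytes(img[0:440])


def file_data_present(img):
    return FILE_MARK in bytes(img[PART_START * SECTOR:])


def header_footprint(img):
    """Bytes of partitioning structures, read from the primary header: LBA 0 up to FirstUsableLBA
    plus LastUsableLBA+1 to the end of the disk. Kilobytes, not a million sectors."""
    h = parse_gpt_header(img, 1)
    return (h["first_usable"] + (DISK_SECTORS - 1 - h["last_usable"])) * SECTOR


def quick_format(img):
    """High-level format of the data partition: rewrites filesystem metadata inside the partition
    and nothing else. LBA 0, both GPT headers and most file content survive (hence undelete tools)."""
    p = PART_START * SECTOR
    img[p:p + SECTOR] = bytes(SECTOR)
    img[p + 3:p + 11] = b"NTFS    "


def wipe_headers(img, span=1 << 20):
    """Zero the first and last `span` bytes (1 MiB each by default): MBR code and table, both GPT
    headers and entry arrays, and any gap before a 1 MiB-aligned first partition. File data stays."""
    img[:span] = bytes(span)
    img[-span:] = bytes(span)


def clean_all(img):
    """Zero every host-addressable sector, i.e. a full zero-fill of the image."""
    img[:] = bytes(len(img))


if __name__ == "__main__":
    print(f"partitioning structures occupy {header_footprint(build_disk())} bytes")
    for name, op in (("quick format", quick_format), ("wipe first/last MiB", wipe_headers), ("zero-fill", clean_all)):
        img = build_disk()
        op(img)
        print(f"{name:20} boot code: {boot_code_present(img)!s:5} GPT valid: {gpt_valid(img)!s:5} "
              f"file data: {file_data_present(img)}")
```

Running it prints a footprint of 34304 bytes (67 sectors) for the GPT structures and shows the quick format leaving the boot-code marker, both GPT headers and the file marker untouched; the first/last-MiB wipe removes the boot code and invalidates both headers while the file marker survives; only the zero-fill removes everything. That is the distinction the thread circles around: a reinstall that only reformats partitions never writes LBA 0, a wipe of the header regions does, and zeroing the whole drive adds nothing against boot-sector code beyond what the header wipe already did.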
Jul 17, 2011
125
0
76
Is your claim that KAPTOXA is attacking your friend's Windows 8 machines? I find it hard to believe that an attack tailored to big retail unpatched XP Embedded POS boxes is also seeking out Win 8.1 Podunk users. More likely they opened a "voicemail" attachment they got in email, clicked past two or three Windows "are you really sure" prompts and then infected themselves.

The "INTRUSION" method, KAPTOXA, is for sale on the internet. A 17-year-old Russian kid bought it and added the BLACKPOS payload! ANYONE could have bought KAPTOXA and added whatever payload they wanted, no matter how significant or insignificant it may be! And NO, I don't believe that what attacked TARGET and HOME DEPOT is what was on my friend's computers/laptops!

But that was not what I asked you, if no malware can hide how is KAPTOXA doing it, regardless of who it is intended for? And wouldn't BIG business have a much more thorough intensive intrusion prevention system?
 
Jul 17, 2011
125
0
76
code65536 said, "When I "format" a disk in preparation for a fresh new Windows install, I actually just use the Windows installer to delete all the partitions and let Windows recreate everything from scratch (the installer will automatically create a new MBR in this case and/or convert between MBR and GPT as needed). This is trivially simple to do and does not involve unnecessarily zeroing out an entire disk."

I tried this on the affected laptop and 2/3 of the way through I got an error message that said, "there are corrupt files on this installation and the install is halted"; that is not verbatim but is what was conveyed to stop the new "fresh" install! And this was after the Win7 install deleted all partitions and formatted a new one using all of the hard drive. I even burned a new DVD and still got the same result, up until I "LLF/re-initialized/wrote 0's" to the hard drive. I will agree that most likely the whole hard drive need not be ZEROED out! But I had time on my hands, so no big deal! After the ZEROING, the first Win7 "corrupt files" DVD disk installed fine!
 

VirtualLarry

No Lifer
Aug 25, 2001
56,542
10,167
126
On the rise? Really?
If they weren't, why would a large for-profit company like Microsoft put in all of the effort?

Anyway, I hope you are not forgetting that the boot sector is literally just that: a single 512-byte LBA sector. GPT extends this to about a few dozen sectors. We're talking about a region that's measured in kilobytes. Wiping the first "million sectors" puts you well past the MBR and into the actual partitions themselves, which in modern Windows starts at 1 MiB (it starts much earlier in NT 5.x and earlier--after just a single "track", which is defined as 63 512-byte sectors). Wiping the first million bytes will destroy anything that exists before the partitions themselves (and let's throw in the final million bytes to wipe the backup table for GPT). There is absolutely no need to wipe anything beyond that, and certainly no need for a wipe of the entire LBA range. That's useful only for scrubbing data from a drive that you are discarding or selling to prevent someone from salvaging private data from it. But from a malware security standpoint, there is absolutely no benefit whatsoever from something like that. Period.
At least you are now admitting to the usefulness of wiping the first and last million sectors, rather than just erasing the partition table. Which, btw, doesn't wipe the MBR without doing a "clean".
When I "format" a disk in preparation for a fresh new Windows install, I actually just use the Windows installer to delete all the partitions and let Windows recreate everything from scratch (the installer will automatically create a new MBR in this case and/or convert between MBR and GPT as needed). This is trivially simple to do and does not involve unnecessarily zeroing out an entire disk.
That will not wipe the MBR, nor will it "automagically" convert between GPT and MBR as needed. You must hit "SHIFT+F10", bring up a command prompt window, run DISKPART.EXE, and "clean" the drive in question, and then re-scan the disk(s) in the installer, in order to convert between MBR and GPT and vice-versa.

This is proven by several threads on how to install Linux or Windows 7, on a PC or laptop that came pre-installed in UEFI mode with Windows 8/8.1. Not to mention, disabling Secure Boot and Fast Boot.
 
Jul 17, 2011
125
0
76
code65536, you said in post #29, "Obviously not since it was eventually detected." But it was NOT KAPTOXA that was detected but the payload, BLACKPOS, that was attached to KAPTOXA! Apparently a redirect in BLACKPOS that sent the credit card data to another location to be stored until it was sent out is the code string that was uncovered. It identified BLACKPOS, which ultimately showed an intrusion by KAPTOXA! If someone else purchases the KAPTOXA intrusion code and attaches a DIFFERENT payload . . .
 

code65536

Golden Member
Mar 7, 2006
1,006
0
76
If they weren't, why would a large for-profit company like Microsoft put in all of the effort?
That doesn't make the threat widespread, and you know it. It's a relatively easy thing to do, compared to other things in the fight against malware.

At least you are now admitting to the usefulness of wiping the first and last million sectors, rather than just erasing the partition table. Which, btw, doesn't wipe the MBR without doing a "clean".
Bytes, not sectors. Never, ever did I admit to the usefulness of wiping a whole GB of space, which is what the first and last million sectors would be. And when I say partition table, I mean the MBR along with it, because that's effectively what you're doing anyway. The MBR itself is a mere half kilobyte and contains the partition table (or, in the case of GPT, a mere stub that is a part of the partition table). So if it makes you happier, I'll call it the "header" for disambiguation. Still, it's something that takes up kilobytes of data, with unused space set aside in the current implementation to allow for future expansion up to a megabyte. Not a million sectors by any stretch of the imagination.

That will not wipe the MBR, nor will it "automagically" convert between GPT and MBR as needed. You must hit "SHIFT+F10", bring up a command prompt window, run DISKPART.EXE, and "clean" the drive in question, and then re-scan the disk(s) in the installer, in order to convert between MBR and GPT and vice-versa.
Um, I'm speaking from personal experience. Yes, it does do that. Don't take some forum thread's word for it. Heck, don't even take my word for it. Try it yourself. Modern Windows installers aren't as dumb as you think they are.
 

code65536

Golden Member
Mar 7, 2006
1,006
0
76
I tried this on the affected laptop and 2/3 of the way through I got an error message that said, "there are corrupt files on this installation and the install is halted"; that is not verbatim but is what was conveyed to stop the new "fresh" install! And this was after the Win7 install deleted all partitions and formatted a new one using all of the hard drive. I even burned a new DVD and still got the same result, up until I "LLF/re-initialized/wrote 0's" to the hard drive. I will agree that most likely the whole hard drive need not be ZEROED out! But I had time on my hands, so no big deal! After the ZEROING, the first Win7 "corrupt files" DVD disk installed fine!

That sounds more like an intermittent error with your optical disc. If it were a hard drive problem, it would instead be an unrecoverable write error. If it was a hard drive problem, a zeroing of the drive (or other forced write of the whole drive) could force the drive's firmware to remap bad sectors if there were any. This is still unrelated to malware or security. I still think that it's an intermittent DVD error--a marginal DVD (and/or a marginal drive) may fail some times and get through some other times, and that it worked after a "LLF" is coincidence and likely not causal.

code65536, you said in post #29, "Obviously not since it was eventually detected." But it was NOT KAPTOXA that was detected but the payload, BLACKPOS, that was attached to KAPTOXA! Apparently a redirect in BLACKPOS that sent the credit card data to another location to be stored until it was sent out is the code string that was uncovered. It identified BLACKPOS, which ultimately showed an intrusion by KAPTOXA! If someone else purchases the KAPTOXA intrusion code and attaches a DIFFERENT payload . . .

Why are you so obsessed with malware that is extremely targeted at specific types of machines at specific places? And yes, it can be detected. How they came to find it is irrelevant. The point is, it is IMPOSSIBLE to "hide" from a disk format. And because we are reminded that bootkits exist in the same way lottery jackpot winners exist, I'll define "disk format" as anything that wipes the header and backup header from a disk, which is a couple of megabytes, at most. Period. End of story.
 
Jul 17, 2011
125
0
76
code65536: "That sounds more like an intermittent error with your optical disc."

Why did the SAME optical drive work fine AFTER the LLF or whatever you want to call it? Or is that the same kind of COINCIDENCE as the LLF removing the virus code? There was NOTHING wrong with the optical drive, it was brand new! END OF STORY!

code65536: "The point is, it is IMPOSSIBLE to "hide" from a disk format."

VirtualLarry: "so if you get a boot-sector virus, it can remain hidden there, even after a "re-format" (or a factory restore)."

Now, I obviously come here for help because I am old enough to know that I don't know everything. What I do know is what worked, however contrary to your insistent objections! Now I have to decide which is which in the statements above! How do I do that, being that I do not know either of you?

I look at your specs: you joined in Mar 2006 and have 991 posts! VirtualLarry joined in Aug 2001 and has 25,550 posts? There would be a lot of ways to interpret this, as I'm sure you might, or maybe not even bother. I don't know. But it occurs to me that if I were to take as fact what you say, which counters EVERYTHING I have done to successfully fix/repair many laptops that have that RANDOM infection that may or may not have been Kaptoxa or another virus with similar qualities, then I'm just lucky!

Or, VirtualLarry, whose statements support that which HAS worked for me, and maybe his 25,000-plus posts weren't all babble from some unsupported links?

Tough call for me. END OF STORY

Again, thanks all; this has been an interesting thread and has been very enlightening!