New MBR rootkit goes undetected


MAOS
April 13th, 2009, 08:38 PM
-{ Quote: "
When the MBR rootkit came out in late 2007 - early 2008, it was immediately clear that it was a breakthrough infection, different from every other kind of rootkit infection seen in the wild. The proof of concept had been known since 2005, but no one was expecting to see malware using this technology in the wild. It took only a few months for it to become one of the worst threats of last year, with tens of thousands of infected PCs.

Even though the first MBR rootkit variant is still undetected by some antivirus vendors, its creators decided to develop a new version of it, virtually able to bypass almost all security products, even the ones able to detect the first version. Our research lab started to receive new reports of this infection from the first days of April.

.....

We have already detected many infections caused by the new MBR rootkit and we expect this number to increase quickly, like the old MBR rootkit did last year.
" }-

http://www.prevx.com/blog/120/MBR-rootkit-changes-itself-and-strikes-again.html

BrendanK.
April 13th, 2009, 09:39 PM
Damn it! Last night I got an infection alert from Prevx Edge. It said:

\\PhysicalDrive\MBR - Possible Malicious Rootkit

And I couldn't remove or block it :(

A scan with GMER and nothing popped up?

BrendanK.
April 13th, 2009, 09:41 PM
Ahh just found out GMER does NOT detect the rootkit. I'm stuffed for a little while :(

TheKid7
April 13th, 2009, 11:18 PM
What is the best way to prevent a MBR Rootkit?

Thank you.

firzen771
April 13th, 2009, 11:20 PM
-{ Quote: "What is the best way to prevent a MBR Rootkit?

Thank you." }-

unplugging ur PC ;D

Toby75
April 13th, 2009, 11:22 PM
-{ Quote: "Damn it! Last night I got an infection alert from Prevx Edge. It said:

\\PhysicalDrive\MBR - Possible Malicious Rootkit

And I couldn't remove or block it :(
" }-

Wonder why Prevx didn't block it. Was it the trial version?

Threedog
April 13th, 2009, 11:38 PM
I also see he runs Defensewall. Wonder how it got by that?

Toby75
April 13th, 2009, 11:44 PM
-{ Quote: "unplugging ur PC ;D" }-

Seriously? Is there a way to configure HIPS to protect from this? Say for example... DriveSentry?

Just Curious

Thanks in advance,
Toby

BrendanK.
April 13th, 2009, 11:58 PM
-{ Quote: "Wonder why Prevx didn't block it. Was it the trial version?" }-

Yeah. :(

Toby75
April 14th, 2009, 12:00 AM
Does Avira detect it? If you installed it in "safer mode" then it might pick it up.

Ed_H
April 14th, 2009, 12:26 AM
Wow...with all the security you are running, I am surprised it wasn't picked up!

innerpeace
April 14th, 2009, 12:32 AM
So how does this thing get installed? I suppose the user has to install it themselves.

thathagat
April 14th, 2009, 12:41 AM
Two questions:
1. Could something like Sandboxie or Returnil prevent it from infecting the PC in the first place?
2. Once infected, could something like a Rollback snapshot restore save one the pain of cleaning up the mess?

Osaban
April 14th, 2009, 01:04 AM
-{ Quote: "Damn it! Last night I got an infection alert from Prevx Edge. It said:

\\PhysicalDrive\MBR - Possible Malicious Rootkit

And I couldn't remove or block it :(

A scan with GMER and nothing popped up?" }-

Well, it says 'possible', I suppose that FPs can happen for rootkits as well.

BrendanK.
April 14th, 2009, 01:28 AM
-{ Quote: "Well, it says 'possible', I suppose that FPs can happen for rootkits as well." }-

Yes it could be. But the detection of this new rootkit coincides with when Prevx detected it on my computer.

I am unsure as I did install Eaz-Fix just before that.

So for the meantime it's better to be safe than sorry :)

vijayind
April 14th, 2009, 02:21 AM
As per the comments on the blog by Marco:
-{ Quote: "No, current GMER release can't detect this rootkit nor can SVV. Fixmbr, which is run outside the system, can fix the mbr.

Marco" }-
So if you have a backup (I have one with MbrFix), you could apply that too.

Plus it looks like PrevX will be kind enough to release the fix for free, so better wait a few days IMO.
-{ Quote: "We have already detected many infections caused by the new MBR rootkit and we expect this number to increase quickly, like the old MBR rootkit did last year.

We have already written detection and cleanup routine for this nasty infection. The major update we're going to release in some days to our Prevx products will include this feature. Cleanup of this infection will be released for free." }-

BJStone
April 14th, 2009, 04:43 AM
Just write a new MBR and it's gone.

Meriadoc
April 14th, 2009, 05:13 AM
Manual removal. Load up the recovery console or repair tools by inserting the Windows disk, type fixmbr, reboot. The command writes a new boot sector which erases the rootkit.

edit: just read at Sysinternals of another ARK tool that detects.

CodeWalker (http://cmcinfosec.com/download/cmcark_024500scrshot.jpg)
-{ Quote: "I recently got the sample from one of the Mebroot drive-by exploit sites (*********.com), got infected, and my CodeWalker (0.2.4.500) can now detect it at the next reboot :)

I tested it on 9 different samples of the Mebroot authors' campaign from 03/31 and today, and none failed.

" }-

cmcinfosecdotcom (http://translate.google.co.uk/translate?hl=en&sl=vi&u=http://www.cmcinfosec.com/&ei=UVfkSb_jDNK1_AaBhMWfCQ&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3Dcmcinfosec.com%26hl%3Den%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-GB:official%26hs%3DjGf%26sa%3DG)

MAOS
April 14th, 2009, 05:43 AM
CodeWalker didn't work on my virtual machine. I managed to get the VM infected and I checked with GMER: the result is the presence of many system threads without a known origin.

I tried CodeWalker but it says the MBR is clean :(

LoneWolf
April 14th, 2009, 05:55 AM
-{ Quote: "Damn it! Last night I got an infection alert from Prevx Edge. It said:

\\PhysicalDrive\MBR - Possible Malicious Rootkit

And I couldn't remove or block it :(

A scan with GMER and nothing popped up?" }-

-{ Quote: "Yes it could be. But the detection of this new rootkit coincides with when Prevx detected it on my computer.

I am unsure as I did install Eaz-Fix just before that.

So for the mean time it's better to be safe then sorry :)" }-


Are you using the beta or the last stable version of Prevx?
A few days ago Prevx Edge beta was giving a FP on Rollback Rx as a rootkit.

http://www.wilderssecurity.com/showthread.php?t=225190&page=132

Eaz-Fix is basically the same. I would send your scan log, if possible, to Prevx to check out.
Or post in the thread linked above with your find so if it is a FP it can be fixed.

Longboard
April 14th, 2009, 05:55 AM
See reply from 'mysec'
http://www.dslreports.com/forum/r22231286-New-Mebroot-spreading-around-and-got-undetected

EraserHW
April 14th, 2009, 06:04 AM
-{ Quote: "Damn it! Last night I got an infection alert from Prevx Edge. It said:

\\PhysicalDrive\MBR - Possible Malicious Rootkit

And I couldn't remove or block it :(

A scan with GMER and nothing popped up?" }-

Are you using the beta version of Prevx?
Did you install eaz-fix?

If so, please send me a Prevx scan log at falsipositivi[-aT]pcalsicuro[dOt]com and I'll have a look at it :)

greenhorn113
April 14th, 2009, 08:34 AM
:) -{ Quote: "Yes it could be. But the detection of this new rootkit coincides with when Prevx detected it on my computer.

I am unsure as I did install Eaz-Fix just before that.

So for the mean time it's better to be safe then sorry :)" }-

I had the same prompt from Edge (paid) while installing Eaz-Fix and assumed it related to Eaz-Fix, so I completed the installation. I guess it must be a FP.

gh113

Sm3K3R
April 14th, 2009, 09:51 AM
Wouldn't the BIOS option named BOOT VIRUS PROTECTION keep us safe against MBR rootkits?
Or is it useless at this moment?

PrevxHelp
April 14th, 2009, 11:20 AM
Hello all,
Some programs like Rollback Rx (and maybe EAZ-fix as well) modify the MBR in a non-malicious manner but our realtime MBR scanning will detect the change and alert the user just to be safe.

We are offering MBR rootkit cleanup for free, but the new, difficult to detect MBR rootkit is detected only in the beta version (which will be released officially this week).

Conventional AVs can block the infection before it enters (as they do with other threats) but that doesn't help if you're already infected or if they don't have a signature for it (i.e. Conficker).

The problem with this infection is that once it gets in, every AV simply cannot read the MBR - it is a highly intelligent rootkit which is very effective at hiding the contents from the AVs. We had to develop an alternate engine to find this file and AFAIK no one else detects it yet.

mysec at DSLReports missed the point that what we're outlining here is NOT about the means of getting infected, it's what happens AFTER you get infected. Threats get past AVs all the time and once they're in, they can generally be removed relatively easily. This one cannot, however.

PrevxHelp
April 14th, 2009, 11:21 AM
-{ Quote: "Just write a new MBR and it's gone." }-

You'll have to write a new MBR from outside of the OS as the rootkit filters any attempt to write the MBR when loaded.

andyman35
April 14th, 2009, 12:39 PM
-{ Quote: "You'll have to write a new MBR from outside of the OS as the rootkit filters any attempt to write the MBR when loaded." }-
That's where the good old UBCD4Win comes into play, removal/detection is a doddle. Rootkitty then mbrwiz and voila. ;)

metalforlife
April 14th, 2009, 01:44 PM
What about a HIPS like Comodo or Malware Defender, will the rootkit be able to sneak past them as well?

PrevxHelp
April 14th, 2009, 02:38 PM
-{ Quote: "What about a HIPS like Comodo or Malware Defender, will the rootkit be able to sneak past them as well?" }-

It depends on how strict the rules are. All that the rootkit does is rewrite the MBR and then lock it down very tightly. The main issue isn't prevention (that's always an issue with any threat so that isn't anything new :)), the real issue is detection once infected and cleanup after detection. The droppers we've encountered so far are very cautious and just infect the MBR and then remain quiet without any visible signs.

Lucy
April 14th, 2009, 02:41 PM
Isn't LUA simply the solution?

PrevXHelp, why not simply explain this is an easy solution, which complements so well your security solution (or maybe it is the other way around, isn't it? :wacko: )

PrevxHelp
April 14th, 2009, 02:49 PM
-{ Quote: "Isn't LUA simply the solution?

PrevXHelp, why not simply explain this is an easy solution, which complements so well your security solution (or maybe it is the other way around, isn't it? :wacko: )" }-

LUA is a solution to a majority of malware problems but it simply isn't viable for a majority of home users, which is why most people don't use it (it's just too restrictive).

However, if you do run EVERYTHING under LUA, you should be completely safe from this threat :thumb:

metalforlife
April 14th, 2009, 03:11 PM
-{ Quote: "It depends on how strict the rules are. All that the rootkit does is rewrite the MBR and then lock it down very tightly. The main issue isn't prevention (that's always an issue with any threat so that isn't anything new :)), the real issue is detection once infected and cleanup after detection. The droppers we've encountered so far are very cautious and just infect the MBR and then remain quiet without any visible signs." }-

So does it mean that HIPS applications won't be able to do much, once the rootkit succeeds in digging itself into the system?

How does the same file, intercepted during its attempt to get into the PC, suddenly cloak itself once it manages to do so? Isn't that basically what HIPSs monitor? Wouldn't every file/process residing in the PC be under the watch of a HIPS?

yamaneko
April 14th, 2009, 03:14 PM
-{ Quote: "LUA is a solution to a majority of malware problems but it simply isn't viable for a majority of home users, which is why most people don't use it (its just too restrictive)." }-

Well, maybe prior to Vista. With Vista, I really don't see much point in using an administrator account. IMO :)

PrevxHelp
April 14th, 2009, 03:17 PM
-{ Quote: "So does it mean that HIPS applications won't be able to do much, once the rootkit succeeds in digging itself into the system?" }-

That's correct. Once it's in, you'll need a standalone scanner to find it because the behaviors occur in hidden threads which aren't visible by "normal" HIPS methods.

metalforlife
April 14th, 2009, 03:19 PM
-{ Quote: "That's correct. Once it's in, you'll need a standalone scanner to find it because the behaviors occur in hidden threads which aren't visible by "normal" HIPS methods." }-

Understood.

raven211
April 14th, 2009, 03:35 PM
-{ Quote: "That's correct. Once it's in, you'll need a standalone scanner to find it because the behaviors occur in hidden threads which aren't visible by "normal" HIPS methods." }-

Not even Prevx? ;D

Meriadoc
April 14th, 2009, 03:40 PM
-{ Quote: "LUA is a solution to a majority of malware problems but it simply isn't viable for a majority of home users, which is why most people don't use it (its just too restrictive)." }-
I find it works well; if I need more privilege I can do that: run as admin or log into the admin account. XP Pro.

PrevxHelp
April 14th, 2009, 03:41 PM
-{ Quote: "Not even Prevx? ;D" }-

We do now, but to be completely honest - we didn't before ;D Sure, we blocked the dropper, but that's not difficult. The real challenge with this threat is finding it on an infected system (without forcing users to resort to a boot cd :))

raven211
April 14th, 2009, 04:19 PM
I don't doubt TF would miss it also - I've been a very big fanboy of it lately, but at least I'm being open-minded and honest about its mistakes. ;D

trjam
April 14th, 2009, 04:21 PM
I think you also need to be open minded from what is reported and what is actually true. And that bothers me. F-Secure has been on top of this one from the start, even before Prevx.

PrevxHelp
April 14th, 2009, 04:24 PM
-{ Quote: "I think you also need to be open minded from what is reported and what is actually true. And that bothers me. F-Secure has been on top of this one from the start, even before Prevx." }-

Do you know what version of F-Secure detects/cleans this threat? I tried last week with F-Secure 2009 and it didn't find it at all, but I'm reinstalling again now to see.

trjam
April 14th, 2009, 04:26 PM
Set your settings at high.

raven211
April 14th, 2009, 04:34 PM
-{ Quote: "I think you also need to be open minded from what is reported and what is actually true. And that bothers me. F-Secure has been on top of this one from the start, even before Prevx." }-

I can only speak from my personal experience, and that's exactly what I do - and that's true for F-Secure as well. I'd had bad experience with it in the past and the program is not for me, but I never doubt that it's one awesome product that's just becoming better.

The same goes for Prevx. I've got many FPs with it, and not surprisingly especially with the beta, so even if I'm running it with a license at least till it runs out and hoping that real "1 PC" support is there when it does so I can hesitate less on renewing it, I can't set the automatic removal feature to on even if it's there - and I personally like automatic operation - because of personal experience. Personal experience also makes me choose TF before it.

trjam
April 14th, 2009, 04:37 PM
F-Secure is a beauty if you treat her nice, Edge is a filly kicking her legs out to see what the world holds. And then, there is, Norman. ;D

PrevxHelp
April 14th, 2009, 04:53 PM
-{ Quote: "F-Secure is a beauty if you treat her nice, Edge is a filly kicking her legs out to see what the world holds. And then, there is, Norman. ;D" }-

I ran a "Quick Rootkit Scan" with FS2009 and it came up empty on "High" with the newest definitions. I'm running a full scan now but it looks like it may take a while - I'll report back once it's finished.

trjam
April 14th, 2009, 04:55 PM
thanks Joe. I would like to know from what I lead to know.

EraserHW
April 14th, 2009, 06:19 PM
After I had a look at them, none of the commercial antirootkits and few of the standalone free antirootkits are able to detect the rootkit once it is active in the system.

PrevxHelp
April 14th, 2009, 06:24 PM
My F-Secure 2009 scan has finished on a bare install of XP SP2 with the new MBR rootkit active and it was not detected with the newest definitions (updated directly before the scan on the High level of protection).

Jin K
April 14th, 2009, 06:29 PM
PrevxHelp, or if I can call you Joe ;D

Did you try Kaspersky 2009? On-demand & on-access

PrevxHelp
April 14th, 2009, 07:28 PM
-{ Quote: "PrevxHelp, or if I can call you Joe ;D

Did you try Kaspersky 2009? On-demand & on-access" }-

KIS 2009 misses it on-demand. A number of vendors have added this particular sample to detection on-access but the problem lies in detecting already infected computers :-\

lodore
April 14th, 2009, 07:47 PM
What about Dr.Web and SUPERAntiSpyware?
I'm sure other vendors will be able to detect it when active soon.
Last time Dr.Web was first, followed by KL and later on F-Secure.

PrevxHelp
April 14th, 2009, 07:50 PM
-{ Quote: "What about Dr.Web and SUPERAntiSpyware?
I'm sure other vendors will be able to detect it when active soon.
Last time Dr.Web was first, followed by KL and later on F-Secure." }-

I know Dr. Web is working on it, but AFAICT they don't yet. We've been sharing information with a number of other AV companies so I suspect others will be adding detection for it soon :)

Anth-Unit
April 14th, 2009, 08:24 PM
-{ Quote: "We do now, but to be completely honest - we didn't before ;D Sure, we blocked the dropper, but that's not difficult. The real challenge with this threat is finding it on an infected system (without forcing users to resort to a boot cd :))" }-

Is an update needed for detection? If so, which version detects it?

PrevxHelp
April 14th, 2009, 08:26 PM
-{ Quote: "Is an update needed for detection? If so, which version detects it?" }-

The current beta version detects it and we will be releasing it officially to all users by tomorrow morning. v3.0.1.47+ detect and clean the infection (released first on April 8th).

m00nbl00d
April 14th, 2009, 09:07 PM
-{ Quote: "That's correct. Once it's in, you'll need a standalone scanner to find it because the behaviors occur in hidden threads which aren't visible by "normal" HIPS methods." }-

Wouldn't AVG Identity Protection (based on SANA's product) be able to spot it? I believe it works differently from "normal" HIPS?

PrevxHelp
April 14th, 2009, 09:40 PM
-{ Quote: "Wouldn't AVG Identity Protection (based on SANA's product) be able to spot it? I believe it works different from "normal" HIPS?" }-

It's a completely different threat - the behavior which it has is built to just hide itself as thoroughly as possible within the system.

No current HIPS product can see what it's doing once the system is infected because the changes it makes are hidden via a new spin on old rootkit techniques.

However a HIPS which intercepts raw disk writes "may" be able to see the initial infection, but it highly depends on the HIPS.

Toby75
April 14th, 2009, 09:46 PM
-{ Quote: "
However a HIPS which intercepts raw disk writes "may" be able to see the initial infection, but it highly depends on the HIPS." }-

I wish I could test it with DriveSentry.

PrevxHelp
April 14th, 2009, 10:08 PM
-{ Quote: "I wish I could test it with DriveSentry." }-

Samples have been distributed on many research lists and to antivirus vendors. We're quite busy but I'll see if we can do any testing with DriveSentry :)

andyman35
April 14th, 2009, 10:18 PM
PrevX support. Are you working on a complete solution to prevent this type of threat (and similar) rather than individual variants? If so how's it going?

PrevxHelp
April 14th, 2009, 10:21 PM
-{ Quote: "PrevX support. Are you working on a complete solution to prevent this type of threat (and similar) rather than individual variants? If so how's it going?" }-

Yes, we have "Realtime MBR Rootkit Detection" which detects it generically in realtime and our detection/cleanup is not dependent on this variant at all.

Our previous detection routine for the older MBR rootkit also never changed since we released it > 1 year ago across the few hundred variants released for the MBR rootkit.

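The detection approach discussed in this post, the backup-and-restore idea mentioned earlier with MbrFix, and PrevxHelp's point that the MBR must be handled from outside the OS can be tied together in a small offline integrity check. The following is an added example, not code from the thread, from Prevx or from any tool named here; it assumes you kept a 512-byte copy of your MBR from a known-clean state and that the candidate MBR is read from a disk image or raw device while the suspect OS is not running. An MBR rootkit rewrites the boot code but leaves the partition table usable, so the two regions are compared separately.

```python
"""Offline MBR baseline comparison (added example; assumptions described in the lead-in)."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOT_CODE_END = 0x1B8        # boot code occupies bytes 0x000..0x1B7
DISK_SIG_OFFSET = 0x1B8      # 4-byte Windows disk signature + 2 reserved bytes
PART_TABLE_OFFSET = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE      # 0x55 0xAA
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


@dataclass
class Partition:
    bootable: bool
    ptype: int
    lba_start: int
    sectors: int


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four primary partition entries of a 512-byte MBR."""
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code region only, the part an MBR rootkit replaces."""
    return hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest()


def check_mbr(candidate: bytes, baseline: bytes) -> List[str]:
    """Compare a freshly read MBR with a known-clean copy; an empty list means no change."""
    findings: List[str] = []
    if len(candidate) != MBR_SIZE or len(baseline) != MBR_SIZE:
        return ["both MBR images must be exactly %d bytes" % MBR_SIZE]
    if candidate[BOOT_SIG_OFFSET:] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(candidate) != boot_code_hash(baseline):
        findings.append("boot code differs from baseline")
    if candidate[DISK_SIG_OFFSET:PART_TABLE_OFFSET] != baseline[DISK_SIG_OFFSET:PART_TABLE_OFFSET]:
        findings.append("disk signature differs from baseline")
    for i, (cur, base) in enumerate(zip(parse_partitions(candidate), parse_partitions(baseline))):
        if cur != base:
            findings.append("partition entry %d changed: %s -> %s" % (i, base, cur))
    return findings


def load_mbr(path: str) -> bytes:
    """Read sector 0 from a disk image or raw device; run this from boot media, not the suspect OS."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes, parts: List[Partition], disk_sig: int = 0x5A5A5A5A) -> bytes:
    """Construct a synthetic MBR for testing (constructed sample data, not a real disk)."""
    buf = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_END]
    buf[:len(code)] = code
    struct.pack_into("<IH", buf, DISK_SIG_OFFSET, disk_sig, 0)
    for i, p in enumerate(parts[:4]):
        struct.pack_into(PART_ENTRY_FMT, buf, PART_TABLE_OFFSET + 16 * i,
                         0x80 if p.bootable else 0x00, p.ptype, p.lba_start, p.sectors)
    buf[BOOT_SIG_OFFSET:] = b"\x55\xAA"
    return bytes(buf)


# Constructed sample data: placeholder boot code bytes and one NTFS-type (0x07) partition.
SYSTEM_PARTITION = [Partition(True, 0x07, 63, 2097152)]
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24   # stand-in, not real boot code
BASELINE_MBR = build_sample_mbr(CLEAN_BOOT_CODE, SYSTEM_PARTITION)
# Simulated rootkit-style change: boot code replaced, partition table left intact.
INFECTED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x00" * 30, SYSTEM_PARTITION)

if __name__ == "__main__":
    for name, mbr in (("baseline vs itself", BASELINE_MBR), ("rewritten boot code", INFECTED_MBR)):
        print(name, "->", check_mbr(mbr, BASELINE_MBR) or "no change")
```

Because the rootkit filters sector 0 access from inside the running system, a clean result from `load_mbr` on a live, infected machine proves nothing; the comparison is only meaningful when the candidate is read from boot media or a disk image.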
Toby75
April 14th, 2009, 10:24 PM
-{ Quote: "Samples have been distributed on many research lists and to antivirus vendors. We're quite busy but I'll see if we can do any testing with DriveSentry :)" }-

Thank You

Rmus
April 14th, 2009, 10:34 PM
-{ Quote: "So how does this thing get installed? I suppose the user has to install it themselves." }-

All known exploits are by remote code execution (drive-by download) triggered by code on web sites that exploit known vulnerabilities in IE and various applications, such as Adobe (PDF), Flash (SWF).

Mebroot - Advanced and Stealthy MBR based Rootkit
http://msmvps.com/blogs/harrywaldron/archive/2009/02/19/mebroot-advanced-and-stealthy-mbr-based-rootkit.aspx
-{ Quote: "
• The Mebroot gang has so far registered around 1000 com/net/biz domain names for their communication needs" }-

-{ Quote: "What is the best way to prevent a MBR Rootkit?

Thank you." }-

1) Configure Software Restriction Policies

2) Get any program that has execution prevention (blocks unauthorized executables from running)

Those sites I've found in Malware Lists have already been taken down, but here is a Mebroot exploit from 2008 using MS06-014 (MDAC) where the downloaded executable is copied to %User% as svchost.exe and attempts to execute and is blocked:

[screenshot attachment]


If I find a current live site, I'll test and post a screenshot.


----
rich

PrevxHelp
April 14th, 2009, 10:40 PM
For technical users this could work, but if a threat like Conficker was able to spread to millions of users via simplistic exploits and USB drives, it's very possible that another threat can spread similarly (as they have many many times in the past). Using an anti-executable program like this isn't really a fair way to say you're blocking a threat - it's as effective as turning a computer off as nothing should technically be able to get through but you'll get a popup every time a new program runs :)

However, a less "draconian" approach from a complete anti-executable solution would be to use a limited user account, which should be equally effective without the overly suspicious prompting.

andyman35
April 14th, 2009, 10:41 PM
-{ Quote: "Yes, we have "Realtime MBR Rootkit Detection" which detects it generically in realtime and our detection/cleanup is not dependent on this variant at all.

Our previous detection routine for the older MBR rootkit also never changed since we released it > 1 year ago across the few hundred variants released for the MBR rootkit." }-
That's good to see :thumb: Will these detection routines be incorporated into CSI?

Rmus
April 14th, 2009, 11:01 PM
-{ Quote: "For technical users this could work, but if a threat like Conficker was able to spread to millions of users via simplistic exploits and USB drives, it's very possible that another threat can spread similarly (as they have many many times in the past). Using an anti-executable program like this isn't really a fair way to say you're blocking a threat - it's as effective as turning a computer off as nothing should technically be able to get through but you'll get a popup every time a new program runs :)" }-

With all due respect, your comments show a lack of understanding about execution prevention (White Listing).

I would argue that it is the most effective way of blocking this type of threat (remote code execution).

There is no requirement that the user have technical knowledge. I've installed such protection in many home systems with no problems. Popups (alerts) come only when an executable attempts to run without permission. To install a program (executable) you grant permission, as in the case where the user grants Administrative privileges.

Conficker is a wonderful example. Anyone with execution prevention would have been protected from both of the two attack vectors:

1) RPC via Ports 139,445 to set up a shell to call out to the malicious server to download the DLL (unauthorized executable).

2) Autorun.inf which triggers rundll32.exe to load the DLL.


----
rich

PrevxHelp
April 14th, 2009, 11:10 PM
I agree that blocking all new executable code is very effective from a technical perspective, however, if a user receives a prompt every time they install a new piece of software, that requires user education to discern between a legitimate program and a malicious program and, with all due respect to users everywhere, whenever a user has to make a decision, they tend to decide wrong.

Ideally, security should be silent and not require any prompting but an anti-executable approach is the opposite, prompting on every new program.

Also (out of curiosity as I haven't actually used an anti-executable product), do they only focus on ".exe" executables or do they also prompt on every new individual module loaded as well? If the former, that introduces a major vulnerability as a threat doesn't have to enter as an executable itself but can easily enter from a dropped module.

lu_chin
April 14th, 2009, 11:19 PM
My personal effective and non-technical method is to always boot from a frozen snapshot and use a web browser within a software sandbox. Obviously, when buying things online I use a virtual credit card with one-time passwords generated by a key fob. I will "unfreeze" the OS snapshot only when I install software once in a long while. Just joking, but I do use Prevx Edge and it works pretty well so far. :)

TechOutsider
April 14th, 2009, 11:28 PM
-{ Quote: "two questions........
1.could something like sandboxie..returnil prevent it from infecting pc in first place?
2.once infected could something like rollback snapshot restore save one the pain of cleaning the mess?" }-

I know Returnil denies access to the MBR when active.

ambient_88
April 15th, 2009, 12:01 AM
-{ Quote: "I know Returnil denies access to the MBR when active." }-
According to some poster in the Returnil forum, this MBR Rootkit is able to bypass Returnil when it is active.

innerpeace
April 15th, 2009, 12:05 AM
-{ Quote: "All known exploits are by remote code execution (drive-by download) triggered by code on web sites that exploit known vulnerabilities in IE and various applications, such as Adobe (PDF), Flash (SWF)." }-
Thank you Rmus. Theoretically with Sandboxie I should be good to go. If I had a test machine I would give it a go but this is a serious bug. I'd like to see how Sandboxie's Start/Run Access (anti-exec.) and Drop Rights features hold up. Then again, my OS or an app. would have to be vulnerable.

Why do these articles not focus on prevention or methods of infection? :(

PrevxHelp
April 15th, 2009, 12:12 AM
-{ Quote: "
Why do these articles not focus on prevention or methods of infection? :(" }-

At this point the threat is relatively limited. The new MBR rootkit is only being spread from a handful of URLs as a simplistic drive-by download but we suspect it will be put inside another infection or placed behind a more powerful exploit.

Luckily it currently looks like the authors spent 95% of their effort on the engineering of the infection itself and 5% thinking about how to infect people which should give vendors a good heads up on detection/cleanup before it becomes a threat to a wider audience.

innerpeace
April 15th, 2009, 01:01 AM
-{ Quote: "At this point the threat is relatively limited. The new MBR rootkit is only being spread from a handful of URLs as a simplistic drive-by download but we suspect it will be put inside another infection or placed behind a more powerful exploit.

Luckily it currently looks like the authors spent 95% of their effort on the engineering of the infection itself and 5% thinking about how to infect people which should give vendors a good heads up on detection/cleanup before it becomes a threat to a wider audience." }-
Thanks for your reply. While I can appreciate an article's details of the inner workings of an infection, they are way over my head. What I can understand is how to keep it off my machine, but only if I know how it gets installed. If that requires a workaround or an update, that's a simple fix which most can do. Without details as to how it gets installed we are in the dark.

Anyways, good to hear it's a small threat for the time being. Please keep us updated if and when anything changes.

thathagat
April 15th, 2009, 02:53 AM
-{ Quote: "but only if I know how it gets installed" }-
I think... no, I assume... this way....
-{ Quote: " The new MBR rootkit is only being spread from a handful of URLs as a simplistic driveby download " }-
The problem: AVs can't detect it... but can something like a rollback to a clean snapshot save one's day?

Longboard
April 15th, 2009, 02:55 AM
-{ Quote: "I agree that blocking all new executable code is very effective from a technical perspective, however, if a user receives a prompt every time they install a new piece of software, that requires user education to discern between a legitimate program and a malicious program and, with all due respect to users everywhere, whenever a user has to make a decision, they tend to decide wrong.
Ideally, security should be silent and not require any prompting but an anti-executable approach is the opposite, prompting on every new program." }-

@PrevX Help & EraserHW:
Apologies to OP; slightly OT here:...

First a question:
That silent, all-knowing, all-caring utility will never exist, will it?
Even PX's 'in the cloud' db will not have zero-day protection.
Are you saying that PrevX would not have blocked installation of this mal, rather just detected it after it's installed?

Still running Px2 here and set up to block anything not approved for 'run' or 'connect' etc.
Does the new PrevX not have this capability easily visible (think I've asked this before?)
Am I in fact better off with execution blocking with PX2 rather than handing over all my trust to PX3?

Second: an observation(s):
-{ Quote: "security should be silent and not require any prompting but an anti-executable approach is the opposite, prompting on every new program." }-
That is a slight hyperbole: as noted the user only gets prompted with a new install.
FWIW, I have not really installed anything "new" for months (very boring here ;) aiming for productivity these days, and in fact stripping out lots of 'tools' I have never really used), ergo no popups, and in reality it is not a heavy burden. In fact I am reassured whenever I see the "do you want to or not" or "Blocked this executable" popups and will occasionally do a blind run for testing.

PX by default uses a type of whitelisting at the core, yes?
Fastest db out there, yes?
Easy to see the benefits of that.

Rmus
April 15th, 2009, 03:18 AM
-{ Quote: "Why do these articles not focus on prevention or methods of infection? :(" }-

Without that information, you are right: How do you know what you are protecting against? Ideally, analyses would give the reader that information right up front.

When the digital picture frame exploits began to surface, there was a lot of confusion about how the infection actually took place. Numerous articles made statements that all you had to do was connect the picture frame to your computer and you were automatically infected. I confess that at first I didn't realize that the frame is just a USB device, meaning that the triggering mechanism was the autorun.inf file.

Finally, it became apparent that the autorun.inf file triggered the running of an executable. Many people at that time used autorun, so were potentially vulnerable, unless other preventative measures against such a payload were in place, as was the case with those I helped at that time:


-{ Quote: "While I can appreciate an articles details of the inner workings of an infection, they are way over my head. What I can understand is how to keep it off my machine but only if I know how it gets installed. If that requires a workaround or an update, that's a simple fix which most can do. Without details as to how it gets installed we are in the dark." }-
You are right: This is the proper way to deal with exploits - how do they install.

The explanations do not have to be technical. The inner workings of an infection are relevant only to detection/removal. For example, with Mebroot: while the intricacies of infecting the MBR are certainly impressive, nonetheless they are irrelevant to the preventing of Mebroot from installing in the first place. It has to install before it can touch the MBR.

No security-minded people I know wait around for something to detect an exploit. They get the pertinent information about the attack methods and the payload and go from there.

All that is needed is for the analysis to have a brief description of how the exploit gets installed. It doesn't have to be overly technical. Preventative measures will then be discerned.

Let's look at some examples, beginning with the one I just mentioned.

Digital Frame Exploit

The only information that is needed is:

- the attack method uses autorun.inf
- the payload is a trojan executable

Prevention is obvious:

- disable autorun
- have protection against the payload: installation of unauthorized executable

Mebroot

The only information that is needed is:

- remote code execution attacks via web sites, vulnerabilities in IE, various applications.
- the payload is a trojan executable

Prevention is obvious:

- patches for the vulnerable applications you use
- have protection against the payload: installation of unauthorized executable

As has been suggested, another method of exploitation may surface. If that happens, hopefully the security vendors will explain so that other appropriate preventative measures, if necessary, can be put into place.

Conficker

The only information that is needed is:

- The attack method for conficker.A utilizes open Ports 139, 145
- later, conficker.B attacked via USB autorun

Besides the patch for MS08-067, the other preventative measures are obvious. By the way, some articles misled people into thinking that the patch protected against conficker.B via USB.

There is nothing I've listed that is overly technical. There is no reason why analyses of exploits cannot begin with a simple description of how the exploit attacks, followed by preventative measures, before delving into the intricacies of how the infection works once installed.

If it can't install, it can't infect (someone else thought of that line!)


----
rich

ruinebabine
April 15th, 2009, 04:38 AM
-{ Quote: "There is nothing I've listed that is overly technical. There is no reason why analyses of exploits cannot begin with a simple description of how the exploit attacks, followed by preventative measures, before delving into the intricacies of how the infection works once installed.

If it can't install, it can't infect (someone else thought of that line!)" }-
Thanks much Rich. I have archived many of your posts from this forum and they always make for a great educational read when PC threat prevention matters arise. Keep it rolling, your contribution is a big and essential asset for this community imho.

Joeythedude
April 15th, 2009, 05:51 AM
Hi

I've been reading about the malware here
http://www.trustdefender.com/blog/2009/04/04/new-mebrootsinowalmbrtorpig-variant-in-the-wild-virtually-undetected-and-more-dangerous-than-ever/

It seems that it did not create an executable ( *.exe file )?

In the latest version ( according to the link ) it seems to have created a process directly ?

Can anyone comment if this would be picked up by anti-virus software ?

Also the installation method of the first "beta" version was AFAIK via the creation of a *.tmp file in the windows temp folder.

Could/would an anti-executable type set-up have blocked these?

Sm3K3R
April 15th, 2009, 06:52 AM
-{ Quote: "Wouldnt BIOS option named BOOT VIRUS PROTECTION keep us safe against MBR rootkits?
Or its useless at this moment?" }-

Sorry for disturbing you with my noob question, will this BIOS option protect us against this MBR rootkit or not?

PrevxHelp
April 15th, 2009, 09:48 AM
-{ Quote: "
Are you saying that PrevX would not have blocked installation of this mal, rather, just detected it after it's installed ??

Still running Px2 here and setup to block anything not approved for 'run' or 'connect' etc.
Does the new PrevX not have this capability easily visible ( think I've asked this before ? )
Am I in fact better off with execution blocking with PX2 rather than handing over all my trust to PX3 ??
" }-

No, we have always blocked the installation of it - we just wouldn't have detected it if you installed us AFTER you got infected. We don't have the more granular information in Edge and because of the very low volume of requests for it, we currently are not integrating it.

As for your second observation: so you do not get a prompt on every update ???

If you aren't getting re-prompted for each update of every piece of software you have on your system, then you are extremely vulnerable as it is trusting everything by filename, rather than looking at unique hashes. An infection could just copy over an existing file using a script or something which isn't intercepted and then it would have free rein over your system. (Correct me if I'm wrong, of course :))

Our whitelisting is based on unique file hashes which is really the only safe way to do it - on every update, files need to be re-whitelisted as they have changed and need to be checked again to see if they are indeed still secure :)
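PrevxHelp's point above, trusting by filename versus by unique file hash, as an added example that is not code from this thread or from Prevx: a minimal allowlist in Python showing why a name-keyed list keeps trusting a binary after its bytes have been replaced, while a hash-keyed list forces re-approval both after an overwrite and after a legitimate update. The file names and contents are constructed stand-ins for binaries on disk.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed sample "binaries" (name -> bytes), stand-ins for files on disk.
SAMPLE_FILES: Dict[str, bytes] = {
    "updater.exe": b"MZ\x90\x00 original updater build 1",
    "notepad.exe": b"MZ\x90\x00 notepad build 5.1",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the allowlist key."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class NameAllowlist:
    """Trusts by filename only: once approved, any bytes under that name pass."""
    names: Set[str] = field(default_factory=set)

    def approve(self, name: str, data: bytes) -> None:
        self.names.add(name)

    def is_allowed(self, name: str, data: bytes) -> bool:
        return name in self.names


@dataclass
class HashAllowlist:
    """Trusts by content hash: any change to the bytes invalidates the approval."""
    hashes: Set[str] = field(default_factory=set)

    def approve(self, name: str, data: bytes) -> None:
        self.hashes.add(sha256_hex(data))

    def is_allowed(self, name: str, data: bytes) -> bool:
        return sha256_hex(data) in self.hashes


def overwrite(files: Dict[str, bytes], name: str, new_bytes: bytes) -> Dict[str, bytes]:
    """Copy of the file table with `name` replaced in place, keeping the trusted filename."""
    replaced = dict(files)
    replaced[name] = new_bytes
    return replaced


def run_scenario() -> Dict[str, bool]:
    by_name = NameAllowlist()
    by_hash = HashAllowlist()
    for name, data in SAMPLE_FILES.items():
        by_name.approve(name, data)
        by_hash.approve(name, data)

    # Case 1: new content is copied over an already-trusted filename.
    # The bytes below are a constructed placeholder, not a real payload.
    tampered = overwrite(SAMPLE_FILES, "updater.exe", b"MZ\x90\x00 replaced content")
    name_still_trusts = by_name.is_allowed("updater.exe", tampered["updater.exe"])
    hash_still_trusts = by_hash.is_allowed("updater.exe", tampered["updater.exe"])

    # Case 2: a legitimate update also changes the bytes, so a hash-keyed list
    # prompts again until the new build is explicitly approved.
    updated = overwrite(SAMPLE_FILES, "notepad.exe", b"MZ\x90\x00 notepad build 5.2")
    hash_before_reapproval = by_hash.is_allowed("notepad.exe", updated["notepad.exe"])
    by_hash.approve("notepad.exe", updated["notepad.exe"])
    hash_after_reapproval = by_hash.is_allowed("notepad.exe", updated["notepad.exe"])

    return {
        "name_list_trusts_overwritten_file": name_still_trusts,               # True: the weakness
        "hash_list_trusts_overwritten_file": hash_still_trusts,               # False: blocked/prompted
        "hash_list_trusts_update_before_reapproval": hash_before_reapproval,  # False: re-prompt
        "hash_list_trusts_update_after_reapproval": hash_after_reapproval,    # True: re-whitelisted
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The second case is the cost PrevxHelp describes: every update of every program changes the hash, so the prompt (or a fresh lookup against the vendor's database) is the price of not being fooled by the first case.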

Longboard
April 15th, 2009, 10:18 AM
-{ Quote: "We don't have the more granular information in Edge and because of the very low volume of requests for it, we currently are not integrating it." }-
;D I'll do what I can. Nice to be held in such regard. There are a couple of dinosaurs still here. ;D

I don't want this to become another 'PrevX thread', so I'll make this my last post as such:
-{ Quote: "so you do not get a prompt on every update" }-
;) depends.
I still regard that as "control" and as stated, do not regard it as a burden.
Don't have that much software that wants to update itself that often. ( lol exception: MS)
Don't get me wrong: I am full of admiration for what PrevX has done recently.
MG's blog about this MEB and variants was terrific and your response has been terrific. Lots of "admiration" around the web for the coders of the MEB. 8)
-{ Quote: "That silent all knowing all caring utility will never exist will it.
Even PX's 'in the cloud' db will not have zeroday protection. " }- Hhmm??

-{ Quote: "Our whitelisting is based on unique file hashes which is really the only safe way to do it - on every update, files need to be re-whitelisted as they have changed and need to be checked again to see if they are indeed still secure" }-
Taking the 'burden' out of the end user's experience. No issue there. But what about zeroday ?? What prompts does PrevX3 give for unknowns ?? Won't the user still install ??
However; as one of the expert members said to me about PX3: "stop your complaining:get over it: take it as is or get off the pot. "

Couple of interesting threads re MEB, easy reading for technodopes c'est moi:
http://forum.sysinternals.com/forum_posts.asp?TID=18626
http://forum.sysinternals.com/forum_posts.asp?TID=18486

PrevxHelp
April 15th, 2009, 10:25 AM
It depends on your definition of zero-day. If you use the maximum settings in Edge, you can block any program seen by less than x% of the Prevx population, effectively blocking any threat that would come through but this does generate extra prompting.

The levels below that all block other zero-day malware, but the definition of zero-day malware is very clouded now. In the past a "zero-day" threat was a wide spreading infection hitting a large number of users at the same time. Now it is just detecting the threat as soon as it comes out...

We add detection for literally thousands of brand new pieces of malware every day - all on the "zero-day".

If you're looking for zero-day protection as being 100% protection, we could never offer that, nor any other company besides your electricity company that can cut off your power :)

aigle
April 15th, 2009, 10:34 AM
Hmm.. so far detection on VT is by :

DrWeb( Trojan.Packed.2447), McAfee+Artemis( Generic!Artemis), F-Secure( Trojan:W32/Mebroot.gen!A), Prevx1 v2 (High Risk Worm), VirusBuster (Trojan.DR.Sinowal.Gen.11) and CAT-QuickHeal( Suspicious- DNAScan).

It is for the dropper but I did not try to execute it yet.

Can someone tell me how I can detect and possibly clean it after it is allowed to execute and infect a test system.

Thanks

Joeythedude
April 15th, 2009, 10:52 AM
Well this is a pretty good description of how this MBR is different from the norm ( quality wise ).

http://www.f-secure.com/weblog/archives/vb2008_kasslin_florio.pdf

I think the one in the wild now will be a little different.

I'd be very interested to see if a LUA will prevent it or maybe TF ?

It does create an exe and dll so I think they should be able to be picked up ?

( see also my earlier post with Q's on this ).

andyman35
April 15th, 2009, 11:19 AM
-{ Quote: "Hmm.. so far detection on VT is by :

DrWeb( Trojan.Packed.2447), McAfee+Artemis( Generic!Artemis), F-Secure( Trojan:W32/Mebroot.gen!A), Prevx1 v2 (High Risk Worm), VirusBuster (Trojan.DR.Sinowal.Gen.11) and CAT-QuickHeal( Suspicious- DNAScan).

It is for the dropper but I did not try to execute it yet.

Can someone tell me how I can detect and possibly clean it after it is allowed to execute and infect a test system.

Thanks" }-
The most reliable method to detect the presence of this would be to run a rootkit scanner such as rootkitty from a live cd and compare it with a scan from within Windows to find any discrepancies. Removal is simply a case of overwriting the MBR. UBCD4Win contains everything you need for the job.;)

PrevxHelp
April 15th, 2009, 11:26 AM
-{ Quote: "The most reliable method to detect the presence of this would be to run a rootkit scanner such as rootkitty from a live cd and compare it with a scan from within Windows to find any discrepancies. Removal is simply a case of overwriting the MBR. UBCD4Win contains everything you need for the job.;)" }-

That actually wouldn't be reliable as the rootkit doesn't hide any files, it just lives within the MBR - you would need to save the MBR from a boot CD and then boot into Windows and save the MBR and compare them.

andyman35
April 15th, 2009, 11:37 AM
-{ Quote: "That actually wouldn't be reliable as the rootkit doesn't hide any files, it just lives within the MBR - you would need to save the MBR from a boot CD and then boot into Windows and save the MBR and compare them." }-
Fair enough, it'd be even easier in that case.:thumb:

you can download Mbrfix from here:
http://www.sysint.no/Download/tabid/162/language/en-US/Default.aspx

Then run the plugin on PE and compare.

Does CSI detect this btw?

tgell
April 15th, 2009, 12:21 PM
The antirootkit for download from cmcinfosec posted by Meriadoc is detected as a rootkit by several av's at virustotal including avira and avast!. False Positive? Also to andyman35 what program do you use to compare the two MBR binary files?

PrevxHelp
April 15th, 2009, 12:31 PM
-{ Quote: "Fair enough, it'd be even easier in that case.:thumb:

you can download Mbrfix from here:
http://www.sysint.no/Download/tabid/162/language/en-US/Default.aspx

Then run the plugin on PE and compare.

Does CSI detect this btw?" }-

Yes, all Prevx software detects/cleans/blocks this MBR rootkit and all variants :)

andyman35
April 15th, 2009, 12:36 PM
-{ Quote: "Yes, all Prevx software detects/cleans/blocks this MBR rootkit and all variants :)" }-
I just read it does,good news.:thumb:

raven211
April 15th, 2009, 12:45 PM
-{ Quote: "Yes, all Prevx software detects/cleans/blocks this MBR rootkit and all variants :)" }-

When will the free tool that some guys are speaking of be available - that's, the removal tool for this malware specifically?

andyman35
April 15th, 2009, 12:50 PM
-{ Quote: "The antirootkit for download from cmcinfosec posted by Meriadoc is detected as a rootkit by several av's at virustotal including avira and avast!. False Positive? Also to andyman35 what program do you use to compare the two MBR binary files?" }-
I use a hex editor XVI32

PrevxHelp
April 15th, 2009, 12:55 PM
-{ Quote: "When will the free tool that some guys are speaking of be available - that's, the removal tool for this malware specifically?" }-

We aren't making a standalone tool because that could lead users into a false sense of security so we've built it into the default scan of Prevx 3.0 which you can download from http://www.prevx.com/freescan.asp

raven211
April 15th, 2009, 01:01 PM
Ah, now I remember that you said that - that that scan would remove the infection for free. Thx for the info.! :)

tgell
April 15th, 2009, 01:06 PM
Thanks andyman. I did some searching and came across a freeware program that can compare 2 binary files side by side and shows the differences in color. But, it does not do any hex editing.

http://www.aptedit.com/aptdiff.htm

PrevxHelp
April 15th, 2009, 01:09 PM
-{ Quote: "Thanks andyman. I did some searching and came across a freeware program that can compare 2 binary files side by side and shows the differences in color. But, it does not do any hex editing.

http://www.aptedit.com/aptdiff.htm" }-

You can also take the easy route and use the "fc" program which comes with Windows :)

fc /b c:\file1.bin c:\file2.bin

will produce a listing of each byte which is different on any OS by default :)

tgell
April 15th, 2009, 01:14 PM
Thanks for the tip Prevx. I will do that instead.

PROROOTECT
April 15th, 2009, 01:17 PM
Today, April 15th, 2009: GMER Update: to detect and remove latest variant of rootkit please use mbr.exe v0.3.1: http://www2.gmer.net/mbr/ - link at the bottom of the page.

Thanks, PROROOTECT:thumb:

andyman35
April 15th, 2009, 01:17 PM
-{ Quote: "Thanks andyman. I did some searching and came across a freeware program that can compare 2 binary files side by side and shows the differences in color. But, it does not do any hex editing.

http://www.aptedit.com/aptdiff.htm" }-
Looks interesting i'll have a play with that.:thumb:

PrevxHelp
April 15th, 2009, 01:35 PM
-{ Quote: "Today, April 15th, 2009: GMER Update: to detect and remove latest variant of rootkit please use mbr.exe v0.3.1: http://www2.gmer.net/mbr/ - link at the bottom of the page.

Thanks, PROROOTECT:thumb:" }-

We've tested it and GMER does indeed detect/clean this variant of the rootkit :) It is a bit specific to this variant, but it works well :thumb:

PROROOTECT
April 15th, 2009, 05:42 PM
I greatly appreciate your generosity of spirit, which is not partisan, but professional.

Congrats, PrevxHelp!:thumb:


Respectfully, PROROOTECT

Triple Helix
April 15th, 2009, 07:11 PM
-{ Quote: "I greatly appreciate your generosity of spirit, which is not partisan, but professional.

Congrats, PrevxHelp!:thumb:


Respectfully, PROROOTECT" }-

I agree Joe is a great professional!:thumb:

TH

andyman35
April 15th, 2009, 07:23 PM
-{ Quote: "I agree Joe is a great professional!:thumb:

TH" }-
Yes and always very informative and interesting to read.:thumb:

aigle
April 15th, 2009, 08:09 PM
Tried it with CFP Defence Plus. Can intercept its install. GesWall also stopped it.


EASTER
April 15th, 2009, 08:10 PM
GREAT TOPIC and answers without equal.

So if I understand it right, another alternative in like manner of a system image taken for restoring purposes later should the need arise, would also be to use any app designed to safely COPY your entire MBR and PARTITION TABLE (because they will likely fudge that up too) to any external media, and if by chance the apps mentioned failed for whatever reason which isn't likely we hope, it's but a simple matter of restoring BOTH of those critical boot components either over the malicious boot rootkit or even clean or wipe those sectors and replace with the saved copies made to fully restore functionality once again.

Does this seem sound alternative advice in your opinions as another method?

EASTER

PrevxHelp
April 15th, 2009, 08:15 PM
-{ Quote: "GREAT TOPIC and answers without equal.

So if I understand it right, another alternative in like manner of a system image taken for restoring purposes later should the need arise, would also be to use any app designed to COPY the entire MBR and PARTITION TABLE (because they will likely fudge that up too) to any external media, and if by chance the apps mentioned failed for whatever reason which isn't likely we hope, it's but a simple matter of restoring BOTH of those critical boot components either over the malicious boot rootkit or even clean or wipe those sectors and replace with the saved copies made to fully restore functionality once again.

Does this seem sound alternative advice in your opinions as another method?

EASTER" }-

If you have a clean image or a boot CD, removal is straightforward by "fixmbr" or "fdisk /mbr" or any other method to write a clean MBR to the drive, and you should be able to boot cleanly directly after without needing to modify any other data (however, a majority of users don't have those "luxuries" :().

The primary rootkit loader infects and secures the first 512 bytes of the harddisk so if you can either replace those or take an image which doesn't include those bytes, you should be safe :)

From what I've seen, the partition table remains untouched and I suspect it will stay that way as the rootkit tries to remain as compatible as possible by modifying as little as possible.
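PrevxHelp's earlier suggestions, saving the MBR from a boot CD and again from inside Windows and comparing the two copies, using `fc /b` for the byte comparison, and the note just above that the loader lives in the first 512 bytes of the disk, as one added example that is not code from this thread or from Prevx. The Python below builds two constructed 512-byte sector images (the "modified" one has eight placeholder bytes overwritten in the boot-code region and carries no real code of any kind), lists the differing offsets the way `fc /b` would, says which region of the sector they fall in, and parses the partition table so you can confirm it is untouched before rewriting the sector with fixmbr or similar. `read_mbr` reads a real first sector from a device path such as `\\.\PhysicalDrive0` and needs administrator or root rights; the demo never calls it.

```python
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
PART_TABLE_OFFSET = 446   # 4 x 16-byte partition entries start here
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510    # 2-byte boot signature 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def read_mbr(device_path: str) -> bytes:
    r"""Read the first sector of a raw device, e.g. \\.\PhysicalDrive0 on Windows
    or /dev/sda on Linux. Needs administrator/root rights. Not used by the demo."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr(boot_code_pattern: bytes) -> bytes:
    """Constructed 512-byte sector image for the demo (not a real boot sector):
    446 bytes of boot code filled with a repeating pattern, one active partition
    entry (type 0x07, LBA start 63, 2,000,000 sectors), three empty entries, signature."""
    repeats = PART_TABLE_OFFSET // len(boot_code_pattern) + 1
    boot_code = (boot_code_pattern * repeats)[:PART_TABLE_OFFSET]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    empty = b"\x00" * PART_ENTRY_SIZE
    return boot_code + entry + empty * 3 + BOOT_SIGNATURE


# Constructed sample dumps. TAMPERED_MBR has eight placeholder bytes overwritten
# in the boot-code region (offsets 256..263); it is filler, not rootkit code.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = CLEAN_MBR[:256] + b"\xff" * 8 + CLEAN_MBR[264:]


def parse_mbr(mbr: bytes) -> Dict:
    """Split a sector into boot code, in-use partition entries and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_SIZE])
        if ptype != 0:   # type 0x00 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": mbr[:PART_TABLE_OFFSET],
            "partitions": partitions,
            "signature_ok": mbr[SIGNATURE_OFFSET:] == BOOT_SIGNATURE}


def diff_bytes(a: bytes, b: bytes) -> List[Tuple[int, int, int]]:
    """Byte-by-byte comparison in the spirit of `fc /b`: (offset, byte in a, byte in b)."""
    if len(a) != len(b):
        raise ValueError("dumps must be the same length")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def region_of(offset: int) -> str:
    if offset < PART_TABLE_OFFSET:
        return "boot code"
    if offset < SIGNATURE_OFFSET:
        return "partition table"
    return "signature"


def compare_mbr_dumps(offline: bytes, online: bytes) -> Dict:
    """offline: sector saved from a boot CD (reads the disk directly).
    online: sector saved from inside the running Windows.
    Any difference means one view of the sector is not the truth; a rootkit that
    filters disk reads makes the online copy look like the original."""
    diffs = diff_bytes(offline, online)
    table = slice(PART_TABLE_OFFSET, SIGNATURE_OFFSET)
    return {
        "identical": not diffs,
        "diff_count": len(diffs),
        "regions": sorted({region_of(o) for o, _, _ in diffs}),
        "partition_table_identical": offline[table] == online[table],
        "offline_signature_ok": parse_mbr(offline)["signature_ok"],
        "online_signature_ok": parse_mbr(online)["signature_ok"],
    }


if __name__ == "__main__":
    print(compare_mbr_dumps(CLEAN_MBR, TAMPERED_MBR))
    for offset, x, y in diff_bytes(CLEAN_MBR, TAMPERED_MBR):
        print(f"{offset:08X}: {x:02X} {y:02X}   ({region_of(offset)})")
    print(parse_mbr(CLEAN_MBR)["partitions"])
```

If the two dumps differ, treat the disk as tampered regardless of which copy looks "normal"; the useful extra check is whether the differences stay inside the boot-code region, which is what PrevxHelp reports for this variant, because a partition table that is still identical means a clean sector can be written back without touching the rest of the drive.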

EASTER
April 15th, 2009, 08:58 PM
Thanks PrevxHelp

I always depended on ERD Commander which most folks never heard of, let alone what it can do by loading your system into its artificial environment, then free to browse the entire gamut of files and such and pull away stubborn infections as well as those insidious Root\Legacy entries in the registry that, more or less due to permissions, LOCK their supporting files and system drivers as well as concealing them. BTW, RegistryCrawler is one of my best investments ever. If a registry item such as ENUM\ROOT\Legacy Keys doesn't delete, it JUMPS at once to the registry line locked and saves a lot of time by changing permissions then deleting the foul flypaper entry and its history.

The straightforward approach you mention is by far the easiest and quickest way I must agree, but the normal user, knowing not what in the world has happened to them, is left gasping in panic should such a MBR rootkit attach untouched and whatever else it might have been designed to do to a system.

But your approach for those like us should be a piece of cake.

EASTER

Toby75
April 15th, 2009, 10:13 PM
Before I test DriveSentry...will a system restore undo this infection?

TheKid7
April 15th, 2009, 10:20 PM
Will Sandboxie prevent this MBR Rootkit from installing?

I currently rely heavily on Sandboxie to protect me. I am thinking about adding another layer of defense, if necessary.

Thank you.

PrevxHelp
April 15th, 2009, 10:23 PM
-{ Quote: "Will Sandboxie prevent this MBR Rootkit from installing?

I currently rely heavily on Sandboxie to protect me. I am thinking about adding another layer of defense, if necessary.

Thank you." }-

Yes, as long as the file is run completely within the sandbox, Sandboxie does block it from installing by preventing it from accessing the disk directly :)

Toby75
April 15th, 2009, 10:27 PM
-{ Quote: "Before I test DriveSentry...will a system restore undo this infection?" }-

Anyone? I'm waiting to test DS ;D

Toby75
April 15th, 2009, 11:09 PM
DriveSentry intercepts installation.

innerpeace
April 16th, 2009, 12:21 AM
-{ Quote: "DriveSentry intercepts installation." }-
Did you seriously run this infection with the hopes of system restore fixing everything? I'm no expert but system restore is limited in what it can fix/undo. At a minimum you want a good clean image to restore.

I do hope you know more than you're letting on. Usually when people test malware such as this it's on a test machine and/or within a virtual machine. I have Returnil and I'm not touching this malware because it's my only machine.

Anyways, good to hear DS was able to block the installation :thumb:. DS should give you a free license for your faith in them ;D.

Toby75
April 16th, 2009, 12:34 AM
-{ Quote: "Did you seriously run this infection with the hopes of system restore fixing everything? I'm no expert but system restore is limited in what it can fix/undo. At a minimum you want a good clean image to restore.

I do hope you know more than you're letting on. Usually when people test malware such as this it's on a test machine and/or within a virtual machine. I have Returnil and I'm not touching this malware because it's my only machine.

Anyways, good to hear DS was able to block the installation :thumb:. DS should give you a free license for your faith in them ;D." }-

Yeah, I'm using a test machine. A $400 acer special dedicated to testing malware. I do have a backup image but I hate using it because the image is from way back when...I'd have to install all my current security software all over again. I need to make another image...just takes too damn long on a 250 gig drive....maybe this weekend though.

EASTER
April 16th, 2009, 12:34 AM
I'm tonight on a strictly test machine so all bets are off. Not only that but as much as I don't prefer XP3 it's going on tonight too.

I got to give this piece of junk a run inside if it can do it, I have the tools to pull it off if needed.

I rarely go all out like this unless I throw caution to the wind, and this is one of them that I'm going to find out what it's made of.

Wish me luck. Bunk I say to VMware fearful. LoL Take it to the raw metal and then observe.

EASTER

innerpeace
April 16th, 2009, 12:42 AM
-{ Quote: "Yeah, I'm using a test machine. A $400 acer special dedicated to testing malware. I do have a backup image but I hate using it because the image is from way back when...I'd have to install all my current security software all over again. I need to make another image...just takes too damn long on a 250 gig drive....maybe this weekend though." }-
Good to hear! You had me a bit worried for a minute LOL. I hope to get a used computer someday to play around with.

EASTER,

Have fun and good luck. If you can, get a few pics if your running security software.

FWIW, SP3 isn't that bad. I've been using it since I built this rig a year ago.

EASTER
April 16th, 2009, 12:48 AM
Thanks as always greets innerpeace!

I don't see why some programmer, if that's what it takes, can't build a ring around the MBR to repel and alert to anything trying to change its code.

PrevxHelp
April 16th, 2009, 12:52 AM
-{ Quote: "Thanks as always greets innerpeace!

I don't see why some programmer, if that's what it takes, can't build a ring around the MBR to repel and alert to anything trying to change its code." }-

That's what we have in Prevx 3.0 - realtime MBR monitoring, as well as on-demand scanning/cleaning which will work if you're installing Prevx 3.0 after you've been infected. (The realtime piece helps if the rootkit gets past every other line of defense, allowing you to be warned and clean up the infection immediately).

innerpeace
April 16th, 2009, 01:24 AM
-{ Quote: "Wouldnt BIOS option named BOOT VIRUS PROTECTION keep us safe against MBR rootkits?
Or its useless at this moment?" }-
My BIOS has what is called "Boot Sector Protection" but the manual says it's for protecting the BIOS from viruses (ie unauthorized flashing). Have a look in your manual and see what it states.

Einsturzende
April 16th, 2009, 02:34 AM
What is a problem here? every decent HIPS can stop this infection, even Outpost can stop it since they incorporate direct disk access protection in newer builds, even KIS without signature can stop it on Vista...
(see screeny)



P.S. Threads with this type of infection and testing were here a couple of times before (e.g. killdisk malware) and I don't see any reason for this thread except for prevx promotion which (BTW.) still acts as rogue antimalware in trialing mode and does not do its job of preventing infection...

EraserHW
April 16th, 2009, 03:34 AM
-{ Quote: " I don't see any reason for this thread except for prevx promotion which (BTW.) still acts as rogue antimalware in trialing mode and do not do its job of preventing from infection..." }-

Oh God :)

When last year everyone alerted about MBR Rootkit, everyone was right (and we have been among the first). Now that we alerted about this new variant, this is only promotion ::)

BTW: MBR rootkit cleanup is free for all

I won't comment on the last sentence, because it's evident you don't know how Prevx works :)

Einsturzende
April 16th, 2009, 04:06 AM
-{ Quote: "Oh God :)

When last year everyone alerted about MBR Rootkit, everyone was right (and we have been among firsts). Now that we alerted about this new variant, this is only promotion ::)

BTW: MBR rootkit cleanup is free for all

I won't comment the last sentence, because it's evident you don't know how does Prevx work :)" }-

Comodo for instance has had direct disk access protection since they introduced v3 and this technique has been known for a long time; also with any sandbox you simply can't infect your system, and I know how prevx works and it acts as rogue soft. There is one thing which differentiates you from "real" rogue: you have an uninstallation procedure, which is very good. The number of FPs is about the same and no realtime protection in trialing mode is the same as in rogue AM...

Saraceno
April 16th, 2009, 04:07 AM
It's good seeing people test their security programs against this variation.

Maybe someone can test Shadow Defender? Would be interested to find out if a reboot removes the infection.

But regarding once it is already installed, I think what Joe from Prevx was saying earlier, was that products may detect/block it, but not many (or any at the moment) will clean the infection once it is installed.

About promoting your product, I think it's a good thing, whether for Avira, Panda, Dr.Web, Prevx, and all the rest, if a program is making progress against difficult malware, I'd like to be aware of it, otherwise I won't know. :-)

Einsturzende
April 16th, 2009, 04:15 AM
-{ Quote: "It's good seeing people test their security programs against this variation.

Maybe someone can test Shadow Defender? Would be interested to find out if a reboot removes the infection.

But regarding once it is already installed, I think what Joe from Prevx was saying earlier, was that products may detect it, but not many (or any at the moment) will clean the infection once it is installed.

About promoting your product, I think it's a good thing, whether for Avira, Panda, Dr.Web, Prevx, and all the rest, if a program is making progress against difficult malware, I'd like to be aware of it, otherwise I won't know. :-)" }-

Imagine you infected your system at the time and you were running prevx in trial mode, how long could you wait till purchasing a license?

GES/POR
April 16th, 2009, 04:23 AM
-{ Quote: "Imagine you infected your system at the time and you running prevx in trial mode, how much you could wait till purchase license?" }-

You could use dedicated free malware removal tools at that time such as SAS, MBAM and DWCt and be happy for the free realtime detection/headsup PX3 provided you.

Some behaviours from PX which differ from rogue apps: 1 False positives are unintentional 2 Real malware detection present 3 Constant program updates 4 Splendid support

Einsturzende
April 16th, 2009, 04:37 AM
-{ Quote: "You could use dedicated free malware removal tools at that time such as SAS, MBAM and DWCt and be happy for the free realtime detection/headsup PX3 provided you.
" }-
what if the infection is stealing your bank account, what then?

-{ Quote: "Some behaviours from PX wich differs from rogue apps: 1 False positives are unintentional 2 Real malware detection present 3 Constant program updates 4 Splendid support" }-
So you have an infection detected by prevx and after you purchase your license, at last you find out it is one of many, many FPs. I doubt the number of FPs is unintentional, it is here also to allure new customers...

EraserHW
April 16th, 2009, 04:51 AM
-{ Quote: "Comodo for instance have direct disk access protection since they introduced v3 and this technique is known for long time also with any sandbox you simply cant infect your system, and I know how prevx work and it act as rogue soft, there is one thing which difference you from "real" rogue, you have uninstallation procedure, which is very good, number of FPs is about same and not realtime protection in trialing mode is the same as in rogue AM..." }-

If you are able to understand and use a sandbox or you're able to rightly answer Comodo's questions, I feel happy for you and you're a level above average users.

My mother, lots of people working in offices, and I could quote many more people, do not even know what "malware" means and they often do not want to know it. They just want something that is able to protect them while they are working, without any kind of trouble.

False positives are a problem for every security software, and they are more of a problem for those who really use advanced heuristic technology. Luckily enough, most of our customers are happy and they do not have any kind of trouble with false positives. Moreover, if you had tried it, you would have seen that our technical support is quite fast in fixing false positives if you report them. We take care of every false positive reported and we try to fix it as soon as we can.

A customer support which replies to your questions, a technical support that cleans your PC by remote if Prevx has not been able to clean an infection, and much more. I don't think "rogue app" is the best definition for us.

Whatever, I can't forcedly change your mind, so just think what you want :)

Saraceno
April 16th, 2009, 04:53 AM
As much as I'd like things to be, not every program is free. ;)

Without taking this off topic, Prevx is a smaller company, not as well known as the Norton's and Kaspersky's of the world (Kaspersky, which I think is A+), so they might not be able to provide a trial as their program works on checking files with their server/database, as opposed to an AV which pushes out a small definition. So prevx, I can see, could be abused by users installing for free.

But on the other hand, sometimes it's the larger companies which offer restrictions. I know the Kaspersky AVP tool exists, but on the Kaspersky website, their online scanner is detect only - finds infections but won't remove them. Whereas Emsisoft (a-squared) and ESET, provide detection and removal with their online scanners - allowing users to completely clean their systems.

Just the way things go. Anyway, disregard my post, back on topic! :P

Newby
April 16th, 2009, 05:00 AM
-{ Quote: " . . . and much more. I don't think "rogue app" is the best definition for us.

Whatever, I can't forcedly change your mind, so just think what you want :)" }-

Respect

You surely must be passionate about your product. What a nuanced reply on an awkward "rogue app" definition.

Newby

Einsturzende
April 16th, 2009, 05:01 AM
-{ Quote: "As much as I'd like things to be, not every program is free. ;)

Without taking this off topic, Prevx is a smaller company, not as well known as the Nortons and Kasperskys of the world (Kaspersky, which I think is A+), so they might not be able to provide a trial as their program works on checking files with their server/database, as opposed to an AV which pushes out a small definition. So Prevx, I can see, could be abused by users installing for free.

But on the other hand, sometimes it's the larger companies which offer restrictions. I know the Kaspersky AVP tool exists, but on the Kaspersky website, their online scanner is detect only - finds infections but won't remove them. Whereas Emsisoft and ESET provide detection and removal with their online scanners - allowing users to completely clean their systems.

Just the way things go. Anyway, disregard my post, back on topic! :P" }-
With their policy they will always stay a small company; every but every (ok almost, not sure 100%) security company has a 30 or less/more dayz free, fully functional trial... they haven't, like every but every (ok almost, not sure 100%) rogue soft.

For their cleaning response time, it is necessary for them to have a fast one (which is not the case on this occasion); if not, their whole concept of unlimited trial/no real-time blocking in trialing mode goes down the drain.

GES/POR
April 16th, 2009, 05:01 AM
-{ Quote: "what if infection stealing your bank account, what then?" }-

First off, how are they going to do that? Secondly, let them; the chance it will happen is as large as someone stealing my house - both aren't my property anyway. Do you really think my name and bank account number are going to do anyone any good?

-{ Quote: "So you have infection detected by prevx and after you purchase your license, to at last you found out it is one of many, many fp, I doubt number of FP are unintentional, it is here also to allure new customers..." }-

I think you're more paranoid than you should be + buying a license is voluntary and I hardly imagine lots of non-security folks have ever even heard of Prevx.

Here's what I think is Px's main userbase: Wilders Security folks + friends/family/colleagues/companies, Px's staff + friends/family and IT companies.

I really don't see average Joe or Anita with a Cita going oh man, Px CIPS, I really gotta have that with their patented in-the-cloud tech 'n' all.

gates
April 16th, 2009, 05:02 AM
-{ Quote: "About promoting your product, I think it's a good thing, whether for Avira, Panda, Dr.Web, Prevx, and all the rest, if a program is making progress against difficult malware, I'd like to be aware of it, otherwise I won't know. :-)" }-

Couldn't agree more with this one. If company X is good at something, it has all the rights to be proud of its work.

The main thing is: if a company can avoid thousands of infected computers with its promotion, then it is more than welcome. Remember, the "promotion" which prevx has been doing has already saved many computer users, and we are not talking only prevx users...

Someone always takes credit; if company A doesn't want it, company B sure does...

Einsturzende
April 16th, 2009, 05:20 AM
-{ Quote: "

First off, how are they going to do that? Secondly, let them; the chance it will happen is as large as someone stealing my house - both aren't my property anyway. Do you really think my name and bank account number are going to do anyone any good?

I think you're more paranoid than you should be + buying a license is voluntary and I hardly imagine lots of non-security folks have ever even heard of Prevx.

Here's what I think is Px's main userbase: Wilders Security folks + friends/family/colleagues/companies, Px's staff + friends/family and IT companies.

I really don't see average Joe or Anita with a Cita going oh man, Px CIPS, I really gotta have that with their patented in-the-cloud tech 'n' all." }-

Even more prosaic: you could lose your WoW account or your entire My Documents folder could be encrypted; there are many more. Did I mention KillDisk, where you could lose your entire Windows installation ::) while using Prevx in trialing mode...
And yes, almost everything is voluntary... nobody forced you to download a rogue AV or anything

Saraceno
April 16th, 2009, 05:26 AM
I've mentioned it previously, as prevx keeps upgrading and updating their versions, maybe a seven-day trial might be on the horizon, where the program then reverts after seven days to detect only.

Or that might never be on the agenda.

Whatever the outcome, eraser and prevxhelp know their stuff. Even if I didn't like their product, I'd still learn a thing or two, by reading their explanations and feedback. Makes for a better forum, having them, Ilya, Stefan, Inspector Clouseau etc.

Einsturzende
April 16th, 2009, 05:55 AM
-{ Quote: "I've mentioned it previously, as prevx keeps upgrading and updating their versions, maybe a seven-day trial might be on the horizon, where the program then reverts after seven days to detect only.

Or that might never be on the agenda.

Whatever the outcome, eraser and prevxhelp know their stuff. Even if I didn't like their product, I'd still learn a thing or two, by reading their explanations and feedback. Makes for a better forum, having them, Ilya, Stefan, Inspector Clouseau etc." }-
If they wanted to, they could have done it many times before; they already sent me a 7 dayz trial license... So more pressure is the only thing (I think) they can understand...
Hey, why doesn't anybody else have our license policy? We will not give even a pinch of our technology for free, even if our potential customers need to suffer from heavy infections; we are a small company ::)

chaos
April 16th, 2009, 05:55 AM
-{ Quote: "Even more prosaic: you could lose your WoW account or your entire My Documents folder could be encrypted; there are many more. Did I mention KillDisk, where you could lose your entire Windows installation ::) while using Prevx in trialing mode...
And yes, almost everything is voluntary... nobody forced you to download a rogue AV or anything" }-
Prevx is NOT a rogue AV or rogue antimalware solution just because it doesn't provide free cleaning services.
A rogue AV ON PURPOSE produces false messages and bullies users into buying their software that does nothing and may in fact actually infect a pc.
It's just their policy to offer free detection but not free removal.
If you don't want it, don't use it and go trial another software. But calling prevx rogue is utterly stupid to say the least.

trjam
April 16th, 2009, 06:16 AM
-{ Quote: "

First off, how are they going to do that? Secondly, let them; the chance it will happen is as large as someone stealing my house - both aren't my property anyway. Do you really think my name and bank account number are going to do anyone any good?

I think you're more paranoid than you should be + buying a license is voluntary and I hardly imagine lots of non-security folks have ever even heard of Prevx.

Here's what I think is Px's main userbase: Wilders Security folks + friends/family/colleagues/companies, Px's staff + friends/family and IT companies.

I really don't see average Joe or Anita with a Cita going oh man, Px CIPS, I really gotta have that with their patented in-the-cloud tech 'n' all." }-

I disagree. I think it is exactly what Joe and Anita will want. Simplicity. Compared to most who don't even know how to check if their AV is updated, this is exactly what will sell. Box it and put it on the shelves of your local electronics store, and it will sell.

Saraceno
April 16th, 2009, 06:18 AM
Anyway, without steering this ship into an iceberg, if prevx decide to offer a detection/cleanup trial again, I think it would actually be more in their favor (displaying its effectiveness in cleaning up infections).

If this was offered (and I have zero say in this), maybe users sign up for a trial license through an email system, like avast! has, to prevent abuse. There are a lot of freeloaders out there that want a free program and A+ support for $0, and that's unfair.

If people are really keen on the product, the least they can do is go to the effort of providing a few details (email, describe 'what problems they've experienced', 'what they hope prevx will do' - gives prevx valuable market research information).

Ok, back to topic, 'full steam ahead captain!'. ;)

Saraceno
April 16th, 2009, 06:20 AM
-{ Quote: "

I disagree. I think it is exactly what Joe and Anita will want. Simplicity. Compared to most who don't even know how to check if their AV is updated, this is exactly what will sell. Box it and put it on the shelves of your local electronics store, and it will sell." }-

Yeah it would sell. Light, efficient, so simple to use (big red block button).

EraserHW
April 16th, 2009, 06:24 AM
-{ Quote: "
I disagree. I think it is exactly what Joe and Anita will want. Simplicity. Compared to most who don't even know how to check if their AV is updated, this is exactly what will sell. Box it and put it on the shelves of your local electronics store, and it will sell." }-

Exactly what I was trying to explain before :)

Saraceno
April 16th, 2009, 06:37 AM
By the way, apologies for the quote tag not working. That quote eraser and I are referring to is yours trjam.

Einsturzende
April 16th, 2009, 06:45 AM
-{ Quote: "

Exactly what I was trying to explain before :)" }-

Comodo, for instance, has exactly the same as you have, red alerts for blocking, and it is free (the difference is: probably "mbr infector" - Prevx, or "direct disk access" - Comodo); it will actually block and there is no trial, so why would anybody helplessly watch their PC get infected?

EraserHW
April 16th, 2009, 06:45 AM
-{ Quote: "By the way, apologies for the quote tag not working. That quote eraser and I are referring to is yours trjam." }-

Edited my post ;D Thank you for the notification :)

Baz_kasp
April 16th, 2009, 06:47 AM
-{ Quote: "Prevx is NOT a rogue AV or rogue antimalware solution just because it doesn't provide free cleaning services.
A rogue AV ON PURPOSE produces false messages and bullies users into buying their software that does nothing and may in fact actually infect a pc.
It's just their policy to offer free detection but not free removal.
If you don't want it, don't use it and go trial another software. But calling prevx rogue is utterly stupid to say the least." }-

You and I know that prevx is not rogue....but how is a person bitten by AV360-esque rogues supposed to distinguish?

Both display warnings of some kind of infection on the computer and both want payment for removal (not in the case of this mbr thing, but generally). In the user's eyes that is completely the same, no?

I'm not trying to crap on prevx but I am just thinking from a newbie perspective.

Einsturzende
April 16th, 2009, 06:49 AM
-{ Quote: "Prevx is NOT a rogue AV or rogue antimalware solution just because it doesnt provide free cleaning services.
" }-
No, it is rogue because it does not provide a free blocking service or a free cleaning service during the trial time, and with many FPs it tries to lure uzers into purchasing; cumulatively it is rogue behavior...
Not to mention there is no clearly visible warning that this software must be uzed with another real-time antimalware software while in trial time, because of our silly licensing or whatever policy...

m00nbl00d
April 16th, 2009, 07:28 AM
-{ Quote: "
I think you're more paranoid than you should be + buying a license is voluntary and I hardly imagine lots of non-security folks have ever even heard of Prevx.

Here's what I think is Px's main userbase: Wilders Security folks + friends/family/colleagues/companies, Px's staff + friends/family and IT companies.

I really don't see average Joe or Anita with a Cita going oh man, Px CIPS, I really gotta have that with their patented in-the-cloud tech 'n' all." }-

You're contradicting yourself here. On one hand, you say that "I hardly imagine lots of non-security folks have ever even heard of Prevx." On the other hand, you say "Here's what I think is Px's main userbase: Wilders Security folks + friends/family/colleagues/companies, Px's staff + friends/family and IT companies."

Where do we stand? First, how many users are registered in the forum? According to the latest statistics -{ Quote: "Threads: 148,225, Posts: 1,292,224, Members: 90,573, Active Members: 17,703 " }-

Let's multiply 90,573 people by 90,573 friends... That already gives a significant number... Now, let's take that number and multiply by the same number of people. Plus family members, family members' friends, and so on...

Well, you know the rest... So, the number of people using Prevx may not be that small... I truly don't know, as I don't have the numbers, but, according to the number of friends, etc., it would be a start for guessing... Or not ...

Anyway, folks, I'm no one at this forum, but a member who tries to learn more from other, more knowledgeable people, and I haven't been learning anything for the last... and it's just a guess ... perhaps more than 18 posts... I didn't count them...

This sure doesn't give a great look to this forum for first-time visitors... I think I'm repeating myself all over again, since it's not the first time threads like this end up this way. By the end of it, I don't remember what I read before.

Should PrevX allow removal during the trial? Yes, because that's what I call a trial. Even for the 30-day (normal trial period; some offer 15-day, others a 90-day OEM license, etc.), more than likely no infection will happen, but should it happen, then the user should know whether or not the product they're trialing before buying is effective.
I'm aware that's not a sign that a product is effective, but, I guess that's what most people want to see...

Perhaps, to make the leeches happy, PrevX should offer a different kind of trial, like PCTools does. Spyware Doctor (I do not use it, and I'm not advertising, as it would be the last thing I'd do for a product I totally dislike...) allows you, during the lifetime trial (like PrevX), to prevent new infections, but it won't clean the already existing ones.

If not that, then, perhaps, and is just a humble opinion, a traditional trial period?

Now, if there's anything more to add to the REAL content of the thread, let's proceed... Otherwise, our thoughts have been shouted out and now let's grab something to eat, shall we? I know I will... :)

Regards

Sm3K3R
April 16th, 2009, 07:46 AM
-{ Quote: "My BIOS has what is called "Boot Sector Protection" but the manual says it's for protecting the BIOS from viruses (ie unauthorized flashing). Have a look in your manual and see what it states." }-


It seems that in my case that option reacts (shows some interaction options allow/block) when I install operating systems too, so it should theoretically protect against MBR modifications.
My motherboards are MSIs with AMI BIOS.
Maybe someone should test this MBR Rootkit in a real machine to see if this BIOS option prevents MBR modification.

andyman35
April 16th, 2009, 08:47 AM
-{ Quote: "If you have a clean image or a boot CD, removal is straightforward by "fixmbr" or "fdisk /mbr" or any other method to write a clean MBR to the drive, and you should be able to boot cleanly directly after without needing to modify any other data (however, a majority of users don't have those "luxuries" :().

The primary rootkit loader infects and secures the first 512 bytes of the harddisk so if you can either replace those or take an image which doesn't include those bytes, you should be safe :)

From what I've seen, the partition table remains untouched and I suspect it will stay that way as the rootkit tries to remain as compatible as possible by modifying as little as possible." }-
That is why there's a place for the likes of PrevX to do the dirty work for them.;)

Perhaps though a 7 or 30 day free cleanup trial from the time of the first infection might be a way to go with licensing? At present a user may well feel aggrieved if they purchase a full cleanup licence on the basis of a FP for example.

PrevxHelp
April 16th, 2009, 09:01 AM
Hello all,
A lot of comments have been made already but I'll just make a few more notes to clear things up :)

First, if you are questioning our trial procedure, read through this thread: http://www.wilderssecurity.com/showthread.php?t=235002 in which I've explained our logic.

Second, our cleanup is NOT rogue, as explained above, but the big reason which sets us apart from rogue vendors is that we GUARANTEE our malware cleanup. We have to charge for it because it is a service - giving it away as a trial is just not possible: you don't expect someone who goes around as a PC repair person to do it all for free, do you? Our researchers spend countless hours helping users remotely correct any problems we don't fix automatically, and in turn, we update our removal engines to fix the problems in the future. Cleanup is not the same today as it was before and it does now require significant resources to manage. We host many, many gigabytes of clean system files from every OS and language centrally in our servers which we send down to users if they have a system file which is replaced by an infection.

Third, if you really don't want to use our cleanup, we give you all of the information about the threats, unlike many online scanners, so that you could go clean it up manually if you want, OR, if you don't feel like spending a few hours of your day hoping you can remove 12 rootkits and 30 infected system files, you can use our cleanup service :)

From a newbie perspective it may look suspicious that Prevx is requiring payment for cleanup but when AV2009 detects 3,000 infections and we detect 5.... I think there is a bit of a difference and an obvious way to see which is rogue ;)

Personally (and I outline it in the thread mentioned above), trying to offer a 7 day trial can really muddy the waters with clarity, and, although we care about users a lot, it would not be economically viable to try and offer a free cleanup service to the entire world for free ;D

(Also note that we DID try this before with Prevx1 - offering cleanup free for one month after the first infection - and it failed miserably, causing us to remove this model very quickly, because users would just try it, cleanup, and then toss us out as soon as they finished)

PrevxHelp
April 16th, 2009, 09:02 AM
-{ Quote: "At present a user may well feel aggrieved if they purchase a full cleanup licence on the basis of a FP for example." }-

If this does happen, we always give the user a refund or an extension on their license if they do want to continue using us - we're really not out to steal from people and for the minimal number of times that this actually happens, it's not worth the hassle of generating the FPs in the first place :)

thathagat
April 16th, 2009, 09:44 AM
-{ Quote: "how prevx work and it act as rogue soft" }-
and
-{ Quote: "but how is a person bitten by AV360-esque rogues supposed to distinguish?
Both display warnings of some kind of infection on the computers and both want payment for removal (not in the case of this mbr thing, but generally). In the users eye's that is completely the same, no?" }-
prevx scan on a clean system tells that the sys is clean.......hardly roguish

-{ Quote: "they will always stay small company" }-
ummm prophecy or presumption..........anyway every big name co. was small yesterday..........and every small co. can be big tomorrow....yes can be, not necessarily will be...

well had the big daddies been doing their job well...every 4th-5th customer of theirs wouldn't scream of xpantivirus, av360........
and the big names too call upon very efficient...but small co. owned products to clean up the mess, viz. mbam

-{ Quote: "At present a user may well feel aggrieved if they purchase a full cleanup licence on the basis of a FP for example." }-
aggrieved........well wilders has many threads where some freewares and paid-for softwares have caused bsod with fps........
few of the best infection cleaners are free, viz dr web Ci, sas, mbam....but won't detect threats in real time. they work on the philosophy that what we clean we can prevent..prevx free detects threats in real time but doesn't clean....the marketing philosophy....is what we detect we can clean..what's wrong with this credo....

Pleonasm
April 16th, 2009, 09:51 AM
Readers of this thread may be interested in a paper jointly authored by Symantec and F-Secure: Your Computer is Now Stoned (...Again!): The Rise of MBR Rootkits (http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/your_computer_is_now_stoned.pdf).

andyman35
April 16th, 2009, 10:52 AM
-{ Quote: "If this does happen, we always give the user a refund or an extension on their license if they do want to continue using us - we're really not out to steal from people and for the minimal number of times that this actually happens, it's not worth the hassle of generating the FPs in the first place :)" }-
Of course I know your company isn't out to con anybody.:thumb:

With regards to the free MBR rootkit cleaner,that's a very fair deal.

andyman35
April 16th, 2009, 10:54 AM
-{ Quote: "Readers of this thread may be interested in a paper jointly authored by Symantec and F-Secure: Your Computer is Now Stoned (...Again!): The Rise of MBR Rootkits (http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/your_computer_is_now_stoned.pdf)." }-
Thanks for that info.:thumb:

EraserHW
April 16th, 2009, 11:42 AM
-{ Quote: "Readers of this thread may be interested in a paper jointly authored by Symantec and F-Secure: Your Computer is Now Stoned (...Again!): The Rise of MBR Rootkits (http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/your_computer_is_now_stoned.pdf)." }-

This is related to the old MBR rootkit

http://www.prevx.com/blog/75/Master-Boot-Record-Rootkit-is-here-and-ITW.html

http://www.prevx.com/blog/84/MBR-Rootkit-new-tricks-added.html

raven211
April 16th, 2009, 02:07 PM
PrevxHelp, the only thing I'm curious about is, if I'm unlicensed, and Prevx detects something - will it put the system on hold and let you buy a license to never be infected at all? That would be one really neat way to get customers IMO. ;) :P

Toby75
April 16th, 2009, 02:09 PM
-{ Quote: "PrevxHelp, the only thing I'm curious about is, if I'm unlicensed, and Prevx detects something - will it put the system on hold and let you buy a license to never be infected at all? That would be one really neat way to get customers IMO. ;) :P" }-

If not then it's an excellent idea.

PrevxHelp
April 16th, 2009, 02:13 PM
-{ Quote: "PrevxHelp, the only thing I'm curious about is, if I'm unlicensed, and Prevx detects something - will it put the system on hold and let you buy a license to never be infected at all? That would be one really neat way to get customers IMO. ;) :P" }-

It doesn't, but that is indeed a good idea :) I'll see how feasible it is (the issue is that it could lock up the system if we try and hold up a program loading for that long).

raven211
April 16th, 2009, 02:23 PM
-{ Quote: "It doesn't, but that is indeed a good idea :) I'll see how feasible it is (the issue is that it could lock up the system if we try and hold up a program loading for that long)." }-

Yeah, I thought about some of those things, so what about a built-in tool for purchasing a license so that only the malware is stopped for the moment?

PrevxHelp
April 16th, 2009, 03:17 PM
-{ Quote: "Yeah, I thought about some of those things, so what about a built-in tool for purchasing a license so that only the malware is stopped for the moment?" }-

Definitely possible, I'll forward the request on :)

LoneWolf
April 16th, 2009, 03:23 PM
-{ Quote: "Yeah, I thought about some of those things, so what about a built-in tool for purchasing a license so that only the malware is stopped for the moment?" }-

-{ Quote: "Definitely possible, I'll forward the request on :)" }-

That would be a nice feature for the free version. :thumb:

Macstorm
April 16th, 2009, 07:17 PM
-{ Quote: "Third, if you really don't want to use our cleanup, we give you all of the information about the threats, unlike many online scanners, so that you could go clean it up manually if you want, OR, if you don't feel like spending a few hours of your day hoping you can remove 12 rootkits and 30 infected system files, you can use our cleanup service :)" }-
This is a good thing IMO, and kudos to the Prevx guys for the improvement on their products (actually I'm not a user at all). However, at their homepage they sell their products as:
-{ Quote: "We find and fix threats that your current security products missed...
The chart shows how many infections we found yesterday, on users' PCs which were protected by security products from the following vendors:" }-
..where the most known AV programs are listed along with their 'non-detected threats'. This could lead some new users to think that Prevx detects that number of malware over and above those nasties already detected by the AVs. How would the results be the other way around? ;)
And at US$30 per year subscription versus the price of any AV...

PrevxHelp
April 16th, 2009, 07:21 PM
-{ Quote: "That would be a nice feature for the free version. :thumb:" }-

The main concern with this approach would be that it would make us look rogue, as if we were blackmailing the user to buy NOW or else we will unleash the infection on them. It's a risky line to try and cross - right now we're very "black and white" where we will not block anything in realtime, which prevents any confusion.

We are considering alternate approaches, however, and are always open to input on the topic :)

rdsu
April 16th, 2009, 07:24 PM
-{ Quote: "-{ Quote: "We find and fix threats that your current security products missed...
The chart shows how many infections we found yesterday, on users' PCs which were protected by security products from the following vendors:" }-
..where the most known AV programs are listed along with their 'non-detected threats'. This could lead some new users to think that Prevx detects that number of malware over and above those nasties already detected by the AVs. How would the results be the other way around? ;)
And at US$30 per year subscription versus the price of any AV..." }-
This also has another problem, because that graphic doesn't indicate the number of users that use each AV.

That would make the comparison fairer.

PrevxHelp
April 16th, 2009, 07:31 PM
-{ Quote: "How would the results be the other way around? ;)" }-

It's hard to say really, but the fact still remains that no AV out there protects against 100% of threats (not us either, and we openly admit that :))

If any other AV company has this data against us, we would be more than happy to see it to improve our products but I believe ours is the first realtime assessment of the antivirus industry from real world data seen by real users on a day-to-day basis.

Regarding the size of the userbases - that is a factor in interpreting the statistics but rather than obfuscating the data by showing the % of the userbase infected, we provide the raw statistics. We aren't looking to compare each vendor to each other vendor, rather, comparing every vendor to the infections themselves.

innerpeace
April 16th, 2009, 08:59 PM
-{ Quote: "It seems that in my case that option reacts (shows some interaction options allow/block) when I install operating systems too, so it should theoretically protect against MBR modifications.
My motherboards are MSIs with AMI BIOS.
Maybe someone should test this MBR Rootkit in a real machine to see if this BIOS option prevents MBR modification." }-
My motherboard is also an MSI with the AMI BIOS. When I first built this rig I also received an alert when first installing the OS, which is weird considering the feature is for BIOS protection. I have no idea if it would protect against this rootkit. I guess an optional way to test it is installing a safe program that modifies the MBR.

Kees1958
April 17th, 2009, 02:33 AM
I had an old Asus Mobo in the past, with AMI-Bios and it protected against kill MBR (one of better moments in life when I downloaded it first with DefenseWall, and on the other image with GesWall, totally forgetting I had to mark it untrusted first, since it was not downloaded when GW was active)

innerpeace
April 17th, 2009, 02:43 AM
Thanks for the input Kees1958. I may have to look into this a bit further. Also, glad to hear it saved your machine :).

dell boy
April 17th, 2009, 03:18 AM
I don't really know how Prevx rates software for how bad it is or whatever, but if Prevx blocked say 10 serious threats and then the trial would run out, that sounds pretty good. Serious meaning like trojan/rootkit/virus or something that's pretty bad. After the 10 serious blocks maybe just notify the user when something bad infects and prompt them to buy. Damn, I should run this show ;D
Never used Prevx or trialed it but it seems pretty effective, I may look into it.

Bubba
April 17th, 2009, 08:53 PM
In hopes of steering this thread back to its intended topic....New MBR rootkit goes undetected....and lessening the one-vendor discussion, I have moved numerous posts to a thread of their own for further discussion.

New thread---> I applaud Prevx’s openness to sharing information (http://www.wilderssecurity.com/showthread.php?t=239580)

Bubba

kareldjag
April 17th, 2009, 09:20 PM
Hi,

This thread is already hijacked to an off-topic discussion...
Which is the threat exactly? The new MBR variant or PrevX?
I suggest to Einsturzende (Neubauten?), innerspace and co to follow my future antimarketing post in the AM area.
Of course there is no need for PrevX or any other AV/HIPS to counter this rootkit and other kernel-level ones.
OS hardening as suggested by Lucy, or a whitelist approach via SRP or HIPS as suggested by "the teacher near the blue valley", are possible prevention solutions.
There is also a forensic way to protect the PC in real time with zero software and default configuration: using an instant backup solution stored in a restricted and secure zone of the disk (HPA), which can be helpful to restore the computer to a clean state (MBR included).
From Melissa to Conficker/the new MBR RKT, AVs have been losing the malware game for years, and any good HIPS like DW, PrevX, SnS, OA and co is better than any pure AV scanner-based protection.
I have not taken a look at this last variant.
DKOH and IRP hooking are not new, but this new variant seems more vicious in playing the man-in-the-middle game.
Each time the detector checks and knocks (is there something wrong?), the man/rootkit intercepts the request and returns fake or invalid parameters (no no tovaritch, everything is ok!)...
Regarding detection, I have not seen a kernel rootkit that resists a live or post-mortem physical memory analysis.
But detection is not victory in security, especially with this variant which targets financial logins.
Once detected, it might already be too late.
And sorry to repeat one of my favourite intrusion mantras:
"That which can not be detected should be prevented; that which can't be prevented should be detected."

The comment on the PrevX blog is true: there is more to be afraid of from Ring0 rootkits than from conceptual ones like SMM or VM rootkits (I have some forensic analyst contacts in Russia, Germany... and none has reported this in real incidents).
There is always a big difference between what is possible in a laboratory and its in-the-wild industrialization...
Well... a lot of blah blah for my concern, without help for the end users...
So I suggest a few easy-to-use tools that could help to back up and restore the MBR in case of infection or corruption:
MBR wizard http://www.mbrwizard.com/
MBRFix http://www.sysint.no/nedlasting/mbrfix.htm
HDHacker, for those who want a GUI tool http://dimio.altervista.org/eng/
MBRTool http://www.diydatarecovery.nl/mbrtool.htm
With its various features, like the ability to create a boot CD, this is the most suited for inexperienced users.

rgds
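
PrevxHelp's explanation quoted a few posts above (the loader lives in the first 512 bytes while the partition table stays untouched) and kareldjag's advice to keep an MBR backup both come down to comparing the current first sector with a trusted copy. The Python checker below is an added example, not code from the thread, from Prevx or from any of the tools listed: it parses a sector, hashes the boot code and the partition table separately, and flags the "boot code changed, table unchanged" pattern. The sample sectors, the placeholder boot-code bytes and the single partition entry are constructed; read_first_sector is a hypothetical helper for reading a dd image or a raw device.

```python
"""Integrity check for the first disk sector (the MBR), as discussed in the thread.

The 512-byte sector is 446 bytes of boot code, a 64-byte partition table (four
16-byte entries) and the 0x55AA signature.  Hashing the two regions separately
shows the pattern the thread describes: boot code replaced, table untouched.
"""
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_END = 446          # boot code occupies bytes 0..445
PART_TABLE_END = 510         # four 16-byte entries occupy bytes 446..509
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511


@dataclass(frozen=True)
class PartitionEntry:
    status: int        # 0x80 = bootable, 0x00 = inactive
    part_type: int     # e.g. 0x07 NTFS, 0x83 Linux, 0x00 unused slot
    lba_start: int     # first sector of the partition
    sector_count: int  # length in sectors

    @property
    def used(self) -> bool:
        return self.part_type != 0


def parse_partition_table(sector: bytes) -> list:
    """Decode the four partition entries; the CHS fields are skipped."""
    entries = []
    for i in range(4):
        off = BOOT_CODE_END + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append(PartitionEntry(status, ptype, lba, count))
    return entries


def parse_mbr(sector: bytes) -> dict:
    """Hash the two regions separately and validate the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partition_table_sha256": hashlib.sha256(
            sector[BOOT_CODE_END:PART_TABLE_END]).hexdigest(),
        "signature_valid": sector[PART_TABLE_END:] == MBR_SIGNATURE,
        "partitions": parse_partition_table(sector),
    }


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Compare a trusted copy of the sector with the one read now.

    'suspicious' marks the thread's pattern (boot code changed, partition table
    unchanged).  A changed table is reported too: a legitimate repartition also
    rewrites the MBR, and blindly restoring the old copy would then break booting.
    """
    base, cur = parse_mbr(baseline), parse_mbr(current)
    boot_changed = base["boot_code_sha256"] != cur["boot_code_sha256"]
    table_changed = base["partition_table_sha256"] != cur["partition_table_sha256"]
    return {
        "boot_code_changed": boot_changed,
        "partition_table_changed": table_changed,
        "signature_valid": cur["signature_valid"],
        "suspicious": boot_changed and not table_changed,
    }


def read_first_sector(path: str) -> bytes:
    """Hypothetical helper: read the first 512 bytes of a dd image or raw device."""
    # Raw devices (/dev/sda, \\.\PhysicalDrive0) need the privileges to open them;
    # keep the result from a known-clean machine as the baseline for later checks.
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector, not a real disk dump: one NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    # Entry 0: bootable, type 0x07, starts at LBA 2048, 204800 sectors (100 MiB);
    # the CHS fields are filler values.
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                         b"\xfe\xff\xff", 2048, 204800)
    return code + entry0 + b"\x00" * 48 + MBR_SIGNATURE


# Constructed inputs: a baseline and a copy whose boot code was overwritten with
# arbitrary placeholder bytes (not malware), partition table left untouched.
BASELINE_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8")
MODIFIED_MBR = build_sample_mbr(b"\xeb\x04\x90\x90XXXX")


if __name__ == "__main__":
    for name, value in compare_mbr(BASELINE_MBR, MODIFIED_MBR).items():
        print("%-24s %s" % (name, value))
```

To check a real machine, read the sector with read_first_sector once while the system is known clean, store it, and run compare_mbr against a fresh read later; restoring the saved copy is what the tools listed above do.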

innerpeace
April 17th, 2009, 09:56 PM
-{ Quote: "I suggest to Einsturzende (Neubauten?), innerspace and co to follow my future antimarketing post on the AM area." }-
??? Were you meaning me? If so, I'm not sure I follow you. Are you going to be starting a new thread or are you lumping me in with way off-topic posts?

EASTER
April 18th, 2009, 08:26 PM
-{ Quote: "Hi,

This thread is already hijacked to an off topic discussion..
Which is the threat exactly? the new MBR variant or PrevX?
I suggest to Einsturzende (Neubauten?), innerspace and co to follow my future antimarketing post on the AM area.
Of course there is no need of PrevX or any other AV/HIPS to counter this rootkit and other kernel level ones.
OS hardening as suggested by Lucy, white list approach via SRP or HIPS as suggested by "the teacher near the blue valley" are possible prevention solutions.
There is also a forensic way to protect the PC in real time with zero soft and default configuration, a way to use an instant back up solution stored in a restricted and secure zone of the disk (HPA) and which can be helpful to restore the computer to a clean state (mbr included).
From Melissa to Conflicker/new MBR RKT, AV have been losing the malware game for years, and any good HIPS like DW, PrevX, SnS, OA and co is better than any pure av scanner based protection.
I have not taken a look at this last variant.
DKOH and IRP hooking are not new, but this new variant seems more vicious in playing the man in the middle game.
Each time the detector checks and knocks (is there something wrong?), the man/rootkit intercepts the request and returns fake or invalid parameters (no no tovaritch, everything is ok!)...
Regarding detection, i have not seen a kernel rootkit that resists a live or post mortem physical memory analysis.
But detection is not victory in security, especially with this variant which targets financial logins.
Once detected, it might already be too late.
And sorry to repeat one of my favourite intrusion mantras:
"That which can not be detected should be prevented; That which can't be prevented should be detected."

The comment of the PrevX blog is true, there is more to be afraid of Ring0 rkts than of conceptual ones like SMM, or VM Rkts (i have some forensic analyst contacts in Russia, Germany...and none has reported this in real incidents).
There is always a big difference between what is possible in a laboratory and its in the wild industrialization...
Well...a lot of blah blah for my concern without help for the end users...
So i suggest a few easy to use tools that could help to backup and restore the MBR in case of infection or corruption:
MBR wizard http://www.mbrwizard.com/
MBRFix http://www.sysint.no/nedlasting/mbrfix.htm
HDHacker, for those who want a gui tool http://dimio.altervista.org/eng/
MBRTool http://www.diydatarecovery.nl/mbrtool.htm
With its various features like the ability to create a boot CD, this is the most suited for inexperienced users.

rgds" }-

kareldjag

Easter here.

As always your exceptional in-depth analysis and recommendations border on some mass publication to your credit, but your website serves that purpose satisfactorily IMHO. I must admit that i also miss, like many others, the very concise and strict testing during your many efforts to put various vendors' security apps through painstaking (for them) scrutiny, and the results have always been worth professional review from them and the customers/users alike. For that we are grateful indeed. In my estimation those competitions of sorts did not so much compare whether A is better than B but exposed both weaknesses & strengths that demanded immediate attention should the respective programs survive as a worthy endeavor, or else be sadly left as a gamble, which is a remedy in the end for either disaster or time consuming efforts on the user's/customer's end to pick up after the limitations pointed out in those reviews.

Now to topic: I endeavor to safeguard against MBR disruption in any form, be it O/S malfunction or malware tampering, by turning to a simple floppy on which i SAVE both MBR & PARTITION TABLE of each Hard Drive that is occupied by a Windows System, chiefly XP Pro. Also DVD/CD can serve the same purpose of course.

Are you aware of the now older methods of saving and repairing the MBR such as MBR whiskey, MBRwiz, and MBR.exe, which i have used to save these critical codes to a dat file on a floppy, and what's your opinion of them if any?

EASTER

Pedro
April 18th, 2009, 10:12 PM
-{ Quote: "
Are you aware of the now older methods of saving and repairing the MBR such as MBR whiskey, MBRwiz, and MBR.exe, which i have used to save these critical codes to a dat file on a floppy, and what's your opinion of them if any?
" }-
With a GNU/Linux livecd you can use dd. I saved a note on it, i hope it's correct. At least the mbr part is, i used it quite recently to restore the mbr after the usual XP fix/reinstall..

Backup MBR (if hda is the primary):
dd if=/dev/hda of=mbr.img bs=512 count=1

Imagine hda3 partition, backup its boot sector by:
dd if=/dev/hda3 of=hda3.img bs=512 count=1

Only the boot program (the boot code occupies the first 446 bytes; the partition table starts at offset 446):
dd if=/dev/hda of=mbr.img bs=446 count=1

To restore mbr:
dd if=mbr.img of=/dev/hda bs=512 count=1

To restore just the boot program (leaves the partition table untouched):
dd if=mbr.img of=/dev/hda bs=446 count=1

'if' means input file, 'of' output file, i think.
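To make the layout behind those dd offsets concrete, here is an added Python example (not from Pedro's post or from any tool mentioned in the thread): it parses a 512-byte MBR image, such as the mbr.img a dd backup produces, into its boot code (bytes 0..445), four 16-byte partition entries and the 0x55AA signature, and reports whether a current MBR's boot code or partition table differs from a known-good backup. The sample MBR bytes are constructed for the example, not a real bootloader.

```python
import struct

SECTOR = 512
BOOT_CODE_LEN = 446   # boot code: bytes 0..445; the partition table starts at 446
TABLE_OFF = 446       # four 16-byte partition entries: bytes 446..509
SIG = b"\x55\xaa"     # boot signature: bytes 510..511

def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR image (used here only to construct samples)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(entries).ljust(64, b"\x00")[:64]
    return code + table + SIG

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code and decoded partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    if sector[510:] != SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype:  # skip empty entries
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts}

def compare_mbr(current: bytes, backup: bytes) -> list:
    """Return which parts of the live MBR differ from the known-good backup."""
    cur, ref = parse_mbr(current), parse_mbr(backup)
    findings = []
    if cur["boot_code"] != ref["boot_code"]:
        findings.append("boot code differs")
    if cur["partitions"] != ref["partitions"]:
        findings.append("partition table differs")
    return findings

# Constructed sample data (not a real bootloader): one bootable NTFS partition.
NTFS_ENTRY = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2096577)
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [NTFS_ENTRY])
# Same partition table, different boot code: the pattern a backup comparison flags.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 14, [NTFS_ENTRY])

if __name__ == "__main__":
    # On a live system, compare open("mbr.img", "rb").read(512) from the dd backup
    # with the first 512 bytes read from the disk device itself (as root).
    print("clean vs backup:", compare_mbr(CLEAN_MBR, CLEAN_MBR))
    print("tampered vs backup:", compare_mbr(TAMPERED_MBR, CLEAN_MBR))
```

A match on the partition table with a mismatching boot code is exactly the case where restoring only the first 446 bytes, as in the dd command above, is enough.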

BlueZannetti
April 18th, 2009, 10:17 PM
One post removed. Let's keep the commentary grounded in reality.

Blue

Pedro
April 19th, 2009, 09:34 AM
Just a small correction. On the hda3 example, i made an error and put hda5 in the command. Sorry about that..

Bob
April 19th, 2009, 09:37 AM
Are these rootkits only a problem for 32-bit systems
or can they now also infect vista 64-bit?

vijayind
April 19th, 2009, 03:04 PM
BluePill rootkit was developed on x64 systems only. So yes, x64 rootkits do exist (I guess)

http://northsecuritylabs.blogspot.com/2008/06/catching-blue-pill.html

also: http://bluepillproject.org/

steve1955
April 19th, 2009, 04:46 PM
-{ Quote: "Wow...with all the security you are running, I am surprised it wasn't picked up!" }-
Perhaps the best idea is fill your HD with security apps so there's no room for any malware!

MAOS
May 29th, 2009, 05:01 AM
I just got the RSS feed report

http://www.prevx.com/blog/131/MBR-Rootkit-reloaded.html

-{ Quote: "
We have checked how many antirootkits are already able to detect the new version of MBR rootkit we've isolated two months ago. Result is that only five applications are able to fully detect this threat
" }-

Baz_kasp
May 29th, 2009, 06:05 AM
-{ Quote: "I just got the RSS feed report

http://www.prevx.com/blog/131/MBR-Rootkit-reloaded.html" }-


I assume if prevx is so worried about the lack of detection by other security vendors they have shared samples with the security community to combat such a "dangerous" threat....unless they are going to pull a "Dr.Web" ::)

EraserHW
May 29th, 2009, 06:18 AM
-{ Quote: "I assume if prevx is so worried about the lack of detection by other security vendors they have shared samples with the security community to combat such a "dangerous" threat....::)" }-

Right :) I can assure you I personally shared all the samples I have with all companies that asked me for them. Sure, I'm not going to hunt for every single e-mail contact inside every single company and send samples in a spam-like way :) If anyone from security vendors want them, just ask for them :) I think it's the best way for everyone

Baz_kasp
May 29th, 2009, 06:32 AM
-{ Quote: "Right :) I can assure you I personally shared all the samples I have with all companies that asked me for them. Sure, I'm not going to hunt every single e-mail contact inside every single company and send samples in a spam-like way :) If anyone from security vendors want them, just ask for them :) I think it's the best way for everyone" }-

I think we both know about a certain place(s) where vendors meet for malware researching, makes sense to lay them out in there perhaps....I mean of course this is great that you found it and congratulations on the technical knowledge, props for being the first.... but if it's something revolutionary, collective intelligence is better than none.

EraserHW
May 29th, 2009, 06:35 AM
-{ Quote: "I think we both know about a certain place(s) where vendors meet for malware researching, makes sense to lay them out in there perhaps....I mean of course this is great that you found it and congratulations on the technical knowledge, props for being the first.... but if its something revolutionary collective intelligence is better than none." }-

As you may know, inside certain places samples are available since April :) So they have been always available to everyone ;)

Baz_kasp
May 29th, 2009, 06:53 AM
-{ Quote: "As you may know, inside certain places samples are available since April :) So they have been always available to everyone ;)" }-


In which case I apologise since I missed that. :thumb:

EraserHW
May 29th, 2009, 06:54 AM
-{ Quote: "In which case I apologise since I missed that. :thumb:" }-

No problem at all :) You're more than welcome :thumb:

developers
May 30th, 2009, 05:46 PM
-{ Quote: "It's good seeing people test their security programs against this variation.

Maybe someone can test Shadow Defender? Would be interested to find out if a reboot removes the infection." }-

No, it's vulnerable.

MAOS
June 4th, 2009, 09:26 PM
New variant of mebroot detected as vendors criticised for failing to react to threat (http://www.scmagazineuk.com/New-variant-of-mebroot-detected-as-vendors-criticised-for-failing-to-react-to-threat/article/137903/)

format_c
June 5th, 2009, 03:09 AM
Dr.Web can neutralize all known modifications of the Backdoor.Maosboot including its latest variation discovered in May and still undefeated by any other anti-virus. (http://news.drweb.com/show/?i=359&c=5?lng=en)

TonyW
June 10th, 2009, 10:48 AM
Interesting analysis by Sergey Golovanov at KL here (http://www.viruslist.com/en/analysis?pubid=204792063).

raven211
June 10th, 2009, 10:59 AM
-{ Quote: "Dr.Web can neutralize all known modifications of the Backdoor.Maosboot including its latest variation discovered in May and still undefeated by any other anti-virus. (http://news.drweb.com/show/?i=359&c=5?lng=en)" }-

... and it says so on their own website - *applause*.