New MBR rootkit VS Returnil
betaman
April 14th, 2009, 06:53 AM
Link: http://www.prevx.com/blog/120/MBR-rootkit-changes-itself-and-strikes-again.html
Does Returnil protect from this new variant of MBR rootkit?
I know Returnil protects the master boot sector, but this rootkit uses new techniques, and the blogger says:
Quote: "its creators decided to develop a new version of it, virtually able to bypass almost all security products"
Can someone test this rootkit?
Coldmoon
April 14th, 2009, 11:32 AM
Hi betaman,
Without having a sample to test against I would not be able to definitively say yes or no. In theory, however, RVS should protect against this type of attack. We do encourage testing and will be following this discussion closely.
Be sure to make your reports as detailed as possible sans content mentioned in the warning below:
Side note for participants in the discussion: Do not post links to the content as that information will be removed per the site TOS. If your testing reveals an issue, use the information in the malware sample submission Sticky (http://www.wilderssecurity.com/showthread.php?t=232901) to send us the binary or links where our research team can obtain the content.
Thanks
Mike
developers
April 14th, 2009, 01:34 PM
I have tested this new MBR rootkit, and it's able to bypass Returnil. After the restart, the system is infected by hidden code.
I will send this sample to Returnil support tech, but please fix this issue and also the file protection issue, for the security of the user.
Coldmoon
April 14th, 2009, 01:58 PM
Thanks developers - Please PM me the details of the submission (subject, name or nickname) so I can alert the team to it ASAP.
Edit: We have received the sample and the team has been alerted.
Mike
caspian
May 13th, 2009, 12:58 PM
Have you been able to validate this yet?
developers
May 30th, 2009, 05:04 PM
Returnil Virtual System 2009 beta 3 is immune to new MBR rootkit :thumb:
SIR****TMG
May 31st, 2009, 06:40 PM
Can we get a link to it now? Beta is OK with me. I did fill out the beta tester form also.
SystemJunkie
June 1st, 2009, 05:19 AM
Quote: "Returnil Virtual System 2009 beta 3 is immune to new MBR rootkit"
Interesting.
Coldmoon
June 1st, 2009, 10:23 AM
Quote: "Can we get a link to it now? Beta is OK with me. I did fill out the beta tester form also."
Hi,
The list should be getting an e-mail later tonight (US EDT) or tomorrow announcing availability of Beta 4.
Mike
SIR****TMG
June 1st, 2009, 05:18 PM
Sweet thank you
StevieO
June 3rd, 2009, 02:59 PM
"Returnil Virtual System 2009 beta 3 is immune to new MBR rootkit"
If this is 100% correct then, as far as I'm aware, it's the only app of ANY kind on the planet that can! This includes all other similar products, VM-type apps, and various flavours of system restorers etc. etc.
So based on what was stated, full marks to all involved @ Returnil.
Looking forward to some independent tests to confirm above.
aigle
June 3rd, 2009, 05:58 PM
StevieO, you mean that this new MBR rootkit can bypass VMware etc. as well?
StevieO
June 3rd, 2009, 06:04 PM
aigle
Proviso: "as far as I'm aware"
I'm sure I read about it in a tech blog somewhere. If I can remember where and locate it, then I'll post it.
StevieO
June 3rd, 2009, 06:17 PM
Well, here's something I found to be going on with, posted by one of our members, Elite:
http://forum.sysinternals.com/printer_friendly_posts.asp?TID=13179
"I just ran it on a VM to test something quickly, and to my surprise, upon rebooting, it appears the rootkit has auto-updated itself to the latest version."
aigle
June 3rd, 2009, 07:01 PM
Quote: "aigle
Proviso: "as far as I'm aware"
I'm sure I read about it in a tech blog somewhere. If I can remember where and locate it, then I'll post it."
I don't think that it's true.