Rustock C no longer a myth, no longer a threat

Discussion in 'other anti-virus software' started by Meriadoc, May 6, 2008.

Thread Status:
Not open for further replies.
  1. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    If Kaspersky detects it, will F-Secure AV for Workstations V7? Does F-Secure still use the Kaspersky engine?
     
  2. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    I am not sure about F-Secure detecting an active infection. According to the KL virus lab, only Kaspersky V2009 and above will be able to detect and cure an active infection whilst installed (users of other versions will need to use a rescue CD to scan offline)... so I am guessing F-Secure will flag a dormant infection but no idea about a live infection... because they use an older engine and not KL's anti-rootkit module... unless F-Secure have coded their own anti-rootkit module to detect and cure it specifically.
     
  3. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    I think Baz can correct me if I'm wrong, but it is new Kaspersky technology coded into the latest version that's doing the trick. As far as I'm aware, F-Secure does not have this engine/capability yet...

    None that I am aware of yet.

    But that said, most of them know the Trojan-downloader.Agent that imports ntldrbot :thumb:
     
  4. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Think I will install KAV then.
     
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Hehe, fully agree. Prevx has IMO strong misleading-antispy tendencies (and no real AV), Gmer.dll is a dangerous app, yes... lol
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    F-Secure has BlackLight, so most likely the 2009 version will indeed detect and remove a lot of active rootkits.....

    Well, this 2009 version will be interesting IMO ;)
     
  7. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    <sarcastic>

    Yeah, I fully agree :rolleyes: :D

    </sarcastic>
     
  8. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I have informed F-Secure.
    I'm sure they can get some samples from Kaspersky and, with time, detect it when active and cure it.
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    @fcukdat
    So you would say this is incorrect:
    Or rather, like you always said, you allow it to execute first, then while 'loading' the rootkit, the above programs are bypassed?

    You first allowed the dropper to execute, and showed us the dropper connecting out, easily detected by Kerio as it is a direct connection.
    Then what happens? Is another executable to be allowed?

    Thank you in advance!
     
  11. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    lol, Nick might have the 1st or even possibly the 2nd broken driver that were doing the rounds when Dr.Web made its PR advert announcing the arrival of Rustock C...
    SAS scan of driver MD5 00430470e6754f082b6c2c19d022caea0e6754f082b6c2c19d022caea now = 0 points.

    I tested SAS versus the loaded infection covered on the last page and it did not detect any of the 3 files involved (Agent dropper, Downloader.Agent & ntldrbot-infected agent driver) at the time of testing... I even custom-scanned the 3 files 5 mins ago with the current def set and still no flags... bear in mind these files were put up in various distribution points for vendors/researchers the day before I posted data here :thumb:

    FYI, point Nick in this direction... the files are up at MR (6/5)... have been for some days now, and the dumped driver is up on the Malware listserve (6/5) :thumb:

    Good luck unpacking it and repairing it though... it appears not too many vendors/experts have made the grade yet ;)
     
  12. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Well, got to be honest, I can neither agree nor disagree with that statement, except all those things would foil the Downloader.Agent in its tracks!

    I had stripped my regular toolkit out of memory in the session where I ran the dropper for the downloader agent. These agents are designed to monitor what is installed, system info etc. in order to report data back home = whether or not the compromised machine is a suitable victim ;)

    Well, an hour into that session I had a BSOD which restarted the PC, and my tools sprang back into life, hence captured the outbound traffic... so my answer is I have no idea what happens, the series of system events when ntldrbot is imported, nor what it will/won't bypass.
     
  13. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    @fcukdat

    To be honest, this is all beyond me. Either SAS detects it or it does not. I felt their answer was vague, so that's why I tried to pin them down.

    I will point the thread over there to here and see what they say.
     
  14. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Ade - I assume these are all being submitted by you through the MIRT initiative over at CastleCops?
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    It does not then... quite straightforward.

    I don't believe Nick has done his homework on this one... that said, it is so not widely dispersed that it really would be low priority for most of the vendors to go after this bot. There are 1000s of more widely spread bots out there to worry about ;)
     
  16. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Ade - we have more than "done our homework". We detect and remove many variants of the "Rustock" family of trojans, as well as millions of other threats that are in active distribution. You used to submit us samples, but stopped for whatever reason - the only people you are hurting are the users out there using SUPERAntiSpyware who may not be protected against some of these trojans, malware and spyware that you are harvesting and locating.

    I will pull these latest off the various places you are posting them, but why not just submit them through MIRT?

    Again, if you, or any user has threats that we don't detect, we are more than happy to analyze and process the threats so they are removed!
     
  17. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    The dumped driver was uploaded = 6/5

    No need to upload the dropper for the downloader agent or the downloader agent itself, because one had 32/32 hits at VT and the other had 29/32 hits at VT upload, although I put both up at the *other* forum in the topic I made there on 6/5.

    The original broken driver released by Dr.Web labs to VirusTotal upload
    00430470e6754f082b6c2c19d022caea0e6754f082b6c2c19d022caea
    was uploaded to MIRT >>> May 7th.
    http://www.castlecops.com/t221308-Rustock_C_Win32_NtldrBot.html

    But I'm getting déjà vu here... have we not had a similar exchange a few weeks ago in this very forum? :cautious:
     
  18. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Didn't think it did, as they fluffed the answer.
     
  19. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK

    OK Nick, stop painting me bad; after all, it was me and my bro who goaded Dr.Web's hand on the VT upload to get the driver out to the bigger research/vendor community as a whole ;)

    SAS's record versus Rustock trojans is excellent; you had the first botkiller (AS/AT) that took down the B series, and all credit for that to you and your staff :thumb:

    That said, there is a very distinct line between lzx32.sys & huy32.sys and ntldrbot (C series), which is a file-infector rootkit that merges with boot-loading drivers... like I said to you a few weeks ago, you will need to code a new module à la MBR rootkit detection ;)
     
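    Two points in this thread fit one worked example: Baz_kasp's post that an active Rustock C infection can only be cured from inside the OS by the newest engine and that everyone else needs a rescue CD to scan offline, and fcukdat's post that ntldrbot is a file-infector rootkit merging into boot-loading drivers. The generic form of an offline check is an integrity audit of the boot-start drivers on the mounted, not-booted system volume against a baseline taken from a clean install of the same build. The script below is an added illustration of that audit and is not code from any vendor or poster in this thread; the driver images, the baseline and the "infection" are constructed stand-ins (a dict of path to bytes instead of files read from rescue media), and a real file infector would patch the PE entry point rather than simply append bytes, which the hash comparison does not need to care about.

```python
"""Offline integrity audit of boot-start drivers (added example, constructed data).

Why offline: a file-infector rootkit that merged itself into a boot-start driver
is running before any scanner inside the infected OS and can hide the modified
file from it, so the comparison has to be made from rescue media against the
offline-mounted system volume. Here the "mounted volume" is a dict of
path -> bytes so the script runs stand-alone; on real rescue media you would
fill it with Path(...).read_bytes() over the mounted system32\\drivers folder.
"""
import hashlib
from typing import Dict, List

# Constructed clean driver images (stand-ins, not real driver bytes).
CLEAN_DRIVERS: Dict[str, bytes] = {
    r"system32\drivers\atapi.sys": b"MZ" + b"clean atapi driver image (constructed)",
    r"system32\drivers\disk.sys": b"MZ" + b"clean disk driver image (constructed)",
    r"system32\drivers\null.sys": b"MZ" + b"clean null driver image (constructed)",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every driver of a known-clean install of the same build.

    In practice the baseline comes from a clean reference image or the vendor's
    signed file catalog, captured before the machine is suspected."""
    return {path: sha256(data) for path, data in files.items()}


def audit_drivers(mounted: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare drivers on the offline-mounted volume against the baseline.

    modified: hash drift, the on-disk trace of a file infector that merged into a driver
    unknown:  driver not in the baseline (a dropped .sys that needs a look)
    missing:  baseline driver absent from the volume
    """
    report: Dict[str, List[str]] = {"modified": [], "unknown": [], "missing": []}
    for path, expected in baseline.items():
        if path not in mounted:
            report["missing"].append(path)
        elif sha256(mounted[path]) != expected:
            report["modified"].append(path)
    report["unknown"] = sorted(p for p in mounted if p not in baseline)
    return report


def infect(driver: bytes, payload: bytes) -> bytes:
    """Constructed stand-in for a file infector: appends a body to the clean image.

    A real infector also patches the PE so the appended code runs first; for the
    integrity check only the resulting on-disk change matters."""
    return driver + b"\x90" * 16 + payload


def simulate_infected_volume() -> Dict[str, bytes]:
    """Clean volume with one merged-into driver and one dropped unknown driver (constructed)."""
    volume = dict(CLEAN_DRIVERS)
    volume[r"system32\drivers\atapi.sys"] = infect(
        CLEAN_DRIVERS[r"system32\drivers\atapi.sys"], b"rootkit body (constructed)")
    volume[r"system32\drivers\dropped.sys"] = b"MZ" + b"unknown dropped driver (constructed)"
    return volume


if __name__ == "__main__":
    baseline = build_baseline(CLEAN_DRIVERS)
    for name, volume in (("clean", CLEAN_DRIVERS), ("infected", simulate_infected_volume())):
        print(name, audit_drivers(volume, baseline))
```

    The check only says which driver files changed; it does not disinfect. Repairing a merged driver means restoring the clean copy from the baseline source, which is the part the thread says vendors still had to build a dedicated module for.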
  20. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    No one is painting you bad Ade. I (and my research team) fully understand the differences between the threats - remember I have a personal background of over 25 years of professional software development and over 8 years in the security industry/segment analyzing threats - so please drop the condescending statements regarding my understanding of the threats.
     
  21. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Lot of time.. but in relation to the age of the universe only a snippet.:D
     
  22. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Actually much less than a snippet compared to the universe :)
     
  23. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    It should not go without saying that lots of people have plenty of years on a job but that experience does not necessarily translate into expertise. Likewise, plenty of young talent, new to a particular line of work, can outshine the guys who have been in it for ages.
     
  24. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    You certainly don't know me very well then! :) I am in no way saying I know more than "anyone" or "everyone", but in the software development and security fields I would put our team, talent, dedication and service up against any challenge presented to us - meaning, we work very hard to fully understand, dissect and diagnose every threat we come across. It's really the only way to properly protect our users. Malware is a tough "beast" to fight day in and day out.
     
  25. disinter1

    disinter1 Guest

    So Ade why did you stop submitting samples to SAS? Maybe you and Nick could be on good grounds again, just a thought is all.
     