#26

Quote:
You'll have to write a new MBR from outside of the OS, as the rootkit filters any attempt to write the MBR when loaded.

#27

Quote:

#28

What about a HIPS like Comodo or Malware Defender; will the rootkit be able to sneak past them as well?

#29

Quote:
It depends on how strict the rules are. All that the rootkit does is rewrite the MBR and then lock it down very tightly. The main issue isn't prevention (that's always an issue with any threat, so that isn't anything new); the real issue is detection once infected and cleanup after detection. The droppers we've encountered so far are very cautious and just infect the MBR and then remain quiet without any visible signs.

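Added example, not code from the thread or from any product mentioned in it: an offline MBR check in Python that models the step described in the two posts above, inspecting and repairing sector 0 from outside the running OS. It takes the 512 raw bytes of the MBR, hashes the boot-code region (bytes 0 to 439) against a known-good value, parses the partition table separately so that a rewrite which leaves the partition table intact (and therefore still boots normally) is still flagged, and writes back only the boot code so the disk signature and partition table are preserved. The sample sectors, the reference hash, the partition layout and the helper names (read_sector0, analyze_mbr, replace_boot_code, repair_boot_code) are constructed for this example; on a real machine the bytes would come from the disk read from boot media, not from inside the infected OS.

```python
"""Offline MBR integrity check and boot-code repair.

Added example, not code from the original thread or from any product it
mentions. Constructed data: CLEAN_BOOT_CODE, TAMPERED_BOOT_CODE and PARTITIONS
are stand-ins, not real boot code or real rootkit code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0x000-0x1B7 hold the boot code
PART_TABLE_OFF = 446       # bytes 0x1BE-0x1FD hold four 16-byte partition entries
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA, sector count
BOOT_SIG = b"\x55\xaa"     # bytes 0x1FE-0x1FF


def read_sector0(path: str) -> bytes:
    """Read the first 512 bytes of a raw disk image or block device.

    Meant to be run from boot media (for example on /dev/sda from a live CD),
    because the loaded rootkit filters MBR access from inside the infected OS.
    """
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_partition_table(mbr: bytes) -> list:
    """Return the four partition entries as dicts (status, type, start LBA, sector count)."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries


def analyze_mbr(mbr: bytes, reference_boot_hash: str) -> dict:
    """Hash the boot-code region against a known-good SHA-256 and parse the rest.

    Hashing bytes 0-439 on their own means an MBR whose partition table was
    left untouched (so the machine still boots and looks normal) is still
    reported as modified.
    """
    observed = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    return {
        "boot_code_sha256": observed,
        "boot_code_matches_reference": observed == reference_boot_hash,
        "has_boot_signature": mbr[510:512] == BOOT_SIG,
        "partitions": parse_partition_table(mbr),
    }


def replace_boot_code(mbr: bytes, clean_boot_code: bytes) -> bytes:
    """Return the sector with only bytes 0-439 replaced; disk signature and partition table are kept."""
    if len(clean_boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    return clean_boot_code + mbr[BOOT_CODE_LEN:]


def repair_boot_code(path: str, clean_boot_code: bytes) -> None:
    """Rewrite the boot code of sector 0 on an image or device, from outside the infected OS."""
    with open(path, "r+b") as f:
        sector = f.read(SECTOR_SIZE)
        f.seek(0)
        f.write(replace_boot_code(sector, clean_boot_code))


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR; used here only to construct sample sectors."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, ptype, lba, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed sample data (not real boot code, not real rootkit code).
CLEAN_BOOT_CODE = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 400).ljust(BOOT_CODE_LEN, b"\x00")
TAMPERED_BOOT_CODE = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb\xe9\x00\x01" + b"\xcc" * 380).ljust(BOOT_CODE_LEN, b"\x00")
PARTITIONS = [(0x80, 0x07, 63, 20964762), (0, 0, 0, 0), (0, 0, 0, 0), (0, 0, 0, 0)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
INFECTED_MBR = build_mbr(TAMPERED_BOOT_CODE, PARTITIONS)   # same partition table, new boot code
REFERENCE_HASH = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()  # would be recorded from a clean machine


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        r = analyze_mbr(sector, REFERENCE_HASH)
        print(f"{name}: boot code matches reference={r['boot_code_matches_reference']}, "
              f"signature ok={r['has_boot_signature']}, first partition={r['partitions'][0]}")
```

On a real system the reference hash has to come from a machine you trust (or from a copy of the standard boot code for that OS) and the sector has to be read and rewritten with the suspect OS not running; repairing from inside it is exactly what the thread says the rootkit prevents. Note that a matching boot-code hash only says sector 0 is clean; it says nothing about other sectors a bootkit may have written.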
#30

Isn't LUA simply the solution?
PrevxHelp, why not simply explain that this is an easy solution, which complements your security solution so well (or maybe it is the other way around, isn't it?)
__________________
Scientific Linux!

#31

Quote:
LUA is a solution to a majority of malware problems, but it simply isn't viable for a majority of home users, which is why most people don't use it (it's just too restrictive). However, if you do run EVERYTHING under LUA, you should be completely safe from this threat.

#32

Quote:
So does it mean that HIPS applications won't be able to do much once the rootkit succeeds in digging itself into the system? How does the same file, intercepted during its attempt to get into the PC, suddenly cloak itself once it manages to do so? Isn't that basically what HIPSs monitor? Wouldn't every file/process residing in the PC be under the watch of a HIPS?
Last edited by metalforlife : April 14th, 2009 at 03:17 PM.

#33

Quote:
Well, maybe prior to Vista. With Vista, I really don't see much point in using an administrator account. IMO

#34

Quote:
That's correct. Once it's in, you'll need a standalone scanner to find it, because the behaviors occur in hidden threads which aren't visible to "normal" HIPS methods.

#35

Quote:
Understood.

#36

Quote:
Not even Prevx?

#37

Quote:
__________________
Who controls the past controls the future. Who controls the present controls the past. vmworld

#38

Quote:
We do now, but to be completely honest, we didn't before. Sure, we blocked the dropper, but that's not difficult. The real challenge with this threat is finding it on an infected system (without forcing users to resort to a boot CD).

#39

I don't doubt TF would miss it also - I've been a very big fanboy of it lately, but at least I'm being open-minded and honest about its mistakes.

#40

I think you also need to be open-minded about what is reported and what is actually true. And that bothers me. F-Secure has been on top of this one from the start, even before Prevx.
__________________
Webroot SecureAnywhere

#41

Quote:
Do you know what version of F-Secure detects/cleans this threat? I tried last week with F-Secure 2009 and it didn't find it at all, but I'm reinstalling again now to see.

#42

Set your settings to High.
__________________
Webroot SecureAnywhere

#43

Quote:
I can only speak from my personal experience, and that's exactly what I do - and that's true for F-Secure as well. I've had bad experience with it in the past and the prog. is not for me, but I never doubt that it's one awesome product that's just becoming better. The same goes for Prevx. I've got many FPs with it, and not surprisingly especially with the beta, so even if I'm running it with a license at least till it runs out and hoping that real "1 PC" support is there when it does so I can hesitate less on renewing it, I can't set the automatic removal feature to on even if it's there - and I personally like automatic operation - because of personal experience. Personal experience also makes me choose TF before it.
Last edited by raven211 : April 14th, 2009 at 04:44 PM.

#44

F-Secure is a beauty if you treat her nice; Edge is a filly kicking her legs out to see what the world holds. And then there is Norman.
__________________
Webroot SecureAnywhere

#45

Quote:
I ran a "Quick Rootkit Scan" with FS2009 and it came up empty on "High" with the newest definitions. I'm running a full scan now, but it looks like it may take a while - I'll report back once it's finished.

#46

Thanks, Joe. I would like to know from what I was led to know.
__________________
Webroot SecureAnywhere

#47

After I had a look at them, none of the commercial antirootkits, nor most of the standalone free antirootkits, are able to detect the rootkit once it is active in the system.
__________________
Before you criticize someone, you should walk a mile in their shoes. That way, when you criticize them, you are a mile away from them and you have their shoes. Check your PC in about a minute
Last edited by EraserHW : April 14th, 2009 at 06:34 PM.

#48

My F-Secure 2009 scan has finished on a bare install of XP SP2 with the new MBR rootkit active and it was not detected with the newest definitions (updated directly before the scan on the High level of protection).

#49

PrevxHelp, or if I can call you Joe,
did you try Kaspersky 2009? On-demand & on-access?
__________________
Avira AntiVir Premium 9

#50

Quote:
KIS 2009 misses it on-demand. A number of vendors have added this particular sample to detection on-access, but the problem lies in detecting already-infected computers.
