Olmarik / TDL3 rootkit

[Marcos]

Quote:

Originally Posted by Roman Rashevskiy

Ok.
In my question I mean - "When will ESET's products can remove active TDL3 from computer?"

If you were unable to clean a computer infected with the Olmarik (aka TDL3) rootkit using this ESET Olmarik cleaner, let us know. Also we are planning to make some improvements for detecting and cleaning rootkits using the ESET rescue cd.

[Roman Rashevskiy]

Quote:

Originally Posted by Marcos

If you were unable to clean a computer infected with the Olmarik (aka TDL3) rootkit using this ESET Olmarik cleaner, let us know. Also we are planning to make some improvements for detecting and cleaning rootkits using the ESET rescue cd.

I will test this utility timorrow, but ESET NOD32 Antivirus and ESET SmartSecurity unable to clean a computer, infected with TDL3 and I think that Antivirus product, which realised on signatures-methods, should not only detect threats, but it should clean PC from threats.

[Marcos]

Quote:

Originally Posted by Roman Rashevskiy

I will test this utility timorrow, but ESET NOD32 Antivirus and ESET SmartSecurity unable to clean a computer, infected with TDL3 and I think that Antivirus product, which realised on signatures-methods, should not only detect threats, but it should clean PC from threats.

This is not always feasible. For that reason, AV vendors also create standalone cleaners/removers besides the anti-virus programs. In the case of rootkits the best course of action is to boot from a clean media (e.g. ESET rescue cd), scan the disk and remove all found malware.

[Roman Rashevskiy]

Quote:

Originally Posted by Marcos

This is not always feasible. For that reason, AV vendors also create standalone cleaners/removers besides the anti-virus programs. In the case of rootkits the best course of action is to boot from a clean media (e.g. ESET rescue cd), scan the disk and remove all found malware.

I understand that some threats (such as rootkit for keyboard of Mac) can't be cleaned by AV-products, but Dr.Web and Kaspersky Lab. can clean TDL3.

[siljaline]

I see that the detection database as early as 4083 have been targetting Win32/Olmarik, fwiw, an observation

[Roman Rashevskiy]

Quote:

Originally Posted by siljaline

I see that the detection database as early as 4083 have been targetting Win32/Olmarik, fwiw, an observation

I see it too, ESET can detect TDL3 if you computer not infected with this threat, but if your computer infected with it - ESET Antivirus NOD32 and SmartSecurity can't help you

[Marcos]

Quote:

Originally Posted by Roman Rashevskiy

I see it too, ESET can detect TDL3 if you computer not infected with this threat, but if your computer infected with it - ESET Antivirus NOD32 and SmartSecurity can't help you

Again, did you try the Olmarik removal tool? Standalone cleaners as well as the rescue cd are intended for cases when malware authors intentionally target specific security software and tailor the code to such an extent that it's undetected / unremovable by standard means.

[Roman Rashevskiy]

Quote:

Originally Posted by Marcos

Again, did you try the Olmarik removal tool? Standalone cleaners as well as the rescue cd are intended for cases when malware authors intentionally target specific security software and tailor the code to such an extent that it's undetected / unremovable by standard means.

I can clean TDL3 without any removal tools from AV-vendors.
But I want to know, when will ESET's prosucts can remove this threat without special removal tool?

You can read this test: http://www.anti-malware-test.com/?q=node/180

[siljaline]

As Marcos has requested from you here if you have used the Win32/Olmarik rootkit tool ?

The tool is available to all that require using it, regardless if you can remove this rootkit manually, no one other than a highly skilled Malware Specialist could remove this manually, so I think your request of ESET is generally moot.

I believe I could say to some level of certainty that the ESET Team are working around the clock to build into the detection database sufficient protection without requiring a special tool.

Quote:

Originally Posted by Roman Rashevskiy

I can clean TDL3 without any removal tools from AV-vendors.
But I want to know, when will ESET's prosucts can remove this threat without special removal tool?

You can read this test: http://www.anti-malware-test.com/?q=node/180

[biscuits]

Quote:

Originally Posted by Roman Rashevskiy

I can clean TDL3 without any removal tools from AV-vendors.
But I want to know, when will ESET's prosucts can remove this threat without special removal tool?

You can read this test: http://www.anti-malware-test.com/?q=node/180

Why do want to know when will ESET NOD32 and SS can remove TDL3?

[Marcos]

Active Olmarik detection should improve if you use EAV/ESS 4.2 or enable pre-release updates.

The stand-alone cleaner is going to be updated shortly as well. The new version will bring improved detection/removal for new variants, including those against which some competitive removers are ineffective.

[siljaline]

You may enable pre-release updates here
As Marcos said in his previous post and I quote:

Quote:

The stand-alone cleaner is going to be updated shortly as well. The new version will bring improved detection/removal for new variants, including those against which some competitive removers are ineffective.

This is excellent news that newer variants of this rootkit will be better targetted and removed successfully.

[ESS3]

-www.anti-malware.ru- belongs to Kaspersky. What they are not recognized, and hide. I live there and know for sure! There tests are bogus. Testing of ESET they produce is not fair.
http://www.securelist.com/ru/userinfo/14764

http://kltest.org.ru/viewtopic.php?f...432&start=1440

[siljaline]

To whom are you addressing your reply ? To my knowledge, nothing regarding Kaspersky has been cited in this thread.

Quote:

Originally Posted by ESS3

-www.anti-malware.ru- belongs to Kaspersky. What they are not recognized, and hide. I live there and know for sure! There tests are bogus. Testing of ESET they produce is not fair.
http://www.securelist.com/ru/userinfo/14764

http://kltest.org.ru/viewtopic.php?f...432&start=1440

[jimwillsher]

He's referencing the post further up about "www.anti-malware.ru". But as this is a serial thread, you can only post after the last existing post....

[GrammatonCleric]

It's great that the AV companies are responding with ad-on tools (assuming the users know where to look and that assumes that the user is security aware and not someone who just wants the AV to work).
It's also great that the new detection schemes are being implemented into 4.2.

However, what everyone seems to miss is the point that Roman is attempting to drive upon (whether he/she/bot is sponsored by the big Circle K or not). The point being is: why isn't NOD32 capable of removing the rootkit with it's anti-stealth technology while other AV's have no problems in the removal? Wasn't the whole point of version 4 a better infection removal of deeply entrenched infections and better detection of unknown infections? That was the main idea why we are sacrificing massive CPU cycles (over large or unknown files) with version 4 over the low resource hit of version 2.7.

I am not for or against, just re-stating what I think is the gist that he/she/bot was attempting to convey.

[Triple Helix]

Read this blog post from a Prevx Malware Expert http://www.prevx.com/blog/143/BSOD-a...apologize.html and this one http://www.prevx.com/blog/139/Tdss-r...s-the-net.html as the TDL3 Rootkit is a very nasty RootKit not all AV's will clean every variant of this nasty as it changes many times!

TH

[The Hammer]

Quote:

Originally Posted by GrammatonCleric

It's great that the AV companies are responding with ad-on tools (assuming the users know where to look and that assumes that the user is security aware and not someone who just wants the AV to work).
It's also great that the new detection schemes are being implemented into 4.2.

However, what everyone seems to miss is the point that Roman is attempting to drive upon (whether he/she/bot is sponsored by the big Circle K or not). The point being is: why isn't NOD32 capable of removing the rootkit with it's anti-stealth technology while other AV's have no problems in the removal? Wasn't the whole point of version 4 a better infection removal of deeply entrenched infections and better detection of unknown infections? That was the main idea why we are sacrificing massive CPU cycles (over large or unknown files) with version 4 over the low resource hit of version 2.7.

I am not for or against, just re-stating what I think is the gist that he/she/bot was attempting to convey.

Other Av's do have a problem with removal. F-Secure for one. See here http://www.wilderssecurity.com/showt...75#post1628175

[siljaline]

@ GrammatonCleric

Much of this, less being botted, has been discussed already we await these from ESET.

[Triple Helix]

Quote:

Originally Posted by siljaline

@ GrammatonCleric

Much of this, less being botted, has been discussed already we await these from ESET.

That was Feb 19th and now it's the 22nd so lets see it and the TDL3 has probably changed a few times since! That is why I made my Quotes of Marco's Blogs! I'm a advent NOD32 user and they need to Detect it with it's Advanced Heuristics and block new variants with it! I would love to see the famous Advanced Heuristics kick into action on this one.

TH

[siljaline]

Noted, Triple Helix. ESET surely has not forgotten what they had promised and are surely working on as I type and as Marcos has already said.

We are all on the same team with respect to getting a tool and/or hoping that ESET will be able to build into the scanning heuristics of NOD32

[Marcos]

1, most of new Olmarik variants are detected proactively or detection is added quickly when a new variant appears. So there's very little chance that you would get infected with ESET running and kept up to date.

2, as for removal, even standalone tools from other vendors don't detect / remove every variant. As I wrote, all Olmarik variants should be detected with the latest Anti-stealth module available in v. 4.2 or on pre-release update servers.

[Triple Helix]

Quote:

Originally Posted by siljaline

Noted, Triple Helix. ESET surely has not forgotten what they had promised and are surely working on as I type and as Marcos has already said.

We are all on the same team with respect to getting a tool and/or hoping that ESET will be able to build into the scanning heuristics of NOD32

Quote from your link:

Quote:

In addition to comparing potential malware against known virus signatures, all ESET security products use heuristics in detecting viruses, trojans and other threats.
Heuristics is a technique that implements a set of guidelines or rules in order to problem solve efficiently. In an antivirus context, heuristics are a set of rules used to detect malicious program behavior without needing to uniquely identify the specific threat, as is required by classic signature-based detection.

TDL3 writers are changing faster than the signatures are getting out, the reason I suggested using Advanced Heuristics to protect us now! Proactive protection not a cleaning tool!

TH

[Triple Helix]

Quote:

Originally Posted by Marcos

1, most of new Olmarik variants are detected proactively or detection is added quickly when a new variant appears. So there's very little chance that you would get infected with ESET running and kept up to date.

2, as for removal, even standalone tools from other vendors don't detect / remove every variant. As I wrote, all Olmarik variants should be detected with the latest Anti-stealth module available in v. 4.2 or on pre-release update servers.

Agreed that's what I was looking for detected proactively and to block new variants And I do have pre-release updates checked!

Thanks Marcos!

TH

[czarWilliam]

Dear Marcos,

I have scanned my system with many different malware scanners recently. Eset NOD32 is the only one that detected the presence of the Win32/Olmank rootkit. Eset deserves full marks for its detection capability.

However, I have run the Eset Win32/Olmank Remover version 1.1.0.1. I regret to inform you that it has failed to remove the Rootkit. When I open the program it confirms the presence of the infection on my system. After running the Remover I receive an erroneous message that claims that the infection has been successfully removed. The infection still lives. It is time for a new, improved version of the Remover.

P.S. Kaspersky's TDSSkiller version 2.2.4 did remove it.