An Inconsequential Rootkit Test

Having a little time and a flash drive with 3 relatively new (found last week) zeroaccess rootkits, I decided it was time to infect a computer and try out some of the 3rd party rootkit removers, specifically the newest version of Oshi Unhooker (to my knowledge the first antimalware app from the Seychelles). Along with Oshi, I decided to test 8 others. Please note that only 3 samples were used and they all were a specific type of Rootkit so please don’t draw too much in the way of a conclusion. But if you do need an antirootkit scanner, I hope the results will assist on which to try first.

Anyway, the test system was a Win XP 32bit thingy (lowest common denominator). Each of the 3 samples were confirmed as malicious (ZA) and run (one right after the other). As HitmanPro detected the rootkit after infection testing proceeded as follows:
1), Samples run
2). Confirmation of infection by HMP
3). One of the AntiRookit scanners was run, and no matter the result the computer was rebooted and,
4). HMP was again run to determine if System was cleansed of infection.

Results:
GMER- crashed
avast! aswMBR Rootkit Scanner- crashed
(Please note that both successfully completed a scan on the test system when it was completely clean)
Bitdefender Rootkit Remover- fail (didn’t detect any infection)
Trend Micro RootkitBuster- fail (detected infection but noted “Unable to Fix”)
McAfee Rootkit Remover- fail (really fast but really useless)
Sophos Rootkit Removal Tool- fail (Detected infection but failed to clean, even though it said it had. Typical Sophos! Also note that this is a combo Anti-malware\antivirus\antirootkit product and must be installed)
Kaspersky TDSSKiller- fail (also uselessly fast)
Oshi Unhooker- fail (WAHHH! I wanted it to work. But the interface is pretty)
Malwarebtytes Anti-Rootkit- Pass (surprise, surprise)

Conclusion and Comments- As shouldn’t be a shock to any, Malwarebytes makes good products. As for the GMER and Avast crashes, I can’t determine if the malware had a specific coding to cause these to crash, or if just the nature of the infection made them loop- whatever, they failed. I also have to add before I close that the Sophos product actually has a use- I came across a Trojan earlier this month that when run would hide the directory it was run from, as well as spawning a number of daughter programs into that same (now hidden) directory. Although Hitman could not see this directory to detect the files, Sophos was able to detect the parent and the daughters. And once again after stating that the infections were cleaned, it lied. Typical Sophos!

 

no Emsisoft Emergency Kit? Combofix?

 

Test Addendum: 3 others scanners were added:

1). ComboFix- Pass (thanks, guest. I totally forgot to use this one)

2). Emsisoft Emergency Scanner- fail (it did actually detect one (missed the rest) of the infected points, the hidden C:\windows\assembly\gac\desktop.ini file, and indicated it would delete it on reboot. Of course it failed to do so. I really don't like this product).

3). CCE- Pass (found all and cleaned on reboot- actually performed better than I expected)

 

Nice, how about Norton Power Eraser and NoVirusThanks ARK?

 

Thanks, sista!

 

Thank you for the info cruelsister.Kaspersky TDSSKiller,hmmm...an unpleasant surprise i suppose..

 

I guess to wrap things up I reinfected the poor computer and ran MSERT, NNoVirusThanks rootkit tool, as well as Norton PowerEraser (which always puts me in a good mood).

Results:

Msert- fail (crashed whenever the system was infected with the ZA's- actually froze the system. Worked fine on a clean computer, however)

NoVirusThanks Rootkit Tool- fail (found nothing. At least it was fast)

Power Eraser- FAIL (It did find 3 things which it marked as malicious: Combofix, my beloved Seamonkey browser, and something it listed as "[]". I did select the latter and rebooted the computer. Upon restart I received a message that (sadly) Norton couldn't delete the file, but was presented with a link where I could buy NIS to proactively protect my computer. I clicked the link and was unfortunately redirected to some Russian Porn site- that pesky ZA trojan again).

 

Great thread! Thanks for taking the time to do this.
And what about HMP, did you actually test it?

 

http://www.raymond.cc/blog/10-antirootkits-tested-to-detect-and-remove-a-hidden-rootkit/

more antirootkits for your tests

interesting enough the best was Norton PE

 

Thanks for testing!
Do you have the time to test Dr.Web CureIt?
In my experience they normally pass were others fail.

/E

 

Just to make a note that NoVirusThanks AntiRootkit has not been upgraded for over two years...