CounterSpy 2 - Notes

Discussion in 'other anti-malware software' started by eburger68, Feb 5, 2007.

Thread Status:
Not open for further replies.
  1. asyland

    asyland Registered Member

    Joined:
    Jun 5, 2006
    Posts:
    90
    Hi Eric,
    Just started trying out CS2. The install went without a hitch, and compared to the 48MB of memory that 1.582 was using on my system, v2 is using a modest 16MB, so congrats on the new design. So far no compatibility problems with my other apps. Also just did a scan of processes, reg, and my C drive (approx. 15GB used) and the scan took just over 12 minutes with no complications. So far everything looks good, so again congratulations!
     
  2. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Well, I've finally got around to installing the latest offering from the team@Sunbelt.

    First impressions on initial installation and operation are as follows.

    1) Installed and updated without any of the bugs my setup had experienced with an earlier version. Moving around the various tools, tabs and settings seemed somewhat smoother and very eye-pleasing :) :thumb:

    2) Looking at Process Explorer during operations, it's not the resource hog of its former incarnation, and there is a definite advancement in scan speed. Another *biggy* for me is that, using most of these types of tools, I like to try them as on-demand, so when I close functions and exit software, seeing services/exes still active irks me somewhat, and I am glad to report that when I shut down CS it removes its service & exes :thumb:

    Congrats to the Sunbelt team, this is a big improvement on the last version :cool:

    I'm now very much looking forward to giving it a challenge against the beasties in my malware menagerie to see how the under-the-hood stuff (tech advances) is shaping up *puppy* ;)
     
  3. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Seems it's a lot better than Spy Sweeper, which still keeps its services and .exes when it closes.
    lodore
     
  4. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Just a follow-up update with my further tests of the latest CS version for detection and cleaning.

    It successfully killed 2x Vundo, 2x Qoologic, 2x Lop C2, 2x Zlob/fake codec infections that I installed, admittedly against archived installers, but it still displayed its bot-killing prowess 100% :thumb: :thumb: :cool:

    Against a current infestation yesterday of CWS collected off a crack site drive-by it was semi-effective: new executables and loaded DLLs were still active after 2x cleaning runs, but then again it would have been an OMG!!! moment if it had whacked 100%, so still giving it a healthy :thumb:

    Versus my most advanced trojans (rootkits) it fared not too great, testing against samples that have been around from 3 weeks to 1 year in the wild, and this has exposed an Achilles' heel in what is a very capable anti-malware software.

    Haxdor sm. (p81eskse.sys + pasksa.dll): Successful D&C :thumb:
    Haxdor (ntio256.sys + protector.exe): Blind :thumbd:
    Rustock A (lzx32.sys): Blind :'(
    Rustock B (huy32.sys): Blind :'(
    Wincom (wincom32.sys): BSoD on scan initiation o_O
    Tr. injector aka all-in-one (see s/shot): *Partial detection and removal o_O

    *The exe and run entry in the registry are detected and removed, but the rootkit + archived copies of components held in separate folders still remain cloaked and the rootkit is still active o_O
    http://img53.imageshack.us/img53/997/csvsinjectorfailureim0.jpg

    All TR/RK droppers are available for inspection if any experts would like to re-enact/verify my test findings, but fwiw all of those files (droppers and components) have been uploaded to the MIRT malware listserv database over the last 4 months :D

    CS version tested: 2.1.906, defs set 498.

    With regards to Rustock B, which is the most advanced trojan to be tested and still the most widely regarded evasive malware rootkit in the labs...

    CS can detect a current-session (inactive) saved *copy* of the driver ($DATA) that had been recovered using RKU *detect hidden file + copy*, but still misses the live driver loaded into the ADS o_O

    http://img65.imageshack.us/img65/9884/csvsrustlzx32ji8.jpg

    Maybe something to dev for the next under-the-hood scanner upgrade to turn this into an all-round malware butt-kicker :thumb:
     
  5. EASTER.2010

    EASTER.2010 Guest

    Hats off to you again fcukdat, and man, keep that same strong head of steam going on full tilt like that, because if I've seen nothing else over these short months recently, I certainly have seen a marked increase in some serious improvements to these ASs since you've been pouring on the research over there and feeding the bug-mill with your captured samples.

    Also thanks for the continuous efforts and contributions to the bug-pots, even my own :D .

    The rest of these ASs need to really step up their efforts, because combine those results that strengthen and eliminate these high-risk threats through anti-spyware programs with HIPS, and throw in a good AV, and those malware writers are losing some of their teeth. :gack: :D
     