MBR Rootkit versus HIPS/ Sandboxes

Discussion in 'other anti-malware software' started by aigle, Jan 10, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    And therein lies the beauty of Layered Approach protection. Malware, even the very newest of their crafts, ha! ha!
    ....at least on a well-thought-out, strategically laid-out plan such as Layering with proven-track-record HIPS/Sandboxing/Virtualizing/LUA etc., only puts their efforts in a nice thick fog :D

    They are just wasting their time IMO. AV's alone, sure, they may defeat some, but with the onset of all the utilities and security programs that have surfaced in just the past year alone, those are enough hurdles to keep them spinning their wheels indefinitely.

    I've regularly taken unpatched plain-Jane XP systems through a walk in some of the darkest parks with just a choice few safety apps and never even been scratched. Vendors of specialized security prevention have raised the bar higher than they have ladders to reach IMO.
     
  2. wat0114

    wat0114 Guest

    And that I place considerable worth on :thumb: This is only one example, but it does lend support to the value of a properly configured two-way application firewall.

    BTW, thank you fcukdat for sharing the results of your considerable efforts :)
     
  3. Wordward

    Wordward Former Poster

    Joined:
    Jan 12, 2007
    Posts:
    707
    Any testing done with Comodo Pro's Defense+ enabled?
     
  4. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Sounds nice.

    This is not very objective. If you read a lot about this you would know that black hats are always one step ahead. Probably full HD encryption could help against those beasts.

    BluePill+Stealth MBR or vbootkit is their new focus. (= Hardware+Software mod)
    (which means in fact you can disable whatever process you want, that doesn't matter, kill/block svchost or anything else, but their malware still laughs at you)
     
    Last edited: Jan 12, 2008
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Here is something that I discovered; one reboot later it shows itself as rdbss.sys:

    http://i7.tinypic.com/6q3z8k2.png

    It seems that it feels comfortable alongside Comodo.
     
    Last edited: Jan 12, 2008
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    I know they have plans but when did they update their tool ?

    NB i wonder if they have updated to catch Nulprot or Allinone(TR-Inject) yet...
    http://www.dslreports.com/forum/r19633146-

    I know that SAS DKOM+DDA are bypassed by the active RK in the MBR as it is fileless. FWIW the system is subverted as soon as it boots because the kernel is patched, so I'm guessing that all these would be bypassed, although I have not tested to verify beyond SAS PR 4.0.

    I have asked others to check elsewhere but no one seems to be able to return a positive confirmation of detection once loaded....

    That said, the Sinowal file components have been expedited into most good software's targeting databases as soon as it was distributed. So although the software is blind to the active RK, it will probably take out the installation files to prevent it from landing in the first place :D

    2-way firewalls will capture most malware infections phoning home, but it must be remembered that not all will be detected.

    There are trojans that patch part of the OS underpinning the firewall's operation, and the net result is outbound communication while the firewall sleeps.
    Also there have been ITW infections seen where the BITS service of XP is used to phone home and import more baddies. Unless you have the firewall configured to uber paranoid (Don't trust M$), then it will sleep through that performance with default settings :blink:

    No need to test; as earlier stated, this badboy is so easily caught :D

    FWIW I would be interested in what any of the HIPS software would report if it were installed to a PC that already had the MBR RK native on it...
     
    Last edited: Jan 13, 2008
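    Since fcukdat's point is that the rootkit is fileless and in-OS tools are blind once the kernel is patched at boot, the practical defensive check is to compare the raw MBR against a known-good copy taken from outside the running system (a rescue boot or a disk image). The following is an added example, not code from this thread or from any product mentioned in it: a small Python parser for the 512-byte MBR layout plus an integrity check, run over two constructed sample sectors whose boot-code bytes and partition values are made-up test data; in practice the baseline would be captured when the machine was known clean.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0-439: boot code; 440-445: disk signature + pad
PART_TABLE_OFF = 446       # four 16-byte partition entries at 446-509
SIGNATURE = b"\x55\xaa"    # bytes 510-511: boot signature

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into a boot-code hash and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start, type, CHS end, LBA start, sector count
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
    }

def check_mbr(current: bytes, baseline: bytes) -> list:
    """Return findings; an empty list means the MBR matches the trusted baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    for i, p in enumerate(cur["partitions"]):
        if p["status"] not in (0x00, 0x80):   # only inactive/bootable are valid
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    return findings

def build_sample(boot_code: bytes) -> bytes:
    # Constructed sample MBR: given boot code, one NTFS-type partition, signature.
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x11\x22\x33\x44\x00\x00"          # made-up disk signature + pad
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return code + disk_sig + entry + b"\x00" * 48 + SIGNATURE

BASELINE_MBR = build_sample(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # constructed "clean" code
TAMPERED_MBR = build_sample(b"\xeb\xfe\x90\x90")                   # constructed altered code
```

    To use it on a real system, read the first 512 bytes of the physical disk (or of an offline image) from a trusted boot environment and pass that as `current`, with the clean copy as `baseline`.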
  7. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello fcukdat,

    I guess I must have jumped the gun regarding Prevx CSI+.


    Peace & Gratitude,

    CogitoErgoSum
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK, just to clarify, I assume that HIPS that monitor "Low Level Disk access" can stop this thing and probably all other malware that tries to modify the MBR?
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Seems you did not read the whole thread!
     