TDL3 Rootkit

A little while ago there was an interesting blog by Marco (Eraser) and comment here about Prevx being the only company able to detect this rootkit at the time although detection and removal wasn't incorporated into the Prevx3 version that was then available.
With the proliferation of TDL3 and the newer variants of the TDL3/Alureon family does Prevx 3.0.5.50 now detect and remove these or is it still a case of requiring remote assistance to remove it?

Edit: This is the link to the previous discussion

https://www.wilderssecurity.com/showthread.php?t=258778&highlight=TDL3

 

Good Question!

TH

 

We're currently in the process of improving our cleanup of TDL3 (and similar threats) but are still just helping users on a case-by-case basis for now as we don't want to give out our new techniques to the mass public just yet

We will definitely keep our users here and readers on our blog up-to-date with new interesting developments but right now we're working on a much more streamlined generic approach to defeat this new generation of threats which should put us significantly in front of where the malware authors are at the moment.

Of course I'll divulge more information a bit later... but for now we're fairly tight lipped - no need to escalate the inevitable cat and mouse game any faster than it already is

 

pmed PH.

 

Many thanks for the update Joe, interesting

 

TDL3 rootkit authors are quickly defeating every new public fix approach, they are really active in counteracting them by releasing every few days a new update of the rootkit

 

Sometimes several updates in a day!

 

well how effective is the real time protection of prevx in preventing the infection in the first place?

 

yep, my question too.

the behaviour blocker should pick up on such a threat, surely?

 

Yes - at the moment we're blocking every variant we're aware of. We recently had a submission of two TDL3 variants we didn't automatically flag but have subsequently added a new rule which will block them generically in the future.

As always, let us know if you come across anything new and we'll investigate it further!

 

"Yes - at the moment we're blocking every variant we're aware of."

What settings are you using?
As is out of the box or have you increased the settings?
Thanks.

 

I'm going to call you on this one Joe. So is every other AV Vendor. If you don't know about them you can't block them.

 

That's why technologies like heuristic are more and more developed They can assist you intercepting new unknown threats even without knowing them each one

 

I agree with you Eraser. The good old days of relying on signatures only is quickly fading into the past. Unfortunately, just as any any antimalware app is getting close to having all the answers, the malware authors change the questions.

 

Precisely true - However, my response is just me being diplomatic. I can't be 100% sure we're finding every variant in existence but our heuristics have correctly latched onto every variant we've received so far

 

is prevx safeonline compatible with keyscrambler?

 

Is that with default settings? If not what settings are you using?

 

This is the way I always have it without problems!

TH

 

Mine is configured the same as Triple Helix's. Max/Med/Med. I never have any problems.

 

agree. At the start setting it this high resulted in some FPs, but they have worked hard to correct that.

 

I can't remember the the last time I got a false positive with Prevx it's been ages

TH

 

Oh ok, I have been using medium on all settings. I'll try the high setting on AH and see how that is. If no fp then I may nudge it up to max.

 

I'm finally going the other way... nudging the settings down a notch, to Max/High/High. I've been running with Max across the board, but I finally decided to bring it down, especially after getting HitmanPro.exe fp's while running a HMP scan. And according to TH and Threedog, I should probably come down even more.

 

I'm going to try that also to see how it goes!

TH

 

This thread should help answer your quesiton.


https://www.wilderssecurity.com/showthread.php?t=258095&highlight=keyscrambler