Useless defence against TDSS

Just wasted an hour cleaning up a TDSS infection. It would appear NOD32 just laid down and played dead whilst the rootkit somehow got through Opera with a Flash + adblocker and JS off by default. Couldn't detect the modified boot sector, only the payloads it was downloading. TDSSKiller from Kapersky did the same. Only Hitman Pro could detect and kill it. This is a bit pathetic; it's not as if it's unheard of, it's a widely known and dangerous rootkit, so why did a supposedly high-end AV just let it waltz on by? Either beef up your TDSS defense or my subscription's going elsewhere next time.

Anyone else had a similar experience?

 

This is absolutely not true. New variants of Olmarik emerge on a daily basis, often there's not a single AV to detect them at the beginning. However, ESET is one of the few AVs to add detection among the first. You might be surprised how long it takes some other vendors to add detection for malware detected by ESET proactively (that malware often circumvents famous behavior blockers and runs happily on the system).

Did you actually run the stand-alone TDL4 cleaner, restart the computer and run a full system scan?

 

Sorry if I don't believe you, but it sounds more like a Hitman Pro false positive.

Unless you're suggesting it's taking advantage of a brand new undocumented Opera exploit that no one has heard of that doesn't need javascript to function, and from there, dry-by it's way to your PC, and install itself silently without admin priviledges.

Unless you're running XP with admin rights and an outdated version of flash. But from what I tried to comprehend, it seemed like you're saying flash was turned off.

 

thank you Marcos, I totally agree. Eset only gets better and as far as TDSS changing rootkits, Marcos is right on. I still,,,,, put my faith in their products and for the time being, will continue to.

 

So you basically also say we don't have to expect a behavior blocker in version 5, since you don't seem to be very positive about them?
You think ESET's current solution with generic signatures and advanced heuristics can keep up with competitors who are adding new technologies?
If not, so what is ESET's solution for version 5?

 

No antivirus product will detect all, all the time, see this reply, therefore, special tools are required, as needed.

 

So I suppose I imagined the fairly standard threats popping up in my temp folders around the clock, popups at blocked domains, attempted infected downloads, the disability to get into safe mode and an incorrect boot sector checksum all of which vanish the moment another product actually cleans it up? The boot sector being tampered with should have been flagged up immediately even if the rest of the behaviour of the rootkit wasn't.

 

I'm sure that the infection you're talking about was real, but I'm curious as to the method of payload delivery. I'm yet to hear about a drive by exploit that can (1) download and (2) execute itself via Opera, without JS enabled, and without user intervention. If such an exploit has gone live and is in the wild, I'm assuming that it'll be about, oh, two days before the internet explodes entirely - since pretty much everyone on the planet who's not browsing in a sandbox will get infected, and most folks don't clean rootkits properly. If Opera's tapped in this way, Firefox has to be, too.

 

It is pointless coming to a forum stating this...

Firstly, send files to ESET, detection should be added, in my experience within 3-4 hours.

In the mean time run other utilities to clean and/or remove...if they fail then rest assured by next signature update nod32 will detect and take things from there...

Why users must post that "such" was not detected makes no sense. Send to appropriate vendor and detection will be added. Simple.

 

My thoughts exactly.

 

I had 2 machines infected with this today and I had to use the TDSSKiller tool. The users can't explain or remember how they got infected.

Malwarebytes didn't find anything but combofix deleted theses

Detection by TDSSKiller

The users are fine at the moment so hopefully this is gone for now.

Thanks

 

Most likely all are benign xml or some sort of data files (ie. junk).

Already replied here. Please continue discussion in your thread.