Vba32 AntiRootkit 3.12.* beta

Discussion in 'other anti-malware software' started by sergey ulasen, Sep 14, 2009.

Thread Status:
Not open for further replies.
  1. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Re: Vba32 AntiRootkit 3.12.5 beta

    Specialists of http://www.ntinternals.org/ retested Vba32 Antirootkit 3.12.5.0 in the Hidden Process
    Detection Test (http://www.ntinternals.org/process_detection_test.php).

    Current result is 6 from 12. :) Last result was 1 from 12.

    We continue to work in this direction.
     
  2. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Re: Vba32 AntiRootkit 3.12.5 beta

    I think this is just how companies should work, keep it up. :)
     
  3. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Vba32 AntiRootkit 3.12.5 beta

    Thanks :)

    I have tested Vba32 Antirootkit 3.12.5.0 beta with the latest TDL3 v3.27. This is the result:

    Code:
    [main]
    quote=You people voted for Hubert Humphrey, and you killed Jesus
    version=3.27
    botid=105ef377-e1a7-42d0-a324-30096d7a9bf1
    affid=20223
    subid=0
    installdate=25.2.2010 13:59:41
    builddate=24.2.2010 17:25:9
    [injector]
    *=tdlcmd.dll
    [tdlcmd]
    servers=https://d45648675.cn/;https://d92378523.cn/;https://91.212.226.65/
    wspservers=http://j00k877x.cc/;http://b11335599.cn/
    popupservers=http://m3131313.cn/
    version=3.741
    
    Attached Files: irp.PNG, kernel modules.PNG
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Re: Vba32 AntiRootkit 3.12.3 beta

    Great, Vba shows TDL3 driver IRP hooks :)

    How about removal? :)

    Forgive me for not wording correctly, it wasn't intended to be a loaded question...

    Do you have plans for removing TDL3?
     
    Last edited: Feb 25, 2010
  5. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    Re: Vba32 AntiRootkit 3.12.3 beta

    testing now [the 4 links to download seem to be the same name/file? ]
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Re: Vba32 AntiRootkit 3.12.5 beta

    Even I as an advanced user am not sure how to interpret all those results - could you clarify how I should know what is what (what to remove and what NOT to remove, etc.)? Thanks :)
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Re: Vba32 AntiRootkit 3.12.3 beta

    The code is from the TDL rootkit...here is one I dumped,
    Code:
    [main]
    quote=Everybody's a jerk. You, me, this jerk. That's just my philosophy
    version=3.27
    installdate=26.2.2010 0:36:30
    builddate=25.2.2010 8:55:8
    [injector]
    *=tdlcmd.dll
    [tdlcmd]
    servers=https://d45648675.cn/;https://d92378523.cn/;https://91.212.226.65/
    wspservers=http://j00k877x.cc/;http://b11335599.cn/
    popupservers=http://m3131313.cn/
    version=3.741
    Although Vba is showing some of TDL, it currently is not removing it.

    There are a few removers but of course the game changes frequently.
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Re: Vba32 AntiRootkit 3.12.3 beta

    TDL 3.271
     
  9. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Re: Vba32 AntiRootkit 3.12.5 beta

    Hi!

    Thanks for your question.

    We have Vba32 Rescue disk (http://anti-virus.by/en/vba32rescue.shtml) for it.

    In the future we are planning to provide an opportunity to unhook IRP hooks. After this you can replace the malware file with a "clean" file.
     
  10. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Re: Vba32 AntiRootkit 3.12.3 beta

    3.271 and 3.272 are detected in the active state.

    02.03.2010 Vba32 AntiRootkit 3.12.5.0 beta

    * Overall robustness of the antirootkit was improved

    Fixed some bugs that led to BSOD.

    P.S.: If you have BSOD during antirootkit use, you can send minidump file to beta[at]anti-virus.by.
     
  11. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Re: Vba32 AntiRootkit 3.12.3 beta

    TDL updated to 3.273

    Code:
    [main]
    quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
    version=3.273
    installdate=3.3.2010 6:49:48
    builddate=2.3.2010 12:41:15
    [injector]
    *=tdlcmd.dll
    [tdlcmd]
    servers=https://d45648675.cn/;https://d92378523.cn/;https://91.212.226.65/
    wspservers=http://30xc1cjh91.com/;http://j00k877x.cc/;http://m01n83kjf7.com/
    popupservers=http://m3131313.cn/
    version=3.741
    delay=7200
    clkservers=http://clkmfd001.ws/
    [tasks]
      
     
    Last edited: Mar 3, 2010
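The configuration blocks dumped in posts #3 and #11 are a simple INI-style format: a `[section]` header followed by `key=value` lines, with the `[tdlcmd]` section carrying `;`-separated server lists. The following Python is an added example, not code from the thread or from the Vba32 project: it parses such a dump, pulls the hostnames and IPs out of every server list so they can be fed into a blocklist or log search, and diffs two dumps to show what changed between the 3.27 and 3.273 variants. The two embedded dumps are copied from the posts above (the forum's bold tags around changed values are omitted); the `[tasks]` section in the later dump is empty, and the parser keeps it as an empty section rather than failing.

```python
"""Parse TDL3-style config dumps and extract network indicators (added example)."""
from urllib.parse import urlparse

# Dumps copied from posts #3 and #11 of the thread.
DUMP_3_27 = """\
[main]
quote=You people voted for Hubert Humphrey, and you killed Jesus
version=3.27
botid=105ef377-e1a7-42d0-a324-30096d7a9bf1
affid=20223
subid=0
installdate=25.2.2010 13:59:41
builddate=24.2.2010 17:25:9
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://d45648675.cn/;https://d92378523.cn/;https://91.212.226.65/
wspservers=http://j00k877x.cc/;http://b11335599.cn/
popupservers=http://m3131313.cn/
version=3.741
"""

DUMP_3_273 = """\
[main]
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
version=3.273
installdate=3.3.2010 6:49:48
builddate=2.3.2010 12:41:15
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=https://d45648675.cn/;https://d92378523.cn/;https://91.212.226.65/
wspservers=http://30xc1cjh91.com/;http://j00k877x.cc/;http://m01n83kjf7.com/
popupservers=http://m3131313.cn/
version=3.741
delay=7200
clkservers=http://clkmfd001.ws/
[tasks]
"""

# Keys under [tdlcmd] that hold ';'-separated URL lists in these dumps.
SERVER_KEYS = ("servers", "wspservers", "popupservers", "clkservers")


def parse_tdl_config(text):
    """Return {section: {key: value}}. Keys may be '*'; sections may be empty."""
    cfg = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            cfg.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)  # values may contain '=' themselves
            cfg[section][key.strip()] = value.strip()
        # Any other line (stray text in a dump) is ignored rather than raising.
    return cfg


def extract_hosts(cfg):
    """Collect every hostname/IP from the server lists under [tdlcmd]."""
    hosts = set()
    for key in SERVER_KEYS:
        for url in cfg.get("tdlcmd", {}).get(key, "").split(";"):
            url = url.strip()
            if url:
                hosts.add(urlparse(url).hostname)
    return hosts


def diff_configs(old, new):
    """Return (added, removed, changed) as sets of 'section.key' names."""
    old_flat = {f"{s}.{k}": v for s, d in old.items() for k, v in d.items()}
    new_flat = {f"{s}.{k}": v for s, d in new.items() for k, v in d.items()}
    added = set(new_flat) - set(old_flat)
    removed = set(old_flat) - set(new_flat)
    changed = {k for k in old_flat.keys() & new_flat.keys()
               if old_flat[k] != new_flat[k]}
    return added, removed, changed


if __name__ == "__main__":
    old, new = parse_tdl_config(DUMP_3_27), parse_tdl_config(DUMP_3_273)
    print("version:", old["main"]["version"], "->", new["main"]["version"])
    print("hosts new in 3.273:", sorted(extract_hosts(new) - extract_hosts(old)))
    added, removed, changed = diff_configs(old, new)
    print("added:", sorted(added))
    print("removed:", sorted(removed))
    print("changed:", sorted(changed))
```

Running it shows the two new `wspservers` hosts and the `clkservers` host introduced in 3.273, the `delay` and `clkservers` keys being added, and the per-bot `botid`/`affid`/`subid` fields missing from the later dump; the `servers` list itself is unchanged across the two variants, which is the kind of stable indicator worth keeping in a blocklist.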
  12. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Re: Vba32 AntiRootkit 3.12.3 beta

    I'm still confused about how to interpret the results... :doubt: It's like when I tried to use Rootkit Revealer or something like that. :blink: :ouch:
     
  13. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
    Vba32 AntiRootkit 3.12.5.1

    Vba32 AntiRootKit 3.12.5.1 beta.

    Links for downloading:

    http://www.anti-virus.by/en/download_arkit_beta.php?

    ftp://anti-virus.by/beta/Vba32arkit_beta.7z

    ftp://anti-virus.by/beta/Vba32arkit_beta.rar

    ftp://anti-virus.by/beta/Vba32arkit_beta.zip

    http://vba.datacenter.by/beta/Vba32arkit_beta.7z

    http://vba.datacenter.by/beta/Vba32arkit_beta.rar

    http://vba.datacenter.by/beta/Vba32arkit_beta.zip

    The antirootkit has the following changelog:

    + Main window was completely redesigned

    Now the HTML report is generated in the main window. Later you will have an opportunity to save it to a file.

    + Usability was improved ( added context menus, hot keys, tabs, etc. )

    You can work with the utility without a mouse. There are still some troubles but we will fix them ASAP.

    + Increased the number of checked autorun items ( Quick Launch, Service Modules, Explorer, Task Scheduler, Image File Execution Options )

    + View/delete for KeBugCheck notificators

    + HTML report was improved: navigation, scan time, the state of Vba32 Defender were added. Interrupted scanning and errors in the analysis process are correctly displayed in the report

    The HTML report now looks much more structured and validates by W3C.

    + Web page of the beta version of Vba32 AntiRootkit

    Antirootkit web page: http://www.anti-virus.by/en/beta.shtml . There you can download Vba32 AntiRootkit with a random name.

    * Internal caching of scanned files was improved

    Total checking time significantly decreased.

    * Hidden processes search mechanism was improved

    * Vba32ar.dll and Vba32arch.dll functionality moved to the .exe file. Now the .exe is packed with UPX

    * Help in Russian was improved

    - Temporarily removed quarantine and scripts
     
  14. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Re: Vba32 AntiRootkit 3.12.3 beta

    I have tried to run this twice, and both times it has failed to complete. My computer became locked up. No response to mouse or keyboard. Had to do a hard restart.

    First time with the check-box ticked for "Vba32 Defender", and the second time, unchecked.

    It seems to run into a problem when it gets to... 'Kernel-Mode Hooks' section.
     

    Attached Files:

  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Re: Vba32 AntiRootkit 3.12.3 beta

    @sergey ulasen

    Thanks works for me :thumb:

    vl.gif

    The log also showed me 2 crypted files belonging to one of my security apps, that no other ARK etc does :thumb: I won't show them or say what app it is to protect their confidentiality ;)

    Version info is slightly confusing

    v5.gif

    You don't get a chance to select

    dont.gif

    before it scans, only after ?

    System shows some strange results ?

    pro.gif



    @Tarnak

    Try doing manual one at a time scans via TOOLS

    opt.gif
     
  16. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Re: Vba32 AntiRootkit 3.12.3 beta

    Thanks :) We are trying to do our best :rolleyes:

    What did you expect to see here? 5.1 is the actual file version btw :)

    Just uncheck "Check digital signature" in the main window and you'll get the result you wish.

    Nothing strange here. The "System" process doesn't have a corresponding executable file by its design. The System process serves as a container for the system threads which are needed for some drivers and other kernel-mode stuff. In 3.12.5.2 you'll be able to see those system threads.
    The only thing we probably need is to hide the "File Information" tab for this process. Thanks for the suggestion. ;)
     
  17. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Re: Vba32 AntiRootkit 3.12.3 beta

    Hi, thank you for your interest in our product.
    First of all we apologize for any inconvenience. The product is in the beta stage so system hangs are still possible. Did you try to uncheck the "Kernel Mode Hooks" option? If not, please do and let us know.
     
  18. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Re: Vba32 AntiRootkit 3.12.3 beta

    You're welcome!

    I did try unchecking "Kernel Mode Hooks", and still unsuccessful.

    In fact it locked up very quickly the 3rd time I tried to run it. It locked up at around 3.00pm, and when I rebooted, see the file change monitor as indicated by the second screenshot.


    Edit: Further explanation as follows:

    Even though I had unticked "Kernel Mode Hooks", as can be seen from my screenshot below... the scan came to a halt about 5 minutes later (i.e. 3.06pm)... system completely unresponsive.
     

    Attached Files:

    Last edited: May 13, 2010
  19. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Re: Vba32 AntiRootkit 3.12.3 beta

    Check just "Kernel Modules", try to get the log and send it to beta[at]anti-virus.by if you succeed.
    Is there any possibility to take a screenshot after the system hangs? If not, please describe in detail what you see. The most important thing is the status bar and the current iteration name.
     
  20. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Re: Vba32 AntiRootkit 3.12.3 beta

    I sent an email about 10 minutes ago.
     
  21. sergey ulasen

    sergey ulasen AV Expert

    Joined:
    Sep 4, 2009
    Posts:
    50
  22. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,058
    Location:
    United Surveillance States
    Re: Vba32 AntiRootkit 3.12.3 beta

    Thanks Sergey. That's great results for Vba32 ARK! Is the "[-12-] - THREAD OBJECT - MANIPULATION" impossible to detect? I see that no product has a + for it.
     
  23. Durad

    Durad Registered Member

    Joined:
    Aug 13, 2005
    Posts:
    594
    Location:
    Canada
    Re: Vba32 AntiRootkit 3.12.3 beta

    Why do all products fail that #12 test?

    How do we detect malware that is using the #12 technique?

    thanks and great work VBA
     
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Re: Vba32 AntiRootkit 3.12.3 beta

    @AF_

    Re Version info

    I expected to see 3.12.5.1 not just 5.1.0.0 :p


    :thumb:


    Thanks for the System feedback
    :thumb:


    Autorun shows a very nice comprehensive list :thumb:

    Zombie Processes is good for showing what is still in memory, even though the actual app or malware has stopped running :thumb:


    @sergey ulasen

    Yes up with the best now :thumb: Only #12 test to pass now :D
     
  25. AF_

    AF_ Registered Member

    Joined:
    May 13, 2010
    Posts:
    23
    Re: Vba32 AntiRootkit 3.12.3 beta


    Nothing is impossible. For sure the #12 test could be defeated, but since that is only a PoC and there is no real malware using this technique, it's not a vital problem indeed.
    We have a lot of things to implement in our product which are much more important. Finding hidden dll's ( fuller TDL/MAX++ and other malware detection ) or thread analysis ( for Rustock 2010 for example ) are among them. You'll see many more improvements in 3.12.5.2.
    Also I'd like to thank Alex of NtInternals for his tests and all of our beta testers of course.
     