what is the best rootkit prevention/protection?

Discussion in 'other anti-malware software' started by jmonge, Jan 25, 2010.

Thread Status:
Not open for further replies.
  1. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Save them, they're great!!

    TH
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Sure :D this one reminds me of high school lol :D ;)
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Unfortunately, all of these analyses of this BackDoor.Tdss.565 exploit show what happens after the trojan file is executed. Thus, your quote earlier from the PDF file,

    comes later in the article, where the opening statement is,

    So, the assumption is, the malware file has executed, and now it's analyzed.

    The analysis is very interesting (also very complicated -- I can't follow most of it). You wrote earlier,

    For a better understanding, you need to read basic analysis of malware behavior, code injection, rootkit behavior, etc. Once you get all of that, you can explain it to me!

    From one point of view in this thread, these analyses of the malware behavior are irrelevant to 'Prevention at the Gate', so to speak: How can the malware be prevented from being delivered?

    Nowhere is it discussed in these analyses how BackDoor.Tdss.565 is delivered to the computer and attempts to execute in the first place.

    In all of the Hijack Forums, no one ever says how the infection took place: what was the delivery method to the computer? Has anyone heard or read details about how one has gotten this trojan in the first place?

    BackDoor.Tdss.565 is a trojan:

    http://www.precisesecurity.com/trojan/backdoortdss565/
    Trojan used in this sense is an executable file. Thus, the suggestions for HIPS and anti-execution types of programs by many here, to effectively block the initial executable from running and doing any damage if the delivery method is by remote code execution.

    BackDoor.Tdss.565
    http://vms.drweb.com/virus/?i=441481
    So, it needs to install first. From this standpoint, a rootkit trojan is no different from any other trojan, in terms of Prevention. A rootkit, by definition, hides. Sure, that's scary, but, to paraphrase fcukdat, if it can't execute/install, it can't hide.

    However, if the infection occurs via a download that the user authorizes, as indicated in remarks regarding one of the Tdss aliases:

    Infected With Packed.Win32.Tdss.f?
    http://www.spytrackers.com/threats/packed-win32-tdss-f-removal.html
    In this case, HIPS and anti-execution protection are disabled to permit the installation. So, different preventative measures must be taken, beginning with how the user decides what is safe to download/install.

    This thread has two topics going on at once: Prevention from executing in the first place, and Monitoring/Detecting/Blocking the rootkit behavior (behaviour blockers), should the file execute, in the second place.

    These two topics should be in separate threads, in my view, for the lines between them get blurred and can cause confusion.

    ----
    rich
     
  4. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    You have made a very good point here... "If it can't execute/install, it can't hide himself"...

    IMHO, if you would like to prevent any trojan or rootkit, then you should use your little common sense first, before jumping on any conclusion...

    At first, you should have an updated OS with a good Anti-Virus, Anti-Malware and good firewall, and all these should be updated. Secondly, you should use Sandboxie for your daily browsing activities. You should always use LUA with SRP or AppLocker policies implemented.

    Never install any software/codec which is downloaded from a dodgy site. If you want to test it, test on a Virtual Machine, which again should be protected by a good AV, Anti-Malware, HIPS and any virtualisation software like "Returnil" or "Shadow Defender"... This will make you at least 99.9% safe...

    I always use this type of trend to protect my computer system....
     
  5. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    From the links given in this thread, it seems to be just another rootkit malware with nothing particularly scary or special about it. The dropper requires admin privileges to infect the system - the usual SeLoadDriverPrivilege to be more precise, and admin privileges are needed to be able to inject anything into the print spooler process that's running as SYSTEM. So basically, just another day at the office. Simply not running the malware dropper as admin would prevent infection, so, yeah, LUA would stop it.
     
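    The two preconditions Windchild names above (a token holding SeLoadDriverPrivilege, and a Print Spooler running as SYSTEM to inject into) can be checked read-only from PowerShell. This is an added example, not code from the thread or from any product mentioned in it; it assumes Windows PowerShell 3 or later, and that `whoami /priv /fo csv` is available (it is on Windows 7 and later).

    ```powershell
    # Added example (not from the thread): report whether the current account
    # satisfies the conditions the Tdss dropper needs according to the analyses
    # quoted in this thread. Run once from an elevated admin shell and once from
    # the LUA account to see why LUA stops the driver load.

    function Get-RootkitDropperPosture {
        $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
        $prin = New-Object Security.Principal.WindowsPrincipal($id)
        # With UAC, a non-elevated admin gets a filtered token: this is $false there too.
        $isAdmin = $prin.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

        # whoami /priv lists every privilege present in the token, enabled or not.
        # A LUA token simply does not contain SeLoadDriverPrivilege, so it can never be enabled.
        $privs      = whoami /priv /fo csv | ConvertFrom-Csv
        $loadDriver = $privs | Where-Object { $_.'Privilege Name' -eq 'SeLoadDriverPrivilege' }
        $driverState = if ($loadDriver) { $loadDriver.State } else { 'not in token' }

        # Print Spooler: the injection target named in the analyses. StartName is the
        # service account; 'LocalSystem' means a SYSTEM process is there to inject into.
        $spooler = Get-CimInstance Win32_Service -Filter "Name='Spooler'"
        $spoolerRunning  = ($spooler.State -eq 'Running')
        $spoolerIsSystem = ($spooler.StartName -eq 'LocalSystem')

        [pscustomobject]@{
            User                  = $id.Name
            IsAdmin               = $isAdmin
            SeLoadDriverState     = $driverState
            SpoolerRunning        = $spoolerRunning
            SpoolerAccount        = $spooler.StartName
            # Loading a driver needs the privilege in the token (and it must be enableable);
            # injecting into the spooler needs admin rights plus a running SYSTEM spooler.
            DriverLoadPossible    = [bool]$loadDriver
            SpoolerInjectPossible = $isAdmin -and $spoolerRunning -and $spoolerIsSystem
        }
    }

    Get-RootkitDropperPosture | Format-List
    ```

    On a LUA account both `DriverLoadPossible` and `SpoolerInjectPossible` come back `False`, which is the practical meaning of "LUA would stop it"; a stopped or disabled spooler flips only the second one, so it is not a substitute for least privilege.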
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    So if the print spooler process is disabled, this malware is useless then :D
     
  7. kmr1685

    kmr1685 Registered Member

    Joined:
    Aug 22, 2009
    Posts:
    62
    Hey Mr. TH :argh: I really like the second picture. I trust you are dealing with your viruses (especially rootkits) like this ;) :cool:. I really like your way, dude. Keep it up; soon I will join you. :D
    PS: Is there any welcome party to join your bandwagon? :argh: (off topic, I know).
     
  8. Chamlin

    Chamlin Registered Member

    Joined:
    Aug 8, 2006
    Posts:
    449
    So much here is over my head. Will my Online Armor Premium and NOD32 v4 take care of this?
     
  9. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    The HIPS component of Online Armor will stop this type of malware ;) if you know how to click :) when it comes to deciding allow/deny :cool:
     
  10. Chamlin

    Chamlin Registered Member

    Joined:
    Aug 8, 2006
    Posts:
    449
    Yes, that question haunts me constantly. I'm always looking up .dll's, etc. online to see what the heck they are. And, at times, in not recognizing the program (usually some Windows file), I get stuck in fear that:
    1. If I don't "allow" my PC might not work right;
    2. If I do allow, my life could get very complicated.

    Any suggestions? (It's even worse for my wife in this way!)

    Peace,
    Chamlin
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Online Armor's scanner also detects rootkits in real time ;) You should be OK if you are always careful about what you download onto your PC ;) I use Prevx for rootkit removal and DefenseWall for rootkit prevention :thumb:
     
  12. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    The wagon is never full! And if a club is all you need then use it! :D

    TH
     
  13. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    OK, so business as usual. I thought it was something new.

    Thanks
     
  14. Dermot7

    Dermot7 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    3,430
    Location:
    Surrey, England.
    Hi, has anyone seen or used this new(?) rootkit scanner PScanner++ 1.9.0.2?
    Unfortunately the website www.pscanner.com is only in Italian as yet, but some info and a d/l are also at Softpedia.
    I installed it (Windows 7 x32), and it seemed good, but I don't know enough to use it properly. Just thought it could be of interest.
     
  15. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC
    Whatever happened to Hypersight Rootkit Detector? I remember a thread on Wilders last year about it but have heard nothing since. Guess it wasn't too good.
     
  16. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Yes, also NT Internals has it listed. 1 2 more antimalware.

    Last blog post was June 23rd, 2008.
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Which scanner will be the fastest and strongest against rootkits? Any comments? Thanks
     
  18. progress

    progress Guest

    There is no strongest scanner :oops: Sometimes GMER, sometimes RootRepeal, sometimes MBAM, sometimes A² ...
     
  19. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Yeah :) I guess Prevx will do a good job at saving some bacon too ;)
     