Rustock C no longer a myth, no longer a threat

Discussion in 'other anti-virus software' started by Meriadoc, May 6, 2008.

Thread Status:
Not open for further replies.
  1. emperordarius

    emperordarius Registered Member

    True. An antivirus can detect as much as it can, but if it can't clean what it finds it is completely useless.
     
  2. aigle

    aigle Registered Member

    U mean u have droppers?

    Software: Antivir n AVG
     
  3. solcroft

    solcroft Registered Member

    There's detecting a threat before and after it activates. If it's the prior case, cleaning doesn't come into the equation at all: you just delete the file, and that's it.
     
  4. emperordarius

    emperordarius Registered Member

    Could you test Kaspersky too for me please?:D
     
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    :D :D :D
    Crete you forgot to add your monster noise :D :D
     
    Last edited: May 8, 2008
  6. sergeyko

    sergeyko AV Expert

    Those detections, that are already made by a few quick AVs (according to VT) are too quick. Either they cannot detect an active infection or their disinfection would make a system stop working...

    Let's wait. I'm far from enjoying this. DrWeb really wants other vendors to be able to fight rustock.c successfully, and we proved it by sharing the samples we have, we just know how difficult it is.
     
  7. Wordmonger

    Wordmonger Registered Member

    Did you share a dropper/installer?
     
  8. solcroft

    solcroft Registered Member

    Once a file gets submitted to VT, every vendor gets a copy of it. It's then up to them whether to inspect the files or not.
     
  9. jdenton

    jdenton Registered Member

    It would, if you'd spent a few seconds to think about it.

    Dr. Web found out that they were the only ones to detect this virus by scanning it on Virustotal. Meaning the other companies would've got this sample.
     
  10. Baz_kasp

    Baz_kasp Registered Member

    The only components I can see publicly circulating are drivers...which are not that useful without the dropper itself as far as I can tell.
     
  11. IBK

    IBK AV Expert

    Seems like the first submission of the mentioned Win32.Ntldrbot to VirusTotal was in mid-September 2007. :?
     
  12. steve1955

    steve1955 Registered Member

    I thought there was agreement between AV companies to share info on new threats, not how to protect against them, just samples of the threats? Used to be the case, so why have no other companies received samples of this?
     
  13. aigle

    aigle Registered Member

    With all fairness, I think (considering the nature of this malware - Rustock C) Dr.Web has the rights to make a press release first and only then to distribute the sample. They need the due credit at least.
     
  14. Macstorm

    Macstorm Registered Member

    Again, the lack of cash flow theory..
     
  15. aigle

    aigle Registered Member

    Bitdefender, AVG and MS also added the detection now on VT. I still don't see response from AVs famous for urgent updates, maybe due to the fact that the threat is low.
     
  16. Baz_kasp

    Baz_kasp Registered Member


    Or the fact that as the drweb employee said, those that have added detection are more likely to trash an infected pc than cure it due to the nature of the threat.
     
  17. aigle

    aigle Registered Member

  18. aigle

    aigle Registered Member

    Very likely. EP_X0FF confirmed the nice job by Dr.Web.

     


  19. Firecat

    Firecat Registered Member

    If any F-Secure user has the sample, do try out whether the AV detects it because I feel it may be detected via BlackLight, however, the VT engine probably doesn't include BlackLight detections.
     
  20. trjam

    trjam Registered Member

    Then, based on aigle's post, Dr Web did it, can rightfully claim it, and we all should shut the heck up instead of tearing a good thing down. Sergey, congrats. :thumb:
     
  21. sergeyko

    sergeyko AV Expert

    We did not have the dropper for some time. And yes, we checked the samples on the VT website.
    We just could not make the whole situation public before we could detect and cure it. You know, it would be pretty strange of us to say "we have a virus, nobody detects. people, be afraid!"
     
    Last edited: May 9, 2008
  22. Dwarden

    Dwarden Registered Member

    well i don't get the comments about people saying 'hey it's old and not worth detect'

    can You imagine that IF it's undetected then there are some 'thousands' maybe more people still infected with this ... ?

    i guess by pure luck Dr.Web staff don't have 'cure' statistic about this piece right ? if Yes maybe they could put some more weight against 'PR' comments ...

    i mean the Rustock based botnet is not yet dead right ?
     
  23. sergeyko

    sergeyko AV Expert

    Far from it. All rustock versions are still widely spread.

    By the way, as well as polipos... ;)
     
  24. Einsturzende

    Einsturzende Registered Member

  25. Wordmonger

    Wordmonger Registered Member

    Sorry, may I ask a hypothetical question? If after a test done by IBK or Marx you asked for samples you had missed and got a reply like 'We checked them on VT; go find them yourselves', would you call that sharing too?
     