Introducing, The New Prevx Edge.

Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.

Thread Status:
Not open for further replies.
  1. Nett0pp

    Nett0pp Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    71
    Location:
    Scandinavia



    Let's say 15 R00tkits are compressed in a RAR file... Shouldn't Prevx Edge detect them (or some of them)?

    TCSP
     
  2. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No it wouldn't. Edge does not scan archives as the files cannot actually infect your system from the archive so we don't bother scanning them.
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Also note that these rootkits are inactive so you aren't actually testing Edge against them, just testing the files themselves :) Edge would most definitely detect and clean them if it scanned when the rootkits were active :)

    Rootkits in an archive is an oxymoron :D
     
  4. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    I totally quote.

    When I read some comparatives where people test antimalware software against active and inactive rootkits, I really don't understand what they would show.

    I can understand antimalware sw against active rootkits: you're able to test the technology used against rootkit's hiding techniques.

    But why do a specific test against inactive rootkits? They are as much malware as the other ones tested in the comparative. I could still understand it if the comparative was intended to be done against specific categories (trojan, worm, backdoor, rootkit), but I've read (and I still read) comparatives where the categories tested are generic malware AND inactive rootkits.

    What is the exact goal of testing inactive rootkits outside the generic malware category?
     
  5. Nett0pp

    Nett0pp Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    71
    Location:
    Scandinavia
    I launched another scan after decompression....

    Same result!!!

    TCSP
     
  6. Nett0pp

    Nett0pp Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    71
    Location:
    Scandinavia

    We will test them ACTIVE!

    TCSP
     
  7. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you please send the files to EraserHW or myself? We will analyze them here as well to see why they're missed :)
     
  8. Nett0pp

    Nett0pp Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    71
    Location:
    Scandinavia

    I hope antimalware software will detect malicious c0des also before activation (rootkits are rootkits).

    TCSP
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, but you are testing them out of context. A file lying on disk or in an archive has no behavior and isn't a threat, but if it were to start to load we would catch it immediately :)
     
  10. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Good :) That's how a "antirootkit vs rootkit" comparative should be done
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    so meaning that an archive that is sitting without being unpacked is dead malware, inactive and with no behaviour, so there is nothing to worry about until executed?:D note: some antiviruses scan archives:D
     
  12. Nett0pp

    Nett0pp Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    71
    Location:
    Scandinavia


    We will see about that...
    Does your software find the SUN2 r00tkit (active)
    P.S. I personally want U all the best!

    TCSP

    @$
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    is that rootkit new?
    note: that's why there are layers; well, in this case a sandbox-type software or HIPS will put a rootkit in its place:)
     
  14. Nett0pp

    Nett0pp Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    71
    Location:
    Scandinavia
    ITS OLD !

    I like y0ur avatar (jmonge)

    TCSP
     
  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    thanks:D i look like this when i drink coffee:)
     
  16. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    there are some rootkits out there that are really scary, and people think that they are
    immune to malware because the virus scan says in green you are safe to go, but in fact, in reality, very scary; sometimes only a clean format can save you from those types of malware, just to be sure you are not infected;)
    like the Hxdef Rootkit or the net devil, stuff like that:D any way i am going to have some more coffee to look more yellow:D
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    any way i put my trust in prevx edge:D did you guys watch my post "prevxedge in action" with a smiley face? it was about some type of malware, i think it was a rootkit, that prevx killed,;)
     
  18. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    sorry guys i talk a lot cause i got like 5 cups of coffee already;)
     
  19. Nett0pp

    Nett0pp Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    71
    Location:
    Scandinavia

    -OFF T0PIC-

    Just take a coffee pill instead :_P... My n0se whre th F*** iz iT!
    I will never stop thinking like a child.
    Respect 2 the pure.....

    TCSP
     
  20. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    :D :)
     
  21. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    This is correct :) If a piece of malware is sitting in an archive there is nothing it can do to your system. You would first have to extract the file from the archive, where it will then be found :)

    Other antivirus products do scan through archives to protect gateway email servers primarily but for a consumer it is largely unnecessary.
     
  22. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I'm sure it does but I've never heard of it and a quick Googling says that it came out in 2000.... doesn't exactly look like a threat today ;) If you want, you can send me the file and I'll check in our database to see what we detect it as/how many users have ever seen it ;)
     
  23. Nett0pp

    Nett0pp Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    71
    Location:
    Scandinavia
    Right now Avira free 0n maxconfig and ThreatFire do impress me compared 2 a lot of other software....

    Draco
     
  24. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    it makes sense:)
     
  25. Nett0pp

    Nett0pp Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    71
    Location:
    Scandinavia
    DiabloNova writes: "Rustock.C revelation since beginning was just a question of faith"
    (c) unknown person from wasm.ru

    We were always interested in non-trivial malware samples, especially those which want to do some kicking before death.

    This one for example
    http://www.virustotal.com/ru/analisis/6cfa2dd68356c376f7610a89278ab1b4

    This malware acts as a virus; moreover, it has a rootkit component built in. In addition, this **** is protected by THEMIDA (yes, the one rumored to be the ultimate protector).

    The sample we got was merged with a trivial crack for a trivial program. Do you still consider cracks safe to use? ;) Unfortunately it is now the same **** as everywhere, and cracks have become one of the main methods to deliver malware right directly to you :) So, guys and girls, use only trustworthy cracks downloaded only from trustworthy sites/people. But even this doesn't give any guarantees, of course. Better, of course, to buy the programs, but we are all adult enough, aren't we? ^^

    So wtf is this virus doing? The first victim of this Dodelka (it is the actual name of the malware, by the way) was, oh my god, the virtual machine service responsible for drag-n-drop operations. What a loss. Actually it did not simply infect this executable; this malware fully replaced it with itself. This causes numerous bugs. Next the malware copies itself to the system32\drivers folder under the name hldrrr.exe and extracts into the same folder a driver named srosa.sys (also packed by some ****). The driver is loaded and the fun begins.

    srosa.sys (looks like a static name) sets a callback on image loading. And here is the most interesting part. This malware includes a huge blacklist of different security software and even malware competitors.

    This list is located inside the srosa.sys driver and takes more than 50% of the driver body (some items are even listed twice, in UNICODE).

    Here is just a little example of the software and numerous software components available in the blacklist (firewalls, HIPS, antirootkits, antiviruses):

    vsdatant.sys
    sandbox.sys
    safemon.sys
    filtnt.sys
    bdfndisf.sys
    Vba32PP3.exe
    vba32ldr.exe
    Vba32ifs.exe
    Vba32ECM.exe
    TrojanHunter.exe
    TrojanGuarder.exe
    SysSafe.exe
    Sysinfo.exe
    SpybotSD.exe
    SDTrayApp.exe
    scanner.exe
    SCAN32.EXE
    SAVScan.exe
    Rootkit_Detective.exe //McAfee Antirootkit
    RootkitBuster.exe //TrendMicro Antirootkit
    RkUService.exe //We will shed some light on this later
    RKUnhooker.exe //here we are! Oh thanks for listing us in your malware! :)
    RavMon.exe
    ProcessViewer.exe
    PrevxSetup.exe
    prevsrv.exe
    PQMAGIC.EXE
    PAVARK.exe //Panda Antirootkit
    OUTPOST.EXE
    MalwareRemoval.exe
    KAVSvcUI.EXE
    KAVSvc.exe
    KAVStart.exe
    KavPFW.exe
    KAVPF.exe
    kavmm.exe
    KAV.exe
    IceSword.exe //PJF's IceSword Antirootkit
    hookAnalyzer.exe
    HiJackThis_v2.exe
    HijackThis.exe
    GIANTAntiSpywareMain.exe
    F-StopW.EXE
    F-Sched.exe
    F-PROT95.EXE
    drweb32.exe
    defensewall.exe
    DarkSpy105.exe (CardMagic's/Wowocock's DarkSpy Antirootkit)
    CureIt.exe
    ClamTray.exe
    ClamScan.exe
    blackice.exe
    bdss.exe
    avp32.exe
    avgnt.exe
    avgserv.exe
    Autostartexplorer.exe
    Anti-Trojan.exe
    amon.exe
    ashAvSrv.exe
    a2HiJackFree.exe
    nod32krn.exe
    NAVW32.EXE
    zonealarm.exe
    avgarkt.sys (AVG AntiRootkit driver)
    gmer.pdb (string inside GMER Antirootkit)
    AVZ Driver //AVZ related ****, probably from version info block
    AVZGuard Driver
    AVZ Monitoring Driver
    rootkit.avz

    The full list of software is about 40Kb of text (both ANSI and UNICODE).

    What happens when one of the blacklisted programs tries to start? Fully unknown; simply not tested with this whole huge list, but regarding several of the antirootkits mentioned above and the DrWeb32 antivirus, this malware did the following:

    It modified the PE header and changed the CPU type (architecture) to an invalid one (in our case 256). After this the Windows loader was unable to load these images (including drivers) because of the unsupported CPU type. So even if your antivirus/antirootkit is able to find this malware (in theory), it doesn't mean that it will help, because this malware will simply prevent your programs from working. As it did in the case of Drweb32 and Rootkit Unhooker v3.8 newly installed after the malware.

    Okay, wtf is RkUService.exe doing in this list?
    But the RKU executable name is always random after installation, so how can it be prevented? The answer is very simple: after installation the installer drops RkUService.exe inside the RKU folder and executes it. Exactly this small tool does all the RkUnhooker.exe name randomization; after this the installer deletes this small tool. Since RkUService.exe was prevented from launching, RKU wasn't automatically renamed and the malware was able to prevent its start. However, if you had RKU already installed BEFORE the malware, it will be unable to prevent RKU.

    Imagine: you paid your money for an AV, you have downloaded all the available antirootkits, antitrojans, freeware malware removal tools, and you can't manage this infection at all because none of it is working. Drama for your money.

    In our test this malware successfully killed IceSword, DarkSpy, RootkitBuster, GMER v1.14 and Rootkit Detective aka Rootkit Defective.

    However, these malware tricks were completely useless against the VX variant of RKU, from which we gathered almost all information about Dodelka.

    Besides preventing the antimalware tools from working, this Dodelka also contains several surprises inside, some of them specially for antirootkits.

    One of them is numerous bugs inside the rootkit filters, which slow down scanning of the infected computer.

    This rootkit sets several inline hooks; this report was generated by the RKU engineering variant with the tracer turned on.

    Rootkit Unhooker report generator v1.1
    ==============================================
    Rootkit Unhooker ER
    version: 0.8 (based on VX 4.5 engine)
    ==============================================
    Windows Major Version: 5
    Windows Minor Version: 1
    Windows Build Number: 2600 (Service Pack 2)
    ==============================================
    Code Hooks scanning...
    ==============================================
    Mismatch inside c:\windows\system32\ntoskrnl.exe found
    Beginning 2 level tracing (Settings: Tracer level Medium)
    ==============================================
    Tracing: 1 level...
    ==============================================
    Tracing complete at 1 level, hooks confirmed
    ==============================================
    ntoskrnl.exe-->NtQueryKey, Type: Inline - RelativeJump 0x8056F473-->F8021974 [srosa.sys]
    ntoskrnl.exe-->NtEnumerateKey, Type: Inline - RelativeJump 0x8056F76A-->F8020E36 [srosa.sys]
    ntoskrnl.exe-->NtOpenFile, Type: Inline - RelativeJump 0x805715E7-->F8020A8C [srosa.sys]
    ntoskrnl.exe-->NtCreateFile, Type: Inline - RelativeJump 0x8057164C-->F802096E [srosa.sys]
    ntoskrnl.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x8057459E-->F801C33E [srosa.sys]
    ntoskrnl.exe-->NtQueryDirectoryFile, Type: Inline - RelativeJump 0x80574DAD-->F80210DC [srosa.sys]
    ntoskrnl.exe-->NtSetValueKey, Type: Inline - RelativeJump 0x80575527-->F801C564 [srosa.sys]
    ntoskrnl.exe-->NtSetInformationFile, Type: Inline - RelativeJump 0x80579E7E-->F801C43C [srosa.sys]
    ntoskrnl.exe-->NtQuerySystemInformation, Type: Inline - RelativeJump 0x8057CC27-->F802128E [srosa.sys]
    ntoskrnl.exe-->NtEnumerateValueKey, Type: Inline - RelativeJump 0x805801FE-->F8020B8C [srosa.sys]
    ntoskrnl.exe-->NtDeleteValueKey, Type: Inline - RelativeJump 0x80597430-->F801C77E [srosa.sys]
    ntoskrnl.exe-->NtDeleteKey, Type: Inline - RelativeJump 0x8059D6BD-->F801C97E [srosa.sys]
    ntoskrnl.exe-->NtLoadDriver, Type: Inline - RelativeJump 0x805A6B26-->F8021684 [srosa.sys]
    ntoskrnl.exe-->NtDeleteFile, Type: Inline - RelativeJump 0x805D8CF7-->F801C3EC [srosa.sys]
    ==============================================
    End of report
    ==============================================

    But the report of the public 3.8 RKU LE shows the following strange behaviour.

    RkUnhooker report generator v0.7
    ==============================================
    Rootkit Unhooker kernel version: 3.8.341.552
    ==============================================
    Windows Major Version: 5
    Windows Minor Version: 1
    Windows Build Number: 2600
    ==============================================
    ntoskrnl.exe+0x00005032, Type: Inline - RelativeJump 0x804DC032 [ntoskrnl.exe]
    ntoskrnl.exe-->NtQueryKey, Type: Inline - RelativeJump 0x8056F473 [ntoskrnl.exe]
    ntoskrnl.exe-->NtEnumerateKey, Type: Inline - RelativeJump 0x8056F76A [ntoskrnl.exe]
    ntoskrnl.exe-->NtOpenFile, Type: Inline - RelativeJump 0x805715E7 [ntoskrnl.exe]
    ntoskrnl.exe-->NtCreateFile, Type: Inline - RelativeJump 0x8057164C [ntoskrnl.exe]
    ntoskrnl.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x8057459E [srosa.sys]
    ntoskrnl.exe-->NtQueryDirectoryFile, Type: Inline - RelativeJump 0x80574DAD [ntoskrnl.exe]
    ntoskrnl.exe-->NtSetValueKey, Type: Inline - RelativeJump 0x80575527 [ntoskrnl.exe]
    ntoskrnl.exe-->NtSetInformationFile, Type: Inline - RelativeJump 0x80579E7E [srosa.sys]
    ntoskrnl.exe-->NtQuerySystemInformation, Type: Inline - RelativeJump 0x8057CC27 [srosa.sys]
    ntoskrnl.exe-->NtEnumerateValueKey, Type: Inline - RelativeJump 0x805801FE [ntoskrnl.exe]
    ntoskrnl.exe-->NtDeleteValueKey, Type: Inline - RelativeJump 0x80597430 [ntoskrnl.exe]
    ntoskrnl.exe-->NtDeleteKey, Type: Inline - RelativeJump 0x8059D6BD [ntoskrnl.exe]
    ntoskrnl.exe-->NtLoadDriver, Type: Inline - RelativeJump 0x805A6B26 [ntoskrnl.exe]
    ntoskrnl.exe-->NtDeleteFile, Type: Inline - RelativeJump 0x805D8CF7 [ntoskrnl.exe]

    As you see, many of the hooks have ntoskrnl.exe as the hooker address. Why is this happening? Let's look at these hooks in memory.

    NtDeleteValueKey

    80597423: call 804E2AD2
    80597428: retn 0C
    8059742B: jmp F801C77E
    ==========================
    Actual function body
    NtDeleteValueKey
    ==========================
    80597430: jmp 8059742

    Where the first instruction is a jump back to the jump to the rootkit driver handler. RKU LE was unable to decide who exactly is the "hooker" here. However, as you see, with the tracer such kind of hooking isn't a problem at all. Additionally, this doesn't prevent RKU LE from removing these hooks, since the mismatch is determined.

    These hooks are responsible for hiding the rootkit process, rootkit files, registry keys (including the startup location) and preventing malware removal.

    Removal of this malware isn't trivial and requires complex work, because an antirootkit can't determine exactly all components of this malware, since some of them don't use rootkit technologies, so you have a good chance of reinfection even after successful removal. The best approach here: eradicate the malware hooks and the LoadImage notify routine, determine the malware files (it is simple since all of them are the same except the driver) and kill them all. And don't forget, before using antimalware tools, to rename them to something innocent, blahblah.exe for example, because nobody can guarantee that the malware doesn't know your av/fw etc. Who needs surprises? =)

    Why did we name this malware Dodelka? Because of this
    c:\reliz2\dodelka\hlhl_vista_flesh\driver PDB string inside the rootkit driver.

    and because we really like to call this exactly "Dodelka", which in translation from Russian means "additional work". As you see, Vista is mentioned, but we didn't try this malware on Vista.

    As for RKU LE, we of course can't leave these tricks with our programs inside the malware blacklist, so a future version will contain our surprises for crapware coders (they will have to create something new).

    No, I won't give you the malware sample nor the engineering variant of RKU.
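The two defensive checks implied by the quoted writeup above, as an added example that is not part of the original post and is not Rootkit Unhooker's own code: (1) reading a PE image's COFF Machine field, so a header tampered to an unloadable CPU type (the "256" trick that kept DrWeb32 and RKU from starting) can be flagged instead of leaving the user guessing why a tool silently fails to launch, and (2) following a chain of rel32 jumps from a hooked kernel export until it leaves the owning module, which is what lets a tracer attribute NtDeleteValueKey to srosa.sys where a single-step check reports ntoskrnl.exe. The stub PE header, the in-memory jump bytes and the module address ranges are constructed for the example; the ntoskrnl.exe base is inferred from the report's "ntoskrnl.exe+0x00005032 = 0x804DC032" line, and the srosa.sys range is an assumption.

```python
import struct

# ---- Part 1: PE header sanity check (COFF Machine field) ----
# Machine values from the PE/COFF specification; 0x100 (256) is not among them.
KNOWN_MACHINES = {
    0x014C,  # IMAGE_FILE_MACHINE_I386
    0x8664,  # IMAGE_FILE_MACHINE_AMD64
    0x01C4,  # IMAGE_FILE_MACHINE_ARMNT
    0xAA64,  # IMAGE_FILE_MACHINE_ARM64
}


def pe_machine(data: bytes) -> int:
    """Return the Machine field of a PE image; raise ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def machine_is_loadable(data: bytes) -> bool:
    """False when the header carries a CPU type the Windows loader won't accept."""
    return pe_machine(data) in KNOWN_MACHINES


def build_stub_pe(machine: int) -> bytes:
    """Constructed minimal header: MZ stub, e_lfanew -> 'PE\\0\\0' + 20-byte COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew points right after the stub
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)
    return bytes(dos) + coff


# ---- Part 2: tracing rel32 jump chains to attribute an inline hook ----
# Constructed module ranges (ntoskrnl base inferred from the report, srosa.sys assumed).
MODULES = {
    "ntoskrnl.exe": (0x804D7000, 0x806CD000),
    "srosa.sys":    (0xF801C000, 0xF8023000),
}


def owner_of(addr: int):
    """Name of the module whose image range contains addr, or None."""
    for name, (lo, hi) in MODULES.items():
        if lo <= addr < hi:
            return name
    return None


def jmp_bytes(at: int, target: int) -> bytes:
    """Encode 'E9 rel32' at address `at` jumping to `target` (used to build sample memory)."""
    return b"\xE9" + struct.pack("<I", (target - (at + 5)) & 0xFFFFFFFF)


def decode_jmp_rel32(mem: dict, addr: int):
    """If memory at addr holds 'E9 rel32', return the absolute target, else None."""
    code = mem.get(addr)
    if code is None or len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (addr + 5 + rel) & 0xFFFFFFFF


def trace_hook(mem: dict, func_addr: int, max_depth: int = 4):
    """Follow jumps from func_addr; stop when the chain leaves the function's module
    or max_depth is reached. Returns (final_addr, owning_module, jumps_followed).
    max_depth=1 reproduces a single-step check that blames ntoskrnl.exe itself."""
    addr, depth = func_addr, 0
    while depth < max_depth:
        target = decode_jmp_rel32(mem, addr)
        if target is None:
            break
        depth += 1
        addr = target
        if owner_of(addr) != owner_of(func_addr):
            break
    return addr, owner_of(addr), depth


# Constructed memory image modelled on the NtDeleteValueKey listing in the post:
# the export's first instruction jumps back to a trampoline, which jumps into srosa.sys.
NT_DELETE_VALUE_KEY = 0x80597430
TRAMPOLINE = 0x8059742B
ROOTKIT_HANDLER = 0xF801C77E
SAMPLE_MEM = {
    NT_DELETE_VALUE_KEY: jmp_bytes(NT_DELETE_VALUE_KEY, TRAMPOLINE),
    TRAMPOLINE: jmp_bytes(TRAMPOLINE, ROOTKIT_HANDLER),
}

if __name__ == "__main__":
    print("machine of tampered stub:", hex(pe_machine(build_stub_pe(256))),
          "loadable:", machine_is_loadable(build_stub_pe(256)))
    print("single step:", trace_hook(SAMPLE_MEM, NT_DELETE_VALUE_KEY, max_depth=1))
    print("traced:     ", trace_hook(SAMPLE_MEM, NT_DELETE_VALUE_KEY))
```

Attributing a hook to the module that owns the final target, rather than the first jump target, is the whole difference between the two reports quoted above: the LE output stops after one hop and lands inside ntoskrnl.exe, while the tracer keeps going until the chain crosses into the driver.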
     