Does SAS detect Win32.Ntldrbot?

Discussion in 'other anti-malware software' started by ChrisP, Jun 7, 2008.

Thread Status:
Not open for further replies.
  1. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I would like to know as I'm not sure my F-Secure does.
     
  2. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Not at the moment, but give Nick some time and maybe he will write a new detection module as he did for the MBR kit recently ;)

    F-secure will not see ntldrbot if it is loaded...
     
    Last edited: Jun 7, 2008
  3. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
  4. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    They now state SAS does detect Rustock.C
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Just looked at that thread. Seems to me you were also vague and evasive. You were asked if you had a test case where SAS failed. Simple yes or no question that was never answered.
     
  6. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Not vague at all. I asked a specific question: "Does SAS detect Rustock.C?" The answer was that it "should" detect it.

    I then ask again if they can confirm whether it does or not, and they do not answer as there are no standard names for these things.

    I then say it is only known by two names and asked them to say if they detect it or not.

    Only then do they say they definitely detect Rustock.C.

    I suggest you try being less rude and observe the facts better in future.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If SAS can detect and remove Rustock.C, it means that Rustock.C is on your HDD. ~off topic comment removed....Bubba~ So why is Rustock.C so scary, if it is so easy to remove? I don't need 240 posts to clean this one.
     
    Last edited by a moderator: Jun 9, 2008
  8. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    I have replied to this comment in the ntldrbot topic and still stand by what is posted in my reply post to you ;)

    Just to clear up this little bit of grey area around what Rustock C is for Nick. Here is a collection of useful reference reading/support data on ntldrbot aka Rustock C!

    http://www.drweb.com/upload/6c5e138..._DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf

    http://www.rootkit.com/newsread.php?newsid=879

    http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html

    http://translate.google.com/transla...sis?pubid=204007614&hl=en&ie=UTF8&sl=ru&tl=en

    HTH:)
     
  9. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I'm not normally a blacklist scanner user, but I can confirm that on a system infected with the "xyyy" rustock.c sample (from Offensive Computing) the latest SAS Free and sigs detect nothing (while CureIt does).

    What's more interesting, though, is that on this test machine (E6700 C2D, XP SP2) some aspects of the rootkit are visible within XP's bootlog, within regedit, and within the system32\drivers folder.

    Nick

    Some examples:

    ...Loaded driver \SystemRoot\system32\drivers\AsIO.sys
    Loaded driver \??\C:\WINDOWS\system32\drivers\a12e891a.sys
    Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys
    Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
    Loaded driver \??\C:\Program Files\ProSecurity\ProSecur.sys
    Loaded driver \SystemRoot\System32\Drivers\DefragFS.SYS...
     

    Last edited: Jun 10, 2008
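As an added example (not code from the post, from SAS or from any product named here), the following Python triage helper parses ntbtlog-style "Loaded driver" lines like the ones Nick quotes and flags drivers loaded from an absolute \??\ path rather than \SystemRoot, or carrying an eight-hex-character file name such as a12e891a.sys; the sample log below is constructed from the lines in the post above.

```python
import re

# Constructed sample modelled on the ntbtlog.txt excerpt quoted in the post;
# it is not a real capture from that machine.
SAMPLE_BOOTLOG = r"""
Loaded driver \SystemRoot\system32\drivers\AsIO.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\a12e891a.sys
Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \??\C:\Program Files\ProSecurity\ProSecur.sys
Loaded driver \SystemRoot\System32\Drivers\DefragFS.SYS
Did not load driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
"""

# Boot-log lines read "Loaded driver <path>" or "Did not load driver <path>".
LINE_RE = re.compile(r"^(Loaded|Did not load) driver (\S.*)$")
# Heuristic: an eight-hex-digit .sys name looks generated rather than vendor-chosen.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.sys$", re.IGNORECASE)


def parse_bootlog(text):
    """Return a list of (status, path) tuples for every recognised log line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def suspicious_drivers(text):
    """Return [(path, [reasons])] for loaded drivers that deserve a manual look."""
    findings = []
    for status, path in parse_bootlog(text):
        if status != "Loaded":
            continue  # drivers that failed to load did not run
        reasons = []
        name = path.rsplit("\\", 1)[-1]
        if path.startswith("\\??\\"):
            reasons.append("absolute \\??\\ path instead of \\SystemRoot")
        if HEX_NAME_RE.match(name):
            reasons.append("eight-hex-character file name")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in suspicious_drivers(SAMPLE_BOOTLOG):
        print(path, "->", "; ".join(reasons))
```

ProSecur.sys is flagged on the path heuristic alone, so the output is a shortlist for a human to reconcile against installed products, not a verdict.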
  10. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    If you wouldn't mind, would you send those samples to nicks AT superantispyware.com and I will personally analyze them immediately and ensure we remove the strain you have on your system.
     
  11. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Not a problem. Sent.

    Nick
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I thought Rustock.C was completely invisible, obviously not. I don't see much difference between Rustock.C and any other malware. It installs objects like any other malware.
    Of course the execution is more complicated, but it has to change your system first and what is changed can be replaced or removed in several ways. Is that the scary Rustock.C? Pffft.
    A rootkit that infects your motherboard, VGA card, etc. that is scary.
     
  13. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Now this will be confusing...

    Nick S,
    a12e891a.sys is Trojan downloader.agent.ddl. It is Agent and not Rustock C/spambot.

    It no longer imports ntldrbot/Rustock C as the download from 208.66.194.215 appears to be yanked.

    With that, there is no reason that SAS, once it *knows* the downloader agent, cannot detect and remove the Agent bot :)
     
  14. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Not confusing. I suspected something was broken. Wireshark shows the 208.66.194.215 attempts.

    Nick
     
  15. chris2busy

    chris2busy Registered Member

    Joined:
    Jun 14, 2007
    Posts:
    477
    Out of curiosity... would that malware successfully install its driver and infect the system in LUA as well?
     