Dr.Web Anti-virus is the first one to counteract BackDoor.MaosBoot rootkit

Doctor Web, Ltd.
http://www.drweb.com/

 

Sounds like Gmers Stealth.MBR discovery.

 

drweb - stealth rootkit

http://info.drweb.com/show/3257/en

Drweb becomes first av to counteract a new type of stealth rootkit, via the updated shield technology for 4.44

Also, the guard has been updated too.

 

Re: drweb - stealth rootkit

Will DrWeb CureIt also tackle this nasty?

 

Sure, if cureit has been updated.

The shield is part of the scanner, so cureit should have the technology too.

 

To make sure we understand each other correctly: DrWeb CureIt is the Free downloadable application, right?

 

Yes it is.

 

Is this the same as Prevx is shown as detecting in this thread
https://www.wilderssecurity.com/showthread.php?t=196376
see post #9.
What a combination Chris, Prevx & Dr. Web!

Ian

 

Hello,
first of all im sorry if im going off topic.
i would like the know if any other antivirus provides protection and removal of that threat now?
major names like nod32,kaspersky,symantec etc.
it seems quite dangerous and i dont really ever want any of my computers to be infected with it.

 

Yes it is stealth.mbr, what else?!

 

Most AVs have this MBR rootkit in their databases, so detection/prevention shouldn't be an issue. Removal is another topic.

 

There is difference in detecting the dropper/ installer and actually installed active rootkit.

 

Yup, detection/prevention is "easy", removal is a whole different story.

 

Amen only Cureit,CSI and GMER currently expose it once it is native.

But as said back a while virtually all the vendors extradited the Sinowal C stuff into their databases inorder to protect their user's from the MBR RK landing in the first place

 

i just wish the main antivirus vendors could provide removal for it.
there is enough users that will be infected by it and wont even know because their scanners wont be able to see it.
lodore

 

If the defenders are bypassed by say a new repack then detection is currently not that common because it requires a new routine for the scanning engines to see it
The tools that can see this thing that are used outside the labs can be still counted on 3 fingers....

Removal on the other hand is very simple if the victim is fammiliar with Recovery Console functions(fix mbr) or else just have 1 of the 3 tools do it for them.

Of course out of thoes 3 tools,2 are free(GMER,Dr Web CI) where as 1(PrevX CSI) you will have to pay for the priviledge of it doings its foo

Bravo Dr Web for providing a free onestop fix becuse GMER requires enduser input to complete the task.

The trouble is if they are blind to it when it is native then there is no way they can heal it but i'm sure some of the engines when they upgrade in the future will include a routine to bust these badboys if present

 

Sure, they have to! I think it must be on their top priorties!

 

most avs will not be able to protect properly, simply because they dont have the technology in the product.

sure, there are many avs that believe adding a signature is enough, it also looks good on these massive tests as a percentage, but this is not proper protection, or at least i dont think so.


what's also pleasing for drweb users is that the technology is now in place to stop other similar threats that WILL arrive across 2008, im glad they have updated something.. because news on the drweb-front was getting rare, i really was wondering what the hell they were doing.

------
im sure that alot of people who flame at drwebs so-called low detection, use drwebs free cureit to clean their machine because 'their top AV' failed.

 

They will get there very soon. Dr.Web is just the first one in the row!

 

Re: drweb - stealth rootkit

What has been updated in the guard? Also, any timetable for a real quarantine feature for Dr Web? The absence of that is making want to try something new. But is good to see Dr Web's implementation of its own technology being used and proven effective.

 

Re: drweb - stealth rootkit

minor, mainly bug fixes.

as for the quarentine thing, i dont know... this is what im waiting for myself.

anyway, regarding this shield update.

 

kaspersky also detects it when active.

 

Maybe you can get LB to grab a screenshot of the detection(like others have) inorder to welcome it to the club

 

and it removes it successfully?

detecting this active threat is not quite the same as detection and removal of the threat.

-----------------------------------
lots of scanner updated lately, are we getting close to a V5 beta i wonder?

lol, dare to dream.

4.44.4 now, and i think it was only on 4.44.1 in November/December.

 

i have posted a message to see if i can get hold of a screenshot.
if you have a copy of the sample would you be willing to install kis or kav7.0 to show the active rootkit detected? i know you do this type of thing alot anyways.
@Chris,
detecting the active threat is alot better than not being able to detect the active threat thou.
i have asked at the kaspersky forum if kaspersky can successfully remove it.
lodore