Dr.Web Anti-virus is the first one to counteract BackDoor.MaosBoot rootkit

Discussion in 'malware problems & news' started by Malcontent, Jan 29, 2008.

Thread Status:
Not open for further replies.
  1. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    451
    Location:
    Cleveland, Ohio USA
    Doctor Web, Ltd.
    http://www.drweb.com/
     
    Last edited by a moderator: Jan 29, 2008
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Sounds like Gmer's Stealth.MBR discovery.
     
  3. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    drweb - stealth rootkit

    http://info.drweb.com/show/3257/en

    Dr.Web becomes the first AV to counteract a new type of stealth rootkit, via the updated shield technology for 4.44.

    Also, the guard has been updated too.

    :)
     
  4. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Re: drweb - stealth rootkit

    Will DrWeb CureIt also tackle this nasty?
     
  5. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Sure, if CureIt has been updated.

    The shield is part of the scanner, so CureIt should have the technology too.
     
  6. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    To make sure we understand each other correctly: DrWeb CureIt is the Free downloadable application, right? :)
     
  7. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Yes it is.
     
  8. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
  9. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Hello,
    first of all I'm sorry if I'm going off topic.
    I would like to know if any other antivirus provides protection and removal of that threat now?
    Major names like NOD32, Kaspersky, Symantec etc.
    It seems quite dangerous and I don't really ever want any of my computers to be infected with it.
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes it is stealth.mbr, what else?!
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Most AVs have this MBR rootkit in their databases, so detection/prevention shouldn't be an issue. Removal is another topic.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    There is a difference between detecting the dropper/installer and the actually installed active rootkit.
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yup, detection/prevention is "easy", removal is a whole different story.
     
  14. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Amen, only CureIt, CSI and GMER currently expose it once it is native.

    But as said a while back, virtually all the vendors extradited the Sinowal C stuff into their databases in order to protect their users from the MBR RK landing in the first place :thumb:
     
  15. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    I just wish the main antivirus vendors could provide removal for it.
    There are enough users that will be infected by it and won't even know because their scanners won't be able to see it.
    lodore
     
  16. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    If the defenders are bypassed by, say, a new repack then detection is currently not that common, because it requires a new routine for the scanning engines to see it ;)
    The tools that can see this thing that are used outside the labs can still be counted on 3 fingers....

    Removal on the other hand is very simple if the victim is familiar with Recovery Console functions (fixmbr) or else just has 1 of the 3 tools do it for them.

    Of course out of those 3 tools, 2 are free (GMER, Dr Web CI) whereas for 1 (Prevx CSI) you will have to pay for the privilege of it doing its foo :cautious:

    :thumb: Bravo Dr Web for providing a free one-stop fix, because GMER requires end-user input to complete the task.

    The trouble is if they are blind to it when it is native then there is no way they can heal it, but I'm sure some of the engines when they upgrade in the future will include a routine to bust these bad boys if present :thumb:
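    The point made above, that a scanner running inside the infected system can be blind to the rootkit once it is native because the MBR code sits below the operating system, is the reason analysts compare a sector image captured out of band (boot medium, forensic disk image) against a known-good baseline. The script below is an added example for this thread; it is not code from Dr.Web, GMER, Prevx or any other tool named here, and every byte of the sample sectors is constructed for the demonstration. It parses the 512-byte MBR, verifies the 0x55AA signature, reports where the bootstrap code diverges from the baseline, and separately checks whether the partition table changed, because an MBR infection that leaves the table intact still boots normally and looks healthy from inside the OS.

```python
"""
Offline MBR integrity check (added example, not from the thread or any vendor).

Compares an out-of-band capture of the Master Boot Record with a known-good
baseline image and reports differences in the bootstrap code region and in
the partition table.  All sector contents below are constructed test data.
"""
import hashlib
import struct
from typing import Dict, List, NamedTuple

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code; the disk signature starts at 440
PART_TABLE_OFFSET = 446
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sectors
BOOT_SIGNATURE = b"\x55\xaa"


class Partition(NamedTuple):
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def build_mbr(boot_code: bytes, partitions: List[Partition]) -> bytes:
    """Assemble a 512-byte MBR image; used here only to construct test data."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    sector = bytearray(SECTOR_SIZE)
    sector[: len(boot_code)] = boot_code
    sector[440:444] = b"\x12\x34\x56\x78"  # constructed disk signature
    for i, p in enumerate(partitions):
        off = PART_TABLE_OFFSET + i * 16
        sector[off : off + 16] = struct.pack(
            PART_ENTRY_FMT, 0x80 if p.bootable else 0x00, b"\0\0\0",
            p.type_id, b"\0\0\0", p.lba_start, p.sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partition_table(sector: bytes) -> List[Partition]:
    """Decode the four primary partition entries, skipping empty slots."""
    entries = []
    for i in range(4):
        status, _, type_id, _, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * 16)
        if type_id != 0:
            entries.append(Partition(status == 0x80, type_id, lba, count))
    return entries


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code region, useful as a baseline fingerprint."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(captured: bytes, baseline: bytes) -> Dict:
    """Compare an out-of-band MBR capture against a known-good baseline image."""
    findings: List[str] = []
    if len(captured) != SECTOR_SIZE:
        return {"ok": False, "findings": [f"unexpected length {len(captured)}"],
                "first_diff_offset": None, "partitions": []}
    if captured[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    first_diff = next((i for i in range(BOOT_CODE_LEN)
                       if captured[i] != baseline[i]), None)
    if first_diff is not None:
        changed = sum(1 for i in range(BOOT_CODE_LEN) if captured[i] != baseline[i])
        findings.append(f"bootstrap code differs from baseline at offset "
                        f"0x{first_diff:03x} ({changed} bytes changed); "
                        f"sha256 {boot_code_hash(captured)}")
    # A bootkit that keeps the machine bootable normally leaves this region alone,
    # so a clean table is not evidence of a clean MBR; check it separately.
    if captured[PART_TABLE_OFFSET:510] != baseline[PART_TABLE_OFFSET:510]:
        findings.append("partition table differs from baseline")
    return {"ok": not findings, "findings": findings,
            "first_diff_offset": first_diff,
            "partitions": parse_partition_table(captured)}


# Constructed "clean" bootstrap code: a few plausible opcode bytes padded with NOPs.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 100
SAMPLE_PARTITIONS = [Partition(True, 0x07, 2048, 204800)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)


def with_modified_boot_code(sector: bytes, offset: int, patch: bytes) -> bytes:
    """Construct what a capture from a disk with altered bootstrap code would look like."""
    modified = bytearray(sector)
    modified[offset : offset + len(patch)] = patch
    return bytes(modified)


# Constructed capture: three bytes of bootstrap code changed, partition table untouched.
TAMPERED_MBR = with_modified_boot_code(CLEAN_MBR, 0x20, b"\xe9\x00\x01")

if __name__ == "__main__":
    for label, image in (("clean capture", CLEAN_MBR), ("tampered capture", TAMPERED_MBR)):
        report = check_mbr(image, CLEAN_MBR)
        print(f"{label}: ok={report['ok']}")
        for finding in report["findings"]:
            print("  -", finding)
```

    In real use the baseline is the sector image taken right after a known-clean install (or the hash from `boot_code_hash`), and the capture is read from a boot medium or a forensic image rather than through the running OS, so the comparison does not depend on the very layer the rootkit controls.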
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Sure, they have to! I think it must be on their top priorties!
     
  18. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Most AVs will not be able to protect properly, simply because they don't have the technology in the product.

    Sure, there are many AVs that believe adding a signature is enough, it also looks good on these massive tests as a percentage, but this is not proper protection, or at least I don't think so.


    What's also pleasing for Dr.Web users is that the technology is now in place to stop other similar threats that WILL arrive across 2008. I'm glad they have updated something.. because news on the Dr.Web front was getting rare, I really was wondering what the hell they were doing.

    ------
    I'm sure that a lot of people who flame at Dr.Web's so-called low detection use Dr.Web's free CureIt to clean their machine because 'their top AV' failed.
     
    Last edited: Jan 29, 2008
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    They will get there very soon. Dr.Web is just the first one in the row!
     
  20. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,304
    Location:
    Location Unknown
    Re: drweb - stealth rootkit

    What has been updated in the guard? Also, any timetable for a real quarantine feature for Dr Web? The absence of that is making me want to try something new. But it is good to see Dr Web's implementation of its own technology being used and proven effective.
     
  21. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Re: drweb - stealth rootkit

    Minor, mainly bug fixes.

    As for the quarantine thing, I don't know... this is what I'm waiting for myself.

    Anyway, regarding this shield update.

     
    Last edited: Jan 29, 2008
  22. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Kaspersky also detects it when active.
     
  23. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Maybe you can get LB to grab a screenshot of the detection (like others have) in order to welcome it to the club :thumb:
     
  24. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    And it removes it successfully?

    Detecting this active threat is not quite the same as detection and removal of the threat.

    -----------------------------------
    Lots of scanner updates lately, are we getting close to a V5 beta I wonder?

    lol, dare to dream.

    4.44.4 now, and I think it was only on 4.44.1 in November/December.

    Untitled.jpg
     
  25. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    I have posted a message to see if I can get hold of a screenshot.
    If you have a copy of the sample, would you be willing to install KIS or KAV 7.0 to show the active rootkit detected? I know you do this type of thing a lot anyway.
    @Chris,
    detecting the active threat is a lot better than not being able to detect the active threat though.
    I have asked at the Kaspersky forum if Kaspersky can successfully remove it.
    lodore
     