Discussion in 'Prevx Releases' started by trjam, Nov 13, 2008.
Let's say 15 rootkits are compressed in a RAR file... Shouldn't Prevx Edge detect them (some)?
No, it wouldn't. Edge does not scan archives, as the files cannot actually infect your system from the archive, so we don't bother scanning them.
Also note that these rootkits are inactive, so you aren't actually testing Edge against them, just testing the files themselves. Edge would most definitely detect and clean them if it scanned when the rootkits were active.
Rootkits in an archive is an oxymoron
I totally quote.
When I read some comparatives where people test antimalware software against active and inactive rootkits, I really don't understand what they would show.
I can understand antimalware software against active rootkits: you're able to test the technology used against the rootkit's hiding techniques.
But why do a specific test against inactive rootkits? They are as much malware as the other ones tested in the comparative. I could still understand it if the comparative was intended to be done against specific categories (trojan, worm, backdoor, rootkit), but I've read (and I still read) comparatives where the categories tested are generic malware AND inactive rootkits.
What is the exact goal of testing inactive rootkits outside the generic malware category?
I launched another scan after decompression....
We will test them ACTIVE!
Could you please send the files to EraserHW or myself? We will analyze them here as well to see why they're missed.
I hope an antimalware software will detect malicious code also before activation (rootkits are rootkits).
Yes, but you are testing them out of context. A file lying on disk or in an archive has no behavior and isn't a threat, but if it were to start to load we would catch it immediately.
Good. That's how an "antirootkit vs. rootkit" comparative should be done.
So, meaning that an archive that is sitting without being unpacked is dead malware, inactive and with no behaviour, so there is nothing to worry about until executed? Note: some antiviruses scan archives.
We will see about that...
Does your software find the SUN2 rootkit (active)?
P.S. I personally wish you all the best!
Is that rootkit new?
Note: that's why there are layers; well, in this case a sandbox-type software or HIPS will put a rootkit in its place.
IT'S OLD!
I like your avatar (jmonge).
Thanks, I look like this when I drink coffee.
There are some rootkits out there that are really scary, and people think that they are immune to malware because the virus scan says in green you are safe to go, but in reality it is very scary; sometimes only a clean format can save you from those types of malware, just to be sure you are not infected, like the Hxdef rootkit or the NetDevil, stuff like that. Anyway, I am going to have some more coffee to look more yellow.
Anyway, I put my trust in Prevx Edge. Did you guys watch my post "Prevx Edge in action" with a smiley face? It was about some type of malware, I think it was a rootkit, that Prevx killed.
Sorry guys, I talk a lot because I've had like 5 cups of coffee already.
Just take a coffee pill instead :P... My nose, where the f*** is it!
I will never stop thinking like a child.
Respect to the pure.....
This is correct. If a piece of malware is sitting in an archive there is nothing it can do to your system. You would first have to extract the file from the archive, where it will then be found.
Other antivirus products do scan through archives, primarily to protect gateway email servers, but for a consumer it is largely unnecessary.
I'm sure it does, but I've never heard of it, and a quick Googling says that it came out in 2000.... doesn't exactly look like a threat today. If you want, you can send me the file and I'll check in our database to see what we detect it as and how many users have ever seen it.
Right now Avira Free on max config and ThreatFire do impress me compared to a lot of other software....
It makes sense.
DiabloNova writes: "The Rustock.C revelation was from the beginning just a question of faith"
(c) unknown person from wasm.ru
We were always interested in non-trivial malware samples, especially those which want to do some kicking before death.
This one, for example.
This malware acts as a virus; moreover, it has a rootkit component built in. In addition, this **** is protected by THEMIDA (yes, the one rumored to be the ultimate protector).
The sample we got was merged with a trivial crack for a trivial program. Do you still consider cracks safe to use? Unfortunately there is now the same **** as everywhere, and cracks have become one of the main methods to deliver malware right directly to you. So guys and girls, use only trustworthy cracks downloaded only from trustworthy sites/people. But even this doesn't give any guarantees, of course. Better, of course, to buy programs, but we are all adult enough, aren't we? ^^
So what the f*** is this virus doing? The first victim of this Dodelka (that is the actual name of the malware, by the way) was, oh my god, the virtual machine service responsible for drag-and-drop operations. What a loss. Actually it didn't simply infect this executable; this malware fully replaced it with itself. This causes numerous bugs. Next, the malware copies itself to the system32\drivers folder under the name hldrrr.exe and extracts into the same folder a driver named srosa.sys (also packed by some ****). The driver is loaded and the fun begins.
srosa.sys (looks like a static name) sets a callback on image loading. And here is the most interesting part. This malware includes a huge blacklist of different security software and even malware competitors.
This list is located inside the srosa.sys driver and takes more than 50% of the driver body (some items in UNICODE are even listed twice).
Here is just a small sample of the software and the numerous software components (firewalls, HIPS, antirootkits, antiviruses) present in the blacklist:
Rootkit_Detective.exe // McAfee Antirootkit
RootkitBuster.exe // TrendMicro Antirootkit
RkUService.exe // We will shed some light on this later
RKUnhooker.exe // Here we are! Oh, thanks for listing us in your malware!
PAVARK.exe // Panda Antirootkit
IceSword.exe // PJF's IceSword Antirootkit
DarkSpy105.exe // CardMagic's/Wowocock's DarkSpy Antirootkit
avgarkt.sys // AVG AntiRootkit driver
gmer.pdb // string inside GMER Antirootkit
AVZ Driver // AVZ related ****, probably from the version info block
AVZ Monitoring Driver
The full list of software is about 40 KB of text (both ANSI and UNICODE).
What happens when one of the blacklisted programs tries to start? Completely unknown; we simply did not test with this whole huge list, but for several of the antirootkits mentioned above and the DrWeb32 antivirus this malware did the following:
It modified the PE header and changed the CPU architecture type to an invalid value (in our case 256). After this the Windows loader was unable to load these images (including drivers) because of the unsupported CPU type. So even if your antivirus/antirootkit is able to find this malware (in theory), it doesn't mean that it will help, because this malware will simply prevent your programs from working. As it did in the case of DrWeb32 and Rootkit Unhooker v3.8 installed after the malware.
Okay, what is RkUService.exe doing in this list?
But the RKU executable name is always random after installation, so how can it be prevented? The answer is very simple: after installation the installer drops RkUService.exe inside the RKU folder and executes it. Exactly this small tool does all the RkUnhooker.exe name randomization; after this the installer deletes this small tool. Since RkUService.exe was prevented from launching, RKU wasn't automatically renamed and the malware was able to prevent it from starting. However, if you have RKU already installed BEFORE the malware, it will be unable to prevent RKU.
Imagine: you paid your money for an AV, you downloaded all the available antirootkits, antitrojans, freeware malware removal tools, and you can't deal with this infection at all because none of this is working. Drama for your money.
In our test this malware successfully killed IceSword, DarkSpy, RootkitBuster, GMER v1.14 and Rootkit Detective aka Rootkit Defective.
However, this malware's tricks were completely useless against the VX variant of RKU, from which we gathered almost all information about Dodelka.
Apart from preventing antimalware tools from working, this Dodelka also contains several surprises inside, some of them specially for antirootkits.
One of them is numerous bugs inside the rootkit filters, which slow down scanning of the infected computer.
This rootkit sets several inline hooks; this report was generated by the RKU engineering variant with the tracer turned on.
Rootkit Unhooker report generator v1.1
Rootkit Unhooker ER
version: 0.8 (based on VX 4.5 engine)
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600 (Service Pack 2)
Code Hooks scanning...
Mismatch inside c:\windows\system32\ntoskrnl.exe found
Beginning 2 level tracing (Settings: Tracer level Medium)
Tracing: 1 level...
Tracing complete at 1 level, hooks confirmed
ntoskrnl.exe-->NtQueryKey, Type: Inline - RelativeJump 0x8056F473-->F8021974 [srosa.sys]
ntoskrnl.exe-->NtEnumerateKey, Type: Inline - RelativeJump 0x8056F76A-->F8020E36 [srosa.sys]
ntoskrnl.exe-->NtOpenFile, Type: Inline - RelativeJump 0x805715E7-->F8020A8C [srosa.sys]
ntoskrnl.exe-->NtCreateFile, Type: Inline - RelativeJump 0x8057164C-->F802096E [srosa.sys]
ntoskrnl.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x8057459E-->F801C33E [srosa.sys]
ntoskrnl.exe-->NtQueryDirectoryFile, Type: Inline - RelativeJump 0x80574DAD-->F80210DC [srosa.sys]
ntoskrnl.exe-->NtSetValueKey, Type: Inline - RelativeJump 0x80575527-->F801C564 [srosa.sys]
ntoskrnl.exe-->NtSetInformationFile, Type: Inline - RelativeJump 0x80579E7E-->F801C43C [srosa.sys]
ntoskrnl.exe-->NtQuerySystemInformation, Type: Inline - RelativeJump 0x8057CC27-->F802128E [srosa.sys]
ntoskrnl.exe-->NtEnumerateValueKey, Type: Inline - RelativeJump 0x805801FE-->F8020B8C [srosa.sys]
ntoskrnl.exe-->NtDeleteValueKey, Type: Inline - RelativeJump 0x80597430-->F801C77E [srosa.sys]
ntoskrnl.exe-->NtDeleteKey, Type: Inline - RelativeJump 0x8059D6BD-->F801C97E [srosa.sys]
ntoskrnl.exe-->NtLoadDriver, Type: Inline - RelativeJump 0x805A6B26-->F8021684 [srosa.sys]
ntoskrnl.exe-->NtDeleteFile, Type: Inline - RelativeJump 0x805D8CF7-->F801C3EC [srosa.sys]
End of report
But the report of the public RKU 3.8 LE shows the following strange behaviour.
RkUnhooker report generator v0.7
Rootkit Unhooker kernel version: 3.8.341.552
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
ntoskrnl.exe+0x00005032, Type: Inline - RelativeJump 0x804DC032 [ntoskrnl.exe]
ntoskrnl.exe-->NtQueryKey, Type: Inline - RelativeJump 0x8056F473 [ntoskrnl.exe]
ntoskrnl.exe-->NtEnumerateKey, Type: Inline - RelativeJump 0x8056F76A [ntoskrnl.exe]
ntoskrnl.exe-->NtOpenFile, Type: Inline - RelativeJump 0x805715E7 [ntoskrnl.exe]
ntoskrnl.exe-->NtCreateFile, Type: Inline - RelativeJump 0x8057164C [ntoskrnl.exe]
ntoskrnl.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x8057459E [srosa.sys]
ntoskrnl.exe-->NtQueryDirectoryFile, Type: Inline - RelativeJump 0x80574DAD [ntoskrnl.exe]
ntoskrnl.exe-->NtSetValueKey, Type: Inline - RelativeJump 0x80575527 [ntoskrnl.exe]
ntoskrnl.exe-->NtSetInformationFile, Type: Inline - RelativeJump 0x80579E7E [srosa.sys]
ntoskrnl.exe-->NtQuerySystemInformation, Type: Inline - RelativeJump 0x8057CC27 [srosa.sys]
ntoskrnl.exe-->NtEnumerateValueKey, Type: Inline - RelativeJump 0x805801FE [ntoskrnl.exe]
ntoskrnl.exe-->NtDeleteValueKey, Type: Inline - RelativeJump 0x80597430 [ntoskrnl.exe]
ntoskrnl.exe-->NtDeleteKey, Type: Inline - RelativeJump 0x8059D6BD [ntoskrnl.exe]
ntoskrnl.exe-->NtLoadDriver, Type: Inline - RelativeJump 0x805A6B26 [ntoskrnl.exe]
ntoskrnl.exe-->NtDeleteFile, Type: Inline - RelativeJump 0x805D8CF7 [ntoskrnl.exe]
As you see, many of the hooks have ntoskrnl.exe as the hooker address. Why is this happening? Let's look at these hooks in memory.
80597423: call 804E2AD2
80597428: retn 0C
8059742B: jmp F801C77E
Actual function body
80597430: jmp 8059742
Here the first instruction is a jump back to the jump to the rootkit driver handler. RKU LE was unable to decide who exactly is the "hooker" here. However, as you see, with the tracer this kind of hooking isn't a problem at all. Additionally, this doesn't prevent RKU LE from removing these hooks, since the mismatch is detected.
These hooks are responsible for hiding the rootkit process, rootkit files and registry keys (including the startup location) and for preventing malware removal.
Removal of this malware isn't trivial and requires complex work, because an antirootkit can't exactly determine all components of this malware, since some of them don't use rootkit technologies, so you have a good chance of reinfection even after successful removal. The best approach here: eradicate the malware hooks and the LoadImage notify routine, determine the malware files (this is simple, since all of them are identical except the driver) and kill them all. And don't forget, before using antimalware tools, to rename them to something innocent, blahblah.exe for example, because nobody can guarantee that the malware doesn't know your AV/FW etc. Who needs surprises? =)
Why did we name this malware Dodelka? Because of this
c:\reliz2\dodelka\hlhl_vista_flesh\driver (PDB string inside the rootkit driver)
and because we really like to call this exactly "Dodelka", which translated from Russian means "additional work". As you see, Vista is mentioned, but we didn't try this malware on Vista.
As for RKU LE, we of course can't leave these tricks with our programs inside the malware blacklist unanswered, so future versions will contain our surprises for crapware coders (they will have to create something new).
No, I won't give you the malware sample nor the engineering variant of RKU.
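The post above describes two things an analyst may want to reproduce on their own bench: the PE-header sabotage (Machine field set to an invalid value such as 256 so the loader refuses the image) and the two-stage inline hook on NtDeleteValueKey whose first jump lands inside ntoskrnl.exe, confusing one-level attribution. The following is an added Python example, not code from the RKU authors or from the post; it works on a constructed in-memory PE image rather than a real binary. The valid Machine values, the use of the optional-header Magic to guess the original architecture when repairing, and the choice of i386 for PE32 / amd64 for PE32+ are assumptions made for illustration.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D        # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550     # 'PE\0\0'
# Machine values the Windows loader accepts (assumed list for this example).
KNOWN_MACHINES = {0x014C: "i386", 0x8664: "amd64", 0x01C0: "arm",
                  0xAA64: "arm64", 0x0200: "ia64"}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DODELKA_MACHINE = 256               # value the post reports the malware wrote


def coff_header_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_FILE_HEADER (just past 'PE\\0\\0')."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("bad PE signature")
    return e_lfanew + 4


def inspect_machine(data: bytes) -> dict:
    """Read Machine and the optional-header Magic; flag unknown architectures."""
    off = coff_header_offset(data)
    machine = struct.unpack_from("<H", data, off)[0]            # IMAGE_FILE_HEADER.Machine
    size_opt = struct.unpack_from("<H", data, off + 16)[0]      # SizeOfOptionalHeader
    magic = struct.unpack_from("<H", data, off + 20)[0] if size_opt >= 2 else None
    return {"machine": machine, "magic": magic, "known": machine in KNOWN_MACHINES}


def repair_machine(data: bytes):
    """Restore a sabotaged Machine field, inferring the architecture from Magic.

    Returns (repaired_bytes, new_machine) or (data, None) if nothing was wrong.
    Assumption: PE32 -> i386, PE32+ -> amd64 (true on the x86/x64 hosts the post
    is about; an ARM image would need a different hint).
    """
    info = inspect_machine(data)
    if info["known"]:
        return data, None
    if info["magic"] == PE32_MAGIC:
        new_machine = 0x014C
    elif info["magic"] == PE32PLUS_MAGIC:
        new_machine = 0x8664
    else:
        raise ValueError("cannot infer architecture from optional header")
    out = bytearray(data)
    struct.pack_into("<H", out, coff_header_offset(data), new_machine)
    return bytes(out), new_machine


# --- constructed test image (not a real binary) -----------------------------
def make_pe(machine: int, magic: int = PE32_MAGIC) -> bytes:
    """Build a minimal header-only PE: DOS stub, PE signature, COFF + optional header."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", magic) + bytes(0xE0 - 2)
    return bytes(dos) + b"PE\0\0" + coff + opt


def tamper_like_dodelka(data: bytes) -> bytes:
    """Reproduce the sabotage described in the post: overwrite Machine with 256."""
    out = bytearray(data)
    struct.pack_into("<H", out, coff_header_offset(data), DODELKA_MACHINE)
    return bytes(out)


if __name__ == "__main__":
    good = make_pe(0x014C)
    bad = tamper_like_dodelka(good)
    print("clean:", inspect_machine(good))
    print("sabotaged:", inspect_machine(bad))
    fixed, machine = repair_machine(bad)
    print("repaired Machine to %#x, identical to clean: %s" % (machine, fixed == good))
```

Running the check over the on-disk tools of a suspected infection (every .exe/.sys under the AV and antirootkit install folders) is a quick way to confirm this kind of sabotage before concluding that a scanner "just crashes"; the repair only touches the two Machine bytes, so a mismatch with a known-good copy afterwards means the file was damaged in more than one place.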
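The memory listing for NtDeleteValueKey above is the interesting case: the first instruction at 0x80597430 jumps backwards to 0x8059742B, and only that second jump leaves ntoskrnl.exe for srosa.sys, so a one-level attribution reports the hooker as ntoskrnl.exe while a tracer that follows the chain reports srosa.sys. The following is an added Python example, not RKU's code or the post's own: it builds a constructed flat memory image of those few bytes (the jump encodings, the module base addresses and sizes, and the filler bytes at the srosa.sys handler are assumptions), follows relative jumps up to a depth limit, and prints a line in the report format used on the page.

```python
import struct

NT_DELETE_VALUE_KEY = 0x80597430   # hooked entry point, from the RKU report above
HOOK_STUB = 0x8059742B             # in-kernel trampoline that RKU LE blamed
SROSA_HANDLER = 0xF801C77E         # rootkit handler, from the RKU tracer report

# Module ranges: names and hook addresses from the page, base/size assumed.
MODULES = [("ntoskrnl.exe", 0x804D7000, 0x1F8000),
           ("srosa.sys", 0xF801C000, 0x8000)]


def rel32(next_ip: int, dst: int) -> bytes:
    """Encode the rel32 displacement for a jmp/call whose next IP is next_ip."""
    return struct.pack("<i", dst - next_ip)


def build_memory():
    """Constructed image of the patched ntoskrnl bytes and the srosa.sys handler."""
    base = 0x80597423
    nt = bytearray()
    nt += b"\xE8" + rel32(base + 5, 0x804E2AD2)            # 80597423: call 804E2AD2
    nt += b"\xC2\x0C\x00"                                  # 80597428: retn 0Ch
    nt += b"\xE9" + rel32(HOOK_STUB + 5, SROSA_HANDLER)    # 8059742B: jmp F801C77E
    nt += b"\xEB" + struct.pack("<b", HOOK_STUB - (NT_DELETE_VALUE_KEY + 2))  # 80597430: jmp short 8059742B
    nt += b"\x8B\xFF\x55\x8B\xEC"                          # rest of the function (filler)
    srosa = b"\x8B\xFF\x55\x8B\xEC\x83\xEC\x10"             # handler prologue (filler)
    return FlatMemory([(base, bytes(nt)), (SROSA_HANDLER, srosa)])


class FlatMemory:
    """A few disjoint byte regions addressed by virtual address."""
    def __init__(self, regions):
        self.regions = regions

    def read(self, addr: int, n: int) -> bytes:
        for base, data in self.regions:
            if base <= addr and addr + n <= base + len(data):
                return data[addr - base: addr - base + n]
        raise KeyError("unmapped read at 0x%08X" % addr)


def module_of(modules, addr: int) -> str:
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return "<unknown>"


def decode_jump(mem: FlatMemory, addr: int):
    """Return the target of a relative jmp at addr (E9 rel32 / EB rel8), else None."""
    op = mem.read(addr, 1)[0]
    if op == 0xE9:
        rel = struct.unpack("<i", mem.read(addr + 1, 4))[0]
        return (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0xEB:
        rel = struct.unpack("<b", mem.read(addr + 1, 1))[0]
        return (addr + 2 + rel) & 0xFFFFFFFF
    return None


def trace_hook(mem: FlatMemory, modules, start: int, max_depth: int = 8):
    """Follow jump chains from start; return (hops, module owning the final target).

    Stops at the first non-jump instruction, at max_depth, or on a loop.
    """
    hops = [start]
    cur = start
    for _ in range(max_depth):
        nxt = decode_jump(mem, cur)
        if nxt is None:
            break
        if nxt in hops:
            raise ValueError("jump loop at 0x%08X" % nxt)
        hops.append(nxt)
        cur = nxt
    return hops, module_of(modules, hops[-1])


def report_line(func: str, hops, modules) -> str:
    """Format one line the way the RKU reports on the page do."""
    return "ntoskrnl.exe-->%s, Type: Inline - RelativeJump 0x%08X-->%08X [%s]" % (
        func, hops[0], hops[-1], module_of(modules, hops[-1]))


if __name__ == "__main__":
    mem = build_memory()
    hops, owner = trace_hook(mem, MODULES, NT_DELETE_VALUE_KEY)
    print("one level  :", module_of(MODULES, hops[1]))   # ntoskrnl.exe (what RKU LE printed)
    print("full trace :", owner)                          # srosa.sys
    print(report_line("NtDeleteValueKey", hops, MODULES))
```

The depth limit and loop check matter in practice: a rootkit that wants to defeat exactly this tracing can chain many short hops or make the chain circular, and a tracer without a bound either hangs or recurses forever. Attribution should use the last hop that leaves the hooked module, which is what the report line prints.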