New MBR rootkit goes undetected

Discussion in 'other anti-virus software' started by MAOS, Apr 13, 2009.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    You'll have to write a new MBR from outside of the OS as the rootkit filters any attempt to write the MBR when loaded.
     
  2. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    That's where the good old UBCD4Win comes into play; removal/detection is a doddle. Rootkitty, then mbrwiz, and voila. ;)
     
  3. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    What about a HIPS like Comodo or Malware Defender, will the rootkit be able to sneak past them as well?
     
  4. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It depends on how strict the rules are. All that the rootkit does is rewrite the MBR and then lock it down very tightly. The main issue isn't prevention (that's always an issue with any threat so that isn't anything new :)), the real issue is detection once infected and cleanup after detection. The droppers we've encountered so far are very cautious and just infect the MBR and then remain quiet without any visible signs.
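Added example (not code from the thread or from any product discussed in it): the two posts above say that the rootkit rewrites the MBR and then filters writes to it, so both checking and repairing the MBR have to happen from outside the installed OS. The script below is a defender's offline MBR integrity check of the kind run from a rescue boot: it parses a 512-byte MBR, validates the 0x55AA boot signature and partition table, and compares a hash of the bootstrap code against a baseline recorded while the disk was known to be clean. All sample MBR bytes, the `build_sample_mbr` helper and the function names are constructed for this example.

```python
"""Offline MBR integrity check (constructed example, not from the thread).

Reads a 512-byte master boot record, validates its structure and compares the
bootstrap code against a SHA-256 baseline recorded while the disk was known to
be clean. Intended to run against a disk image or raw device from a rescue
environment, i.e. while the installed OS (and anything it loaded) is not running.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code occupies bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the disk signature
BOOT_SIG = b"\x55\xaa"   # required at bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into boot code, disk signature and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack(
            "<BBBBBBBBII", sector[off:off + 16])
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "disk_signature": sector[440:444],
        "partitions": partitions,
        "valid_boot_signature": sector[510:512] == BOOT_SIG,
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table may change legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if not info["valid_boot_signature"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("more than one partition flagged bootable")
    for n, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {n}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {n}: non-empty type with zero length")
    return findings


def read_first_sector(path: str) -> bytes:
    """Read the MBR from a disk image or raw device (e.g. /dev/sda under a rescue system)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed MBR with one NTFS-type partition; not taken from any real disk."""
    entry = struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xfe, 0xff, 0xff, 63, 20_000_000)
    table = entry + b"\x00" * 48                      # three empty entries
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")   # bytes 0..439
            + b"\xde\xad\xbe\xef" + b"\x00\x00"       # disk signature + 2 reserved bytes
            + table + BOOT_SIG)                       # 64-byte table + 0x55AA


# Constructed stand-ins: the byte strings are arbitrary filler, not real boot code.
CLEAN_MBR = build_sample_mbr(b"clean bootstrap code (constructed)")
BASELINE_HASH = boot_code_hash(CLEAN_MBR)   # recorded while the disk was known-good
TAMPERED_MBR = build_sample_mbr(b"replaced bootstrap code (constructed)")

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_HASH) or "OK")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

The baseline hash should be taken and stored off the machine while it is known to be clean, and the check should read the sector through `read_first_sector` from a boot CD or a mounted image rather than from the running OS: a rootkit that filters MBR access can hand an in-OS reader the original sector, which is exactly why the posts above say detection and cleanup have to happen from outside the OS. Only the bootstrap region is hashed because partition edits are a normal administrative change, while the boot code of an installed system should not change at all.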
     
  5. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    404
    Location:
    France
    Isn't LUA simply the solution?

    PrevXHelp, why not simply explain this is an easy solution, which complements so well your security solution (or maybe it is the other way around, isn't it? o_O )
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    LUA is a solution to a majority of malware problems but it simply isn't viable for a majority of home users, which is why most people don't use it (it's just too restrictive).

    However, if you do run EVERYTHING under LUA, you should be completely safe from this threat :thumb:
     
  7. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    So does it mean that HIPS applications won't be able to do much, once the rootkit succeeds in digging itself into the system?

    How does the same file, intercepted during its attempt to get into the PC, suddenly cloak itself once it manages to do so? Isn't that basically what HIPSs monitor? Wouldn't every file/process residing in the PC be under the watch of a HIPS?
     
    Last edited: Apr 14, 2009
  8. yamaneko

    yamaneko Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    53
    Well, maybe prior to Vista. With Vista, I really don't see much point in using an administrator account. IMO :)
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That's correct. Once it's in, you'll need a standalone scanner to find it because the behaviors occur in hidden threads which aren't visible to "normal" HIPS methods.
     
  10. metalforlife

    metalforlife Registered Member

    Joined:
    Mar 29, 2009
    Posts:
    96
    Understood.
     
  11. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Not even Prevx? :D
     
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I find it works well; if I need more privilege I can do that, run as admin or log into the admin account... XP Pro.
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    We do now, but to be completely honest - we didn't before :D Sure, we blocked the dropper, but that's not difficult. The real challenge with this threat is finding it on an infected system (without forcing users to resort to a boot cd :))
     
  14. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I don't doubt TF would miss it also - I've been a very big fanboy of it lately, but at least I'm being open-minded and honest about its mistakes. :D
     
  15. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I think you also need to be open-minded about what is reported and what is actually true. And that bothers me. F-Secure has been on top of this one from the start, even before Prevx.
     
  16. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Do you know what version of F-Secure detects/cleans this threat? I tried last week with F-Secure 2009 and it didn't find it at all, but I'm reinstalling again now to see.
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Set your settings at high.
     
  18. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I can only speak from my personal experience, and that's exactly what I do - and that's true for F-Secure as well. I've had past bad experience with it and the prog. is not for me, but I never doubt that it's one awesome product that's just becoming better.

    The same goes for Prevx. I've got many FPs with it, and not surprisingly especially with the beta, so even if I'm running it with a license at least till it runs out and hoping that real "1 PC" support is there when it does so I can hesitate less on renewing it, I can't set the automatic removal feature to on even if it's there - and I personally like automatic operation - because of personal experience. Personal experience also makes me choose TF before it.
     
    Last edited: Apr 14, 2009
  19. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    F-Secure is a beauty if you treat her nice, Edge is a Philly kicking her legs out to see what the world holds. And then, there is, Norman.:D
     
  20. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I ran a "Quick Rootkit Scan" with FS2009 and it came up empty on "High" with the newest definitions. I'm running a full scan now but it looks like it may take a while - I'll report back once it's finished.
     
  21. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Thanks Joe. I would like to know from what I lead to know.
     
  22. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    After I had a look at them, none of the commercial antirootkits, nor most of the standalone free antirootkits, are able to detect the rootkit once it is active in the system.
     
    Last edited: Apr 14, 2009
  23. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    My F-Secure 2009 scan has finished on a bare install of XP SP2 with the new MBR rootkit active and it was not detected with the newest definitions (updated directly before the scan on the High level of protection).
     
  24. Jin K

    Jin K Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    105
    PrevxHelp, or Joe if I can call you that :D

    Did you try Kaspersky 2009? On-demand and on-access?
     
  25. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    KIS 2009 misses it on-demand. A number of vendors have added this particular sample to detection on-access but the problem lies in detecting already infected computers :doubt:
     