New MBR rootkit goes undetected

Discussion in 'other anti-virus software' started by MAOS, Apr 13, 2009.

Thread Status:
Not open for further replies.
  1. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    I agree Joe is a great professional!:thumb:

    TH
     
  2. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Yes and always very informative and interesting to read.:thumb:
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    GREAT TOPIC and answers without equal.

    So if I understand it right, another alternative, in like manner to a system image taken for restoring purposes later should the need arise, would also be to use any app designed to safely COPY your entire MBR and PARTITION TABLE (because they will likely fudge that up too) to any external media. If by chance the apps mentioned failed for whatever reason, which isn't likely we hope, it's but a simple matter of restoring BOTH of those critical boot components, either over the malicious boot rootkit or even by cleaning or wiping those sectors and replacing them with the saved copies, to fully restore functionality once again.

    Does this seem sound alternative advice in your opinions as another method?

    EASTER
     
  5. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    If you have a clean image or a boot CD, removal is straightforward by "fixmbr" or "fdisk /mbr" or any other method to write a clean MBR to the drive, and you should be able to boot cleanly directly after without needing to modify any other data (however, a majority of users don't have those "luxuries" :().

    The primary rootkit loader infects and secures the first 512 bytes of the hard disk, so if you can either replace those or take an image which doesn't include those bytes, you should be safe :)

    From what I've seen, the partition table remains untouched and I suspect it will stay that way as the rootkit tries to remain as compatible as possible by modifying as little as possible.
     
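    The two posts above describe the whole repair in a few sentences: the bootkit lives in the first 512 bytes, the partition table (bytes 446-509 of that sector) is left alone, and a clean copy of the boot code written back over it is enough. The script below is an added example, not code from this thread or from Prevx, that does exactly that on an image file: it takes a backup of the MBR, parses the partition table, reports whether the boot code or the partition table differ from the saved copy, and rebuilds a clean sector from the known-good boot code plus the partition table currently on disk. The 512-byte layout it assumes is the classic MBR (boot code, four 16-byte entries, 0x55AA signature); it does not handle GPT disks. The sample sector and the "infected" variant are constructed inline so it runs offline.

```python
"""Back up, check and repair a classic MBR without touching the partition table.

Added example for this thread; not code from the original posters or from Prevx.
Assumed layout of the first sector (classic MBR, not GPT):
    bytes   0..445   boot code        (what an MBR bootkit overwrites)
    bytes 446..509   4 x 16-byte partition entries
    bytes 510..511   0x55 0xAA boot signature
To use it on a real disk, point the path at the raw device (/dev/sda, or
\\\\.\\PhysicalDrive0 on Windows) with administrator rights; test on an image first.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_END = 446      # boot code occupies bytes 0..445
PTABLE_OFF = 446        # partition table starts here
SIG_OFF = 510           # 0x55AA signature
PT_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(path):
    """Read the first 512 bytes of a file or raw device."""
    with open(path, "rb") as f:
        mbr = f.read(MBR_SIZE)
    if len(mbr) != MBR_SIZE:
        raise ValueError("short read: not a full sector")
    return mbr


def has_signature(mbr):
    return mbr[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA"


def bootcode_hash(mbr):
    """SHA-256 of the boot code only; a change here is what MBR monitoring alerts on."""
    return hashlib.sha256(mbr[:BOOTCODE_END]).hexdigest()


def parse_partitions(mbr):
    """Decode the four primary partition entries into dicts."""
    entries = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack_from(
            PT_ENTRY, mbr, PTABLE_OFF + 16 * i)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(current, baseline):
    """Compare a freshly read sector against the saved known-good copy."""
    return {
        "signature_ok": has_signature(current),
        "bootcode_changed": current[:BOOTCODE_END] != baseline[:BOOTCODE_END],
        "ptable_changed": current[PTABLE_OFF:SIG_OFF] != baseline[PTABLE_OFF:SIG_OFF],
    }


def restore_bootcode(current, baseline):
    """Clean sector = known-good boot code + the partition table currently on disk.

    Keeping the *current* table matters: partitions may have been resized or
    added legitimately since the backup, and fixmbr-style repair keeps them too.
    """
    return baseline[:BOOTCODE_END] + current[PTABLE_OFF:SIG_OFF] + b"\x55\xAA"


def write_mbr(path, mbr):
    """Write a sector back; refuse anything that is not a well-formed 512-byte MBR."""
    if len(mbr) != MBR_SIZE or not has_signature(mbr):
        raise ValueError("refusing to write a malformed MBR")
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(mbr)


def sample_clean_mbr():
    """Constructed sample: dummy boot code and one bootable NTFS partition at LBA 63."""
    boot = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOTCODE_END - 4)
    entry = struct.pack(PT_ENTRY, 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 488392002)
    return boot + entry + b"\x00" * 48 + b"\x55\xAA"


def demo():
    """Simulate a bootkit that replaces the boot code but leaves the table alone, then repair."""
    clean = sample_clean_mbr()
    infected = b"\xEA\x00\x7C\x00\x00" + b"\xCC" * (BOOTCODE_END - 5) + clean[PTABLE_OFF:]
    findings = check_mbr(infected, clean)
    repaired = restore_bootcode(infected, clean)
    return findings, repaired == clean, parse_partitions(repaired)[0]


if __name__ == "__main__":
    findings, fixed, part0 = demo()
    print(findings, "repaired == clean:", fixed, "partition 0:", part0)
```

    A real run would be `baseline = read_mbr(backup_path)` once on a known-clean system, then periodically `check_mbr(read_mbr(device), baseline)`; only if `bootcode_changed` is set and `ptable_changed` is not, `write_mbr(device, restore_bootcode(current, baseline))`. If the partition table also differs, stop and look before writing anything, since that is not the pattern the posts describe.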
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks PrevxHelp

    I always depended on ERD Commander, which most folks have never heard of, let alone what it can do by loading your system into its artificial environment; then you're free to browse the entire gamut of files and such and pull away stubborn infections, as well as those insidious Root\Legacy entries in the registry that, more or less due to permissions, LOCK their supporting files and system drivers as well as concealing them. BTW, RegistryCrawler is one of my best investments ever. If a registry item such as an ENUM\ROOT\Legacy key doesn't delete, it JUMPS at once to the locked registry line and saves a lot of time by changing permissions, then deleting the foul flypaper entry and its history.

    The straightforward approach you mention is by far the easiest and quickest way, I must agree, but the normal user, not knowing what in the world has happened to them, is left gasping in panic should such an MBR rootkit attack go untouched, along with whatever else it might have been designed to do to a system.

    But your approach for those like us should be a piece of cake.

    EASTER
     
  7. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Before I test DriveSentry...will a system restore undo this infection?
     
  8. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    Will Sandboxie prevent this MBR Rootkit from installing?

    I currently rely heavily on Sandboxie to protect me. I am thinking about adding another layer of defense, if necessary.

    Thank you.
     
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Yes, as long as the file is run completely within the sandbox, Sandboxie does block it from installing by preventing it from accessing the disk directly :)
     
  10. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Anyone? I'm waiting to test DS :D
     
  11. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    DriveSentry intercepts installation.
     

    Attached: Test.jpg
  12. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Did you seriously run this infection with the hopes of system restore fixing everything? I'm no expert but system restore is limited in what it can fix/undo. At a minimum you want a good clean image to restore.

    I do hope you know more than you're letting on. Usually when people test malware such as this it's on a test machine and/or within a virtual machine. I have Returnil and I'm not touching this malware because it's my only machine.

    Anyways, good to hear DS was able to block the installation :thumb:. DS should give you a free license for your faith in them :D.
     
  13. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Yeah, I'm using a test machine. A $400 acer special dedicated to testing malware. I do have a backup image but I hate using it because the image is from way back when...I'd have to install all my current security software all over again. I need to make another image...just takes too damn long on a 250 gig drive....maybe this weekend though.
     
  14. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I'm tonight on a strictly test machine, so all bets are off. Not only that, but as much as I don't prefer XP SP3, it's going on tonight too.

    I've got to give this piece of junk a run inside if it can do it; I have the tools to pull it off if needed.

    I rarely go all out like this unless I throw caution to the wind, and this is one of those where I'm going to find out what it's made of.

    Wish me luck. Bunk, I say, to the VMware fearful. LoL. Take it to the raw metal and then observe.

    EASTER
     
  15. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Good to hear! You had me a bit worried for a minute LOL. I hope to get a used computer someday to play around with.

    EASTER,

    Have fun and good luck. If you can, get a few pics if your running security software.

    FWIW, SP3 isn't that bad. I've been using it since I built this rig a year ago.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks as always greets innerpeace!

    I don't see why some programmer, if that's what it takes, can't build a ring around the MBR to repel and alert to anything trying to change its code.
     
  17. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That's what we have in Prevx 3.0 - realtime MBR monitoring, as well as on-demand scanning/cleaning which will work if you're installing Prevx 3.0 after you've been infected. (The realtime piece helps if the rootkit gets past every other line of defense, allowing you to be warned and clean up the infection immediately).
     
  18. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    My BIOS has what is called "Boot Sector Protection", but the manual says it's for protecting the BIOS from viruses (i.e. unauthorized flashing). Have a look in your manual and see what it states.
     
  19. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    What is the problem here? Every decent HIPS can stop this infection; even Outpost can stop it, since they incorporated direct disk access protection in newer builds, and even KIS without a signature can stop it on Vista...
    (see screenshot)

    (Attached screenshot: 16.4.png)

    P.S. Threads with this type of infection and testing have been here a couple of times before (e.g. the killdisk malware), and I don't see any reason for this thread except Prevx promotion, which (BTW) still acts as rogue antimalware in trial mode and does not do its job of preventing infection...
     
    Last edited: Apr 16, 2009
  20. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Oh God :)

    When everyone raised the alarm about the MBR rootkit last year, everyone was right (and we were among the first). Now that we have raised the alarm about this new variant, it's only promotion :rolleyes:

    BTW: MBR rootkit cleanup is free for all.

    I won't comment on the last sentence, because it's evident you don't know how Prevx works :)
     
  21. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Comodo, for instance, has had direct disk access protection since they introduced v3, and this technique has been known for a long time. Also, with any sandbox you simply can't infect your system. And I know how Prevx works, and it acts as rogue software; there is one thing which differentiates you from "real" rogues: you have an uninstallation procedure, which is very good. The number of FPs is about the same, and no realtime protection in trial mode is the same as in rogue AM...
     
  22. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    It's good seeing people test their security programs against this variation.

    Maybe someone can test Shadow Defender? Would be interested to find out if a reboot removes the infection.

    But regarding once it is already installed, I think what Joe from Prevx was saying earlier, was that products may detect/block it, but not many (or any at the moment) will clean the infection once it is installed.

    About promoting your product, I think it's a good thing, whether for Avira, Panda, Dr.Web, Prevx, and all the rest, if a program is making progress against difficult malware, I'd like to be aware of it, otherwise I won't know. :)
     
    Last edited: Apr 16, 2009
  23. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    Imagine you infected your system at the time and you were running Prevx in trial mode; how long could you wait until purchasing a license?
     
  24. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    You could use dedicated free malware removal tools at that time, such as SAS, MBAM and DWCt, and be happy for the free realtime detection/heads-up PX3 provided you.

    Some behaviours of PX which differ from rogue apps: 1. False positives are unintentional. 2. Real malware detection is present. 3. Constant program updates. 4. Splendid support.
     
  25. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
    What if the infection is stealing your bank account, what then?

    So you have an infection detected by Prevx, and after you purchase your license, at last you find out it is one of many, many FPs. I doubt the number of FPs is unintentional; it is also there to allure new customers...
     
    Last edited: Apr 16, 2009