New MBR rootkit VS Returnil

Discussion in 'General Returnil discussions' started by betaman, Apr 14, 2009.

Thread Status:
Not open for further replies.
  1. betaman

    betaman Registered Member

    Joined:
    Jan 10, 2009
    Posts:
    8
    Link
    http://www.prevx.com/blog/120/MBR-rootkit-changes-itself-and-strikes-again.html

    Does Returnil protect from this new variant of MBR rootkit?
    I know Returnil protect the master boot sector, but this rootkit use new techniques, and the blogger says:
    Can someone test this rootkit?
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi betaman,
    Without having a sample to test against I would not be able to difinitively say yes or no. In theory however, RVS should protect against this type of attack. We do encourage testing and will be following this discussion closely.

    Be sure to make your reports as detailed as possible sans content mentioned in the warning below:

    Side note for participants in the discussion: Do not post links to the content as that information will be removed per the site TOS. If your testing reveals an issue, use the information in the malware sample submission Sticky to send us the binary or links where our research team can obtain the content.

    Thanks
    Mike
     
  3. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    I have tested this new mbr rootkit, and it's able to bypass Returnil. After the restart, system is infected by hidden code.

    I will send this sample to Returnil support tech, but please fix this issue and also the file protection issue, for the security of the user.
     
    Last edited: Apr 14, 2009
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Thanks developers - Please PM me the details of the submission (subject, name or nickname) so I can alert the team to it ASAP.

    Edit: We have recieved the sample and the team has been alerted.

    Mike
     
    Last edited: Apr 14, 2009
  5. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Have you been able to validate this yet?
     
  6. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    Returnil Virtual System 2009 beta 3 is immune to new MBR rootkit :thumb:
     
  7. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
    can we get a link to it now? Beta is ok with me. I did fill out the beta tester form also.
     
  8. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Interesting.
     
  9. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi,
    The list should be getting an e-mail later tonight (US EDT) or tomorrow announcing availability of Beta 4.

    Mike
     
  10. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
    Sweet thank you
     
  11. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    " Returnil Virtual System 2009 beta 3 is immune to new MBR rootkit "

    If this 100% correct then, as far as i'm aware it's the only App of ANY kind on the planet that can ! This includes all other similar products, and VM type Apps, and various flavours of System Restorers etc etc.

    So based on what was stated, full marks to all involved @ Returnil.

    Looking forward to some independent tests to confirm above.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    StevieO, you mean than this new MBR rootkit can bypass VMware etc as well?
     
  13. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    aigle

    Proviso " as far as i'm aware "

    I'm sure i read about it in a tech blog somewhere. If i can remember where and locate it, then i'll post it.
     
  14. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I don,t think that it,s true.
     
Loading...
Thread Status:
Not open for further replies.