(NEWS) Unreal.A rootkit high tide

Discussion in 'other security issues & news' started by Ice_Czar, Feb 10, 2007.

Thread Status:
Not open for further replies.
  1. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    http://rootkit.com/newsread.php?newsid=647

    Rootkit dangers at an 'all-time high'

    and who's responsible for naming this thing?
    The amount of "noise" in any search query trying to find info on this is going to be a pain for the average user.

    (did a search in here for unreal, which of course ran into the above issue, did one for unreal.A with no results, didn't bother to pare down the first query attempt to determine if this is old news or not, sorry if it is)
     
  2. EASTER.2010

    EASTER.2010 Guest

    I would also like to add, and think it bears noting, that HIPS/IDS and other behavior blockers and bad file interceptors/detectors are also at a premium all-time high and growing just as much.

    It is definitely the classic cat & mouse act plowing along at full steam ahead in both camps. The question is, will the end-user get to this knowledge and be able to configure these programs quickly enough to stave off rootkit malware's new releases before they have infiltrated their PCs?

    I don't have the figures at the ready but am working to compile some averages to this, because frankly Security Programs are swelling in ranks and numbers beyond the efforts of malware makers to keep up IMO.
     
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Antidote for Unreal.A is NoAdware4. It detects Unreal.sys.
     
  4. dave88

    dave88 Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    177
  5. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Unreal.A detected only by

    - IceSword plugin FileReg
    - latest GMER
    - RKU v3.20
    - UnHackMe, but it is a fake detection

    Unreal.B undetected by all of listed above.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    All rootkits are easily detectable by bootable CD v1.02.5.
    Mrk
     
  7. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    :D knoppix or?
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    Any which Linux - although preferably one with Windows diagnostics tools, including Helix and/or Knoppix, but also BartPE, UBCD4WIN.
    Dual boot will work as well.
    Mrk
     
  9. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Easier solution.

    FAT32 on the main boot disk + Windows 98 and no rootkit can escape.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    But Win98 is not very leet compared to Linux... Or even XP.
    Mrk
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    NTFS Alternate Data Streams look like a dream to rootkit writers, right?
    So, DOS-based Windows and FAT32 filesystem are virtually immune to rootkits in your opinion?
     
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    No, NoAdware4 detects it.


    What do you have to lose? Test the demo and convince yourself. I ran it for over a year, nearby spybro, ScanSpyware and all those "roooogue" Antispy products; they are as harmless as a fly. I don't like this criticism. I have no problem if they have FPs; in my opinion zlib.dll is a totally unnecessary file, so why is it rogue? Because of false positives? I don't like the so-called expert opinions, they are silly in my eyes.

    Yesterday when I went to bed I had exactly the same thought.

    Here is the proof, to prevent unnecessary discussion:

    http://i15.tinypic.com/2my85l0.png
     
    Last edited: Feb 15, 2007
  13. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    It shows you the registry key. Unreal.A doesn't hide registry keys. It hides the driver and file. If this program can't show them to you then it can't detect it.

    No, but it is easier to boot into Windows 98 and clean up a FAT32 drive after rootkits. Or even use a simple old good MS-DOS boot diskette. It is easier than using any variants of *nix / cdboot systems.
     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Look at the screen: File C:\unreal.sys. (Look exactly, you will see F I L E.)
    I tested most scanners; only NoAdware4 was able to detect the hidden ADS file/stream unreal.sys!

    ^^Look above^^
     
  15. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    @ SystemJunkie

    I would be very wary of recommending any roooogue Antispy products to anyone. They are not all as harmless as a fly: some are just useless, others are fake and pretend you're infected then ask for payment for a fix, and some are spyware etc. themselves. Why advise people to use those when there are much better genuine products available, many for free?

    Noadware is now delisted, but that doesn't mean it's great. I'll be very interested to hear more about the unreal.sys detection.


    StevieO
     
  16. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    It gets this name from the registry key:
    \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\unreal

    exactly from ImagePath '\??\C:\:unreal.sys'

    Noadware can't detect Unreal.A

    And on the screen I see "severe", which means "service", not driver or file.
     
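The point made in the two posts above (the ADS question in post 11 and the ImagePath of '\??\C:\:unreal.sys' in post 16) is that the service registration stays visible in the registry even when the driver file in the alternate data stream is hidden, so the ImagePath value is a cheap place to look. The following is an added example, not code from the thread or from any of the tools named in it. It assumes a registry export in .reg-style syntax (a constructed sample is embedded; the key names and values are made up to mirror the post, not real data) and flags every service whose ImagePath names an NTFS alternate data stream, whether the stream hangs off the volume root as in the thread or off an ordinary file.

```python
"""Flag service ImagePath values that point into an NTFS alternate data stream.

Added example (hypothetical helper, not a tool from the thread).  Input is a
.reg-style export; the sample below is constructed for illustration.
"""
import re
from typing import Optional

# Constructed sample in .reg syntax.  Only the 'unreal' key mirrors the
# ImagePath quoted in the thread; the other two are ordinary services.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\unreal]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\:unreal.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"ImagePath"="system32\\drivers\\disk.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Example]
"ImagePath"="C:\\Windows\\system32\\svchost.exe -k netsvcs"
"""

_KEY_RE = re.compile(r'^\[(.+)\]\s*$')            # [HKEY_...\Services\name]
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')  # "Name"="string value"
_NT_PREFIXES = ('\\??\\', '\\\\?\\', '\\\\.\\')   # NT object-manager prefixes


def unescape_reg_string(s: str) -> str:
    """Undo the doubled backslashes that .reg syntax uses inside strings."""
    return s.replace('\\\\', '\\')


def parse_service_image_paths(reg_text: str) -> dict:
    """Return {registry key: ImagePath} for every key carrying an ImagePath."""
    result = {}
    current = None
    for line in reg_text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and current and m.group(1).lower() == 'imagepath':
            result[current] = unescape_reg_string(m.group(2))
    return result


def normalize_path(p: str) -> str:
    """Strip an NT prefix such as \\??\\ so only the Win32 path remains."""
    for pre in _NT_PREFIXES:
        if p.startswith(pre):
            return p[len(pre):]
    return p


def split_ads(image_path: str) -> Optional[tuple]:
    """If the path names an alternate data stream, return (host, stream).

    'C:\\:unreal.sys'        -> ('C:\\', 'unreal.sys')   stream on the volume root
    'C:\\a.exe:b'            -> ('C:\\a.exe', 'b')        stream on a file
    'system32\\drivers\\x.sys' -> None                  no stream
    """
    p = normalize_path(image_path)
    # ImagePath may be a command line; only the first token is the file.
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        p = p.split(' ', 1)[0]
    drive, body = '', p
    if re.match(r'^[A-Za-z]:', p):
        drive, body = p[:2], p[2:]    # the drive-letter colon is not a stream
    if ':' not in body:
        return None
    host, stream = body.split(':', 1)
    return (drive + host, stream)


def find_ads_services(reg_text: str) -> dict:
    """Map registry key -> (host, stream) for each service whose ImagePath is an ADS."""
    hits = {}
    for key, path in parse_service_image_paths(reg_text).items():
        ads = split_ads(path)
        if ads:
            hits[key] = ads
    return hits


if __name__ == '__main__':
    for key, (host, stream) in find_ads_services(SAMPLE_REG_EXPORT).items():
        print(f"{key}: ImagePath is stream '{stream}' attached to '{host}'")
```

On a live system the same check is run against `reg export HKLM\SYSTEM\CurrentControlSet\Services` output, ideally taken from offline media as the later posts suggest, since a kernel rootkit that hides its driver file may also filter registry reads while it is running.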
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Probably you need glasses, I don't understand this bullishness.

    Again the picture http://i15.tinypic.com/2my85l0.png

    Severe is the threat degree. OMG o_O o_O

    I really like noadware and it detects the hidden Unreal.A as F I L E not as registry entry, File stands for File, understand?!
     