Olmarik / TDL3 rootkit

Discussion in 'ESET NOD32 Antivirus' started by Marcos, Feb 17, 2010.

Thread Status:
Not open for further replies.
  1. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Re: Disinfecting of Sality.

    If you were unable to clean a computer infected with the Olmarik (aka TDL3) rootkit using this ESET Olmarik cleaner, let us know. Also we are planning to make some improvements for detecting and cleaning rootkits using the ESET rescue cd.
     
  2. Roman Rashevskiy

    Roman Rashevskiy Former Poster

    Joined:
    Jan 17, 2010
    Posts:
    13
    Location:
    Russia
    Re: Disinfecting of Sality.

    I will test this utility tomorrow, but ESET NOD32 Antivirus and ESET Smart Security are unable to clean a computer infected with TDL3, and I think that an antivirus product which relies on signature-based methods should not only detect threats but should also clean the PC of them.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Re: Disinfecting of Sality.

    This is not always feasible. For that reason, AV vendors also create standalone cleaners/removers besides the anti-virus programs. In the case of rootkits the best course of action is to boot from a clean media (e.g. ESET rescue cd), scan the disk and remove all found malware.
     
  4. Roman Rashevskiy

    Roman Rashevskiy Former Poster

    Joined:
    Jan 17, 2010
    Posts:
    13
    Location:
    Russia
    Re: Disinfecting of Sality.

    I understand that some threats (such as the rootkit for the Mac keyboard) can't be cleaned by AV products, but Dr.Web and Kaspersky Lab can clean TDL3. ;)
     
  5. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Re: Disinfecting of Sality.

    I see that the detection database as early as 4083 has been targeting Win32/Olmarik, fwiw, an observation :)
     
  6. Roman Rashevskiy

    Roman Rashevskiy Former Poster

    Joined:
    Jan 17, 2010
    Posts:
    13
    Location:
    Russia
    Re: Disinfecting of Sality.

    I see it too: ESET can detect TDL3 if your computer is not infected with this threat, but if your computer is infected with it, ESET Antivirus NOD32 and Smart Security can't help you ;)
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Re: Disinfecting of Sality.

    Again, did you try the Olmarik removal tool? Standalone cleaners as well as the rescue cd are intended for cases when malware authors intentionally target specific security software and tailor the code to such an extent that it's undetected / unremovable by standard means.
     
  8. Roman Rashevskiy

    Roman Rashevskiy Former Poster

    Joined:
    Jan 17, 2010
    Posts:
    13
    Location:
    Russia
    Re: Disinfecting of Sality.

    I can clean TDL3 without any removal tools from AV vendors.
    But I want to know: when will ESET's products be able to remove this threat without a special removal tool?

    You can read this test: http://www.anti-malware-test.com/?q=node/180 ;)
     
  9. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Re: Disinfecting of Sality.

    As Marcos has requested from you here: have you used the Win32/Olmarik rootkit tool?

    The tool is available to all who require it, regardless of whether you can remove this rootkit manually. No one other than a highly skilled malware specialist could remove this manually, so I think your request of ESET is generally moot.

    I believe I could say to some level of certainty that the ESET Team are working around the clock to build into the detection database sufficient protection without requiring a special tool.
     
    Last edited: Feb 18, 2010
  10. biscuits

    biscuits Registered Member

    Joined:
    Feb 16, 2010
    Posts:
    113
    Re: Disinfecting of Sality.

    Why do you want to know when ESET NOD32 and SS will be able to remove TDL3?
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Re: Disinfecting of Sality.

    Active Olmarik detection should improve if you use EAV/ESS 4.2 or enable pre-release updates.

    The stand-alone cleaner is going to be updated shortly as well. The new version will bring improved detection/removal for new variants, including those against which some competitive removers are ineffective.
     
  12. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    You may enable pre-release updates here
    As Marcos said in his previous post and I quote:
    This is excellent news that newer variants of this rootkit will be better targeted and removed successfully.
     
  13. ESS3

    ESS3 Registered Member

    Joined:
    Dec 11, 2007
    Posts:
    112
    Last edited: Feb 20, 2010
  14. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  15. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    667
    He's referencing the post further up about "www.anti-malware.ru". But as this is a serial thread, you can only post after the last existing post....
     
  16. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372
    It's great that the AV companies are responding with add-on tools (assuming the users know where to look, and that assumes that the user is security aware and not someone who just wants the AV to work).
    It's also great that the new detection schemes are being implemented into 4.2.

    However, what everyone seems to miss is the point that Roman is attempting to drive upon (whether he/she/bot is sponsored by the big Circle K or not). The point being: why isn't NOD32 capable of removing the rootkit with its anti-stealth technology while other AVs have no problems in the removal? Wasn't the whole point of version 4 a better infection removal of deeply entrenched infections and better detection of unknown infections? That was the main idea why we are sacrificing massive CPU cycles (over large or unknown files) with version 4 over the low resource hit of version 2.7.

    I am not for or against, just re-stating what I think is the gist that he/she/bot was attempting to convey.
     
  17. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
  18. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Other AVs do have a problem with removal. F-Secure for one. See here https://www.wilderssecurity.com/showthread.php?p=1628175#post1628175
     
  19. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    @ GrammatonCleric

    Much of this, less being botted, has been discussed already; we await these from ESET.
     
  20. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    That was Feb 19th and now it's the 22nd, so let's see it, and the TDL3 has probably changed a few times since! That is why I made my quotes of Marcos' blogs! I'm an avid NOD32 user and they need to detect it with its Advanced Heuristics and block new variants with it! I would love to see the famous Advanced Heuristics kick into action on this one.

    TH
     
    Last edited: Feb 22, 2010
  21. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Noted, Triple Helix. ESET surely has not forgotten what they had promised and are surely working on as I type and as Marcos has already said.

    We are all on the same team with respect to getting a tool and/or hoping that ESET will be able to build into the scanning heuristics of NOD32
     
    Last edited: Feb 23, 2010
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    1. Most new Olmarik variants are detected proactively, or detection is added quickly when a new variant appears. So there's very little chance that you would get infected with ESET running and kept up to date.

    2. As for removal, even standalone tools from other vendors don't detect / remove every variant. As I wrote, all Olmarik variants should be detected with the latest Anti-stealth module available in v. 4.2 or on pre-release update servers.
     
  23. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Quote from your link:

    TDL3 writers are changing faster than the signatures are getting out, which is the reason I suggested using Advanced Heuristics to protect us now! Proactive protection, not a cleaning tool! ;)

    TH
     
  24. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    Agreed, that's what I was looking for: detected proactively and blocking new variants :thumb: And I do have pre-release updates checked!

    Thanks Marcos!

    TH
     
    Last edited: Feb 23, 2010
  25. czarWilliam

    czarWilliam Registered Member

    Joined:
    Feb 23, 2010
    Posts:
    1
    Dear Marcos,

    I have scanned my system with many different malware scanners recently. Eset NOD32 is the only one that detected the presence of the Win32/Olmarik rootkit. Eset deserves full marks for its detection capability.

    However, I have run the Eset Win32/Olmarik Remover version 1.1.0.1. I regret to inform you that it has failed to remove the rootkit. When I open the program it confirms the presence of the infection on my system. After running the Remover I receive an erroneous message that claims that the infection has been successfully removed. The infection still lives. It is time for a new, improved version of the Remover.

    P.S. Kaspersky's TDSSkiller version 2.2.4 did remove it.
     