rootkit driver install not intercepted by CFP?

Discussion in 'other anti-malware software' started by aigle, Aug 2, 2008.

Thread Status:
Not open for further replies.
  1. emperordarius (Registered Member; joined Apr 27, 2008; 1,218 posts; location: Who cares)
    Damn, I deleted the post instead of editing it :mad:
    Anyway, so maybe it can be prevented, but not detected after it has been loaded.
     
  2. Malcontent (Registered Member; joined Dec 30, 2005; 606 posts; location: Cleveland, Ohio USA)
    Looking forward to your results with Dr. Web.
     
  3. fcukdat (Registered Member; joined Feb 20, 2005; 569 posts; location: England, UK)
    No probs aigle on the support data/history of inch.sys ;) but phide_ex write up o_O ... if you mean versus RootRepeal (screenshots of its detections) then they were posted (amended) on the Monday as stated at the time :thumb:
    https://www.wilderssecurity.com/showpost.php?p=1287691&postcount=13
     
  4. aigle (Registered Member; joined Dec 14, 2005; 11,164 posts; location: UK / Pakistan)
    Thanks. I missed that. Will try it myself and see the results on my system.
     
  5. fcukdat (Registered Member; joined Feb 20, 2005; 569 posts; location: England, UK)
    lol, the case of the vanishing post is solved :D

    Well, certainly prevention is far better than cure (this always rings true) and RKs are no different to any malicious code. It is far better to intercept & block at the gates rather than deal with a post-execution scenario :thumb:
     
  6. simmikie (Registered Member; joined Nov 11, 2006; 321 posts)
    Thanks. In the process of 'copycatting' now! :D

    Mike
     
  7. fcukdat (Registered Member; joined Feb 20, 2005; 569 posts; location: England, UK)
    Dr.Web CureIt! versus loaded inch.sys = blind.

    [attachment: test.jpg]

    I can only conclude that the tool is blind to this driver, after all Dr.Web has a classification for the driver file when checked at VirusTotal :thumb:

    [attachment: dr web vt.jpg]
     
  8. testerazzi (Registered Member; joined Jun 13, 2008; 21 posts)
    First, aigle, thanks for all your work ;)

    I have tested ProSecurity, and it blocks the driver (the rootkit driver did not load).
    Returnil also works perfectly :thumb:
     

    Attached files: 1.jpg, 2.jpg, 4.jpg, 7.jpg, 8_2.JPG
  9. aigle (Registered Member; joined Dec 14, 2005; 11,164 posts; location: UK / Pakistan)
    Thanks for the nice screenshots. PS is/was great in all aspects except the GUI.
     
  10. Rasheed187 (Registered Member; joined Jul 10, 2004; 17,546 posts; location: The Netherlands)
    Both SSM Pro and NG pass the test; they are both able to stop the driver from loading. I'm surprised that ThreatFire and CFP both fail. What's so special about this malware?
     
  11. aigle (Registered Member; joined Dec 14, 2005; 11,164 posts; location: UK / Pakistan)
    The CFP bug will be fixed in the next release. Not sure about TF.
     