Rustock C no longer a myth, no longer a threat

Discussion in 'other anti-virus software' started by Meriadoc, May 6, 2008.

Thread Status:
Not open for further replies.
  1. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    I was never aware we were on bad grounds, Ade just stopped submitting samples to us. :(

    FYI : For those that did submit the Rustock samples (and others), we processed them all and they are in today's batch!
     
  2. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,688
  3. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    I want to personally thank Ade for submitting us the Rustock samples - we are processing them now and are adding to our definition set to handle this variant of Rustock!

    We are all in this together against the malware, not eachother, and I hope that we can continue down this path! :)
     
  4. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,641
    Location:
    Sneffels volcano
    It's good to see that an AS product can deal with this type of threat as well :thumb:
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,064
    nice to see your once again removing all threats not just the easy ones.
    that will make three products i own be able to detect and remove rustook when active. keep up the good work.
    i reccomend your product alot always gets the job done.
     
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    You mean Trojan downloader.Agent.ddl is no match for Defencewall as for Rustock C/ntldrbot then it has still not been tested versus DW!

    BTW too many people are getting confused between what is ntldrbot/rustock C code and the trojan downloader agent that until recently imported it before the server went awol;)

    Mindyou good luck to Ilya in his search for a dropper as it dose not exist!!!
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Hmmmm... Is it really true?

    Then why EP was referring that DW, SSM, KAV PDM etc bypassed by it? Some people claimed on these forums that they have the droppers, so is said about Dr.Web.
     
    Last edited: Jun 11, 2008
  8. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
    Has GesWall been tested against this?
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Q is how to test?
     
  10. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Two of my users have sent me the Ntldrbot dropper. This piece of malware, runned as untrusted, successfully died right after DefenseWall did blocked its attempt to create its driver. So, everything EX_XOFF wrote about DefenseWall defense bypass is just a bullshit. Big PR, miserable results- all as usual.

    I'm going to write an official press-release about it.

    As about Downloader.Agent.ddl- if somebody have a sample of it, send it to me and I'll test it against DW.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    1- Are you sure that it,s really Rustock dropper?

    2- It,s hard for me to swallow that EP will just boast such a thing without any grounds unless there is a big misunderstanding.
     
  12. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    lol Ilya upload your so called droppers to VT...ignore Doctor Webs flag and look at the other classifications;)
    ~VirusTotal and\or Jotti link removed per Policy....Bubba~ is dropper for the agent;)

    And here is the Agent that is dropped!


    Since the servers it phone home data too our now not responding for sometime there is currently no chance of testing versus Defence Wall versus ntldrbot as it loads...with one exception;)

    Grab yourself one of the 2 broken ntldrbot infected drivers doing the rounds in research forums...unpack(lol) and repair...Patch VM detction and hardware specific detection then load the driver...Mind you since there are'nt too many folks on teh planet up to that task then i guess you won't get your chance to test versus live infection!

    ~VirusTotal and\or Jotti link removed per Policy....Bubba~

    No need to send you the relevent agent droppers as u have just tested them and about to write article on it:D
     
    Last edited by a moderator: Jun 12, 2008
  13. Laerua

    Laerua Registered Member

    Joined:
    May 7, 2008
    Posts:
    3
    Check the rootkit.com for more information about Rustock.C and its dropper :)
     
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Aigle, I did check the sample you sent me. The verdict is the same- CureIt flags it as Win32.Ntldrbot, running untrusted it dies right after this:"Attempt to create new file D:\WINDOWS\system32\drivers\5b74e998.sys". One more time- DefenseWall is immune to Rustock.C infection, this is my official position and I can prove it with samples and experiments. If somebody want to believe that this is not a real dropper, there is no dropper at all and computers are infected by miracle or there is a Sinderella nearby- it's not my problem.
     
    Last edited: Jun 12, 2008
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,032
    Hello,

    A general question to all:

    Why do you doubt Ilya's findings? If DefenseWall prevents (untrusted) executables from installing drivers, then ... it prevents executables from installing drivers! Why should it be any different for file x versus file y?

    It's a matter of permissions. Very simple really ...

    Mrk
     
  16. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,688
    I never said I doubted Ilya.
    I have no reason to. :D
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Becoz it has been bypassed more than once. Why to close eyes? Any thing can fail anyehre.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.