Rustock C no longer a myth, no longer a threat

This story seems a little bit strange.
How could a so spreaded threat never be found and detected by any AV vendor... ?

A fair procedure would be that Dr.Web should give this sample to other vendors also as they may provide good protection. I know there is a competition here but I didn't say to give it for free.

 

well, unless

anyway, you arent going to give away a gold chunk, especially when you can plaster it to your home page for recognition. They did it, so kudos to them.

 

Well, no one is sure that Dr.Web is the only detecting it. At the end, any company would try to advertise itself. So, Kaspersky may not detect it by normal scanning, but maybe with Maximum Heuristics and Proactive protection, it will. Hoping for v 2009, expecially

I know. It's a security revolution. It's like mixing Kaspersky and Avira's detection, NOD32's speed, Comodo's Firewall, and the rootkit detection of all anti rootkits.

 

throw in for Easter, EQsecure.

 

IMPORTANT NOTE!

Please, if ANYONE finds the supposed rootkit in his/her pc, please try to take the sample and spread it to antiviruses (via VirusTotal, Jotti, or by sending the emails manually)

 

and still missing Rustock C ?

 

Are you so sure.

 

When Kaspersky employees say so themselves, yes.

 

Alot has changed today, especially with what 2009 can do. But that is just me talking.

 

I don't know, but I think that Kaspersky workers said that Kaspersky didn't have the file in signature, not that it can't detect it. And did they talk also about v 2009? I doubt it.

 

Well uh, you don't know.......

Look buddy, Kaspersky is a very good AV, I'm using it myself for more than 5 years now, but try to keep things in perspective.

 

Don't know, but I see kaspersky as powerful and very good at finding new threats. Dr.Web is a good antivirus indeed, but it didn't really surprise me. At the end, who knows , except for Dr.Web? But it shouldn't be me speaking for kaspersky, rather a kaspersky employee should be.
~~ snipped off-topic question ~~

 

why would they give away or even sale there hard work to there competitors?

 

Another good reason to do a scan with DrWeb CureIt from time to time.

 

I agree, I love DrWeb cureit very nifty liitle tool.

 

Quick question... Avira free's detection lists RKIT/RUSTOCK.C all the way to RKIT/RUSTOCK.J.

Is the rustock in this topic the same as the one/ones detected by avira?

 

I feel it strange too..

How come no other AV can detect this 'threat'? Unless of course it's a homemade 'pizza' in which case they aren't going to sell the recipe to anyone

 

Not really, still too many false alarms. The heuristic is cruel and will remain cruel until the end.
I don´t believe the hype, not much changed, imo, except of adding few signatures.

One simple example for all:
nutils.dll -> DrWeb Cureit: Trojan.Ntrootkit.103

ThreatExpert: ThreatExpert's awareness of the file "nutils.dll":
Across all ThreatExpert reports, the file "nutils.dll" has never been identified as a threat.
Looooool.

 

You would not believe how often we tried VirusTotal and Jotti with this virus...

 

No, it is not.

 

I had 1 false positive in 2 months, after reporting this to Dr.Web this was fixed within 30 minutes.

No idea what this is supposed to mean, but I guess that against malware you have to be "cruel".

There is no hype with the Doctor. Do some googling and you will find reports of users whos systems have been desinfected with the help of CureIt/Dr.Web, because their "99.9% detection" or "gold medal" AV missed some nasty and could not remove it.

So? If I want to I can give examples of every "big boy" in this industry that has comparable misses.

 

this is quite nice news ... ofc in PR style but ...

could You please expand a bit this entry

"A particular sample of the rootkit becomes adjusts to the hardware of an infected machine and most likely won’t run on another computer. "

how exactly ? is this tied with some firmware or even tampering with some hardware device firmware/bios ?

 

Well, that's not excactly what I call evidence.

There are a couple of problems with these types of arguments often presented by you or C.S.J. in favour of Dr.Web:

- Just because program B picks up "left-overs" from A, doesn't mean it's better. What about the stuff that A actually DID detect and block in the first place? Are you sure B would pick up all of them? No one can be totally sure, but still this is often used as "evidence" in forums that one AV is better than another, even though the collection of viruses were not the same, as program A may have already removed quite a lot that B would not have detected. So this may be a totally unfair comparsion.

- Another thing is detection vs. cleaning. I think most agree that Dr.Web is very good at cleaning infected computers. But is it also the best AV for detection, and thereby preventing infections in the first place? I'm not so sure, and I truly believe that Avira, Kaspersky, NOD32, F-Secure and others can do an equally or better job. So the question remains: do you need the best detector/blocker or the best cleaner? Personally I have not been infected by virus since early or mid 90-ies, so naturally I am not that conserned about cleaning abilities. If I do catch a real nasty infection one day, I would restore my PC from a known clean image - the only way to be 100% sure

I think you have a little too much confidence in the "doctor" - think about it, the rootkit went undetected for a long time even with dr web. Even though it is eventually removed from a system, what about all the bad stuff it may have done in the meantime? E.g. stealing confidencial data - how can you undo that with a good virus-cleaner? My point is that no one should rely 100% on their favourite AV. It's important to take other precautions as well.

 

if i'm not wrong,trendmicro remove the aka Rustock.C without problem,and is detected by another av's company.like you can see in:

http://www.trendmicro.com/vinfo/emea/virusencyclo/default5.asp?VName=RTKT_RUSTOCK.C&VSect=P

so i'm not shure about dr.web "unique"

because what say on dr.web website is:

"Dr.Web scanner successfully detects Win32.Ntldrbot (aka Rustock.C) and cures system files infected by the rootkit. Currently no other anti-virus can detect this malicious program"

lool.