Rustock C no longer a myth, no longer a threat

Discussion in 'other anti-virus software' started by Meriadoc, May 6, 2008.

Thread Status:
Not open for further replies.
  1. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    This story seems a little bit strange.
    How could a so spreaded threat never be found and detected by any AV vendor... ?

    A fair procedure would be that Dr.Web should give this sample to other vendors also as they may provide good protection. I know there is a competition here but I didn't say to give it for free.
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    well, unless:cautious:

    anyway, you arent going to give away a gold chunk, especially when you can plaster it to your home page for recognition. They did it, so kudos to them.
     
  3. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Well, no one is sure that Dr.Web is the only detecting it. At the end, any company would try to advertise itself. So, Kaspersky may not detect it by normal scanning, but maybe with Maximum Heuristics and Proactive protection, it will. Hoping for v 2009, expecially

    I know. It's a security revolution. It's like mixing Kaspersky and Avira's detection, NOD32's speed, Comodo's Firewall, and the rootkit detection of all anti rootkits. :D
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    throw in for Easter, EQsecure.;)
     
  5. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    IMPORTANT NOTE!

    Please, if ANYONE finds the supposed rootkit in his/her pc, please try to take the sample and spread it to antiviruses (via VirusTotal, Jotti, or by sending the emails manually);)
     
  6. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    and still missing Rustock C ? ;)
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Are you so sure.;)
     
  8. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    When Kaspersky employees say so themselves, yes.
     
  9. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Alot has changed today, especially with what 2009 can do. But that is just me talking.:)
     
  10. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    I don't know, but I think that Kaspersky workers said that Kaspersky didn't have the file in signature, not that it can't detect it. And did they talk also about v 2009? I doubt it.
     
  11. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    Well uh, you don't know.......:rolleyes:

    Look buddy, Kaspersky is a very good AV, I'm using it myself for more than 5 years now, but try to keep things in perspective. ;)
     
  12. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Don't know, but I see kaspersky as powerful and very good at finding new threats. Dr.Web is a good antivirus indeed, but it didn't really surprise me. At the end, who knows , except for Dr.Web? But it shouldn't be me speaking for kaspersky, rather a kaspersky employee should be.
    ~~ snipped off-topic question ~~
     
    Last edited by a moderator: May 6, 2008
  13. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,253
    Location:
    New England
    A lot of off-topic posts removed, some asking where certain members were and why they weren't commenting in this thread, some jibes against users of one product stating theirs was many steps behind another (yeah, insulting a whole group of members is always a good idea), and someone's who never scans saying he never needs to and is proud of it.

    The topic here is Rustock C and about what Dr.Web has done with it. Nothing else.
     
  14. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    why would they give away or even sale there hard work to there competitors?
     
  15. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,688
    Another good reason to do a scan with DrWeb CureIt from time to time. :D
     
  16. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I agree, I love DrWeb cureit very nifty liitle tool.
     
  17. bman412

    bman412 Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    261
    Quick question... Avira free's detection lists RKIT/RUSTOCK.C all the way to RKIT/RUSTOCK.J.

    Is the rustock in this topic the same as the one/ones detected by avira?
     
  18. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,641
    Location:
    Sneffels volcano
    I feel it strange too..
    How come no other AV can detect this 'threat'? Unless of course it's a homemade 'pizza' :rolleyes: in which case they aren't going to sell the recipe to anyone :D
     
  19. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Not really, still too many false alarms. The heuristic is cruel and will remain cruel until the end.
    I don´t believe the hype, not much changed, imo, except of adding few signatures.

    One simple example for all:
    nutils.dll -> DrWeb Cureit: Trojan.Ntrootkit.103

    ThreatExpert: ThreatExpert's awareness of the file "nutils.dll":
    Across all ThreatExpert reports, the file "nutils.dll" has never been identified as a threat.
    Looooool.
     
    Last edited: May 6, 2008
  20. sergeyko

    sergeyko AV Expert

    Joined:
    May 16, 2006
    Posts:
    56
    You would not believe how often we tried VirusTotal and Jotti with this virus...
     
  21. sergeyko

    sergeyko AV Expert

    Joined:
    May 16, 2006
    Posts:
    56
    No, it is not.
     
  22. egghead

    egghead Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    443
    Location:
    The Netherlands
    I had 1 false positive in 2 months, after reporting this to Dr.Web this was fixed within 30 minutes.

    No idea what this is supposed to mean, but I guess that against malware you have to be "cruel". :D

    There is no hype with the Doctor. Do some googling and you will find reports of users whos systems have been desinfected with the help of CureIt/Dr.Web, because their "99.9% detection" or "gold medal" AV missed some nasty and could not remove it.

    So? If I want to I can give examples of every "big boy" in this industry that has comparable misses.
     
    Last edited: May 7, 2008
  23. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    177
    Location:
    Czech Republic
    this is quite nice news ... ofc in PR style but ...

    could You please expand a bit this entry

    "A particular sample of the rootkit becomes adjusts to the hardware of an infected machine and most likely won’t run on another computer. "

    how exactly ? is this tied with some firmware or even tampering with some hardware device firmware/bios ?
     
  24. ola nordmann

    ola nordmann Registered Member

    Joined:
    May 6, 2007
    Posts:
    89
    Well, that's not excactly what I call evidence.

    There are a couple of problems with these types of arguments often presented by you or C.S.J. in favour of Dr.Web:

    - Just because program B picks up "left-overs" from A, doesn't mean it's better. What about the stuff that A actually DID detect and block in the first place? Are you sure B would pick up all of them? No one can be totally sure, but still this is often used as "evidence" in forums that one AV is better than another, even though the collection of viruses were not the same, as program A may have already removed quite a lot that B would not have detected. So this may be a totally unfair comparsion.

    - Another thing is detection vs. cleaning. I think most agree that Dr.Web is very good at cleaning infected computers. But is it also the best AV for detection, and thereby preventing infections in the first place? I'm not so sure, and I truly believe that Avira, Kaspersky, NOD32, F-Secure and others can do an equally or better job. So the question remains: do you need the best detector/blocker or the best cleaner? Personally I have not been infected by virus since early or mid 90-ies, so naturally I am not that conserned about cleaning abilities. If I do catch a real nasty infection one day, I would restore my PC from a known clean image - the only way to be 100% sure :)

    I think you have a little too much confidence in the "doctor" - think about it, the rootkit went undetected for a long time even with dr web. Even though it is eventually removed from a system, what about all the bad stuff it may have done in the meantime? E.g. stealing confidencial data - how can you undo that with a good virus-cleaner? My point is that no one should rely 100% on their favourite AV. It's important to take other precautions as well. :)
     
  25. marciocruz

    marciocruz Registered Member

    Joined:
    May 7, 2008
    Posts:
    253
    if i'm not wrong,trendmicro remove the aka Rustock.C without problem,and is detected by another av's company.like you can see in:

    http://www.trendmicro.com/vinfo/emea/virusencyclo/default5.asp?VName=RTKT_RUSTOCK.C&VSect=P

    so i'm not shure about dr.web "unique"

    because what say on dr.web website is:

    "Dr.Web scanner successfully detects Win32.Ntldrbot (aka Rustock.C) and cures system files infected by the rootkit. Currently no other anti-virus can detect this malicious program"

    lool.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.