Rustock C no longer a myth, no longer a threat

Discussion in 'other anti-virus software' started by Meriadoc, May 6, 2008.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    In some rare cases Dr.Web has a "unique" detection.

    But this rus.c story really doesn't look as fresh as propagated; an infected ntldr, was that all? There was so much hype that
    one could believe it would be the ultimate thing.
    Just one look into ntldr and it is done.
     
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Hmm, I think Dr.Web is saying that nobody can detect the rootkit *after* it is activated on a computer apart from Dr.Web. Most likely the inactive samples are detected by most competent AV vendors.
     
  3. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I still don't understand other posters' comments about not caring if their AV can clean or not. Sure, at first if the AV has a signature for the inactive malware it's blocked. But what if it infects your system and your AV vendor adds the signature later? Well, if your AV is blind to the active malware, it is quite useless. Who knows what the hidden malware could do. This is why I'm glad Dr.Web can see this infection when it's loaded and also cure it.
     
    Last edited: May 7, 2008
  4. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
  5. format_c

    format_c Registered Member

    Joined:
    May 6, 2008
    Posts:
    116
    Do not remember me in vain, keep your hands off! :D
     
  6. Teknokrat

    Teknokrat Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    95
    Location:
    First Life? (Sweden)
    Excellent analogy! :thumb:

    /T
     
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Are you sure? Do you trust a PR action? In the meantime they already created Rus.D and you are glad for Rus.C detection, but it is nothing but an endless cat-and-mouse action.
     
  8. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    Yup, fatdcuk always manages to get a sample of the latest rootkits :D
    Whether other AV vendors will detect it when loaded and be able to remove it is another matter.
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'd guess it's more a PR spin than anything. Nothing wrong with that, except when it creates paranoia and users buy the hype.
    I'd say that they're using Symantec's nomenclature. Symantec has done an extensive research on Rustock:
    - Rustock.A write-up
    - Rustock.B write-up
    - Raising the Bar: Rustock.A and Advances in Rootkits
    - Handling Today's Tough Security Threats

    Rustock.C was supposed to be the next evolution in the area of hiding (direct hooking of disk and network drivers, etc) and code polymorphism (file infector, packing, etc)
     
    Last edited: May 7, 2008
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, scanned it on virscan.org which has trend micro also and no detection. :)
    PrevX gives a Generic malware warning together with Fortinet - suspicious.
     
  11. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,065
    I am fully aware of that.
    BTW, Dr.Web is correct: ATM they are the only AV to detect it. But the other vendors should receive a sample soon. AV vendors are always playing the cat-and-mouse game. If AV vendors can't find a sample, then surely it can't be very widespread?

    Smaller companies need to spread the message to people that they should use their product.
    The fact that a small company keeps beating the big names to detect and remove the latest threats means that the existing customers are happy and they will get new customers because they do their job very well.

    I'm pleased that Igor Daniloff still adds detections himself and isn't willing to sell the company to a faceless corporation such as Symantec.
    For those two reasons alone I spent £10.92 of my hard-earned cash to support the little guy :thumb:
     
    Last edited: May 7, 2008
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    That's absolutely okay, no problem with that.
    BTW, this statement already says it all: pure PR, push up and directly calm down, both together.
    But the disk.sys replacement was already done by ddefy long before the idea of Rus.C arose. anti_forensic_rootkits_ppt
    I actually doubt that the rus. sequence will ever show us all the "promised abilities" that you mentioned.
    The real Phantom is likely on another side. The obvious is not the clue; watch out for the consciously hidden.
     
    Last edited: May 7, 2008
  13. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Well, this thread is interesting :)

    Of course it is PR; I'm actually glad Dr.Web are trying for some. :-*
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    But, is it PR with some substance behind it or just a bubble of hot air?
     
  15. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    Most definitely there is some substance to it; you should ask them :)
     
  16. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Dr.Web definitely is the only AV out there that detects this threat right now....
     
  17. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    I agree.
     
  18. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    I ain't disagreeing, just choosing my words carefully.
     
  19. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    According to the Symantec and Trend Micro links, it appears that Vista and Server 2008 are immune to Rustock as they are not listed in the affected OSs.
     
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Interesting. But Stealth.MBR/BluePill still work on Vista 64, don't they? I heard that they closed only one of two important security holes related to bootsector stuff. The Polish faction said that sometime in the past.
     
  21. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Ok, congratulations to Dr.Web for finding this new rustock variant. Miracles can happen.

    However, since the sample has been distributed, soon all av-companies will detect it.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Symantec has also added the detection now- checked by VT.
     
  23. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    What's this all about? Another PoliPos-like PR stunt, and people all fall for it again?

    All the samples I saw are from mid 2007. That's hardly any issue anymore. From the detection point of view, a very boring one too. It took me a few seconds to update Rootkit.Gen for it. Back to the real work. There is plenty of *new* malware that bypasses all detection by every vendor.
     
  24. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Well, I have never questioned Stefan, so basically that tells me that Dr.Web's assertion is fake.
     
  25. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    Not really... Stefan said that all the samples he saw are from 2007. If this wasn't new, then it should have been detected already. :doubt:
     