Rustock C no longer a myth, no longer a threat

Discussion in 'other anti-virus software' started by Meriadoc, May 6, 2008.

Thread Status:
Not open for further replies.
  1. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    True. An antivirus can detect as much as it can, but if it can't clean what it finds it is completely useless.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    You mean you have droppers?

    Software: Antivir n AVG
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    There's detecting a threat before and after it activates. If it's the prior case, cleaning doesn't come into the equation at all: you just delete the file, and that's it.
     
  4. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Could you test Kaspersky too for me please?:D
     
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    :D :D :D
    Crete you forgot to add your monster noise :D :D
     
    Last edited: May 8, 2008
  6. sergeyko

    sergeyko AV Expert

    Joined:
    May 16, 2006
    Posts:
    56
    Those detections, that are already made by a few quick AVs (according to VT) are too quick. Either they cannot detect an active infection or their disinfection would make a system stop working...

    Let's wait. I'm far from enjoying this. DrWeb really wants other vendors to be able to fight rustock.c successfully, and we proved it by sharing the samples we have; we just know how difficult it is.
     
  7. Wordmonger

    Wordmonger Registered Member

    Joined:
    Mar 19, 2006
    Posts:
    4
    Did you share a dropper/installer?
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Once a file gets submitted to VT, every vendor gets a copy of it. It's then up to them whether to inspect the files or not.
     
  9. jdenton

    jdenton Registered Member

    Joined:
    Apr 25, 2008
    Posts:
    47
    It would, if you'd spent a few seconds to think about it.

    Dr. Web found out that they were the only ones to detect this virus by scanning it on Virustotal. Meaning the other companies would've got this sample.
     
  10. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    The only components I can see publicly circulating are drivers...which are not that useful without the dropper itself as far as I can tell.
     
  11. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,873
    Location:
    Innsbruck (Austria)
    Seems like the first submission of the mentioned Win32.Ntldrbot to VirusTotal was in mid-September 2007. :?
     
  12. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    I thought there was agreement between AV companies to share info on new threats, not how to protect against them, just samples of the threats? Used to be the case, so why have no other companies received samples of this?
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    With all fairness, I think (considering the nature of this malware, Rustock C) Dr.Web has the right to make a press release first and only then to distribute the sample. They need the due credit at least.
     
  14. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,641
    Location:
    Sneffels volcano
    Again, the lack of cash flow theory..
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Bitdefender, AVG and MS also added the detection now on VT. I still don't see a response from AVs famous for urgent updates, maybe due to the fact that the threat is low.
     
  16. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    Or the fact that as the drweb employee said, those that have added detection are more likely to trash an infected pc than cure it due to the nature of the threat.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Very likely. EP_X0FF confirmed the nice job by Dr.Web.

     

  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,225
    Location:
    The land of no identity :D
    If any F-Secure user has the sample, do try out whether the AV detects it because I feel it may be detected via BlackLight, however, the VT engine probably doesn't include BlackLight detections.
     
  20. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Then based on Aigle's post, Dr Web did it, can rightfully claim it, and we all should shut the heck up instead of tearing a good thing down. Sergey, congrats. :thumb:
     
  21. sergeyko

    sergeyko AV Expert

    Joined:
    May 16, 2006
    Posts:
    56
    We did not have the dropper for some time. And yes, we checked the samples on the VT website.
    We just could not make the whole situation public before we could detect and cure it. You know, it would be pretty strange of us to say "we have a virus, nobody detects. people, be afraid!"
     
    Last edited: May 9, 2008
  22. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    176
    Location:
    Czech Republic
    Well, I don't get the comments about people saying 'hey it's old and not worth detecting'.

    Can you imagine that IF it's undetected then there are some 'thousands', maybe more, people still infected with this...?

    I guess by pure luck Dr.Web staff don't have 'cure' statistics about this piece, right? If yes, maybe they could put some more weight against 'PR' comments...

    I mean the Rustock-based botnet is not yet dead, right?
     
  23. sergeyko

    sergeyko AV Expert

    Joined:
    May 16, 2006
    Posts:
    56
    Far from it. All rustock versions are still widely spread.

    By the way, as well as polipos... ;)
     
  24. Einsturzende

    Einsturzende Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    390
    Location:
    neubauten
  25. Wordmonger

    Wordmonger Registered Member

    Joined:
    Mar 19, 2006
    Posts:
    4
    Sorry, may I ask a hypothetical question? If after a test done by IBK or Marx you asked for samples you had missed and got a reply like 'We checked them on VT; go find them yourselves', would you call that sharing too?
     