Something to worry about?

Discussion in 'NOD32 version 2 Forum' started by Itsme, Jan 9, 2008.

Thread Status:
Not open for further replies.
  1. Itsme

    Itsme Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    148
  2. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    "About 30,000 websites, mostly located in Europe, are actively trying to install the rootkit by exploiting users who have failed to install Windows updates"
     
  3. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    It suggests enabling the MBR scan in your BIOS. So do that and you should be fine.
     
  4. Itsme

    Itsme Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    148
    Thanks for the reply...

    But... does NOD32 prevent the rootkit from installing and, if installed, does NOD32 find it and clean it?

    Kind regards.
    Itsme
     
  5. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Where does it say that?
    Is this option available in all BIOSes?
     
  6. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Is it known which sites are involved?
     
  7. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    I don't know where you could find that information and I don't know where they got that figure from. Sorry.

    Some more reading here...

    http://isc.sans.org/diary.html?storyid=3820

    The next big thing is that those distributing this rootkit, also distribute the Torpig banking Trojan.

    The rootkit is currently being installed through a set of relatively old and easy-to-patch Microsoft vulnerabilities:

    * Microsoft JVM ByteVerify (MS03-011)
    * Microsoft MDAC (MS06-014) (two versions)
    * Microsoft Internet Explorer Vector Markup Language (MS06-055)
    * Microsoft XML CoreServices (MS06-071)

    But that can change at any moment to something more recent.

    The different files involved had rather spurious detection in the anti-virus world.
     
  8. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Indeed something to worry about then, especially because practically no AV/AS program picks this variant up.
     
  9. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    I edited my post above with a link.
     
  10. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Great, thanks!
    So if I understand it correctly, you are 'safe' if you have the patches for those MS leaks installed or if you haven't got those MS components on your system?
     
  11. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    I noticed this definition in the 2788 update file: JS/Exploit.MS06-014
    Is this the 'solution' to one of the exploits as explained above (for the MBR rootkit problem)?

    Can someone also comment on this?:
    If I understand it correctly you are 'safe' if you have the patches for those MS leaks installed or if you haven't got those MS components on your system (for example, the patch for MS06-014 is KB911562)?
     
  12. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I don't think so. That signature detects the MDAC exploit, so it will be mainly used by the web scanner. Probably it's a re-release of an existing signature to work around obfuscated JS and such.
    Per this thread, ESET's name for the MBR rootkit is "Win32/Agent.DSJ".
     
  13. Stijnson

    Stijnson Registered Member

    Joined:
    Nov 7, 2007
    Posts:
    533
    Location:
    Paranoia Heaven
    Thanks for the info, Lucas! ;)
     
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You're welcome :)
    EDIT:
    In update 2793, ESET has added this signature: Win32/Mebroot.A. It's probably for the boot component. The other signature (Win32/Agent.DSJ) is for the dropper, I guess.
     
    Last edited: Jan 15, 2008
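The thread's closing point is that this rootkit has a boot component living in the MBR (post 3's advice to enable the BIOS MBR scan, post 14's Win32/Mebroot.A signature). A baseline comparison of sector 0 is a check a defender can run independently of AV signatures; what follows is an added example, not code from the thread or from ESET, and the MBR images in it are constructed, assuming an infection rewrites the boot-code bytes while leaving the partition table intact so the machine still boots.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0..439 hold the boot code an MBR rootkit replaces
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of every valid MBR
PART_FMT = "<B3xB3xII"         # status, CHS start (skipped), type, CHS end (skipped), LBA, size

def parse_mbr(sector: bytes) -> dict:
    """Validate a 512-byte MBR; return the boot-code hash and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "partitions": partitions}

def mbr_changed(baseline: bytes, current: bytes) -> list:
    """Compare a known-good MBR image with the current one; return a list of findings."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def make_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR: short boot code, one bootable NTFS partition, signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # status 0x80 (active), type 0x07 (NTFS), starts at LBA 63, spans 1,000,000 sectors
    struct.pack_into(PART_FMT, sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 63, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed sample images, not real boot code: the "infected" one keeps the partition
# table intact so the machine still boots, and only the boot code region differs.
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
INFECTED_MBR = make_sample_mbr(b"\xeb\x58\x90\x00CONSTRUCTED")
```

On a real machine the baseline sector is read with administrator rights from the physical disk device (for example `\\.\PhysicalDrive0` on Windows) while the system is known clean, and kept off the box so a later `mbr_changed` run compares against something the rootkit could not have altered.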