undetectable data stealing trojan

Discussion in 'ESET Smart Security' started by rollers, Nov 1, 2008.

Thread Status:
Not open for further replies.
  1. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    439
    Very interesting article in the register
    http://www.theregister.co.uk/2008/10/31/sinowal_trojan_heist/

Any ideas, anyone, whether NOD is likely to catch this little tinker with heuristics, or otherwise?

    I guess the answer may be in the title in the word "undetectable", but it would be reassuring to know if the AVs, or at least some of them, can handle this little beauty.

    Rollers
     
  2. Kosak

    Kosak Registered Member

    Joined:
    Jul 25, 2007
    Posts:
    711
    Location:
    Slovakia
Hello, as you can see in the article, Sinowal is known as Mebroot, too. And ESET catches it under this name, specifically as Win32/Mebroot and other variants, e.g. Win32/Mebroot.W. Check the list of updates here, if you want.
     
  3. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    439
    Hi and thanks for your answer.
I was hoping that was going to be the case, and hopefully ESET's heuristics will catch the many variants that seem to have come out. It can't be all good news across the board of AVs, as so many seem to have been hit by it.
     
  4. kC_

    kC_ Registered Member

    Joined:
    Apr 6, 2007
    Posts:
    452
I have actually seen this at work. We had a PC in for the simple task of a format/reinstall of Windows XP; no other info was given.
    When they got the PC back they said they were having the same problem as before, which was that their banking site was taking them to a separate login page which they never normally saw. They had used AVG Free 8.0 and BitDefender Security 2009, which failed to even warn about it. Only after reading up about this "undetectable" MBR rootkit did we trash and rebuild the MBR and reinstall Windows again; now all is OK.
     
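The post above is the point a practitioner would want to see in code: a wipe-and-reinstall that leaves the MBR alone leaves an MBR bootkit in place, so the check has to look at the first sector of the disk itself. The following is an added example, not code from the thread or from ESET: it parses a 512-byte MBR, verifies the 0x55AA boot signature, decodes the four partition entries, and compares a SHA-256 of the boot-code region (bytes 0..439) against a known-good baseline. Every byte in the "clean" and "infected" samples is constructed for the example (placeholder loader bytes plus NOP padding, one NTFS partition); they are not Mebroot/Sinowal bytes, and the function and constant names are the example's own.

```python
"""Offline MBR inspection: flag a boot sector whose boot code no longer matches
a known-good baseline, which is what an MBR bootkit changes.
Added example; all sample bytes below are constructed, not real malware."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the boot loader code
DISK_SIG_OFF = 440             # 4-byte disk signature + 2 reserved bytes
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_partition_table(mbr):
    """Return the four partition entries as dicts (CHS fields skipped)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(mbr, baseline_bootcode_sha256):
    """Compare one 512-byte sector against a baseline hash; return a report."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector, got %d bytes" % len(mbr))
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    bootcode_sha256 = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    if bootcode_sha256 != baseline_bootcode_sha256:
        findings.append("boot code differs from baseline (possible bootkit)")
    partitions = parse_partition_table(mbr)
    for p in partitions:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02x"
                            % (p["index"], p["status"]))
    if sum(1 for p in partitions if p["status"] == 0x80) != 1:
        findings.append("expected exactly one active partition")
    return {"bootcode_sha256": bootcode_sha256,
            "partitions": partitions, "findings": findings}


def make_clean_mbr():
    """Constructed sample: placeholder loader bytes + one active NTFS partition."""
    bootcode = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * BOOT_CODE_LEN)[:BOOT_CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    part0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 2_000_000)
    empty_entry = b"\x00" * 16
    return bootcode + disk_sig + part0 + empty_entry * 3 + BOOT_SIGNATURE


def make_infected_mbr():
    """Constructed sample: same disk, but the start of the boot code has been
    replaced, the way a bootkit patches itself into the boot path."""
    sector = bytearray(make_clean_mbr())
    sector[0:16] = b"\xeb\x0e" + b"\xcc" * 14   # placeholder stub, not real malware
    return bytes(sector)


# Baseline taken from a known-good copy of the same boot loader.
BASELINE = hashlib.sha256(make_clean_mbr()[:BOOT_CODE_LEN]).hexdigest()

if __name__ == "__main__":
    for name, sector in (("clean", make_clean_mbr()),
                         ("infected", make_infected_mbr()),
                         ("zeroed", b"\x00" * MBR_SIZE)):
        report = inspect_mbr(sector, BASELINE)
        print(name, report["findings"] or "OK")
```

Two practical notes. First, the baseline hash has to come from a trusted copy of the boot loader that belongs on that disk (for example a sector captured right after a clean install), because boot code legitimately differs between Windows versions and boot managers; the disk signature and partition table are deliberately left out of the hash so a normal repartition does not trigger an alert. Second, read the sector from a boot CD or another clean OS rather than from the running system: a live MBR rootkit can filter disk reads and hand back the original sector, which is the same reason the post above needed a rebuilt MBR rather than just a reinstall.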
  5. COSMO26

    COSMO26 Registered Member

    Joined:
    Oct 21, 2003
    Posts:
    404
In this case it appears the damage is done not through the failure of heuristics but through the stupidity of the users. Apparently people are entering their Soc Security # and other identifying data that this malware has installed extra fields for, in order for the damage to occur.

The main message here is to re-state that banks will NEVER ASK for such data online, although malware will present a bank's page that looks EXACTLY like the real one. That happened to me. That is where people's guards start to drop and the inexcusable mistakes begin.
     
  6. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

Detection of Win32/Mebroot was added around January 2008, with updates to the virus signature database as needed to add detection and removal of variants.

    Additionally, a standalone remover is available from ESET's web site at http://www.eset.sk/download/emebremover

    The ESET SysInspector diagnostic tool also detects the malware.

    Regards,

    Aryeh Goretsky
     
  7. rollers

    rollers Registered Member

    Joined:
    Sep 13, 2004
    Posts:
    439
Cool, thanks Agoretsky for the reply; it's peace of mind to know, after such publicity about this trojan.
    Rollers
     