Useless defence against TDSS

Discussion in 'ESET NOD32 Antivirus' started by nexekho, Jan 17, 2011.

Thread Status:
Not open for further replies.
  1. nexekho

    nexekho Registered Member

    Joined:
    Jan 17, 2011
    Posts:
    2
    Just wasted an hour cleaning up a TDSS infection. It would appear NOD32 just laid down and played dead whilst the rootkit somehow got through Opera with a Flash + adblocker and JS off by default. Couldn't detect the modified boot sector, only the payloads it was downloading. TDSSKiller from Kaspersky did the same. Only Hitman Pro could detect and kill it. This is a bit pathetic; it's not as if it's unheard of, it's a widely known and dangerous rootkit, so why did a supposedly high-end AV just let it waltz on by? Either beef up your TDSS defense or my subscription's going elsewhere next time.

    Anyone else had a similar experience?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    This is absolutely not true. New variants of Olmarik emerge on a daily basis, often there's not a single AV to detect them at the beginning. However, ESET is one of the few AVs to add detection among the first. You might be surprised how long it takes some other vendors to add detection for malware detected by ESET proactively (that malware often circumvents famous behavior blockers and runs happily on the system).

    Did you actually run the stand-alone TDL4 cleaner, restart the computer and run a full system scan?
     
    Last edited: Jan 17, 2011
  3. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    Sorry if I don't believe you, but it sounds more like a Hitman Pro false positive.

    Unless you're suggesting it's taking advantage of a brand new undocumented Opera exploit that no one has heard of that doesn't need JavaScript to function, and from there, drive-by its way to your PC, and install itself silently without admin privileges.

    Unless you're running XP with admin rights and an outdated version of flash. But from what I tried to comprehend, it seemed like you're saying flash was turned off.
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Thank you Marcos, I totally agree. ESET only gets better and as far as TDSS changing rootkits, Marcos is right on. I still... put my faith in their products and for the time being, will continue to.
     
  5. Matthijs5nl

    Matthijs5nl Guest

    So you basically also say we don't have to expect a behavior blocker in version 5, since you don't seem to be very positive about them?
    You think ESET's current solution with generic signatures and advanced heuristics can keep up with competitors who are adding new technologies?
    If not, what is ESET's solution for version 5?
     
    Last edited by a moderator: Jan 18, 2011
  6. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    No antivirus product will detect all, all the time, see this reply, therefore, special tools are required, as needed.
     
  7. nexekho

    nexekho Registered Member

    Joined:
    Jan 17, 2011
    Posts:
    2
    So I suppose I imagined the fairly standard threats popping up in my temp folders around the clock, popups at blocked domains, attempted infected downloads, the inability to get into safe mode and an incorrect boot sector checksum, all of which vanished the moment another product actually cleaned it up? The boot sector being tampered with should have been flagged up immediately even if the rest of the behaviour of the rootkit wasn't.
     
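The post above argues that a modified boot sector should be flagged on its own, regardless of whether the rest of the rootkit is recognised. The following is an added example, not code from this thread or from any vendor mentioned in it, showing the simplest form of that check from a defender's side: parse a 512-byte MBR, verify the 0x55AA boot signature, hash the boot-code region separately from the partition table, and compare both against a baseline recorded when the machine was known clean. The sample MBR bytes are constructed here for illustration; the function and field names (`parse_mbr`, `check_mbr`, `build_sample_mbr`) are hypothetical.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # classic MBR: boot code occupies bytes 0..439
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa" # bytes 510..511 on a valid MBR
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(fill: int = 0x90) -> bytes:
    """Constructed sample MBR (not a real disk image): filler boot code,
    a disk signature, one active NTFS-type partition and three empty slots."""
    boot_code = bytes([fill]) * BOOT_CODE_LEN
    disk_signature = b"\x12\x34\x56\x78"
    reserved = b"\x00\x00"
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * 16
    return boot_code + disk_signature + reserved + entry + empty * 3 + BOOT_SIGNATURE


def read_mbr(path: str) -> bytes:
    """Read the first sector of a raw device or disk image.
    On Windows the device path would look like r'\\\\.\\PhysicalDrive0' and
    needs administrator rights (assumption: caller has raw read access)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(mbr: bytes) -> dict:
    """Validate the sector and split it into the parts worth baselining."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(
            ENTRY_FMT, mbr[off:off + 16])
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append((i, status, ptype, lba_start, sectors))
    return {
        # Hash only the code region: a bootkit rewrites this while usually
        # leaving the partition table intact so the system still boots.
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": mbr[440:444].hex(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a stored known-good baseline.
    Returns a list of human-readable findings; empty means unchanged."""
    current = parse_mbr(mbr)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed (possible bootkit)")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    if current["disk_signature"] != baseline["disk_signature"]:
        findings.append("disk signature changed")
    return findings


if __name__ == "__main__":
    # Record the baseline while clean, then re-check later (here: simulated).
    known_good = parse_mbr(build_sample_mbr())
    print("clean re-check:", check_mbr(build_sample_mbr(), known_good))
    print("tampered boot code:", check_mbr(build_sample_mbr(0xCC), known_good))
```

In practice the baseline (a few hashes and the partition tuple list) would be stored off the machine or in a signed file, since a rootkit that controls the disk driver can also lie about what the first sector contains; the check is most trustworthy when run from clean boot media, which is the same reason stand-alone cleaners are used in the thread.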
  8. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    I'm sure that the infection you're talking about was real, but I'm curious as to the method of payload delivery. I've yet to hear about a drive-by exploit that can (1) download and (2) execute itself via Opera, without JS enabled, and without user intervention. If such an exploit has gone live and is in the wild, I'm assuming that it'll be about, oh, two days before the internet explodes entirely - since pretty much everyone on the planet who's not browsing in a sandbox will get infected, and most folks don't clean rootkits properly. If Opera's tapped in this way, Firefox has to be, too.
     
  9. get_it

    get_it Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    99
    It is pointless coming to a forum stating this...

    Firstly, send files to ESET, detection should be added, in my experience within 3-4 hours.

    In the meantime run other utilities to clean and/or remove... if they fail then rest assured by the next signature update NOD32 will detect and take things from there...

    Why users must post that "such" was not detected makes no sense. Send to appropriate vendor and detection will be added. Simple.
     
  10. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,855
    My thoughts exactly.
     
  11. ramirez1

    ramirez1 Registered Member

    Joined:
    Sep 15, 2010
    Posts:
    30
    I had 2 machines infected with this today and I had to use the TDSSKiller tool. The users can't explain or remember how they got infected.

    Malwarebytes didn't find anything but ComboFix deleted these

    Detection by TDSSKiller

    The users are fine at the moment so hopefully this is gone for now.

    Thanks
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Most likely all are benign XML or some sort of data files (i.e. junk).

    Already replied here. Please continue discussion in your thread.
     