Rootkit: malware or not?

The Trojan I mentioned was detected by most of the scanners at Jotti. I just mentioned Clam-Win and Anti-Vir as examples of the free scanners. It was Crypt.L, which seems to have been identified in mid-August 2005. At least it was added to Kaspersky’s definitions at that time. For it to remain undetected by avast! a month later seems to be an unacceptable delay. True, it’s just one Trojan that avoided detection, but it should have been nailed by now. I would have sent it to avast! but I’ve seen so many postings saying ‘I sent in a virus six weeks ago but it’s still undetected’ that I didn’t think it worth the trouble.

Well the more people that send in samples via virus @ avast the more likelihood of it getting actioned. Whilst the submissions situation is not good, avast! has said they are working on it, e.g. additional staff to process the submissions and they are also working on an additional way for submissions. Unfortunately this won’t yield results overnight.

So is it better to not submit because you don’t think it will do any good or should you submit in the hope that it will do some good? I know which camp I’m in.

Also if people use Jotti any AVs that don’t detect it are I believe sent the sample. So again the more the better.

Well the rootkit issue is an ongoing discussion. Today the best policy is hardening your system with System Monitoring Programs that alert on detected intrusions (changes in execution files, the registry). The normal signature detection methods of AV products only alert at the initializing stage and not beyond, because the whole cloaking and hiding process of the rootkit is very clever, going “around” detection. And the means the malcreant uses is rearranging “threads” to get invisibility from the user’s system. So a simple proggie like notepad.exe can become your demise. An interesting analysis can be found here:
http://www.securiteam.com/securityreviews/5FP0E0AGAC.html
The present detection techniques of today’s AV products are inadequate. The situation could be compared with the first year of the U-boat war; later, when appropriate detection was developed by the Allies, the role of the wolf-packs lost its dent.
At the moment the only solution to the rootkit problem Microsoft envisions is to promise a fully closed (barred) code for the OS after XP.

greets,

polonus

There have been numerous attempts to either take control of or infect notepad in the past, which was one of the major reasons firewalls have outbound program checking (but you’re stuffed if you simply answer yes to most things your firewall pops up), and the grc.com leak test checks for vulnerability to that in your firewall.

But I’m not sure how rootkits and notepad would change this outbound checking, any injection of code into notepad would surely be detected as changed or a program that hadn’t previously had internet permission so it would be challenged by the firewall.

I had a quick look at the security article (huge and daunting) and most of it went straight over my head and I mean way over ;D didn’t even come close to parting my hair.

Is a bootable avast! CD the answer?

Or a bootable section of hard drive created by avast?

So, this is my message to the antispyware and antivirus vendors out there: you need to rewrite your scanner programs to provide the ability to run in a "non-Windows environment". Your scanners need to have the ability to edit the file system and load the registry without Windows itself having been loaded. Pretty soon, you will not be able to depend on Windows giving your scanners accurate enough information to be of any use.
When your software is installed, you simply prompt the user to insert a CD, DVD or flash drive and copy the files needed to run the "non-Windows environment", as well as your scanner. You even might be able to boot it up right from the hard drive, the same way disk imaging and partitioning software do. Scanning in this way can be an additional option, right next to "Quick Scan" and "Full Scan".

http://www.spywareinfo.net/oct1,2005

Maybe. I’ve tested Bart CD and found it very operative.
I was wondering about writing a review and comparison with Norton Emergency Rescue CD but I’m not finding time for that…

Bart CD could work at file system level (FAT32, NTFS and maybe WinFS): copying, deleting files, etc.; work with the Registry without Windows loaded; scan; etc.

I presume the only problem here is legal? The Bart CD proves it’s possible, but I’m thinking that it must be necessary to license the OS system software for use on bootable disk, and that this probably costs a lot.

Would it be possible for avast! to create a bootable CD or a bootable partition on the hard drive? What are the technical problems and the legal requirements and costs? Even some non-rootkit malware can load itself before avast!'s boot time scan, and of course booting into a “non Windows environment” may be the only way to defeat the rootkit itself.

Hi FrwhlnFrnk,

When we keep using our Microsoft binaries and offer a daily prayer to our favourite god(s) to keep us free from viruses. No, that is not the solution. Preventive measures will only work if they have been installed BEFORE your computer has been rooted. The best policy is your brain: be careful what or who you allow into your comp (pics, avatars, code; there are a million ways: weak cgi as an old way, cross site scripting a newer way). Dropping your rights will surely help; get behind a router also.

greets,

polonus

Not much good if an AV company has to say ‘sorry, if you’ve got a rootkit, you’re stuffed, you should have been more careful in the first place’, is it?

Hi FreewheelinFrank,

If MS’s top UK security chief is on dial-up and his computer has a dialer Trojan on it (link: http://news.zdnet.co.uk/internet/security/0,39020375,39216715,00.htm) and the man pathetically states that only Macs and Linux boxes are safe, then this is explaining more about the safety of the MS closed script environment than a thousand postings here. Moreover Microsoft chooses to skip the monthly every-second-Tuesday patch day, while leaks literally lay around for months to be patched. A Microsoft Approved Course cannot help these guys, because they have not got security at heart, but something else…

polonus

avast! Bart CD is a recovery CD.
It uses the Windows Boot environment and files that you’re trying to clean, correct, etc.

Bart PE made a bootable Windows into a CD. Microsoft complained about rights but lost. The user could have a backup copy of any file and Bart PE is for that. Maybe we can think of something similar here.

avast! Bart CD does not create a bootable partition. It will be another project…

Hi rootkit analyzers,

If a rootkit sits on a Windows XP SP2 configuration, the governmental site’s advice is to use RootkitRemover.
http://3wdesign.es/security/
It is a known fact that especially Spanish security folks spearhead the fight against rootkits. Brazil too has spearheaded virus technology.
Anybody have experience with RootkitRemover? Is it the same as UnHackMe: http://greatis.com/unhackme/?

polonus

I assume that you meant Rootkit Detector, as that link doesn’t mention RootkitRemover?

Translation of the link to Rootkit Detector, by my friend BabelFish:

to title [b]Rootkit for V0.62 Detector Windows 2K/XP/2k3[/b] file RKDetectorv0.62.zip (66704 bytes - md5 checksum: 7785f257a110a860fed9666f43c5f29e) description Rootkit V0.62 Detector for Windows 2K/XP/2k3

This utility provides information about processes and hidden services by rootkits of NT such as Hacker Defender (rootkit.host.sk) not detected by antivirus software once it has settled in the system, since once a hacker has been able to penetrate your machine nothing prevents him killing the antivirus processes and installing a rootkit, making his steps and his programs practically undetectable.
After identifying hidden handles, Rootkit Detector tries to kill these tasks and to rescan the system to identify services and hidden keys in the registry (Run, RunOnce…) that could have been installed by hackers.

If you need help with this program or want to share opinions, visit the forum of www.shellsec.net, your portal dedicated to computer security.

Hi DavidR and FreewheelinFrank,

Yours truly is a bit worried about all the postings we get here, where rootkits are detected, running processes, and finally it appears that the AV solution cannot handle these effectively.

What will be the solution for these unlucky souls for the upcoming future, or the drastic one: “total recall”? I for one think the best advice is to avoid infection: NoScript, good system monitoring, so effective prevention for the backdoors that initiate the rootkit. Prevention Programs: ProcessGuard (www.diamondcs.com/au) and AntiHook free (www.infoprocess.com.au/)
What would you advise?

polonus

I never really liked ProcessGuard free, and had lots of hassle trying to get rid of registry remnants after an uninstall, they were very well protected even though the program was gone. I haven’t tried the other program.

My best answer would be to stop them getting established, but you should have guessed it by now: DropMyRights (link in signature). No files can be put into the system folders, no registry entries can be created, so this limits the effectiveness and stops them getting fully established. Either that or stop logging on with administrator rights and use a limited user account; I know which I choose.

Not to mention it isn’t yet another security program added to the mix to cause possible conflicts, etc.

Hello DavidR,

I know this is your “baby”, the drop your rights preventing a lot of undesirable things from happening. I fully agree. Alas, my question is why did the MS programmers have SYSTEM run as a sort of super user even on top of admin. Read this:
http://forum.avast.com/index.php?topic=14363.0.
If we can, malcreants can. How do you comment, or, in your opinion, does dropping your rights prevent this too?

polonus

Unfortunately ease of use overcame security; even in the XP Pro version, when you install/set it up you need administrator privileges, rather than having an installation account that would expire after you created a user account, or just using the Administrator account and forcing them to create a user account.

The problem is it is a pain to create a limited user account, and even with fast user switching (which is a mess) it is just too easy to log on with an account with full admin privileges, where you can do whatever you like. Unfortunately most people don’t know that malware inherits the privileges of the user.

Vista is taking a totally different approach where users, even those with admin privileges, will have to enter a username and password to install software and do some other system stuff. This is much better than the current situation but some are sure to whine at this slight inconvenience.

I have never used the system trick (a bit too complex to remember without committing it to paper or file); the idea is fine in areas where access is denied, but boot-time scan may well negate it slightly (for those recognised by avast).

DropMyRights won’t prevent everything in the same way as AVs don’t but if it can stop the creation or modification of files in system folders (which when in use a normal user even admin can’t touch) the creation of registry entries, then more difficult to remove files/malware, the need for system user is again reduced but I don’t think eliminated.

The deletion of registry keys with embedded nulls, such as the ShudderLTD key that my smitfraud removal tool removes, is accomplished with the use of reg.exe and hiv files. I’ve removed the LTDFix.exe from the tool and incorporated the fix into the RunThis.bat if anyone wants to see it, but the example below contains the basic procedure.

rem Create an empty dummy key next to the bad one and save it to a hive file
reg add HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTDdummy
reg save HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTDdummy ShudderLTDdummy.hiv
rem The dummy key itself is no longer needed
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTDdummy /f
rem Overwrite the ShudderLTD key (undeletable because of the embedded null)
rem with the empty hive contents, after which it can be deleted normally
reg restore HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD ShudderLTDdummy.hiv
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD /f

smitRem.exe
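A parameterised version of the save/restore procedure above, added here as an example and not taken from the smitRem tool or the post: it takes the key path as an argument, checks each reg.exe step, uses a temporary hive file in %TEMP% and cleans up afterwards. It assumes an administrative command prompt (reg save/restore need backup/restore privilege) and that the parent key itself is addressable by the Win32 API, with the embedded-null problem in its contents.

```batch
@echo off
rem Hypothetical helper (not the smitRem tool's code): removes a registry key
rem that regedit cannot delete, e.g. one holding a subkey or value whose name
rem embeds a null, by overwriting it with an empty saved hive and deleting it.
rem Usage: nukekey.cmd HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<full key path, e.g. HKEY_LOCAL_MACHINE\SOFTWARE\ShudderLTD^>
    exit /b 1
)
set "TARGET=%~1"
set "DUMMY=%TARGET%dummy"
set "HIVE=%TEMP%\nukekey_%RANDOM%.hiv"

rem The parent key must be openable normally; only its contents are the problem.
reg query "%TARGET%" >nul 2>&1
if errorlevel 1 (
    echo Key "%TARGET%" not found or not readable. Run from an admin prompt.
    exit /b 1
)

rem 1. Create an empty dummy key next to the target (/f: no overwrite prompt).
reg add "%DUMMY%" /f >nul || goto :fail
rem 2. Save the empty key into a hive file.
reg save "%DUMMY%" "%HIVE%" >nul || goto :fail
rem 3. The dummy key is no longer needed.
reg delete "%DUMMY%" /f >nul
rem 4. Overwrite the target with the empty hive; this discards the null-named
rem    subkeys/values that the Win32 registry API cannot address.
reg restore "%TARGET%" "%HIVE%" >nul || goto :fail
rem 5. The target is now an ordinary empty key and deletes normally.
reg delete "%TARGET%" /f >nul || goto :fail
del "%HIVE%" >nul 2>&1
echo Removed "%TARGET%".
endlocal
exit /b 0

:fail
echo Failed: last reg.exe step returned error %errorlevel%.
del "%HIVE%" >nul 2>&1
endlocal
exit /b 1
```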