A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2417  by EP_X0FF
 Sat Aug 28, 2010 2:38 am
kakaraka wrote: Heh, under win7 x64 the user still needs to accept to run the threat as admin.
How about infinite loop with UAC messages, when you have to press "Yes" or reset to get rid of it? :)
 #2419  by CloneRanger
 Sat Aug 28, 2010 6:25 am
MBRguard by Blue Ridge Networks

Anybody tried using this with some of the nasty stuff ?

Did/does it work as advertised, if so on which nasties ?

If it can help protect the MBR then it's worth having. I've had it installed for a while just as a precaution, why not, it's free ;) It hasn't had a negative effect on anything, as far as I can tell. I haven't run any MBR nasties though, so I can't vouch for its effectiveness, or otherwise.

Supported operating systems:

* Windows XP SP2/SP3 32-bit
* Windows Vista SP0/SP1 32-bit
* Windows 7, 32-bit

http://www.blueridgenetworks.com/suppor ... bguard.php
 #2420  by bytejammer
 Sat Aug 28, 2010 6:41 am
CloneRanger wrote: @ Meriadoc
Does Prevx have 64 bit support?
Yes it does
Fully compatible with the following Windows operating systems:
98, XP, VISTA, 2000, 2003, 2008 and Windows 7 (All versions - 32/64bit)

http://info.prevx.com/downloadprevx.asp
To my knowledge, Prevx 3 has never been able to detect and remove any TDL3.
If during a scan Prevx reports an infection caused by tdlcmd.dll or z00clicker.dll, please contact Prevx technical support. Our technicians will help our customers to get rid of the TDL3 infection.
Source: http://www.prevx.com/blog/143/BSOD-afte ... ogize.html

I use Prevx since it is light and fast.
 #2421  by EP_X0FF
 Sat Aug 28, 2010 7:11 am
CloneRanger wrote: MBRguard by Blue Ridge Networks

Anybody tried using this with some of the nasty stuff ?
Useless stuff.
 #2422  by CloneRanger
 Sat Aug 28, 2010 7:12 am
@ bytejammer

I can't reliably comment about the capability, or otherwise, of Prevx and TDL3 etc, as I haven't tested it. As you rightly show, they will help people to get rid of it/them. It "might" be that it's just some variants that aren't auto detected ?

Even if people don't have a paid version they will help them remove ALL MBR nasties for FREE :)
 #2423  by CloneRanger
 Sat Aug 28, 2010 7:16 am
@ EP_X0FF
Useless stuff.
Really, well there goes the neighborhood then :P

Are you saying it won't protect against any MBR infection, or just the latest stuff ?
 #2424  by CloneRanger
 Sat Aug 28, 2010 7:21 am
Unsigned drivers in X64

OK so these new nasties are able to circumvent the enforcement of only being able to install/load signed drivers.

As ONLY signed drivers are supposed to be installed/loaded/running, what happens if you run a search for drivers with these loaded? Does it show them as signed/trusted, or just not see them ?

If they do show up can they be disabled on the fly ?

Also, could they have their name changed, e.g. from whatever.sys to whatever.sysz, and then a fake whatever.sys dropped into the drivers folder to prevent it from running again ? See my Zip - PW = whatever

This could be a temporary solution whilst a better fix arrives, or ?

Just a few ideas, so don't scream at me

EDIT - Spelling
Last edited by CloneRanger on Sat Aug 28, 2010 7:39 am, edited 2 times in total.
 #2425  by EP_X0FF
 Sat Aug 28, 2010 7:32 am
This TDL loads its code from disk sectors, not from "files" in the usual Windows manner. It loads itself, gets control over the boot process and then uses dll injection for the payload.
When it gets control in privileged mode, it can do whatever it wants and nothing can help. What it can do depends only on the TDL authors' skills. Do not sit with maximum possible rights, even on x64, if you can't manage your computer in case of infection. All this 3rd party hooking stuff à la security through obscurity is nonsense and looks like the same malware, just legalized and mostly paid.
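An added example, not from this thread or from any product mentioned in it: an offline Python check that parses a 512-byte sector 0 image, validates the boot signature and partition table, and compares the bootstrap code against a hash recorded while the disk was known clean, which is how a bootkit that rewrites the MBR shows up. The sample images, the baseline hash and the overwritten bytes are constructed inline.

```python
"""Offline MBR integrity check against a known-good bootstrap-code hash."""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446        # bytes 0..445 hold the bootstrap code
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"    # bytes 510..511


def bootcode_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition entries as dicts (unused entries have type 0)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Report boot-signature validity, bootstrap-code tampering and table sanity."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    used = [p for p in parse_partitions(mbr) if p["type"] != 0]
    # More than one active flag, or overlapping ranges, means a malformed table.
    active = sum(p["bootable"] for p in used)
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    overlap = any(ranges[i][1] > ranges[i + 1][0] for i in range(len(ranges) - 1))
    return {
        "signature_ok": mbr[510:512] == BOOT_SIG,
        "bootcode_modified": bootcode_sha256(mbr) != baseline_sha256,
        "table_ok": active <= 1 and not overlap,
        "partitions": used,
    }


# --- constructed sample images (not real disk dumps) --------------------------
_part = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
CLEAN_MBR = b"\xeb\x3c\x90" + b"\x90" * (BOOTCODE_LEN - 3) + _part + b"\0" * 48 + BOOT_SIG
BASELINE = bootcode_sha256(CLEAN_MBR)   # recorded while the disk was known clean
# Same disk after eight bytes of the bootstrap code were overwritten (placeholder bytes).
TAMPERED_MBR = CLEAN_MBR[:3] + b"\xcc" * 8 + CLEAN_MBR[11:]

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(img, BASELINE))
```

On a live system the 512 bytes would come from a raw read of sector 0 (for example `\\.\PhysicalDrive0` on Windows), and the baseline hash must have been stored before any suspected infection.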