Kelly wrote:And further to Calls' observation -
I browsed through the French and German forums (I'm competent with both languages) to see what's going on there. Strange, there's little mention of it in either forum. In the German forum there's only one recent mention of a trojan.gen detection that Norton successfully blocked, and the poster was wondering if he was really safe. Most of what's going on in those forums deal with subscription issues, minor issues with browsers - all definitely tame and quiet there compared to the frenzy of trojan infections and requests for removal help reported here. So the possibility of self-infection and a deliberate effort to cause chaos is not far-fetched.
Regards,
Kelly
Hi, Kelly. There are other possibilities:
1. The cohort of users who regularly and continually download pirateware have known for years that much of that software has virus, trojan, rootkit and bootkit droppers embedded in the software. They know that installing this stuff is an open invitation to get infected eventually.
2. Up until very recently, many of those users have simply accepted that having an infected machine is an acceptable tradeoff for the benefit of access to pirated movies/software/whatever.
3. However, the latest developments in rootkit technology include annoyware-rootkits - along with the traditional stealth-rootkits.
4. Furthermore, Anti-Malware Software is getting quite good at being able to reliably detect "stealth" infections - no matter what the malware writers cook up to try and keep their infections hidden.
5. The result of Items 3 & 4 is a rash of successful detections of rootkit/bootkit behaviour - which has not occurred in the past. Many of the machines that have been running infected for months/years are now being "found out" by the latest Anti-Malware Engines that can strip away stealth-routines and reveal rootkit/bootkit infections as a matter of course.
6. However, as mentioned by Quads in all his malware-infection-removal threads - as well as by myself in earlier posts in this thread - "Find" is not enough. So what is happening is people are seeing the "self healing" process return their machines to an infected state very shortly after they supposedly "remove" the infection using an Anti-Malware Software Company's out-of-date rootkit/bootkit eradicator software. And thus, infected users return to Item-5-status in ever-greater-numbers.
7. Consequently, the load on Anti-Malware Forums such as BleepingComputer and MalwareBytes has increased. The number of "braindead" has risen to levels where the Competent Malware-Removal-Experts are swamped with requests for help. They have responded to this by creating Forum Policy where they refuse to aid people who cannot read, comprehend and correctly follow instructions. IMO, rightly so.
8. Bootkit/rootkit removal is not a procedure amenable to monkeydiddling. It requires a combination of the detective skills of Sherlock Holmes, the surgery skills of Christiaan Barnard, the tenacity and dedication of Nelson Mandela and the patience of Job.
9. Despite the rarity of the skillset mentioned in Item 8, the ever-increasing-number of people who fit Item-5-status - descend like hordes of flying monkeys upon Forums where Competent Malware-Removal-Experts are available. Ergo, this Forum's massive increase in rootkit/bootkit eradication threads.
10. And then those who are regulars in the Forums here note the burgeoning list of rootkit/bootkit eradication threads - and ask the question which is the topic of this thread.
IMO, the increase in threadlist-frequency of dedicated bootkit/rootkit eradication topics is absolutely inevitable - when someone of the calibre and Competence of Quads is available to help those who are currently being regularly notified by their Anti-Malware software that they are infected.
Now, let's add into this the cohort of users who are being infected by Zero-Day Drive-by-Download attacks. Some of these users are going to Porn Sites, Gambling Sites and various forms of fetish and sleaze sites where the people running those sites are leaving their webservers open to hijacking because they are not properly securing their websites from compromise. Interestingly, Church websites are front and centre on that list as well - because so many of them are administered by volunteers with little to no training in Website Security practices.
Thus, more load for Quads and the other experts on BleepingComputer, MalwareBytes and so forth.
Conclusions that can be drawn from this thread:
1. Could the burgeoning rootkit/bootkit eradication threadlist in this Forum be trolls at work?
Absolutely.
2. Is that the only explanation? No.
3. Do we have a way to tell the various types of infected users from each other?
Quads knows something about that - simply as a result of the probes he needs to perform
to detect the infections and variants in place on a user's machine before he scripts for removal.
The topic doesn't get raised very much by experienced Malware-Removal-Experts because it
leads to fingerpointing and flamewars rather than productive discourse.
4. Can Symantec make a post like I've just done?
No. The Lawyers at Corporate would have a fit, along with conniptions and kittens.
Hope this helps your understanding.
As to the other Norton language forums.
Hmmm, I have had users for removal, from countries, in Europe (France, Denmark, Germany Sweden, Italy, UK etc,) The USA and Canada, Asia (Hong Kong, Japan, China, India (but I did send one way due to not good enough english)) Australia, South Africa, Kiwi Land.
They were the ones I can remember seeing by logs
So by the fact they went to the English Norton Forums and not the others, doesn't really matter, maybe they don't have a Quads 
Doesn't really matter as long as they have good enough English for this.
Quads
- �1995 - 2013 Symantec Corporation Legal Notice License Agreement Privacy Policy Cookies Site Map RSS
