
Kudos0

dangerous Rootkits found in most Malware

More and more samples of daily malware (fake AV, fake codecs, etc.) have rootkits inside that can disable Norton 2009 after a reboot of the infected machines!

http://www.abload.de/img/1xxw1k2.jpg

http://www.abload.de/img/15lj6.jpg

http://www.abload.de/img/19i5j.jpg

ComboFix (http://www.combofix.org/) shows that rootkit infection on my test machines with NIS 2009, which I infected with malware to look for detections.

Symantec should address the issue with urgent investigations.

Replies

Kudos1 Stats

Re: dangerous Rootkits found in most Malware

This is why it is important to enable early load.
Kudos0

Re: dangerous Rootkits found in most Malware

Early load is always enabled on NIS 07/08/09, but this is not helpful against these new rootkits; they can still block Norton.
Kudos4 Stats

Re: dangerous Rootkits found in most Malware

I think I can safely say that Symantec is working very hard to keep up with the new and improved trojans and rootkits as they are identified.  It does become much more difficult dealing with malware that can change its name, copy itself, use other antimalware as a defense against removal, among other things.

While malware writers have months to perfect their code, it can take some time for the antimalware companies to get samples, reverse engineer them in order to produce code that will block them.

In the meantime software patches must be kept current, autorun must be disabled, regular scans should be performed by Norton as well as an on-demand scanner, and safe browsing techniques practiced.

As users, we also share the responsibility for keeping our machines clean.  If we let our antimalware lapse, become out-dated, click on things that should be avoided, download dubious software, or try to install our antimalware onto an already infected machine, we are going to suffer the results.  It's a team effort.

Under certain circumstances profanity provides relief denied even to prayer. (Mark Twain)
Kudos0

Re: dangerous Rootkits found in most Malware


Voyager10 wrote:
early load is always enabled on NIS07/08/09...

No it's not; it's only enabled if Norton products detect a threat. And having "Early Load" on gives Norton a better chance of detecting threats, if they were on your computer, when the file(s) are being loaded up, as once they are loaded up they may have anti-detection and anti-removal enabled.

Thursday, November 21, 2013: The THREATCON was changed to Level 1: Normal | Tue., Nov. 05, 2013: Zero-Day Vulnerability: Microsoft Security Advisory 2896666 | Saturday, November 09, 2013: Cyber-Criminals Serve Up A Veritable Smorgasbord Of Threats For South Koreans | Wednesday, October 09, 2013: New Internet Explorer Zero-Day Targeted In Attacks Against Korea And Japan [C.V.E.-2013-3897]
Kudos0

Re: dangerous Rootkits found in most Malware

I have always manually switched on Early Load, for years. Believe me, this does not help.

(Tamper Protection also ON)

Back to Topic. 

Test itself :

Malwaredomainlist: load a fake AV or fake Flash Player, test this on a PC with Norton 09, and run this undetected object. I see these rootkits in many of these malware samples.

http://img4.abload.de/img/1pxpp.jpg

Norton shows a Backdoor.Tidserv detection here and opens a window: Restart to delete this threat. There is no rootkit detection!

After reboot the Norton tray icon does not load and the Norton GUI does not open and is not functional.

Download ComboFix to this infected PC and rename ComboFix to 123fix.exe; ComboFix will also be blocked!

Then you see this:

http://www.abload.de/img/15lj6.jpg

After ComboFix deletes this detection, Norton works again.

I hope that you and other readers understand now that this situation is dangerous for all Norton users.

My issue is that Symantec must increase the protection of the software against illegal blockages.

Message Edited by Voyager10 on 06-10-2009 03:43 PM
Kudos0

Re: dangerous Rootkits found in most Malware

Voyager10

I am dealing with these rootkits in a slightly safer manner than using ComboFix just as it is downloaded, as it can cause problems with the Windows OS.

For rootkits from TDSS, Tidserv, Globalroot, Tidserv.G, Packed.Generic.200, UAC, Spynet, MSIVX, ........................... 

Quads 

Message Edited by Quads on 06-11-2009 10:38 AM
Kudos0

Re: dangerous Rootkits found in most Malware

Has a Symantec employee read the topic, or are my messages and testing futile? ;)

@Quads

I use ComboFix only to demonstrate rootkit infections that interrupt the function of Norton 09 after reboot.

Kudos0

Re: dangerous Rootkits found in most Malware

Hi Voyager10,

Thank you very much for bringing this to our attention. We have a detection added for this file. Sorry for the delay in updating this thread.

Thanks,

TomV

Norton Forums Moderator

Symantec Corporation

Kudos0

Re: dangerous Rootkits found in most Malware

delphinium, would you mind taking a minute or so, to explain how to make sure auto-load is turned off and explain about early-loading? I am using an old version of XP, 2002 I think, MCE, I have upgraded to SP3, and use IE 7. NIS 2009 seems to keep itself updated, so I don't have to think about that.

Kudos0

Re: dangerous Rootkits found in most Malware

Hi PC_Confused:

I'm not sure I am the right person for this particular question.  Floating Red knows more about how early load works.  The setting is in the Computer settings pane.  You have to scroll down to find it in the Real Time Protection section.  It should be turned on, ideally, so that Norton loads up before everything else.

I am unable to do that because my Brother printer doesn't want to load properly if Norton loads first.  It's one of those things that you adjust to suit your system.

The more rootkit files that Quads is able to get to Symantec, the better the detection gets. If they can be blocked in the first instance, it would save a lot of aggravation. Once the rootkit is in, it becomes active at boot, and it is able to block the operation of most antimalware.

So the earlier Norton is loaded the better.

Under certain circumstances profanity provides relief denied even to prayer. (Mark Twain)
Kudos0

Re: dangerous Rootkits found in most Malware

@TomV

Older rootkits "random Name.sys" are detected as Packed.Generic.238.

New samples are not detected.

http://www.virustotal.com/de/analisis/948d7b53d941833763ec6480520ff785cf5036c9cec13627ecf030ebb1a87448-1246287848

http://www.threatexpert.com/report.aspx?md5=b748c980acc97098299aa591e3531b86

Message Edited by Voyager10 on 06-29-2009 08:13 AM
Kudos0

Re: dangerous Rootkits found in most Malware

Hi Voyager10,

Are the sample codecs downloaded from the link that you sent over a PM to me detected now? I received a confirmation from our SR that detections have been added.

-Tom

Kudos1 Stats

Re: dangerous Rootkits found in most Malware

Hi, PC_confused,

Early Load starts the Auto-Protect feature of your Norton product as the drivers of your PC are being loaded, so Norton is more likely to detect threats as the files are being loaded up, if there actually was a threat on your computer, because when the threat file(s) are loaded up they may have some anti-detection and anti-removal techniques attached, as most threats do nowadays. And that is why I highly recommend having Early Load on all the time.

Message Edited by Floating_Red on 06-30-2009 08:00 PM

Message Edited by Floating_Red on 06-30-2009 08:06 PM
Kudos0

Re: dangerous Rootkits found in most Malware

@TomV

You mean these 400 files (200 MB) on swapdrive; at the moment there are only 25 detections.

The file MSIVXxnospyxetijoewiesbqgrivibivctnhv.sys is still in the folder and waits for detection ;)

PS:

I know, you mean License.v.3.412.exe (I have 3 different files of that) in the virus folder. No detection at this time.

Message Edited by Voyager10 on 06-30-2009 12:55 PM
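A defender-side check, added here as an example and not code from this thread, from Symantec or from the ComboFix project: it reviews a Windows kernel-driver inventory for the pattern the thread keeps describing (random-named .sys drivers, the MSIVX name prefix, drivers that start at the Boot/System stage and so are up before any auto-start protection service, drivers living outside the drivers directory). The CSV inventory is constructed and modelled on `driverquery /v /fo csv`; its column set, the random-name thresholds and the sample module names other than the MSIVX one are assumptions.

```python
"""Heuristic review of a Windows kernel-driver inventory for rootkit-style drivers.

Added example for this thread; it is not Norton, Symantec or ComboFix code.
The input is a CONSTRUCTED CSV modelled on `driverquery /v /fo csv` (the column
set used here is an assumption, trimmed to what the checks need). The only
page-derived indicator is the MSIVX name prefix quoted in the thread; the
random-name rule is a generic heuristic for the "random Name.sys" drivers
the thread describes.
"""
import csv
import io
import re

KNOWN_BAD_PREFIXES = ("msivx",)          # from the file name quoted in the thread
DRIVERS_DIR = r"c:\windows\system32\drivers"
VOWELS = set("aeiou")
# Windows driver start modes, earliest first. Boot/System drivers are running
# before any auto-start user-mode service, which is the thread's "early load" point.
START_ORDER = {"boot": 0, "system": 1, "auto": 2, "manual": 3, "disabled": 4}

# Constructed inventory: three ordinary drivers, one name with the MSIVX prefix
# from the thread, and one invented random-named driver in a temp directory.
CONSTRUCTED_INVENTORY = """\
"Module Name","Display Name","Driver Type","Start Mode","State","Path"
"ndis","NDIS System Driver","Kernel","Boot","Running","C:\\Windows\\system32\\drivers\\ndis.sys"
"tcpip","TCP/IP Protocol Driver","Kernel","Boot","Running","C:\\Windows\\system32\\drivers\\tcpip.sys"
"kbdclass","Keyboard Class Driver","Kernel","System","Running","C:\\Windows\\system32\\drivers\\kbdclass.sys"
"MSIVXxnospyxetijoewiesbqgrivibivctnhv","MSIVXxnospyxetijoewiesbqgrivibivctnhv","Kernel","System","Running","C:\\Windows\\system32\\drivers\\MSIVXxnospyxetijoewiesbqgrivibivctnhv.sys"
"kbdrvqzxtwp","kbdrvqzxtwp","Kernel","Boot","Running","C:\\Windows\\Temp\\kbdrvqzxtwp.sys"
"""


def longest_consonant_run(letters: str) -> int:
    """Length of the longest run of consonants (y counted as a consonant)."""
    best = run = 0
    for ch in letters:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_random(name: str) -> bool:
    """True for long letter strings that do not read like a word or abbreviation."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if len(letters) < 10:            # short names (ndis, tcpip, kbdclass) are left alone
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    return vowel_ratio < 0.2 or longest_consonant_run(letters) >= 5


def review_driver(row: dict) -> list:
    """Return the list of reasons this inventory row deserves a closer look."""
    module = row["Module Name"]
    reasons = []
    if module.lower().startswith(KNOWN_BAD_PREFIXES):
        reasons.append("known rootkit name prefix")
    if looks_random(module):
        reasons.append("random-looking module name")
    if not row["Path"].lower().startswith(DRIVERS_DIR):
        reasons.append("driver loaded from outside the drivers directory")
    if reasons:
        # Corroborating signals, only reported once a primary rule has fired.
        if row["Display Name"] == module:
            reasons.append("display name is just the module name")
        mode = row["Start Mode"].lower()
        if START_ORDER.get(mode, 99) <= START_ORDER["system"]:
            reasons.append(f"starts at '{row['Start Mode']}' stage, ahead of auto-start protection services")
    return reasons


def review_inventory(csv_text: str) -> dict:
    """Map module name -> reasons for every driver that raised at least one."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = review_driver(row)
        if reasons:
            findings[row["Module Name"]] = reasons
    return findings


if __name__ == "__main__":
    for module, reasons in review_inventory(CONSTRUCTED_INVENTORY).items():
        print(f"{module}:")
        for reason in reasons:
            print(f"  - {reason}")
```

On a real machine the CSV would come from `driverquery /v /fo csv` run from a clean boot medium rather than from the suspect system, since the thread's own observation is that the rootkit tampers with what tools on the infected system can see. The name heuristics are deliberately conservative (short names are never flagged) so that ordinary drivers such as ndis or kbdclass stay out of the report.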
Kudos0

Re: dangerous Rootkits found in most Malware

Quads,

ComboFix is safe to use; I have been using it for years to clean infected computers with no problem, as have a lot of people in the world.

It is one of the best tools, with a great detection rate, but it's not for amateurs. You have to know how to work with it. This program is used by IT and malware specialists and is created by them.

Message Edited by SaLaDiN on 06-30-2009 01:53 PM
Kudos0

Re: dangerous Rootkits found in most Malware

In your case good, BUT I have seen PCs after ComboFix, and other problems; there is a reason why the creators give the warning.

I have the safer way for all but SKYNET, but I target with a CFScript.

With all but SKYNET my safer way is working!!

Hahaha, I like your contradiction: ComboFix is safe... but not for amateurs. Interesting comment. Most people who have been on the forum having the rootkits are amateurs.

Quads 

Message Edited by Quads on 07-01-2009 08:58 AM
Kudos0

Re: dangerous Rootkits found in most Malware

Quads,

Every program which is installed on a PC (such as ComboFix, SDFix and otherFIX) can corrupt the OS; I have seen cases when AV software corrupted the OS (Kaspersky, NOD, AVIRA or Norton). Not every software works fine on every computer... You should know that )))

Yes, there is a warning: 1 of 1000 PCs CAN BE damaged... nothing bad... similar warnings are in other programs too :) for example AV and antispy software, check the EULA ))

There are lots of malware cleaning forums which use Combofix.

EDITED:

Yes, it is not safe for amateurs... what is funny about it? When some "newbie" user is using ComboFix without any help from a specialist, it's dangerous... There always has to be some person who will say what EXACTLY to do... You do it here... I do it too on another forum... so?

A newbie user can corrupt Windows in one minute without any help )))

Message Edited by SaLaDiN on 06-30-2009 02:35 PM
Kudos0

Re: dangerous Rootkits found in most Malware

As programs as a whole, the likes of AV software (Norton etc.) are safer than ComboFix, and SDFix is safer than ComboFix, though SDFix is out of date now.

I am aware of other forums, and that they also use it as a last resort most of the time.

I do it my way to be as safe as possible for the person's PC at the other end. It's safer to use Avenger with a script to target only those files I state than ComboFix, with or without a script.

Quads 

Kudos0

Re: dangerous Rootkits found in most Malware

Can you attach some proof? Statistics? ComboFix has been used for a long time by specialists and this does not need any other comments )))

ComboFix makes a backup, so if something goes wrong, you can easily restore )

Please, do not compare Avenger vs Combofix, these are completely different programs )

Message Edited by SaLaDiN on 06-30-2009 02:34 PM
Kudos1 Stats

Re: dangerous Rootkits found in most Malware

I am not comparing Avenger and Combofix in terms of the program.

I am telling you that Avenger is safer.  

Secondly, it is known ComboFix can cause problems, and I have actually had fun at a PC after using ComboFix.

It is better to try the easier and safer programs first.

Quads 

Kudos0

Re: dangerous Rootkits found in most Malware

Found a new type of Rootkit today inside a new Fakecodec.

GMER does not detect this rootkit.

http://img176.imageshack.us/i/38812585.jpg/

GMER log, see attachment.

ComboFix (renamed to combo2fix) found it.

http://img126.imageshack.us/i/63836300.jpg/

Norton 09 detects nothing during the malware installation and will also be blocked by this threat after reboot, tested with a second VM.