Hi,
today I helped someone clean a PC of the H8SRT rootkit (aka rootkit.tdss). This rootkit downloaded the rogue AV scanner Malware Defense. The PC was protected by a not too current Symantec product, but with current definitions, so I thought this might be the reason why it got through. Once the removal was done, I ran a current trial of NAV 2010 on several of the rootkit’s files, but only one of them was detected as “Suspicious.cloud”. Being a Symantec user since the early ’90s, I am really disappointed that NAV doesn’t detect this rootkit. In fact, detection is easy: most file names follow the scheme h8srt*.*, and there are quite a few registry entries with this name. Still, NAV doesn’t find these or Malware Defense, although the web is full of infection reports. I also searched Symantec’s Threat Explorer for h8srt and Malware Defense, but not a single hit was found!
How can this happen?!? I found reports dating back to September, with a peak since the end of December.
FYI, this is how I removed it:
First I tried a-squared: this product detected and removed Malware Defense, but Malware Defense reappeared later. At that time I didn’t know that we were fighting a rootkit.
After finding other reports on the web, I disabled the rootkit using GMER, then I did a Quick Scan with Malwarebytes’ Anti-Malware, which removed the rootkit and Malware Defense.
Regards,
Frank
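The post points out that the infection leaves artifacts with a recognisable name (files matching h8srt*.* and registry entries containing that string). The following PowerShell triage script is an added example, not part of Frank's post and not a tool from any of the products he mentions; it sweeps the file system, the registry and the driver list for that pattern and writes a report. The directories, registry hives and output path it scans are assumptions and can be adjusted. A kernel-mode rootkit that is still active can hide its own files and keys from user-mode tools, which is why the post disables it with GMER first; an empty result from a script like this on a live system is therefore not proof that the machine is clean.

```powershell
# Added triage script (not from the original post). Looks for artifacts matching the
# naming pattern the post describes: file names "h8srt*" and registry entries containing
# "h8srt". Scan roots, hives and the report path are assumptions; adjust as needed.
# Run from an elevated PowerShell prompt, ideally after the rootkit has been disabled,
# because an active kernel-mode rootkit can hide its files and keys from this script.

param(
    [string[]]$Roots = @("$env:SystemRoot", "$env:ProgramData", "$env:TEMP"),  # assumed locations
    [string]$Pattern = 'h8srt',                                                 # from the post
    [string]$Report  = "$env:USERPROFILE\Desktop\h8srt-triage.txt"              # assumed output path
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. File system: names starting with the pattern (the post's "h8srt*.*" scheme).
foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "$Pattern*" } |
        ForEach-Object {
            $findings.Add("FILE   $($_.FullName)  $($_.Length) bytes  modified $($_.LastWriteTime)")
        }
}

# 2. Registry: key names, value names or value data containing the pattern.
#    The Services key is included because a rootkit driver normally needs a service entry to load.
$hives = @('HKLM:\SYSTEM\CurrentControlSet\Services', 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE')
foreach ($hive in $hives) {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -like "*$Pattern*") {
            $findings.Add("KEY    $($key.Name)")
        }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -like "*$Pattern*" -or $data -like "*$Pattern*") {
                $findings.Add("VALUE  $($key.Name) :: $name = $data")
            }
        }
    }
}

# 3. Loaded/registered kernel drivers whose service name or image path matches.
Get-WmiObject -Class Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$Pattern*" -or $_.PathName -like "*$Pattern*" } |
    ForEach-Object {
        $findings.Add("DRIVER $($_.Name) state=$($_.State) path=$($_.PathName)")
    }

# Write the report and print a summary; review the hits before deleting anything.
$findings | Set-Content -Path $Report
Write-Host ("{0} matching artifact(s) found; report written to {1}" -f $findings.Count, $Report)
$findings | ForEach-Object { Write-Host $_ }
```

The script only reports; it deliberately does not delete files or keys, so the hits can be checked by hand (and submitted to the AV vendor, as the post's complaint suggests) before removal with a dedicated tool.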