New Trends in malware?

Printable View

November 20th, 2010, 09:20 PM
Niclo Iste

New Trends in malware?

Maybe I've been out of the game a little too much with the low amount of work I've pulled in for the past year but from what I can tell it looks like malware is all leaning in the direction of rootkits now. Has anyone else noticed that a large majority of infections are using this to keep from being removed easily? Also what are your methods so far that work out for you? In my observations Combofix is most of the time incapable or incapacitated so it can't deal with the rootkits. I've resorted to all in safe mode, installing powershell on systems and running emsisofts a2cmd program, esets DOS32, and sunbelt softwares viprerescue through it just to get things started then I follow up in the next reboot with Trend Micros rootkit buster. I'm sure there are better methods or processes I should add to this though. Suggestions or your own tricks would be nice to pull from if you don't mind sharing.

Oh by the way the reason I use powershell is because to me it seems it gives some added permission/access to files for the command line scanners. I could be wrong and assuming this because of it showing me more than the general command prompt would show me.
November 22nd, 2010, 04:44 PM
slgrieb

Well, from my perspective, most of the nasties I've dealt with lately haven't been challenging. But then, I'm not doing as many malware removals as I'm used to either. I've hit one or two lately that took 2 passes of Combofix to eradicated, (plus the usual supplementary scan or two). If I can ever get back to it, I need to rescan a computer I did last week; it's either still infected or re-infected.

Still, I think a lot of malware authors have decided that you don't really need to spend vast amounts of time and effort being super-stealthy when there are just such an incredible number of systems that are unpatched, run 3rd rate, out of date malware protection, and whose users are about as savvy on Internet security as my dog. Glancing at top threat lists from various sources, I don't see much that doesn't look pretty old and familiar, except for FireEye's blog.
November 23rd, 2010, 10:51 PM
Ferrit

It really is quite true that most of the nasty stuff is all rootkit based.
I just this night finished cleaning a Dell XP machine with A360 on it.
Malwarebytes didnt even see it, and I had just installed and updated
malwarebytes about an hour before. In fairness I didnt finish the full scan
with malwarebytes when it found 10 in the first 10/15 minutes. SO I shut it off and cleaned those as I commonly do. Meaning to get back to completing the Full scan later. But even after I cleaned those 10 fake warning trojans and a full reboot it ran like crap. So I went ot my personal favorite Combofix.It deleted around 100 files from Windows and Windows/System32. I have had Combofix totally trash an XP system so it couldnt be repaired but that was likely the mess left trying to clean it. It doesnt happen often but i does.
November 24th, 2010, 09:17 AM
Niclo Iste

I love malwarebytes just all my clients have it since I install it and recommend it to them. 95% of the time though if they have me come out it's because the infection has disabled/damaged all the tools on their pc that are for dealing with infections. Maybe I've had a bad string of weeks where combofix just wasn't good enough for the specific infections I had to deal with. I just know I have as of late had to rely on the slower solutions via commandline scanners which generally are only good enough to disable the infection enough so I can mop up with malwarebytes.
November 24th, 2010, 04:51 PM
slgrieb

Quote:

Originally Posted by Ferrit

It really is quite true that most of the nasty stuff is all rootkit based.

You'll certainly not get any arguments from me on that statement; I'm just saying that lately I'm not encountering much that's particularly hard to remove. And I believe one reason is that malware distributors may simply find that putting up a lot of short-lived sites hosting malware that targets common security vulnerabilities (particularly if it appeals to the conceptually challenged) may be more cost effective than trying to write a super bug. The clueless will always be slow to deal with any infection, and they will most assuredly be re-infected over and over again, no matter what defenses they use. Why buy an elephant gun to shoot turkeys?

Happy Thanksgiving!
November 25th, 2010, 09:06 AM
Zonie

Interesting enough, I have also run across an increased number of rootkit infections as well as MBR infections. For a while I was having difficulties in cleaning them and on a couple, backed up data formated and reinstalled. I then found a program which seems to help in both cases, called TDSSKiller from Kaspersky. You might want to give this a try.

Happy Thanksgiving.
November 25th, 2010, 09:14 AM
Niclo Iste

Cool, thanks Zonie I'll give that a try :)