New Trends in malware?
  1. #1
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051

    New Trends in malware?

    Maybe I've been out of the game a little too much with the low amount of work I've pulled in for the past year, but from what I can tell it looks like malware is all leaning in the direction of rootkits now. Has anyone else noticed that a large majority of infections are using this to keep from being removed easily? Also, what are your methods so far that work out for you? In my observations Combofix is most of the time incapable or incapacitated, so it can't deal with the rootkits. I've resorted to doing it all in safe mode, installing PowerShell on systems and running Emsisoft's a2cmd program, ESET's DOS32, and Sunbelt Software's VIPRE Rescue through it just to get things started, then I follow up in the next reboot with Trend Micro's RootkitBuster. I'm sure there are better methods or processes I should add to this though. Suggestions or your own tricks would be nice to pull from if you don't mind sharing.

    Oh, by the way, the reason I use PowerShell is because to me it seems it gives some added permission/access to files for the command-line scanners. I could be wrong and assuming this because of it showing me more than the general command prompt would show me.
    Last edited by Niclo Iste; November 20th, 2010 at 09:23 PM.
    One Script to rule them all.
    One Script to find them.
    One Script to bring them all,
    and clean up after itself.
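On the question raised in the post above of whether PowerShell itself grants extra file access to a command-line scanner: it does not; a child process inherits the token of the shell that launched it, so what matters is whether that shell is running elevated. The following is an added example, not code from the thread, that checks for an elevated administrator token before launching a list of scanners in sequence and logging each exit code. The scanner paths and switches in it are placeholders (assumed, not real vendor syntax) and must be replaced from each vendor's documentation.

```powershell
# Added example (not from the thread). A scanner launched from this session
# inherits this session's token, so an elevation check up front is what tells
# you whether the scanner will see protected files, not which shell you use.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-ScannerSequence {
    param(
        [Parameter(Mandatory=$true)] [hashtable[]] $Scanners,
        [string] $LogPath = "$env:SystemDrive\scanlog.txt"
    )
    if (-not (Test-IsElevated)) {
        Write-Warning "Not elevated: scanners would inherit a limited token. Re-run from an elevated prompt."
        return $null
    }
    $results = foreach ($s in $Scanners) {
        if (-not (Test-Path $s.Path)) {
            "$(Get-Date -Format s) SKIP  $($s.Path) (not found)" | Add-Content $LogPath
            continue
        }
        "$(Get-Date -Format s) START $($s.Path) $($s.Args)" | Add-Content $LogPath
        # -Wait runs the scanners one at a time; -PassThru returns the process so the exit code is recorded
        $p = Start-Process -FilePath $s.Path -ArgumentList $s.Args -Wait -PassThru -NoNewWindow
        "$(Get-Date -Format s) END   $($s.Path) exit=$($p.ExitCode)" | Add-Content $LogPath
        [pscustomobject]@{ Scanner = $s.Path; ExitCode = $p.ExitCode }
    }
    return $results
}

# Constructed placeholder list: the paths and switches are assumptions, not real vendor syntax.
$scanners = @(
    @{ Path = 'C:\tools\a2cmd\a2cmd.exe';      Args = 'PLACEHOLDER_SCAN_SWITCHES' },
    @{ Path = 'C:\tools\vipre\viprerescue.exe'; Args = 'PLACEHOLDER_SCAN_SWITCHES' }
)
Invoke-ScannerSequence -Scanners $scanners | Format-Table -AutoSize
```

Reviewing the exit codes and the log afterwards shows which scanner ran and which was skipped, which is useful when an infection has already disabled some of the tools on the machine.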

  2. #2
    Registered User slgrieb's Avatar
    Join Date
    Feb 2003
    Posts
    4,103
    Well, from my perspective, most of the nasties I've dealt with lately haven't been challenging. But then, I'm not doing as many malware removals as I'm used to either. I've hit one or two lately that took 2 passes of Combofix to eradicate (plus the usual supplementary scan or two). If I can ever get back to it, I need to rescan a computer I did last week; it's either still infected or re-infected.

    Still, I think a lot of malware authors have decided that you don't really need to spend vast amounts of time and effort being super-stealthy when there are just such an incredible number of systems that are unpatched, run 3rd rate, out of date malware protection, and whose users are about as savvy on Internet security as my dog. Glancing at top threat lists from various sources, I don't see much that doesn't look pretty old and familiar, except for FireEye's blog.

  3. #3
    Registered User Ferrit's Avatar
    Join Date
    Apr 2001
    Location
    Vancouver Island The Real Canada
    Posts
    4,952
    It really is quite true that most of the nasty stuff is all rootkit based. I just this night finished cleaning a Dell XP machine with A360 on it. Malwarebytes didn't even see it, and I had just installed and updated Malwarebytes about an hour before. In fairness, I didn't finish the full scan with Malwarebytes when it found 10 in the first 10/15 minutes. So I shut it off and cleaned those as I commonly do, meaning to get back to completing the full scan later. But even after I cleaned those 10 fake warning trojans and a full reboot it ran like crap. So I went to my personal favorite, Combofix. It deleted around 100 files from Windows and Windows/System32. I have had Combofix totally trash an XP system so it couldn't be repaired, but that was likely the mess left trying to clean it. It doesn't happen often, but it does.
    Gigabyte 990FXA-UD3
    AMD FX 8350 4ghz OCTO-Core
    Windows 8.1 PRO 64
    Adata 256 gig SSD
    Kingston HyperX 1600 16 Gigs
    Sapphire R9 280 2gig
    Enermax Liberty Modular 620
    www.northernaurora.net
    http://www.northernaurora.net/page/chat.html

  4. #4
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    I love Malwarebytes; all my clients have it, since I install it and recommend it to them. 95% of the time though, if they have me come out it's because the infection has disabled/damaged all the tools on their PC that are for dealing with infections. Maybe I've had a bad string of weeks where Combofix just wasn't good enough for the specific infections I had to deal with. I just know I have as of late had to rely on the slower solutions via command-line scanners, which generally are only good enough to disable the infection enough so I can mop up with Malwarebytes.

  5. #5
    Registered User slgrieb's Avatar
    Join Date
    Feb 2003
    Posts
    4,103
    Quote Originally Posted by Ferrit View Post
    It really is quite true that most of the nasty stuff is all rootkit based.
    You'll certainly not get any arguments from me on that statement; I'm just saying that lately I'm not encountering much that's particularly hard to remove. And I believe one reason is that malware distributors may simply find that putting up a lot of short-lived sites hosting malware that targets common security vulnerabilities (particularly if it appeals to the conceptually challenged) may be more cost effective than trying to write a super bug. The clueless will always be slow to deal with any infection, and they will most assuredly be re-infected over and over again, no matter what defenses they use. Why buy an elephant gun to shoot turkeys?

    Happy Thanksgiving!

  6. #6
    Registered User Zonie's Avatar
    Join Date
    Apr 2001
    Location
    Phoenix, Arizona
    Posts
    1,461
    Interestingly enough, I have also run across an increased number of rootkit infections as well as MBR infections. For a while I was having difficulties in cleaning them and on a couple, backed up data, formatted and reinstalled. I then found a program which seems to help in both cases, called TDSSKiller from Kaspersky. You might want to give this a try.

    Happy Thanksgiving.
    It's not the computers that keep having problems, it's the users!!

  7. #7
    Registered User Niclo Iste's Avatar
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    Cool, thanks Zonie, I'll give that a try.
