New Antivirus Tests Show Rootkits Hard to Kill
ancientribe writes "Security suites and online Web scanners detect only a little more than half of all rootkits, according to new tests conducted by independent test organization AV-Test.org. Many of today's products struggle to clean up the ones they find. AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."
Re:Not really surprised (Score:5, Informative)
It's funny, the embarrassing part here isn't that you look at porn, it's that you get infected while doing it. Get NoScript, a bittorrent client, and a clue.
Well, DUH! (Score:5, Informative)
First rule of system scanning: if your system is compromised, you can't trust anything running on it including the scanning software. Any malware that's gotten far enough in to be a threat can readily trap the system functions to load programs and read the disk and the system functions used to detect trapping of system functions, allowing it to invisibly return false data to the scanning program. This was standard practice in the late 80s for viruses, see the origin of the term "stealth virus". You can scan incoming files using a scanner running on the main OS but to scan the main OS for infection you need to be running from a different boot image, one that's never been made available in a writable state to the main OS. And no, that doesn't mean a different partition on the hard drive, that's writable by the main OS even if it's not directly available as a drive. The media has to have been physically write-protected or read-only any time it's been in the drive while the main OS is running.
Info - Anti rootkit tools (Score:4, Informative)
AVG Free 8.0 (free.grisoft.com) or AVG free antirootkit if they are using 7.5 free.
Hint: AVG 8 *removes* their old free antirootkit.
For techie users grab the sysinternals toolkit from majorgeeks etc. (Rootkit revealer). For real techies a copy of "Rootkit Unhooker LE" (rku.nm.ru) but (like Hijack This) hide this one from non techie users so they don't fiddle with it ...
(oh and beware some versions of daemon tools which use rootkit like functionality to hide their virtual cd driver).
Andy
It is actually quite easy to break a rootkit... (Score:2, Informative)
The best way to remove them is to use another OS to hit the files, then break the rootkit code and/or replication routine from Windows itself.
Unfortunately, full removal of the kernel level coding injected by the rootkit tends to break the kernel itself.
In a nutshell, Windows fragility prevents the proper removal of the rootkit, rather than the stealth and/or hooking used by the rootkit.
Re:Bootable ClamAV CD image... Ubuntu live CD? (Score:5, Informative)
http://www.ultimatebootcd.com/ [ultimatebootcd.com]
http://www.ubcd4win.com/ [ubcd4win.com]
Both have excellent tools on them, including some UPDATABLE AV kits.
Re:Bootable antivirus discs? (Score:4, Informative)
It is not totally burn and go, thanks to Microsoft and the EULA, but very close. I was just updating my images today, as a matter of fact. Several clients have the latest "It burns when I pee" support calls scheduled.
A compromised system can't diag/fix itself (Score:3, Informative)
Sometimes it happens to work. If it does, you're lucky. But you can't rely on it, and you never will be able to, and anyone who sells you a product that says it can do that, is deceiving you.
Don't execute the rootkit in the first place. That's the only way to be sure. Once you've run untrusted code, your system is compromised until you boot from read-only media.
Sorry if you don't like hearing that. Sorry if it's inconvenient. Sorry if you're an AV company stockholder and you don't want people to know. But that's just how it is, period.
And when you look at it that way, today's rootkits are actually really easy to kill; you just have to go "far enough" (e.g. nuke the whole damn partition). (I have to say "today's rootkits" because if your BIOS is flashable, well, you've got serious problems.)
Re:I don't even bother trying to clean them up. (Score:5, Informative)
What you described sounds similar to how signature/definition-based scanners work. I'm sure a lot of scanners make bootable versions - I know that older versions of McAfee came with a boot floppy.
Signature-based scanners are a glorified form of grep. They look through every file looking for a string of bytes which is reasonably unique to a virus. It's not possible to have a computer know in advance with 100% certainty whether executing a particular block of code is dangerous - the best you can do is say "this is probably dangerous", so realistically your options are:
1. Look for things which are known to be bad, delete any we find. Well, 20 years of antivirus should have taught us by now that this is a crappy solution.
2. Look for things which are known to be good. Anything which isn't known to be good we delete. This is essentially what I described originally.
The minor issue with this (and indeed with what I described) is that writing a general-purpose application which does this without leaving the system broken beyond real use (who's going to put up with an AV product which deletes every data file they've got because there have been known vulnerabilities in programs which read those files?) is impossible.
However, they do say an ounce of prevention is worth a pound of cure, and nowhere in IT is it more true than here. Don't allow users to run as admin, filter email for anything even remotely suspicious, configure your desktop PCs to automatically update, run antivirus on your fileserver to slow down the spread of anything, get proper configurable desktop AV software - preferably configurable such that end users can't easily mess with the configuration - and set it up to scan everything on access.
And while we're at it, abandon any email scanner which filters dodgy attachments on the basis of their file extension. The first virus which comes with text saying "Rename to
This sounds like a lot of work, but I've been in the middle of dealing with virus outbreaks before. Once configured, 99.5% of my suggestions can be just left to their own devices and it's a lot less hassle than dealing with a virus outbreak.
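The two points made above, that a compromised system cannot be trusted to scan itself ("Well, DUH!") and that checking against a list of known-good files is the alternative to hunting for known-bad ones, come together in one procedure: boot from read-only media, mount the suspect partition (with ntfs-3g on a Linux rescue disc, for instance), and hash what is actually on disk against a manifest taken from a trusted copy. The script below is an added example illustrating that procedure; it is not code from the article or from any commenter. The manifest format (path, tab, SHA-256 hex) and all sample files are assumptions constructed for the demo, and it runs against a temporary directory standing in for the mounted partition.

```python
"""Offline known-good verification of a suspect OS image.

Added example, not code from the article or from any commenter. It models
what the thread recommends: boot from read-only media, mount the suspect
partition (e.g. via ntfs-3g), and hash the system binaries on disk against
a manifest taken from a trusted copy. The suspect kernel is not running, so
nothing it installed can filter what the hashing sees.
The manifest format (path<TAB>sha256) and all sample files are assumptions
constructed for the demo.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class Report:
    modified: list = field(default_factory=list)    # hash differs from manifest
    missing: list = field(default_factory=list)     # in manifest, absent on disk
    unexpected: list = field(default_factory=list)  # under a watched dir, not in manifest


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """'relative/path<TAB>hexdigest' per line; blank lines and # comments ignored."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rel, digest = line.rsplit("\t", 1)
        manifest[rel] = digest.lower()
    return manifest


def verify_tree(mount_root, manifest, watched_dirs):
    """Check every manifest entry under mount_root, then walk watched_dirs
    (e.g. Windows/System32) for files the manifest does not know about.
    Only watched_dirs are reported as 'unexpected' so user data is not flagged."""
    report = Report()
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(mount_root, *rel.split("/"))
        if not os.path.isfile(full):
            report.missing.append(rel)
        elif sha256_file(full) != expected:
            report.modified.append(rel)
    for sub in watched_dirs:
        base = os.path.join(mount_root, *sub.split("/"))
        for dirpath, _dirs, files in os.walk(base):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), mount_root)
                rel = rel.replace(os.sep, "/")
                if rel not in manifest:
                    report.unexpected.append(rel)
    report.unexpected.sort()
    return report


def demo():
    """Constructed scenario: a clean tree produces the manifest; the tree is
    then tampered with the way a rootkit drop might be (one binary patched,
    one driver added) and re-verified from 'outside'."""
    clean = {
        "Windows/System32/ntoskrnl.exe": b"constructed kernel image",
        "Windows/System32/svchost.exe": b"constructed service host",
        "Windows/System32/drivers/tcpip.sys": b"constructed tcpip driver",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in clean.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = parse_manifest("\n".join(
            f"{rel}\t{hashlib.sha256(data).hexdigest()}" for rel, data in clean.items()))
        before = verify_tree(root, manifest, ["Windows/System32"])
        # Tamper: append a loader stub to svchost.exe and drop an extra driver.
        with open(os.path.join(root, "Windows", "System32", "svchost.exe"), "ab") as f:
            f.write(b" + injected loader stub")
        with open(os.path.join(root, "Windows", "System32", "drivers", "rk.sys"), "wb") as f:
            f.write(b"constructed rootkit driver")
        after = verify_tree(root, manifest, ["Windows/System32"])
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean:", before)
    print("tampered:", after)
```

In real use the manifest is generated once from install media or a freshly patched reference machine and kept on the same read-only rescue disc, so that the only thing the suspect system contributes to the check is the bytes on its disk. Anything not on the allowlist (the dropped `rk.sys` above) is flagged regardless of whether any scanner has a signature for it, which is exactly the "known good" approach the comment describes.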
Re:Not really surprised (Score:3, Informative)
I found the easiest way to get rid of that one (Because all the 3rd party tools to do it simply didn't work) was to bite the bullet and install unlocker [ccollomb.free.fr]. This piece of software is without a doubt my favourite utility for windows and one of the first things I install (when I'm running 32bit, that is, no 64bit support yet
So when Vundo gets locked into your system, you can still delete it without much trouble (Explorer will crash, but a restart makes it as right as rain). Why AVs can't do this, I don't know...
Re:Interesting way of putting it (Score:4, Informative)
"in this day and age IMHO it is kind of silly that I can't simply make a list of the two dozen or so programs that I use and have them be the only things that are allowed to run".
For Windows, what you are describing is Software Restriction Policies [microsoft.com]. This has been around for some time.
System Rescue CD does (Score:3, Informative)
It's mainly a boot disk geared toward partitioning and hard disk recovery (helped me save a b0rked FakeRaid), but it has lots of tools to help rescue & repair a broken system.
It has ntfs-3g, so you can read and write Windows partitions.
It also has chkrootkit [chkrootkit.org] (but apparently not rkhunter [sourceforge.net]) so you can also scan Linux boxes for rootkits.
Speaking about ClamAV, sadly that anti-virus isn't mentioned anywhere in the AV-test.org publication [av-test.org]. It could be useful to test that one too, because:
- clamav is starting to get popular as a solution to filter e-mails, etc. (and often the rootkits are payload of worms, although Sony proved that they also could be payload of audio CDs) thus detecting the rootkits while still inactive (even though, I must concede, the test was also about the active detection and the disinfection)
- clamav's team has been known to have a fast response time to new threats
- clamav is the only open source scanner available. There's some active research being worked on (there's a port to GPGPU engine mentioned in GPU Gems 3, for example).
Even so, I don't think ClamAV could have fared very well in the "inactive detection" chapter, as it is a mostly signature-based scanner.
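The "glorified form of grep" description earlier in the thread and the remark just above that ClamAV is a mostly signature-based scanner describe the same mechanism, so here is an added example showing what that mechanism actually does and where it stops. It is not code from the article, from any commenter, or from the ClamAV project; it only borrows the layout of ClamAV's `.ndb` signature lines (`Name:TargetType:Offset:HexSignature`) and the subset of its hex syntax I am confident about (`??` for any byte, nibble wildcards such as `a?`, `*` for any run, and `{n}`/`{n-m}` gaps). The three signatures are constructed for the well-known EICAR test string and are not ClamAV's real ones.

```python
"""Minimal ClamAV-style signature matcher.

Added example (not from the article, the thread, or the ClamAV project):
a tiny reimplementation of the 'glorified grep' a signature scanner performs,
using the layout of ClamAV .ndb lines (Name:TargetType:Offset:HexSignature).
Supported hex syntax: plain bytes, ?? (any byte), nibble wildcards (a?, ?a),
* (any run) and {n} / {n-m} / {n-} / {-m} byte gaps. The sample signatures
below are constructed for the EICAR test string and are not ClamAV's own.
"""
import re

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def hexsig_to_regex(hexsig):
    """Compile a hex signature body into a bytes regex (DOTALL so gaps span 0x0a)."""
    out = []
    i = 0
    while i < len(hexsig):
        c = hexsig[i]
        if c == "*":                      # any number of bytes
            out.append(b".*?")
            i += 1
        elif c == "{":                    # {n} exactly n, {n-m} n..m, {n-} >= n, {-m} <= m
            j = hexsig.index("}", i)
            spec = hexsig[i + 1:j]
            if "-" in spec:
                lo, hi = spec.split("-", 1)
                out.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
            else:
                out.append(b".{%s}" % spec.encode())
            i = j + 1
        else:
            pair = hexsig[i:i + 2]
            if pair == "??":
                out.append(b".")
            elif pair[1] == "?":          # high nibble fixed: a? -> 0xa0..0xaf
                hi_n = int(pair[0], 16) << 4
                out.append(b"[\\x%02x-\\x%02x]" % (hi_n, hi_n | 0x0f))
            elif pair[0] == "?":          # low nibble fixed: ?a -> 0x0a, 0x1a, ..., 0xfa
                lo_n = int(pair[1], 16)
                out.append(b"[" + b"".join(b"\\x%02x" % ((n << 4) | lo_n) for n in range(16)) + b"]")
            else:                         # literal byte
                out.append(re.escape(bytes.fromhex(pair)))
            i += 2
    return re.compile(b"".join(out), re.DOTALL)


def parse_ndb(line):
    """Parse 'Name:TargetType:Offset:HexSig'. Offset '*' means anywhere; an
    integer means the match must start at that byte. TargetType is kept only."""
    name, target, offset, hexsig = line.strip().split(":")[:4]
    return {"name": name, "target": int(target),
            "offset": None if offset == "*" else int(offset),
            "regex": hexsig_to_regex(hexsig)}


def scan(data, sigs):
    """Return the names of every signature that hits in `data`."""
    hits = []
    for sig in sigs:
        rx = sig["regex"]
        if sig["offset"] is None:
            found = rx.search(data) is not None
        else:
            found = rx.match(data, sig["offset"]) is not None
        if found:
            hits.append(sig["name"])
    return hits


# Constructed signatures for the EICAR test string (not ClamAV's real ones).
SIGNATURES = [parse_ndb(line) for line in [
    # header 'X5O!P%@AP[4' with '%' wildcarded, anchored at offset 0
    "Demo.Eicar.Header:0:0:58354f2150??4041505b34",
    # '$EICAR' ... any gap ... 'TEST-FILE!$', anywhere in the file
    "Demo.Eicar.Body:0:*:" + b"$EICAR".hex() + "*" + b"TEST-FILE!$".hex(),
    # '!' then 1..4 bytes, then 'H+H' and a byte whose low nibble is 0xa ('*')
    "Demo.Eicar.Trailer:0:*:21{1-4}482b48?a",
]]


def xor_encode(data, key=0x5a):
    """Stand-in for a packer: same payload, no plaintext byte survives."""
    return bytes(b ^ key for b in data)


def demo():
    return {
        "clean_eicar": scan(EICAR, SIGNATURES),
        "shifted": scan(b"MZ padding " + EICAR, SIGNATURES),   # offset-0 sig no longer fires
        "xor_packed": scan(xor_encode(EICAR), SIGNATURES),     # nothing fires
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label}: {hits}")
```

The `shifted` and `xor_packed` cases are the point of the exercise: a signature is a byte pattern, so a payload that has been re-packed, or merely moved so an anchored signature misses, is invisible to this kind of scanner even though the code it unpacks is identical. That is why the "inactive detection" numbers in a test like this one measure signature coverage rather than any understanding of what the file will do once it runs.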