
New Antivirus Tests Show Rootkits Hard to Kill

ancientribe writes "Security suites and online Web scanners detect only a little more than half of all rootkits, according to new tests conducted by independent test organization AV-Test.org. Many of today's products struggle to clean up the ones they find. AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."
  • Not really surprised (Score:5, Interesting)

    by neokushan ( 932374 ) on Wednesday May 14, 2008 @02:10PM (#23406872)
    Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then. Usually it's able to kill the thing, but every now and then one comes along that's just a pig to get rid of.
    Norton (keep in mind, last time I used it was half a decade ago, if not more) had a great habit of going "HEY! YOU'VE GOT A VIRUS!" but when you actually tell it to delete the bloody thing, it refused to do anything. What was annoying was that often you could delete it simply by killing the process, but I digress.
    Every other AV I've used has been able to handle most, but to this day, every now and then a virus will come along that whatever AV I try simply can't shift, forcing me to do the ol' safe-mode delete trick (or sometimes having to boot into a different OS entirely).
    I don't understand why these AVs don't pop up saying "we've found a virus, unfortunately it's going to be a pain to remove, so I can't do it for you, instead here's some instructions on what to do to get rid of it..." instead of just repeatedly popping up that the virus is there and refusing to do anything about it....
  • My nephew got something or other on his laptop. I made a desultory effort to clean it, but whatever crap was on there would kill the anti-spyware install routines within seconds. Fortunately I'd installed Ubuntu on another partition, and he was still able to do web and email and stuff, and I told him to back up the data he needs and I'll wipe it and start fresh.

    I'm pretty sure it was trojaned game mods that got him instead of the usual porn sites. At least, if it was porn, he did a pretty good job hiding his tracks. :->

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday May 14, 2008 @02:30PM (#23407242)
    Every time this subject comes up, I say the same thing.

    The problem with finding and removing rootkits (and other forms of malware) is that the vendor of the OS does not provide any means of identifying what the LEGITIMATE files are.

    With Ubuntu, I can boot from a LiveCD and check any file on my hard drive. What package does it belong to? Does it have the correct checksums?

    Anything that cannot be identified can be moved to a different drive. A drive without run permissions.

    Problem solved.
  • by Carnildo ( 712617 ) on Wednesday May 14, 2008 @02:33PM (#23407292) Homepage Journal

    A slightly related question:

    Does any vendor offer an antivirus program that is delivered on an auto-booting CD-ROM / DVD-ROM?


    I haven't looked at Windows antivirus products in a few years, but all antivirus products used to do this. Originally, it was a boot floppy; later, a boot CD. The necessity of an internet connection to get the latest virus definitions would make this harder these days, as you'd need to support an incredible variety of network cards.
  • by steveha ( 103154 ) on Wednesday May 14, 2008 @02:43PM (#23407462) Homepage
    What I'm just waiting for is a bootable Linux CD that includes ClamAV ready-to-run.

    Once a root kit has its tentacles through your system, you can't trust your system. So it just makes sense to boot a trusted system before running a malware scan.

    I know enough that I could boot an Ubuntu CD, make sure clamav is installed, update it to the latest virus definitions, mount each disk volume, and then run clamav by hand. But more people could use it if this was easier.

    Originally I was thinking of a CD you boot just for virus scanning. But I already carry around an Ubuntu CD to use as a utility disk (you can boot it as a RAM tester, or you can boot to a desktop to help repair a non-booting computer). And if it finds any malware you will want to fire up a web browser and read about how to clean your system. So now I think the very best thing would be for the standard Ubuntu live CD desktop to have a "scan computer for viruses" icon. Ideally it should have some kind of attractive GUI interface, but I'd settle for a scrolling text display as long as it does everything automatically.

    Ideally this would also have a way to download a signed program, verify the signature, and run the program; then people could write programs that automatically clean malware off a computer.

    I already give away Ubuntu CDs to friends who use Windows, and I tell them how to use them to test their RAM. It would be so cool if they could also use it to check their computers for malware. (Who knows, they might get tired of cleaning malware off their computers and try running Ubuntu someday.)

    Is there any way to suggest this as a "summer of code" project or something?

    steveha
  • by kiehlster ( 844523 ) on Wednesday May 14, 2008 @02:44PM (#23407474) Homepage

    While there are advantages to features like System Restore and the fact that in-use files are locked by their associated programs, these features are often the only things that come between detection and eradication of many of these rootkitting trojans. AV software still doesn't tell you to turn off system restore before it tries to delete viruses, or close program XYZ that is infected, and rootkit removal tools often forget to delete the other half of a virus when they reboot.

    On top of that, Google and other engines are so full of spammy removal tools that finding a legitimate tool is a gamble. Tools that do work (e.g. HijackThis) often are not intelligent enough to tell good from bad or don't recognize the correlation between multiple pieces of a rootkit. It sometimes comes down to scanning the system, turning it off without shutting down, and booting the recovery console to delete a laundry list of trojan DLL files that one tool could not take care of.

    If I were a smart AV software developer, I'd make a bootable recovery tool that will erase viruses and trojans before they can hide and secure themselves. Such tools existed back in the days of Windows 3.1 and into the early days of Win95, but today we have nothing more than Windows apps and web-based housecalls. Windows and third-party developers have let their guard down and have forgotten the history of the problem.

  • by Wierdy1024 ( 902573 ) on Wednesday May 14, 2008 @03:12PM (#23407972)
    Um, how exactly do you do this? How can I run a scan and get a list of all files on the entire system that don't match the MD5s in their packages?
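As an added example that is not part of the thread: the check khasim describes, and that Wierdy1024 asks how to run, can be done from a live CD against a Debian/Ubuntu root filesystem mounted read-only, using the per-package MD5 lists that dpkg keeps in var/lib/dpkg/info/<package>.md5sums (the same data debsums reads). The script below is mine, not a tool mentioned by either commenter; the mount point /mnt/sda1 in its comments is an assumption, and it needs only coreutils, so it works even when the live CD has no dpkg.

```shell
#!/bin/sh
# Offline integrity check of a Debian/Ubuntu root filesystem that is mounted
# (ideally read-only) at the path given as $1, e.g. /mnt/sda1 from a live CD.
# Added example, not from the thread. Uses only the per-package MD5 lists dpkg
# ships in var/lib/dpkg/info/<package>.md5sums plus coreutils (md5sum, find,
# sort, comm, cut), so dpkg itself need not be installed on the live CD.

# Print "package path" for every file whose current MD5 differs from the value
# recorded by its package (or that is missing). Returns 1 if anything was printed.
verify_pkg_md5sums() {
    root="$1"
    found=0
    for list in "$root"/var/lib/dpkg/info/*.md5sums; do
        [ -e "$list" ] || continue
        pkg=$(basename "$list" .md5sums)
        # Paths in the list are relative to /, so run the check from inside the
        # mounted root. Non-OK lines look like "path: FAILED" or
        # "path: FAILED open or read"; keep just the path.
        bad=$(cd "$root" && md5sum -c "var/lib/dpkg/info/$pkg.md5sums" 2>/dev/null \
              | grep -v ': OK$' | sed 's/: FAILED.*$//')
        if [ -n "$bad" ]; then
            found=1
            printf '%s\n' "$bad" | sed "s/^/$pkg /"
        fi
    done
    return $found
}

# Print every regular file under $root/$dir that no package's md5sums list
# claims. These are the "cannot be identified" files khasim would move to a
# noexec drive for review. Conffiles (/etc) are deliberately absent from the
# md5sums lists, so point this at usr, bin, sbin or lib rather than at etc.
unowned_files() {
    root="$1"
    dir="$2"
    owned=$(mktemp)
    # A list line is "<32 hex chars><two spaces><path>", so the path starts at
    # column 35; cutting by column keeps paths that contain spaces intact.
    cat "$root"/var/lib/dpkg/info/*.md5sums 2>/dev/null \
        | cut -c35- | LC_ALL=C sort -u > "$owned"
    (cd "$root" && find "$dir" -type f | LC_ALL=C sort -u) \
        | LC_ALL=C comm -23 - "$owned"
    rm -f "$owned"
}

# Stand-alone use: sh check.sh /mnt/sda1
if [ -n "${1:-}" ]; then
    echo "== files that no longer match their package =="
    verify_pkg_md5sums "$1"
    echo "== files under usr that no package owns =="
    unowned_files "$1" usr
fi
```

On a live system that has dpkg, `debsums -c` does the first half in one command and `dpkg-query -S usr/bin/foo` names the owning package (add `--admindir=/mnt/sda1/var/lib/dpkg` when the target is a mounted disk). Two caveats a practitioner should keep in mind: the md5sums lists live on the disk being examined, so malware with write access could have rewritten them along with the binaries, and for a serious case the lists should be regenerated from fresh .deb files pulled from the mirror; and MD5 is not collision-resistant, so this is an inventory check for unexpected changes, not a cryptographic attestation. Whatever the scan flags can be copied to a drive mounted with `-o noexec,nosuid,nodev` before it is looked at, which is the "drive without run permissions" khasim mentions.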
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Wednesday May 14, 2008 @04:24PM (#23409128)
    Comment removed based on user account deletion
  • by kesuki ( 321456 ) on Wednesday May 14, 2008 @05:58PM (#23410560) Journal
    "But on a more serious note, I think these new super stealth rootkits are going to be the beginning of the end for the AV industry. IMHO we are going to have to end up with whitelisting at the OS level as the never ending tidal wave of viruses will simply become too hard for the AV industry to keep up with without overloading the systems with the constant scanning and updating. And in this day and age IMHO it is kind of silly that I can't simply make a list of the two dozen or so programs that I use and have them be the only things that are allowed to run. And with all the legacy systems out there running older MSFT OSes some company could make some good money with an easy to use system that lets a user specify the couple of dozen programs he uses and refuse to run the rest. Anyway that is my 02c,YMMV."

    I had to dig deep, but the company that did the test, tested software that was released in 2005-2006. They weren't even testing what had been released in the past 2 years, only stuff that was known in security circles in 05-06!!!

    They tested security suites as well as specialized removal tools; the sad part was that 3 of the rootkits were on COMMERCIAL PRESSED CD/DVDs. I guess only the likes of Sony get sued over offering rootkits on DVDs/CDs.

    White-listing might help, but clueless users are going to override white lists because of the 'dancing pigs problem' http://en.wikipedia.org/wiki/Dancing_pigs [wikipedia.org]

    I knew about this problem, but my experience was even worse: I couldn't find a single scanner that could even detect the trace files in a zipfile, other than Google's Gmail scanner...

    Once again, the rootkit came to infect my systems around 2006, or possibly earlier, but it could re-infect from CD-Rs and DVD-Rs. I'm basically in a situation now where I am being forced to use Linux to read those discs and salvage what data I can, and never even dare let that data go near a Windows machine again... not a practical solution, but I couldn't find a single scanner that could detect the problem from its source... so all my old CD-Rs and DVD-Rs are now suspect... because the virus can add on to any disc not 'finalized', and there isn't a single detection program I can run (sending files through Gmail only works when you have small files, and a lot of free time).

    But yeah, security firms aren't keeping up anymore. If they can't even keep up with 'known' rootkits, then frankly we should all switch to Linux, and never, never install anything not in a repository... (essentially white-listing ourselves)
