http://rapidshare.de...lureon.zip.html
#1
Posted 09 August 2009 - 12:29 AM
Well, I just dealt with yet another alureon rootkit, so here are the files. It dropped GammaView.exe in my temp directory, then it installed its driver. It dropped 2 dlls with long names in the system directory, then it dropped some more files into my temp directory and the windows temp directory. This time I managed to find all of them (except for the one at C:\Windows\System32\dll.dll, which strangely didn't seem to exist on the disk). This one also messes with the MBR. RootRepeal wasn't able to find anything, except under the stealth objects scan, where it found one of the modules, but it froze whenever I tried to do something to it. It also gave a lot of errors about being unable to read the master boot record. MBAM was unfortunately not able to do anything about it, as it couldn't find anything. I hope you guys are working on some stronger kernel tools, this pesky rootkit is getting better every time I run into it.
#2
Posted 09 August 2009 - 12:13 PM
#3
Posted 09 August 2009 - 12:29 PM
Hi tobor,
There are in-memory heuristics for this variant in the database already, which means if they are *live* then they are known to our DB.
However, as you know, the driver at the root of the infection is constantly messing with both ours (& other's tech) in order to avoid being removed.
The fact of the matter is every time we figure a way to avoid their dirty tricks, they just go off and within a week have found another way of borking the defenders' tech.
It is an arms race and unfortunately the malware author who writes this stuff is one very talented if despicable character. The defenders have to play catch up and can only ever be reactionary to a degree, as this guy is extremely inventive in how he does business in order to circumnavigate the defenders' software/tools.
With reference to RootRepeal, the author is constantly having to upgrade his tool to cope with the new rootkit tech as it appears ITW, so it is always best to try and download the most recent version every time you need use of that type of tool.
Anyhow, without being all doom and gloom, I believe we are going to be once again setting the pace for state of the art tech in the security arena... our next version and our very talented devs have something very special lined up for CLB/WinNT Alureon when 1.41 is rolled out.