Rootkit coders beware: Malwarebytes is in hot pursuit

blankslate

Diamond Member
Jun 16, 2008
I heard about this beta back in late November early Dec. of 2012. I used it a couple of times just because I like to run on demand scanners every so often in addition to running Anti-Virus software.

I wonder when it'll be out of beta.
 

spandexninja

Member
Mar 5, 2013
Doesn't rootkit imply that the infection has integrated itself into the OS / MBR and is able to start before any antivirus program does and completely hide itself from detection?

How can Malwarebytes Anti-Rootkit work as expected if a rootkit is already active before installing it?

I don't see how a scanner that runs in the OS can be as effective as a pre-boot scan from Kaspersky Rescue disc or Avast.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
Good question... perhaps it uses rootkit-like methods to hide itself from the rootkits?
I'd ask them to see what they say about it...
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
> Doesn't rootkit imply that the infection has integrated itself into the OS / MBR and is able to start before any antivirus program does and completely hide itself from detection?

Some do, some don't.

> How can Malwarebytes Anti-Rootkit work as expected if a rootkit is already active before installing it?
>
> I don't see how a scanner that runs in the OS can be as effective as a pre-boot scan from Kaspersky Rescue disc or Avast.

Some anti-rootkit scanners have used rootkits' own behavior against them, by a comparator technique. If you get different results from direct disk access than you do through a software request, you know something's hiding and falsifying stuff. An "offline" scan might have its own benefits but it won't have that option since the rootkit won't be active.
 

Mark R

Diamond Member
Oct 9, 1999
> Doesn't rootkit imply that the infection has integrated itself into the OS / MBR and is able to start before any antivirus program does and completely hide itself from detection?

Not necessarily.

Modern OSs have a facility whereby 3rd party software is able to modify core behavior of the OS. For example, this is how anti-virus software works.

The anti-virus requests interception of file access requests, and the OS responds by feeding file access requests to the AV - which then decides whether access to the file should be allowed.

Rootkits do a similar thing - e.g. they intercept a directory list request, and erase the name of the rootkit program before passing the result back to the requesting program. If this loads after the AV, then technically, the AV will still be able to see the rootkit files, even if any other app can't. However, positive detection would require that the AV has a signature for that particular variant of rootkit.

One of the problems with anti-rootkit work, is that rootkits are difficult to find, and can circulate in the wild for a considerable period of time before being detected. The Sony CD rootkit was being distributed on CDs for many months before anyone noticed. In fact, it was only detected by accident, when a security researcher working on rootkit detection techniques couldn't understand why his "known clean" machine did not give the results he was expecting.

Technically, they don't have to load before the AV; they can load at any time.

> How can Malwarebytes Anti-Rootkit work as expected if a rootkit is already active before installing it?

Rootkits work by intercepting OS actions and modifying their behavior. E.g. if a registry search finds the rootkit, the rootkit might intercept that and delete the search result.

However, there are sometimes multiple ways to do the same thing, and rootkits are rarely, if ever, smart enough to intercept all the ways of doing something so that they give the same result.

For example, the registry is basically a database which provides a simple method for applications and Windows to store complex preferences. However, the contents of that database must be stored in a file, and the file format is known and understood. This makes it possible to search the registry in 2 different ways: 1. The program uses the OS's registry search function. 2. The program loads the registry file directly and analyses it using an internal algorithm for decoding the database. The results of the 2 different scans can be compared; they should match exactly. If they don't, something is altering the behavior of the OS.

While intercepting registry searches and hiding some results is easy, making a rootkit that will detect direct access to the registry file and alter the complex file format to hide itself without destroying the registry in the process, is very, very hard.
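Both mechBgon's and Mark R's posts describe the same "comparator" (cross-view) idea: ask the same question through two independent paths and flag anything that only one path reports. The following is an added example written for this page; it is not code from the thread's posters, from Malwarebytes, or from any real anti-rootkit product. The "hooked" listing is simulated in Python (a filter that strips names starting with a constructed prefix), the "raw" view is plain `os.scandir()`, and the sample directory and file names are constructed for the demo. On a real system the two views would be genuinely independent, for instance Win32 `FindFirstFile()` versus parsing the NTFS master file table from the raw volume, or a registry API query versus decoding the hive file directly as Mark R describes.

```python
"""Cross-view ("comparator") rootkit detection, added as a worked example.
Not code from Malwarebytes or from the thread's posters.

The same question (what names are in this directory?) is asked through two
independent paths; a stealth hook can only falsify the path it intercepts.
Here the "hooked" API view is simulated in Python and the "raw" view is
os.scandir().  On a real system the two views would be, for instance,
Win32 FindFirstFile() versus parsing the NTFS MFT from the raw volume.
"""
import os
import tempfile
from typing import Callable, Set

# Constructed for the demo: the name prefix the simulated hook hides.
HIDDEN_PREFIX = "$sys$"


def raw_view(path: str) -> Set[str]:
    """'Direct' enumeration: the path the simulated hook does not intercept."""
    with os.scandir(path) as it:
        return {entry.name for entry in it}


def hooked_view(path: str) -> Set[str]:
    """Simulates a rootkit hook on directory listing: it lets the real
    enumeration run, then strips the names it protects before returning."""
    return {name for name in raw_view(path) if not name.startswith(HIDDEN_PREFIX)}


def cross_view(api: Callable[[str], Set[str]], raw: Callable[[str], Set[str]],
               path: str, passes: int = 3) -> dict:
    """Report names that differ between the two views.

    A single diff is noisy: a file created or deleted between the two
    enumerations also shows up as a discrepancy.  Detectors therefore
    re-sample and only report discrepancies that persist, so a name must be
    hidden (or phantom) in every pass before it is flagged.
    """
    hidden = None    # present in the raw view, absent from the API view
    phantom = None   # present in the API view, absent from the raw view
    for _ in range(passes):
        a, r = api(path), raw(path)
        h, p = r - a, a - r
        hidden = h if hidden is None else hidden & h
        phantom = p if phantom is None else phantom & p
    return {"hidden": sorted(hidden), "phantom": sorted(phantom)}


def demo() -> dict:
    """Build a constructed directory and run the comparator over it twice:
    once with two honest views (clean) and once with the simulated hook."""
    # Constructed sample names; two of them carry the prefix the hook hides.
    names = ("readme.txt", "$sys$aries.sys", "$sys$DRMServer.exe", "notes.md")
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            with open(os.path.join(d, name), "w") as f:
                f.write("sample\n")
        clean = cross_view(raw_view, raw_view, d)       # no discrepancy
        infected = cross_view(hooked_view, raw_view, d) # two names hidden
    return {"clean": clean, "infected": infected}


if __name__ == "__main__":
    result = demo()
    print("clean   :", result["clean"])
    print("infected:", result["infected"])
```

The multi-pass intersection is the part a first attempt usually omits: without it, any file written between the two enumerations is reported as "hidden" or "phantom", which is why real tools re-check a candidate before raising an alert. The flip side, noted by mechBgon, is that this check is only meaningful while the rootkit is active; booting from rescue media removes the hook and, with it, the discrepancy.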
 

Chiefcrowe

Diamond Member
Sep 15, 2008
Thank you, that was a great explanation, since I don't fully know how rootkits work.