You catch 'em, we kill 'em

Further Cause To approach Virii With White Lists not Just Black Lists

Posted: 13-Oct-2008 13:36

Ironically, soon after finishing my previous post on going down the whitelist route for hunting viruses (lists of known good software and programs, so only the unknowns need to be checked for problems), I had the (dis)pleasure of running into one of the new-style rootkits.

As before, the rootkit had got into the system via Win Antivirus 2008 or a similar variant of that malware. The machine was disinfected using the SmitfraudFix and SDFix tools, the two quickest methods for killing that type of rubbish.

We then ran Kaspersky, NOD32, Spybot S&D and Malwarebytes across the system. The first three failed to detect anything. Malwarebytes found something, supposedly killed it, and then we rebooted. Malwarebytes again found the same thing, and again we rebooted and rechecked. Same result. Task Manager was also showing an iExplorer.exe process running all the time, a symptom of many Zlob-type infections.

After unpacking three common rootkit checkers we ran them. All three failed to discover a rootkit. However, our firewalls and Malwarebytes all showed an ongoing infection.

To cut a long story short, we ended up having to test three new anti-rootkit tools, and eventually one of them worked (we hope). We figure it has worked because Malwarebytes detects nothing after removal, Kaspersky detected and removed the virus once the rootkit was disabled, and the firewall shows no signs of infection.

So why the whitelist approach? If we had not been observant and meticulous in our double checking we would have missed this nasty little rootkit. It is one that is giving rootkit detection experts problems, as it is a bit more devious than most.

However, had we run a whitelist executable check from a known good operating system (e.g. booting from a Linux live CD, a BartPE disc, a DOS disk, etc.), we would have seen the rootkitted system file, quarantined it, and had all our detectors work and detect the virus correctly.

With constantly evolving ways for malware to hide and beat detection, it is becoming more likely that the old-fashioned method of booting from alternative media will need to be employed. Other than the issues with alternate data streams in NTFS and with encrypted systems, it is the only way to see some of these new versions of malware.

Currently we are working on a Java-based system so we can run it from Linux, Windows and DOS-based media. The database will take a while to fill correctly, but seriously, it may be the best method of detection for a while to come. Verify your friends, don't trust the rest.
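As an added illustration of the offline whitelist check described above (this is example code, not the author's Java tool): boot from known good media, mount the suspect volume read-only, hash every executable on it with SHA-256, and report anything not in the known-good database for quarantine. The sample volume, file names and hashes are constructed inside the script so it runs stand-alone; a real deployment would point it at the mounted volume and load the whitelist from a file.

```python
#!/usr/bin/env python3
"""Offline executable whitelist check (illustrative example, not the blog's tool).

Run from known-good boot media against the suspect volume mounted read-only.
A rootkit that hides files on the running system cannot filter what an
offline reader sees on disk, so every unknown executable is surfaced.
"""
import hashlib
import os
import tempfile

# Extensions treated as executable code on a Windows volume (assumption).
EXEC_EXT = {".exe", ".dll", ".sys", ".ocx", ".scr"}


def sha256_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, whitelist: dict) -> dict:
    """Classify executables under root as known-good or unknown.

    whitelist maps a sha256 hex digest to a label; paths are returned relative
    to root and sorted so the report is stable.
    """
    result = {"known": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXEC_EXT:
                continue
            full = os.path.join(dirpath, name)
            bucket = "known" if sha256_file(full) in whitelist else "unknown"
            result[bucket].append(os.path.relpath(full, root))
    return {k: sorted(v) for k, v in result.items()}


def demo() -> dict:
    """Constructed volume: two whitelisted binaries, then one replaced on disk."""
    root = tempfile.mkdtemp(prefix="vol_")
    os.makedirs(os.path.join(root, "WINDOWS", "system32"))
    good = {"WINDOWS/system32/kernel32.dll": b"original kernel32 (constructed)",
            "WINDOWS/explorer.exe": b"original explorer (constructed)"}
    whitelist = {}
    for rel, data in good.items():          # build the known-good database
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
        whitelist[sha256_file(os.path.join(root, rel))] = rel
    with open(os.path.join(root, "WINDOWS/system32/kernel32.dll"), "wb") as f:
        f.write(b"patched kernel32 (constructed)")   # simulated tampering
    return scan_tree(root, whitelist)   # returns the unknown file for quarantine
```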



Comment by Regs, on 13-Oct-2008 23:21

My attempt to use the word "virii" lost me a Scrabble game once.... it's not a real word :)

Author's note by nunz, on 26-Nov-2008 18:23

Sure it is a real word - you saw it here on Geekzone, didn't you? :D

nunz's profile

Shane Hollis
New Zealand

Shane started Virusbusters twelve years ago to provide fixed price IT support for home users.

Daily battles through the world of viruses, spammers and other malware have left an indelible impression on him, so he decided to try to give back some of the help he has received over time.

Hopefully crazy ideas, virus removal tips and other help can be found in this new blog. Who knows, it might even be worth reading one day.