Rootkit coders beware: Malwarebytes is in hot pursuit
Takeaway: Anti-malware heavy-hitter Malwarebytes is now laser-focused on eliminating rootkits. Michael P. Kassner asks the creators of MBAM how they approach this real threat.
Rootkits are the crème de la crème of malware, operating in a fashion not unlike elite Special Forces units: sneak in, establish communications with headquarters, recon the defenses, and tip the odds in favor of the soon-to-arrive main attack force.
Rootkits resemble Special Forces in another way: if they are found and attempts are made to remove them, all hell breaks loose. Every rootkit remover worth its salt warns that removing the rootkit can cause problems for the operating system, to the point where it may not boot.
That’s because the rootkit buries itself deep within the operating system, replacing critical files with ones under the rootkit’s control. When those replaced files are removed along with the rootkit, the operating system can be rendered inoperable.
It’s a pretty safe bet that IT professionals who deal with malware, including rootkits, have a copy of Malwarebytes Anti-Malware ( MBAM ) at their disposal. I know several who say they owe their sanity and good customer rapport to MBAM. Another safe bet: the folks at Malwarebytes are doing something right, particularly when the bad guys add code to their malware installers to prevent MBAM from installing, or, if it is already installed, from running. (More on this later.)
Back in 2009, I met the team at Malwarebytes when writing “ Malware scanners: MBAM is best of breed .” Being the snoopy journalist, I knew I wanted to stay in contact with this energetic bunch. A couple of years ago, the crew started beta testing Malwarebytes Anti-Rootkit ( MBAR ), a tool targeting rootkits — going right at the beast.
I wanted to know more, so I contacted Marcin Kleczynski, CEO, founder, and the one who put the magic in MBAM. Marcin said:
We at Malwarebytes go to great lengths to release fast, effective, and safe software. This mission extends to our anti-rootkit technology that is currently in beta.
Marcin offers the following information about MBAR:
With MBAR we have been running the open beta successfully for just about a year now, and while there’s a small chance specific configurations could pose issues, we’re confident that for many users MBAR can be extremely effective against any rootkit infections they encounter.
My first question for Marcus was why the sudden interest in rootkits? Marcus stated that rootkits have become the cornerstone on which all malware exploits are built. Rootkits have always greased the skids for other malware to be installed.
What’s new is the programming of rootkits to redirect web browsers to look-alike malicious websites just waiting to install more malware on vulnerable computers, or to redirect web browsers to websites advertising goods simply to increase click counts, making advertisers happy.
I mentioned to Marcus that I thought MBAM removed rootkits, so why is MBAR needed? Marcus explained that it’s all about reaction time. Rootkit developers are becoming adept at quickly morphing their code once they learn that rootkit removers recognize their handiwork. With a separate tool, MBAR’s developers can react just as fast without any concern about damaging a bigger, more complex program like MBAM, and they avoid the logistics of rolling out a brand new version of MBAM.
Marcus then mentioned another advantage:
The bad guys have the edge when it comes to rootkits; they aren’t too worried about breaking the host computer, but we are, very much so. Having a separate tool allows us to make absolutely sure we minimize the risk of breaking the host computer.
I had an ah-ha moment when Marcus alluded to their need to react quickly, now understanding why their other tool, Chameleon, is separate and not embedded in MBAM.
If you aren’t familiar with Chameleon, it’s Malwarebytes’s answer when malware prevents MBAM from installing, or from running if it is already installed. Chameleon disguises MBAM, allowing it to start and destroy the malware.
Something I didn’t know until Marcus mentioned it is that MBAM includes Chameleon in the installed MBAM folder, and it’s worth trying. If that doesn’t help, Marcus reminded me that, like MBAR, Chameleon (the website version) is also available as a separate tool, giving Malwarebytes the option of quickly altering Chameleon to improve the odds of fooling rootkits.
How MBAR works
It’s time to get to work: if you suspect a rootkit and MBAM comes up empty, you might want to try MBAR. The first thing to do is read this link . It explains everything, A to Z. Still, I want to touch on some of the more important aspects. First, here’s the list of rootkits the folks at Malwarebytes have tested MBAR against and successfully removed:
- Kernel mode drivers hiding themselves, like TDL1, TDL2/TDSS, MaxSS, Srizbi, Necurs, Cutwail, etc.
- Kernel mode driver patchers/infectors, embedding malicious code into core files of an Operating System, resembling TDL3, ZeroAccess, Rloader, etc.
- Master Boot Record infectors which include TDL4, Mebroot/Sinowal, MoastBoot, Yurn, Pihar, etc.
- Volume Boot Record/OS Bootstrap infectors like Cidox.
- Disk Partition table infectors like SST/Elureon.
- User mode patchers/infectors like ZeroAccess.
Once you have unpacked the MBAR zip file, go to the MBAR folder. It will look like the screenshot below.
I circled the three files I wanted to mention. I was glad the MBAR team included the ReadMe.rtf — it answered a lot of my questions. I didn’t notice any mention of it, but before anything else, I’d back up all data to a remote location. I asked Marcus about setting a restore point, and he said doing so is not recommended: creating a restore point will allow the rootkit to be restored as well.
Once you’re confident, start the ball rolling by double-clicking mbar.exe. If MBAR finds something, you will get a screen like the one below.
Just as with MBAM, follow the instructions and MBAR removes the captured rootkits. In the process of removing any rootkits it finds, MBAR will also try to repair or restore the rootkit-corrupted files. After the next reboot and a rescan to ensure MBAR caught everything, Marcus recommended running Fixdamage.exe (circled in the screenshot of the MBAR folder) as a “belt and suspenders” operation, just to make absolutely sure all critical files are as they should be.
Marcus was adamant that I make sure to tell everyone that MBAR is in beta. I promised, and here’s the disclaimer they post on the website:
All Beta versions are non-final products. Malwarebytes doesn’t guarantee the absence of errors which would cause interruption in normal computer operations or data loss. Precautions must be taken. The kinds of infections targeted by Malwarebytes Anti-Rootkit may be very difficult to remove. Please make sure you have any valued data backed up before proceeding, just as a precaution.
While we encourage and invite participation, Malwarebytes Anti-Rootkit BETA users run the tool at their own risk. Malwarebytes bears no responsibility for issues that may arise during use of this tool; however, all reasonable efforts may be made by Malwarebytes to help in recovery should the need arise.
I guess I never gave it much thought, but after speaking to Marcin and Marcus, I came away wondering whether rootkit coders intentionally replace critical files to make it that much harder to remove the rootkit, or whether it is fallout from controlling critical processes to avoid detection and allow the rootkit to do its thing.
Thank you, Marcin and Marcus, for your explanations, and here’s to continued success for MBAR — we can use the help.