Rootkit coders beware: Malwarebytes is in hot pursuit
Rootkits are the crème de la crème of malware, operating in a way not unlike elite Special Forces units: sneak in, establish communications with headquarters, recon defenses, and tip the percentages in favor of the soon-to-arrive main-attack force.
Rootkits resemble Special Forces in another way: if they are found and attempts are made to remove them, all hell breaks loose. Every rootkit remover worth its salt warns that removing the rootkit may cause problems for the operating system, to the point where it might not boot.
That’s because the rootkit buries itself deep inside the operating system, replacing critical files with ones under the rootkit’s control. When those replaced files are removed along with the rootkit, the operating system could very well be rendered inoperable.
It’s a safe bet that IT professionals who focus on malware, rootkits included, have a copy of Malwarebytes Anti-Malware (MBAM) at their disposal. I know several who say they owe their sanity and good customer rapport to MBAM. Another safe bet: the folks at Malwarebytes are doing something right, particularly when the bad guys add code to their malware installers to prevent MBAM from installing, or, if it is already installed, from running. (More on this later.)
Back in 2009, I met the team at Malwarebytes when writing “Malware scanners: MBAM is best of breed.” Being a snoopy journalist, I wanted to stay in contact with this energetic bunch. A few years ago, the crew started beta testing Malwarebytes Anti-Rootkit (MBAR), a tool that targets rootkits directly, going right after the beast.
I wanted to know more, so I contacted Marcin Kleczynski, CEO, founder, and the person who put the magic in MBAM. Marcin said:
We at Malwarebytes go to great lengths to release fast, effective, and safe software. This mission extends to our anti-rootkit technology, which is currently in beta.
Marcin offered the following information about MBAR:
With MBAR we have now been running the open beta for nearly a year successfully, and while there’s a small chance specific configurations could pose issues, we’re confident for many users MBAR can be extremely effective against any rootkit infections they encounter.
My first question for Marcus was why the sudden interest in rootkits. Marcus said that rootkits are becoming the cornerstone on which all malware exploits are built. Rootkits have always greased the skids for other malware to be installed.
What’s new is the programming of rootkits to redirect web browsers to look-alike malicious websites just waiting to install more malware on vulnerable computers, or to redirect web browsers to websites advertising goods simply to increase click counts, making advertisers happy.
I mentioned to Marcus that I assumed MBAM removed rootkits, so why is MBAR needed? Marcus said it’s all about reaction time. Rootkit developers have become adept at quickly morphing their code once they learn rootkit removers recognize their handiwork. Using a separate tool, MBAR’s developers can react just as fast without any concern of damaging a bigger, more complex program like MBAM, and without the logistics of rolling out a brand new version of MBAM.
Marcus then mentioned another advantage:
The bad guys have the sting on the subject of rootkits: they aren’t too worried about breaking the host computer, but we are, a great deal so. Having a separate tool allows us to make absolutely sure we minimize the danger of breaking the host computer.
I had an ah-ha moment when Marcus alluded to their need to react quickly; I now understood why their other tool, Chameleon, was kept separate and never embedded in MBAM.
If you aren’t acquainted with Chameleon, it is Malwarebytes’s answer when malware prevents MBAM from installing, or from running if it is already installed. Chameleon disguises MBAM, allowing it to start and destroy the malware.
Something I didn’t know until Marcus mentioned it is that MBAM ships with Chameleon in the installed MBAM folder, and it’s worth trying. If that doesn’t help, Marcus reminded me that, like MBAR, Chameleon (the website version) is also a separate tool, giving Malwarebytes the option of quickly altering Chameleon to improve the chances of fooling rootkits.
How MBAR works
It’s time to get to work. If you suspect a rootkit and MBAM comes up empty, you might want to try MBAR. The first thing to do is read this link. It explains everything, A to Z. Still, I would like to touch on some of the more important aspects. First, here’s the list of rootkits the folks at Malwarebytes have tested MBAR against and successfully removed:
- Kernel mode drivers hiding themselves, like TDL1, TDL2/TDSS, MaxSS, Srizbi, Necurs, Cutwail, etc.
- Kernel mode driver patchers/infectors, embedding malicious code into core files of an Operating System, such as TDL3, ZeroAccess, Rloader, etc.
- Master Boot Record infectors such as TDL4, Mebroot/Sinowal, MoastBoot, Yurn, Pihar, etc.
- Volume Boot Record/OS Bootstrap infectors like Cidox.
- Disk Partition table infectors like SST/Elureon.
- User mode patchers/infectors like ZeroAccess.
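Three of the categories above (MBR, VBR/bootstrap and partition table infectors) live in the first sectors of the disk, which is why a defender baselines those sectors and re-checks them rather than relying on a scanner alone. The following Python is an added example, not Malwarebytes code: it parses a 512-byte MBR, hashes the boot code and reports integrity findings against a recorded baseline; the sector contents, the baseline and the disk size are constructed sample data, not read from a real drive.

```python
import hashlib
import struct

BOOT_SIGNATURE = 0x55AA  # bytes 510-511 of a valid MBR, read big-endian

def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR: boot-code hash, signature check and the four partition slots."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    sig = struct.unpack_from(">H", sector, 510)[0]
    parts = []
    for i in range(4):
        # entry layout: status, CHS start, type, CHS end, LBA start, LBA size
        status, _, ptype, _, start, size = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        if ptype != 0:  # type 0 is an empty slot
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "start": start, "sectors": size})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "signature_ok": sig == BOOT_SIGNATURE, "partitions": parts}

def integrity_findings(parsed: dict, baseline_hash: str, disk_sectors: int) -> list:
    """Findings a defender would review; an empty list means nothing looked wrong."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature missing or wrong")
    if parsed["boot_code_sha256"] != baseline_hash:
        findings.append("boot code differs from recorded baseline (possible MBR infector)")
    active = [p for p in parsed["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    parts = sorted(parsed["partitions"], key=lambda p: p["start"])
    for a, b in zip(parts, parts[1:]):
        if a["start"] + a["sectors"] > b["start"]:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    for p in parts:
        if p["start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past end of disk")
    return findings

def build_sample_mbr(boot_code: bytes, entries: list) -> bytes:
    """Constructed sample data for this example, not a sector read from a real disk."""
    table = b"".join(struct.pack("<B3sB3sII", st, b"\0\0\0", ty, b"\0\0\0", start, size)
                     for st, ty, start, size in entries).ljust(64, b"\0")
    return boot_code.ljust(446, b"\0") + table + b"\x55\xAA"

# Constructed baseline: one active partition plus a second data partition, both type 0x07.
CLEAN = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0",
                         [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 2000000)])
BASELINE = hashlib.sha256(CLEAN[:446]).hexdigest()
TAMPERED = b"\x00" * 8 + CLEAN[8:]  # same sector with its boot code bytes overwritten
```

On a live system the baseline hash would be recorded while the machine is known clean and the check repeated from offline or boot media, since a running rootkit can hide its changes from tools on the infected host.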
Once you have unpacked the MBAR zip file, go to the MBAR folder. It will look similar to the following screenshot.
I circled the three files I wanted to mention. I was happy the MBAR team included the ReadMe.rtf; it answered many of my questions. I didn’t notice any mention of it, but before anything else, I would back up all data to a remote source. I asked Marcus about setting a restore point, and he said doing so is not recommended: creating a restore point would allow the rootkit to be restored as well.
Once you are confident, start the ball rolling by double-clicking mbar.exe. If MBAR finds something, you will get a screen like the one below.
As with MBAM, just follow the instructions and MBAR removes the captured rootkits. In the process of removing any located rootkits, MBAR will also try to repair or restore the rootkit-corrupted files. After the subsequent reboot and a rescan to be certain MBAR caught everything, Marcus recommended running Fixdamage.exe (circled in the slide showing the MBAR folder) as a “belt and suspenders” operation, simply to make absolutely sure all critical files are as they ought to be.
Marcus was adamant that I be sure to tell everyone that MBAR is in beta. I promised, and here’s the disclaimer they post on the website:
All Beta versions are non-final products. Malwarebytes doesn’t guarantee the absence of errors which may result in interruption in normal computer operations or data loss. Precautions must be taken. The kinds of infections targeted by Malwarebytes Anti-Rootkit could be very difficult to take away. Please ensure you have any valued data backed up before proceeding, just as a precaution.
While we encourage and invite participation, Malwarebytes Anti-Rootkit BETA users run the tool at their own risk. Malwarebytes bears no responsibility for issues which could arise during use of this tool; however, all reasonable efforts will be made by Malwarebytes to help in recovery should the need arise.
I guess I never gave it much thought, but after chatting with Marcin and Marcus, I came away wondering whether rootkit coders intentionally replace critical files to make it that much harder to remove the rootkit, or whether it is fallout from controlling critical processes to avoid detection and allow the rootkit to do its thing.
Thank you, Marcin and Marcus, for your explanations, and here’s to continued success for MBAR; we can use the help.