
charlesfisch

Members
Content Count: 1
Rank: Newbie

About charlesfisch
Hi, I'd like to contribute additional info about this if I may: Several days ago a system was brought to me for help in dealing with a similar malicious software infection. Like Eric (OP), the manufacturer identifier on several malicious processes shown via Task Manager was found to be: IirDeramkel S.R.L (the process names themselves (IDs) appear to be dynamically created, often hashed, and thus variable). Google searches have as yet turned up only a few page hits with that [iirDeramkel] tag (this site being the most recent one as of yet). I have used a couple of other tools to gain further insight into the situation, and so far as I've been able to discern at this time, we are likely dealing with a rootkit problem (possibly Cidox.b or a similar variant). Detection and accurate identification efforts are currently underway; however, it has been suggested this malware is relatively fresh in the wild and therefore hasn't flagged much of a visible profile within the major AV security community and related forums such as Eset / McAfee / TechRepublic (and others who I won't mention here [in deference to SAS et al.]).

One thing I might add is that in the 2 cursory attempts I've made to *completely* remove the offending malware (at least so far), successful extraction/removal was initially indicated. However, such was not the case, and a rather persistent (stealthy) infection still remains. The malware appears to be able to dodge thorough detection techniques used by several popular AV products, but not all. However, those that do appear to detect it seem to report their detections with differing signature IDs. So it is likely that this malware fetches and enjoins additional malicious code using undetected or background system net connections. Furthermore, it appears to have successfully circumvented extraction routines employed by a couple of well-respected anti-rootkit tools which I've run against it so far.

I'm confident that it won't be long before a proper signature profile is generated and released for various security-tool updates. And it may even turn out that this is simply a fresh variant of a previously identified and thus relatively easily handled attack vector (trojan/rootkit/etc.). I would be happy to share a few additional details; however, being new to this site, I will refrain from doing so unless specifically invited by SAS admins or staff members.

Respectfully, charlie