ChrisBP

SAS and Rustock.C


Who do you think you are? I NEVER said I had any samples. Read the thread and the Wilders thread before you make yourself look even more ignorant.

I never said you have samples. Read the thread again. You received an official status from SAS, but if you prefer to believe unofficial posters in unofficial forums then stay with that.


FYI - I just processed all Rustock samples that were posted and harvested, so they will be in today's batch.

Where is my refund?

Submit your refund request here and we will process it:

https://www.superantispyware.com/support.html

I am sorry you are upset because we gave honest answers to your questions and didn't lie like many would have and just said "yes".

You realize no product can catch everything on a given day, and we have some of the best service and processing times in the industry.

Where is my refund?

Ha. Like a king on a chair.

Anyways, great to see that you, the SAS team, will add the variant today. Keep up the great work, and GOOD support.


As you can see, the SAS team was very quick to add detection for a new variant of the Rustock rootkit, and that is the most important thing.

I sent the same samples to Kaspersky Labs too, and they said "no malicious software was found" :lol:


Oh boy, where to start, and in hope this post is not moderated/removed.

This seems kind of moot now since currently the ntldrbot/Rustock C code is no longer being served up by its malware server!

Hopefully making this post will assist clarification and remove any misunderstanding/confusion about Rustock C/ntldrbot.

:idea: Can there first be a clear definition drawn between Trojan.downloader.agent.ddl and the Rustock C/ntldrbot rootkit!

SAS will be able to detect and remove the dropper for the agent and the agent itself if they are known to the SAS target database.

If the agent has imported the ntldrbot/Rustock C rootkit then SAS's current engine would be unable to effect a detection, let alone attempt a disinfection of the host driver.

For the record, so far Dr Web spent 2 months coding a detection & disinfection module for their CureIt tool... Kaspersky AV managed a little quicker, and PrevX will need to rewrite their CSI ARK engine from scratch if they were to go after ntldrbot/Rustock C ;)

No other antivirus/antitrojan or antispyware software has shown that it is capable nor claimed to be Rustock C killer!!!

Nick, if you managed to unpack, repair and patch (bypass VM detection, bypass hardware detection) the Dr Web donated ntldrbot merged driver, you would have to concede this point after loading it onto a test machine... it is not as simple as "send us a sample and we will update the target database to remove this"... this is what is frustrating me.

As with the MBR rootkit when it first appeared, I knew that SAS at that point was incapable of checking the MBR for this rootkit and advised a new module would be required... further down the road and that module has been added! Kudos for that 8)

It's the same all over with Rustock C... a new module is required; the rootkit is a virus (file infector) and will jump from one driver to the next driver periodically! As long as the driver loads at boot it is a potential host for the rootkit, regardless of whether it is a hardware, OS or software driver :!:

I will reference SpamRUcrazy by your classification and its use of a patched ndis.sys as a loader and in turn the problems that caused SAS at the time, having helped many of your users at this forum with that bot infection... unless you were willing to target the patched system driver for disinfection, the spambot would keep reloading!

Anyway, as an olive branch, if this post stands then I will turn over to you 1.5 MB of Rustock samples you don't detect currently and a 3rd (288 KB) ntldrbot merged driver that wasn't distributed at either MIRT or MR but between a few of the top AVs only... just got to love having access to the VT database :lol:

All the best!


Ade, thanks for the post. We have many new technologies in SAS and have new ways of targeting specialized infections. If you want to send over the samples, we'll get them processed and modules coded/definitions created to remove anything that is not removed!

We, and the users of SUPERAntiSpyware, appreciate your assistance in helping out!
