A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #633  by gjf
 Sun Apr 11, 2010 12:09 am
Hi all!

Here are the results of a test made at Anti-Malware.Ru [RU]. Yes, it's in Russian, but I believe the Russian people here will understand everything :)

It could be noted that VBA32 and Gmer were used as the newest ones, and nobody knows about the public betas of RkU, as well as about the new Xuetr. I have no idea where the new OSAM was downloaded from (I can download only 5.0.11922.0 from the official site). But anyway, the results are interesting. Let's discuss!

// added
Testing of anti-rootkit software for the detection and removal of rootkits III (April 2010) [EN].
Last edited by Alex on Wed Jul 28, 2010 5:31 pm, edited 1 time in total. Reason: added link to EN version of the test
 #639  by EP_X0FF
 Sun Apr 11, 2010 4:05 am

Quite obvious results.
BTW, if somebody shares the Pandex rootkit with me, I will look for the BSOD and prepare a fix for it, if it exists.

As for now, I have found just a Cutwail rootkit, which is easily detected and removed by RkU.

Pandex seems to be solved :D

Last edited by EP_X0FF on Sun Apr 11, 2010 1:47 pm, edited 1 time in total. Reason: pandex stuff
 #653  by Alex
 Sun Apr 11, 2010 1:43 pm
Interesting compilation of the most current and interesting malware rootkits. In this test there are no such tools as Radix, CodeWalker, SanityCheck.

Could anyone explain to me what it means that a concrete tool can "Copy the infected driver" (translation), and how it is related to removing, for example, a driver infected by TDL3?

 #654  by EP_X0FF
 Sun Apr 11, 2010 1:46 pm
Translation is right.

This means that the antirootkit I/O engine is able to bypass hooks (whatever) to get the original file data protected by the rootkit, so (I assume this) in a future version detection can be added by simple cross-checking of disk data.
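The cross-check EP_X0FF describes above, as an added illustration that is not part of the thread or of any of the tools discussed: two views of the same driver file (the one returned through the normal, possibly hooked, file API and the one an antirootkit engine obtains by bypassing the hooks) are compared sector by sector, and any differing range is attributed to the PE section it falls in. The `build_sample_driver` image, the `tamper` function and the "raw view" are all constructed stand-ins here; a real engine would read the raw view from disk in kernel mode, which this snippet does not do.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

SECTOR = 512  # compare at disk-sector granularity, the unit a raw reader sees


def build_sample_driver() -> bytes:
    """Constructed minimal PE-shaped image (NOT a real driver) with .text and .data sections."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF header: machine, nsections, timestamp, symtab ptr, nsyms, opt-header size, characteristics
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 0, 0x0102)
    sec_tbl = 0x44 + 20  # section table follows the (empty) optional header
    for i, (name, raw_ptr) in enumerate(((b".text", 0x200), (b".data", 0x400))):
        off = sec_tbl + i * 40
        hdr[off:off + 8] = name.ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<IIII", hdr, off + 8, 0x200, raw_ptr, 0x200, raw_ptr)
    text = b"\x90" * 0x200  # NOP filler stands in for code
    data = b"\x00" * 0x200
    return bytes(hdr) + text + data


def tamper(image: bytes) -> bytes:
    """Constructed 'other view': 16 bytes inside .text differ, as a hidden body patch would."""
    img = bytearray(image)
    img[0x210:0x220] = b"\xCC" * 16
    return bytes(img)


def cross_check(api_view: bytes, raw_view: bytes, sector: int = SECTOR) -> List[Tuple[int, int]]:
    """Return merged (offset, length) ranges where the two views of the file differ."""
    end = max(len(api_view), len(raw_view))  # a longer raw view (appended data) is reported too
    ranges: List[Tuple[int, int]] = []
    for off in range(0, end, sector):
        a, b = api_view[off:off + sector], raw_view[off:off + sector]
        if a != b:
            length = max(len(a), len(b))
            if ranges and ranges[-1][0] + ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], ranges[-1][1] + length)  # extend adjacent range
            else:
                ranges.append((off, length))
    return ranges


def pe_sections(image: bytes) -> List[Tuple[str, int, int]]:
    """Parse the PE section table into (name, raw_offset, raw_size); empty list if not a PE."""
    if image[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    sec_off = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        off = sec_off + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def attribute_to_sections(ranges: List[Tuple[int, int]],
                          sections: List[Tuple[str, int, int]]) -> Dict[str, List[Tuple[int, int]]]:
    """Label each differing range with the section whose raw data contains its start."""
    hits: Dict[str, List[Tuple[int, int]]] = {}
    for off, length in ranges:
        label = "<headers/outside sections>"
        for name, raw_ptr, raw_size in sections:
            if raw_ptr <= off < raw_ptr + raw_size:
                label = name
                break
        hits.setdefault(label, []).append((off, length))
    return hits


def report(api_view: bytes, raw_view: bytes) -> dict:
    """Whole-file digests plus the per-section list of sectors that disagree between the views."""
    ranges = cross_check(api_view, raw_view)
    return {
        "api_sha256": hashlib.sha256(api_view).hexdigest(),
        "raw_sha256": hashlib.sha256(raw_view).hexdigest(),
        "differs": bool(ranges),
        "by_section": attribute_to_sections(ranges, pe_sections(raw_view)),
    }


if __name__ == "__main__":
    clean = build_sample_driver()
    print(report(clean, clean))          # differs: False
    print(report(clean, tamper(clean)))  # differs: True, .text sector at offset 512
```

The value of the comparison is that it needs no signature for the rootkit itself: any sector the hooked path and the raw path disagree on is evidence that something is filtering file I/O, and attributing the range to a section (code versus data versus headers) tells the analyst where to look first.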
 #655  by Alex
 Sun Apr 11, 2010 1:50 pm
Thanks for the explanation :)
 #659  by EP_X0FF
 Sun Apr 11, 2010 10:53 pm
You can calculate it yourself ;) It is able to remove TDL2/Bootkit2 and detect all TDL3 versions. Plus, it is not affected by the BSOD with the Pandex rootkit, so it is able to detect and kill it as well.