A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #9835  by Dmitry Varshavsky
 Tue Nov 22, 2011 8:17 pm
Hi everybody,

I'm glad to present Vba32 AntiRootkit 3.12.5.5 beta build 425.

Download link is the same: http://anti-virus.by/en/beta.shtml

Change list:

+ Native support of IDE and AHCI mass storage controllers.

The main goal of this beta version. We spent thousands of hours studying specifications and debugging third-party drivers to provide the ultimate solution. AntiRootkit will work with most mass storage controllers directly; however, the current solution is incompatible with some hardware/software setups, such as the Nvidia4 chipset + original Nvidia drivers (there is no problem on the Nvidia4 chipset when using standard Microsoft drivers). We are working to solve this ASAP, and if you're unlucky starting the antirootkit (e.g. system hangs, BSODs), you can use our product in compatibility mode (/nodmsa command line switch).

+ Vba32 Defender: interactive mode, white and black lists, hints for users implemented. Ability to start processes on a dedicated desktop.


Functionality of Vba32 Defender was significantly increased for convenient use.

+ Basic self-defence functionality has been added.

AntiRootkit successfully confronts most threats, including the latest ZeroAccess aka Max++, Trojan.Necurs, etc.

+ Ability to detach device from device stack

Very useful feature.

+ Hidden driver detection technique (raw memory lookup, only on Vista and later OSes)

Also may be very useful.

+ View/delete for ObCallbacks notificators

For Vista SP1 and later OSes.

+ Restore MBR and force reboot option

Safer than using "Restore MBR and force reset"

+ Output of MD5/SHA1 for checked files

Useful when using services such as VirusTotal.

+ "Don't display items with empty path name" option in drivers/services tool

+ Support of Windows 8 ( Developer Preview Build )

* Issue with driver unload and loss of sound on some systems

* Overall work robustness of antirootkit was improved

* Help in Russian was improved


Feel free to contact us at arkit[at]anti-virus[dot]by. Feature requests, bug reports, kernel dumps are very welcome !

Also, we began publishing "Detection & Removal" guides, drafts are available here:
http://anti-virus.by/en/doc/Vba32%20Ant ... 20TDL2.pdf
http://anti-virus.by/en/doc/Vba32%20Ant ... 20TDL4.pdf
Last edited by Dmitry Varshavsky on Tue Nov 22, 2011 8:58 pm, edited 1 time in total.
 #9894  by redp
 Thu Nov 24, 2011 5:17 pm
Vba32 AntiRootkit 3.12.5.5 constantly hangs on my SMP machine with XP SP3 32-bit after pressing the Start button :(
Even when the ARK process is killed, the driver remains in memory and doesn't clean the installed hooks :evil:
 #9895  by Dmitry Varshavsky
 Thu Nov 24, 2011 5:50 pm
redp wrote:Vba32 AntiRootkit 3.12.5.5 constantly hangs on my SMP machine with XP SP3 32-bit after pressing the Start button :(
Even when the ARK process is killed, the driver remains in memory and doesn't clean the installed hooks :evil:
/nodmsa switch will work for you.
 #11362  by Dmitry Varshavsky
 Tue Jan 31, 2012 8:02 am
Hi everybody,

I'm glad to present Vba32 AntiRootKit 3.12.5.6 beta build 500 !

Download links have been changed a little bit:

http://anti-virus.by/en/beta.shtml ( .exe is about 500 Kb )

ftp://anti-virus.by/pub/beta/vba32arkit_beta.zip ( regular version, what's new ( both in en and ru ) and Russian help included, ~3.5 Mb )

ftp://anti-virus.by/pub/beta/vba32arkit_full_beta.zip ( full version with AV kernel and AV bases, ~90 Mb )

ChangeLog ( builds 493 and 500 ):

+ Volume Boot Sectors verification feature. Detection, view, dump and restoration of non-standard and forged loaders. Saving the primary volume boot sector in the html log.


For detection / removal of Cidox/Carberp malware.

+ Ability to use Vba32 AV-Kernel to verify forged, locked files and boot sectors as well

Simplifies the detection of complicated infections such as Cidox, Max++, TDLs, Sinowals, etc.

Some examples:
[screenshots in the original post: max___4.PNG, tdl3.PNG]
+ Force Delete option

The function is able to delete files that have been opened exclusively or locked with the LockFile/LockFileEx/.. functions. For mapped files, the function "Unmap in all processes and force delete" is available from Process Manager.

* Functionality of Low-level disk access Scanner enhanced

Checking of MBRs/VBRs/System Folder from the scanner tool. The functionality will also be enhanced in future versions.

* Stability of direct mass storage access library was significantly improved

Now we are working MUCH more stably on supported hardware and provide direct access to the disk content on most IDE ( PATA/SATA ) / AHCI controllers !

* Overall work robustness of antirootkit was improved

Fixed possible BSODs on some MAX++ versions; also improved detection of the Sinowal variant which hijacks the \DR0 device object.

* Stability of Vba32 Defender was improved

* HTML-report was improved

* Fixed some minor bugs in GUI

* Help in Russian was improved

As usual, please feel free to contact us at arkit[at]anti-virus[dot]by. Feature requests, bug reports, kernel dumps are very welcome !
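As an added example (not the tool's code) of the kind of check the boot sector verification and MBR hashing above perform: parse a 512-byte MBR, extract its partition table, hash the sector for VirusTotal lookups, and diff it against a known-good copy. The sample sectors and their contents are constructed here for the demo.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"

def parse_partition_table(sector: bytes) -> list:
    """Return the four primary partition entries of a 512-byte MBR as dicts."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries

def sector_digests(sector: bytes) -> dict:
    """MD5/SHA1 of the sector, the hashes the tool prints for VirusTotal lookups."""
    return {"md5": hashlib.md5(sector).hexdigest(), "sha1": hashlib.sha1(sector).hexdigest()}

def compare_to_baseline(current: bytes, baseline: bytes) -> dict:
    """Report what differs between a captured MBR and a known-good copy."""
    cur_tbl, base_tbl = parse_partition_table(current), parse_partition_table(baseline)
    return {
        "boot_code_changed": current[:PART_TABLE_OFF] != baseline[:PART_TABLE_OFF],
        "partition_table_changed": cur_tbl != base_tbl,
        "changed_entries": [c["index"] for c, b in zip(cur_tbl, base_tbl) if c != b],
    }

def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Constructed sample MBR for this demo, not a real disk image."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * 16,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# constructed known-good MBR and a forged one (bootstrap code replaced, partition 0 relocated)
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0", [(0x80, 0x07, 2048, 204800)])
FORGED_MBR = build_sample_mbr(b"\xeb\xfe", [(0x80, 0x07, 63, 204800)])
```

On a real system the "current" sector would be read from the raw disk (which is exactly what the tool's direct mass storage access is for) and the baseline taken from a backup or a known-good install.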
 #11959  by Dmitry Varshavsky
 Sun Mar 04, 2012 8:29 pm
STRELiTZIA wrote:Hello Dmitry Varshavsky,
I tried to kill the tool from user mode by exploiting the opportunity to unload the driver, and unfortunately the attempt was successful in a very basic way...

Link to download the POC:
hxxp://www.mediafire.com/?wea6gbl5xl8gwje
Regards
I confirm the vulnerability. It will be closed in the nearest beta build.
 #12823  by Dmitry Varshavsky
 Fri Apr 20, 2012 1:39 pm
Hi everybody,

I'm glad to present Vba32 AntiRootkit 3.12.5.7 beta build 588.

Download link is the same: http://anti-virus.by/en/beta.shtml

Change list:

+ Registry hives parsing mechanism has been added. Direct registry access is performed in the Autorun and Drivers & Services ( from Registry ) windows, and in the report as well


Should have been done a long time ago.

+ Added Low-Level Registry Access Tool window. Operations on hidden, locked and forged registry keys / values

We will expand this window functionality in the nearest builds.

+ Restoration of modified MBR partition table

Needed for Rootkit.Boot.sst and similar malware treatment.

+ Vba32 Defender: added information about command line and parent pid ( for processes ). Ability to block the creation of new registry keys and the setting of registry values


+ Reboot on Exit option

Very useful for fighting malware which constantly rewrites registry keys / values

+ Support of Windows 8 Consumer Preview. Support of Windows 8 Developer Preview has been dropped

We are trying to support the latest builds.

- Force reset option

This is a redundant option. Force reboot works in all known cases.

* Overall work robustness of antirootkit was improved

* Stability of direct mass storage access library was improved

* Stability of Vba32 Defender was improved

* Fixed bugs in self-protection module

* Fixed bugs in GUI

We have spent a lot of time working on stability of this build.
STRELiTZIA, bug is fixed, thank you very much !

* Help in Russian was improved

Feel free to contact us at arkit[at]anti-virus[dot]by. Feature requests, bug reports, kernel dumps are very welcome !