djkimmel

boot:cidox-a rootkit detection by Anti-Malware and or EEK

I was helping a family member on a netbook that had multiple infections including a questionable 'antivirus' program that may have downloaded a number of related questionable software programs. Her issues seemed to have started when she somehow got a copy of Systweak Advanced System Protector. She has Windows XP and IE8 on the netbook.

 

I used an older version of EEK and then once I felt I had her clean enough to risk connecting to the Internet I updated EEK to the latest version 4.0.0.17 and found some more junk including some downloaders and adware crap. Once I thought I had her system clean I installed Avast Free for her (her budget at the moment) and ran a scan.

 

Avast found a rootkit reported as boot:cidox-a. I had to use TDSS to delete that rootkit and get a final clean report from various scan engines. The only issue left is that I can't boot the netbook into any version of safe mode. I have recommended to her that she upgrade to Windows 7 as soon as possible so her IE can be updated to a safer version, so I'm not going to put any more time into the safe mode issue.

 

My question here is why EEK 4.0.0.17 was unable to detect boot:cidox-a on her computer? Should EEK and/or Emsisoft Anti-Malware (I run the latest version of that myself) be able to detect and fix boot:cidox-a? I used my laptop to update the EEK USB drive and I'm slightly concerned about the risk of transferring something from the USB drive from her laptop to my laptop also?


Hello,

To answer your question I'd need to have a copy of at least the TDSSKiller log, but it can depend on different factors. For example, the scan type and settings, the Cidox variant or the infected drive (boot or non-boot). Cidox is a bootkit, it doesn't spread via USB (it could theoretically infect the drive itself, but from there it will not spread to other computers). It's easy to verify by running a rootkit scanner though. You can use TDSSKiller or Emsisoft's MBRMastr (beta).

 

As for the safe mode problems, this is not a malware removal subforum, but have you tried SafeBootKeyRepair? It's a small tool that will restore all SafeBoot keys in the registry (without these, safe mode will cause a BSOD when starting).


That was all helpful information - thanks! I will give the MBRMastr program a test.

 

Not sure if I left the TDSSKiller logs on my family member's computer after I finished cleaning everything. I will check if I get a chance to see it. I will try the suggested safe boot repair utility too if she doesn't take my advice soon to upgrade to Windows 7, my preferred outcome for that computer. I don't think I kept a list of the various trojans from her netbook.

 

For some reason I expected the EEK that I received from Emsisoft to not be writeable - of course it isn't bootable. I will have to look into that more. Your information that this particular bootkit doesn't spread via USB helps. There were other trojans on her computer too so I will do some more research on whether or not certain infections could transfer to USB drives for my own knowledge since I do occasionally get asked to help friends and family clean their computers.


You can make a USB stick write-protected, but that would mean you can't download updates, so that would make the USB stick a bit useless. :) Still, Cidox being a bootkit really can do nothing even if it were present on your USB stick. An MBR/VBR infection needs to load with the OS (Windows) in order to be active, otherwise it would just sit there and do nothing.

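The reply above makes the practical point: an MBR/VBR bootkit lives in boot code, not in files, so the way to verify a disk is to read sector 0 raw and compare it with a known-good copy. The following is an added example written for this thread, not code from the original posts or from Emsisoft's MBRMastr or Kaspersky's TDSSKiller. It parses the MBR layout (boot code, four 16-byte partition entries, 55 AA signature), hashes only the code region against a baseline, and sanity-checks the partition table. The sample sectors, the baseline hash and the `\\.\PhysicalDrive0` raw-disk path are constructed for the example; the code bytes are not real boot code.

```python
"""Added example: parse sector 0 (the MBR) and flag the changes a bootkit makes.

A bootkit such as Cidox replaces boot code in the MBR or VBR but keeps the
partition table intact so the OS still starts. Comparing the code region with a
trusted baseline hash, and sanity-checking the partition table, catches that.
The sample sectors below are constructed for the example; they are not real
boot code or real infected samples.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446        # boot code occupies bytes 0..445
BOOT_SIGNATURE = 0xAA55        # stored little-endian as 55 AA at offset 510
ENTRY_FORMAT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes) -> List[Partition]:
    """Return the non-empty partition entries; raise if the sector is not a valid MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a %d-byte sector, got %d" % (SECTOR_SIZE, len(sector)))
    (signature,) = struct.unpack_from("<H", sector, 510)
    if signature != BOOT_SIGNATURE:
        raise ValueError("missing 55 AA boot signature")
    partitions = []
    for i in range(4):
        status, _chs_s, type_id, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FORMAT, sector, PART_TABLE_OFFSET + 16 * i)
        if type_id == 0:
            continue                      # empty entry
        partitions.append(Partition(i, status == 0x80, type_id, lba, count))
    return partitions


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the code region only, so the baseline survives partition changes."""
    return hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()


def active_vbr_offset(partitions: List[Partition]) -> int:
    """Byte offset of the active partition's first sector (its VBR), for the same hash check."""
    (active,) = [p for p in partitions if p.bootable]
    return active.lba_start * SECTOR_SIZE


def check_mbr(sector: bytes, baseline_hash: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    partitions = parse_mbr(sector)
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline (possible MBR bootkit)")
    active = [p for p in partitions if p.bootable]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    ordered = sorted(partitions, key=lambda p: p.lba_start)
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.lba_start + prev.sectors > cur.lba_start:
            findings.append("partitions %d and %d overlap" % (prev.index, cur.index))
    return findings


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (Windows device path; needs administrator rights).

    Caveat: an active bootkit that filters disk I/O can hand back a clean copy here,
    which is why scanners offer a direct-disk-access mode and why a read taken from
    rescue media is the trustworthy baseline.
    """
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def _build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: given code, one active NTFS partition at LBA 63, valid signature."""
    code = boot_code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_000_000)
    table = entry + b"\x00" * 48          # three empty entries
    return code + table + struct.pack("<H", BOOT_SIGNATURE)


# Constructed samples (not real boot code): the tampered copy has its first bytes
# rewritten, the way a bootkit redirects execution, while the table is untouched.
CLEAN_MBR = _build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 64)
CLEAN_BASELINE = boot_code_hash(CLEAN_MBR)
TAMPERED_MBR = b"\xe9\x00\x02" + CLEAN_MBR[3:]

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, CLEAN_BASELINE) or "OK")
```

Take the baseline hash from a read made while booted from rescue media, then run the same check from inside Windows; a mismatch between the two reads is itself the finding, because it means something between the scanner and the disk is rewriting what it sees.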

Once again I appreciate the confirmation. I believe I did not suffer any consequences (other than time :) ) from helping my family member. I think I also cleaned her computer correctly and hopefully completely. If she doesn't wipe and upgrade to Windows 7 I will try the SafeBootKeyRepair you suggested. Thanks again.


I might have something similar to this and as of now no AV is detecting anything. What scan type and settings would have detected the Cidox infection (full scan and/or smart scan)? Connecting an infected drive with Cidox or Mebromi to another PC might infect it, or is it safe to scan it this way? Can Cidox and Mebromi be detected on a boot drive? From Windows or only using a boot CD? Which programs would you recommend to check for BIOS/MBR rootkits and what procedure would you suggest? Thank you!


Cidox is detected by a number of security products. If you suspect Emsisoft isn't detecting it, try a rootkit scan with, for example, TDSSKiller to confirm this. As for Mebromi, no AV may be able to scan the BIOS, but it has plenty of Windows components that will be detected. If you suspect you're infected, please follow the guide here.


Thank you! I'll try the support forum for infections. I'm not sure if I got a BIOS and/or a router infection, or if I'm just super paranoid. :mellow:

Can newer, really advanced Bios infections or router hacks be detected with the "standard" tools/procedure used in the malware support forum for analysis (DDS, FBAR,OTS etc)?

Connecting an infected drive with Cidox or Mebromi to another PC might infect it, or is it safe to scan it this way?

What's the best way to scan an infected system? I always thought a boot/rescue CD would be the best, but now I'm doubting that, since a BIOS malware could just delete the infection from the MBR and from Windows at every shutdown and reinfect at every startup, so that the rescue CD cannot detect it, since it is in the BIOS and apparently this cannot be scanned (or it could be, but since the BIOS and the malware start first they could hide themselves from a scan, correct)? Thank you!!!

Can newer, really advanced Bios infections or router hacks be detected with the "standard" tools/procedure used in the malware support forum for analysis (DDS, FBAR,OTS etc)?

 

Yes they can, because they bring with them various other symptoms. I wouldn't worry about it though, this type of malware simply isn't being distributed (a lot of work, very little to gain due to a small/unpredictable target group) right now.

 

Connecting an infected drive with Cidox or Mebromi to another PC might infect it, or is it safe to scan it this way?

 

Cidox doesn't spread, so yes, that's safe. As for Mebromi, that infection doesn't reside on disk, it resides in a chip on your computer's motherboard. Mebromi has so many other components that it is impossible to miss it if it actually is present on your system.


That depends completely on the problems you're having. Usually it is best from within Windows to make sure the registry is loaded as well so it can be scanned.



There really are no "new" BIOS/router infections out there. It's not productive from a malware point of view to write versions for all the different hardware that's out there. BIOS/router infections will not be detected directly, but usually they have some signs that will be seen by scans. BTW, a router infection usually only modifies the DNS servers; this can be easily fixed by accessing your router interface (of course be sure you have set a custom password, not the default) and setting the DNS, for example, to Google's public DNS servers, or your ISP's.

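The router-hijack symptom described in the reply above, a changed DNS server, is visible from the client. Here is an added example, not code from the thread or from any Emsisoft tool, that pulls the resolvers out of `ipconfig /all` output and classifies each one: listed in a trusted set, a LAN address (the router itself, whose upstream you must check in its admin page), or an unexpected public address. The trusted set uses Google's public DNS as the reply suggests; the sample `ipconfig` text, the `203.0.113.5` address (a documentation range) and the function names are constructed for the example.

```python
"""Added example: pull the DNS servers out of `ipconfig /all` output and flag
resolvers that are not the ones you expect.

A DNS-changing router compromise shows up on the client either as an unexpected
public resolver, or as the router itself (a LAN address) forwarding to an
upstream you cannot see from the host. The sample output is constructed.
"""
import ipaddress
import re
import subprocess
from typing import Dict, Iterable, List

# Resolvers you chose to trust; Google public DNS here, as suggested in the reply.
# Replace with your ISP's resolvers if that is what you configured on the router.
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

# RFC 1918, link-local and ULA ranges: a resolver here is the router or another LAN box.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

_DNS_LINE = re.compile(r"^DNS Servers[ .]*:\s*(\S+)\s*$", re.IGNORECASE)


def _as_ip(text: str):
    """Parse an address, dropping an IPv6 zone id such as %12; None if not an address."""
    try:
        return ipaddress.ip_address(text.split("%")[0])
    except ValueError:
        return None


def parse_dns_servers(ipconfig_text: str) -> List[str]:
    """Collect every resolver listed under 'DNS Servers', including continuation lines."""
    servers: List[str] = []
    in_dns_block = False
    for raw in ipconfig_text.splitlines():
        line = raw.strip()
        match = _DNS_LINE.match(line)
        if match:
            servers.append(match.group(1))
            in_dns_block = True
            continue
        # ipconfig prints extra resolvers on their own indented lines with no label
        if in_dns_block and _as_ip(line) is not None:
            servers.append(line)
            continue
        in_dns_block = False
    return servers


def classify_resolvers(servers: Iterable[str],
                       trusted: Iterable[str] = TRUSTED_RESOLVERS) -> Dict[str, str]:
    """Map each resolver to a verdict string."""
    trusted_set = set(trusted)
    verdicts: Dict[str, str] = {}
    for server in servers:
        addr = _as_ip(server)
        if server in trusted_set:
            verdicts[server] = "trusted"
        elif addr is not None and any(addr in net for net in LAN_NETWORKS):
            verdicts[server] = "router/LAN resolver: check its upstream DNS in the router UI"
        else:
            verdicts[server] = "UNTRUSTED public resolver: possible DNS hijack"
    return verdicts


def check_local_host() -> Dict[str, str]:
    """Run ipconfig on a Windows host and classify what it reports."""
    output = subprocess.run(["ipconfig", "/all"], capture_output=True,
                            text=True, check=True).stdout
    return classify_resolvers(parse_dns_servers(output))


# Constructed sample in the Windows XP `ipconfig /all` layout (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.5
        Lease Obtained. . . . . . . . . . : Monday, January 05, 2015 8:12:03 AM
"""

if __name__ == "__main__":
    for server, verdict in classify_resolvers(parse_dns_servers(SAMPLE_IPCONFIG)).items():
        print(server, "->", verdict)
```

When the only resolver reported is the router, the host-side check cannot tell you whether the router's upstream was changed; that is the case the reply describes, and the router's own admin interface is the place to verify it (and to change the default password).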

I do not put a lot of stock in commissioned tests. Without the missed samples there is no way to verify the validity of the test results.


I don't have any insight in the test-methodology apart from what the article states, but a few observations make me doubt the relevancy of this test:

  •  The test compares a number of different products: anti-rootkit scanners and anti-malware scanners. This makes no sense to me. TDSSKiller is an excellent anti-rootkit scanner in my opinion, but it is a limited tool; you cannot compare this with an anti-malware scanner like EEK or MBAM because it's simply a different product.
  •  The tested malware is for the most part very, very old and not seen in the wild anymore, even though the article states 2015 and "in the wild" in the title.

To give a few examples: Alureon/TDL3/4 hasn't been around "in the wild" for at least 3 years (and that's estimating it very loosely).

The article listed is from 2010 (!) http://contagiodump.blogspot.gr/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html?m=1

The same goes for ZeroAccess/Max++. The latest user-mode version of that rootkit was active in 2013 and after the botnet was taken down for a large part, there has been no re-emergence of this malware. However, its kernel-mode version was quite a bit older; this was last seen in 2011.

 

Sure, it's interesting to see how products perform against such rootkits, but how useful is it? Those rootkits were "retired" for a very good reason: they can no longer infect today's OS versions.

 

Finally, I'm not one to make accusations, but I don't like "sponsored by..." tests. I'm fully willing to believe that Zemana was indeed the best product to remove all these infections, but I just think it's not the best strategy for any testing lab to let a sponsor also participate in the tests, just to avoid any possible doubt as to the objectiveness of the test results.


Elise,

Thank you.

We agree with your points but the doubt still remains: should Emsi Emergency Kit with standard settings detect all the tested malware on an already infected system?


Without having their sample set it's impossible to say, but I suspect for some of these you'd need to change some custom settings like Direct Disk Access.


Would you be interested in replicating the test or couldn't you try to replicate it with samples of the same malwares?

They probably won't be the exact same ones used by Effitas, but it could show how well Emsi EK can detect them.


It makes no sense to do this for extinct malware. Tests with current malware are done on a regular basis by test labs like AV-Comparatives.
