Malwarebytes Anti-Rootkit beta is now publicly available


9 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 12 November 2012 - 10:44 AM

Malwarebytes has released a beta of their anti-rootkit product, which can be downloaded here:

http://downloads.malwarebytes.org/file/mbar

The program has the following features.

Rootkits have the ability to infect the very core or ‘root’ of an operating system and hide the existence of certain processes and malicious programs from normal methods of detection. Rootkits can also enable continued privileged access to a computer to make system level modifications, leaving the system heavily compromised.

Malwarebytes Anti-Rootkit (MBAR) is designed to counteract malicious attempts to subvert base core subsystems of an OS which usually make it impossible to detect rootkits using conventional methods. Besides the general functionality of allowing a user to detect and remove rootkits automatically, MBAR contains a set of tools allowing an experienced user to perform some actions to locate unknown rootkits and remove them manually. To protect itself from being terminated by a rootkit or other malware, MBAR uses Malwarebytes Chameleon technologies which prevent modification or removal of MBAR by malware which may reside on the system. This allows MBAR to complete the detection and removal process regardless of such attacks. MBAR uses an active internet connection to keep its database up to date to ensure that the most current definitions are used in order to detect and remove the latest 0-day rootkits.

Scope of Malwarebytes Anti-Rootkit:

Malwarebytes Anti-Rootkit (MBAR) has been tested and proven to be effective against the following types of rootkits:

  • Kernel mode drivers hiding themselves, like TDL1, TDL2/TDSS, MaxSS, Srizbi, Necurs, Cutwail, etc.
  • Kernel mode driver patchers/infectors, embedding malicious code into core files of an Operating System, such as TDL3, ZeroAccess, Rloader, etc.
  • Master Boot Record infectors such as TDL4, Mebroot/Sinowal, MoastBoot, Yurn, Pihar, etc.
  • Volume Boot Record/OS Bootstrap infectors like Cidox
  • Disk Partition table infectors like SST/Elureon
  • User mode patchers/infectors like ZeroAccess.
  • And many more!

MBAR provides a comprehensive system scan to check for rootkits that includes drivers, MBRs (Master Boot Records) and VBRs (Volume Boot Records).


Note: This program is in beta and thus may not run properly or contain bugs. Please use this program on a computer at your own risk.

If you decide to use it, please let us know what you think.
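As an added illustration of what a scan of the MBR and partition table can actually check (example code written for this thread, not part of MBAR or of any Malwarebytes tooling): the script below parses a 512-byte MBR, verifies the 0x55AA signature, hashes the boot code against a known-good baseline, and flags partition entries with invalid status bytes, zero extents, overlaps, or extents past the end of the disk. Those are the observable symptoms of the MBR and partition-table tampering listed in the post above. The sample sectors, the disk size and the baseline hash are all constructed inline; on a real system the baseline would come from a backup taken before infection or from a clean install of the same boot loader, and the sector would be read from the raw disk device.

```python
"""Parse a 512-byte MBR and run the integrity checks a bootkit scan performs."""
import hashlib
import struct
from dataclasses import dataclass
from itertools import combinations
from typing import List

SECTOR = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot code
PART_TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511


@dataclass
class Partition:
    index: int
    status: int       # 0x80 = bootable, 0x00 = inactive; anything else is invalid
    type_id: int      # 0x00 = unused entry
    start_lba: int
    sectors: int

    @property
    def end_lba(self) -> int:  # exclusive
        return self.start_lba + self.sectors


def parse_mbr(mbr: bytes) -> List[Partition]:
    """Return the four partition entries; raise if the sector is not a valid MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # Bytes 8..15 of each entry hold the little-endian start LBA and sector count.
        start, size = struct.unpack_from("<II", mbr, off + 8)
        parts.append(Partition(i, mbr[off], mbr[off + 4], start, size))
    return parts


def check_mbr(mbr: bytes, disk_sectors: int, baseline_bootcode_sha256: str) -> List[str]:
    """Return a list of findings; an empty list means the MBR passed every check."""
    findings = []
    parts = parse_mbr(mbr)
    if hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() != baseline_bootcode_sha256:
        findings.append("boot code differs from known-good baseline")
    used = [p for p in parts if p.type_id != 0]
    for p in used:
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {p.index}: invalid status byte 0x{p.status:02x}")
        if p.start_lba == 0 or p.sectors == 0:
            findings.append(f"partition {p.index}: zero start or length")
        elif p.end_lba > disk_sectors:
            findings.append(f"partition {p.index}: extends beyond end of disk")
    for a, b in combinations(used, 2):
        if a.start_lba < b.end_lba and b.start_lba < a.end_lba:
            findings.append(f"partitions {a.index} and {b.index} overlap")
    return findings


def build_mbr(bootcode: bytes, entries) -> bytes:
    """Assemble a constructed MBR from boot code and (status, type, start_lba, sectors) tuples."""
    table = b""
    for status, ptype, start, size in entries:
        # CHS fields (bytes 1..3 and 5..7) are left zero; modern loaders use the LBA fields.
        table += bytes([status, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start, size)
    table = table.ljust(64, b"\x00")
    return bootcode.ljust(BOOT_CODE_LEN, b"\x00") + table + MBR_SIGNATURE


# Constructed sample data (not captured from any real system).
DISK_SECTORS = 409_600
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20   # stand-in bytes, not a real loader
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, [(0x80, 0x07, 2048, 204_800)])
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Tampered copy: first boot-code byte altered, plus a hidden-type entry pointing past the disk end.
TAMPERED_MBR = build_mbr(b"\xe9" + CLEAN_BOOTCODE[1:],
                         [(0x80, 0x07, 2048, 204_800), (0x00, 0x17, 300_000, 200_000)])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, DISK_SECTORS, BASELINE) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, DISK_SECTORS, BASELINE))
```

The boot-code hash comparison is the part that needs a trustworthy baseline; the structural checks (signature, status bytes, extents, overlaps) need none, which is why a scanner can apply them to any disk without prior knowledge of the installed loader.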


#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 12 November 2012 - 03:54 PM

Just a bit more about the tool which is being used on the MBAM Malware Removal area of their forum - With warnings for backup first and only specific use.

It's potentially a dangerous tool as it deals with the mechanism that controls booting of the computer. It was felt that it should only be provided to Trusted and Expert advisers until the tool was a bit more stable.
It is now a public beta tool. It doesn't mean it still can't cause an issue but we feel it's been through enough testing that it is highly unlikely to cause a booting issue for most users

Still sounds like one for the Experts only and care in its use - Not a play toy - Always use ERUNT or similar at this time for backing up -

#3 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 14 November 2012 - 12:42 PM

A heads up that we added a tutorial on how to use this tool here:

http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit

#4 Smart91

Smart91

  • Members
  • 2 posts

Posted 16 November 2012 - 04:33 PM

Hi Folks,

I have a question:

Does MBAR delete a patched system driver, or replace it with a legitimate driver?

Thanks in advance for your responses

Smart

Edited by Smart91, 16 November 2012 - 07:04 PM.


#5 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 16 November 2012 - 10:00 PM

Replaces with legitimate.

#6 Smart91

Smart91

  • Members
  • 2 posts

Posted 17 November 2012 - 02:31 PM

Thanks a lot

Smart

#7 polskamachina

polskamachina

  • Malware Response Team
  • 3,913 posts
  • Gender:Male

Posted 15 January 2013 - 02:22 AM

I ran it on my eight year old laptop running XP SP3. I got a BSOD with the message BAD_POOL_CALLER STOP 0X000000C2 (0X00000007, 00000CD4, 0X02CF0000, 0X853AD008). It didn't work in safe mode either.

I posted the error to MBAR support. I was told to run DDS and post the logs. Instead I downloaded a program called BlueScreenView. It gave me a detailed explanation of the BSOD. Specifically, it said my SCSI driver was causing the problem. So I uninstalled it and installed the default ALi driver. That fixed the problem. By the way, my scan came back clean. I then had to reinstall the SCSI driver because the performance of the ALi driver was horrible. It took 10 minutes to boot my machine. Anyway, when I wrote back to MBAR's tech department and said I hoped they fixed this bug in their next version, this is what I was told:

As to MBAR, it will be in perpetual beta form for the foreseeable future due to the nature of these types of threats, and countermeasures that the authors take to try and circumvent it. However, I'll pass the data along and see what the MBAR team has to say


Regards,
polskamachina

#8 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 15 January 2013 - 04:07 AM

As to MBAR, it will be in perpetual beta form for the foreseeable future .........

Hello polskamachina -
If you were just experimenting with this tool, there are plenty of warnings listed with this tool and also posted in this topic above.

Did you first read the details prior to using the tool? This is fairly obvious if you do read it ...... or the items posted above by myself and Grinler
This is the reason that I posted my response below the first post from Grinler and I also added a line below with Bolded Warnings included.

Still sounds like one for the Experts only and care in its use - Not a play toy - Always use ERUNT or similar at this time for backing up -

The first request for DDS, as you must know by now, is to diagnose these types of problems, and to help you and others to fix these problems.
If a person that you were helping started doing their own scans and repairs, I think you would not be too happy ........

NOTE: The people at MBAM / MBAR support are also Experts in diagnostics, like the ones in the Malware Removal forum -

Thank You -

EXTRA: This post is not intended in any way to personally offend you, but to stress the warnings listed with this tool, and those listed above -

#9 polskamachina

polskamachina

  • Malware Response Team
  • 3,913 posts
  • Gender:Male

Posted 15 January 2013 - 06:01 PM

The point of my message was to inform anyone else that had the same problem how they might find a solution.

I did read the warnings. I also read this:

Malwarebytes Anti-Rootkit is currently in Beta and could contain bugs or not operate as expected. Therefore you should only use this program if you are comfortable with using this type of software.

I felt very comfortable just running a scan. When the scan came back negative, I didn't have to worry about it altering anything. If it had found something, then I would have had to use some judgment about what to do next. In the event of some catastrophic failure, I have my system backed up.

I didn't take offense to your comments. Everyone is entitled to their opinion and I would hope the people that I talk to feel free to comment about my ideas. That's how I learn. :)

Regards,
polskamachina

#10 noknojon

noknojon

  • Banned
  • 10,871 posts
  • Gender:Not Telling

Posted 18 January 2013 - 05:08 AM

Hello,
This is the current update on MBAR from their site -
Malwarebytes Anti-Rootkit is still very much a beta tool and not ready for release. Once our initial testing is completed and the technology is proven stable, we'll consider other options, such as the possibility of incorporating it into Malwarebytes Anti-Malware.

The January 9th version of MBAR won't expire until February 25th, 2013 when it will be reviewed -