patty.d00
Level 9

Alureon rootkit


Microsoft has determined that the issue with the MS10-015 patch was in the Alureon rootkit.  Is this being, or has this been resolved via McAfee via DAT update?  If so, which one is it?  Just want to make sure we are covered before this patch is re-released.  Any other thoughts on this welcome.  (not sure if this is the right section of this forum)  Thanks!!


Accepted Solutions
McAfee Employee

Re: Alureon rootkit


Hey Patty!

   Ok, I spoke with someone in the McAfee lab, and they've explained to me that our current DAT files have multiple Alureon variant detections. If you're up to date, you should be fine. If a new variant comes out, there's something called a "Zero Day" window. This is the amount of time between when the new variant hits the internet and all security vendors create a fix for it. Inside the Zero Day, all of us rely on what is called Heuristic detection (i.e. detecting suspicious behavior). McAfee uses Artemis technology to shorten this window and get samples of new threats as quickly as possible, so we can turn around a DAT detection.

   Additionally, if you had an infected machine, we could get a sample of that threat, identify the new variant, and send you a DAT to clean it up.

   Can I answer any other questions for you Patty?

Thanks!

Somer L. Pyron
Knowledge Analyst
ServicePortal: support.mcafee.com
Web: www.mcafee.com
McAfee Employee

Re: Alureon rootkit


Hi Patty,

   I'm looking into this for you to provide you with the most detail possible. I can currently tell you though, that there are multiple variants of the Alureon virus, and detections are included in our current DATs. We advise you to ensure your DATs are up to date and make sure you keep your operating system updated as well. I'll continue researching for specifics on this particular variant and see what I can find for you.

Oh, and just a heads up Patty, I moved this thread into the Security Awareness Home User community.

Message was edited by: Somer Pyron on 2/18/10 2:30:47 PM CST
Somer L. Pyron
CurtLM
Level 7

Re: Alureon rootkit


Hi Somer,

I've been reading the latest on the Alureon rootkit and potential fixes every day for the past two weeks.  I've seen the MS articles where it talks about a 'likely' MS fix coming March 9 that will seek out and eliminate this virus.  I've seen where the only known current fix is a "complete OS re-install on a clean formatted disk" with threats of "unless you're a brain surgeon, you better not try this at home".  As a relative novice, I'm hesitant to try this and think perhaps I should wait for the next MS move, hopefully March 9.  I was unclear after reading some of these posts if McAfee had addressed this currently.  Do I have hopes of doing a reboot from my OS CD, running some McAfee scans and this is taken care of?  I'm using another PC at the moment obviously, so I'm not in dire need yet of a fix to my home computer, but certainly would like to get it fixed soon.  What do you recommend for a course of action (that a novice like me can understand, please)?

-Curt

Maeks
Level 7

Re: Alureon rootkit


So I've had my computer basically shut off this entire week after reading about this problem, for fear that I'll get the dreaded BSoD (because I can't do the work around, lack of install disc), but McAfee has this covered?

I've been sitting back and watching how it unfolds and getting more information, so now that MS has determined the problem, McAfee should have all the vaccines (or whatever they're called for computer viruses), and running a system scan should tell me whether or not I can finally restart my computer and be done with this mess? (I have the updates installed, but after reading all the BSoD stuff on the internet, I've refrained from restarting my computer)

Sorry, I know that you basically answered the question already, but I'm just looking for a clear "Yes", haha.

McAfee Employee

Re: Alureon rootkit


Let me go into a little more technical detail.

   The way the original threat worked, it exploited a vulnerability in the OS. Once the OS was patched, it actually prevented the threat from loading certain infected boot files. This caused the system to BSoD. If you are up to date, you should be safe from the original threat (and many of its variants).

   It gets a little dicey when you're dealing with a "polymorphic" threat though. Sometimes, malware and viruses are designed to morph. Once the original threat is on the system it can actually change itself creating a new variant, possibly one that nobody else has had or seen before. Heuristic detections (like Artemis) can still sometimes catch that threat by its behavior, but at the end of the day if you're looking at a new variant that nobody has seen, there is no way to know until we see it.

  That said, there are things you can do. You could submit your boot files to our Lab and we could take a look at them. You could update everything and run an On Demand Scan (just right-click and scan). You could have a disc handy to boot from, and replace your boot sector files if something goes wrong.

   So the answer is yes, you're protected from the original threat and the known variants, but possibly not an unknown variant. The window of infection (zero-day, as we call it) in your case would be, in my opinion:

If you were infected with the original threat before we had detection and if that threat morphed into a new variant which is unknown to us. Otherwise, the patch combined with updated virus definitions provides protection from this threat.

Does that help? I'm happy to answer any additional questions. Please just let me know.

Somer L. Pyron
Danos
Level 7

Re: Alureon rootkit


Hi Somer

Thanks for the information on this issue so far.

Do you know if McAfee can or has provided an Alureon rootkit detection tool, or if there is one generally available? This would help us to determine if we will experience issues with the MS10-015 patchset prior to deployment.

Best Regards

Dan

McAfee Employee

Re: Alureon rootkit


There isn't an Alureon Stinger, and to the best of my knowledge there aren't plans to make one. Alureon detection has already been included in the normal daily DAT file, with variants being added daily as they're discovered. I've gone ahead and sent a request for more information to the Lab though, just to be 100%.

I would advise you update the DATs and scan before anything else. How many machines are we talking about?

Somer L. Pyron
Danos
Level 7

Re: Alureon rootkit


Hi Somer

Thanks for the quick response. We have approx. 4000 servers, so not a small undertaking! We're aware of the importance of the DAT currency - just wondered if we could avoid any issues on those machines whereby we're not able to force the latest signature updates.

Dan

McAfee Employee

Re: Alureon rootkit


Are you managing with ePO? You can push down rules to block writes to certain folders/certain files. I'm unsure off the top of my head which files/folders could be set up this way though.

Somer L. Pyron