11 Replies Latest reply on Feb 25, 2010 7:38 PM by CurtLM

    Alureon rootkit

    patty.d00

      Microsoft has determined that the issue with the MS10-015 patch was in the Alureon rootkit. Is this being, or has this been, resolved by McAfee via a DAT update? If so, which one is it? Just want to make sure we are covered before this patch is re-released. Any other thoughts on this welcome. (Not sure if this is the right section of this forum.) Thanks!!

        • 1. Re: Alureon rootkit
          SPyron

          Hi Patty,


             I'm looking into this for you to provide you with the most detail possible. I can tell you now, though, that there are multiple variants of the Alureon virus, and detections are included in our current DATs. We advise you to ensure your DATs are up to date, and make sure you keep your operating system updated as well. I'll continue researching for specifics on this particular variant and see what I can find for you.


          Oh, and just a heads up Patty, I moved this thread into the Security Awareness Home User community.


          Message was edited by: Somer Pyron on 2/18/10 2:30:47 PM CST
          • 2. Re: Alureon rootkit
            SPyron

            Hey Patty!


               OK, I spoke with someone in the McAfee lab, and they've explained to me that our current DAT files have multiple Alureon variant detections. If you're up to date, you should be fine. If a new variant comes out, there's something called a "Zero Day" window. This is the amount of time between when the new variant hits the internet and when all security vendors create a fix for it. Inside the Zero Day window, all of us rely on what is called heuristic detection (i.e. detecting suspicious behavior). McAfee uses Artemis technology to shorten this window and get samples of new threats as quickly as possible, so we can turn around a DAT detection.


               Additionally, if you had an infected machine, we could get a sample of that threat, identify the new variant, and send you a DAT to clean it up.


               Can I answer any other questions for you Patty?


            Thanks!

            • 3. Re: Alureon rootkit

              So I've had my computer basically shut off this entire week after reading about this problem, for fear that I'll get the dreaded BSoD (because I can't do the workaround, for lack of an install disc), but McAfee has this covered?


              I've been sitting back and watching how it unfolds and getting more information, so now that MS has determined the problem, McAfee should have all the vaccines (or whatever they're called for computer viruses), and running a system scan should tell me whether or not I can finally restart my computer and be done with this mess? (I have the updates installed, but after reading all the BSoD stuff on the internet, I've refrained from restarting my computer)


              Sorry, I know that you basically answered the question already, but I'm just looking for a clear "Yes", haha.

              • 4. Re: Alureon rootkit
                SPyron

                Let me go into a little more technical detail.


                   The way the original threat worked, it exploited a vulnerability in the OS. Once the OS was patched, it actually prevented the threat from loading certain infected boot files. This caused the system to BSoD. If you are up to date, you should be safe from the original threat (and many of its variants).


                   It gets a little dicey when you're dealing with a "polymorphic" threat though. Sometimes, malware and viruses are designed to morph. Once the original threat is on the system it can actually change itself creating a new variant, possibly one that nobody else has had or seen before. Heuristic detections (like Artemis) can still sometimes catch that threat by its behavior, but at the end of the day if you're looking at a new variant that nobody has seen, there is no way to know until we see it.


                  That said, there are things you can do. You could submit your boot files to our Lab and we could take a look at them. You could update everything and run an On Demand Scan (just right-click and scan). You could have a disc handy to boot from, and replace your boot sector files if something goes wrong.


                   So the answer is yes, you're protected from the original threat and the known variants, but possibly not an unknown variant. The window of infection (zero-day, as we call it) in your case would be, in my opinion:


                If you were infected with the original threat before we had detection, and if that threat morphed into a new variant which is unknown to us. Otherwise, the patch combined with updated virus definitions protects you from this threat.


                Does that help? I'm happy to answer any additional questions. Please just let me know.

                • 5. Re: Alureon rootkit

                  Hi Somer


                  Thanks for the information on this issue so far.


                  Do you know if McAfee can provide, or has provided, an Alureon rootkit detection tool, or if there is one generally available? This would help us to determine if we will experience issues with the MS10-015 patchset prior to deployment.


                  Best Regards


                  Dan

                  • 6. Re: Alureon rootkit
                    SPyron

                    There isn't an Alureon Stinger, and to the best of my knowledge there aren't plans to make one. Alureon detection has already been included in the normal daily DAT file, with variants being added daily as they're discovered. I've gone ahead and sent a request for more information to the Lab though, just to be 100%.


                    I would advise you to update the DATs and scan before anything else. How many machines are we talking about?
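
The question in replies 5 and 6 is how to tell, before MS10-015 goes out to a fleet, whether a server is carrying a patched boot driver of the kind the thread describes. The thread itself only says "infected boot files" and names no specific driver, so the script below, which is an added example and not code from this thread or from McAfee, checks every boot-start driver rather than any one file. It inventories each server's boot-start drivers (registry Start = 0) with file version, SHA-256 and Authenticode status, and a second function compares the collected rows across servers so a driver whose hash differs from the majority for the same file version stands out. Assumptions: it runs as an administrator on the server, a driver with no ImagePath value lives in %SystemRoot%\System32\drivers\<ServiceName>.sys (the Windows default), and the CSV file names and column names are this example's own.

```powershell
# Added example (not from the thread or from McAfee). Run on each server,
# gather the CSV rows centrally, then run Compare-DriverHashes on the merged file.
# Assumption: a driver with no ImagePath lives in %SystemRoot%\System32\drivers\<name>.sys.

function Get-BootStartDriverInventory {
    $sysRoot = $env:SystemRoot
    $sha256  = [System.Security.Cryptography.SHA256]::Create()

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty -Path $_.PSPath
        # Start = 0 is SERVICE_BOOT_START: loaded by the boot loader before the
        # kernel proper, which is where a driver-patching rootkit sits.
        if ($svc.Start -ne 0) { return }

        $path = $svc.ImagePath
        if (-not $path) { $path = "System32\drivers\$($_.PSChildName).sys" }
        # Normalise the forms found in the registry:
        #   \SystemRoot\System32\drivers\x.sys, system32\drivers\x.sys,
        #   \??\C:\Windows\System32\drivers\x.sys
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', ($sysRoot + '\')
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $sysRoot $path }

        $row = New-Object PSObject -Property @{
            Host      = $env:COMPUTERNAME
            Driver    = $_.PSChildName
            Path      = $path
            Version   = ''
            Sha256    = ''
            Signature = 'FileMissing'
        }
        if (Test-Path -LiteralPath $path) {
            $bytes        = [System.IO.File]::ReadAllBytes($path)
            $row.Sha256   = [BitConverter]::ToString($sha256.ComputeHash($bytes)) -replace '-', ''
            $row.Version  = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            # Authenticode status of the file itself. Inbox drivers are usually
            # catalog-signed, so 'NotSigned' alone is not a finding on older
            # Windows; 'HashMismatch' (signed, then modified) is.
            $row.Signature = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        $row
    }
}

# Fleet comparison: for each (Driver, Version) the majority hash is taken as the
# good baseline and every host whose copy differs is reported. A rootkit that
# patched one driver on a handful of servers shows up as exactly that outlier.
function Compare-DriverHashes {
    param([string]$CsvPath)
    Import-Csv -Path $CsvPath |
        Where-Object { $_.Sha256 } |
        Group-Object Driver, Version | ForEach-Object {
            $byHash   = @($_.Group | Group-Object Sha256 | Sort-Object Count -Descending)
            $baseline = $byHash[0].Name
            $_.Group | Where-Object { $_.Sha256 -ne $baseline } | ForEach-Object {
                New-Object PSObject -Property @{
                    Host = $_.Host; Driver = $_.Driver; Version = $_.Version
                    Sha256 = $_.Sha256; Baseline = $baseline; Signature = $_.Signature
                }
            }
        }
}

# Per-server collection (one CSV per server, merged centrally):
#   Get-BootStartDriverInventory | Export-Csv -NoTypeInformation "$env:COMPUTERNAME.csv"
# Central check before pushing the patch:
#   Compare-DriverHashes -CsvPath .\all-servers.csv | Format-Table -AutoSize
```

The per-server part is written against PowerShell 2.0 features so it can run on the 2010-era servers the thread is about, and it avoids Get-FileHash for that reason. The hash comparison is what makes this usable at 4000 servers: a single server's signature status can be ambiguous (catalog-signed inbox drivers report NotSigned on older Windows), but a driver whose bytes differ from every other server running the same file version needs a look, and that is the server to hold back from the patch push and send to the Lab as reply 4 suggests.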

                    • 7. Re: Alureon rootkit

                      Hi Somer


                      Thanks for the quick response. We have approx. 4000 servers, so not a small undertaking! We're aware of the importance of the DAT currency - just wondered if we could avoid any issues on those machines whereby we're not able to force the latest signature updates.


                      Dan

                      • 8. Re: Alureon rootkit
                        SPyron

                        Are you managing with EPO? You can push down rules to block writes to certain folders/certain files. I'm unsure off the top of my head which files/folders could be setup this way though.

                        • 9. Re: Alureon rootkit

                          We do use EPO - there are only a small % of servers where we can't force a DAT update, so the interest was primarily concerning the Stinger, to avoid any unplanned downtime when we apply 015....


                          Appreciate the info - we'll continue to work on the issue.


                          Many thanks for your help.
