3 Replies Latest reply on Jul 29, 2010 10:28 AM by sgrimmel

    Rootkit detective AND enterprise 8.7i ?

      I am not sure how, but our network has apparently contracted a version of Rustock and as a result our corporate e-mail has made one blacklist. From the reading I have done, Rustock IS a rootkit, and in looking for solutions I found McAfee Rootkit Detective in the tools and utilities. However, it is listed as copyrighted 2005-2007. So my question is, will this be redundant when checking a machine, all XP Service Pack 3 with Enterprise 8.7i installed and up-to-date? We are having problems tracking down the offending machine(s) and may have to scan all manually if we cannot pin it down.

        • 1. Re: Rootkit detective AND enterprise 8.7i ?

          Not sure if it will still work or not. Techniques have changed in the last few years.

          VSE 8.7i should have pretty much all of the same functionality when an On-Demand Scan is run, including the rootkit detection functionality.

          There are other tools available as well, although I can't name any.

          • 2. Re: Rootkit detective AND enterprise 8.7i ?
            rmetzger

            valkii wrote:

            I am not sure how, but our network has apparently contracted a version of Rustock and as a result our corporate e-mail has made one blacklist. From the reading I have done, Rustock IS a rootkit, and in looking for solutions I found McAfee Rootkit Detective in the tools and utilities. However, it is listed as copyrighted 2005-2007. So my question is, will this be redundant when checking a machine, all XP Service Pack 3 with Enterprise 8.7i installed and up-to-date? We are having problems tracking down the offending machine(s) and may have to scan all manually if we cannot pin it down.

            Check Stinger ( http://vil.nai.com/vil/stinger/default.aspx ). It states it can handle Rustock and Rustock.gen.b.

            Additionally, check Spam-Mailbot.c ( http://vil.nai.com/vil/content/v_140181.htm ). Note the manual removal instructions at the end of the document.

            VSE v8.7i SP3 with the 5400 engine and up-to-date DATs should be able to handle this successfully. But if the infection dates back to before VSE was installed, or to a time when VSE was not active, I suppose it could hide itself. Rustock uses Alternate Data Streams to hide itself, often using services.exe (and possibly other files as well).

            Rustock is sometimes called Cutwail, so that may help in looking up removal methods. Also, it may be related to TDSS infections.

            It may be helpful to run the free scan of Malwarebytes Anti-Malware ( http://www.malwarebytes.org ) if it is one of these variants.

            Good luck and let us know how you are doing.

            Ron Metzger

            Message was edited by: rmetzger on 7/29/10 11:18:14 AM EDT

            Message was edited by: rmetzger (Invalid URL to Stinger) on 7/29/10 12:02:36 PM EDT
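An added defender-side check, not part of this thread or of any McAfee tool: since Rustock is described above as hiding in alternate data streams of files such as services.exe, this PowerShell script lists every non-default NTFS stream under a directory so that an unexpected stream name or size stands out. It assumes PowerShell 3.0 or later for `Get-Item -Stream`, which is newer than the XP Service Pack 3 systems discussed, and it treats only the default `:$DATA` stream and the browser-written `Zone.Identifier` stream as expected.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams
# under a directory and report any stream that is not normally present.
# Assumes PowerShell 3.0+ (Get-ChildItem -File, Get-Item -Stream).
param(
    # Directory to inspect; System32 is where services.exe lives.
    [string]$Path = "$env:SystemRoot\System32"
)

# Streams that are normal on a Windows box. ':$DATA' is the file's own content;
# 'Zone.Identifier' is written by browsers/Outlook to mark downloaded files.
# Anything else attached to a system binary deserves a closer look.
$knownStreams = @(':$DATA', 'Zone.Identifier')

Get-ChildItem -LiteralPath $Path -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * returns one record per stream, including the default one.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $knownStreams -notcontains $_.Stream } |
    ForEach-Object {
        # FileName, Stream and Length come from the stream record itself.
        [pscustomobject]@{
            File   = $_.FileName
            Stream = $_.Stream
            Bytes  = $_.Length
        }
    } |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt, since many System32 files are not readable otherwise; an empty table means no unexpected named streams were found in that directory, which does not by itself rule out other hiding places.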