Malware

Botnets: They do have the option to self-destruct

Self-destruct code is often written into bot malware. Up until recently that wasn't considered an issue. So, what changed and what does it mean to us?

I first learned about the use of self-destruct code in 2007 when I read an ITU report, Zombie Botnet Mitigation Project: Background and Approach. The report mentioned how certain bot malcode was programmed to destroy all resident data files if there was an attempt to remove the malware. Man, that's harsh.

All-purpose kill switch

Wanting to know more, I began researching the how and why of kill switch software. One thing became very apparent. Self-destruct mechanisms can be used for more than just expunging data. In fact, botmasters have almost god-like authority over compromised computers. It appears that the worst case scenario would be when an instruction from the bot's command and control server activates a process that completely destroys the operating system. Losing data doesn't seem so bad all of a sudden.

When are kill switches used

Whether a kill switch is used or not appears to be up to the whim of the botcode developer. I did find one exception, though. It seems that a self-destruct mechanism is always part of malware targeting financial institutions; InfoStealer, ZeuS, and Nethell are three such examples.

ZeuS in particular

The ZeuS bot malware is of special interest, having successfully created at least one botnet containing over 100,000 members. The following slide, courtesy of Prevx, shows the world-wide distribution of the botnet:

As I mentioned earlier, the ZeuS botnet is entirely focused on gaining access to financial information. The security product developer Prevx describes ZeuS as:

"Information stealing software aimed at the ever-growing market for financial information stolen from banks, ecommerce web sites and personal computers."

ZeuS is also unique in that it's for sale. This allows anyone, even those with less than stellar programming skills, to create sophisticated botnets. Prevx explains further:

"The DIY "exe builder" for the Zeus Trojan can be bought online for just $4,000. Each Zeus Trojan build incorporates a kernel level rootkit, which means it can hide from even the most advanced security software."

There seems to be some confusion as to the cost of the ZeuS package. I've seen the price range from as low as $700 to the $4,000 mentioned by Prevx.

Self-destruct option

If you remember, I mentioned that ZeuS is one of those special cases of bot malware that has a self-destruct option built into the software. Reverse engineering the code wasn't even necessary to determine that; the help file supplied with ZeuS was kind enough to explain the self-destruct command (courtesy of abuse.ch):

KOS: incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and/or HKEY_LOCAL_MACHINE. If you have sufficient privileges - fly to "blue screen", in other cases creates the brakes. Following these steps, loading OS will not be possible!

The translation to English may not be perfect, but it's obvious that the self-destruct sequence (Kill Operating System) in ZeuS is not the kind that just destroys data files. In this case it appears that initiating the KOS command results in the botnet's computers going into a "blue screen of death" condition, preventing the operating system from booting.

KOS command issued

I'm afraid to say that all this discussion about the ZeuS malware and its self-destruct option wasn't just a what-if exercise. In early April of 2009, analysts at abuse.ch were shocked to find telltale signs that the KOS command was issued by one of the ZeuS command and control servers, effectively "Blue-screening" over 100,000 computers.

There's precious little information available as to what this means. Still, if the theory holds true, at least 100,000 employees of businesses and financial institutions weren't able to do their jobs.

Experts wonder why

It's very clear that security experts are perplexed as to why this was done. One possible explanation is offered by Jozsef Gegeny of S21sec:

"To disappear and hide all tracks, making further analysis harder?"

Or possibly:

"The point more probably for a phisher is to earn time. Taking the victim away from Internet connection - before the unwanted money transfer is realized and further actions could be taken."

Roman Hüssy, a security expert at abuse.ch who has been instrumental in researching the ZeuS botnet, mentioned his thoughts to Brian Krebs in a Washington Post article:

"Maybe the botnet was hijacked by another crime group. Then again, maybe the individuals in control over that ill-fated botnet simply didn't understand what they were doing." "Many cyber criminals...using the Zeus crimeware kit aren't very skilled."

It's early in the discovery process; hopefully some real insight will eventually surface.

Final thoughts

As I mentioned in the beginning, security experts seemed to downplay the possibility of this happening, pointing out that botmasters work hard to develop their botnets. Why turn around and destroy them? Ironically, that still seems logical. All the same, if the 100,000 users of the victimized computers and the IT personnel that had to recover them were asked, I suspect they'd have a whole different opinion.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

111 comments
JCitizen

I like the switch photo - it really hammers the subject home. I'm very visually oriented, and you always put such pertinent graphs and data with your articles, Michael. This is really great journalism! As usual, I can't say thanks enough times - please excuse my ebullience!

manwe

Is it just about money? Who's really behind all this? Is there perhaps a deeper level of control the purchasers of ZeuS don't know about? Imagine the real puppetmaster sending the KOS command to millions of computers, possibly even inside .mil. Hitting utilities and financial markets would create chaos. Russians and Chinese are working hard to perfect these tools. We have our fannies hanging in the breeze right now, just waiting to be spanked.

Michael Kassner

Just to show you that this is all serious business, check out the EULA for ZeuS: http://it.toolbox.com/blogs/managing-infosec/careful-of-that-malware-eula-24056 I love this part of the EULA, where they will send the altered code signatures to AV companies: "In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies. Source: Symantec "

Jacky Howe

someone can come up with a process to circumvent KOS. I learn something new every time that you post Michael, keep it up as I find it fascinating.

Michael Kassner

Your comments make it all worthwhile. I also appreciate your expertise. I'm really enjoying yours and DeepSand's chat on the GhostNet article.

micky.parker

If the Lusers/Net Admins under a .mil TLD DON'T have any safeguards in place - be it software OR policies against clicking on stuff they know sod-all about, they need firing, immediately. NO "if's", NO "but's"...they simply aren't doing their job.

Gh0stMaker

Destroy a country without firing a shot.. Things that make you go hmmm

Michael Kassner

I doubt that we will ever know. I'm trying to get my arms around the thought: What if Conficker had a KOS mechanism? Millions of computers would BSOD. That would be some impact.

Neon Samurai

From the time organized crime went MBA, such things shouldn't be a surprise at all. It's still an impressive realization to see though.

JCitizen

or business as usual, perhaps I should say!

pgit

Thanks again for interesting, eye opening and valuable information. This EULA is... something; kahoneys, chutzpah, brass... something. Incredible.

pgit

If the black hats can do it, the white hats should be able to as well. By "it" I'm thinking there's one of those "antivirus 2009" malware attacks out there that will not allow the creation of the default install directory or the writing of the default name of the executable to disk of one of the more effective tools to remove the malware with. That would be Malwarebytes' MBAM. However this malware did it, I'd have to change the install directory and/or rename the executable file. Maybe somewhere in that is a method for preventing KOS from being installed or run, in an automated fashion at least?

Michael Kassner

If the botmasters of the Conficker botnet decided to do something like this? That's millions of computers with BSODs. Whew.

#foolish

Time well spent reading your articles; on the flip side, the time spent afterwards contemplating the repercussions of these sorts of things gives me performance anxiety. Now, if you will excuse me, I'm going to don my tinfoil hat and recite my mantra..."It's not out there...It's not out there..." Thanks Michael.

Michael Kassner

That it's coming to that. Stopped at a gas station this weekend and tried to pump some gas. Couldn't, at first I thought the power was out, but the computers were down. Not a good sign.

Michael Kassner

I wasn't really researching anything and I found that Web site. Totally strange to say the least.

Michael Kassner

I'd also like to get another translation if possible. There may be something lost in that regard.

Michael Kassner

The real problem is that there are so many vulnerable computers hanging out on the Internet. No matter what you do, that has to be addressed first. Without vulnerabilities there would be no exploits.

JCitizen

kind-of, sort-of. I should think that would only be necessary if you were already infected. The excellent heuristic real time protection should have prevented most attacks in the first place. Comodo could prevent the file modifications most bugs use also, unless you rely on the UAC like I do. I can't see how it wouldn't be a good idea to do something like that just to place one more obfuscation against the malware.

Jacky Howe

now that is being polite. The fact that you can buy into the action is freaky on its own. I'm with Santee on this one. ;)

santeewelding

There is not enough room under my bed for both of us. Get out there and do battle. I have binoculars. I'll watch.

Michael Kassner

I'm bald. Those tin hats keep rubbing all my hair off.

Michael Kassner

That's why I find it ironic that ZeuS is being exploited by bad guys themselves.

DHCDBD

When code is written securely, there will still be logic errors that are difficult to eliminate. When the code is secure, logic errors will be exploited. Currently in any complex piece of code I do not believe it is possible to completely avoid errors.

JCitizen

someday ... You've never had a malware write to it? I assume you are using RW disks? (for economy) To answer Michael's question - My clients really like MBAM on 32 bit - I like it on 64bit! But none of us has tested the real-time protection yet. I read that it is an excellent companion to NOD32 and Avast; and doesn't conflict with either of them. From what I read it was designed as a ground up companion utility; only downloading the latest threats that have a large footprint in the wild - if I understand correctly they actually remove signatures from the hit list if the malware becomes unpopular with the latest crime crackers. Any time I've contracted professional help that I assumed knew better than me, they have downloaded it and scanned with it first. So far I've never found a professional that can find the malware, if I can't. Not bragging, just the bad luck on my part. I've still a lot to learn. I haven't moved, Michael; just got tired of trying to deflect honest questions about how things are going in "Antarctica" ;)

Neon Samurai

I use the liveCD as a backup to your installed scanner. It also makes for a nice spotcheck as I'm able to work through the office on users' days off. Provided its only complaints are the admin utils that trigger signature hits, I move on to the next one.

Michael Kassner

To learn if you run MBAM on your 32 bit systems? If you do, have you seen any different results? Say, when did you move?

JCitizen

seriously - when you have utilities like Spyware Blaster and Spybot Search & Destroy, life used to get boring. They could both keep the malware off the computer in the first place. So scanning didn't do anything because the host file, registry hacks, and immunizer kept it all at bay (for AS threats). Now I feel SS&D is obsolete, but when you can get other AV/AS real time protection to work without conflicts it can still get pretty boring around the LAN. I really need to test NOD32 with Adwatch and/or MBAM to see if Windows detects any conflicts in the event monitor. You can't see any obvious during operation; Comodo's Defense+ seems to work seamlessly with all the others too. My sister forgot to reinstall it after lightning destroyed her hardware firewall, and I'm afraid she got PWNED trying to rely on the Windows firewall on a DSL modem. I should have remembered that. I don't keep notes on my relatives! DRAT!

JCitizen

as it has slammed some things that weren't in its definition file. I've never had a false positive on it. After looking at the logs and Googling the file names much later, they always show up as a threat - defined on someone else's data base somewhere. Trend Micro was the best back in 2006, and I had no false positives back then either, but can't recommend 2007 (or later) - don't have time to try anything new with them. With PC-cillin 2006 - if it was found heuristically, it was usually stuck in a hidden IE temp file on a restricted account and couldn't do anything anyway. I would simply move to that account and remove it using Explorer. So far NOD32 has slammed only known threats, but nothing much gets past it either. It almost seems like ESET's product relies solely on behavior. I rarely use the scanner. AdAware scans so quickly I rely on it as a scanner to get rid of deactivated malware stuck in restricted accounts. I may do a manual scan with NOD32 quarterly, but I never find anything that way. It always slams the malware as soon as it makes a move, either upon entry through the firewall, or when it tries to open an application it is using as a vulnerability vector. Surprisingly Norton has been making quick moves on my x64 system, but not heuristically, I don't believe. The attack is always a predefined vector. I am surprised at the speed it has when it works, it usually catches it as soon as it comes thru the firewall, USB flash, or DVD/CD ROM. What little gets through is usually sucked up by an AdAware scan. I quit trying to use their conflicting AdWatch guard. Maybe Malwarebytes will come up with a compatible real time protection as soon as they code it for 64 bit.

Michael Kassner

Get loaded when the program is installed or is it part of the install exe? That sounds like a real issue, uninstalling is scary enough.

pgit

Good point on the installers. I've noticed a lot of stuff recently coming with its own uninstaller. Everybody is loading up on google apps that have their own for eg. It can be a royal pain if the people don't manage their files well... and who does? Just last week had to restore a machine to its first restore point after someone removed an app that didn't uninstall completely. After it went as far as it was going to it appeared the windows installer 'took over,' further attempts were handled by windows but failed, obviously. It complained about not finding the program files to uninstall. Nightmare.

JCitizen

as far as sticking to that as a factor has worked out well for me. Avast and NOD32 have no conflicts with the following utilities: Comodo's Defense+, Adaware's AdWatch (with process and registry protection turned on), SpywareBlaster - which uses registry hacks anyway, and it and Adaware both use hostfiles. I suspect AdAware uses hostfiles anyway because I can turn off the real time protections and get adblocking results without it. That is - unless NIS 2009 has brought back adblocking (which I doubt), because they have failed miserably since 2004 in that area. For a while both Norton and AdAware became victims of powerful advertising lobbyists and decided to weaken their bad server blocking to accommodate these scumbags. AdBlock Plus (FireFox) and Spyware Blaster have never compromised on this, that I am aware of, however. I consider this serious real-time protection, because many of these bad servers are being infected with some of the worst vectors in the malware battlefield. I've never seen any conflict events in logfiles or event monitors for these various real-time protection schemes. On Windows Vista Home Premium x64, NIS 2009 shows conflict in the event logs with AdWatch's real time protection, but not the registry guard. I only turn on real time protection on that PC when I'm testing cause and effect with spyware. Even with the conflict sometimes things work better with it on regardless; however I keep it turned off and simply run CCleaner to get rid of nasty temp files. Which isn't that often. I might as well throw SnoopFree in there as well, because it totally blocks all keyboard and video hooks that can reveal information to the criminal with video and keyboard hooks. This is a powerful combination, that I've never seen defeated by any malware yet. I suspect it is because Snoopfree runs independently as a root kit. It is uninstallable however, if you use the new version (1.0.7 I believe).

JCitizen

I suspect habitual data flip on the CPU core errors on individual PCs may be a factor. When I was a CNC tech, I occasionally saw this, in real time, testing both IC and large scale circuits. It seems there could be no doubt hardware causes variation in PCs, especially when the vendor is slow to issue patches to drivers. In my experience the variation seems more the fact that users have various habits when using and maintaining their PCs. Bad practices or mistakes can lead to improperly installed updates or patches. Conflicting applications or (more frequently) utilities. I usually end up reinstalling the operating system and instructing them to use better practice, like always checking for the install file for the particular application they are using. It seems we are back to the bad ol' DOS days when it comes to the Windows installer again. It rarely works correctly for uninstalling, if the app has its own installer/uninstaller. I must say, so far I have only one client who has had trouble with Comodo, but he mistakenly overlaid a trial over an old installation, and the Comodo installer didn't recognize this. It really hosed his networking. I tried all the usual fixes, and ended up reinstalling the OS.

pgit

When I get some time I'll either drag out my notes from the A+ class or write up a bit of a description, it's quite visual, I have one drawn up on a white board atm, I'll take a pic and stick it on flickr. Basically I write out one byte, right to left starting with a bit that represents 0 or 1. (off or on) The next bit over is written as a 2, the next 4 etc up to 128. Then below each one you write a one or a zero to represent on/off, and then below that the number above the switch (whatever bit) then add them up, to show how any number is represented. For instance 0-0-0-0-0-0-1-0 = 2, thus the great T shirt that reads "there are exactly 10 types of people in the world: those who understand binary, and those who do not." Then I show the byte represents a max number of 255, which is 256 unique combinations counting all off = 0. The adding one more bit basically doubles the total of all the bits to the right, so I jump ahead to that 32 bit point, and tell them trust me, we're talking about that 4.3 billion here. Then it's clock ticks, an incredible number there, multiplying the unique possibilities over time, eg one second, which is the basis of the "GHz" numbers everyone is familiar with. All this has taken 2 minutes to this point. I used to have the number that results from a 64 bit bus, but I don't have a calculator handy that puts it in a common notation. (I'll have to add it up in round nos or find those notes!) There's other references that mention/illustrate the "fuzzy math" nature of driving a processor to do things... if I can find those, too...

pgit

It is mostly home end users getting the bad scripts. The business clients I service are (almost) all quite knowledgeable and adhere to best practices. They also have extensive firewalling, restrictive routing etc. The home users that care enough to have a dedicated hardware firewall usually never show up with a gunked up machine either. The 'one a week' variety either plug directly into a cable or DSL modem or have an off the shelf router. They usually have a router solely in order to be able to access the internet with more than one computer. I far prefer commercial clients but there's a catch 22, the systems I set up for those types just click along without a hitch. It seems lately most of the calls I get are hardware related. (though I have a very odd printer problem atm that's related to proprietary software)

DHCDBD

that I am currently aware of is that the three I have run across were all RedBox rentals. However, Redbox denies adding anything and were helpful enough that I believe them. They were more than likely from the same producer, but without looking I can not honestly answer. There are also numerous blogs at Slysoft about the "New" encryption and its being based on a rootkit. I sent the data I had to Ray Beckerman who sent it to someone else who deals with the MPAA rather than the RIAA and there has been nothing but a dearth of silence in this area.

Michael Kassner

Are those consumer systems mainly? Are they behind a router or connected directly to the perimeter gateway? I find that those two factors play a huge role.

Michael Kassner

I appreciate your comments Pgit. I'd like the information if you don't mind.

pgit

I've got a laptop on the bench atm with a bogus pop-up message about the system codecs being corrupt. It brings up a web site offering to fix the problem for a mere $79.95. What a bargain! The irony is sound works. MBAM didn't clean this one BTW, not fully. Nor did advanced system care, though that shut down the web site pop up, but the windows error reporting is still gunked. I see on average one a week of this kind of thing, all of them are entirely the fault of the end user. This one is a doctor's computer, she's one of the safest/smartest computer users I know. But her mother on the other hand... The doctor uses firefox with noscript, and has cookies set to "ask every time." Her mother thought she'd circumvent the "harassment" and used IE8, and promptly found herself a nasty script. Now here's an opener for ya: the doc asked me to just flat out uninstall internet explorer... uh, can you say "EU anti trust suit?" EDIT: just saw a bunch of stuff found by AVG Free 8.5. "trojan horse generic 13.AWXJ" The machine had Norton running at the time of the incident, go figure. Mom must be more clever than we suspect... =D

pgit

People don't realize computers are not the precision-perfect machines as they think. There's a lot of "fuzzy math" going on in there. I have very good luck convincing people that the ten XP machines in the office are really all quite different from one another, and that over time an operating system has a tendency to corrupt, deteriorate and generally muck itself up in unpredictable ways. I have a little lesson I scribble out, on a white board if one is available, where I show the binary numbering system. I make it interesting, believe it or not nobody has declined the explanation and all have had a lot of lights go off as a result. What I show them is how many possible unique switch positions are available per every click of the system clock. I go up to 32 bits, which is around 4.3 billion possible unique combinations. Then we factor the CPU clock speed, everybody knows what that means, but now they have a sense of what's really going on, 4.3 billion times 2 million ticks per second, that's a hell of a lot of switching going on. Now what happens if we add a 33rd bit... 8.6 billion possible combinations per clock tick... and there's 31 more "doublings" to go in today's 64 bit machines, and that's single core!! Right there everyone can see it's a matter of time and things screw up. It's also a miracle these things work at all, really. I have more fun with that kind of stuff than anything else. I have taught a few subjects over the years, I was a flight instructor, taught A+ for a time, tutored on some basics (like Linux)... Another point is the windows installer, and the API. The "let windows do its thing with the different hardware and all applications only have to know this" factor is responsible for some of the differences in those 10 XP machines. You have a couple HP P-4 desktops, a few Dell laptops with celerons, centrinos, core duos etc, windows itself is quite different on all of them. In a way you have to consider the API a bit of a miracle of its own. But without proof (closed source) I have to just assume there may be some differences in systems introduced in there as well. How consistently is an API presented across the diversity of platforms out there? In Linux you sure as heck know! (no API per se, but...)

Michael Kassner

With all those apps, do you catch much? I pretty much run firewalls, AV and scanners like MBAM. I'm not seeing that much from most of my clients.

Michael Kassner

A single source that is supplying DVDs? I've not heard anything about this.

Michael Kassner

This stuff is interesting. Why does the same code work on one computer and not on a different one?

JCitizen

and my PC became unstable - so I uninstalled it immediately. (Online Armor) Comodo is only slightly pesky when installing something, in my experience. I always update it for both white list file definitions and program version updates. Usually the performance is improved after each one; but I send any files to Comodo to allow them to analyse files for trustworthiness.

JCitizen

of course, but I don't just use Comodo, it is just one rung in a blended defense. For now I use Adwatch for registry protection, and of course, the UAC keeps privilege escalation in check. On XP machines I usually ran Nod32 in conjunction with spybot S&D's Tea Timer (and Comodo's Defense+). I have quit using it however. I think it is finally time to retire Pat Kolla's tired old utility. It can be a challenge finding utilities that don't conflict with each other's various real time protection mechanisms, or modifying them to work together, but it can be done.

DHCDBD

I pretty much gave the information that I had. I take it as an attempt to protect movies by disabling the write capabilities for CD/DVDs by making the drive look empty to the OS. Other than what I mentioned to verify my suspicions, I first uninstalled AnyDVD. Same result. I cleaned the registry with CCleaner and Tune-up Utilities. Same result. Then I used Fox Killer. This time I could access the DVD. When I reinstalled AnyDVD and inserted Paul Blart, the DVD tray read empty. When I had AnyDVD completely uninstalled I opened the DVD and noted the files. dvd-rom.exe did not show. I then took the DVD to a Linux box and examined the files on the DVD. dvd-rom.exe showed up. I looked at the autorun.inf file and it calls dvd-rom. There is no need to call any file other than vob_1 on a video. We both know that Windows code will not run under Linux. So I opened a CLI and called both Totem and Mplayer. The video would not play, I forget the exact error messages - something about a corrupt file, however the movie plays to perfection in my home theater and on the same box when AnyDVD is fully uninstalled, so the file could not be corrupt, I also cleaned the disc in the event of fingerprints. Because the computer went through several reboots during the brief testing, I know the code is persistent. Rather than chase the code down, I chose to restore from a known image. The Windows box in question has the entire section that allows autorun to function stripped out and it is locked. This was in response to the CERT advisory regarding the Conficker worm. It was strange because an entry was made in that area of the registry. With Bangkok Dangerous I had to reboot the machine to get the CD/DVD drive back, including any external USB slaved drive. With Paul Blart, I had to completely uninstall a program before the DVD drive would be recognized with that DVD. I did try a few other troublesome discs with no problem (i.e. Clan of the Cave Bear and Queen of the Damned). I noticed that my router activity light became active when Paul Blart was inserted - again no reason for it to. Other than that the only thing I can say is that I checked the torrents to see if the DVD was on them; if they would not have been, I would have stripped the encryption and put the DVD up in retaliation.

Michael Kassner

Please go into more detail? Are you referring to something like what Sony tried to do?

DHCDBD

I can not say I have had either good or bad experience with Comodo other than it annoys the He!! out of me with its notifications. Over the weekend I was infected by a trojan that installed three bots. It was started by a house guest inserting a DVD with one of the new MPAA rootkits into the sole Windows box in my home network. Comodo was at the helm here. I usually just restore the registry and kill the file the DVD installs. The reg keys were changed for this rootkit and so I took to the web to find a killer. Ended up installing three bots in what looked as a promising application. While I scanned out of curiosity, I simply restored from an image taken when I first installed the machine. The identified bot was sd.trojan. The reg scans named two other modules: vbs:obfuscated-gen and win32:trojan-gen. After reimaging I reinstalled Comodo and the other software that I had updated since the image was taken and created a new image. Regarding my statement about the MPAA. The first time I noticed MPAA rootkits was with the DVD release of Bangkok Dangerous. I called the MPAA and finally got through to the president. When I inquired about a rootkit, his response was "Get a lawyer," then he hung up. That was enough confirmation for me. Beyond this, I really can't say more behind lack of interest. What that rootkit does is disable CD/DVD writers and calls home to obtain encryption keys. It is intended to defeat programs like AnyDVD. The encryption in the latest "Paul Blart Mall Cop" installs a module DVD-rom.exe through the autorun file. If you have disabled autorun, then it installs the module when the decryption modules are called. You can not see the DVD-rom.exe in Windows; I examined the DVD with Linux which also could not play the DVD with either Totem or Mplayer. At any rate, Comodo allowed the installation of these modules without notification and also allowed the modification of protected keys, and when in attempting to remove the rootkit, allowed the installation of three bots and their activation and operation. It never stopped them, or even presented an obstacle. But, Comodo is a better option than most of what is out there.

Michael Kassner

What I consider a good experience with Comodo firewall applications. Not sure if it's me or what. I've tried on numerous occasions and have had to remove it. I'm still a fan of Online Armor.

JCitizen

but that is what promotes their enterprise products. SMBs like it too for simple LAN interior software firewalling. Trustworthy test organizations say that it is the top firewall on their leak tests. You could build your own using other configurable utilities, but I like saving time by just using CFP.

Gh0stMaker

I've used some of their products especially CA servers for customers needing SSL website security.

JCitizen

but MBAM and NOD32 come to mind as two of the best. I'm going mostly by my client's experience, Malwarebytes real time protection won't work on my x64 system; besides the fact that NIS 2009 won't cooperate with any other product anyway. I've never seen evidence of conflict with NOD32 or Avast however. This makes it an excellent companion product in these instances.

Michael Kassner

Except for one thing J. I don't know of an excellent heuristic real-time protection system. I know of heuristic systems, but not excellent.
