
Rootkit coders beware: Malwarebytes is in hot pursuit

Anti-malware heavy-hitter Malwarebytes is now laser-focused on eliminating rootkits. Michael P. Kassner asks the creators of MBAM how they approach this particular threat.

Rootkits are the crème de la crème of malware, operating in a manner not unlike elite Special Forces units: sneak in, establish communications with headquarters, recon defenses, and tip the odds in favor of the soon-to-arrive main-attack force.

Rootkits are similar to Special Forces in another way: if they are found and attempts are made to remove them, all hell breaks loose. Every rootkit remover worth its salt warns that removing the rootkit could cause problems for the operating system, to the point where it may not boot.

That's because the rootkit buries itself deep in the operating system, replacing critical files with those under the rootkit's control. And when the replaced files associated with the rootkit are removed, the operating system could be rendered inoperable.

Enter Malwarebytes

It's a pretty safe bet IT professionals, who deal with malware including rootkits, have a copy of Malwarebytes Anti-Malware (MBAM) at their disposal. I know several who say they owe their sanity and good customer rapport to MBAM. Another safe bet: the people at Malwarebytes are doing something right, particularly when bad guys add code to their malware installers to prevent MBAM from installing, or if already installed, from running. (More on this later.)

Back in 2009, I met the team at Malwarebytes when writing "Malware scanners: MBAM is best of breed." I knew, being the snoopy journalist, I needed to keep in touch with this energetic bunch. About a year ago, the crew started beta testing Malwarebytes Anti-Rootkit (MBAR), a tool targeting rootkits -- going right at the beast.

I had to know more so I contacted Marcin Kleczynski, CEO, founder, and the one who put the magic in MBAM. Marcin mentioned:

We at Malwarebytes go to great lengths to release fast, effective, and safe software. This mission extends to our anti-rootkit technology that is currently in beta.

Marcin offers the following details about MBAR:

With MBAR we have been running the open beta now for almost a year successfully, and while there is a small chance specific configurations could pose issues, we are confident for most users MBAR will be extremely effective against any rootkit infections they encounter.

I caught Marcin at a bad time; his plane was boarding. Marcin told me to connect with Marcus Chung, Executive Vice President and COO at Malwarebytes, who would answer my remaining questions.

My first question for Marcus was: why the sudden interest in rootkits? Marcus pointed out that rootkits are becoming the cornerstone on which all malware exploits are built. Rootkits have always greased the skids for other malware to be installed.

What's new is the programming of rootkits to redirect web browsers to look-alike malicious websites just waiting to install more malware on vulnerable computers, or redirecting web browsers to websites advertising goods just to increase click count, making advertisers happy.

I mentioned to Marcus that I thought MBAM removed rootkits; why, then, is MBAR needed? Marcus pointed out it's all about reaction time. Rootkit developers have become adept at quickly morphing their code when they learn rootkit removers recognize their handiwork. Using a separate tool, MBAR's developers can react just as fast without any concern of damaging a larger, more complex program like MBAM, and avoid the logistics of rolling out a new version of MBAM.

Marcus then mentioned another advantage:

The bad guys have the edge when it comes to rootkits: they aren't too worried about breaking the host computer, but we are, very much so. Having a separate tool allows us to make absolutely sure we minimize the risk of breaking the host computer.

I had an ah-ha moment when Marcus alluded to their need to react quickly: now I understood why their other tool, Chameleon, was separate and not embedded in MBAM.

If you aren't familiar with Chameleon, it is Malwarebytes's answer when malware prevents MBAM from installing, or running if already installed. Chameleon disguises MBAM, allowing it to start and destroy malware.

Something I did not know until Marcus mentioned it is that MBAM has Chameleon in the installed MBAM folder, and it's worth trying. If it doesn't help, Marcus reminded me that like MBAR, Chameleon (website version) is also a separate tool, giving Malwarebytes the option of quickly altering Chameleon to improve the odds of fooling rootkits.

How MBAR works

It's time to get to work; if you suspect a rootkit, and MBAM comes up empty, you may want to try MBAR. The first thing to do is read this link. It explains everything: A to Z. Still, I want to touch on a few of the more important aspects. First, here's the list of rootkits the guys at Malwarebytes have tested MBAR against, and successfully removed:

  • Kernel mode drivers hiding themselves, like TDL1, TDL2/TDSS, MaxSS, Srizbi, Necurs, Cutwail, etc.
  • Kernel mode driver patchers/infectors, embedding malicious code into core files of an Operating System, such as TDL3, ZeroAccess, Rloader, etc.
  • Master Boot Record infectors such as TDL4, Mebroot/Sinowal, MoastBoot, Yurn, Pihar, etc.
  • Volume Boot Record/OS Bootstrap infectors like Cidox.
  • Disk Partition table infectors like SST/Elureon.
  • User mode patchers/infectors like ZeroAccess.
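
As an added illustration (not part of the original article, and not MBAR's own code), a small Python integrity check a defender could run over a saved copy of a disk's first sector to spot the kind of tampering the Master Boot Record and partition table entries in the list above describe: it compares the boot code against a known-good SHA-256 hash and sanity-checks the partition table. The sample sectors, the stand-in boot code, and the disk size are constructed in the code; the baseline hash is taken from the constructed clean sector.

```python
import hashlib
import struct

SECTOR = 512          # classic MBR occupies the first 512-byte sector
BOOT_CODE_LEN = 446   # bootstrap code, followed by four 16-byte partition entries
ENTRY_LEN = 16
SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code, four partition entries and the signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "entries": entries, "signature": sector[510:512]}


def check_mbr(sector: bytes, baseline_boot_sha256: str, disk_sectors: int) -> list:
    """Return findings for a captured MBR; an empty list means it matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_boot_sha256:
        findings.append("boot code differs from baseline (possible MBR infector)")
    used = []
    for slot, e in enumerate(mbr["entries"]):
        if e["type"] == 0:      # empty slot
            continue
        used.append(e)
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {slot}: invalid status byte 0x{e['status']:02x}")
        if e["lba_start"] + e["sectors"] > disk_sectors:
            findings.append(f"entry {slot}: extends past end of disk")
    # partitions whose LBA ranges overlap are another sign the table was rewritten
    by_start = sorted(used, key=lambda e: e["lba_start"])
    for a, b in zip(by_start, by_start[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partition entries overlap")
    if sum(e["status"] == 0x80 for e in used) > 1:
        findings.append("more than one active partition")
    return findings


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed 512-byte MBR from boot code and (status, type, lba, sectors) tuples."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN])
    for status, ptype, lba, sectors in entries:
        sector += struct.pack("<B3xB3xII", status, ptype, lba, sectors)
    sector += b"\x00" * (ENTRY_LEN * (4 - len(entries)))
    return bytes(sector + SIGNATURE)


# Constructed sample data: a stand-in for real boot code, a 2,000,000-sector disk, one NTFS partition.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20
DISK_SECTORS = 2_000_000
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = hashlib.sha256(parse_mbr(CLEAN_MBR)["boot_code"]).hexdigest()

# Constructed "tampered" variants: rewritten boot code, and an added entry that runs past the disk end.
ALTERED_BOOT = build_mbr(b"\xeb\x3c" + CLEAN_BOOT_CODE[2:], [(0x80, 0x07, 2048, 1_000_000)])
EXTRA_ENTRY = build_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 1_000_000), (0x00, 0x07, 1_999_000, 5000)])

if __name__ == "__main__":
    for name, img in [("clean", CLEAN_MBR), ("altered boot code", ALTERED_BOOT), ("extra entry", EXTRA_ENTRY)]:
        print(name, check_mbr(img, BASELINE, DISK_SECTORS) or ["ok"])
```

On a real system the baseline hash would come from a sector image taken when the machine was known clean; the check only tells you that something changed, not what changed it.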

Once you have unpacked the MBAR zip file, go to the MBAR folder. It should be similar to the following screenshot.

I circled the three files that I wanted to mention. I was happy the MBAR team included the ReadMe.rtf -- it answered many of my questions. I didn't notice any mention of it, but before anything else, I would back up all data to a remote source. I asked Marcus about setting a restore point and he said doing so is not recommended -- creating a restore point will allow the rootkit to be restored as well.

Once you are confident, start the ball rolling by double-clicking on mbar.exe. If MBAR finds something, you will get a screen like the one below.

Similar to MBAM, just follow the instructions, and MBAR will get rid of the captured rootkits. In the process of removing any located rootkits, MBAR will also try to repair or restore the rootkit-corrupted files. After the ensuing reboot and rescan to make sure MBAR caught everything, Marcus recommended running Fixdamage.exe (circled in the slide showing the MBAR folder) as a "belt and suspenders" operation just to make absolutely sure all critical files are as they should be.

Marcus reiterates

Marcus was adamant that I make sure to tell everyone that MBAR is in beta. I promised and here is the disclaimer they post on the website:

All Beta versions are non-final products. Malwarebytes does not guarantee the absence of errors which might lead to interruption in normal computer operations or data loss. Precautions should be taken. The types of infections targeted by Malwarebytes Anti-Rootkit can be very difficult to remove. Please be sure you have any valued data backed up before proceeding, just as a precaution.

While we encourage and invite participation, Malwarebytes Anti-Rootkit BETA users run the tool at their own risk. Malwarebytes bears no responsibility for issues that may arise during use of this tool, however all reasonable efforts will be made by Malwarebytes to assist in recovery should the need arise.

Final thoughts

I guess I never gave it much thought, but after talking to Marcin and Marcus, I came away wondering whether rootkit coders intentionally replace critical files to make the rootkit that much harder to remove, or whether that is fallout from controlling critical processes to prevent detection and let the rootkit do its thing.

Thank you Marcin and Marcus for your explanations, and here's to continued success for MBAR -- we can use the help.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

69 comments
Marlinlikethefish

I had a problem with my home computer (Windows 7 Home Premium) that would not turn my computer off after selecting the shutdown option from the start menu. My computer would continuously display "Installing patch x of xx" and would never shut down.

So I performed a MBAM scan, and after removing a plethora of malware, decided to check out the "tools" tab, and found the Chameleon and MBAR beta apps. I ran the Chameleon, and then installed and ran the MB Anti-Rootkit application. It found 3 rootkits installed in my system. After removing them, I successfully restarted my computer without problem. Now, I'm able to shut down my computer with my operating system. YAY!

cojaxx8

I would love to see an article as to what makes MBAM so good! It is always the program I turn to when a virus gets past the installed AV software. It almost makes me think that I should be running MBAM all the time instead of the AV software!

jdemontjoie

...but are rootkits not generally addressed by AV products such as McAfee, MS Security Essentials, AVG, Avast, Sophos etc? Genuine (embarrassed!) question. Note the mix of home/Enterprise AV products - if rootkits aren't part of the standard AV target list then many home users (and, apparently, professional users) will be carrying on in ignorance. FWIW, I use MSSE on a home media centre. Curious, I just tried MWB. Nothing on the Quick scan but the Full scan reported a Trojan in an Installshield Kernel.exe file. Interesting, because a full, updated MSSE (albeit freeware) scan didn't find it. Also, I don't browse (often) on this machine - and when I do, it's only email. Interesting experiment. Will nuke and reimage after seeing how MWB handles the Trojan. To the guy whose business won't spring for the AV costs; might be worth pointing out your hourly rate and how long it took you to fix the problem? And the opportunity costs of what else you could have been doing?

benroberts

One of the users here clicked on a link sent to them in Facebook that installed a rootkit on the machine. By the time we'd figured out which machine it was, it had spammed half our data allocation away. Numerous attempts at removing it later, including MBAM in safe mode, saw the telltale browser redirects restoring themselves after every reboot. To save time, I nuked the system and re-installed XP. The company won't spring for the paid version of MBAM but I've put it on all of my personal machines and find it's the best method for avoiding getting an infection in the first place. My personal notebook has been super clean despite it being my work/home beater. For the record, we run Vipre Enterprise here with server based automatic update and this rootkit just strolled past it. Very frustrating.

edewey

Safe mode is a great place to run AV scans, but I often just remove the infected drive and use a usb to sata/ide adapter to scan from a clean PC.

zoanon

If the rootkit has removed a signed component of Windows, where do you get the replacement? It would seem that you might have to have an installation disk on hand.

DelbertPGH

BTS.scour was a nasty product that hijacked my Google searches, and would periodically redirect my clicks on a search result to one of several content farms. Nowhere on the Internet could I find any instructions for cleanup that I felt I could execute with confidence. I ran the MalwareBytes rootkit beta, and it cleaned it out in one pass. Or so it seems... the redirect has not happened again since that. AVG, my regular free antivirus product, never spotted it in its rootkit scans. MWB's (non-free; trial version) browser monitor also blocked several attempts by the virus to send information out from my computer, which MWB apparently did by comparing against a blacklist the IP address my computer was trying to communicate with. I was impressed every time I saw the warning pop up.

Michael Kassner

Look for the Chameleon folder, it should be a subfolder under the MBAM folder. Start Chameleon and see if MBAM or MBAR runs then. Also there is a separate Chameleon tool on the website that will be as up-to-date as possible.

rwbyshe

If I go to someone's home or have their computer in my possession, I always try to run MBAM. I've found that if they have one type of infection it may allow MBAM to run but will not allow it to clean things up. In other cases it won't run at all. MY SOLUTION... Run MBAM in the Safe Mode!!! It will detect and remove any problems that it finds while in Safe Mode. I typically also run the individual's AV after I run MBAM and normally delete everything either program finds. I'll also run Advanced System Care to perform some disk cleanup and tweaking for better performance. Once I run those programs and delete the findings, I turn off System Restore to delete all previous Restore Points and I reboot the computer to ensure they are not in memory. Once the reboot completes I turn on System Restore and create a new Restore Point and name it accordingly so that they or I know that particular restore point is "clean". I haven't tried MBAR as yet but am certainly going to based upon this article and readers' commentary! Thanks TR et al. for the good info, and don't forget that wonderful F8 key!!!

eric.broszeit

I can't tell you how many times Malwarebytes has just closed on people toward the end of the scan because of an infection. Combofix has outperformed it and everything else. The only downside is that it's not as easy for users, as it involves turning off AntiVirus protection when it runs. Malwarebytes makes a good product, but I usually go with the one that works every time.

LeMike

Don't forget that it was Sony Music Corp that put a rootkit onto their CDs a few years ago in order to try to prevent them from being copied onto computers and listened to.

Adam_12345

I sincerely recommend MBAM as one of the best anti-malware programs on the market. It offers a lot of useful options and offers deep scans.

wyattharris

I hadn't heard of Chameleon or the MBAR Beta, thanks for the heads up. Love this software, it's great to know more about the guys behind it. It seems no matter how the removal process starts it always ends the same way, run MalwareBytes. Marcin, keep up the good work.

SlowPCHelp

One of the best free programs out there! I use it all the time. The stealth run options have saved many a doomed computer on my watch!

JCitizen

when you update to the new MBAM. I knew they were up to something when I saw that - and I knew it would be GOOD! :) After so long using the big red logo, it was very noticeable when this happened. Things are changing SO rapidly in the PC protection market, it is hard to keep up with it all! Avast has upgraded to version 8 now, and has a funky GUI, but I REALLY like the new software updater. NO more fiddling with Secunia or File Hippo to try to get java to update. This is a fantastic addition to a venerable AV, and these two companies make a killer team. :ar!

techrepublic@

I simply don't trust a system that has been compromised.

sightsandsounds

At the online stores Malwarebytes is about the ONLY one that doesn't give a $50 MIR bringing the total cost to $0.00. They all hope and pray that most people won't ask for their rebates.

Michael Kassner

Marcin, the founder and CEO, knows code and malware -- he created MBAM. Marcus knows his part of the business. Just like all the high-powered technologists who are behind the scenes, yet known well enough by the bad guys to be referred to in their malware code.

JCitizen

to detect and kill rootkits, but Michael has a point in this article, in that sometimes the removal will damage system files enough to prevent booting to the operating system. Some nasty malware have figured out how to block the boot process without damaging system files, so you never know which hazard you will run into. I think it might be prudent to try MBAR first, because of its ability to properly remove the kit, to hopefully avert this disaster. I always back up the files, even if it puts a copy of the zero day threat in the backup files - you can always use Avast to root it out of the backup file in a day or two, after the definitions come out.

Michael Kassner

It is the only focus of the crew at Malwarebytes, and they have a reputation to keep. I have talked to most of the guys, and they are invested completely in MBAM and their other products.

JCitizen

Web of Trust works on FaceBook, and will warn, or completely block bad site links from there.

Michael Kassner

But, I know the guys at Malwarebytes are concerned and being extra cautious that MBAR does it right before they go public with it.

Michael Kassner

Has that worked well? Have you run across any issues doing it that way?

HAL 9000

To use a Boot Disc and scan the drive that way without the need to remove it and fit to another computer. Of course those days may be numbered with the advent of Secure Boot and UEFI which may stop a system working when you don't boot it with the installed version of Windows that the Hardware expects to find. ;) Col

Michael Kassner

This is from Marcus: For the cases where a file restoration is needed, MBAR is typically able to recover and restore clean files locally. However, it would be a good idea to have your Windows installation disks as a fallback. This is not critical in the majority of cases as MBAR has proven quite successful and robust against these types of infections. Best regards, -Marcus

JCitizen

type sfc /scannow in an elevated command prompt, and have your disk ready. If you don't have an original operating system DVD, then use someone else's, but be ready to enter your OEM product key. This should repair all files lost in the attack. I wish Microsoft would come up with a parameter that would read the recovery partition, so folks wouldn't have to scramble for an optical disk. Maybe one of those Windows recovery flash drives on eBay would help there; I've never had to use them.

Michael Kassner

I appreciate your taking the time to let us know about a real-world example of where MBAR helped.

JCitizen

I've never had to do that yet, but then my clients all run MBAM Pro, and have it installed on the clean PC before they take a hit - so I'm not relating much experience here. Actually MBAM is the only paid solution I recommend buying. For $24 bucks or less(on sale), I just can't see a losing side to that; especially since it is a LIFETIME license. I do recommend folks password protect the console - I don't know if malware have been able to change settings on restricted accounts, but nothing would surprise me there - the new malware have had amazing abilities to manipulate files without setting off the UAC or needing much of any permissions from the system to do a lot of damage. (edited) I have seen malware change settings on restricted accounts for other security solutions, but some of them have anti-manipulation features, so it depends on the solution how vulnerable they are to this factor. Prevx was one of them I witnessed damaging settings changes on, so I know that it needs a console password.

JCitizen

and I always follow up, or in fact try SAS first. Super-Anti-Spyware will get a lot of things in normal mode that other solutions can only root out in safe mode. Don't let the goofy name fool you; SAS is serious business. I must admit though - I don't recommend the paid version for my indigent clients - the free scanner is good enough. I can't say how it performs trying to install on an infected computer, but then it is time to get out Hiren's boot CD (flash drive) in some of those cases, or use any one of the venerable rescue CDs, like Avast's or Kaspersky's Rescue 10 CD.

JCitizen

Some of the new z_access back-doors easily defeat Combofix. You really ought to try MBAM again. Me personally - I've never had a problem with MBAM, but then I use a lot of blended defenses too, so if one doesn't catch it the other one will. :) I've also seen TDSSKiller defeated by new malware - the cleanup utility folks always have their homework cut out for them!

Michael Kassner

I am curious about Chameleon, but I can wait. I have no inclination to jump into a situation where it is needed.

Michael Kassner

That is good to know, and I hope it continues to help.

Michael Kassner

There are many people that do not understand or have the wherewithal to "nuke and restore."

Michael Kassner

I can think of many definitions of MIR, but none seem to make sense in this case.

JCitizen

I think he must know the code inside out of typical Microsoft installations. That may be part of it - but is MBAM coded in C++? Whatever it is - it just works! :O

JCitizen

I just clicked to make an exception when it fired off the block alert. v/

JCitizen

It doesn't pay to take the time to wipe and reinstall if they have little to lose. I always explain this, and assure them, that since they do no online banking and shopping, the risk is minimal. Besides, many of the free solutions I push, work in an infected environment, so there is little worry anyway.

dcharles

I think he means Mail-In Rebate.

JCitizen

were having it on sale for anywhere from $11 to 14+change. I missed that because I never thought they'd go that route; but at least I got it for $19 several weeks later. My clients just don't know how to purchase downloadable software online - so these retail box versions are great!

JCitizen

I will always use these tools until they become unusable; they are still contenders. One of my favorites is Kaspersky's Rescue Disk 10, followed up with Super-Anti-Spyware. The good thing about SAS is that it does a thorough job even in normal mode.

JCitizen

I give them worst case scenarios that fit their situation. After all, most refuse to use Puppy Linux Live CDs, so we have to do something at least.

Michael Kassner

Still, I always wonder whether there is just that one time that they do, and as you know, that's all it takes.

JCitizen

but I hate those, and would much rather have a straight off discount.
