Rootkit coders beware: Malwarebytes is in hot pursuit

Anti-malware heavy-hitter Malwarebytes is now laser-focused on eliminating rootkits. Michael P. Kassner asks the creators of MBAM how they approach this particular threat.

Rootkits are the crème de la crème of malware, operating in a manner not unlike elite Special Forces units: sneak in, establish communications with headquarters, recon defenses, and tip the odds in favor of the soon-to-arrive main-attack force.

Rootkits are similar to Special Forces in another way: if they are found and someone tries to remove them, all hell breaks loose. Every rootkit remover worth its salt warns that removing the rootkit could cause problems for the operating system, to the point where it may not boot.

That's because the rootkit buries itself deep in the operating system, replacing critical files with files under the rootkit's control. When those replaced files are removed along with the rootkit, the operating system can be rendered inoperable.

Enter Malwarebytes

It's a pretty safe bet IT professionals, who deal with malware including rootkits, have a copy of Malwarebytes Anti-Malware (MBAM) at their disposal. I know several who say they owe their sanity and good customer rapport to MBAM. Another safe bet: the people at Malwarebytes are doing something right, particularly when bad guys add code to their malware installers to prevent MBAM from installing, or if already installed, from running. (More on this later.)

Back in 2009, I met the team at Malwarebytes when writing "Malware scanners: MBAM is best of breed." I knew, being the snoopy journalist, I needed to keep in touch with this energetic bunch. About a year ago, the crew started beta testing Malwarebytes Anti-Rootkit (MBAR), a tool targeting rootkits -- going right at the beast.

I had to know more so I contacted Marcin Kleczynski, CEO, founder, and the one who put the magic in MBAM. Marcin mentioned:

We at Malwarebytes go to great lengths to release fast, effective, and safe software. This mission extends to our anti-rootkit technology that is currently in beta.

Marcin offers the following details about MBAR:

With MBAR we have been running the open beta now for almost a year successfully, and while there is a small chance specific configurations could pose issues, we are confident for most users MBAR will be extremely effective against any rootkit infections they encounter.

I caught Marcin at a bad time; his plane was boarding. Marcin told me to connect with Marcus Chung, Executive Vice President and COO at Malwarebytes, who would answer my remaining questions.

My first question for Marcus was: why the sudden interest in rootkits? Marcus pointed out that rootkits are becoming the cornerstone on which all malware exploits are built. Rootkits have always greased the skids for other malware to be installed.

What's new is rootkits programmed to redirect web browsers, either to look-alike malicious websites waiting to install more malware on vulnerable computers, or to websites advertising goods simply to increase click counts and keep advertisers happy.

I mentioned to Marcus that I thought MBAM already removed rootkits, so why is MBAR needed? Marcus pointed out it's all about reaction time. Rootkit developers have become adept at quickly morphing their code when they learn rootkit removers recognize their handiwork. With a separate tool, MBAR's developers can react just as fast without any concern about damaging a larger, more complex program like MBAM, and without the logistics of rolling out a new version of MBAM.

Marcus then mentioned another advantage:

The bad guys have the edge when it comes to rootkits; they aren't too worried about breaking the host computer, but we are, very much so. Having a separate tool allows us to make absolutely sure we minimize the risk of breaking the host computer.

I had an ah-ha moment when Marcus alluded to their need to react quickly: I now understood why their other tool, Chameleon, is separate and not embedded in MBAM.

If you aren't familiar with Chameleon, it is Malwarebytes's answer when malware prevents MBAM from installing, or running if already installed. Chameleon disguises MBAM, allowing it to start and destroy malware.

Something I did not know until Marcus mentioned it is that a copy of Chameleon ships in the installed MBAM folder, and it's worth trying first. If it doesn't help, Marcus reminded me that, like MBAR, the website version of Chameleon is also a separate tool, giving Malwarebytes the option of quickly altering Chameleon to improve the odds of fooling rootkits.

How MBAR works

It's time to get to work: if you suspect a rootkit and MBAM comes up empty, you may want to try MBAR. The first thing to do is read this link. It explains everything, A to Z. Still, I want to touch on a few of the more important aspects. First, here's the list of rootkit families the Malwarebytes team has tested MBAR against and successfully removed:

  • Kernel mode drivers hiding themselves, like TDL1, TDL2/TDSS, MaxSS, Srizbi, Necurs, Cutwail, etc.
  • Kernel mode driver patchers/infectors, embedding malicious code into core files of an Operating System, such as TDL3, ZeroAccess, Rloader, etc.
  • Master Boot Record infectors such as TDL4, Mebroot/Sinowal, MoastBoot, Yurn, Pihar, etc.
  • Volume Boot Record/OS Bootstrap infectors like Cidox.
  • Disk Partition table infectors like SST/Elureon.
  • User mode patchers/infectors like ZeroAccess.

Once you have unpacked the MBAR zip file, go to the MBAR folder. It should be similar to the following screenshot.

I circled the three files that I wanted to mention. I was happy the MBAR team included the ReadMe.rtf; it answered many of my questions. I didn't notice any mention of it, but before anything else, I would back up all data to a remote source. I asked Marcus about setting a restore point first and he said doing so is not recommended: a restore point created on an infected system would allow the rootkit to be restored along with everything else.

Once you are confident, start the ball rolling by double-clicking on mbar.exe. If MBAR finds something, you will get a screen like the one below.

Similar to MBAM, just follow the instructions and MBAR will get rid of the rootkits it found. While removing any located rootkits, MBAR will also try to repair or restore the rootkit-corrupted files. After the ensuing reboot and a rescan to make sure MBAR caught everything, Marcus recommended running Fixdamage.exe (circled in the screenshot of the MBAR folder) as a "belt and suspenders" step, just to make absolutely sure all critical files are as they should be.

Marcus reiterates

Marcus was adamant that I make sure to tell everyone that MBAR is in beta. I promised and here is the disclaimer they post on the website:

All Beta versions are non-final products. Malwarebytes does not guarantee the absence of errors which might lead to interruption in normal computer operations or data loss. Precautions should be taken. The types of infections targeted by Malwarebytes Anti-Rootkit can be very difficult to remove. Please be sure you have any valued data backed up before proceeding, just as a precaution.

While we encourage and invite participation, Malwarebytes Anti-Rootkit BETA users run the tool at their own risk. Malwarebytes bears no responsibility for issues that may arise during use of this tool, however all reasonable efforts will be made by Malwarebytes to assist in recovery should the need arise.

Final thoughts

I guess I never gave it much thought, but after talking to Marcin and Marcus I came away wondering whether rootkit coders intentionally replace critical files to make the rootkit that much harder to remove, or whether that is simply fallout from controlling critical processes to prevent detection and let the rootkit do its thing.

Thank you, Marcin and Marcus, for your explanations, and here's to continued success for MBAR; we can use the help.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

71 comments
gabeh99

I'm confused.  I have Malwarebytes Premium.  Do I need any additional anti-virus such as Norton to be fully protected or does Malware take care of anything Norton takes care of?

bow65

@gabeh99  Do not install Malwarebytes or any other free anti-malware product. They come up with false positives. They are believed to be tools used for some purpose by the business community. The small fee they charge for "Pro" product is to portray they are legit. Go with the well known products such as Norton, BitDefender, AVG, McAfee etc.

Marlinlikethefish

I had a problem with my home computer (Windows 7 Home Premium) that would not turn off after selecting the shutdown option from the Start menu. My computer would continuously display "Installing patch x of xx" and would never shut down.

So I performed a MBAM scan, and after removing a plethora of malware, decided to check out the "tools" tab, and found the Chameleon and MBAR beta apps. I ran Chameleon, and then installed and ran the MB Anti-Rootkit application. It found 3 rootkits installed in my system. After removing them, I successfully restarted my computer without problem. Now I'm able to shut down my computer with my operating system. YAY!

cojaxx8

I would love to see an article as to what makes MBAM so good! It is always the program I turn to when a virus gets past the installed AV software. It almost makes me think that I should be running MBAM all the time instead of the AV software!

jdemontjoie

...but are rootkits not generally addressed by AV products such as McAfee, MS Security Essentials, AVG, Avast, Sophos etc.? Genuine (embarrassed!) question. Note the mix of home/enterprise AV products; if rootkits aren't part of the standard AV target list then many home users (and, apparently, professional users) will be carrying on in ignorance. FWIW, I use MSSE on a home media centre. Curious, I just tried MWB. Nothing on the Quick scan, but the Full scan reported a Trojan in an InstallShield Kernel.exe file. Interesting, because a full, updated MSSE (albeit freeware) scan didn't find it. Also, I don't browse (often) on this machine, and when I do, it's only email. Interesting experiment. Will nuke and reimage after seeing how MWB handles the Trojan. To the guy whose business won't spring for the AV costs: might be worth pointing out your hourly rate and how long it took you to fix the problem? And the opportunity cost of what else you could have been doing?

benroberts

One of the users here clicked on a link sent to them in Facebook that installed a rootkit on the machine. By the time we'd figured out which machine it was, it had spammed half our data allocation away. Numerous attempts at removing it later, including MBAM in safe mode, saw the telltale browser redirects restoring themselves after every reboot. To save time, I nuked the system and re-installed XP. The company won't spring for the paid version of MBAM, but I've put it on all of my personal machines and find it's the best method for avoiding getting an infection in the first place. My personal notebook has been super clean despite it being my work/home beater. For the record, we run Vipre Enterprise here with server-based automatic update and this rootkit just strolled past it. Very frustrating.

edewey

Safe mode is a great place to run AV scans, but I often just remove the infected drive and use a USB to SATA/IDE adapter to scan it from a clean PC.

zoanon

If the rootkit has removed a signed component of Windows, where do you get the replacement? It would seem that you might have to have an installation disk on hand.

DelbertPGH

BTS.scour was a nasty product that hijacked my Google searches and would periodically redirect my clicks on a search result to one of several content farms. Nowhere on the Internet could I find any instructions for cleanup that I felt I could execute with confidence. I ran the Malwarebytes rootkit beta, and it cleaned it out in one pass. Or so it seems... the redirect has not happened again since then. AVG, my regular free antivirus product, never spotted it in its rootkit scans. MWB's (non-free; trial version) browser monitor also blocked several attempts by the virus to send information out from my computer, which MWB apparently did by comparing the IP address my computer was trying to communicate with against a blacklist. I was impressed every time I saw the warning pop up.

Michael Kassner

Look for the Chameleon folder; it should be a subfolder under the MBAM folder. Start Chameleon and see if MBAM or MBAR runs then. There is also a separate Chameleon tool on the website that will be as up to date as possible.

rwbyshe9

If I go to someone's home or have their computer in my possession, I always try to run MBAM. I've found that if they have one type of infection it may allow MBAM to run but will not allow it to clean things up. In other cases it won't run at all. MY SOLUTION... Run MBAM in Safe Mode!!! It will detect and remove any problems that it finds while in Safe Mode. I typically also run the individual's AV after I run MBAM and normally delete everything either program finds. I'll also run Advanced System Care to perform some disk cleanup and tweaking for better performance. Once I run those programs and delete the findings, I turn off System Restore to delete all previous Restore Points and I reboot the computer to ensure they are not in memory. Once the reboot completes I turn on System Restore and create a new Restore Point and name it accordingly so that they or I know that particular restore point is "clean". I haven't tried MBAR as yet but am certainly going to based upon this article and readers' commentary! Thanks TR et al. for the good info, and don't forget that wonderful F8 key!!!

eric.broszeit

I can't tell you how many times Malwarebytes has just closed on people toward the end of the scan because of an infection. ComboFix has outperformed it and everything else. The only downside is that it's not as easy for users, as it involves turning off antivirus protection when it runs. Malwarebytes makes a good product, but I usually go with the one that works every time.

LeMike

Don't forget that it was Sony Music Corp that put a rootkit onto their CDs a few years ago in order to try to prevent them from being copied onto computers and listened to.

Adam_12345

I sincerely recommend MBAM as one of the best anti-malware software packages on the market. It offers a lot of useful options and deep scans.

wyattharris

I hadn't heard of Chameleon or the MBAR beta; thanks for the heads up. Love this software, and it's great to know more about the guys behind it. It seems no matter how the removal process starts, it always ends the same way: run Malwarebytes. Marcin, keep up the good work.

SlowPCHelp

One of the best free programs out there! I use it all the time. The stealth run options have saved many a doomed computer on my watch!

JCitizen

when you update to the new MBAM. I knew they were up to something when I saw that, and I knew it would be GOOD! :) After so long using the big red logo, it was very noticeable when this happened. Things are changing SO rapidly in the PC protection market, it is hard to keep up with it all! Avast has upgraded to version 8 now, and has a funky GUI, but I REALLY like the new software updater. NO more fiddling with Secunia or FileHippo to try to get Java to update. This is a fantastic addition to a venerable AV, and these two companies make a killer team. :ar!

techrepublic@

I simply don't trust a system that has been compromised.

sightsandsounds

At the online stores Malwarebytes is about the ONLY one that doesn't give a $50 MIR bringing the total cost to $0.00. They all hope and pray that most people won't ask for their rebates.

allanmount

MWB say create a restore point after MBAR has scanned...

info

...talk about being behind the 8-ball! It'll be nice to have an alternative to ComboFix on some systems where it might not be the best idea to run it...

l_creech

I've used MBAR twice now to remove rootkits from customer systems. The first system had Vipre Internet Security on it, which the customer removed and replaced with Webroot, which was disabled when I arrived on site. This system was also 3 months behind on Windows updates and was still running Java 7 Update 2. I ran three tools: Windows Defender Offline, MBAM, and MBAR. I only ran MBAR after being unable to install updates from Microsoft (warning that updates could not be installed on a compromised system). MBAR found a rootkitted boot sector (and backup boot sector), which it cleaned and repaired. The second system was similar, with the difference that the customer was disabling his Vipre Internet Security to play Halo 2 with his friends.

widd11e

Malwarebytes is a great product. I can't even count how many people I have pointed to Malwarebytes. I meant nothing harsh when I said that; it is just that rootkits are deep in the OS, and when you try to clean up and then fix things there, you could also tend to break things. MWB is taking on a huge project. I wish them luck. I don't envy them because they will be at the backbone of the OS. Once they start tackling rootkits, I don't believe many consumers will understand the complexity of how MWB protects their PC.

Dusterman

As most always ........ Michael ........ you have given a very informative review of a product that most of us use daily, but we did not know about this product offering. Bit Defender used to be top dog in my stable ........ but MBAM has surpassed them in ease and effectiveness [ in my opinion ] ........ ;-)

sslevine

I've used Malwarebytes numerous times, and it outperforms almost everything else for the tough stuff. Sounds like the company is in the forefront again, with MBAR. I'll be downloading that shortly! I appreciate the pointers here, too; nice to get the down low on Chameleon. Thank you!

widd11e

I don't envy Malwarebytes.