Bootkit Removal


markusg

Sure, but I have no sample to upload at this moment.

These new bootkits are variants of the Stoned rootkit created by Peter Kleissner.

http://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-PAPER.pdf

Here is another link; it is not in English, but I think you can understand it.

http://antimalwarehelp.blogspot.com/2010/05/whistler-bootkit.html

There is also another variant out.

It opens browser popups (advertisements) and deactivates the sound.

Most AVs cannot find this infection.

I hope this is enough info?


Has somebody tested whether Immunet can remove bootkits?

If not, Immunet must have a look at it. I removed around 10 in German forums today...
The short answer is that if you're already infected when you install IMP Free there is little to no chance we will detect it. IMP Free also cannot clean this threat effectively if you are already infected. I'm using Mebroot as my working example as I am (off the top of my head) unaware of other examples in the wild. We can, however, detect it on access and on copy. Our hope is to nab threats like this when you download them. YMMV.

IMP Plus can both detect and remove MBR-style threats. Having said that, both removal and detection for this threat class in all AV products is in its infancy.

 

al


I think I can send you a Whistler sample if you need one...

OK, I know it's hard to remove such stuff and so on, but there must be another possibility :D I think in the future these bootkits are coming. I cleaned perhaps 50 PCs with this stuff in the last week, and there are other helpers doing the same...

I mean, this Peter Kleissner paper has been known for one year and most vendors cannot detect or remove it. The Esage Lab tool can...

I will not say it's easy to handle it, and I'm not writing programs, but the Esage tool shows there is a way to find this bootkit.

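Both al's point that an MBR-style threat is hard to detect once it is installed and markusg's remark that the Esage tool proves such infections can be found come down to one check: does the first sector of the disk still contain the boot code it shipped with? The script below is an added example written for this thread, not code from Immunet, Esage Lab or any poster. It parses a 512-byte MBR, hashes the 440-byte boot-code region separately from the disk signature and partition table, and diffs a suspect sector against a known-good baseline. The characteristic an MBR bootkit leaves is exactly that combination: boot code replaced, partition table untouched, so the machine still boots and the user notices nothing. The two sample sectors are constructed for the example; obtaining a real baseline and suspect sector (for instance with `dd if=/dev/sda bs=512 count=1` from a clean boot medium) is assumed to happen outside the script, because a bootkit that is already running can lie to any read done from the infected system.

```python
"""Offline MBR baseline check (added example; sample sectors are constructed).

Usage: python mbr_check.py baseline.bin suspect.bin
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # classic MBR: boot code occupies bytes 0..439
DISK_SIG_OFF = 440       # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510       # trailing 0x55 0xAA marks a valid boot sector


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot code hash, disk signature, partition table and
    boot signature so each piece can be compared on its own."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, length
        status, ptype, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and lba_start == 0 and num_sectors == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "num_sectors": num_sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
        "valid_boot_signature": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
    }


def hidden_sector_gap(sector: bytes) -> int:
    """Number of unused sectors between the MBR and the first partition.
    MBR bootkits stage their code and a copy of the original MBR in this
    gap, so it is the next place to look when the boot code has changed."""
    parts = parse_mbr(sector)["partitions"]
    if not parts:
        return 0
    return max(min(p["lba_start"] for p in parts) - 1, 0)


def compare_mbr(known_good: bytes, suspect: bytes) -> list:
    """Return findings where the suspect MBR deviates from the baseline."""
    base, sus = parse_mbr(known_good), parse_mbr(suspect)
    findings = []
    if not sus["valid_boot_signature"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if base["boot_code_sha256"] != sus["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if base["disk_signature"] != sus["disk_signature"]:
        findings.append("disk signature differs from baseline")
    if base["partitions"] != sus["partitions"]:
        findings.append("partition table differs from baseline")
    if "boot code differs from baseline" in findings and \
            "partition table differs from baseline" not in findings:
        findings.append("boot code replaced with partition table intact: MBR bootkit pattern, "
                        f"inspect the {hidden_sector_gap(suspect)} sectors before the first partition")
    return findings


def _build_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one bootable NTFS (type 0x07) partition at LBA 63."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\x12\x34\x56\x78"
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF,
                     0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed: baseline starts with the usual "xor ax,ax / mov ss,ax / mov sp,7c00"
# prologue; the "infected" copy has different boot code but the same partition table.
CLEAN_MBR = _build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8")
INFECTED_MBR = _build_mbr(b"\xeb\x3c\x90" + b"\x90" * 40)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f_base, open(sys.argv[2], "rb") as f_sus:
            report = compare_mbr(f_base.read(SECTOR_SIZE), f_sus.read(SECTOR_SIZE))
    else:
        report = compare_mbr(CLEAN_MBR, INFECTED_MBR)  # demo on the constructed sectors
    print("\n".join(report) if report else "no deviation from baseline")
```

A clean MBR compared with itself yields no findings; the constructed infected sector reports changed boot code with the partition table intact, which is the cue to image the sectors before the first partition rather than trust a scan run from inside the infected Windows.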

Hi Everybody,

There should be an option to select which drive (C:\, D:\, E:\ etc.) to scan for rootkits! For the moment, the whole computer will be scanned!

 

Cheers,

sweidre


Archived

This topic is now archived and is closed to further replies.
