DNSChanger
The botnet was made up of more than 4 million computers in more than 100 countries. The computers are infected with malware called DNSChanger. This Trojan changes the DNS settings of the computer and allowed the botnet owners to redirect web browser requests. With these redirects, the botnet owners were able to manipulate internet advertising to generate at least $14 million in illicit fees. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.

Rogue DNS Servers
In November 2011 the FBI seized the rogue DNS servers and replaced them with legitimate servers in the hope that users who were infected will not have their Internet access disrupted. But these servers will be kept online until March 8, 2012.

The replacement DNS servers recorded 33.000 computers in Germany that are still contacting the rogue DNS servers. This number was large enough for the German government to issue the nationwide advice.

dns-ok.de
To facilitate the nationwide DNS check, the German government launched the website: dns-ok.de

If you go to the website and your computer uses rogue DNS server settings then you see this page:

DE-Cleaner
The page offers a link to botfrei.de which provides DE-Cleaner software which helps users to get rid of the DNSChanger infection (and other malware).

DE-Cleaner comes in three flavors provided by: Avira, Kaspersky and Symantec. A multi-vendor approach, just like HitmanPro.

The problem with the DE-Cleaner software is that they do not detect or repair rogue DNS server settings: they leave it up to the user.

Using rogue DNS server settings is as bad as it gets. Nothing on the internet can be trusted: login information and credit data will be stolen. Its a matter of time (DNSChanger is proof of this). So it is of utmost importance that the computer uses proper DNS server settings. Hence the German call for a nationwide DNS check.

DNS repair
Since DNS is extremely important, HitmanPro scans the DNS server settings of each network adapter in the computer. HitmanPro validates the DNS setting against blacklists and lists the corresponding adapter when its DNS server settings are deemed malicious. A repair of the DNS server setting is then offered, free of charge.

Bottom line
Besides DE-Cleaner, most Antivirus products do not check the DNS server settings of the computer. The reason for this is beyond anybody’s guess. HitmanPro 3 checks the DNS server settings since its incarnation and provides a convenient way for the average computer user to get rid of the malware and repair DNS server settings in just one single pass.

Since the DNSChanger botnet was made up of more than 4 million computers, with 500.000 computers in the US and 33.000 in Germany, there are a lot more computers that still use the rogue DNS server settings. So run a scan with HitmanPro before March 8, 2012 or you might not be able to use the internet – the FBI will shutdown the replacement DNS servers on that day.

Video
We have made a video to illustrate the whole proceedings:

Note: we’ve made the video with Hitman Pro 3.5 as this version supports the German language.

The highlights of this release are a brand new Remnant Scan, a new Scheduler with more options, a new Shell Extension, revamped graphics and many improvements which make this release the best release yet.

For the complete list of changes see the below changelog.

Changelog

• Hitman Pro is now called HitmanPro. On Twitter use #HitmanPro.
• NEW: Added Scanning for Malware Remnants.
  This new feature scans the File System and Registry for common malware related paths (files, folders, keys). The Remnant Scan combines a multi-threaded local scan with cloud based confirmation. In 3.6.0 we are detecting only a few hundred remnants; more will be added to the cloud in the coming weeks. We are still fine tuning the tooling on the back end.
• NEW: Added new Scheduler to allow scanning Daily, At Startup, Mon, Tue, Wed, Thu, Fri, Sat, Sun at specific times. The scheduler is a process called hmpsched.exe.
• NEW: Shell integration by using a Shell Extension which adds an icon to the context menu and also allows multiple selected files to be scanned.
• NEW: Added ‘Goto location’ to context menu to highlight the file in Windows Explorer.
• NEW: Added ‘Show information’ to context menu to expose more internal information to the end user. Tip: the information can be copy-pasted.
• NEW: Added third opinion scan using VirusTotal.
  To use this feature you enter your personal VirusTotal Public API Key on the Advanced tab under Settings.
• NEW: Added detection for files signed with weak Authenticode signatures (RSA 512-bit keys).
  See also: http://blog.fox-it.com/2011/11/21/rsa-512-certificates-abused-in-the-wild/
• NEW: Added chevrons to highlight items in the result list that are running [PID] or start by [Run], [Service] or [Driver].
• NEW: Added detection and repair for the HOSTS file that was altered by malware.
• NEW: Added /clean command line switch to automatically quarantine and remove malware.
• NEW: Added the option to disable the automatic upload of suspicious files to the Scan Cloud.
• IMPROVED: Cloud Assisted Miniport Hook Bypass
• IMPROVED: Detection and removal of Sinowal, Mebroot rootkit
• IMPROVED: Removal of TDL4 (and variants) on systems where Boot Configuration Data (BCD) was persistently malformed by TDL4. Removing TDL4 from those systems could cause a non-bootable system (BSOD). HitmanPro now repairs BCD before removing TDL4 (or variants).
• IMPROVED: NTFS Parser to work better with heavily fragmented files.
• IMPROVED: Direct Disk Access now always scans using the lowest possible level.
• IMPROVED: Firefox and Chrome cookie scan.
• CHANGED: For regular users Early Warning Scoring (EWS) is no longer available from the Next button. Expert users can re-enable the EWS scan mode on the Advanced tab under Settings.
• INFO: 3.6.0 is currently only available in English.

Hitman Pro 3.5 users will not be automatically upgraded since 3.6.0 is currently only available in English. Automatic upgrade of Hitman Pro 3.5 will occur with version 3.6.1.

Installing HitmanPro 3.6 will automatically upgrade an existing Hitman Pro 3.5 installation.

Downloads
32-bit: http://dl.surfright.nl/HitmanPro36.exe
64-bit: http://dl.surfright.nl/HitmanPro36_x64.exe

The 10 highest scoring products detected between 97.3% and 99.7% of the test set of over 200,000 malicious files, which means that on average over 2,000 (!) malicious files were not detected.

And if you are not using one of the Antivirus products in the top-10 but one of the other products (including some very well known names), you might even be at bigger risk.

See http://www.av-comparatives.org/images/stories/test/ondret/avc_od_aug2011.pdf for the full test report.

Click here to check what your Antivirus product might have missed.

The ZeroAccess rootkit uses advanced stealth tactics, similar to the infamous TDL3 rootkit. The ZeroAccess rootkit itself is hiding, but it’s payload is not.  It actually is very visible to the user as it redirects e.g. Google Search results in your web browser.

Most antivirus programs are hardened against termination by an external (malicious) process. But it turns out that most antivirus programs are not that tough against themselves.

When an antivirus program tries to scan one of ZeroAccess’s rootkit components, the rootkit strikes back by injecting (from kernel-mode) a small piece of malicious code into the antivirus process space. The code will effectively call the ExitProcess function.
The rootkit then queues the code to be run by the antivirus process by means of an APC (asynchronous procedure call). As soon as one of the threads of the antivirus process becomes idle, the queued code executes and ExitProcess is called: the antivirus program terminates itself.

In addition to the self-termination of the antivirus process, the rootkit also changes the access rights (DACL) of the antivirus program’s EXE file so that it cannot be restarted. This leaves the computer unprotected against new malware infections as well.

Hitman Pro 3.5.9 build 127 contains protection against these types of malicious code injections and monitors and restores the DACL on its EXE file. Users of Hitman Pro will automatically be updated to the latest version in the next few days.

Malware like Popureb overwrites the hard drive’s Master Boot Record (MBR), the first sector – sector 0 – where code is stored to bootstrap the operating system after the computer’s BIOS completed its start-up checks. The rootkit hides the MBR by hooking the DriverStartIo of the harddisk driver atapi.sys, making it effectively invisible to both the operating system and most security software.

The Cloud Assisted Miniport Hook Bypass technology that was added to Hitman Pro in an earlier release this month is designed to detect these sophisticated rootkits. Our Cloud Assisted Miniport Hook Bypass is capable of detecting and removing the Popureb bootkit.

Build 126 of Hitman Pro 3.5 contains a new Tool Action: Replace with standard MBR.

This new action offers users a means to overwrite a non-standard MBR with a standard MBR returning it to a clean state. This new Tool Action is only available to users when scanning a system with Hitman Pro in Early Warning Scoring (EWS) mode. Users do not need to use the Windows Recovery Console to return the MBR to a clean state.

A beta version of Hitman Pro 3.5.9 build 126 can be downloaded here:

32-bit: http://dl.surfright.nl/HitmanPro35beta.exe
64-bit: http://dl.surfright.nl/HitmanPro35beta_x64.exe

UPDATE: Click here to view Hitman Pro in action against Popureb.

“In the past weeks, we noticed an increase in highly advanced rootkits such as Mebroot, Sinowal and TDL4 who were trying to defeat detection by Hitman Pro” according to Mark Loman, CEO of SurfRight. “With this new release we are able to better detect and remove these sophisticated threats.”

The most important features in this new version are:

• Cloud Assisted Miniport Hook Bypass feature.
• Mebroot/Sinowal detection and removal.
• Removal of new variant of Trojan Vundo.
• Master Boot Record (MBR) protection when restoring infected MBR to counter rootkit watchdogs.
• Repair for BCD testsigning. Testsigning is a feature of 64-bit Windows that, when enabled, allows loading of non-signed drivers on 64-bit Windows. Testsigning is typically abused by 64-bit bootkits.

The full release notes and changelog of Hitman Pro 3.5.9 build 124 can be found on www.surfright.com/hitmanpro/whatsnew.

Existing users of Hitman Pro will automatically be updated to the latest version in the next few days.

Highly advanced rootkits like the TDSS family (TDL, Alureon.DX, Olmarik) and new variants of Mebroot and Sinowal work on both 32-bit and 64-bit versions of Windows and infect the Master Boot Record (MBR). This means that these so called Bootkits start before Windows boots up, which gives the bootkit an obvious advantage. Any protection mechanism imposed by Windows (or antivirus that is loaded by Windows) can be defeated (the program that is started first, can have control over the others).

Once Windows is booting, the rootkit attaches a filtering mechanism to the hard disk driver. This filter gives the rootkit complete control over the hard drive. For example, when an antivirus tries to read the MBR (sector 0) of the hard drive (to see if it is infected), the rootkit will simply serve a regular MBR so that it appears that the MBR is clean. Hence, the rootkit is undetected.

Now in order to read the actual infected MBR you need get around the rootkit’s filtering mechanism.

For this you need to know two things:

1. The hard disk miniport driver that is hooked (e.g. atapi.sys, iaStor.sys, nvstor32.sys, amdsata.sys, etc.)
2. How the rootkit is hooking into it

When you know the exact hard disk driver that is in use, you are able to communicate directly with it, reading around the hooks of the rootkit.

The problem is that there are literally thousands of different brands, types and versions of hard disk drivers and they all need to be addressed differently. This is where Cloud Assisted Miniport Hook Bypass comes in.

Cloud Assisted Miniport Hook Bypass collects hard disk miniport driver information from clean computers and stores a representation of this information (a fingerprint of a few bytes) in the Cloud. When Hitman Pro detects a hook on the hard disk driver, it consults the Cloud on how to work around it. This allows Hitman Pro to read around the rootkit’s filtering and effectively reading the actual infected sectors. This works for ANY hard disk driver and not just the common ones.

If you run Hitman Pro with Early Warning Scoring (a mode for experts) on a Mebroot infected system you can see Cloud Assisted Miniport Hook Bypass in action. If the yellow sticky mentions bypassed then Hitman Pro should be able to detect presence of the rootkit:

The yellow sticky only appears in Early Warning Scoring scan. In the Default Scan or Quick Scan the sticky is not displayed because non-expert users have no idea what a kernel-mode hook is. Of course, when an infected MBR is detected it is listed, regardless of the chosen scan.

Cloud Assisted Miniport Hook Bypass collectively helps Hitman Pro users to combat the toughest malware threat: Rootkits.

Available in Hitman Pro 3.5.9 (or newer).

See www.surfright.com/press for the full results.

TDL4 infects the Master Boot Record (MBR) and effectively loads before Windows boot up. This gives so called bootkits the upper hand in countering the protection mechanisms introduced by 64-bit Windows.

We started to see this new variant a few days ago when we received reports that Hitman Pro was no longer able to remove the TDL4 rootkit. Hitman Pro was detecting the presence of the rootkit but it was no longer able to determine its load point, which is needed for the rootkit’s removal. The reports also outline that the few dedicated TDSS removal tools from other vendors were also having difficulties to detect and remove it, which is a clear indication that we are dealing with a new variant.

Key survival strategy for rootkits is that they must be undetectable by antivirus software. TDL4 does so by attaching itself to the hard disk (at the lowest level) and filtering all read/write operations. When antivirus software reads data from the drive, the rootkit just serves clean uninfected data, effectively blinding antivirus and internet security software.

In order to detect the presence of rootkits like TDL4 an antivirus must get around the rootkit’s filtering. Only then the actual infected disk sectors can be read and inspected.

Hitman Pro’s Direct Disk Access technology is specifically made to get around such rootkit techniques by scanning computers at a much deeper level. Many of our first-time users are infected with the TDL4 rootkit, despite up-to-date protection software from renowned security vendors. Even though these vendors frequently write reports about this threat, the rootkit does not appear in any top threat list because most products lack the technology to detect and remove it.

Hitman Pro 3.5.8 build 121 is able to detect and remove the latest TDL4 bootkit variant. A beta version can be downloaded from here:

32-bit: http://dl.surfright.nl/HitmanPro35beta.exe
64-bit: http://dl.surfright.nl/HitmanPro35beta_x64.exe

Changelog (Build 121)

• Added detection and removal of latest TDL4 bootkit
• Improved behavioral scan
• Improved removal engine
• Added Indonesian language
• Updated Czech language

The router checks each URL request and each file download through our servers on the Internet (the Cloud) after the service is activated. The user does not need to install anything. Dangerous websites are blocked by the router including phishing sites and sites that are hosting viruses or other malicous content. Users are also protected against downloading files that contain viruses, spyware or other malware. The service can also block advertisement that will improve browsing experience and will load web site content faster. Sitecom Cloud Security is powered by the proven technology of Hitman Pro.

See www.surfright.com/home/press/sitecom-cloud-security for more details.