HitmanPro 3.6 Build 159

June 21, 2012

Today we’ve released a new version of HitmanPro 3.6 to our users. Build 159 includes many improvements over earlier releases. But I would like to blog about one particular new feature today: the detection of the XULRunner malware.

XULRunner redirect
This particular malware, a browser hijacker, affects the Mozilla Firefox browser and redirects Google Search results to e.g. happili.com.

Contrary to sophisticated bootkits that usually cause search redirects (like TDL4 and ZeroAccess), the XULRunner is a fairly basic program. To stay somewhat concealed, it installs a legitimate-seeming add-on in the Firefox browser to ‘hide’ itself: the malware impersonates and abuses the XULRunner name to fool users into believing the add-on is a core part of the browser. The real XULRunner is actually the internal XUL runtime developed by Mozilla, to run XUL-based applications in Firefox: http://en.wikipedia.org/wiki/XULRunner

The XULRunner malware typically creates a folder with a random name in the “Application Data” folder below the user’s profile. Example: C:\Documents and Settings\John\Local Settings\Application Data\{2C02AAE7-C9F9-4B88-8233-CD0895C71420}\

The script that causes the redirects is called overlay.xul. When looking at this JavaScript file, a trained eye can see that it affects popular search engines:

if (loc.match(/google.*\/(search|cse).*[&\?]q=/) || loc.match(/\/search\.yahoo.*search.*[&\?]p=/) || loc.match(/ask.com.*\/web.*[&\?]q=/) || loc.match(/bing.com\/search.*[&\?]q=/) || loc.match(/aol\/search.*(query|q)=/))

To manually determine whether or not your Firefox browser contains the malicious XULRunner add-on, click in Firefox on the Tools menu and select Add-ons:

To get rid of this malware, HitmanPro build 159 (or newer) will detect and thoroughly remove the XULRunner malware, including its files, folders and registry keys.

Full release notes of HitmanPro

  • ADDED: Windows 8 Release Preview support.
  • ADDED: Detection and removal of XULRunner redirect scripts.
  • ADDED: /fb command-line option to perform Force Breach.
  • ADDED: HitmanPro switches the desktop to ensure visibility.
  • Some Ransomware use a dedicated desktop to prevent applications from popping up.
  • IMPROVED: Force Breach to kill more processes.
  • IMPROVED: Force Breach now works under SYSTEM or SERVICE account.
  • IMPROVED: Detection and removal of ZeroAccess/Sirefef CLSID variant.
  • IMPROVED: Improved removal of MaxSS bootkit.
  • IMPROVED: Improved Volume Boot Record (VBR) handling.
  • FIXED: A problem where Default scheduled scan would not scan for cookies.
  • FIXED: SafeBoot Minimal was not working.
  • FIXED: Behavioral scoring on WOW64 uninstall keys.
  • FIXED: Compatibility issue with Dataplex caching software from NVELO.
  • UPDATED: Portugues language.
  • UPDATED: Internal white lists.


32-bit: http://dl.surfright.nl/HitmanPro36.exe
64-bit: http://dl.surfright.nl/HitmanPro36_x64.exe

HitmanPro 3.6

December 23, 2011

With great pleasure we announce the release of HitmanPro 3.6.

The highlights of this release are a brand new Remnant Scan, a new Scheduler with more options, a new Shell Extension, revamped graphics and many improvements which make this release the best release yet.

For the complete list of changes see the below changelog.


  • Hitman Pro is now called HitmanPro. On Twitter use #HitmanPro.
  • NEW: Added Scanning for Malware Remnants.
    This new feature scans the File System and Registry for common malware related paths (files, folders, keys). The Remnant Scan combines a multi-threaded local scan with cloud based confirmation. In 3.6.0 we are detecting only a few hundred remnants; more will be added to the cloud in the coming weeks. We are still fine tuning the tooling on the back end.
  • NEW: Added new Scheduler to allow scanning Daily, At Startup, Mon, Tue, Wed, Thu, Fri, Sat, Sun at specific times. The scheduler is a process called hmpsched.exe.
  • NEW: Shell integration by using a Shell Extension which adds an icon to the context menu and also allows multiple selected files to be scanned.
  • NEW: Added ‘Goto location’ to context menu to highlight the file in Windows Explorer.
  • NEW: Added ‘Show information’ to context menu to expose more internal information to the end user. Tip: the information can be copy-pasted.
  • NEW: Added third opinion scan using VirusTotal.
    To use this feature you enter your personal VirusTotal Public API Key on the Advanced tab under Settings.
  • NEW: Added detection for files signed with weak Authenticode signatures (RSA 512-bit keys).
    See also: http://blog.fox-it.com/2011/11/21/rsa-512-certificates-abused-in-the-wild/
  • NEW: Added chevrons to highlight items in the result list that are running [PID] or start by [Run], [Service] or [Driver].
  • NEW: Added detection and repair for the HOSTS file that was altered by malware.
  • NEW: Added /clean command line switch to automatically quarantine and remove malware.
  • NEW: Added the option to disable the automatic upload of suspicious files to the Scan Cloud.
  • IMPROVED: Cloud Assisted Miniport Hook Bypass
  • IMPROVED: Detection and removal of Sinowal, Mebroot rootkit
  • IMPROVED: Removal of TDL4 (and variants) on systems where Boot Configuration Data (BCD) was persistently malformed by TDL4. Removing TDL4 from those systems could cause a non-bootable system (BSOD). HitmanPro now repairs BCD before removing TDL4 (or variants).
  • IMPROVED: NTFS Parser to work better with heavily fragmented files.
  • IMPROVED: Direct Disk Access now always scans using the lowest possible level.
  • IMPROVED: Firefox and Chrome cookie scan.
  • CHANGED: For regular users Early Warning Scoring (EWS) is no longer available from the Next button. Expert users can re-enable the EWS scan mode on the Advanced tab under Settings.
  • INFO: 3.6.0 is currently only available in English.

Hitman Pro 3.5 users will not be automatically upgraded since 3.6.0 is currently only available in English. Automatic upgrade of Hitman Pro 3.5 will occur with version 3.6.1.

Installing HitmanPro 3.6 will automatically upgrade an existing Hitman Pro 3.5 installation.

32-bit: http://dl.surfright.nl/HitmanPro36.exe
64-bit: http://dl.surfright.nl/HitmanPro36_x64.exe

Hitman Pro removes Popureb.E

June 30, 2011

The latest release of Hitman Pro 3.5.9 – build 126 – will remove the infamous Trojan “Popureb” without the need to reinstall the operating system as previously advised by Microsoft.

Malware like Popureb overwrites the hard drive’s Master Boot Record (MBR), the first sector – sector 0 – where code is stored to bootstrap the operating system after the computer’s BIOS completed its start-up checks. The rootkit hides the MBR by hooking the DriverStartIo of the harddisk driver atapi.sys, making it effectively invisible to both the operating system and most security software.

The Cloud Assisted Miniport Hook Bypass technology that was added to Hitman Pro in an earlier release this month is designed to detect these sophisticated rootkits. Our Cloud Assisted Miniport Hook Bypass is capable of detecting and removing the Popureb bootkit.

Build 126 of Hitman Pro 3.5 contains a new Tool Action: Replace with standard MBR.

This new action offers users a means to overwrite a non-standard MBR with a standard MBR returning it to a clean state. This new Tool Action is only available to users when scanning a system with Hitman Pro in Early Warning Scoring (EWS) mode. Users do not need to use the Windows Recovery Console to return the MBR to a clean state.

A beta version of Hitman Pro 3.5.9 build 126 can be downloaded here:

32-bit: http://dl.surfright.nl/HitmanPro35beta.exe
64-bit: http://dl.surfright.nl/HitmanPro35beta_x64.exe

UPDATE: Click here to view Hitman Pro in action against Popureb.

Hitman Pro 3.5.9 build 124

June 16, 2011

The main purpose of Hitman Pro 3.5.9 build 124 is the addition of the Cloud Assisted Miniport Hook Bypass feature.

In the past weeks, we noticed an increase in highly advanced rootkits such as Mebroot, Sinowal and TDL4 who were trying to defeat detection by Hitman Pro” according to Mark Loman, CEO of SurfRight. “With this new release we are able to better detect and remove these sophisticated threats.

The most important features in this new version are:

  • Cloud Assisted Miniport Hook Bypass feature.
  • Mebroot/Sinowal detection and removal.
  • Removal of new variant of Trojan Vundo.
  • Master Boot Record (MBR) protection when restoring infected MBR to counter rootkit watchdogs.
  • Repair for BCD testsigning. Testsigning is a feature of 64-bit Windows that, when enabled, allows loading of non-signed drivers on 64-bit Windows. Testsigning is typically abused by 64-bit bootkits.

The full release notes and changelog of Hitman Pro 3.5.9 build 124 can be found on www.surfright.com/hitmanpro/whatsnew.

Existing users of Hitman Pro will automatically be updated to the latest version in the next few days.

Cloud Assisted Miniport Hook Bypass

June 16, 2011

The toughest types of malware are rootkits. Rootkits embed themselves deep in the operating system where they hide for antivirus software. The longer a rootkit stays alive on a computer, the more profit the malware authors make because the computer is under their control.

Highly advanced rootkits like the TDSS family (TDL, Alureon.DX, Olmarik) and new variants of Mebroot and Sinowal work on both 32-bit and 64-bit versions of Windows and infect the Master Boot Record (MBR). This means that these so called Bootkits start before Windows boots up, which gives the bootkit an obvious advantage. Any protection mechanism imposed by Windows (or antivirus that is loaded by Windows) can be defeated (the program that is started first, can have control over the others).

Once Windows is booting, the rootkit attaches a filtering mechanism to the hard disk driver. This filter gives the rootkit complete control over the hard drive. For example, when an antivirus tries to read the MBR (sector 0) of the hard drive (to see if it is infected), the rootkit will simply serve a regular MBR so that it appears that the MBR is clean. Hence, the rootkit is undetected.

Now in order to read the actual infected MBR you need get around the rootkit’s filtering mechanism.

For this you need to know two things:

  1. The hard disk miniport driver that is hooked (e.g. atapi.sys, iaStor.sys, nvstor32.sys, amdsata.sys, etc.)
  2. How the rootkit is hooking into it

When you know the exact hard disk driver that is in use, you are able to communicate directly with it, reading around the hooks of the rootkit.

The problem is that there are literally thousands of different brands, types and versions of hard disk drivers and they all need to be addressed differently. This is where Cloud Assisted Miniport Hook Bypass comes in.

Cloud Assisted Miniport Hook Bypass collects hard disk miniport driver information from clean computers and stores a representation of this information (a fingerprint of a few bytes) in the Cloud. When Hitman Pro detects a hook on the hard disk driver, it consults the Cloud on how to work around it. This allows Hitman Pro to read around the rootkit’s filtering and effectively reading the actual infected sectors. This works for ANY hard disk driver and not just the common ones.

If you run Hitman Pro with Early Warning Scoring (a mode for experts) on a Mebroot infected system you can see Cloud Assisted Miniport Hook Bypass in action. If the yellow sticky mentions bypassed then Hitman Pro should be able to detect presence of the rootkit:

The yellow sticky only appears in Early Warning Scoring scan. In the Default Scan or Quick Scan the sticky is not displayed because non-expert users have no idea what a kernel-mode hook is. Of course, when an infected MBR is detected it is listed, regardless of the chosen scan.

Cloud Assisted Miniport Hook Bypass collectively helps Hitman Pro users to combat the toughest malware threat: Rootkits.

Available in Hitman Pro 3.5.9 (or newer).

TDL4 bootkit reinstates 64-bit infection capability

May 2, 2011

Microsoft released security update KB2506014 on April 12 to address a vulnerability which allowed unsigned drivers to be loaded by 64-bit Windows. The TDSS/Alureon rootkit family, where TDL4 is a part of, was one of the more advanced rootkits that abused this vulnerability to load the rootkit during Windows boot up. TDL4 is also known as the Google Redirect Virus.

TDL4 infects the Master Boot Record (MBR) and effectively loads before Windows boot up. This gives so called bootkits the upper hand in countering the protection mechanisms introduced by 64-bit Windows.

We started to see this new variant a few days ago when we received reports that Hitman Pro was no longer able to remove the TDL4 rootkit. Hitman Pro was detecting the presence of the rootkit but it was no longer able to determine its load point, which is needed for the rootkit’s removal. The reports also outline that the few dedicated TDSS removal tools from other vendors were also having difficulties to detect and remove it, which is a clear indication that we are dealing with a new variant.

Key survival strategy for rootkits is that they must be undetectable by antivirus software. TDL4 does so by attaching itself to the hard disk (at the lowest level) and filtering all read/write operations. When antivirus software reads data from the drive, the rootkit just serves clean uninfected data, effectively blinding antivirus and internet security software.

In order to detect the presence of rootkits like TDL4 an antivirus must get around the rootkit’s filtering. Only then the actual infected disk sectors can be read and inspected.

Hitman Pro’s Direct Disk Access technology is specifically made to get around such rootkit techniques by scanning computers at a much deeper level. Many of our first-time users are infected with the TDL4 rootkit, despite up-to-date protection software from renowned security vendors. Even though these vendors frequently write reports about this threat, the rootkit does not appear in any top threat list because most products lack the technology to detect and remove it.

Hitman Pro 3.5.8 build 121 is able to detect and remove the latest TDL4 bootkit variant. A beta version can be downloaded from here:

32-bit: http://dl.surfright.nl/HitmanPro35beta.exe
64-bit: http://dl.surfright.nl/HitmanPro35beta_x64.exe

Changelog (Build 121)

  • Added detection and removal of latest TDL4 bootkit
  • Improved behavioral scan
  • Improved removal engine
  • Added Indonesian language
  • Updated Czech language

Hitman Pro 3.5.8 build 119

March 7, 2011

Hitman Pro 3.5.8 build 119 is now available for download.

What’s New

  • Added support for Windows 7 SP1 & 2008 SP1
  • Improved method of replacing infected system files
  • Updated internal embedded white list
  • Bulgarian language added
  • Swedish language updated

A full list of changes can be found here.

Existing users are automatically updated to the new build. New users can download from www.surfright.com/downloads.