Archive for April, 2007

New Panda Anti-Rootkit – Version 1.07

April 27th, 2007 101 comments

We're experiencing a lot of downloads of Panda AntiRootkit. Many thanks to all the people that are helping us improve this free utility by sending suggestions, comments, feedback and submitting new rootkits that are being found in the wild.

I'm happy to say that I have a couple of good news. The first one is that based on your many suggestions we have created version 1.07 of Panda AntiRootkit. Version 1.07 has the following improvements:

  • Capable of deactivating unknown rootkits. We consider "unknown" a rootkit for which Panda AntiRootkit does not have a deactivation routine. This does not mean that Panda does not know about the rootkit. Rather that we have not yet included the full deactivation routine in Panda AntiRootkit. But now you'll be able to deactivate all rootkits. By default you'll be presented with deactivation of known rootkits plus the option to deactivate any unknown rootkits found on your system.
  • Deletes registry keys transparently. Up to version 1.06 we only deleted the necessary registry keys to deactivate the rootkit and prevent it from functioning. Some leftover keys made some users worry about incomplete deactivation. Version 1.07 now transparently deletes all rootkit associated registry keys for piece of mind.
  • Cleaner interface. We have cleaned the results window for a more efficient use of available space. Now a mouse-over a detected object will present you with its type (file, process, ADS, registry, etc.).
  • Various improvements have also been made to the disinfection of unknown rootkits, some false positives reported by some of you, and more deactivation routines.

Get it from CNET!

Alternative download link here.

The second good news is that Panda AntiRootkit 1.07 has achieved the prestigious Editor's Choice award from PC Magazine USA. Read the review to see how Panda AntiRootkit and other anti-rootkits performed during detection and deactivation tests. Again many thanks for your support and remember to perform a full system scan with a signature based antivirus after deactivating a rootkit.

Categories: Rootkits, Utils Tags:

The rise of the (http) botnet

April 17th, 2007 Comments off

We're seeing more and more http-based botnet controllers. Even though these botnets are still limited in number of infected hosts, there's also some new and interesting exploit-frameworks being used to infect and populate these http-controlled bots. More to come soon.

Categories: Malware Tags:

ANI loader vulnerability analysis

April 10th, 2007 Comments off

The guys over at Hispasec have just published a very nice analysis of the ANI loader vulnerability. It's also very interesting to see the stats of unique samples received at VirusTotal that exploit the ANI vulnerability.

Categories: Vulns Tags:

Point-and-click Internet Explorer VML exploits

April 9th, 2007 2 comments

Just a curiosity, but today's the 3 month anniversary of the integer overflow vulnerability in VML (vgx.dll). We shouldn't get too caught up on the latest and greatest media-friendly PoC and keep an eye on what's going on in the underground. Sure, MS released the patch for this some time ago and probably quite a few users are protected already, but how about those who haven't applied the patch or have deployed it internally in their networks? Most the time it's these people that cause the majority of the problems for the rest of us, and we're definately still seeing users being infected through this vector.

Couple of days ago I came across a recently released utility to create exploits for the VML vulnerability. The utility, named "MS-07004 V3.0", allows malicious users to easily create exploits using a graphical user interface. The utility creates HTML and JS files that exploit both MDAC and VML vulnerabilities, both of which allow remote attackers to execute arbitrary code.

All you need to do is provide a URL pointing to a critter of your choice. Then simply choose the type of exploit to use to execute the trojan remotely. You can choose between MS06-014, MS07-004 or a combination of both for "redundancy". If you simply choose MS07-004 it will create 3 files, a INDEX.HTM which loads MM.JS, which in turn references 07004.HTM.

Just a friendly reminder to those with responsability over "reminding people to patch their systems", to keep doing so. Users are much more likely to encounter a VML or ANI exploit than having their iPod catch a cold.

Categories: Vulns Tags:

Updated Command-Line Scanner

April 2nd, 2007 12 comments

Our win32 command-line scanner based on the Panda Engine v1.4.3 is still undergoing QA testing but we're releasing it here first for research purposes. Some of the new functionalities included are support of Vista platforms, Office12, SIS, MMS formats, low-level rootkit detection and more. Check out the specs of the Panda Engine v1.4.3 for more info.

The current Panda Antivirus Command-Line (aka PAVCL) is version and can be downloaded from here. There's also a linux scanner available in (EDIT LINK) rpm and (EDIT LINK) tgz even though that is still based on a previous version of the engine. As soon as we're done integrating 1.4.3 into linux I'll post it here.

It's basic syntax is:
pavcl.exe [parameter] [what to scan]

Simply run "pavcl.exe" to get a complete listing of the available parameters. Some of the most interesting and commonly used ones are the following:

Do not scan boot sector
Delete infected files
Seach for viruses in compressed files
Disinfect viruses found
Activates heuristic high sensibility
Does not allow Ctrl-C breaking of the program
Deactivate sounds
Create a report file
Scan all extensions
Scan memory
Do no scan memory

Some typical examples:
pavcl -cmp -aex -clv c:\windows
pavcl -cmp -aex -nob -nos -heu:1 -nomem "c:\utilities\downloads from internet"

Categories: Utils Tags:

Panda AntiRootkit Official Release

April 2nd, 2007 44 comments

We're very glad to announce that Panda AntiRootkit 1.06 has finally been officially released for the mass market. It has taken a while since we've been implementing a lot of the suggestions and reports received during the alpha and beta testing phases started in December 2006. Many thanks to all the people (over 20,000 downloads) who have helped us improve this free utility for the community.

Panda AntiRootkit 1.06

Panda AntiRootkit is a free utility that performs in-depth scans of your computer in search for hidden resources, identifying and disinfecting known and unknown rootkits. Unlike other rootkit utilities which merely "reveal" hidden objects, Panda AntiRootkit positively identifies known and unknown rootkits and gives the option of removing them, including their associated registry entries, processes and files.

In addition Panda AntiRootkit has an Exhaustive Scan Monitor (requires reboot) capable of monitoring drivers and processes loading at boot time. It's unique technology does this at a lower level than any other AntiRootkit utility, therefore revealing all hiding techniques used by the latest generation rootkits.

Panda AntiRootkit discovers hidden files, registry entries, drivers,
processes, modules, SDT modifications, EAT hooks, modifications to IDT,
non-standard INT2E, non-standard SYSENTER, IRP hooks, and much more.
Among many things we have added an extended .CSV report which can be
exported for consulting detailed information of hidden objects found,
and some interface process refinements.

Panda AntiRootkit runs on Windows 2000 SP4 and Windows XP and above. For a version that
runs on servers please contact your local Panda Technical Support
office. Keep in mind that Panda AntiRootkit is not an antivirus
solution nor does it provide real-time protection. If Panda AntiRootkit
has detected and disinfected a rootkit from your system, we still
recommend that you run a complete AV scan afterwards to delete any
malicious files that might be left over.

For those interested you can also run Panda AntiRootkit 1.06 from the command-line. This is specially useful in corporate networked environments that wish to run Panda AntiRootkit from a login script or centralized management tool. The available command-line switches are:

/CLEAN Automatically remove detected rootkits
Send all suspicious items detected to PandaLabs
Log all results to a file
Restart automatically to complete cleaning
Hide on-screen messages during execution

Even though you can still comment and download Panda AntiRootkit 1.06 from our Research blog here, it will be officially distributed and supported from now on from our regular website.

Categories: Rootkits, Utils Tags: