Archive for the ‘Rootkits’ Category

Tis the comparative season

April 25th, 2011 Comments off

There’s been a few comparative tests published as of late. In case you’ve missed any of them here’s a quick rundown of the most significant ones.

First on the list are the Q1-2011 quarterly results of the Full Product Test (FPT) by . These FPTs are performed monthly and are very in-depth, covering pretty much all aspects of modern security software and testing from a user's perspective by replicating infection vectors and user experience. The areas tested include real-time blocking of malicious websites, detection of relevant and active malware samples (zoo malware, and wildlist malware according to the wildlist criteria rather than the limited list), false positive testing, performance testing, disinfection testing, detection and disinfection of active rootkits, behaviour-based dynamic detection, dynamic false positives, and packer and archive support. Overall it is one of the most comprehensive regular tests out there. It's such a tough test that 5 out of the 22 vendors tested did not obtain the minimum score to achieve certification. Panda Internet Security came out with very good scores and achieved certification. The report on Panda Internet Security can be found here (PDF) and the complete results for all vendors here.

Next in line are a couple of tests by . The first one is the traditional On-Demand test from February 2011, which also tests false positives and the performance of the on-demand scanner. In this test Panda Antivirus Pro achieved the #4 rank in terms of malware detection. We still had 18 false positives that, even though they are of low prevalence according to , prevented us from achieving the Advanced+ certification. We're doing a lot of work on improving in this area. Panda Antivirus Pro also achieved the #2 rank in the performance test for scanning speed. The full report can be downloaded from the website here.

The second recently published test by is the Whole-Product Test. Like the Full Product Test, this test tries to measure user experience by replicating the infection vector. Unlike the FPT, it focuses only on malicious websites and behaviour-based dynamic detection. Panda Internet Security scored very well with a 98.8% protection index. More information can be found at the site here.

If you’re interested in these types of AV tests, make sure to vote on your favourite AV testing outfit in our open poll here. So far both AV-Comparatives and AV-Test are leading the pack.

First Independent Test of Panda Internet Security 2010

June 26th, 2009 23 comments

As you may know we released our Panda 2010 products yesterday. In addition to the traditional Panda Antivirus Pro 2010, Panda Internet Security 2010 and Panda Global Protection 2010, this year we've also released a tailor-made product for netbooks and ultra portables called Panda Antivirus for Netbooks.

I just got word from Andreas Marx from that they've put Panda Internet Security 2010 (PIS 2010) to the test today. Some conclusions from the test are given below, in Andreas' own words:

WildList Test. We started with a detection test against all samples from the most recent WildList 05/2009 and malware from older releases. Our test set includes 3,194 confirmed malicious and widespread samples. We tested the set with the on-demand scanner and on-access guard. In both cases, Panda was able to detect and remove these viruses, worms and bots easily.

Full Collection Test. We were able to test PIS 2010 against a larger set of about 680,000 malware samples, including ad- and spyware, trojan horses and other critters. It detected 99.6% of these files, without flagging any files in our false positive / clean file test set, which is a very good result.

TruPrevent Test. We have tested the dynamic (behaviour-based) detection with a few recently released malware samples which are not yet detected by heuristics, signatures or the "in the cloud" features and found that Panda warned in about 45% of the cases when we executed the malware sample. However, it only blocked and quarantined just a few of these tested samples. (More testing in this area needs to be performed to report statistically significant results.)

Disinfection Test. The detection and removal of an already infected PC was working properly, all active components were removed during the system repair process and just in some cases, registry keys belonging to the malware were left behind.

Rootkit Test. The detection and removal of actively running rootkits was quite impressive: all rootkits in our test were successfully identified and deleted.

As you may imagine we're very happy about the results of this test and hope other independent tests come along soon that also validate the highest level of quality provided by our most advanced ever anti-malware solutions.

For detailed testing methodology (for rootkit detection and removal, system disinfection, dynamic detection, etc.) I recommend you visit Papers selection.

Other advanced testing methodologies worth reading up on can also be found at ATMSO's Document Library.

Most Popular Freeware Championship 2008

July 9th, 2008 Comments off

First it was the Eurocup, then Wimbledon, and to top it all off, Panda Anti-Rootkit has won Germany's PC WELT "Most Popular Freeware Tool" Championship 2008. This is a prize run by members of the PC Welt forums and the selection is done by reader voting. Panda Anti-Rootkit won the final after a close vote against finalist IPTV Zattoo (52,32% vs. 47,68%).

This latest prize, in addition to PC Magazine USA Editor's Choice Award, confirms the quality and effectiveness of Panda Anti-Rootkit in helping users free their PCs from hidden malware and rootkits.

Again many many thanks to readers of this blog for spreading the word about Panda Anti-Rootkit.

Categories: News, Rootkits

New Panda Antivirus Command Line 9.5.1

July 4th, 2008 44 comments

I'm happy to announce the availability of our new Panda Antivirus Command-Line scanner (PAVCL) version . This new engine incorporates interesting features over previous versions, especially focused on detecting and deactivating active rootkits and on improved heuristic detection of new and unknown malware:

* Engine version 1.5.1 integration.
* Reboot driver. Disinfection of active rootkits during reboot. Needs to run with admin privilege.
* Integration of Heuristic engine 7.0.7 with improved performance. Defaults to medium sensitivity.
* Suspicious detection counter in both console and logs.
* Digitally signed executables.
* New log in CSV format (pavcl.log).

The new log format is as follows:

As always, we have a signature file available from the blog for testing purposes which is NOT updated on a regular basis. For production and critical scanning systems make sure to contact us for a regular signature feed.

Download the new PAVCL from
Get it from CNET!

Return codes are available for integrating PAVCL with automated scanning systems. PAVCL returns a 4-byte numeric value that encodes the type of program exit, the type of operation performed and the number of malware detected. For more info on this contact me.

This version is compatible with Windows 2000, 2003, XP (32 and 64 bits) and Vista (32 and 64 bits).

Categories: News, Rootkits, Utils

Banking Trojans III

June 2nd, 2008 4 comments

In the previous posts Banking Trojans I and Banking Trojans II we gave an overview of the main banker trojan families and their simple characteristics (files and registry entries). Let's dig a little deeper now and take a look at their infection and hiding techniques.

Banbra (Dadobra, Nabload)
* Static process
* Process injected into other process
* Encrypted / packed file

* Static process
* Process injected into other process
* Encrypted / packed file

Bankdiv (Banker.BWB)
* Static process
* Process injected into other process
* Encrypted / packed file
* Modification of Operating System files
* Substitution of Operating System files

Bankolimb (NetHell, Limbo)
* Static process
* Process injected into other process
* Encrypted / packed file

* Static process
* Process injected into other process
* Encrypted / packed file
* Modification of Operating System files

* Static process
* Process injected into other process
* Encrypted / packed file

Cimuz (Bzud, Metafisher, Abwiz, Agent DQ)
* Static process
* Process injected into other process
* Encrypted / packed file

Dumador (Dumarin, Dumaru)
* Static process
* Process injected into other process
* Encrypted / packed file

Goldun (Haxdoor, Nuclear grabber)
* Static process
* Process injected into other process
* Process hidden by rootkit
* Encrypted / packed file
* File hidden by rootkit

Nuklus (Apophis)
* Static process
* Process injected into other process
* Encrypted / packed file

* Static process
* Process injected into other process
* Encrypted / packed file

* Static process
* Process injected into other process
* Encrypted / packed file

Sinowal (Wsnpoem, Anserin)
* Polymorphic process
* Process injected into other process
* Process hidden by rootkit
* Polymorphic file
* Encrypted / packed file
* File hidden by rootkit

Snatch (Gozi)
* Static process
* Process injected into other process
* Encrypted / packed file

* Static process
* Process injected into other process
* Encrypted / packed file

Torpig (Xorpix, Mebroot)
* Static process
* Polymorphic process
* Process injected into other process
* Process hidden by rootkit
* Encrypted / packed file
* File hidden by rootkit
* MBR rootkit

Categories: Malware, Rootkits

Anti-Rootkit Testing

May 16th, 2008 4 comments

DarkReading issued a note a few days ago titled "New Tests Show Rootkits Still Evade AV". These tests, originally performed by, are becoming more important every day as malware is making use of advanced rootkit and hiding techniques to evade detection by security solutions. This, of course, is not news to anyone.

What is news is the effectiveness of rootkit-based malware. It really doesn't make much of a difference if solution XYZ detects the largest amount of malware using traditional AV signatures if it can't even "see" the malware that is hidden by a rootkit. Modern security solutions must not only have advanced heuristics and behavioural analysis and blocking, but must also be able to dig deeper into the operating system, or else they fail to protect users correctly.

The results of the test are very satisfactory for Panda products, thanks mostly to the technology incorporated into our products, which has been tested thoroughly through Panda Anti-Rootkit, especially by regular readers of this blog.

In the online-scanner portion of the anti-rootkit test we did pretty well, with the highest scores in both detection and removal of malware hidden by rootkits:

                                                  Detection   Removal
Security ActiveScan 5.54.01                           26         26
F-Secure Online Virus Scanner 3.2 Beta (1.0.64)       26         23
Microsoft Windows Live Safety Scanner                 25          8
Kaspersky Online Scanner                              21          0
Trend Micro HouseCall                                  5          1
BitDefender Online Scanner                             3          0


In the Windows Vista test we did pretty well as well:

Three AV tools had perfect scores, catching all active and inactive rootkits as well as removing all of them: Norton Antivirus 2008; Panda Security Antivirus 2008 3.00.00; and F-Secure Anti-Virus 2008 6.80.2610.0.


The test is available here for those who want to take a deeper look (look for "Anti-Stealth Fighters: Testing for Rootkit Detection and Removal", Virus Bulletin 04/2008). Again many thanks to the people who've helped us test and improve our anti-rootkit technology.

EDIT: Updated link to Papers section of AV-Test Website and F-Secure detection and removal ratios (26/23 vs. 23/26).

Categories: News, Rootkits

Banking Trojans II

April 21st, 2008 Comments off

In Banking Trojans Part I, I covered some banking trojan families. Here I will list the rest of the most dangerous of these types of malicious code.


Goldun, Haxdoor, Nuclear Grabber
It usually drops a DLL and a SYS file with rootkit functionality.
It creates a registry entry in order to load the DLL:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

Cimuz, Bzud, Metafisher, Abwiz, Agent DQ
It usually drops a DLL as a Browser Helper Object (BHO) with these names:

We have also seen other names for these files.

Bankolimb, Nethell, Limbo
It usually drops a DLL as a Browser Helper Object (BHO) and an encrypted XML which acts as a configuration file for the Trojan.
Some variants create the following registry entry:
Others create the following one:

Briz, VisualBreez
Programmed in Visual Basic, it creates the following files:


Registry entry:
And usually modifies the hosts file.

Nuklus, Apophis
It usually downloads the following files:


BankDiv, Banker.BWB
Creates the following files:


Snatch, Gozi
It usually installs a driver with rootkit functionalities:
    %WindowsRoot%\driver new_drv.sys

Creates the following registry entries:
    “ttool” = %WindowsRoot%\svcs.exe

It modifies the following system files:

And creates the files:

Usually targets banks from the Netherlands.

Drops file in %SystemRoot% with random names, for example:

Creates a registry entry:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Drivers32 “midi1”

If you suspect infection by these or any other type of malware I encourage you to double check by scanning your PC online with ActiveScan 2.0.

Categories: Malware, Rootkits

Banking Trojans I

April 18th, 2008 Comments off

Some of the most dangerous types of threats out there today are banking trojans. These malicious trojans are very specialized and focused on stealing banking credentials. They use advanced techniques to fool users, such as injecting HTML code to ask for additional confidential information such as SSNs, PINs and coordinate cards, intercepting Transaction Authentication Numbers (TAN) and replacing them with bogus ones, and many more dirty tricks. There's no real solution to the problem in place and certainly no banking customer is safe from this threat today.

These are normally developed by real cyber-criminal mafias such as the Russian Business Network (RBN) and go to great lengths to avoid being detected by traditional antivirus techniques. Not only do they go through QA testing prior to being released, but they are also packed with advanced techniques and purpose-made packers that make signature detection less efficient. Specialized heuristics are the most interesting area of research to counter these attacks.

In order to familiarize yourselves with this new type of threat it is important to understand how they work and how they install themselves in your system. In this post I'll show you basic characteristics of some banking trojan families. Watch out for some more details in future posts.

Banbra, Dadobra, Nabload, Banload
Programmed in Delphi, usually packed using Yoda Protector or Telock.
They are usually big (more than 1MB in size), but the Trojan Downloaders which install them are smaller.
It usually sends out the stolen information via e-mail or ftp to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Programmed in Visual Basic.
Similar to the Banbra family but in Visual Basic, they are usually big (more than 1MB).
It usually sends out the stolen information via e-mail or ftp to a remote server.
It contains Portuguese strings and usually targets banks from Brazil and Portugal.

Dumador, Dumarin, Dumaru
Programmed in Delphi, usually packed using FSG.
It creates the following files:
It also creates the following registry entries:
Some variants also modify the hosts file.

Sinowal, Wspoem, Anserin, AudioVideo
It creates the following files:
    %SystemRoot%\ntos.exe (usually loaded by svchost.exe to avoid being listed as an active process).
It creates the folder %SystemRoot%\wsnpoem, where it saves the files audio.dll and video.dll.
They are not really DLL files. In one of these files the Trojan saves an encrypted list of targeted banks. In the other file it saves the stolen data.
It also modifies the following registry entry in order to run at every boot:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    Old value = "%SystemRoot%\userinit.exe"
    Modified = "%SystemRoot%\userinit.exe", "%SystemRoot%\ntos.exe"
It downloads the file cfg.bin that usually contains the encrypted text strings for the banks.

Torpig, Xorpig, Mebroot
It creates the following files:
    %CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe
    %CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.dll
The "?" is normally replaced by a digit (ex. ibm00001.exe).
And the following registry entry:
        “Shell” = "%CommonFilesRoot%\Microsoft Shared\Web Folders\ibm0000?.exe"
It usually creates a service in order to load the file ibm0000?.dll through svchost.exe.

Recent variants of Torpig, Xorpig and Mebroot:

The latest trend is that it modifies the computer's Master Boot Record (MBR) to run rootkit code that hides the Trojan. Sometime later it forces a computer reboot and creates the following files:
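The persistence points listed in this post and in Banking Trojans II (the Winlogon Userinit and Shell values, Winlogon\Notify packages and the Drivers32 entries) can be checked mechanically against a clean baseline. The following is an added example, not code from the original post or from Panda; the registry snapshot is a constructed dict standing in for values read from HKLM, the file names rk_notify.dll and qwxyz.dll are placeholders, and the baseline allowlists are assumed XP-era defaults (the Userinit baseline is the "Old value" quoted above).

```python
# Added example: flag unexpected entries in Winlogon / Drivers32 persistence
# points. The snapshot and the baselines are constructed assumptions, not data
# read from a live system.

WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
NOTIFY = WINLOGON + r"\Notify"
DRIVERS32 = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Drivers32"

# Assumed clean baselines (simplified XP-era defaults, lower-cased for comparison).
EXPECTED_LIST = {
    "Userinit": {r"%systemroot%\userinit.exe"},   # "Old value" quoted in the post
    "Shell": {"explorer.exe"},
}
EXPECTED_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}
EXPECTED_DRIVERS32 = {"wdmaud.drv", "midimap.dll", "msacm32.drv"}

# Constructed snapshot: {(key, value name): data}. It mixes Sinowal-style
# Userinit tampering, a Torpig-style Shell entry, a Goldun-style Notify package
# and a Drivers32 "midi1" entry pointing at a random-named file.
SNAPSHOT = {
    (WINLOGON, "Userinit"): r'"%SystemRoot%\userinit.exe", "%SystemRoot%\ntos.exe"',
    (WINLOGON, "Shell"): r'explorer.exe, "%CommonFilesRoot%\Microsoft Shared\Web Folders\ibm00001.exe"',
    (NOTIFY + r"\crypt32", "DllName"): "crypt32.dll",
    (NOTIFY + r"\rk_notify", "DllName"): r"%SystemRoot%\system32\rk_notify.dll",  # placeholder
    (DRIVERS32, "midi"): "wdmaud.drv",
    (DRIVERS32, "midi1"): r"%SystemRoot%\qwxyz.dll",  # placeholder random name
}


def split_value(value):
    """Winlogon list values are comma-separated; entries may be quoted."""
    return [p.strip().strip('"').strip().lower() for p in value.split(",") if p.strip()]


def basename(path):
    """Last path component, lower-cased, for allowlist comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_persistence(snapshot):
    """Return (where, suspicious entry) tuples for everything outside the baseline."""
    findings = []
    # 1. Comma-separated Winlogon values: anything beyond the baseline is suspect.
    for name, baseline in EXPECTED_LIST.items():
        for part in split_value(snapshot.get((WINLOGON, name), "")):
            if part not in baseline:
                findings.append((name, part))
    # 2. Winlogon\Notify packages and Drivers32 values: allowlist by DLL/driver name.
    for (key, name), data in sorted(snapshot.items()):
        if key.startswith(NOTIFY + "\\") and name.lower() == "dllname":
            if basename(data) not in EXPECTED_NOTIFY_DLLS:
                findings.append((key[len(WINLOGON) + 1:], data.lower()))
        elif key == DRIVERS32 and basename(data) not in EXPECTED_DRIVERS32:
            findings.append((name, data.lower()))
    return findings


if __name__ == "__main__":
    for where, entry in check_persistence(SNAPSHOT):
        print(f"suspicious {where}: {entry}")
```

Anything this reports is only a lead: a legitimate third-party product may register a Notify package or a codec, so the finding should be confirmed by checking the file it points at (signature, location, creation time) rather than deleted on sight.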


Thanks to Vicen from PandaLabs for the info.

Categories: Malware, Rootkits

Rootkits in the mist

June 26th, 2007 7 comments

During the last 7 months, thanks to Panda Anti-Rootkit, we've been able to gather some really interesting statistics on which rootkits are most actively infecting users as well as on new rootkit techniques emerging in the wild.

Out of the tens of thousands of machines cleaned so far, the most prevalent rootkits in-the-wild are by far Beagle.FU and Adware/NaviPromo. Together they account for almost 64% of all rootkit detections. The different variants of Rustock come in third place with 16% of the infections, followed by Flush.K, Zlob.A and Peacomm.B.

The simplest techniques used by rootkits to hide files, processes and registry entries are based on hooking functions in the Import/Export Address Tables (IAT/EAT) of processes. The rootkit can then intercept and filter the information returned by the system to the querying process. These hooks are done in user mode and only affect the processes whose IAT/EAT has been hooked.
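Because an IAT hook redirects an import slot to code the rootkit controls, a common detection check is to verify that each resolved import pointer still lies inside the image of the module that exports it. The block below is an added example, not code from the original post or from Panda Anti-Rootkit: the module base addresses, the IAT snapshot and the injected module hook.dll are constructed sample data, and the list of forwarded exports (kernel32!HeapAlloc forwarding to ntdll) is included to show the false positive a naive check would produce.

```python
# Added example: detect user-mode IAT hooks by address-range validation.
# All addresses and the IAT snapshot are constructed, not read from a process.
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size


# Constructed loaded-module map (hypothetical bases/sizes).
MODULES = [
    Module("kernel32.dll", 0x7C800000, 0x000F6000),
    Module("ntdll.dll", 0x7C900000, 0x000B2000),
    Module("hook.dll", 0x10000000, 0x00010000),  # assumed DLL injected by a rootkit
]

# Exports that legitimately resolve into another module (assumed forwarder list).
FORWARDED_EXPORTS = {("kernel32.dll", "HeapAlloc"): "ntdll.dll"}

# Constructed IAT snapshot: (exporting module, function name, resolved pointer).
IAT_ENTRIES = [
    ("kernel32.dll", "FindFirstFileW", 0x7C813000),
    ("kernel32.dll", "FindNextFileW", 0x10001F20),           # redirected into hook.dll
    ("kernel32.dll", "HeapAlloc", 0x7C9105D4),               # forwarded to ntdll: legitimate
    ("ntdll.dll", "NtQuerySystemInformation", 0x7C90D7E0),
    ("ntdll.dll", "NtQueryDirectoryFile", 0x10002040),       # redirected into hook.dll
]


def owner_of(address, modules):
    """Name of the module whose image range contains the address, or None."""
    for m in modules:
        if m.contains(address):
            return m.name
    return None


def find_iat_hooks(iat_entries, modules, forwarded=FORWARDED_EXPORTS):
    """Return (function, expected module, actual module) for every IAT slot whose
    pointer does not fall inside the module expected to export it, honouring
    known export forwarders so they are not reported as hooks."""
    by_name = {m.name: m for m in modules}
    hooks = []
    for exporter, func, ptr in iat_entries:
        expected_name = forwarded.get((exporter, func), exporter)
        expected = by_name.get(expected_name)
        if expected is None or not expected.contains(ptr):
            hooks.append((func, expected_name, owner_of(ptr, modules)))
    return hooks


if __name__ == "__main__":
    for func, expected, actual in find_iat_hooks(IAT_ENTRIES, MODULES):
        print(f"{func}: expected in {expected}, points into {actual}")
```

On a real system the module map comes from the loader's module list and the IAT from the PE import directory of each loaded image; a pointer landing in an unnamed, executable heap region (owner None) is just as telling as one landing in a foreign DLL.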

Kernel-mode rootkits, on the other hand, use a driver that normally modifies the Service Descriptor Table (SDT) or the Interrupt Descriptor Table (IDT), or uses more advanced techniques that modify kernel data structures directly (DKOM), the SYSENTER MSR register or the IRP dispatch routines, effectively filtering calls to the drivers. In the following table we can see which technique each of the Top5 rootkits use.

Advanced rootkit techniques
Lately rootkits are using new techniques to evade detection by anti-rootkit utilities. To achieve this they install themselves into an NTFS alternate data stream (ADS), which makes detection, and especially disinfection, much more difficult. Some good examples of these are Oddysee.B, which installs itself in an ADS of NTOSKRNL.EXE, Rustock.A, which installs in an ADS of the C:\Windows\System32 directory, and the atypical Unreal, which installs in an ADS of the system drive.

One of the most common strategies for detecting objects hidden by rootkits is based on cross-view comparison. To detect that a file is hidden, the anti-rootkit first enumerates the files using the system API functions that have been hooked by the rootkit; the hidden file will not show up in the results of this search. The anti-rootkit then performs a second search using lower-level access that is not intercepted by the rootkit and compares both results. Thanks to this cross-view, anti-rootkits can enumerate files which are hidden. However, many of these cross-view implementations do not enumerate the different system ADS at the low level, and therefore these advanced rootkits go undetected.
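The cross-view comparison and its ADS blind spot can be shown with a small simulation. This is an added example, not code from the original post or from Panda Anti-Rootkit: the "volume", the rootkit's filter and both enumerators are constructed stand-ins for a hooked directory-listing API and for raw on-disk enumeration, and the file names rk_driver.sys and hidden.sys are placeholders.

```python
# Added example: cross-view detection of hidden files, with and without ADS
# enumeration in the low-level view. Everything below is a constructed model.

# Constructed raw on-disk content: directory -> entries. An entry written as
# "name:stream" is an alternate data stream attached to "name".
RAW_VOLUME = {
    r"C:\Windows\System32": [
        "kernel32.dll",
        "ntoskrnl.exe",
        "ntoskrnl.exe:hidden.sys",   # placeholder: driver stored in an ADS of ntoskrnl.exe
        "rk_driver.sys",             # placeholder: ordinary file hidden by the rootkit
    ],
}

# Objects the (simulated) rootkit filters out of any hooked API enumeration.
HIDDEN_BY_ROOTKIT = {"rk_driver.sys", "ntoskrnl.exe:hidden.sys"}


def api_view(directory):
    """High-level view through the hooked system API. Directory listing APIs do
    not return streams at all, and the rootkit filters its own objects out."""
    return [e for e in RAW_VOLUME[directory]
            if ":" not in e and e not in HIDDEN_BY_ROOTKIT]


def raw_view(directory, enumerate_ads):
    """Low-level view that bypasses the hook. Whether streams appear depends
    only on whether the tool bothers to walk them."""
    entries = RAW_VOLUME[directory]
    return list(entries) if enumerate_ads else [e for e in entries if ":" not in e]


def cross_view(directory, enumerate_ads):
    """Objects present in the low-level view but missing from the API view,
    tagged as a plain file or an ADS."""
    hidden = set(raw_view(directory, enumerate_ads)) - set(api_view(directory))
    return sorted((name, "ads" if ":" in name else "file") for name in hidden)


if __name__ == "__main__":
    d = r"C:\Windows\System32"
    print("without ADS enumeration:", cross_view(d, False))
    print("with ADS enumeration:   ", cross_view(d, True))
```

The first call finds only the plainly hidden driver; the ADS-resident one is invisible to a cross-view that ignores streams, which is exactly the gap the Rustock and Oddysee examples exploit. In a real tool the low-level view would come from parsing the MFT or reading the volume directly, but the comparison step is the same.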

Rustock is worth mentioning again when we're talking about ADS rootkits. It is probably the most dangerous rootkit in the wild, not only because it's the third most prevalent rootkit but also because of the advanced techniques it uses and malicious actions it performs:

  • Hides in an ADS of the C:\Windows\System32 directory.
  • Hides its execution by injecting itself in kernel threads and avoids being detected as a hidden process.
  • Gets rid of its own kernel structure entries typically searched for by anti-rootkits to detect hidden drivers.
  • Searches for certain security products to further evade detection.
  • Installs a hidden proxy to send spam.

Because of this, Rustock is definitely the most difficult rootkit to detect and especially to disinfect. Therefore it receives our "Most Interesting Rootkit" award.

Categories: Rootkits, Stats

New Panda Anti-Rootkit – Version 1.07

April 27th, 2007 101 comments

We're experiencing a lot of downloads of Panda AntiRootkit. Many thanks to all the people that are helping us improve this free utility by sending suggestions, comments, feedback and submitting new rootkits that are being found in the wild.

I'm happy to say that I have a couple of pieces of good news. The first is that, based on your many suggestions, we have created version 1.07 of Panda AntiRootkit. Version 1.07 has the following improvements:

  • Capable of deactivating unknown rootkits. We consider "unknown" a rootkit for which Panda AntiRootkit does not have a deactivation routine. This does not mean that Panda does not know about the rootkit. Rather that we have not yet included the full deactivation routine in Panda AntiRootkit. But now you'll be able to deactivate all rootkits. By default you'll be presented with deactivation of known rootkits plus the option to deactivate any unknown rootkits found on your system.
  • Deletes registry keys transparently. Up to version 1.06 we only deleted the registry keys necessary to deactivate the rootkit and prevent it from functioning. Some leftover keys made some users worry about incomplete deactivation. Version 1.07 now transparently deletes all rootkit-associated registry keys for peace of mind.
  • Cleaner interface. We have cleaned the results window for a more efficient use of available space. Now a mouse-over a detected object will present you with its type (file, process, ADS, registry, etc.).
  • Various improvements have also been made to the disinfection of unknown rootkits, some false positives reported by some of you, and more deactivation routines.

Get it from CNET!

Alternative download link here.

The second piece of good news is that Panda AntiRootkit 1.07 has achieved the prestigious Editor's Choice award from PC Magazine USA. Read the review to see how Panda AntiRootkit and other anti-rootkits performed during detection and deactivation tests. Again many thanks for your support, and remember to perform a full system scan with a signature-based antivirus after deactivating a rootkit.

Categories: Rootkits, Utils