Hi Guys,
As an update to this topic, the default configuration of CFP needs to be modified slightly to provide a complete defense against this type of rootkit. One should add \Device\LanmanRedirector to the My Protected Files list in Defense+ to see the real harm that can be caused by this rootkit. Fortunately, CFP clearly warns the user with the heuristics before it is run. Experienced users may try adding this file and deny every single popup shown by the rootkit. Experienced users only! In a VM only!
We will be making the necessary changes and updating the default configuration next week. But until that time, I strongly warn novice users to avoid running this rootkit on their PCs.
Remember, this is not a harmless test. It is a real rootkit and without making the above changes, it can seriously damage your computer.
Egemen
egemen, you are right that once the driver is loaded, it is game over basically. my concern then, is over the method used to prevent the driver from loading. defense+ seems to rely on 3 different filters to prevent the driver from loading:
1. device driver
2. registry
3. protected files/folders
is it not possible to update defense+ to rely only on the first module? the number of registry entries that could be used to load drivers is vast! to include protection against every possible such entry would greatly increase the number of popups. the same is true of #3. plus, couldn't someone modify the trojan slightly and take advantage of another line in the registry or another vulnerable folder directory that hasn't yet been added? if the device driver filter was strengthened, wouldn't that stop such rootkits far more effectively?