Malwarebytes Anti-Rootkit Documentation

The purpose of this document is to provide basic documentation for the use of Malwarebytes Anti-Rootkit BETA. Use of Malwarebytes Anti-Rookit BETA (MBAR) requires that you agree to and accept the terms of use described in the accompanying “license.rtf” file included within the archive.

Contents

Introduction: 2

Background: 3

Scope of Malwarebytes Anti-Rootkit: 4

Usage Instructions: 5

fixdamage.exe: 6

Command Line Syntax and Advanced Usage: 6

Log Files: 7

Quarantine and Ignore List: 9

Contact Us: 9

Introduction:

Malwarebytes Anti-Rootkit (MBAR) is a tool designed by Malwarebytes Corporation to detect and remove sophisticated, stealthy forms of malware called “Rootkits”. Rootkits are hidden forms of malware which most normal malware scanning tools cannot detect or remove.

Background:

Rootkits have the ability to infect the very core or ‘root’ of an operating system and hide the existence of certain processes and malicious programs from normal methods of detection. Rootkits can also enable continued privileged access to a computer to make system level modifications, leaving the system heavily compromised.

Malwarebytes Anti-Rootkit (MBAR) is designed to counteract malicious attempts to subvert base core subsystems of an OS which usually make it impossible to detect rootkits using conventional methods. Besides the general functionality of allowing a user to detect and remove rootkits automatically, MBAR contains a set of tools allowing to an experienced user to perform some actions to locate unknown rootkits and remove them manually. To protect itself from being terminated by a rootkit or other malware, MBAR uses Malwarebytes Chameleon technologies which prevent modification or removal or MBAR by malware which may reside on the system. This allows MBAR to complete the detection and removal process regardless of such attacks. MBAR uses an active internet connection to keep its database up to ensure that the most current definitions are used in order to detect and remove the latest 0-day rootkits.

Scope of Malwarebytes Anti-Rootkit:

Malwarebytes Anti-Rootkit (MBAR) has been tested and proven to be effective against the following types of rootkits:

• Kernel mode drivers hiding themselves, like TDL1, TDL2/TDSS, MaxSS, Srizbi, Necurs, Cutwail, etc.

• Kernel mode driver patchers/infectors, embedding malicious code into core files of an Operating System, such as TDL3, ZeroAccess, Rloader, etc.

• Master Boot Record infectors such as TDL4, Mebroot/Sinowal, MoastBoot, Yurn, Pihar, etc.

• Volume Boot Record/OS Bootstrap infectors like Cidox

• Disk Partition table infectors like SST/Elureon

• User mode patchers/infectors like ZeroAccess.

• And many more!

MBAR provides a comprehensive system scan to check for rootkits that includes drivers, MBRs (Master Boot Records) and VBRs (Volume Boot Records).

Usage Instructions:

Malwarebytes Anti-Rootkit (MBAR) is provided as an archive package and does not require installation. Users simply need to download the package and extract it into a folder on the local hard drive keeping the archive’s directory structure intact (It is possible to unpack all files directly to the system desktop although it is not recommended and if possible, you should instead extract it to its own folder, for example a folder called ‘MBAR’ on the desktop. A sample folder “C:\MBAR\” as a home directory is used in all of the following examples). The current MBAR implementation is based on a simple to use wizard. To perform a normal system scan and cleanup a user should just run the program and follow the onscreen instructions; no other options are necessary. Administrative privileges are required. MBAR will scan the system and will prompt the user to perform recommended actions.

If any infections are detected during the scan, the user should use the ‘Cleanup’ button to remove them, restarting the system if prompted.

Important! Shutdown is an essential part of the threat removal process. A computer should not be hard-reset after the scan is completed and malware removal scheduled.

Once you have restarted, it is important that you run another scan to verify that no additional infections remain. If the scan comes back infected again, remove any found threats and restart again, running another scan after reboot to then verify that it comes back clean.

Note:

• On some hardware the computer may hang at the very end of the reboot process if malware cleanup was scheduled. It does not affect the removal process and the computer can be manually restarted using the ‘Reset’ button or by pressing and holding the ‘Power’ button on the PC for 5 seconds if no noticeable disk activity is present (HDD LED is not flashing) within five minutes after restart has been initiated.

• In some cases additional MBAR scans might be necessary to cleanup any leftovers which were not detected or removed during the previous scan (This is not necessary if the previous scan came back clean with no threats of any kind detected). It is recommended that a second scan always be performed after the removal and reboot process to ensure that all active threats have been removed and that no further threats remained. This should be repeated until the scan comes back with no detections.

• Don’t remove MBAR’s drivers from memory using “/r” option if a cleanup has been scheduled as the drivers are required for the removal process.

Some malware may block the loading of drivers so anti-rootkit utilities which use kernel-mode drivers are unable to perform scans. In this case MBAR may try to load its drivers on boot to complete the scan. In such cases you will be prompted to reboot the computer to install the drivers:

DDA driver was not installed which may be caused by rootkit activity.
Do you want to reboot the computer to install DDA driver (Scan will continue after reboot) (Y/N)?

MBAR will restart a computer and automatically open so that the user may initiate the malware scan after the system restart is complete.

MBAR is able to work in a Safe Mode which may be useful if malware is blocking the tool from functioning in normal mode.

fixdamage.exe:

If after running the MBAR, restarting and verifying that the system is now clean of infection you experience other problems, such as lack of internet connectivity then run the tool fixdamage.exe included with the package. It will repair certain system services and settings which are frequently broken by certain rootkits. After running this tool you should always restart your computer even if it does not prompt you to do so.

Command Line Syntax and Advanced Usage:

The available command line syntax and switches for Malwarebytes Anti-Rootkit are as follows:

Usage: MBAMAntiRootkit.exe [/r] [/u] [/z]

• /r - Remove driver. This option will remove drivers from memory which were installed by MBAR. Usually MBAR removes its drivers after use when they are no longer required, but in some cases when MBAR was abruptly terminated, some drivers may remain loaded. MBAR keeps drivers in memory if malware was found and system cleanup on reboot is necessary. To completely remove them from memory use this option. This will terminate a scheduled cleanup task as well.

• /u - Disable rootkit unhooking mechanism. MBAR uses a sophisticated mechanism to counteract malicious changes on the System (“Hooks”) and it is still experimental. In some rare cases this mechanism may prove unstable. Using this option disables this mechanism but makes detection less reliable.

• /z - Do not activate protection driver. Normally MBAR installs the Chameleon self-protection driver right before a scan is started. In some cases this driver may conflict with other software on the system and should be disabled using this option should such a conflict occur.

Log Files:

Malwarebytes Anti-Rootkit (MBAR) creates two log files to save all valuable information about a malware scan and the hardware used. The malware scan log is created in the current directory in a format similar to that used by Malwarebytes Anti-Malware. The following is an example of the naming scheme for this scan log:

mbar-log-2012-06-25 (16-30-00).txt

A log file with detections might look like this, containing info about all detected items:

Malwarebytes Anti-Rootkit 1.1.0.1000

www.malwarebytes.org

Database version: v2012.06.25.10
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
:: WMXP32 [administrator]

6/25/2012 4:30:00 PM
mbar-log-2012-06-25 (16-30-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: PUP | PUM | P2P
Objects scanned: 24649
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RUNTIME (Rootkit.Agent) -> Delete on reboot. [a3d9b340f76567cf5ae9a8458c774db3]
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_RUNTIME2 (Rootkit.Agent) -> Delete on reboot. [bdbfb34075e753e368dc6a838a79ca36]
HKLM\System\CurrentControlSet\Services\runtime (Rootkit.Agent) -> Delete on reboot. [9ddfc132e17b44f25672eb0670935fa1]

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\WINDOWS\system32\drivers\runtime2.sys (Rootkit.Cutwail) -> Delete on reboot. [763bd40c542382a03a9081fd64c2bd49]
C:\Documents and Settings\Administrator\Desktop\readme(30).exe (Rootkit.0Access) -> Delete on reboot. [cbb1e80ba1bb47ef8ca45c281fe155ab]
C:\WINDOWS\system32\8_exception.nls (Trojan.Tibs) -> Delete on reboot. [1f5dae4561fb4ee80d419ad422e14db3]

(end)

Scan logs are created as a separate file for each scan performed. In addition to the scan log, MBAR creates another log file with environmental information in it. Its name is always “system-log.txt” and the file is appended to every time Malwarebytes Anti-Rootkit is executed.

Quarantine and Ignore List:

Malwarebytes Anti-Rootkit (MBAR) is a stand-alone application but it shares some features of Malwarebytes Anti-Malware (MBAM) which may or may not be already installed on the computer, though certain functions dealing with ignore listing and managing the quarantine may only be available if Malwarebytes Anti-Rootkit is installed.

1. Quarantine - MBAR uses the same format for quarantined items as MBAM and stores quarantined items in the same location that MBAM does so all quarantined items appear in the Quarantine tab in MBAM. This makes it possible to manage them using MBAM. It should also be noted that MBAR does not have the capability to manage or restore quarantined items by itself, so MBAM must be used if an item needs to be restored.

Note: some items like MBR, VBR and patched drivers are currently quarantined as binary files only and cannot be restored using MBAM.

2. Ignore List - MBAR uses the same ignore list used by MBAM so exclusions may be managed using the Ignore List tab in MBAM. In order to add or remove an item to be ignored by MBAR, MBAM must be installed as MBAR currently cannot add or remove any items to or from the Ignore List on its own.

Contact Us:

If you continue experiencing problems or MBAR fails to completely detect and remove a rootkit from your system then please contact us by filling out the form at http://www.malwarebytes.org/contact_consumer.