Thread: I've got a rootkit...
W3bbo wrote:

    I'm running a Trend Micro house call right now, but I'm sceptical - rootkits usually can't be detected by AV software by their very nature.

On the contrary. That's actually one of the rare things that AV companies are good at. AVs go out of their way to make sure any common strain of malware in the wild gets picked up by them. If you're the first to be hit with a new strain they might not pick it up straight away, but if you got it from dodgy executables, drive-by downloads or publicly known exploits on the internet, the AV will have seen it and signatured it.

W3bbo wrote:

    I can assure you, I haven't been running any programs like that. This appears to be an example of the worst kind of drive-by download you can get: unauthorised remote code execution.

If you're running the latest OS / browser / Flash it won't have been a drive-by download attack. Zero days are traded for hundreds of thousands of dollars on the black market, and criminals aren't stupid enough to use them on machines that don't have something really valuable on them.

W3bbo wrote:

    Now you've got me scared. I recently downloaded and installed the ffmpeg binaries from, but that was hours before any problems started appearing.

Lots of malware is bundled with the single task of downloading and running executables from a known source. The original exploit kit or executable author then "sells" installs to the criminals behind Zeus and other malware, who are then responsible for monetizing the infected computers - through credit card theft, information theft, attaching the computer to a bot-net for DDoS, and so on.

This behaviour can cause a delay between you running something dodgy and it getting picked up by AV vendors, or between you running something and your computer starting to behave maliciously.

To be honest, I know you think you probably haven't done anything wrong, and it's easier to blame ingenious hackers and exploits, but the reality is that exploits are the exception rather than the norm for client machines getting infected (and almost exclusively against old machines running Windows XP with software that hasn't been patched for months on end).