Meet Malwarebytes Anti-Rootkit

Did you know the term ‘malware’ refers to more than just viruses and worms? Did you know that there are types of malware that infect your system at so deep a level that the operating system doesn’t even realize they are there? Did you know that some malware could make the files, services and running processes associated with its operations invisible? This kind of malware is known as a rootkit and it is a serious problem in today’s computer security world.  Many antivirus solutions have a hard time even detecting rootkit activity, let alone removing it.  To answer the call in the fight against rootkits, Malwarebytes has taken up arms and introduced a new soldier in the cyber-war. Meet Malwarebytes Anti-Rootkit.

Disclaimer

Malwarebytes Anti-Rootkit, as you will find out in this blog post, is a very useful and powerful tool. However, it is currently in BETA status, meaning that we are still testing it to make sure it works across all operating systems and for all users; it also means that we cannot guarantee that the software will perform error-free. That said, there is a chance that using this software could damage your system, and you should use it AT YOUR OWN RISK. If you do decide to use this tool in its current state, you are agreeing to the terms of our license agreement, included with the software as “License.rtf”.

Please be sure to back up any valued data you have before you proceed to use this tool, just as a precaution. Finally, Malwarebytes bears no responsibility for issues that may arise during use of this tool; however, all reasonable efforts will be made by Malwarebytes to assist in recovery should the need arise. Thanks!

What is a Rootkit?

A rootkit is a special type of malware that embeds itself deep into the operating system, at a level that allows it to manipulate the information the operating system returns to the user and to applications. This means that a rootkit can completely control the operating system as well as hide any trace of its own presence.

Rootkits have been around for about 20 years and were originally developed for non-malicious purposes, and not even for the Windows operating system. As the years progressed, it became apparent to cyber-criminals that employing rootkits was the way to go, and so we now have rootkit malware like ZeroAccess and Rustock.

The biggest issue with rootkits, beyond their intended operations, is how to get rid of them. Rootkits embed themselves into the operating system in such a way that many legitimate and important function calls and data are routed through the rootkit’s own code. Think of it like a hard-water filter installed on your water pipe system right outside the point where the water enters your house. If you tried to remove that filter, you would then have a problem with your water correctly getting into your house. In the same regard, if you removed a rootkit, you might inadvertently break some vital functionality of the operating system; in the worst case, it might even make your system unbootable.

To put our foot down and fight back against stubborn rootkit malware, Malwarebytes has developed a new product designed specifically for the detection and removal of rootkits: Malwarebytes Anti-Rootkit.

What can it do?

At a high level, this is what Malwarebytes Anti-Rootkit, or “MBAR”, can do for you:

  • Kills what other tools cannot: those nasty rootkits, MBR infectors, and the nastiest of nasty Trojans and blended threats like ZeroAccess.
  • Goes well beyond other malware removal tools and repairs broken services and system files often damaged by many infections.
  • The same incredible heuristics used by Malwarebytes Anti-Malware for detecting the latest 0-hour threats are applied to the anti-rootkit definitions used by MBAR to find and kill the latest rootkits.
  • It uses our Chameleon self-protection to keep it running even when threats try to shut it down.

Malwarebytes Anti-Rootkit scans your system’s drivers, hard drive sectors, and system files to seek out rootkit activity and remove it from your system. This means that MBAR will delve into the dark crevices of your system where rootkits like to hide and disrupt their ability to hook into the operating system, modify data, intercept system calls, and so on.

Once it removes the links, it will use the Malwarebytes Anti-Rootkit engine to detect all additional rootkit files and mark them for removal. After this, the system will require a restart, which allows Malwarebytes Anti-Rootkit to remove the malware before it has a chance to embed itself into the system again.

Why is it necessary?

In the distant past, malware consisted of a few viruses that destroyed data and worms that tried to spread as far as they could. In those days, a simple antivirus/anti-malware solution was the answer for nearly all computer security issues. Today, however, we deal with much more advanced, targeted and nefarious types of malicious software, such as rootkits. Therefore, it is necessary to be able to protect your system against threats that conventional antivirus/anti-malware solutions cannot handle.

In addition, think back to the water filter analogy, where breaking the connection between the water filter and the pipes could cause serious damage to the water system. Malwarebytes Anti-Rootkit not only removes the rootkit (the evil water filter) but also repairs the damage it did to the system by reestablishing links and fixing vital services that had been modified by the rootkit; in essence, it ensures that your water keeps flowing. It does this with a tool known as fixdamage.exe that is included in the Malwarebytes Anti-Rootkit ZIP file.

Where can I download it?

So now that you know what a rootkit is, what Malwarebytes Anti-Rootkit can do about them, and how it does it, you will naturally want to try it out for yourself. To do this, just click the link below to download the ZIP file containing Malwarebytes Anti-Rootkit, and read on to find out how to use it.

Download Malwarebytes Anti-Rootkit

How do I use it?

Here is a step-by-step breakdown on how to use Malwarebytes Anti-Rootkit.

  1. Download the ZIP file containing the MBAR files from the link above.

  2. Save the ZIP file and double-click it to open it.

  3. Extract/copy the “mbar” folder to your hard drive; you could put it on the Desktop or just in your root drive like “C:\”, it does not really matter. Once done, open the folder in Windows Explorer.

  4. We recommend you check out the “ReadMe.rtf” file for usage instructions and the advanced command line parameters available for the tool, in addition to the End-user License Agreement (EULA). It is a very useful resource for using this tool or if you want to learn even more about what it is capable of.

  5. To use Malwarebytes Anti-Rootkit, simply click on the “mbar.exe” icon. MBAR does not require installation like Malwarebytes Anti-Malware does and can be used as soon as the files are extracted. If you are using Windows 7 or above, make sure to allow mbar.exe to use administrative privileges when prompted.

  6. Once executed, MBAR will present you with a graphical interface, an introduction to the product and information about the licensing of the tool. To continue, press “Next”.

  7. Next, you are presented with the “Update” interface, which allows you to download the most current definitions from our Anti-Malware servers to be used to scan the system for rootkits. Click “Update” to download the newest database, then click “Next” once the update completes.

  8. You should now be at the “Scan System” interface; this is where you will allow MBAR to search your system for rootkit activity. To perform the most complete scan, make sure that the “Scan Targets” are set to all possible options (Drivers/Sectors/System). Then click “Scan” when you are ready.

  9. Once the scan is complete, MBAR will inform you if it has detected any malware and will advise you to clean your system. It also has a “Create Restore Point” option that we highly recommend you select in case something goes wrong with the removal of the rootkits.

  10. After the restore point is created and the rootkit cleanup is scheduled, you will receive a prompt asking for a reboot of your system. Select “Yes” to reboot your system and clean the rootkits.

  11. After your reboot, you should run MBAR again to ensure that all infections have been removed from the system.

  12. Once you are rootkit-free, in order to ensure that any damage done by removing the rootkit is repaired, you should run the “fixdamage.exe” application, located in the same MBAR directory as “mbar.exe”.

  13. Clicking on “fixdamage.exe” will open the console application and request confirmation to apply any fixes to the operating system. Input “Y” to begin the fix.

  14. After the fix is complete, it will ask you to restart the system again.

Keep in mind that Malwarebytes Anti-Rootkit does not require an installation of Malwarebytes Anti-Malware, which makes it a great tool for quickly disinfecting the systems of your friends and family on the fly if they can’t install Anti-Malware because the rootkit is blocking them. Put it on a USB stick with an up-to-date definition file, or onto a CD with other valuable tools.

This product will always be updated and upgraded in order to have the best chance of taking out the bad guys and defeating rootkits as they come out. If you want to help in this fight, please do, by letting us know on our forums what kind of experiences you have had with MBAR and even how you think it might be improved. Thanks for reading and stay safe!


23 thoughts on “Meet Malwarebytes Anti-Rootkit”

  1. jameshurd says on November 17, 2012 at 9:31 am :

    How will this react to various boot sectors? The problems I’ve faced in the past is root kit removers do their job of removing the root kit, but ruin specialized boot sectors such as the ones made by Dell and HP.

  2. Adam Kujawa says on November 21, 2012 at 8:11 am :

    Hi Jameshurd:
    To answer your question, unfortunately we’ll have problems with it too. Though, we’ll try our best to handle third-party boot managers… If you have any kind of feedback about how it is running on third-party boot managers we would love to hear it. The tool is still in BETA especially for this purpose, to make sure we can make it better with the help of our community. Thanks for the comment!

    -Adam

  3. brianwoodbury says on November 27, 2012 at 4:46 am :

    Thanks for coming up with this program. I’ve run across 2 rootkit/mbr issues and it took care of both just fine. I haven’t run across the TDL variant that infects the TCP/IP stack lately, but I’m curious to see how well it will work against that one.

    Brian

  4. shaw says on November 30, 2012 at 10:13 am :

    Will these features be combined into the MBAM product? And if not, will there be additional licensing costs for the MBAR product? Thanks.

  5. exile360 says on November 30, 2012 at 10:28 am :

    @Brian: MBAR nails the TCP/IP (hijacker) variant of TDL and once cleaned up, fixdamage.exe repairs the TCP/IP stack thus restoring internet connectivity.

    @Shaw: We haven’t decided that yet. For now we just want to test this new technology and if it proves stable, then we’ll decide on what we’re going to do with it.

  6. tservo says on December 3, 2012 at 1:46 pm :

    Hi, just ran the beta and the only thing it came up with was unknown MBR, which I assume is related to me having Farstone Snapshot installed. Would this be correct? Looking forward to having Anti-Rootkit as a regular MBAM product.

  7. doanviettrung says on December 5, 2012 at 9:16 pm :

    mbar-1.01.0.1009 was flagged as malware by 2 out of 45 engines on VirusTotal:

    eSafe says it is Win32.TrojanHorse
    TrendMicro-Housecall says TROJ_GEN.F47V1112

    I hope to hear from you before I start installing it.

  8. Adam Kujawa says on December 5, 2012 at 9:54 pm :

    doanviettrung: Can you give us the MD5 or the link to the VirusTotal results page? Also, where did you download the ZIP? Thanks!

  9. ebbo says on December 11, 2012 at 6:20 am :

    Hello, prior to running anti rootkit a box came on screen: Probable rootkit activity detected. registry value “APPLNT_DLLS” has been found, which may be caused by rootkit activity. I chose to click on option NO and then proceeded with the scan, which came up clear. I have watched a demo of this product on You-tube and was impressed, although it did not get rid of all the rootkits (in fact one remained). The author was able to delete the offending file manually but also recommended using HitmanPro 3.6.2 and/or Rogue Killer, neither of which I have used. I have used your anti rootkit four times in two days and it has not found anything. Each time I use it that same box comes on screen before I run the anti rootkit. When starting the computer each day I now get a box entitled “OPEN FILE -SECURITY WARNING” with the option of run or cancel. I choose cancel and the computer starts normally. Hope this all makes sense and I look forward to your comments/reply. Thank you in advance, ebbo.

  10. Adam Kujawa says on December 13, 2012 at 4:22 pm :

    Hi Ebbo, When you restart your computer, be sure to select “Run” instead of “Cancel” so MBAR can finish what it needs to do. Thanks for the comment!

  11. bigarrrrrrr says on January 23, 2013 at 2:57 pm :

    Hi.

    This program is failing to load its driver and failing to restart the computer so it can. And then alternately it’s also telling me it can’t continue the scan because the system appears encrypted.

    Your product can’t scan an encrypted system drive?

  12. Adam Kujawa says on January 24, 2013 at 11:27 am :

    Hi bigarrrrr,

    In order to help you further we are going to need some more information:

    > This program is failing to load its driver and failing to restart the computer so it can.

    Inability to load a driver may be caused by some rootkit activity, like Necurs rootkit. But we don’t catch what “failing to restart” means. If your computer doesn’t reboot automatically, in this case it can be reset manually. Does MBAR dialog appear after reboot as it should? Did you try to run MBAR in a safe mode?

    > Your product can’t scan an encrypted system drive?

    No it can’t. If the system drive is indeed encrypted using Bitlocker, TrueCrypt or similar we can’t continue. But if the drive is not indeed encrypted this might be a bug which we fixed recently when our driver could not access system drive reporting it as encrypted when it was not. This fix will be available soon beginning with MBAR build 1.01.0.1018.

  13. bigarrrrrrr says on January 24, 2013 at 6:02 pm :

    Hi Adam,

    My system is encrypted with TrueCrypt, so I guess I can’t use MBAR. Is this because it’s portable rather than installed?

    Well anyway, just for your information, what I meant was that the driver would not install initially and I got the message about rootkits possibly interfering with that and the option to restart. Only when I clicked to allow MBAR to restart, it didn’t, but instead immediately put up the message that it failed to load its driver upon restart. I ran it again and restarted it manually at that point, but when the system came back up, MBAR did not reload.

    I do have MBAM installed and have successfully run it as well as Chameleon. Does MBAR perform a more intensive rootkit scan than those? I should also mention that I got the same registry value message ebbo experienced as well.

  14. ragavan says on February 8, 2013 at 12:58 am :

    Can game theory be used to optimize rootkit detection?

  15. arif says on February 8, 2013 at 5:24 pm :

    Beginning with build 1.01.0.1020 MBAR has limited support for drives encrypted by TrueCrypt. Tested and successfully removed such infections as ZeroAccess, Necurs and TDL4.

  16. bsharpe37 says on March 19, 2013 at 12:47 pm :

    Just updated with latest. Ran Scan and it found 4 issues. However these are Policies assigned by a GPO.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage or \NoDispBackgroundPage

    There are also keys for System restore being turned off also by GPO.

    I know there is spyware or viruses out there that add these keys, but would there be a way to make it detect if a GPO is being applied from a Windows 2003 Server?

  17. cryptoknight says on March 21, 2013 at 1:07 pm :

    I see MBAR supports TrueCrypt as of Feb 8. Are there plans to support Bitlocker? Thank you.

  18. Adam Kujawa says on March 21, 2013 at 1:36 pm :

    Hey Cryptoknight,
    No, there are currently no such plans because BitLocker has a proprietary undocumented internal structure which we don’t know.

    Thanks for the comment!

    Adam

  19. Adam Kujawa says on March 21, 2013 at 1:56 pm :

    Hey bsharpe37,
    The keys you reference are detected as belonging to Potentially Unwanted Programs, or PUP. You can modify the detection of PUP in the Malwarebytes Anti-Malware settings so they will not show up when you do scans. Unfortunately we don’t have the ability to determine whether or not the key is put there by a legitimate source or malware, but since you know they are there because of the W2k3 Server GPO, you can disable their future detections =). Check out our Helpdesk for more detail on removing the detection.

    Thanks for the comment and good luck!

    Adam

  20. Jennifer Landry says on October 10, 2013 at 5:21 pm :

    Help!!! I downloaded the files, my computer completely froze, lost my mouse, had to do a hard reboot. Then I right clicked on the application, clicked on Run as Administrator, and completely frozen and stuck again! I have a windows7 Dell laptop, am I doing something wrong? I’m not getting prompted for anything, just completely freezes my computer, argh!

  21. Jennifer Landry says on October 10, 2013 at 5:25 pm :

    Got it working in safe mode … Fingers crossed!!

  22. doommetal says on January 4, 2014 at 2:47 pm :

    Hi, I need help with this particular program. It seems to work fine during the scan until it reaches the rohan.esp from merp, then it seems to stay there permanently, never passing it. Is it its size, or could there be another problem? Either way I’d really like to use this, but it kinda sucks when after hours it still hasn’t scanned it.

  23. Sotiris Priftis says on March 1, 2014 at 5:20 am :

    Stuck at a prmpla mpla.chm file in ~\APPDATA\ROAMING\SoftMaker\ folder. Windows 7 64. The .chm filename appears to have a blank space. Full & nonstop HD activity. pskill won’t kill it from cmd, neither will taskkill; the x button works but only after many minutes to close mbar. SoftMaker is a German software firm I believe. FreeOffice is installed here.
