Cloud Assisted Miniport Hook Bypass detects rootkits that are embedded deeply in the operating system
Hengelo, June 16, 2011 - SurfRight, a developer of tools that give users more control over their PC security, today announced the release of Hitman Pro 3.5.9. The main purpose of this release is the addition of the Cloud Assisted Miniport Hook Bypass feature.
"In the past weeks, we noticed an increase in highly advanced rootkits such as Mebroot, Sinowal and TDL4 who were trying to defeat detection by Hitman Pro" according to Mark Loman, CEO of SurfRight. "With this new release we are able to better detect and remove these sophisticated threats".
The most important features in this new version are:
The full release notes and changelog of Hitman Pro 3.5.9 build 124 can be found on www.surfright.com/hitmanpro/whatsnew
Existing users of Hitman Pro will automatically be updated to the latest version in the next few days.
The toughest types of malware are rootkits. Rootkits embed themselves deep in the operating system where they hide for antivirus software. The longer a rootkit stays alive on a computer, the more profit the malware authors make because the computer is under their control. Highly advanced rootkits like the TDSS family (TDL, Alureon.DX, Olmarik) and new variants of Mebroot/Sinowal work on both 32-bit and 64-bit versions of Windows and infect the Master Boot Record (MBR). This means that these so called Bootkits start before Windows boots up, which gives the bootkit an obvious advantage. Any protection mechanism imposed by Windows (or antivirus that is loaded by Windows) can be defeated (the program that is started first, has control over the others).
Once Windows is booting, the rootkit attaches a filtering mechanism to the hard disk driver. This filter gives the rootkit complete control over the hard drive. For example, when an antivirus program tries to read the MBR (sector 0) of the hard drive (to see if it is infected), the rootkit will simply serve a regular MBR so that it appears that the MBR is clean. Hence, the rootkit is undetected.
Now in order to read the actual infected MBR you need get around the rootkit’s filtering mechanism. For this you need to know two things:
When you know the exact hard disk driver that is in use, you are able to communicate directly with it, reading around the hooks of the rootkit.
The problem is that there are literally thousands of different brands, types and versions of hard disk drivers and they all need to be addressed differently. This is where Cloud Assisted Miniport Hook Bypass comes in.
Cloud Assisted Miniport Hook Bypass collects hard disk miniport driver information from clean computers and stores a representation of this information (a fingerprint of a few bytes) in the Cloud. When Hitman Pro detects a hook on the hard disk driver, it consults the Cloud on how to work around it. This allows Hitman Pro to read around the rootkit’s filtering and effectively reading the actual infected sectors. This works for ANY hard disk driver and not just the common ones.
The Cloud collectively helps Hitman Pro users to combat the toughest malware threat: Rootkits.