Adware blocks Antivirus | SmartService Rootkit

Captions
It seems we've come to a point where adware blocks your AV program and not the other way around. police found orb and BleepingComputer have drawn my attention to a new silent installer which does more than sneak ads behind your back. This threat actually embeds itself in your system like a rootkit, does not allow you to modify its registry keys, and even prevents other security solutions from being started. So how the hell does this happen? Let me show you. This is Leo and you are watching The PC Security Channel. [Music]

I think I've named the folder quite appropriately: SS, if you remember the Nazi days. In here we have the actual silent installer payload and some arguments that we need to use to launch it, as it is region specific; it seems that it mostly targets users from the US. In order to ensure that it works out as expected, I'm going to have to use Command Prompt to launch it along with the arguments, but this could easily be a background process initiated when you're installing some program which is accompanied by one of these bundle installers. There we go, now we're ready to launch, but before that let's load up some analysis tools so that we can actually see what happens, since, as I've mentioned earlier, this thing is really sneaky and it does not want you to know what's going on. Now, we're primarily going to use a couple of tools: TCPView, to show us the connections that it's going to make, and Regshot, to show us the file and registry modifications. So I'm going to scan the entire C: directory and we're going to take a reference shot now, and we'll take another shot after the program has installed, and we'll compare the two. As you can notice, TCPView is showing us only the default system connections, but we will see new things over here once the program has launched. So now we're ready to go. As you can see, immediately lots of new connections, and nothing is actually shown: there's no installer, but everything's happening in the background, and we already have a new desktop icon.

While it's working, let's take a look at the VirusTotal scan results for this threat. At the moment it seems to be detected by quite a few engines, 41 out of 61, so most major AV vendors block it, and that's not really a surprise given that the file was first seen, I think, over a month ago. There you go. And since a lot of people have been crusading about the effectiveness of Windows Defender, once again I would like to point out that it does not block this threat despite it being quite dangerous and quite old too. That's not the point I'm trying to prove with this video, but just so you know. Another argument that people often make is that if you're smart you can avoid all sorts of malware. I'd like you to think about this: if you try to download safe VLC media player and you've got this as a bundled installer, you just clicked on install, and in the background it launched this process. Now the process would say something like "this installer", so it's granted privileges, and sometimes that's not even required. So how do you think you're going to figure out what's happening until you see random icons on your desktop? The reality is, with a lot of attack vectors there is really no way to know, and nobody gets infected when they're patiently looking at things or analyzing stuff; people get infected when they're having a bad day, when they're in a hurry for a presentation, and as humans we always have those scenarios. Right now this is the only thing that we can see here, but soon this whole thing is going to be flooded with a lot of vmxclient processes, which is when we know that the malware has taken full effect. The process can take five to ten to twenty minutes, so we'll have to wait and be patient. We're starting to see some vmxclient processes, so I guess it's time for the second shot. As you can see, there are a ton of these all over the place. Now it's time to take a look at the terrible modifications that have taken place, none of it on screen, everything invisibly in the background.

Now let's compare the results and see what the log file tells us. Lots of things have happened in the driver database; tons of keys have been deleted. Over here we have a new folder, llsoft / WinVMX, and it seems there is a driver over here as well, and this is the original executable that we're seeing in the process list, and this is located in System32. Now let's see what happens when we try to run any AV program on this computer. We have a few second-opinion scanners here to try out. Immediately, HitmanPro: huh, "the requested resource is in use". That's funny. Malwarebytes? Well, we can see the complete list of blocked digital signatures over here; as you can see, it pretty much encompasses the entire third-party AV industry, and here are some processes that are going to be blocked as well. Let's see if we can start Task Manager. OK, that works fine, but if we try to launch an AV program which might remove the adware, this is what we get. Modified AV executables will work, and Zemana has an instant fix, so if we go ahead and launch Zemana AntiMalware Portable, it is going to be able to bypass the rootkit and it will instantly detect it. So you can see "rootkit detected", NT AdClicker, and this is the malicious driver. Before I wrap this up I'd like to show you how persistent the rootkit is: even if you try to terminate these processes on your own, you won't be able to do that either, because access is going to be denied. Once the rootkit is on your system, removal is going to be very difficult. If you are infected, then I would strongly recommend going to BleepingComputer, which I will link in the description, and going through the instructions over there. But this should clearly demonstrate how dangerous adware has become and why you need to watch your back. So that's it for today. I hope you guys enjoyed this video and found it useful; hit the like button if you did and don't forget to subscribe. You are watching The PC Security Channel, and as always: stay informed, stay secure. [Music]
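The "reference shot, second shot, compare" workflow the video runs with Regshot is easy to reproduce in a few lines, which is useful when you want it scripted inside a disposable VM rather than clicked through. The following is an added example, not code from The PC Security Channel or from Regshot: it snapshots a directory tree as (size, SHA-256) per file, diffs two snapshots into added/deleted/modified lists, and records files it cannot read instead of dropping them, since a driver that denies access to itself is exactly the thing you are looking for. Regshot also diffs registry hives; this cross-platform example covers only the file-system half. The scenario in `demo()` is constructed, and every path and file name in it (`example_rootkit.sys`, `vmxclient.exe` under `ProgramData`, the `hosts` edit) is a hypothetical stand-in, not a real indicator from the page.

```python
# Added example: minimal Regshot-style file-system snapshot and diff.
# Not the channel's code; scenario and file names are constructed.
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream-hash a file so large binaries (drivers, installers) are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Return {relative_posix_path: (size, sha256)} for every regular file under root.

    A file whose contents cannot be read is recorded as ("unreadable", <error name>)
    rather than silently skipped, so it still appears in the comparison.
    """
    root = Path(root)
    shot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            try:
                shot[rel] = (p.stat().st_size, _sha256(p))
            except OSError as exc:
                shot[rel] = ("unreadable", exc.__class__.__name__)
    return shot


def compare(before: dict, after: dict) -> dict:
    """Diff two snapshots into sorted added / deleted / modified path lists."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def report(diff: dict) -> str:
    """Render the diff one change per line, Regshot-log style."""
    lines = []
    for kind in ("added", "deleted", "modified"):
        for path in diff[kind]:
            lines.append(f"{kind.upper():9} {path}")
    return "\n".join(lines)


def demo() -> dict:
    """Constructed scenario: shot 1, a simulated bundle installer runs, shot 2, compare.

    All names here are hypothetical stand-ins chosen for the example, not real
    SmartService artifacts.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        drivers = root / "Windows" / "System32" / "drivers"
        (drivers / "etc").mkdir(parents=True)
        (drivers / "existing.sys").write_bytes(b"benign driver")
        (drivers / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "Program Files" / "VLC").mkdir(parents=True)
        (root / "Program Files" / "VLC" / "vlc.exe").write_bytes(b"legit player")

        first = snapshot(root)  # reference shot

        # Simulated silent-installer activity (constructed): a new driver, a new
        # payload directory, a modified system file and a deleted file.
        (drivers / "example_rootkit.sys").write_bytes(b"malicious driver")
        (root / "ProgramData" / "vmxclient").mkdir(parents=True)
        (root / "ProgramData" / "vmxclient" / "vmxclient.exe").write_bytes(b"adware payload")
        (drivers / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n0.0.0.0 av-vendor.example\n")
        (root / "Program Files" / "VLC" / "vlc.exe").unlink()

        second = snapshot(root)  # second shot
        return compare(first, second)


if __name__ == "__main__":
    print(report(demo()))
```

Run it on a real machine by calling `snapshot("C:/")` before and after the installer instead of `demo()`, and persist the first dictionary to disk, because the whole point is that the second shot is taken after the payload has had ten or twenty minutes to settle. Unreadable entries in the diff are worth a second look: on a clean system almost nothing under a user-writable tree should refuse to be hashed.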
Info
Channel: The PC Security Channel
Views: 39,976
Rating: 4.9361882 out of 5
Keywords: TPSC, The PC Security Channel, Security, Internet Security, Antivirus, Reviews, Security software reviews, test, malware, prevention, detection, removal, antimalware, tutorial, virus, trojan, 2017, Adware blocks Antivirus, Smart Service Rootkit, s5mark, Smart Service, Rootkit, Adware, Malware blocks Antivirus, PUP, PUP blocks AV, Adware blocks AV
Id: 7XgJ6qRJct8
Length: 7min 54sec (474 seconds)
Published: Mon May 01 2017