RogueKiller versus Malwarebytes: What's different?


Amaroq_Starwind

Recommended Posts

I recently learned about a piece of Anti-Malware software called RogueKiller. Well, I guess "learned about" is a bit generous, because other than being similar to Malwarebytes in a lot of ways, at least at a cursory glance, I know next to nothing about it, and further information is pretty difficult to come across. For instance, the Wikipedia article was mysteriously deleted three years ago.

However, allegedly one of the developers of RogueKiller is also a developer at Malwarebytes, so I was wondering: could somebody please help me shed some light on the differences between RogueKiller and Malwarebytes?


RogueKiller (the user who created the tool) developed the application as a portable scanner designed to target difficult-to-remove infections, particularly those such as rogue/fake AVs known for blocking Malwarebytes and other security apps from running. Over time the scanner became pretty robust, and eventually RogueKiller (again, the user who created the tool) was hired by Malwarebytes to work as a member of the Research team (this is not unlike how sUBs, developer of ComboFix, also works for Malwarebytes as a member of Research).

I'm not sure what the status of RogueKiller (the scanner) is these days, but based on what I know of it, it is just a basic scan/remediation tool based on what are essentially scripts/batch files using custom-rolled defs made by the developer of the tool to target the threats he came across in his own research. It was definitely a useful tool, especially when other tools would fail to run, but compared to Malwarebytes it is quite limited in its capabilities as I understand it. You can learn more about it here. Apparently the paid version offers extended features such as automatic updates, more control over scan options, access to CLI functions and ticketed private support. It doesn't appear to offer any sort of real-time/preventative protection, so it's mainly just a more robust version of the free tool with access to support tacked on.


Perhaps, but it depends on whether the bad guys have coded it to block RogueKiller or not, and oftentimes they'll just use a whitelist rather than a blacklist so that everything outside of the applications they specify is blocked, which would prevent even unknown security tools from running (there are ways around this, but they require additional steps to 'trick' the malware into allowing the tool/scanner to run; we did all of this when we built Chameleon for Malwarebytes 1.x; if such threats become commonplace they'll likely adapt Chameleon to 3.x to deal with them).


That's the problem: it really doesn't work, because as soon as Chameleon launches MB2, it tries to update to MB3, which Chameleon isn't compatible with, so the process fails and the scan never runs. You have to disable checking for new versions in MB2 to do it, which isn't easy with all the automation that Chameleon uses. Besides that, the threat signatures/engine in MB2 are very lackluster compared to the latest MB3 builds, so there is a very good chance that any new resident threat that successfully blocks Malwarebytes would not be detectable/removable via MB2.

That said, the Research team is investigating the current round of threats that are doing this (apparently variants of SmartService/Yelloader; PUP-installing rootkits that cropped up over the past year or two but disappeared for a while and which have now returned once more), and I expect they have a plan to deal with them.

Edited by exile360

16 hours ago, exile360 said:

Besides that, the threat signatures/engine in MB2 are very lackluster compared to the latest MB3 builds so there is a very good chance that any new resident threat that successfully blocks Malwarebytes would not be detectable/removable via MB2.

This is a very true statement... just yesterday I scanned a computer that had MB2, and every time the user opened up the Chrome browser they would immediately get Block notifications from MB2 in the system tray. Scanning with v2 yielded no results. I asked the user why they were not using MB3 and they stated they did not even know there was a new version. So I upgraded them to MB3 and then performed a scan. Lo and behold, it found 89 items. Performed a clean, reboot and all is well now, so having the latest version is always the best course for scans to be fully effective.
