Jump to content

"Fuzzy Rootkit"


Recommended Posts

Checking if anyone out there can advise if this rootkit is able to be detected and remediated with MBAM. We're using MBAM 1.80.2 via Automate/Labtech on the latest database version.
Below is info found out by our partner MSP.



Hitman pro log:   Fuzzy  . . . . . . : 23.0

         The file is completely hidden from view and most antivirus products. It may belong to a rootkit.

         Uses the Windows Registry to run each time the user logs on.

         Program starts automatically without user intervention.

         Time indicates that the file appeared recently on this computer.

         The file is in use by one or more active processes.

         Starts automatically as a service during system bootup.

         Program is code signed with a valid Authenticode certificate.

Link to post
Share on other sites

I am not a member of Research, however I do know from experience that the terms 'Generic' and 'Fuzzy', both of which are used to describe this detection and the signature that hit it, are heuristic types of detections which may be more prone to false positives than a more targeted signature type.  I have no idea if this specific detection was a legitimate rootkit or a false positive, however I am fairly certain that without a copy of the object that was detected, Research will not be able to determine whether or not Malwarebytes is capable of detecting the same rootkit (again, assuming it is an actual rootkit and not a false positive due to the fuzzy/generic/heuristic signature).

Link to post
Share on other sites

Thank you both for the replies - in this case, I do not have the infected file, only the description from a Bitdefender scan. I see how it can be generic, thankfully we haven't had cases of this for our systems, but will continue to be on the look out and post additional information here when possible.

Link to post
Share on other sites

  • Root Admin

Ever changing threat scope. Make sure all computers are protected, and continue user education. One bad system can often wreak havoc.

Perhaps not something to make large scale changes in a business environment but for general knowledge we do have the following post geared for home users.

Tips to help protect from infection




Link to post
Share on other sites

Bitdefender should still have a copy of the file in quarantine assuming it was not deleted.  If you have access to the machine you should be able to restore the file from quarantine and then ZIP it and post it here for analysis.  In fact, if Bitdefender offers the option as some AVs do, you can possibly restore the file to a location of your choosing so that you can simply restore it to somewhere like a folder on the desktop to make it easier to find for attaching.  I do not know if Bitdefender offers such an option though, so you may need to restore it to its original location and grab it from there.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.