Adlice forum

Software feedback => RogueKiller PREMIUM => Topic started by: mark.reed@ntebb.no on March 27, 2021, 05:26:23 pm

Title: Does Rogus Killer guard against Purple Fox Roootkit / Worm?
Post by: mark.reed@ntebb.no on March 27, 2021, 05:26:23 pm
See for example https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/
Title: Re: Does Rogus Killer guard against Purple Fox Roootkit / Worm?
Post by: Curson on March 28, 2021, 11:29:35 pm
Hi Mark,

Welcome to Adlice.com forum.

We were not able to get any Purple Fox malware payloads, so I can't answer you with certainty.
However, I can provide you some insights at what point, RogueKiller will trigger an alert. I will refer to the Guardicore tehnical as a reference.

The MSI/MOE installer being launched from a SMB drive will normally be detected as [Suspicious.Path].
The encrypted file containing the rootkit will be detected by MalPE, our heuristic engine.

Unfortunately, Guardicore does not provide any indication about the DLL payloads (winupdate64/winupdate32), so I don't have any clue about them.

Regards.