Hitman Pro can now detect sophisticated rootkits

SurfRight, announced today the release of Hitman Pro 3.5.9 (build 124). The main purpose of this release is the addition of the Cloud Assisted Miniport Hook Bypass feature.

“In the past weeks, we noticed an increase in highly advanced rootkits such as MEBroot, Torpig, Sinowal and TDL4 who were trying to defeat detection by Hitman Pro” according to Mark Loman, CEO of SurfRight. “With this new release we are able to better detect and remove these sophisticated threats”

The most important features in this new version are:

  • Cloud Assisted Miniport Hook Bypass feature.
  • MEBroot/Torpig/Sinowal detection and removal.
  • Removal of new variant of Trojan Vundo.
  • Master Boot Record (MBR) protection when restoring infected MBR to counter rootkit watchdogs.
  • Repair for BCD testsigning. Testsigning is a feature of 64-bit Windows that, when enabled, allows loading of non-signed drivers on 64-bit Windows. Testsigning is typically abused by 64-bit bootkits.

The full release notes and changelog of Hitman Pro 3.5.9 build 124 can be found on http://www.surfright.com/hitmanpro/whatsnew

About Cloud Assisted Miniport Hook Bypass
Cloud Assisted Miniport Hook Bypass collects hard disk miniport driver information from clean computers and stores a representation of this information (a fingerprint of a few bytes) in the Cloud. When Hitman Pro detects a hook on the hard disk driver, it consults the Cloud on how to work around it. This allows Hitman Pro to read around the rootkit’s filtering and effectively reading the actual infected sectors. This works for ANY hard disk driver and not just the common ones.

If you run Hitman Pro with Early Warning Scoring (a mode for experts) on a Mebroot infected system you can see Cloud Assisted Miniport Hook Bypass in action. If the yellow sticky mentions bypassed then Hitman Pro should be able to detect presence of the rootkit:

[Image: camhb.png]

The yellow sticky only appears in Early Warning Scoring scan. In the Default Scan or Quick Scan the sticky is not displayed because non-expert users have no idea what a kernel-mode hook is. Of course, when an infected MBR is detected it is listed, regardless of the chosen scan.

Cloud Assisted Miniport Hook Bypass collectively helps Hitman Pro users to combat the toughest malware threat: Rootkits.



We love Malwarebytes and HitmanPro!

We really like the free versions of Malwarebytes and HitmanPro, and we love the Malwarebytes Premium and HitmanPro.Alert extra features.

Malwarebytes Logo Malwarebytes Premium sits beside your traditional antivirus, filling in any gaps in its defenses, providing extra protection against sneakier security threats.

Malwarebytes Premium Features

HitmanPro Logo HitmanPro.Alert prevents good programs from being exploited, stops ransomware from running, and detects a host of different intruders by analyzing their behavior. HitmanPro.Alert will run alongside your current antivirus without any issues.

HitmanPro.Alert Features

I am the creator and owner of the MalwareTips Community. I've started this site in 2010 to help people solve their computer problems.
I live in Bucharest, where I run my own local computer repair shop. My area of expertise includes malware removal and computer forensics. I'm active in the various online anti-malware communities where I do researches for new malware threats as they are released.