
ShadowUser, DeepFreeze and the MBR


poirot
July 6th, 2007, 09:10 AM
Following recent discoveries that PowerShadow won't protect the MBR from tampering, I was just wondering what the behaviour of ShadowUser and DeepFreeze is in this respect.

As a corollary, I'd like to know (provided that, if one uses a serious HIPS, it must be an unlikely occurrence) if and how a trojan or hacker could remotely manipulate one's MBR.

Peter2150
July 6th, 2007, 09:43 AM

ShadowUser fails, and if I remember right DeepFreeze passes. Do a search on Killdisk.

Ironically, testing with the Killdisk trojan, it was the AVs that were the stars. Using both KAV and F-Prot, they refused to let Killdisk run. I had to disable both of them. Both ProSecurity and SSM do give you an alert to the direct disk activity, but if you accidentally allow it, then bye bye.

What Killdisk does is corrupt the partition table. Don't know about remotely, but once on your machine it's not too hard.

Pete

poirot
July 6th, 2007, 11:31 AM
Thanks for your reply Peter2150, and also for your other thread about the Horus-HP Backup affair.
I run PowerShadow on one PC and ShadowUser on the other one, so I should begin to worry, but, perhaps, I can rely on ProSecurity.... some more reboots and just one more cup of coffee to be awake when alerts show up.
If even AVs can cope, I hope Antivir can/will stop it as well, and this makes the picture less fearsome.
Moreover, using SU or PS, depending on how long it takes for a Killdisk-like malware to bring about its deeds, I wonder if making frequent reboots, let's say one every couple of hours, can help in halting the threat.
In addition to that I navigate the web with a limited account, which is ProSecurity protected, AV protected, ShadowUser protected, BOClean protected, firewall Application Behaviour protected,.... I think I would receive at least one alert of it.......;D ...perhaps......

Peter2150
July 6th, 2007, 12:08 PM

Killdisk does its work very quickly. Once you execute it, a little window with a Chinese-looking title pops up. It has an OK button on it. But at that point, regardless of what you do, the system reboots, and that's it. Deed done. And you can't just restore an image.

Returnil, later versions of PowerShadow, and Sandboxie all stop most of this stuff.

I would continue to use ShadowUser, and try running Sandboxie with it.

Pete

Horus37
July 6th, 2007, 03:18 PM
If Killdisk goes after the partition table, then how did PowerShadow 2.6 survive the test if PowerShadow doesn't protect the MBR?

Peter2150
July 6th, 2007, 04:43 PM

I am not sure if it was 2.6. It's been a while since I did those tests. You're going to have to search for my posts to check it out now. I honestly don't remember.

bellgamin
July 6th, 2007, 04:48 PM
I use ShadowSurfer -- a baby brother of ShadowUser. I never considered the possibility that it doesn't protect MBR.

HOWEVER-- since MBR is so important, I have for some time been covering it with a 2nd layer of protection. Namely I periodically use the freebie HDHacker (http://dimio.altervista.org/eng/) to back-up MBR to an external drive.
-{ Quote: "HDHacker is a stand-alone micro-utility that saves, visualizes, and restores the MBR (from a physical drive), the BootSector (from a logical drive) or any specified sector from any disk (even removable disks)." }-

poirot
July 7th, 2007, 02:44 PM
I use ShadowUser without the Commit feature and don't save anything in it, so I have neutralized it into its baby brother ShadowSurfer....
I've downloaded HDHacker, Bellgamin, thanks for letting us know about this programmer.
Indeed it is a SECOND layer of protection, though, in the sense that if a Killdisk-like malware gets going, as Peter2150 says, it's already too late to do anything.
It is useful for 'normal' unfortunate events, though, but not for hard-core and lightning-fast ones which deal with the MBR....
We need something for that, as I think it's too risky to rely on a HIPS alert, be it ProSecurity or SSM, or even a BB.......... I had many, but I think a moment of stupidity can happen to anyone....

What kind of sandboxing do you think might be the answer for my setup, Peter2150? (ltd Account, BOClean, ProSecurity, ShadowUser)
Are you thinking about a BufferZone type or a DefenseWall one?

Peter2150
July 7th, 2007, 03:02 PM

If you don't want to change your setup, I'd try Sandboxie and see if it plays well. You could use the commit function in SU to have a safe folder to move something you download into the sandbox to, for safe reboot keeping.

Peter2150
July 7th, 2007, 03:25 PM
Downloaded HDhacker, but I am not sure how it would really help in the Killdisk attack.

Bellgamin, you mentioned you use it, so I turn it to you. How would you use it to recover from a killdisk attack. Machine doesn't boot as partition table has been corrupted. What does HDhacker give you and how do you use it. I looked at it, and didn't see it helping.

Pete

Jo Ann
July 7th, 2007, 07:28 PM
Fwiw, I do know that Prevx stops the killdisk virus ever since Prevx1, and Prevx2 is better yet! ;)

Mrkvonic
July 8th, 2007, 02:24 AM
Hello,

A few neat solutions:

MBR corruption is nothing serious. If you use the Windows loader, then it's just fixmbr; if you are using GRUB, then it's find /boot/grub/stage1 and set it up again.

How to salvage a destroyed partition table? Well, I have mentioned it quite a few times, and the links are included in my lists of cool tools.

TestDisk
http://www.cgsecurity.org/wiki/TestDisk

Comes on Knoppix or SystemRescueCD live CDs.

http://www.knoppix.org/

http://www.sysresccd.org/System-tools

Then, don't forget other great tools like GParted, QTParted, Partimage, Grub, Lilo, sfdisk, which are more than useful, plus running from live CDs, so it's not really important if system is bootable or not.

Most of these tools are included with the two live CDs.

Mrk
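Mrk's post leaves TestDisk as a black box. What it does for a wiped table is walk the disk looking for file-system boot sectors and rebuild partition entries from them. The block below is an added example for this thread, written by the editor; it is not TestDisk's code and not from any poster. It scans an in-memory disk image for NTFS, FAT32 and FAT16 boot sectors, skips the NTFS backup boot sector (which sits in the last sector of its volume and would otherwise look like a second partition), rejects candidates that would run past the end of the disk, and writes a fresh MBR. The image from make_sample_image() is constructed for the demo; the partition type codes (0x07, 0x0C, 0x06) and the field offsets are the standard NTFS/FAT BPB layout. On a real drive you would read the raw device and write the rebuilt sector only after checking the list it produces, which is exactly the "P"/"Write" confirmation step TestDisk makes you go through.

```python
"""Rebuild a wiped MBR partition table by scanning the disk for file-system
boot sectors, the core of what TestDisk's partition search does.
Added example for this thread; not TestDisk's code. The sample image is
constructed in make_sample_image()."""
import struct

SECTOR = 512
SIG = b"\x55\xaa"          # boot-sector signature at bytes 510-511
PT_OFFSET = 446            # MBR partition table: 4 entries x 16 bytes
NO_CHS = b"\xfe\xff\xff"   # CHS fields set to the usual 'use LBA' marker


def classify_boot_sector(sec):
    """Return (MBR partition type, volume length in sectors) when `sec` is an
    NTFS/FAT32/FAT16 boot sector, otherwise None."""
    if len(sec) != SECTOR or sec[510:512] != SIG:
        return None
    if struct.unpack_from("<H", sec, 0x0B)[0] != SECTOR:   # bytes per sector
        return None
    if sec[3:11] == b"NTFS    ":
        total = struct.unpack_from("<Q", sec, 0x28)[0]
        return 0x07, total + 1   # NTFS stores size minus its backup boot sector
    if sec[0x52:0x57] == b"FAT32":
        return 0x0C, struct.unpack_from("<I", sec, 0x20)[0]
    if sec[0x36:0x3A] == b"FAT1":
        small = struct.unpack_from("<H", sec, 0x13)[0]
        return 0x06, small or struct.unpack_from("<I", sec, 0x20)[0]
    return None


def scan_for_partitions(img, start_lba=1):
    """Walk the image sector by sector and collect (lba, type, length).
    After a hit the scan jumps past that volume, so the NTFS backup boot
    sector in the volume's last sector is not reported as a second partition.
    Candidates that would run past the end of the disk are rejected."""
    total = len(img) // SECTOR
    found, lba = [], start_lba
    while lba < total:
        hit = classify_boot_sector(img[lba * SECTOR:(lba + 1) * SECTOR])
        if hit and lba + hit[1] <= total:
            found.append((lba, hit[0], hit[1]))
            lba += hit[1]
        else:
            lba += 1
    return found


def build_mbr(parts, boot_code=b""):
    """Return a 512-byte MBR with up to four primary entries from `parts`.
    Extended partitions are out of scope here."""
    if len(parts) > 4:
        raise ValueError("more than four primary partitions found")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code[:PT_OFFSET])] = boot_code[:PT_OFFSET]
    for i, (lba, ptype, length) in enumerate(parts):
        status = 0x80 if i == 0 else 0x00        # first entry marked active
        struct.pack_into("<B3sB3sII", mbr, PT_OFFSET + i * 16,
                         status, NO_CHS, ptype, NO_CHS, lba, length)
    mbr[510:512] = SIG
    return bytes(mbr)


def make_sample_image():
    """Constructed 256 KiB image in the post-KillDisk state: MBR table zeroed,
    an NTFS volume at LBA 64 (200 sectors, backup boot sector in its last
    sector) and a FAT32 volume at LBA 300 (100 sectors)."""
    img = bytearray(SECTOR * 512)
    img[510:512] = SIG                       # MBR signature intact, table zero
    ntfs = bytearray(SECTOR)
    ntfs[3:11] = b"NTFS    "
    struct.pack_into("<H", ntfs, 0x0B, SECTOR)
    struct.pack_into("<Q", ntfs, 0x28, 199)  # NTFS convention: sectors minus one
    ntfs[510:512] = SIG
    img[64 * SECTOR:65 * SECTOR] = ntfs
    img[263 * SECTOR:264 * SECTOR] = ntfs    # backup boot sector at LBA 64+200-1
    fat = bytearray(SECTOR)
    struct.pack_into("<H", fat, 0x0B, SECTOR)
    struct.pack_into("<I", fat, 0x20, 100)
    fat[0x52:0x5A] = b"FAT32   "
    fat[510:512] = SIG
    img[300 * SECTOR:301 * SECTOR] = fat
    return bytes(img)


def recover(img):
    """Scan and return (found partitions, rebuilt MBR keeping old boot code)."""
    parts = scan_for_partitions(img)
    return parts, build_mbr(parts, boot_code=img[:PT_OFFSET])


if __name__ == "__main__":
    for lba, ptype, length in recover(make_sample_image())[0]:
        print(f"LBA {lba:>6}  type {ptype:#04x}  {length} sectors")
```

Running it prints the two volumes the table no longer named; recover() also hands back the new sector 0 you would write with dd or a sector editor once you have checked that the geometry is plausible. The scan is linear and reads every sector, which is fine for an image and is why TestDisk's quick search on a real multi-hundred-GB disk takes a while; it also shows why Peter's RAID case fails at a lower layer: if the live CD cannot see the physical disk at all, there is nothing to scan.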

Peter2150
July 8th, 2007, 08:44 AM

Hi MRk

Thanks for the links. The catch-22 I got into when I really messed up the partition table (made Killdisk look like a baby) was that I couldn't even boot the Windows XP CD. It BSOD'd. Many of the above tools wouldn't have worked, as they couldn't have seen my disks, because of the nVidia RAID drivers not being present. Disk drivers can be an issue.

Pete

Mrkvonic
July 8th, 2007, 10:20 AM
Hello,

TestDisk would have worked. Trust me. It's a magnificent piece of tool.

My brother had a disk that got its first sector moved to the last. Don't ask how. But TestDisk saved the comp like charm.

BTW, you can try to break the system again and see how superbly powerful these tools are.

Mrk

Peter2150
July 8th, 2007, 12:32 PM

No doubt it would have done its job if I could have run it. But the only recovery environments I've had any success in are Windows variants, such as BartPE or WinPE or VistaPE and of course the Windows CD. All of these were blue-screening. WD has a great DOS-based utility also, but it couldn't see the disks. I am going to test DBAN, but what did work was BootIt NG.

And honestly this one test I'd prefer not to repeat.

Pete

bellgamin
July 8th, 2007, 06:56 PM
-{ Quote: "Downloaded HDhacker, but I am not sure how it would really help in the Killdisk attack.

Bellgamin, you mentioned you use it, so I turn it to you. How would you use it to recover from a killdisk attack. Machine doesn't boot as partition table has been corrupted. What does HDhacker give you and how do you use it. I looked at it, and didn't see it helping.

Pete" }-

I mentioned HDHacker only because, AFAIK, it's one of the few stand-alone apps that can back-up & restore MBR per se.

Since I image often to an external drive, & retain copies going back several weeks, THAT (not HDHacker) is my *security* against killdisk, HD failure, tsunamis, jishins, & the heartbreak of psoriasis. :)

For power users, I might mention Terabyte's free MBRWork (http://www.terabyteunlimited.com/utilities.html). MBRWork is a DOS application. DOS is probably where you want to be when Windows is in bad straits, right? Yes, DOS is still available in XP & (AFAIK) in Vista.

MBRWork can perform the following:
1 - Backup the first track on a hard drive.
2 - Restore the backup file.
3 - Reset the EMBR area to all zeros.
4 - Reset the MBR area to all zeros.
5 - Install standard MBR Code
6 - Set a partition active (avail on the command line too)
7 - Work with multiple hard drives.
8 - Edit MBR partition entry values.
A - If no partitions exist in the MBR and no EMBR exists then this option will allow you to recover lost FAT, HPFS, NTFS, and Extended partitions.
C - Capture up to 64 disk sectors to a file.
R - Restore up to 64 disk sectors from a file. This feature should only be used by those* who completely understand what they are doing!
T - Transfer/Copy sectors from disk to disk. This feature should only be used by those* who completely understand what they are doing!
P - Compare sectors.

* I am NOT one of "those." I have no idea of what I'm talking about.
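Two of bellgamin's posts (HDHacker earlier in the thread, and the MBRWork feature list just above) are about the same operation: save sector 0, keep it somewhere safe, and put it back. The block below is an added example by the editor for this thread, not code from HDHacker, MBRWork or anyone posting here. It reads the MBR from a file-like object, decodes the four partition entries, flags the two things a Killdisk-style hit leaves behind (a zeroed table, a missing 55AA signature) plus obviously invalid entries, stores the sector with a SHA-256 so later drift is visible, and restores it either whole or boot-code-only (the second mode is what fixmbr does: it leaves the partition table alone, so it will not bring back a wiped table). It runs here on an in-memory image; the raw-device paths in the comments are the standard ones but are not used by the demo, and the MBR from make_sample_mbr() is constructed. Peter's point stands that this only helps if you can still boot something that can see the disk, so the backup belongs on removable media together with a live CD or PE disc whose drivers you have already tested.

```python
"""Back up, check and restore the MBR (sector 0). Added example for this
thread, not code from HDHacker or MBRWork. Works on any seekable binary
file; on a real machine open the raw device with admin rights, e.g.
r"\\.\PhysicalDrive0" on Windows or "/dev/sda" on Linux (not done here).
The sample MBR from make_sample_mbr() is constructed."""
import hashlib
import io
import os
import struct
import tempfile

SECTOR = 512
PT_OFFSET = 446            # partition table: 4 entries x 16 bytes at 446..509
ENTRY = 16
SIGNATURE = b"\x55\xaa"    # boot signature at 510..511


def read_mbr(dev):
    """Read sector 0 from an open binary file or raw device."""
    dev.seek(0)
    mbr = dev.read(SECTOR)
    if len(mbr) != SECTOR:
        raise IOError("short read of sector 0")
    return mbr


def parse_partitions(mbr):
    """Decode the four primary partition entries (CHS fields skipped)."""
    parts = []
    for i in range(4):
        status, ptype, start, length = struct.unpack_from(
            "<B3xB3xII", mbr, PT_OFFSET + i * ENTRY)
        parts.append({"index": i, "status": status, "type": ptype,
                      "lba_start": start, "sectors": length})
    return parts


def check_mbr(mbr):
    """Return a list of findings; an empty list means the MBR looks sane."""
    findings = []
    if mbr[510:512] != SIGNATURE:
        findings.append("boot signature 55AA missing")
    if mbr[PT_OFFSET:PT_OFFSET + 4 * ENTRY] == bytes(4 * ENTRY):
        findings.append("partition table is all zeros (KillDisk-style wipe)")
    for p in parse_partitions(mbr):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: bad status byte {p['status']:#x}")
        if p["type"] and p["sectors"] == 0:
            findings.append(f"entry {p['index']}: type {p['type']:#x} with zero length")
    return findings


def backup_mbr(dev, path):
    """Save sector 0 to `path`; return its SHA-256 to keep alongside it."""
    mbr = read_mbr(dev)
    with open(path, "wb") as f:
        f.write(mbr)
    return hashlib.sha256(mbr).hexdigest()


def restore_mbr(dev, path, code_only=False):
    """Write the saved sector back. code_only=True rewrites just the 446 bytes
    of boot code and keeps the current table (what fixmbr does); the default
    puts back the whole sector, table included. Returns the new hash."""
    with open(path, "rb") as f:
        saved = f.read(SECTOR)
    if len(saved) != SECTOR or saved[510:512] != SIGNATURE:
        raise ValueError("backup file is not a 512-byte MBR with 55AA signature")
    if code_only:
        saved = saved[:PT_OFFSET] + read_mbr(dev)[PT_OFFSET:]
    dev.seek(0)
    dev.write(saved)
    dev.flush()
    return hashlib.sha256(read_mbr(dev)).hexdigest()


def make_sample_mbr():
    """Constructed MBR: stub boot code, one active NTFS partition at LBA 2048."""
    mbr = bytearray(SECTOR)
    mbr[0:2] = b"\x33\xc0"                       # stands in for real boot code
    struct.pack_into("<B3xB3xII", mbr, PT_OFFSET, 0x80, 0x07, 2048, 204800)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


def demo():
    """Back up a good MBR, wipe its table as KillDisk would, detect, restore."""
    disk = io.BytesIO(bytes(SECTOR * 8))
    disk.write(make_sample_mbr())
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "mbr.bak")
        before = backup_mbr(disk, backup)
        disk.seek(PT_OFFSET)
        disk.write(bytes(4 * ENTRY))             # simulated partition-table wipe
        findings = check_mbr(read_mbr(disk))
        after = restore_mbr(disk, backup)
    return before, findings, after, check_mbr(read_mbr(disk))
```

demo() returns the hash before the wipe, the findings on the wiped sector, the hash after restore (identical to the first) and an empty findings list afterwards. Note what the check cannot do: it tells you the table is gone, not what was in it, so it is the backup file, not the check, that gets you back, which is bellgamin's point about relying on images rather than on HDHacker itself.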