A Quick Rundown Of MBR Threats Protection


EASTER
February 23rd, 2008, 05:01 AM
So how about a brief list of those apps that are 100% efficient against the likes of RobotDog, StealthMBR, Gromozon, etc. beforehand.

SandboxIE, latest Returnil, etc

I think it would be a little more helpful to do a quick rundown for membership here instead of spreading topics of the successes all over the place.

Some of you implement very different programs than mentioned above, so please present your findings with those apps and how well you find them against the likes of such MBR infectors etc.

And in fairness, what if any apps are effective AFTER these MBR infectors are allowed to run, if any.

Thanks.
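As an added example (not from any poster in this thread), here is the kind of after-the-fact check a boot-sector integrity tool performs: it parses a 512-byte MBR, verifies the 0x55AA signature, and compares the 440-byte boot code against a trusted baseline hash. The MBR bytes are constructed inline; reading the live sector (for example from \\.\PhysicalDrive0 with administrator rights) is left out and assumed.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 440           # bytes 0..439 hold boot code; disk signature follows
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR


def parse_partitions(mbr: bytes):
    """Return the four partition-table entries as dicts (status, type, LBA start, length)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) lba_start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str):
    """Compare boot code against a known-good hash and sanity-check the sector."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()
    if digest != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    if sum(1 for p in parts if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    return {"boot_code_sha256": digest, "partitions": parts, "findings": findings}


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code plus one bootable NTFS partition."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 16] = struct.pack(
        "<B3xB3xII", 0x80, 0x07, 2048, 409600)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


CLEAN_MBR = make_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")   # constructed baseline
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_SIZE]).hexdigest()  # hash taken when clean
TAMPERED_MBR = make_sample_mbr(b"\xEB\xFE")                         # constructed: boot code replaced

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, BASELINE)["findings"])     # []
    print(check_mbr(TAMPERED_MBR, BASELINE)["findings"])  # ['boot code differs from baseline']
```

The baseline hash has to be recorded while the system is known clean (and re-recorded after a legitimate bootloader update), otherwise a mismatch tells you nothing.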

aigle
February 23rd, 2008, 05:33 AM
Most sandboxes like GesWall, DefenceWall, SafeSpace and Sandboxie will be successful.

How about a list of MBR/ Deep Disk attacking malware/ POC etc:

KillDisk
MBR tool
MBR rootkit
Bypass dll
Robodog trojan

?
?

solcroft
February 23rd, 2008, 05:40 AM
Robodog does not modify the boot sector. It uses a driver to restore the SSDT hooks of boot-to-restore programs.

EASTER
February 23rd, 2008, 07:03 AM
-{ Quote: "Most sandboxes like GesWall, DefenceWall, SafeSpace and Sandboxie will be successful.

How about a list of MBR/ Deep Disk attacking malware/ POC etc:

KillDisk
MBR tool
MBR rootkit
Bypass dll
Robodog trojan

?
?" }-

Thanks aigle:

And what about now Virtual programs since it's concluded Sandboxes are more than a match for these malware mentioned.

aigle
February 23rd, 2008, 03:37 PM
-{ Quote: "Robodog does not modify the boot sector. It uses a driver to restore the SSDT hooks of boot-to-restore programs." }-
Thanks Solcroft! Did you try it against Eaz-Fix?

solcroft
February 23rd, 2008, 04:01 PM
Nope, sorry. I'm not familiar with that one.

demoneye
February 25th, 2008, 01:28 PM
-{ Quote: "Thanks Solcroft! Did you try it against Eaz-Fix?" }-

It doesn't hold... qq2592 already tested it ...


http://www.wilderssecurity.com/showpost.php?p=1186730&postcount=50

http://www.wilderssecurity.com/showpost.php?p=1186955&postcount=16

cheers ;)

aigle
February 25th, 2008, 04:01 PM
Not sure! I am still waiting for his detailed response.

Did he try to revert to a previous snapshot via the pre-boot console? What were the results then?

wat0114
February 25th, 2008, 05:00 PM
-{ Quote: "Robodog does not modify the boot sector. It uses a driver to restore the SSDT hooks of boot-to-restore programs." }-

Hi solcroft,

somewhere in another thread you mentioned Robodog downloads a trojan upon reboot. To your knowledge, will most two-way software firewalls alert on this attempt, or does Robodog typically accomplish this before the firewall loads and protects?

Thanks in advance!

EASTER
February 25th, 2008, 11:57 PM
Thanks solcroft for your explanation.

RobotDog is more a destructor of ISR apps and pulls the sys driver (hooks) flat out of the line up rendering those apps gaping at nothing to act on. It also works on HIPS too no doubt.

I'm no worse for wear then, since it doesn't do a KillDisk to the MBR, but that's almost as bad I suppose. One would likely need to reinstall their ISR again after it pulled the remnants of its supporting crew, whatever they may be.

EASTER

solcroft
February 26th, 2008, 02:25 AM
-{ Quote: "Hi solcroft,

somewhere in another thread you mentioned Robodog downloads a trojan upon reboot. To your knowledge, will most two-way software firewalls alert on this attempt, or does Robodog typically accomplish this before the firewall loads and protects?

Thanks in advance!" }-
Trojans, actually.

It's kind of hard to answer that question, as different variants of Robodog insert themselves into different startup entries, ranging from the Startup folder to sticking a dll into svchost.exe IIRC. That, and I'm a firm believer of the uselessness of outbound protection on my computer (I use only the inbuilt XP firewall).

In other words, I don't really know. ;D

wat0114
February 26th, 2008, 11:20 AM
-{ Quote: "Trojans, actually.

It's kind of hard to answer that question, as different variants of Robodog insert themselves into different startup entries, ranging from the Startup folder to sticking a dll into svchost.exe IIRC. That, and I'm a firm believer of the uselessness of outbound protection on my computer (I use only the inbuilt XP firewall).

In other words, I don't really know. ;D" }-

No problem, thanks! I suppose that's where the HIPS, either built-in to the fw or a separate product, could *hopefully* alert on the dll injection. Further to that, I have very restrictive rules on svchost.exe where it's allowed access to only MS update servers on ports 80 & 443, time server on 123, dns to specific ISP ip on 53 and localhost connection. I would think that even if the dll injection was successful the fw would still alert on svchost attempting the IIRC connection?