cs.exe has "bypassed" all latest version of RVS2008, ShadowUser and PowerShadow


nanana1
June 12th, 2008, 06:03 AM
Only ShadowDefender version 1.1.0.261 is able to withstand the cs.exe malware at this time.:lurking:

Any version lower than 261 has also been "bypassed".

How's that for Tony's response 8)

aigle
June 12th, 2008, 06:48 AM
Can you post some more details about it?

Thanks

pidbo
June 12th, 2008, 06:49 AM
{QUOTE-> Only ShadowDefender version 1.1.0.261 is able to withstand the cs.exe malware at this time.:lurking:

Any version lower than 261 has also been "bypassed".

How's that for Tony's response 8) <-QUOTE}

That is great news but where can we download Shadow Defender version 1.1.0.261? It doesn't appear on Tony's site.

Meriadoc
June 12th, 2008, 06:57 AM
Please more info on cs.exe. Sharpei/Gigabyte?

nanana1
June 12th, 2008, 07:45 AM
{QUOTE-> That is great news but where can we download Shadow Defender version 1.1.0.261? It doesn't appear on Tony's site. <-QUOTE}

Mods here don't allow direct download links. So you should be able to figure out how to download v1.1.0.261 given the link address to download v1.1.0.259, i.e. changing a few numbers will work :P

nanana1
June 12th, 2008, 07:49 AM
{QUOTE-> Please more info on cs.exe. Sharpei/Gigabyte? <-QUOTE}

It was detected by my AV as a TrojanDownloader.NYX.Trojan and quarantined. Did not want to download it to cause me troubles.

Be warned.

CogitoErgoSum
June 12th, 2008, 08:00 AM
For those that are interested,

The following links below describe cs.exe.

http://www.peterszor.com/sharpei.pdf
http://www.file.net/process/cs.exe.html
http://www.prevx.com/filenames/131946120005927461-0/CS.EXE.html
http://www.symantec.com/security_response/writeup.jsp?docid=2002-022617-0242-99&tabid=1
http://www.threatexpert.com/files/cs.exe.html


Peace & Gratitude,

CogitoErgoSum

CogitoErgoSum
June 12th, 2008, 08:16 AM
Hello nanana1,

Out of curiosity, are you using NOD32? KAV? Thanks in advance.


Peace & Gratitude,

CogitoErgoSum

nanana1
June 12th, 2008, 09:04 AM
NOD32 here :-*

PROROOTECT
June 12th, 2008, 09:17 AM
Hi, you have OPEN PORTS? Perfect solution: Seconfig XP.

CogitoErgoSum
June 12th, 2008, 09:35 AM
Hello nanana1,

Since you are using NOD32, the piece of malware that you encountered must have been Win32/TrojanDownloader.Agent.NYX.

~VirusTotal and\or Jotti link removed per Policy (http://www.wilderssecurity.com/showthread.php?t=180057)....Bubba~

Peace & Gratitude,

CogitoErgoSum

Coldmoon
June 12th, 2008, 11:30 AM
{QUOTE-> Only ShadowDefender version 1.1.0.261 is able to withstand the cs.exe malware at this time.:lurking:

Any version lower than 261 has also been "bypassed".

How's that for Tony's response 8) <-QUOTE}

Hi nanana1,
The Anti-Execute plug-in in the 2.01 Premium Edition can stop this in its tracks. Please try a new test with the latest Beta.

Thanks
Mike

nanana1
June 12th, 2008, 12:00 PM
{QUOTE-> Hi nanana1,
The Anti-Execute plug-in in the 2.01 Premium Edition can stop this in its tracks. Please try a new test with the latest Beta.

Thanks
Mike <-QUOTE}

It is claimed that this version of Returnil Virtual System 2008 Premium Edition v2.0.1.7067 Beta has been "bypassed". Do you refer to this version? If not, please provide the build number.

Mrkvonic
June 12th, 2008, 12:01 PM
Hello,
Care to elaborate what you mean by "bypassed?"
Mrk

nanana1
June 12th, 2008, 12:03 PM
{QUOTE-> Hello,
Care to elaborate what you mean by "bypassed?"
Mrk <-QUOTE}

'bypassed' is the word that Perman chose to describe his cs.exe virus.
More accurate is 'bypassed' = penetrated :P

Coldmoon
June 12th, 2008, 12:07 PM
{QUOTE-> It is claimed that this version of Returnil Virtual System 2008 Premium Edition v2.0.1.7067 Beta has been "bypassed". Do you refer to this version? If not, please provide the build number. <-QUOTE}

Please send me a PM with the link to the executable so we can test your report.

Thanks
Mike

Mrkvonic
June 12th, 2008, 12:18 PM
Hello,

So, this virus has an implementation that can leave the virtual device sandbox and write to the physical device. This means that the programs are not foolproof in enforcing this principle.

This is similar to chroot jail it seems, and apparently the virtualization programs use more than the basic set of permissions and files needed to virtualize the layer.

Mrk

nanana1
June 12th, 2008, 12:22 PM
{QUOTE-> Please send me a PM with the link to the executable so we can test your report.

Thanks
Mike <-QUOTE}

PM sent !

trjam
June 12th, 2008, 12:26 PM
nanana1, if you could try it with Geswall it would be greatly appreciated.

nanana1
June 12th, 2008, 12:38 PM
{QUOTE-> Hi nanana1,
The Anti-Execute plug-in in the 2.01 Premium Edition can stop this in its tracks. Please try a new test with the latest Beta.

Thanks
Mike <-QUOTE}


Coldmoon,

You may be right. RVS2008 may have been penetrated because the anti-execute plug-in may not have been properly set up. Anyway, it's good to test: is the RVS free version compromised by this virus?

This affects only NTFS systems; a FAT OS is safe from this.

Coldmoon
June 12th, 2008, 01:10 PM
{QUOTE-> Coldmoon,

You may be right. RVS2008 may have been penetrated because the anti-execute plug-in may have been properly set up. Anyway, it's good to test: is the RVS free version compromised by this virus?

This affects only NTFS systems; a FAT OS is safe from this. <-QUOTE}

Hi,
As you can see from our test (see image), the Anti-Execute plug-in will flag this malware if it attempts to execute. You are correct, however, that the 2.0 series is vulnerable.

We added the AE and Auto-runs plug-ins in 2.01 to address issues with the dog Trojans. To date we have had a very positive response from testers in China regarding the effectiveness of these plug-ins against the dogs and other similar types of ISR bypass malware.

Mike

Firebytes
June 12th, 2008, 01:36 PM
@coldmoon

Will those protections be included in the next free version as well?

Coldmoon
June 12th, 2008, 02:07 PM
{QUOTE-> @coldmoon

Will those protections be included in the next free version as well? <-QUOTE}

Hi Firebytes,
It is too early in the Public Beta for 2.01 to detail what will or will not be included in the Personal Edition when it is released. I have made sure though that your question is added to the discussion agenda and will be considered thoroughly.

Mike

pidbo
June 12th, 2008, 02:30 PM
{QUOTE-> Mods here dun allow direct download link. So you should be able to figure out how to download v 1.1.0.261 given the link address to download v1.1.0.259, ie. change a few numbers will work :P <-QUOTE}

Thanks nanana1, I have now successfully downloaded Shadow Defender v 1.1.0.261
Tony sent me a link but as you said I could have worked it out.

Thanks anyway

Firebytes
June 12th, 2008, 03:59 PM
{QUOTE-> It is too early in the Public Beta for 2.01 to detail what will or will not be included in the Personal Edition when it is released. I have made sure though that your question is added to the discussion agenda and will be considered thoroughly. <-QUOTE}

Thanks for adding it for consideration. I believe in the past you have stated that although the premium version has extra features, critical security issues would be addressed in both the free and premium versions. I hope that mindset continues with Returnil.

hany3
June 12th, 2008, 05:18 PM
Shadow Defender 1.1.0.261 defends against cs.exe OK,
but I faced a lot of problems with this version.
I think it is still under internal testing; that's why it is not available on the homepage.
Back to the previous version 1.1.0.259 till the problems are fixed, as I care about my system integrity more than the so-called cs.exe.

zopzop
June 12th, 2008, 05:28 PM
Yes nanana1, if you could try this virus out against GesWall and post the results?

I'm still sort of shocked this thing got past so many different virtualization (or is it ISR?) products. This is why, even with all the fancy security programs you have, it's still worth it to run in a limited user account.

ErikAlbert
June 12th, 2008, 06:00 PM
{QUOTE-> Yes nanana1, if you could try this virus out against GesWall and post the results?

I'm still sort of shocked this thing got past so many different virtualization (or is it ISR?) products. This is why, even with all the fancy security programs you have, it's still worth it to run in a limited user account. <-QUOTE}
It's an executable. In my case AE will kill it. HIPS will do the same. All these ISR-killers are executables.

Meriadoc
June 12th, 2008, 06:07 PM
{QUOTE-> i'm still sort of shocked this thing got past <-QUOTE}
Really?! If you care to strive to circumvent or outwit a program or an idea, is it a surprise that you just may succeed? Just yesterday I analysed a malware that broke out of Sandboxie.
Anyway, it is a game that will undoubtedly make this software stronger.
{QUOTE-> still worth it to run in a limited user account <-QUOTE}
I agree, then again running as a limited user does not protect you from all malware.

zopzop
June 12th, 2008, 06:16 PM
@ErikAlbert

Yup, I've noticed that too.

@Meriadoc

{QUOTE-> I agree, then again running as a limited user does not protect you from all malware. <-QUOTE}

Never said it did ;), just a nice first step (see my sig) along with software restriction policy (with the added bonus of blocking all startup locations from being written to, thanks to KAFU). That right there cuts the heart out of the most vicious malware and restricts the damage to the limited user account.

Meriadoc
June 12th, 2008, 06:25 PM
{QUOTE-> never said it did <-QUOTE}
Yeah I know :) - it wasn't directed at you, I just wanted to comment on limited account.
{QUOTE-> and restricts the damage <-QUOTE}
Yes exactly.

pidbo
June 12th, 2008, 06:28 PM
{QUOTE-> Shadow Defender 1.1.0.261 defends against cs.exe OK,
but I faced a lot of problems with this version.
I think it is still under internal testing; that's why it is not available on the homepage.
Back to the previous version 1.1.0.259 till the problems are fixed, as I care about my system integrity more than the so-called cs.exe. <-QUOTE}

hany3

I'm curious to know what problems you have experienced.

hany3
June 12th, 2008, 06:34 PM
{QUOTE-> hany3

I'm curious to know what problems you have experienced. <-QUOTE}
Hi pidbo,
this is the bug report that has been sent to Tony;
you can have a look.

""
After downloading version 1.1.0.261
I lost my whole system because of it,
and finally I restored a Ghost image as a final solution to regain my Windows back,
although this version is designed to fight the malware cs.exe.
Here's the full story:

I was connecting my other SATA hard disk to my PC,
so my PC had 2 hard disks.
Then during this time I downloaded the new version, which does not appear on the home page,
uninstalled the previous version,
installed the new one, 1.1.0.261.
Everything was OK till now.
Then I enabled shadow mode for the system drive only, to continue after restart (my second hard disk still connected till now).
Then I turned off my PC,
removed the extra SATA hard disk,
turned on the PC.
The result: PC completely frozen at Windows loading, while loading SD and the antivirus "Avira AntiVir".
Many, many restarts, but useless, with the same results.
Then I reconnected the second hard disk as I thought it may be the cause,
because SD was installed in its presence,
but even after I reconnected the second hard disk, no good news.
Another odd behaviour I noticed:
every time I click on the SD quick launch icon the result is an automatic restart of the PC, which was a previous bug that is supposed to be fixed in previous versions. ""

alloucho
June 12th, 2008, 07:21 PM
{QUOTE->

I'm curious to know what problems you have experienced. <-QUOTE}
After installing this version and activating shadow mode, the system reboots continually ???
Back to build 1.1.260, all is fine.

aigle
June 12th, 2008, 07:35 PM
Can anyone test it against some sandboxes and HIPS like:

GesWall, DW, SBIE, SafeSpace

CFP, PS, OA and

TF

Thanks!

Does it install a driver?

aigle
June 12th, 2008, 07:40 PM
Also I am still curious to know what is meant by bypass? Does the malware persist totally after reboot, or does it just corrupt the ISR software?

Thanks

QQ2595
June 12th, 2008, 08:53 PM
it is clear to know who made this virus, this thread tells me much. 8)

aigle
June 13th, 2008, 01:06 AM
Tried it with GesWall.

Franklin
June 13th, 2008, 01:57 AM
When you say it bypassed Returnil do you mean it's still around after a reboot?

Nanana, could you PM a link to download cs.exe please.

Longboard
June 13th, 2008, 03:00 AM
hello y'all

This thread is jumping about a bit :blink:
{QUOTE-> So, this virus has an implementation that can leave the virtual device sandbox and write to the physical device. This means that the programs are not foolproof in enforcing this principle. <-QUOTE}
{QUOTE-> When you say it bypassed Returnil do you mean it's still around after a reboot? <-QUOTE} ?? Yes or no.

Is there some link for reading up on this: does this bypass all virtual layers/sandboxes other than GesWall?

Do any HIPS alert?
Does this get out of VMware VMs?
Will it write to FDISR snapshot files??

@Meriadoc:
{QUOTE-> Just yesterday I analysed a malware that broke out of Sandboxie. <-QUOTE} :o What?
I just checked the Sandboxie forums: nothing there. Where are you up to??

This looks a bit worrying. :-\

Huupi
June 13th, 2008, 03:01 AM
{QUOTE-> Just yesterday I analysed a malware that broke out of Sandboxie. <-QUOTE}

Let Tsuk know !!;)

trjam
June 13th, 2008, 03:29 AM
great aigle, Geswall saves the day.:thumb:

nanana1
June 13th, 2008, 06:21 AM
{QUOTE-> When you say it bypassed Returnil do you mean it's still around after a reboot? <-QUOTE}

Yes, it is around after a reboot and some system files are corrupted.:wacko:

ErikAlbert
June 13th, 2008, 06:35 AM
{QUOTE-> Yes, it is around after a reboot and some system files are corrupted.:wacko: <-QUOTE}
How is that possible in a virtual system partition ? A virtual system is supposed to be even safer than FDISR.
This can happen to me also of course, but only as a temporary infection, never as a permanent infection.

Franklin
June 13th, 2008, 07:31 AM
Thanks for the link Nanana.

The default sandbox, where nothing can run or connect except FF of course, couldn't even unrar it.

Unrarred, then tried to run cs.exe in the default box, and no go again.

Set up a test sandbox with default settings, where it executed and seemed to be contained, with a folder named "Nt_File_Temp" being created containing 1 file named "__write_ok__" of 0 bytes.

Deleted the sandbox with no noticeable probs.

Tests done in a VM with Sandboxie as the only security app active. Returnil is installed but I forgot to turn it on.:ouch:

CogitoErgoSum
June 13th, 2008, 08:38 AM
For those who are interested,

Both Ilya and I can confirm that DefenseWall successfully blocks and restricts cs.exe. Additionally, I can also report that I have seen similar event logs to both aigle and Franklin when executing this malware sample.


Peace & Gratitude,

CogitoErgoSum

Franklin
June 13th, 2008, 08:54 AM
Does anyone know if cs.exe corrupts the real system when only using Returnil's disk cache method and not the mem cache, or does it corrupt the system if using either method?

trjam
June 13th, 2008, 10:23 AM
Kudos to Geswall and Defensewall.:)

tonycn
June 13th, 2008, 10:43 AM
{QUOTE-> it is clear to know who made this virus, this thread tells me much. 8) <-QUOTE}

This is the way you think?
In the past years you kept attacking DF, SD, PS; may I conclude you are working for some company?

This thread tells me much too.

trjam
June 13th, 2008, 11:03 AM
I am with you here Tony. I said this a few months back: it appeared every time something good was said about SD, someone showed up to piss on the party.>:(

QQ2595
June 13th, 2008, 12:06 PM
{QUOTE-> This is the way you think?
In the past years you kept attacking DF, SD, PS; may I conclude you are working for some company?

This thread tells me much too. <-QUOTE}

Hi Tony, welcome back to the forums. I am still hunting for a job. How much will you pay me if I post threads like nanana1?

BTW, Is this your thread?

http://www.cnsw.org/bbs/viewthread.php?tid=75160&page=1#pid281625

That guy admitted he had copied other's code/manual/website, yes?

QQ2595
June 13th, 2008, 12:31 PM
I wonder how a Chinese person can make a product/manual in English when he did not know what "Internet cafe" means.

http://www.cnsw.org/BBS/thread-77308-1-4.html ;D

nanana1
June 13th, 2008, 12:38 PM
{QUOTE-> Hi Tony, welcome back to the forums. I am still hunting for a job. How much will you pay me if I post threads like nanana1?

BTW, Is this your thread?

http://www.cnsw.org/bbs/viewthread.php?tid=75160&page=1#pid281625

That guy admitted he had copied other's code/manual/website, yes? <-QUOTE}

As the thread starter, this is for the benefit of everyone who is concerned with the security of their system. Tony has contributed as much to this forum's objective of better and improved security software as ColdMoon, etc.

QQ2595 is knowledgeable on this subject matter based on his previous posts, but let's all be constructive in our comments. To allege that someone made this virus based on conjecture and induction is not helpful at all.::)

SD did concede that he followed SU's manual, etc., likely due to English language proficiency, but as clearly stated by StorageCraft (SU developer) on this forum when SD was first introduced, SD did NOT copy SU's code or violate SU's IP.8)

QQ2595 may never care, but it would be a loss to others if Tony had not developed SD, so let's be constructive and positive in our comments.:thumb:

PS. I am NOT related to SD or Tony in any way, nor do I seek to be "paid" in this thread as QQ2595 has suggested.*puppy*

nanana1
June 13th, 2008, 12:42 PM
{QUOTE-> I wonder how a Chinese person can make a product/manual in English when he did not know what "Internet cafe" means.

http://www.cnsw.org/BBS/thread-77308-1-4.html ;D <-QUOTE}

This is absurd and irrelevant!:lurking:

QQ2595
June 13th, 2008, 12:56 PM
{QUOTE-> This is absurd and irrelevant!:lurking: <-QUOTE}

After googling some Chinese forums, I found so many absurd threads from the same people. ;D

In China, there are many interesting people like Mj0011. They make viruses to attack their competitors' products and post threads with titles similar to this one in their competitors' support forums.:thumbd:

nanana1
June 13th, 2008, 01:04 PM
{QUOTE-> After googling some Chinese forums, I found so many absurd threads from the same people. ;D

In China, there are many interesting people like Mj0011. They make viruses to attack their competitors' products and post threads with titles similar to this one in their competitors' support forums.:thumbd: <-QUOTE}

This is old wine in a new bottle; ever heard the similar line that AV software developers paid people to write and post viruses so that they can sell more AV software? Whether in China or not doesn't matter.8)

If you look back at this forum, the first thread about cs.exe is the one mentioning SD being "bypassed".:P

Anyway, we're off topic. Let's stick to the main concern here, which is to make such security software able to withstand any virus, malware and trojans as they show up:lurking:

QQ2595
June 13th, 2008, 01:20 PM
{QUOTE-> If you look back at this forum, the first thread about cs.exe is the one mentioning SD being "bypassed".:P <-QUOTE}

what is the link please?

nanana1
June 13th, 2008, 01:25 PM
{QUOTE-> what is the link please? <-QUOTE}

First mention is on Jun 9th at 5:51pm from Perman and the link is here

http://www.wilderssecurity.com/showpost.php?p=1257807&postcount=7

I started this thread on Jun 12th at 6:03pm.8)

QQ2595
June 13th, 2008, 01:32 PM
{QUOTE-> First mention is on Jun 9th at 5:51pm from Perman and the link is here

http://www.wilderssecurity.com/showpost.php?p=1257807&postcount=7

I started this thread on Jun 12th at 6:03pm.8) <-QUOTE}

Sorry, I mean the link to download cs.exe. :thumb:

nanana1
June 13th, 2008, 01:37 PM
{QUOTE-> Sorry, I mean the link to download cs.exe. :thumb: <-QUOTE}

PM sent !

HURST
June 13th, 2008, 01:38 PM
So the bottom line so far is that several virtualizing apps such as Returnil are bypassed by this, but from what I understand, sandboxes (GesWall, DW, and SBIE) seem to protect well against it.

I have 2 questions:

1.- Mainly addressed to Coldmoon:
Since the "dogs" came out, I see that Returnil is heading down the "execution prevention" path. How hard (and I don't mean this in an ironic/hostile/rude manner... just asking) is it to develop virtual protection against this? I mean, I would like Returnil to remain the excellent virtualization software that it is now. For execution protection one can have a HIPS or AE, etc. Personally I prefer an app that does the work it's intended to do in an excellent manner, instead of filling gaps with different features.
I hope Returnil doesn't become a Suite in the future or change its main objective.

2.- (off topic):
{QUOTE-> Just yesterday I analysed a malware that broke out of Sandboxie. <-QUOTE}
Would you like to elaborate on this? Maybe in another thread, in order not to hijack this one.

QQ2595
June 13th, 2008, 01:52 PM
{QUOTE-> PM sent ! <-QUOTE}

Thanks. Got it and had a short try. It is almost the same as RobotDog, which crashed the ISR market in China.

There are too many ways to bypass ISR as far as I know.

1) direct I/O to the disk port.
2) send SATA commands to the disk.
3) replace the volume filter stack
....

It is not news since 2007. I can simply bypass any ISR with sectorEditor. But with any HIPS/AE, or even a limited account, it will be stopped.:argh:

lucas1985
June 13th, 2008, 02:29 PM
{QUOTE->
replace the volume filter stack
<-QUOTE}
Do you mean manipulating the storage stack?
{QUOTE-> even limited account, it will be stopped <-QUOTE}
The most powerful protection :)

QQ2595
June 13th, 2008, 02:53 PM
{QUOTE-> Do you mean manipulating the storage stack? <-QUOTE}

I am not a kernel programmer, but I think yes.

I just tested SD 262 with CleanMBR. It can still bypass the latest SD.

I found SD never protects the MBR; it just backs up/restores the MBR every second. The new CleanMBR can cause a BSOD and prevent any restore operation.

Trespasser
June 13th, 2008, 03:03 PM
Does SRP stop cs.exe from executing?

Thank you.

demoneye
June 13th, 2008, 04:39 PM
{QUOTE-> I am not a kernel programmer, but I think yes.

I just tested SD 262 with CleanMBR. It can still bypass the latest SD.

I found SD never protects the MBR; it just backs up/restores the MBR every second. The new CleanMBR can cause a BSOD and prevent any restore operation. <-QUOTE}

I think it is best to combine AE or Executable Lockdown from hds ... it will overcome all DOGS and other nasties we have been talking about that can bypass SD, Returnil or ISR software.

From my point of view this is not really a bypass, because SD/DF/RETURNIL should return the PC to its state on reboot.... if it does (recovers/restores 100% of the data) it does what it was made for. Malware isn't part of the deal; it attacks PCs, no matter what software they hold.


cheers

HURST
June 13th, 2008, 05:23 PM
{QUOTE-> From my point of view this is not really a bypass, because SD/DF/RETURNIL should return the PC to its state on reboot <-QUOTE}

That's exactly the point... the malware is still there after reboot

trjam
June 13th, 2008, 05:41 PM
just use Geswall or VBA32 and quit worrying. Enjoy the weekend, not the malware creators.:P

Perman
June 13th, 2008, 06:49 PM
{QUOTE-> After googling some Chinese forums, I found so many absurd threads from the same people. ;D

In China, there are many interesting people like Mj0011. They make viruses to attack their competitors' products and post threads with titles similar to this one in their competitors' support forums.:thumbd: <-QUOTE}
Hi, my QQ friend:

I entirely object to your views:

Firstly, just look in the mirror to see whether you are just as ugly (absurd) as those people you referred to? Then fire your shots, eh?

Secondly, making viruses to attack rivals' products or posting negative comments about rivals' programs is not new. A friend of my friend (sounding very distant?) just completed a tour of duty working for rivals of his true, nothing but true lord. Can you imagine the magnitude of success/damage (depending on how you measure this) of his daring mission.

Stay open minded, my friend. Nationality should not be in Wilders' vocabulary, at least not in the mind of any average high-tech person (with a reasonable level of IQ).

You read English here; any posting or program presented in working English should be all right as well.

Firebytes
June 13th, 2008, 07:22 PM
This has already been asked once but I don't think it was ever answered... which AV, HIPS, AS, or behavior blockers can stop cs.exe and prevent it from ever having the chance to bypass the virtualization software in the first place?

How many other malwares are out there right now that are known to be able to bypass virtualization software?

aigle
June 13th, 2008, 07:31 PM
I think it's a new cat and mouse game.

ISRs versus Dog malware

The best and easiest way for me is this: I will install a specially configurable HIPS (like EQS) with ISR. The HIPS will deny by default the install of any new service, any new driver and any direct disk access, etc. Every other action will be allowed by default. Zero pop-ups in both cases. Now your ISR might be immune to all such Dogs.

More interestingly, an ISR can have a built-in HIPS especially configured for these needs, with no pop-ups and some extra options for power users. The limited HIPS part might not be a part of the default install of the ISR.

aigle
June 13th, 2008, 07:34 PM
By the way, I think all such dogs that defeat ISRs will usually fail against sandboxes/HIPS etc. due to the very nature of their actions.

Firebytes
June 13th, 2008, 07:44 PM
{QUOTE-> By the way, I think all such dogs that defeat ISRs will usually fail against sandboxes/HIPS etc. due to the very nature of their actions. <-QUOTE}

Hopefully TF is able to stop this type of malware as well.

EASTER
June 13th, 2008, 11:19 PM
The dogs can only bite a few; after they're found, look out! The DogCatcher is coming! ;D

Perman
June 14th, 2008, 10:03 AM
{QUOTE-> The dogs can only bite a few; after they're found, look out! The DogCatcher is coming! ;D <-QUOTE}
Hi, well said, except...

some top rated ones may be not that smart or that-not-stubborn.

Enlisting services of multilanguage scouts may be able to spot the first sign of new-born puppy. eh ?

tlu
June 14th, 2008, 12:09 PM
{QUOTE-> It's an executable. In my case AE will kill it. HIPS will do the same. All these ISR-killers are executables. <-QUOTE}

Not needed. A LUA/SRP approach does the same reliably.
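A default-deny Software Restriction Policy of the kind tlu and zopzop describe, as an added example that is not code from this thread or from any vendor it mentions. It writes the Safer registry keys that the Local Security Policy editor maintains, so it assumes an elevated PowerShell on a Windows edition that honours SRP; the rule GUIDs, descriptions and helper names are constructed here.

```powershell
# Added example (not from the thread): default-deny SRP through the Safer
# registry keys, plus a reader that lists the rules for auditing.
# Assumption: elevated PowerShell on a Windows edition that enforces SRP.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # security level "Disallowed"
$Unrestricted = 0x40000    # security level "Unrestricted" (262144)

function Set-SrpDefaultDeny {
    New-Item -Path $Safer -Force | Out-Null
    # Anything not matched by an Unrestricted rule is refused at process start.
    Set-ItemProperty -Path $Safer -Name 'DefaultLevel'        -Value $Disallowed -Type DWord
    # 1 = enforce on all software files except DLLs (2 would include DLLs).
    Set-ItemProperty -Path $Safer -Name 'TransparentEnabled'  -Value 1 -Type DWord
    # 0 = apply to all users, administrators included.
    Set-ItemProperty -Path $Safer -Name 'PolicyScope'         -Value 0 -Type DWord
    Set-ItemProperty -Path $Safer -Name 'AuthenticodeEnabled' -Value 0 -Type DWord
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Level,
        [string]$Description = ''
    )
    # Rules live under <level>\Paths\{GUID}; the GUID is generated here.
    $ruleKey = Join-Path $Safer ("{0}\Paths\{1}" -f $Level, [guid]::NewGuid().ToString('B').ToUpper())
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'     -Value $Path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Value 0 -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $ruleKey
}

function Get-SrpPathRules {
    # Walk every <level>\Paths\<guid> key and report path and level name.
    $names = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 8192 = 'Restricted'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
    Get-ChildItem -Path $Safer -ErrorAction SilentlyContinue |
      Where-Object { $_.PSChildName -match '^\d+$' } |
      ForEach-Object {
        $level = [int]$_.PSChildName
        Get-ChildItem -Path (Join-Path $_.PSPath 'Paths') -ErrorAction SilentlyContinue |
          ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{ Level = $names[$level]; Path = $props.ItemData; Description = $props.Description }
          }
      }
}

# Usage: default deny, then allow only the OS and installed-program trees.
Set-SrpDefaultDeny
Add-SrpPathRule -Path '%SystemRoot%'   -Level $Unrestricted -Description 'Windows directory' | Out-Null
Add-SrpPathRule -Path '%ProgramFiles%' -Level $Unrestricted -Description 'Installed programs' | Out-Null
# A limited user cannot write into either allowed tree, so an executable dropped
# in the profile or %TEMP% is refused before it ever runs.
Get-SrpPathRules | Format-Table -AutoSize
```

New processes are checked against the keys as written, but existing sessions may need a log off before the change shows in every shell.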

EASTER
June 14th, 2008, 04:11 PM
{QUOTE-> Not needed. A LUA/SRP approach does the same reliably. <-QUOTE}

Indeed. YEP!

Just found that out myself today.

I set aside a Hard Drive to throw everything at it including the kitchen sink, so am ready to see "IF" anything is up to my challenge. Because they can't hurt a thing.

EASTER

demoneye
June 14th, 2008, 07:23 PM
{QUOTE-> Indeed. YEP!

Just found that out myself today.

I set aside a Hard Drive to throw everything at it including the kitchen sink, so am ready to see "IF" anything is up to my challenge. Because they can't hurt a thing.

EASTER <-QUOTE}

How did you do that? Can you explain?

cheers

aigle
June 14th, 2008, 07:49 PM
{QUOTE-> Just yesterday I analysed a malware that broke out of Sandboxie. <-QUOTE}


Hi, can you PM me the link to it? I did send you a PM twice.

Thanks

fcukdat
June 14th, 2008, 08:18 PM
Interesting info on SB being posted at the following topic;)
http://forum.sysinternals.com/forum_posts.asp?TID=15072

Meriadoc
June 15th, 2008, 08:20 AM
{QUOTE-> What?
I just checked the Sandboxie forums: nothing there. Where are you up to??

This looks a bit worrying. <-QUOTE}
Please, no worry - carry on using Sandboxie - very good program:). It is really no surprise that someone circumvents any software.
Where we are up to is that it seems a malware has been able to write some entries to the registry while run under Sandboxie, but it is unfinished work and hasn't been tested over - will know more Monday and if verified by our group will contact tzuk.

{QUOTE-> I did send you a PM twice. <-QUOTE}
PMed.

aigle
June 15th, 2008, 09:01 AM
Thanks. Please at least let us know. By the way, can you test it with GesWall and DefenseWall too and share your results?

By the way, your PM box is full.

hany3
June 15th, 2008, 11:04 AM
{QUOTE-> I am not a kernel programmer, but I think yes.

I just tested SD 262 with CleanMBR. It can still bypass the latest SD.

I found SD never protects the MBR; it just backs up/restores the MBR every second. The new CleanMBR can cause a BSOD and prevent any restore operation. <-QUOTE}

The imaginary tool that you call "cleanMBR" seems to have no true existence in the real world except in your imagination, or maybe just on your PC.
You may face difficulty in distributing such malware to the real world.
There's a fact in programming that says "sometimes making the malware is so much easier than distributing its infection to other PCs".

So you say that cleanMBR bypasses SD and may cause BSODs with it.
So you have to prove this, or at least send it to me so I know if you are telling the truth.
If you will not prove it, or if you will not send this imaginary tool that seems to be just a private malware tool only on your PC... if you will not, then just stop telling us about the imaginary abilities of your imaginary tools that are only present on your imaginary PC.

BlueZannetti
June 15th, 2008, 11:39 AM
{QUOTE-> The imaginary tool that you call "cleanMBR" seems to have no true existence in the real world except in your imagination, or maybe just on your PC. <-QUOTE}
While I won't vouch for all recent variants...., the "tool" does exist, by that name, ~50 KB in size.

Blue

hany3
June 15th, 2008, 11:47 AM
{QUOTE-> While I won't vouch for all recent variants...., the "tool" does exist, by that name, ~ 50 KB in size.

Blue <-QUOTE}

So how can I obtain it?
I searched over the net but couldn't get anything by that name.
I just need it to test it against my Shadow Defender,
and if it really bypasses it, we will find a fix.

BlueZannetti
June 15th, 2008, 11:57 AM
{QUOTE-> So how can I obtain it? <-QUOTE}
hany3, this isn't a malware exchange, so don't bother asking.
If you can't find it, you probably shouldn't be looking for it.
If you can't find a copy with a directed search, what makes you believe that you're vulnerable just sitting on the net?
I guess I'm unclear on what "we will find a fix" means. You're going to reprogram the application?
Blue

hany3
June 15th, 2008, 12:03 PM
{QUOTE-> hany3, this isn't a malware exchange, so don't bother asking.
If you can't find it, you probably shouldn't be looking for it.
If you can't find a copy with a directed search, what makes you believe that you're vulnerable just sitting on the net?
I guess I'm unclear on what "we will find a fix" means. You're going to reprogram the application?
Blue <-QUOTE}

We are just testers,
but we are in close contact with the vendor.
I think the above words can explain to you the word "we".
All of that is because neither the users nor the vendor could find such a tool.
Best regards

HURST
June 15th, 2008, 12:07 PM
hany3,
I wonder how well you searched. A quick Google search with the terms "cleanmbr sample" (without "") shows that this malware is well known. There are some threads here on Wilders which mention it, and on CastleCops there is also info about it, saying that Returnil 2.0 protects against it.
So, even if the sample is hard to get (that's good news), it definitely is not an imaginary tool.

BlueZannetti
June 15th, 2008, 12:08 PM
{QUOTE-> but we are in close contact with the vendor <-QUOTE}
and this is primarily Chinese-based malware. Due to this, the vendor is much better positioned to obtain this material.

Blue

hany3
June 15th, 2008, 01:00 PM
{QUOTE-> hany3
I wonder how well you searched. A quick Google search with the terms "cleanmbr sample" (without "") shows that this malware is well known. There are some threads here in Wilders which mention it, and at CastleCops there is also info about it, saying that Returnil 2.0 protects against it.
So, even if the sample is hard to get (that's good news), it definitely is not an imaginary tool. <-QUOTE}

hurst

I meant that this malware may or may not exist:
1- if yes, it may be very rare;
2- if it existed but no longer does, then speaking about its supernatural powers to bypass all the ISR is useless;
3- if not present, then it may be worth the word "imaginary",
as it's hard for me to believe something I didn't see,
and a quick search in Google will bring you some Wilders pages from a thread speaking about it.



AND

if this tool is not imaginary, its supernatural abilities to bypass all the known ISR softwares may be so.

By the way, did you ever encounter such supernatural miraculous malware?
Or are you just like me, having just heard or read about it?

REMARK
Don't believe everything you read.
You have to see with your own eyes, then ask: how? and why?

best regards

pidbo
June 15th, 2008, 01:32 PM
I emailed Tony at Shadow Defender about this

and his reply was

Note - message removed. Cut/paste quoting email messages should not be done (read the TOS) unless there is firm confirmation from both parties that the public posting of the contents is agreed to in advance. In the absence of that, a concise summary of the content in your own words is suitable - Blue

EASTER
June 15th, 2008, 02:55 PM
There was once upon a time a dll named bxxs5.dll courtesy BookedSpace Spyware.

The mere act of just clicking on the dll sent System Safety Monitor (HIPS) into an endless loop of DENY's every second as it continuously attempted to add itself to the startup.

{QUOTE-> bxxs5.dll is a module belonging to the BookedSpace range of spywares. This module monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This process is a security risk and should be removed from your system. Please see additional details regarding this process. <-QUOTE}

This intrigued me because it wasn't an executable per se, but immediately on just clicking it, it registered itself and then the marathon pop ups began in earnest. I dunno if even AE could abort this wild and wooly thing (likely on HIGH), but I used it to test my IE's BHO blocking abilities in certain security programs.

As for CleanMBR, it does definitely exist and happens to be housed in my vast collection, although I've never gotten around to actually testing it since I was busy with rootkit/hiders research. But just like the KillDisk Trojan, if indeed it can infiltrate a user's system then you would have to seriously consider such a POC a real threat if it ever got bundled by a binder into some screensaver or the like, I would think. That's "IF" the recipient wasn't properly protected from just such a threat.

EASTER

Peter2150
June 15th, 2008, 04:06 PM
To Confirm

1) Cleanmbr exists, and does wipe out the MBR
2) Shadowdefender does indeed protect the system.
3) I am 99.9% sure Returnil does also.
4) I emailed tony to confirm no.2 and offered to help him acquire said program.

Pete

EASTER
June 15th, 2008, 04:32 PM
{QUOTE-> To Confirm

1) Cleanmbr exists, and does wipe out the MBR
2) Shadowdefender does indeed protect the system.
3) I am 99.9% sure Returnil does also.
4) I emailed tony to confirm no.2 and offered to help him acquire said program.

Pete <-QUOTE}

@Pete

Just to help clarify my sample CleanMBR :gack: MBR disrupters give me the absolute creeps, worse fear short of file infectors :doubt:

CleanMBR is a Dll or Exe?

Thanks, and many thanks for your past testing of that cruel KillDisk Trojan that still gives me the willies in my collection box every time I see it.

EASTER

hany3
June 15th, 2008, 05:53 PM
{QUOTE-> To Confirm

2) Shadowdefender does indeed protect the system.
3) I am 99.9% sure Returnil does also.


Pete <-QUOTE}


2) Shadowdefender does indeed protect the system.

- Do you mean protect the system generally speaking? Or protect specifically from this malware tool CleanMBR?
- Tony never got this malware, so how can we believe that SD protects from this malware tool?
- If you have CleanMBR, you can help Tony by sending it to him; we would very much appreciate this.
- The so called "QQ2595" claims that SD and other ISR do NOT protect from CleanMBR.

best regards

pidbo
June 15th, 2008, 06:27 PM
{QUOTE-> I emailed Tony at Shadow Defender about this

and his reply was

Note - message removed. Cut/paste quoting email messages should not be done (read the TOS) unless there is firm confirmation from both parties that the public posting of the contents is agreed to in advance. In the absence of that, a concise summary of the content in your own words is suitable - Blue <-QUOTE}

Hi Blue...sorry I should have summarized it...but Tony had said previously that I could use emails on the forum...so I didn't think I was doing any harm.
In future I will do a concise summary as recommended

Peter2150
June 15th, 2008, 07:02 PM
{QUOTE-> @Pete



CleanMBR is a Dll or Exe?



EASTER <-QUOTE}

It's an exe.

Pete

Peter2150
June 15th, 2008, 07:05 PM
{QUOTE->
- Do you mean protect the system generally speaking? Or protect specifically from this malware tool CleanMBR?
- Tony never got this malware, so how can we believe that SD protects from this malware tool?
- If you have CleanMBR, you can help Tony by sending it to him; we would very much appreciate this.
- The so called "QQ2595" claims that SD and other ISR do NOT protect from CleanMBR. <-QUOTE}
The how I can believe it is simple. I turn off other security software, run it and then reboot, and the system can't boot. It's hosed. Then I turn on Shadow Protect, run it and reboot, and the system is fine.

I am not surprised. Tony had SD protecting from other things that try to write to track 0 so I wouldn't have suspected this one would fail.

I have contacted Tony.

Pete

EASTER
June 15th, 2008, 07:36 PM
{QUOTE-> It's an exe.

Pete <-QUOTE}

Thanks. I have had this a good while now but have not made any real effort to run a full test with it, but from the looks of your "hosed" statement, once engaged at the system without proper protection, she's done and the only thing to do is pull up an image restore.

Maybe. Surely if this, and other MBR infectors, just write, zero, and so forth, there's got to be the old hat way of inserting either a floppy, CD or such with the original MBR and just overwriting the MBR back again, or for that matter letting your imaging software (if available) repair it itself, if it can.

EASTER
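As an added defender-side illustration of the "old hat" recovery described above (keep a copy of the original sector 0 and write it back), not code from this thread or from any of the products mentioned: a small Python script that parses a 512-byte MBR, classifies the current sector against a saved backup as intact, wiped, or altered, and restores the backup over an in-memory disk image. The sample MBR bytes are constructed for the example.

```python
import struct

# Added example (not code from the thread): back up, inspect and restore a 512-byte MBR.
# Classic layout: 446 bytes of boot code, four 16-byte partition entries at 446, 0x55AA at 510.
MBR_SIZE = 512
PART_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(mbr: bytes) -> dict:
    """Return the boot signature check and the four partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"signature_ok": mbr[510:512] == BOOT_SIGNATURE,
            "partitions": partitions}

def assess_mbr(current: bytes, backup: bytes) -> str:
    """Classify the current sector 0 against a trusted backup taken earlier."""
    if current == backup:
        return "intact"
    if not parse_mbr(current)["signature_ok"]:
        return "wiped"            # signature gone: zeroed or overwritten wholesale
    table = slice(PART_TABLE_OFFSET, 510)
    if current[table] != backup[table]:
        return "partition table altered"
    return "boot code altered"    # table matches, but the boot code differs

def restore_mbr(disk_image: bytes, backup: bytes) -> bytes:
    """Write the backed-up sector 0 over the first 512 bytes of an in-memory image."""
    return backup + disk_image[MBR_SIZE:]

def build_sample_mbr() -> bytes:
    """Constructed sample: zero boot code, one bootable NTFS-type (0x07) partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)
    return b"\x00" * PART_TABLE_OFFSET + entry + b"\x00" * 48 + BOOT_SIGNATURE

if __name__ == "__main__":
    good = build_sample_mbr()
    wiped = bytes(MBR_SIZE)                            # what a zeroing tool leaves behind
    print(assess_mbr(wiped, good))                     # wiped
    print(assess_mbr(restore_mbr(wiped, good), good))  # intact
```

On a real machine the 512-byte backup would be read from sector 0 of the boot disk while the system is known clean and stored offline; the classification then tells you whether an image restore is needed or whether writing the saved sector back is enough.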

Peter2150
June 15th, 2008, 08:08 PM
{QUOTE-> Thanks. I have had this a good while now but have not made any real effort to run a full test with it, but from the looks of your "hosed" statement, once engaged at the system without proper protection, she's done and the only thing to do is pull up an image restore.

Maybe. Surely if this, and other MBR infectors, just write, zero, and so forth, there's got to be the old hat way of inserting either a floppy, CD or such with the original MBR and just overwriting the MBR back again, or for that matter letting your imaging software (if available) repair it itself, if it can.

EASTER <-QUOTE}

I haven't tried with CleanMBR, but with Killdisk, you couldn't just restore an image. You had to delete the partition first.

Pete

EASTER
June 15th, 2008, 08:42 PM
{QUOTE-> I haven't tried with CleanMBR, but with Killdisk, you couldn't just restore an image. You had to delete the partition first.

Pete <-QUOTE}

Yeah, that one is pretty rough. As much as I would like to investigate if an alternative recovery method is possible another way, like say for instance, hypothetically (TestDisk) to re-write back the original partition, I just don't have the enthusiasm right now to blow another gasket with KillDisk only to have to pop the partition and go through an image recovery.

That's why it looks to me there should be floating about someplace a small tool of sorts to either re-direct such a disruption or stop it completely without having to resort to an entire program really designed to perform other features like a simple virtual system-boot-to-restore.

zopzop
June 15th, 2008, 09:00 PM
{QUOTE-> (TestDisk) to re-write back the original partition <-QUOTE}

I think TestDisk can indeed recover from a KillDisk attack. There was a forum member here who actually tested it (forgot his name, sorry) and PMed me back that TestDisk was able to recover the MBR. I believe this was confirmed on a wiki page devoted to TestDisk. If I find it I'll edit my message and include the link.

hope that helped.

EASTER
June 15th, 2008, 09:20 PM
{QUOTE-> I think TestDisk can indeed recover from a KillDisk attack. There was a forum member here who actually tested it (forgot his name, sorry) and PMed me back that TestDisk was able to recover the MBR. I believe this was confirmed on a wiki page devoted to TestDisk. If I find it I'll edit my message and include the link.

hope that helped. <-QUOTE}

Thanks zopzop

I know during one of my malware testing sessions I completely lost a whole partition x3 but minus 1. I was at a loss to find it with everything I had on hand at my disposal. The very last resort I tried before I would finally give up was the CD PARTED MAGIC that has TestDisk on it.

After a thorough scan it not only located the missing partition but re-wrote it back in its entirety, and to my knowledge 99% of all my programs and files were still intact and working fine. Just a small percentage seemed to have been tarnished, likely written over before I discovered it missing, which I presume the malware I tested deleted that partition.

Let us know if you get some confirmation on that, and I might just try that myself when I get up enough energy again to take a chance on running old KillDisk (dat dog).

zopzop
June 15th, 2008, 09:25 PM
@easter

OK, I just checked my PM folder and luckily I didn't erase the PM with the poster's name that was testing KillDisk vs TestDisk. His (her?) forum name is [suave]. You could PM him if you want, but he told me straight up he tested it and TestDisk recovered the MBR.

EASTER
June 15th, 2008, 09:52 PM
{QUOTE-> @easter

OK, I just checked my PM folder and luckily I didn't erase the PM with the poster's name that was testing KillDisk vs TestDisk. His (her?) forum name is [suave]. You could PM him if you want, but he told me straight up he tested it and TestDisk recovered the MBR. <-QUOTE}

That's a comforting confirmation. Thanks.

If that's the same returned result each time then we're really on to something finally, I think, regarding MBR/partition disruptors.

Leave it to these Windows 98/Me programs that are considered by most far outdated to still come through with flying colors.

Same thing for me with FileMapp byBB when it recorded a dropped rootkit hider file when nothing else detected it was even created, let alone residing on disk invisible. That was another Windows 98/Me app that still works like a charm on XP.

EASTER

aigle
June 17th, 2008, 10:19 PM
{QUOTE->
Where are we up to is that it seems a malware has been able to write some entries to the registry while run under sandboxie but it is unfinished work and hasn't been tested over - will know more Monday and if verified by our group will contact tzuk.
<-QUOTE}
Any updates? I am so curious! :o

Meriadoc
June 19th, 2008, 10:30 PM
Be patient my friend.:)

aigle
June 20th, 2008, 10:30 AM
How long dear? ;D

testerazzi
June 25th, 2008, 11:32 AM
Any news?

Pedro
June 25th, 2008, 12:08 PM
Yes, use a Limited user account and block executables.
Or as Mrk says, don't double click malware.

Meriadoc
July 1st, 2008, 08:14 PM
ping aigle
PMed

soccerfan
July 1st, 2008, 10:11 PM
{QUOTE-> ping aigle
PMed <-QUOTE}
If this is not about sandboxie, my apologies.
If it is about sandboxie, why the secrecy? why not make it public?
If not make it public, have you informed the developer (tzuk)?
To repeat, if this is not about sandboxie, my apologies.

soccerfan

dw426
July 1st, 2008, 10:25 PM
{QUOTE-> If this is not about sandboxie, my apologies.
If it is about sandboxie, why the secrecy? why not make it public?
If not make it public, have you informed the developer (tzuk)?
To repeat, if this is not about sandboxie, my apologies.

soccerfan <-QUOTE}

I don't think it was about SandboxIE, it seems to be the only app that managed to NOT get fooled if I'm following the thread correctly.

HURST
July 1st, 2008, 10:43 PM
@dw426
Meriadoc told earlier on this thread that he found a malware sample that escaped the sandbox.
Maybe it was related with that.

@Meriadoc:
If it's about SBIE, we all want to know ;D

aigle
July 2nd, 2008, 02:00 AM
{QUOTE-> ping aigle
PMed <-QUOTE}

Thanks. Please empty your PM box as I can't send you a PM. I do have it, BTW.

Franklin
July 2nd, 2008, 02:12 AM
Wouldn't mind this exploit if someone could PM me please.

Was this exploit picked up in the wild or deliberately created to bypass Sandboxie?

HURST
July 2nd, 2008, 02:12 AM
@aigle
I think you intended to quote Meriadoc, not me. Am I right?

Doodler
July 2nd, 2008, 09:57 AM
I'm finding the ambiguity in some of these recent posts very confusing.

1. Has malware been identified that escapes Sandboxie's containment? Yes or No?

2. If so, then has someone contacted tzuk at Sandboxie? Yes or No?

Perhaps the personal messages are to mitigate possible widespread damage caused by the malware if, in fact, it is escaping Sandboxie. But it would be good for all of us if we had clarity to the above two questions.

Peter2150
July 2nd, 2008, 10:18 AM
{QUOTE-> I'm finding the ambiguity in some of these recent posts very confusing.

1. Has malware been identified that escapes Sandboxie's containment? Yes or No?

2. If so, then has someone contacted tzuk at Sandboxie? Yes or No?

Perhaps the personal messages are to mitigate possible widespread damage caused by the malware if, in fact, it is escaping Sandboxie. But it would be good for all of us if we had clarity to the above two questions. <-QUOTE}

I would check the Sandboxie forum, but I believe the answer to 1) is no. And if there was Tzuk would be aware by now.

Pete

aigle
July 2nd, 2008, 11:01 AM
{QUOTE-> @aigle
I think you intended to quote Meriadoc, not me. Am I right? <-QUOTE}
You are right. I slipped. ;D Corrected now.

Thanks

testerazzi
July 2nd, 2008, 11:04 AM
Interesting

I would like to try this

Meriadoc
July 2nd, 2008, 11:25 AM
Please, patience, no more requests yet please - I haven't even heard from tzuk.

Because of my work commitments I have not had the time to even reverse anything. *I may even have something wrong with my install.* In a VM I had a BSOD and I've not had the time for a fresh install, so have a little patience and I will post later on, hopefully after I've had contact with tzuk.

testerazzi
July 2nd, 2008, 12:40 PM
OK,

Thanks!

sec15
July 20th, 2008, 08:20 PM
can you send me the download link of cs.exe?

thanks

Bubba
July 20th, 2008, 08:45 PM
{QUOTE-> can you send me the download link of cs.exe? <-QUOTE}
sec15,

We do not permit sharing of malware privately or publicly.