Interesting malware / DDoS worm testing?
aigle
July 20th, 2009, 02:06 AM
http://blog.fireeye.com/research/2009/07/ddos-madness-climax.html
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.EB&VSect=T
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090710
It seems very interesting. It attacks the MBR and destroys it, and also encrypts your data so that you can't access it (ransomware type?). I would love to test it against:
CIS
GesWall
DefenceWall
ThreatFire etc
Also it may be a good challenge for IRS like Eaz-Fix, Returnil, SD etc
What do you guys think? I have grabbed the sample already. :P :P
firzen771
July 20th, 2009, 06:52 AM
Test out Rollback Rx against it, I'm curious to see how it fares. :)
MagisDing
July 20th, 2009, 08:03 AM
-{ Quote: "http://blog.fireeye.com/research/2009/07/ddos-madness-climax.html
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.EB&VSect=T
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090710
It seems very interesting. It attacks the MBR and destroys it, and also encrypts your data so that you can't access it (ransomware type?). I would love to test it against:
CIS
GesWall
DefenceWall
ThreatFire etc
Also it may be a good challenge for IRS like Eaz-Fix, Returnil, SD etc
What do you guys think? I have grabbed the sample already. :P :P" }-
Why not attach the sample as an attachment? ;D Can't wait for the results against DW and GW~ :thumb:
Peter2150
July 20th, 2009, 08:22 AM
-{ Quote: "Why not attach the sample as an attachment? ;D Can't wait for the results against DW and GW~ :thumb:" }-
Because it would be deleted here, that's why.
Pete
aigle
July 20th, 2009, 09:55 AM
I can't do any testing on request as I have no VM, which is necessary due to the very nature of this malware.
StevieO
July 20th, 2009, 05:28 PM
aigle
Yeah saw those links, bad karma !
When I get back to my XP PC, hopefully later on this week or next, I might test it on Returnil. That is, if they can fix the Restore Points issue. At the moment it only appears to pertain to Vista, I never had probs on XP, but I'd rather wait and be sure!
Anyways, if you and others test it on various Apps in the meantime, that could be very revealing.
trjam
July 20th, 2009, 05:31 PM
aigle, can you do me a personal favor and try it with Prevx 3.0 please. Thank you.
Peter2150
July 20th, 2009, 06:02 PM
I tested as follows:
First I didn't check the encryption part, but it wipes out the disk that's for sure.
Shadowdefender. Protects the system just fine.
Malware Defender. Protects if you know to block it from either running or block direct disk access.
Sandboxie. But of course the system is protected just fine.
Online Armor++
1) Detects it as malware
2) Protects system if you block it as in MalwareDefender.
3) Protects the system if you allow everything, but use RunSafe.
Pete
Edit: Just reran it and saw no evidence of encrypted files. Doesn't make much sense to encrypt stuff if you are going to destroy the disk, I guess.
Peter2150
July 20th, 2009, 06:43 PM
Guys,
Regretfully I can't test against anything else. Partly it's time, partly, getting trials that will still run. Very time consuming.
Pete
trjam
July 20th, 2009, 06:46 PM
How about for $25.00? ;)
Franklin
July 20th, 2009, 11:06 PM
Thanks for testing Peter2150. :thumb:
jmonge
July 21st, 2009, 12:28 AM
Peter, many thanks for testing Malware Defender :thumb:
aigle
July 21st, 2009, 02:23 AM
OK, I have analyzed the worm a bit. Very interesting indeed. It does two actions mainly.
1- Destroys MBR
2- Encrypts data files (txt, xml, doc, zip etc) so you lose your data
Tested GesWall, SBIE and partially CFP
SBIE- Pass
GesWall- Pass
CFP- MBR access intercepted (I did not test whether it can block it effectively or not, but I think it will pass here)
Data file encryption will be intercepted if you add data files (txt, doc, zip etc) to your protected files (it's not feasible, though, in day-to-day use of your system) or put your data files in a confidential folder (with custom rules for this folder). Again, I did not test it completely and did not test whether it can block it effectively or not, but I guess it can. Maybe I can test it later. It needs time that I lack.
aigle
July 21st, 2009, 02:24 AM
CFP intercepting the worm's actions.
aigle
July 21st, 2009, 02:27 AM
GesWall intercepting malicious actions.
Meriadoc
July 21st, 2009, 02:44 AM
-{ Quote: "
1- Destroys MBR
2- Encrypts data files (txt, xml, doc, zip etc) so you lose your data" }-
I don't understand this - I must be missing something (?)
Kees1958
July 21st, 2009, 05:28 AM
Come to think of it, me neither :)
Destroying the MBR makes it impossible to access data on the OS partition; does it encrypt files on other partitions?
Cheers Kees
rdsu
July 21st, 2009, 07:19 AM
Can you test if OnlineArmor RunSafer feature pass this?
aigle
July 21st, 2009, 08:02 AM
-{ Quote: "Come to think of it, me neither :)
Destroying the MBR makes it impossible to access data on the OS partition; does it encrypt files on other partitions?
Cheers Kees" }-
http://blog.fireeye.com/research/2009/07/ddos-madness-climax.html
Read this. Yes, it does encrypt data on other partitions as well.
Even if the MBR is destroyed you can read your data by booting from other media. But after this encryption, it's not possible.
Dark Star 72
July 21st, 2009, 08:30 AM
@ rdsu, from Pete's post #9 above - a good reason to have 'Run Safer unknown programs by default' turned on.
Note point 3) - even if you allow it, Run Safer stops it doing anything.
-{ Quote: "I tested as follows:
Online Armor++
1) Detects it as malware
2) Protects system if you block it as in MalwareDefender.
3) Protects the system if you allow everything, but use RunSafe.
Pete" }-
MagisDing
July 21st, 2009, 10:05 AM
-{ Quote: "http://blog.fireeye.com/research/2009/07/ddos-madness-climax.html
Read this. Yes, it does encrypt data on other partitions as well.
Even if the MBR is destroyed you can read your data by booting from other media. But after this encryption, it's not possible." }-
Some Chinese safety enthusiasts have tested this POC using MD and EQS; they posted the blocking log, which indicated the primary behaviors:
1. attacks the MBR, runs conime.exe
2. changes the .txt, .xml, .doc, .zip, .asp files (all the text files that are not 0 bytes and some compressed files) into encrypted .gz files
3. deletes the original file itself
So the key to interception:
1. protect the MBR, watch out for any access to the disk by strange executables;
2. protect overall important files if possible.
BTW: this executable can't run as expected in Win7
aigle
July 21st, 2009, 11:08 AM
Thanks for confirming.
Retadpuss
July 21st, 2009, 03:32 PM
Prevx and Hitman Pro get this with no problem.
Puss
raven211
July 21st, 2009, 03:35 PM
-{ Quote: "Prevx and Hitman Pro get this with no problem.
Puss" }-
Great, but what if they didn't - and what about some future threat? Could happen to any AM product. That's why I've finally begun to use GeSWall myself to at least sandbox my browser. So far there have just been some hitches, but I know that I'm MUCH more secure - simply because everything is isolated. Just about two clicks directly and I'm running an installation that I trust without isolation - it's that simple.
aigle
July 21st, 2009, 04:41 PM
Ok, some more details.
CFP- Stops it altogether.
It protects MBR if you deny direct disk access. It also protects data files if there are appropriate rules and you deny access to those files.
Returnil- failed and the system became unbootable.
Eaz-Fix- passed. Only current snapshot was lost.
Threatfire- Protects MBR and system but data files lost without any alerts.
jmonge
July 21st, 2009, 04:53 PM
-{ Quote: "Ok, some more details.
CFP- Stops it altogether.
It protects MBR if you deny direct disk access. It also protects data files if there are appropriate rules and you deny access to those files.
Returnil- failed and the system became unbootable.
Eaz-Fix- passed. Only current snapshot was lost.
Threatfire- Protects MBR and system but data files lost without any alerts." }-
Wooo, but ThreatFire has outbound-like protection for protecting the network, and maybe file theft isn't covered?
mvdu
July 21st, 2009, 05:18 PM
Can Online Armor (without AV part) stop it without Run Safer?
danny9
July 21st, 2009, 06:19 PM
-{ Quote: "Guy's
Regretfully I can't test against anything else. Partly it's time, partly, getting trials that will still run. Very time consuming.
Pete" }-
Thanks for what you do here Pete, as well as the other posters here who test these nasties.
It's terrific that we have people like you that will do this.
To all testers-- Thank You! ;D :thumb:
CogitoErgoSum
July 21st, 2009, 06:31 PM
For those who are interested,
I can personally confirm that DefenseWall v2.56 successfully contains the malware sample in question under Vista 32 SP2.
Peace & Gratitude,
CogitoErgoSum
Page42
July 21st, 2009, 06:36 PM
-{ Quote: "To all testers-- Thank You! ;D :thumb:" }-
I agree and extend my appreciation as well! :)
aigle
July 21st, 2009, 06:41 PM
-{ Quote: "For those who are interested,
I can personally confirm that DefenseWall v2.56 successfully contains the malware sample in question under Vista 32 SP2.
Peace & Gratitude,
CogitoErgoSum" }-
Thanks. Was expecting so.
trjam
July 21st, 2009, 07:21 PM
-{ Quote: "Prevx and Hitman Pro get this with no problem.
Puss" }-
Kudos Prevx:thumb:
Peter2150
July 21st, 2009, 08:06 PM
-{ Quote: "Can Online Armor (without AV part) stop it without Run Safer?" }-
Absolutely, assuming you answer the pop-ups correctly. If you deny direct disk access, the show's over for the malware.
Pete
aigle
July 21st, 2009, 09:39 PM
-{ Quote: "For those who are interested,
I can personally confirm that DefenseWall v2.56 successfully contains the malware sample in question under Vista 32 SP2.
Peace & Gratitude,
CogitoErgoSum" }-
Hi, sorry for the same question. Does this worm work under Vista?
CogitoErgoSum
July 21st, 2009, 10:11 PM
-{ Quote: "Hi, sorry for the same question. Does this worm work under Vista?" }-
Yes.
Peace & Gratitude,
CogitoErgoSum
Toby75
July 21st, 2009, 10:51 PM
Hesitant to test Outpost because I don't think it offers file protection. Maybe someone can tell me otherwise? I know it will protect MBR via direct disk access.
aigle
July 21st, 2009, 10:51 PM
BTW I must say thanks to Rmus for pointing out this malware for testing and also to Stefan (from Avira) for providing me with the sample. So many thanks to both of them.
For the users who requested testing, I apologize. I have no VM and have loaded a fresh complete system image just now. I will not be able to test on request as it needs a lot of time that I don't have at the moment.
jmonge
July 22nd, 2009, 01:07 AM
-{ Quote: "For those who are interested,
I can personally confirm that DefenseWall v2.56 successfully contains the malware sample in question under Vista 32 SP2.
Peace & Gratitude,
CogitoErgoSum" }-
Thanks Cogito, very nice that someone tested my beloved DefenseWall
Retadpuss
July 22nd, 2009, 06:38 AM
-{ Quote: "Hesitant to test Outpost because I don't think it offers file protection. Maybe someone can tell me otherwise? I know it will protect MBR via direct disk access." }-
I would advise everyone to be very careful playing about with this and any other malware.
Worms are a nightmare. Running tests under Returnil and similar light virtualisation is not advised as they won't prevent it working, and many worms are VM aware and/or won't yield realistic results in full virtual environments.
You have been warned.
Puss
trjam
July 22nd, 2009, 06:41 AM
very good point puss, very good point.
raven211
July 22nd, 2009, 07:04 AM
-{ Quote: "I would advise everyone to be very careful playing about with this and any other malware.
Worms are a nightmare. Running tests under Returnil and similar light virtualisation is not advised as they won't prevent it working, and many worms are VM aware and/or won't yield realistic results in full virtual environments.
You have been warned.
Puss" }-
What would happen if a user downloaded this kind of virus through their web-browser while running software like SBIE, DW or GeSWall in their respective default settings? Penetrated or not?
Retadpuss
July 22nd, 2009, 07:17 AM
-{ Quote: "What would happen if a user downloaded this kind of virus through their web-browser while running software like SBIE, DW or GeSWall in their respective default settings? Penetrated or not?" }-
I use Sandboxie usually and have found it to be very robust and secure with IE for normal browsing - can't think of any times when it's been compromised.
This is not to say it is safe to purposefully experiment with sandboxed malware. I guess most members here have their home PC with all their security apps on, along with all their personal files, photos, work etc - it is not wise to play with malware under any circumstances on your home PC - not worth the risk, it's all too easy to get infected / lose your data / spread malware.
As for DW / GeSWall - I have not used them so can't comment.
Puss
raven211
July 22nd, 2009, 07:33 AM
-{ Quote: "OK, I have analyzed the worm a bit. Very interesting indeed. It does two actions mainly.
1- Destroys MBR
2- Encrypts data files (txt, xml, doc, zip etc) so you lose your data
Tested GesWall, SBIE and partially CFP
GesWall- Pass
" }-
Hi, aigle! Was wondering if you're running GeSWall with any modifications to its defaults, e.g. new/modified/deleted rules and such - when it successfully blocked this malware's actions? Thanks! :)
aigle
July 22nd, 2009, 08:26 AM
There are some additional rules but default settings will stop the worm without any issues.
aigle
July 22nd, 2009, 08:27 AM
-{ Quote: "What would happen if a user downloaded this kind of virus through their web-browser while running software like SBIE, DW or GeSWall in their respective default settings? Penetrated or not?" }-
Of course not.
Toby75
July 22nd, 2009, 08:37 AM
-{ Quote: "
You have been warned.
Puss" }-
No need to be warned. I'm on a test machine...could care less what happens to it...just don't want to go through the trouble of recovering from this and having to install a fresh copy of Win.
I remember when Gromozon first came out and I purposely ran it. What a nightmare.
Wait a minute...that wasn't a nightmare...that was damn fun. :P
raven211
July 22nd, 2009, 09:01 AM
-{ Quote: "There are some additional rules but default settings will stop the worm without any issues." }-
Aha! Now you made me curious. ;D - What rules? ;D Don't worry, I simply just wanna learn more - that's what I always do in this hobby. :D
raven211
July 22nd, 2009, 09:01 AM
-{ Quote: "No need to be warned. I'm on a test machine...could care less what happens to it...just don't want to go through the trouble of recovering from this and having to install a fresh copy of Win.
I remember when Gromozon first came out and I purposely ran it. What a nightmare.
Wait a minute...that wasn't a nightmare...that was damn fun. :P" }-
Haha, that comment made me laugh. ;D
Peter2150
July 22nd, 2009, 09:02 AM
The warning posted should really be heeded. Don't play with this stuff unless you fully understand what you are doing.
Some of these worms, when they do the number on your hard drive, even make restoring an image impossible unless you know what to do.
So if you are reading this thread, and think it would be cool to try, DON'T.
Pete
raven211
July 22nd, 2009, 09:05 AM
-{ Quote: "The warning posted should really be heeded. Don't play with this stuff unless you fully understand what you are doing.
Some of these worms, when they do the number on your hard drive, even make restoring an image impossible unless you know what to do.
So if you are reading this thread, and think it would be cool to try, DON'T.
Pete" }-
Thanks Pete - I respect your warning and obviously the original one from Puss as well. On another note I never do this kind of dangerous testing. I only try to stay secure. ;)
Keyboard_Commando
July 22nd, 2009, 10:06 AM
-{ Quote: "Plan A1: Junk overwrite the 1st 1 MB of each physical drive on the system.
Although the execution of Plan A and B should be enough to damage the infected system, the code repeats Plan A1. It's kind of like shooting a dead body. But there is good news as well, wmcfg.exe has a dependency over VS 2005 run time libraries like msvcr90.dll. These libraries do not come by default with the Windows installation but might be installed by third party applications. The absence of these libraries will fail the execution of wmcfg and hence mstimer.dll and the killer component." }-
I wonder if anyone tried with those runtime files onboard.
Reassuring to see something I use passed safely :P Thanks testers.
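An added defensive example (my own code, not from this thread, FireEye or any product named here), tying MagisDing's first interception point, protecting the MBR, to the quoted write-up's junk overwrite of the first 1 MB of each drive: record a SHA-256 of the first megabyte of a known-good disk or image, and later re-read it, check the MBR sector's structure and compare against the baseline. The device paths in the comments are assumptions; a disk image file works the same way.

```python
"""Baseline-and-verify check for the first megabyte of a disk or disk image.
Added example: a defender records a SHA-256 of the first 1 MB while the system
is known-good, then later re-checks the MBR structure and the hash.
"""
import hashlib
import json
import struct
import sys

SECTOR = 512
PT_OFFSET = 446            # partition table: four 16-byte entries
BOOT_SIG = b"\x55\xaa"     # MBR signature at bytes 510..511
HEAD_SIZE = 1024 * 1024    # first 1 MB, the region the quoted write-up says is junk-overwritten


def mbr_problems(mbr: bytes) -> list:
    """Structural checks on one 512-byte MBR sector; empty list means it looks sane."""
    if len(mbr) < SECTOR:
        return ["short read: %d bytes" % len(mbr)]
    problems = []
    if mbr[510:512] != BOOT_SIG:
        problems.append("boot signature 0x55AA missing")
    active = 0
    for i in range(4):
        entry = mbr[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        _lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80):     # only "inactive" and "bootable" are valid
            problems.append("entry %d: invalid status byte 0x%02x" % (i, status))
        elif status == 0x80:
            active += 1
        if ptype != 0 and sectors == 0:
            problems.append("entry %d: type 0x%02x with zero length" % (i, ptype))
    if active > 1:
        problems.append("more than one active partition")
    return problems


def head_digest(head: bytes) -> str:
    return hashlib.sha256(head).hexdigest()


def check_head(head: bytes, expected_digest: str) -> dict:
    """Pure check: MBR structure plus hash comparison of the first 1 MB."""
    problems = mbr_problems(head[:SECTOR])
    if head_digest(head) != expected_digest:
        problems.append("first 1 MB differs from baseline")
    return {"ok": not problems, "problems": problems}


def read_head(path: str) -> bytes:
    # path is a raw device (assumed: \\.\PhysicalDrive0 on Windows, /dev/sda on Linux) or an image file
    with open(path, "rb") as f:
        return f.read(HEAD_SIZE)


def record_baseline(disk_path: str, baseline_path: str) -> str:
    digest = head_digest(read_head(disk_path))
    with open(baseline_path, "w") as f:
        json.dump({"sha256_first_mb": digest}, f)
    return digest


def verify(disk_path: str, baseline_path: str) -> dict:
    with open(baseline_path) as f:
        expected = json.load(f)["sha256_first_mb"]
    return check_head(read_head(disk_path), expected)


def build_sample_mbr() -> bytes:
    """Constructed known-good MBR: zeroed boot code, one active type-0x07 partition."""
    mbr = bytearray(SECTOR)
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    struct.pack_into("<B3sB3sII", mbr, PT_OFFSET, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


if __name__ == "__main__":
    # usage: mbrcheck.py baseline|verify <device-or-image> <baseline.json>
    mode, disk, base = sys.argv[1:4]
    if mode == "baseline":
        print("recorded", record_baseline(disk, base))
    else:
        print(json.dumps(verify(disk, base), indent=2))
```

Run the baseline step from a clean boot and keep the JSON off the protected disk; the verify step is what a rescue-media check after a suspected infection would run.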
aigle
July 22nd, 2009, 10:15 AM
-{ Quote: "Aha! Now you made me curious. ;D - What rules? ;D Don't worry, I simply just wanna learn more - that's what I always do in this hobby. :D" }-
I have added some global rules so that no isolated application is allowed to write to non-OS partitions.
In the past I also added rules that anything executing from a non-OS partition will be isolated. Also defined a confidential folder for data. Used a rule to stop internet access for all isolated applications with allow rules for browsers etc (but this feature is a little buggy at the moment and needs a fix).
raven211
July 22nd, 2009, 10:20 AM
-{ Quote: "I have added some global rules so that no isolated application is allowed to write to non-OS partitions.
In the past I also added rules that anything executing from a non-OS partition will be isolated. Also defined a confidential folder for data. Used a rule to stop internet access for all isolated applications with allow rules for browsers etc (but this feature is a little buggy at the moment and needs a fix)." }-
Isolated applications indeed seem unable to write to any locations that are not specified as excluded (by yourself), and if they indeed are, the objects that come through an isolated application will be isolated in their turn - I got this result proven when the directory on my file-drive where I tried to save my bookmarks wasn't excluded.
Or did you mean something different? :)
MagisDing
July 22nd, 2009, 10:21 AM
-{ Quote: "I have added some global rules so that no isolated application is allowed to write to non-OS partitions.
In the past I also added rules that anything executing from a non-OS partition will be isolated. Also defined a confidential folder for data. Used a rule to stop internet access for all isolated applications with allow rules for browsers etc (but this feature is a little buggy at the moment and needs a fix)." }-
Being quite interested in the extra global rules;)
aigle
July 22nd, 2009, 10:25 AM
Isolated applications are allowed to write and create files anywhere (except some critical areas like the system32 folder, startup folders and registry etc) unless specified. But files created by isolated applications will remain marked as untrusted. This is the default behavior of GesWall.
raven211
July 22nd, 2009, 10:32 AM
-{ Quote: "Isolated applications are allowed to write and create files anywhere (except some critical areas like the system32 folder, startup folders and registry etc) unless specified. But files created by isolated applications will remain marked as untrusted. This is the default behavior of GesWall." }-
Understood... wonder what's up with the directory on my file-drive. ;D Anyways, since it's better to install trusted software non-isolated (or do you often not do that or need to?), wouldn't a global-rule to write anywhere - except for the exclusions - be in place for security, or would that create lots and lots of trouble? Please shed some light. ;D ::)
EDIT: Thinking about it... without any custom rules from me in-place, the bookmark file would not be written to my file-drive (not even the system-drive), unless specifically excluding the appropriate directory.
developers
July 22nd, 2009, 04:00 PM
I have tested this malware with Shadow Defender, Returnil 2008, Returnil 2010 beta, and Deep Freeze.
Results:
Shadow Defender can restore the MBR after reboot, but it hasn't blocked the malware from modifying the MBR during shadow mode
Returnil 2008 has been bypassed
Returnil 2010 beta also protected the MBR during shadow mode
Deep Freeze also protected the MBR during shadow mode
Bootloader before (http://www.pctunerup.com/up/results/_200907/20090722215300_myd1.jpg)
Bootloader after (http://www.pctunerup.com/up/results/_200907/20090722215420_myd1-1.jpg)
Deep Freeze before (http://www.pctunerup.com/up/results/_200907/20090722215051_myd7.jpg)
Deep Freeze after (http://www.pctunerup.com/up/results/_200907/20090722215156_myd8.jpg)
aigle
July 22nd, 2009, 06:24 PM
-{ Quote: "Understood... wonder what's up with the directory on my file-drive. ;D Anyways, since it's better to install trusted software non-isolated (or do you often not do that or need to?), wouldn't a global-rule to write anywhere - except for the exclusions - be in place for security, or would that create lots and lots of trouble? Please shed some light. ;D ::)
EDIT: Thinking about it... without any custom rules from me in-place, the bookmark file would not be written to my file-drive (not even the system-drive), unless specifically excluding the appropriate directory." }-
Hi, answer to your couple of Qs.
1- About Opera bookmarks, it seems you are saving them in a non-default folder. Just make an allow rule for this folder in the Opera rules. They will still be marked isolated as this is part of GesWall's security policy.
2- All installations must be done as non-isolated( trusted).
raven211
July 22nd, 2009, 06:44 PM
-{ Quote: "Hi, answer to your couple of Qs.
1- About Opera bookmarks, it seems you are saving them in a non-default folder. Just make an allow rule for this folder in the Opera rules. They will still be marked isolated as this is part of GesWall's security policy.
2- All installations must be done as non-isolated( trusted)." }-
Okay, thanks. On the first one... I thought GW was even more non-restrictive when it comes to other drives than the system-drive. :doubt: I had an allow-rule in-place after some thinking previously, but this confuses me a little - could you please elaborate? :) Would that for example mean that, even if not on a completely different drive, if I for example create a new directory - let's say "Games" on C: (my system-drive) - will I not even be able to write to that custom-directory (from your message, that's what I understand as a non-default folder)?
To sum it up... I simply don't get this thing that you mention now. :P
aigle
July 22nd, 2009, 06:51 PM
I think we are both confused. lol
Can you tell me step by step what you mean by saving Opera bookmarks and where you save them? Spoon feeding.
aigle
July 22nd, 2009, 06:52 PM
-{ Quote: "I have tested this malware with Shadow Defender, Returnil 2008, Returnil 2010 beta, and Deep Freeze.
Results:
Shadow Defender can restore the MBR after reboot, but it hasn't blocked the malware from modifying the MBR during shadow mode
Returnil 2008 has been bypassed
Returnil 2010 beta also protected the MBR during shadow mode
Deep Freeze also protected the MBR during shadow mode
Bootloader before (http://www.pctunerup.com/up/results/_200907/20090722215300_myd1.jpg)
Bootloader after (http://www.pctunerup.com/up/results/_200907/20090722215420_myd1-1.jpg)
Deep Freeze before (http://www.pctunerup.com/up/results/_200907/20090722215051_myd7.jpg)
Deep Freeze after (http://www.pctunerup.com/up/results/_200907/20090722215156_myd8.jpg)" }-
Thanks. Very nice testing.
raven211
July 22nd, 2009, 07:00 PM
-{ Quote: "I think we are both confused. lol
Can you tell me step by step what you mean by saving Opera bookmarks and where you save them? Spoon feeding." }-
Okay, let's see... I'll try to take it step by step and then you can tell me what's happening and why. :)
1. Inside the latest stable Opera, I click File, then go down to Import and Export, then select to Export my bookmarks.
2. I browse through my system to my "file-drive" (which is an entirely different drive, and not just a partition of the very same drive even), which goes under the letter "G:".
3. I continue my browsing to a folder called "Saves", from there I go to a folder I've named "Opera" (convenient, huh? ;D).
4. Last thing is to overwrite my existing bookmark file(s). I've two in that folder - one which is the "main one", and one which I use as backup if I would accidentally overwrite with no entries or something, where I've simply added "bak" to its name to easily keep track of which is which.
5. GW being enabled during this whole process, redirects what I'm trying to do, unless I specify an allow-rule for Opera to that folder - the folder which contains my backup of my bookmarks, in the form of a "bookmark file".
Hope that was spoon feeding enough. :D
aigle
July 22nd, 2009, 07:24 PM
Ok, here we go.
GesWall with default rules. No custom rules, please.
I can save my bookmarks on a non-OS hard drive (USB). The bookmarks file opera6.adr is marked isolated, of course.
I can save bookmarks again on top of it, overwriting it.
If I mark this file as trusted, it can't be overwritten by Opera. That means I can't save bookmarks on top of it.
Am I right? In fact you need to play a bit to know.
Saraceno
July 22nd, 2009, 07:54 PM
aigle, with regards to ThreatFire, what is the extent of the data files lost?
The files in user documents encrypted/compressed? (just reading the FireEye explanation)
aigle
July 22nd, 2009, 08:25 PM
My Documents (not sure), Program Files, Windows directory etc.
It encrypted a lot of files. I did not pay much attention because I did not expect TF to give a pop-up on data file encryption, as it's in no way a malicious action. TF will protect if malware attacks system files (executables).
Saraceno
July 22nd, 2009, 08:32 PM
Thank you for the explanation. :)
raven211
July 23rd, 2009, 04:57 AM
-{ Quote: "Ok, here we go.
GesWall with default rules. No custom rules, please.
I can save my bookmarks on a non-OS hard drive (USB). The bookmarks file opera6.adr is marked isolated, of course.
I can save bookmarks again on top of it, overwriting it.
If I mark this file as trusted, it can't be overwritten by Opera. That means I can't save bookmarks on top of it.
Am I right? In fact you need to play a bit to know." }-
Okay... so it's because isolated software should not be able to modify, e.g. overwrite a file for the sake of security, but can create new since then, for example, it's still not able to say overwrite a system file?
But by default the software has for example specified allow-rules for the locations where e.g. Opera keeps its bookmarks, so that it CAN overwrite the file in its original place.
Have I understood it correctly? Do I really need to un-isolate a bookmark file for it to work? At least it doesn't seem like it. :)
Just tell me if I should use spoon feeding again. ;D
aigle
July 23rd, 2009, 05:08 AM
You are right. BTW bookmark file when saved will be marked untrusted automatically. Just leave it like that.
raven211
July 23rd, 2009, 05:12 AM
-{ Quote: "You are right. BTW bookmark file when saved will be marked untrusted automatically. Just leave it like that." }-
Understood. :) I've actually seen that the original was, since that's the first directory you see every time you export it, but I was still not completely sure for some reason. :D
Pliskin
July 30th, 2009, 11:33 AM
Can System Safety Monitor (or EQSecure 3.41 or Real Time Defender) stop this malware?
aigle
July 30th, 2009, 01:52 PM
I guess they will, just like CIS.
However, SSM I think lacks file protection, though I am not sure. Anyway, text, doc, zip etc type of file protection even by CIS is impractical.
Pliskin
July 30th, 2009, 02:46 PM
So the only practical way to protect files from being encrypted is sandboxing?
aigle
July 30th, 2009, 05:21 PM
Seems so.
Copyright ©2002 - 2012, Wilders Security Forums