Wilders Security Forums  

  #176  
Old March 9th, 2013, 08:30 AM
aladdin
Very Frequent Poster
Join Date: Jan 2006
Location: Oman
Posts: 2,276
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Quote:
Originally Posted by Cutting_Edgetech
That's a lot of functionality for an application with a 1mb installer!
Toolwiz Time Machine has the same functionality and footprint.

Best regards,
__________________
aladdin™
Samsung Galaxy Note II, Samsung Galaxy S3, Google Nexus 10 and Google Nexus 7
  #177  
Old March 9th, 2013, 08:45 AM
ViVek
Frequent Poster
Join Date: Aug 2008
Location: Moon
Posts: 530
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Diskshot@Home 3.7.970 vs 5 MBR/VBR Rootkits
-http://www.youtube.com/watch?v=N-Cku8V4TiQ&feature=player_embedded-
  #178  
Old March 9th, 2013, 12:31 PM
bo elam
Very Frequent Poster
Join Date: Jun 2010
Posts: 1,041
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Quote:
Originally Posted by Cutting_Edgetech
Good luck with that! Korean would take a long time to learn! Good luck with that! It's going to take a lot of time to learn Korean!
Hey, hey, you seem Hispanic writing Spanish, congratulations, greetings from Central America.

I think an English translation of the program would be enough for most people; it would be nice if they put one out in the near future.

Bo
  #179  
Old March 9th, 2013, 01:21 PM
Wendi
Frequent Poster
Join Date: Aug 2008
Location: NY, USA
Posts: 336
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Quote:
Originally Posted by ViVek
Diskshot@Home 3.7.970 vs 5 MBR/VBR Rootkits
-http://www.youtube.com/watch?v=N-Cku8V4TiQ&feature=player_embedded-
So it appears that Diskshot is no better than SD (re infections)!!! ...and so much for all of Diskshot's 'fanfare'.

ViVek, thanks very much for the link to the test.

Wendi
__________________
Realtime Protection: Windows 7 Firewall, Avast AV, Sandboxie (for IE)
On-Demand Protection: Shadow Defender, Malwarebytes Anti-Malware

Last edited by Wendi : March 9th, 2013 at 01:31 PM.
  #180  
Old March 9th, 2013, 03:20 PM
Cruise
Frequent Poster
Join Date: Jun 2010
Location: USA
Posts: 489
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Quote:
Originally Posted by ViVek
Diskshot@Home 3.7.970 vs 5 MBR/VBR Rootkits
-http://www.youtube.com/watch?v=N-Cku8V4TiQ&feature=player_embedded-
Wow, that dude (testzabezpieczenpc) is exposing just about everything out there! Anyone know of an app that can translate Youtube videos 'on the fly' (from Polish to English)?

Cruise
__________________
Forever searching ....but I may have finally found what I've been looking for in AX64TM!
  #181  
Old March 9th, 2013, 03:29 PM
Arcanez
Frequent Poster
Join Date: Oct 2011
Posts: 278
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Why translate anything from those videos? He's not even talking; there's just music in the background, and everything important that you need to know is highlighted in green and red, which is basically "failed" or "passed"....

Also, an interesting thing is that the only malware that gets through is basically that TDL4 and Sinowal... All the tested light virtualization software scores 4/5 because either TDL4 or Sinowal got through...
__________________
AppGuard - Deep Freeze - EMET - Drive SnapShot - OpenDNS - NAT Router
  #182  
Old March 9th, 2013, 03:36 PM
Cruise
Frequent Poster
Join Date: Jun 2010
Location: USA
Posts: 489
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Quote:
Originally Posted by Arcanez
Why translate anything from those videos? He's not even talking; there's just music in the background, and everything important that you need to know is highlighted in green and red, which is basically "failed" or "passed"....
Not to 'hear' anything, but to 'read' the commentaries/messages as to what is happening and any impressions he may be sharing.

Cruise
__________________
Forever searching ....but I may have finally found what I've been looking for in AX64TM!
  #183  
Old March 9th, 2013, 04:15 PM
artoor
Infrequent Poster
Join Date: Oct 2012
Location: Poland
Posts: 44
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Quote:
Originally Posted by Cruise
Not to 'hear' anything, but to 'read' the commentaries/messages as to what is happening and any impressions he may be sharing.

Cruise
25sec: he explained that, because he doesn't know Korean, he isn't sure if he's defined everything correctly.
37sec: because DiskShot modifies the MBR, TDSSKiller shows this modification as malicious software, so he does a quick scan with GMER.
1min20sec: GMER described a modification connected with DiskShot, and obviously it is a false alarm.
1min44sec: thanks to this option, each modification on the hard drive should be undone (cancelled) after rebooting.
3min05sec: there is an infection (Sinowal) - failure.
The next attempts passed.
__________________
AppGuard / EXE Radar Pro ^ SpyShelter Firewall ^ Sandboxie ^ HitmanPro

--------------
« The greater the struggle, the more glorious the triumph. »
  #184  
Old March 9th, 2013, 09:56 PM
The Shadow
Frequent Poster
Join Date: Jan 2012
Location: USA
Posts: 581
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Quote:
Originally Posted by aladdin
Toolwiz Time Machine has the same functionality and footprint.
Unless I'm mistaken, and this wouldn't be the first time, Diskshot modifies the MBR (similar to Rollback Rx and its clones), but TTM + TTF do not.
__________________
Shadow Defender, Avast AV, Privatefirewall, and Image For Windows are 'on the job' here.
  #185  
Old March 9th, 2013, 10:22 PM
Cruise
Frequent Poster
Join Date: Jun 2010
Location: USA
Posts: 489
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Quote:
Originally Posted by artoor
25sec: he explained that, because he doesn't know Korean, he isn't sure if he's defined everything correctly.
37sec: because DiskShot modifies the MBR, TDSSKiller shows this modification as malicious software, so he does a quick scan with GMER.
1min20sec: GMER described a modification connected with DiskShot, and obviously it is a false alarm.
1min44sec: thanks to this option, each modification on the hard drive should be undone (cancelled) after rebooting.
3min05sec: there is an infection (Sinowal) - failure.
The next attempts passed.
Thanks for the help artoor!
__________________
Forever searching ....but I may have finally found what I've been looking for in AX64TM!
  #186  
Old March 10th, 2013, 04:06 AM
Cutting_Edgetech
Very Frequent Poster
Join Date: Mar 2006
Location: USA
Posts: 1,728
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Here are some rootkit results against Diskshot. This person also tested Shadow Defender against the same rootkits. My apologies if this has already been posted. -http://malwaretips.com/Thread-Diskshot-Home-3-7-970-vs-5-MBR-VBR-Rootkits.
__________________
Netgear Prosecure UTM25 | Online Armor | NOD 32 | Appguard | VoodooShield | Shadow Defender 1.1.0.325
  #187  
Old March 26th, 2013, 10:59 PM
umbrapolaris
Frequent Poster
Join Date: Feb 2011
Location: Nha Trang, Vietnam
Posts: 384
Re: Introducing Diskshot™ - an alternative to Shadow Defender

No more news about it?
__________________
Win7 Firewall |Webroot SA Complete (Beta) |ExeRadarPro | Sandboxie Free | Shadow Defender | AX64 Time Machine | Rollback RX |

My Reviews/Guides
  #188  
Old May 6th, 2013, 10:55 PM
carfal
Regular Poster
Join Date: Dec 2009
Posts: 100
Re: Introducing Diskshot™ - an alternative to Shadow Defender

I must say, the development of this project needs to slow down. I'm having trouble keeping up with all the changes.
  #189  
Old May 11th, 2013, 01:28 AM
dax123
Regular Poster
Join Date: Jul 2010
Posts: 58
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Quote:
Originally Posted by ViVek
Diskshot@Home 3.7.970 vs 5 MBR/VBR Rootkits
-http://www.youtube.com/watch?v=N-Cku8V4TiQ&feature=player_embedded-


Hello!
It's been a while since I've met you guys; I was busy doing my job.

First of all, I must say there are some misunderstandings, for the test was not based on a proper technical background.
Actually, both SD and Diskshot passed the test, and the thing TDSSKiller detects is only a leftover.

To understand this, we need to know the way the 'Sinowal' code works.
The head developer (of Diskshot) said that this malware is very 'stupid'
because the infection code runs only in ring 3, and is not technically sophisticated at all (from the point of view of rootkit infection).

There's an analysis of the rootkit Sinowal:
http://stoned-vienna.com/html/index....sis-of-sinowal

Quote:
The first thing I see is that there is no import for the CloseHandle function, which leads me to say that this is filthily written code.

...

It uses the commonly used WriteFile interface for writing the sectors onto the hard disk.

...

Sinowal is a Bootkit, which means it overwrites the Master Boot Record and later hooks and bypasses every Windows system function. So, the first thing Sinowal does for infection is to read the Master Boot Record and copy the Partition Table from it. Then it takes its own Master Boot Record, which is included in the infector binary file, and copies the new Partition Table into it. But not only the Partition Table should be preserved, also Microsoft's original Master Boot Record. For this, the infector copies the first sector of the original Master Boot Record into the last sector of the new malicious Boot Record. Then it's ready to write the new malicious Master Boot Record to disk. The functions and parts of the new malicious Master Boot Record will be discussed later.

Money is not the total, so infecting just a Master Boot Record is not enough; it's just the at-runtime infecting/hooking part but not the executive. Sinowal also copies a malicious kernel driver onto the disk, at the end of the disk, at an offset of about -10 MB from the end. This is the place where no partition is; the space is and should be reserved, and Microsoft software will never allow it to be used by any partition. These hidden 10 MB contain some Microsoft-only information and system restore information.

That's it! That is the execution of Sinowal's infector file.


According to this, Sinowal exploits some remaining sectors (that every Windows-installed HDD has to have) and locates its main code at the end of the HDD, like the TDLFS filesystem.
Basically, Diskshot and Shadow Defender only prevent the system drive (and MBR) from modification, so any remaining partition is left behind.
To describe the problem, let me show this picture...

[Attached image: sample.gif]


So, like a gun without a trigger, the remaining code (at the end of the HDD) will never be executed.
But TDSSKiller detects the (neutralised) remains and warns the user.
He (who tested this software) didn't know that fact and just relied on what TDSSKiller says, so he could say there were failures.

Above all, your system is still safe while you are using SD / Diskshot.
If you want to erase the remains, you could use TDSSKiller, BCWipe or CCleaner, etc.

PS: The developer told me that, to get around the misunderstandings shown above, Diskshot will apply a whitelist protection mechanism as of DS@Home 3.8
(which prevents any modification of the entire HDD's partitions except specified ones).
And DS@home could get some AV engine (especially for password-stealing trojans / sophisticated rootkits), trying to prevent online system infection (like Returnil).

Have a nice day!
__________________
Windows 95, no security updates, no AV, no firewall. works just as i expected.
Light virtualization software / Partial sandbox test : the truth about rollback software

Last edited by dax123 : May 11th, 2013 at 01:38 AM.
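The scope gap described in the post above (the MBR and system partition are protected while the unpartitioned tail of the disk is not) is something a defender can check for directly. The script below is an added example for this thread, not code from the thread, from Diskshot or from Shadow Defender: it parses the MBR partition table of a raw disk image, compares the bootstrap code against a known-good hash, and reports any non-zero sectors lying past the last partition, which is where the quoted analysis says Sinowal stores its driver. The disk images, the baseline hash and the payload bytes are all constructed inline, so it runs offline against nothing real.

```python
"""Audit a raw disk image for changes outside the region a light-virtualization
tool protects: the MBR bootstrap code is compared with a known-good hash, and
the unpartitioned space after the last partition is scanned for non-zero sectors.

Added example for this thread; every disk image below is constructed, not taken
from a real system."""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446  # MBR bootstrap area; the partition table starts at offset 446


def parse_mbr(mbr: bytes):
    """Return (bootcode, partitions) for a 512-byte MBR.

    partitions is a list of (type, start_lba, sector_count) for used entries."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    partitions = []
    for i in range(4):
        entry = mbr[BOOTCODE_LEN + 16 * i: BOOTCODE_LEN + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            partitions.append((ptype, start_lba, count))
    return mbr[:BOOTCODE_LEN], partitions


def unpartitioned_tail(disk: bytes, partitions):
    """Byte range [start, end) from the end of the last partition to the end of the disk."""
    total_sectors = len(disk) // SECTOR
    last_end_lba = max((s + c for _, s, c in partitions), default=1)
    return last_end_lba * SECTOR, total_sectors * SECTOR


def nonzero_sectors(disk: bytes, start: int, end: int):
    """LBAs of sectors in [start, end) that hold any non-zero byte."""
    return [off // SECTOR for off in range(start, end, SECTOR) if any(disk[off:off + SECTOR])]


def audit(disk: bytes, baseline_bootcode_sha256: str):
    """Return a list of findings; an empty list means MBR and tail look untouched."""
    bootcode, partitions = parse_mbr(disk[:SECTOR])
    findings = []
    if hashlib.sha256(bootcode).hexdigest() != baseline_bootcode_sha256:
        findings.append("mbr_bootcode_changed")
    start, end = unpartitioned_tail(disk, partitions)
    hits = nonzero_sectors(disk, start, end)
    if hits:
        findings.append(f"data_in_unpartitioned_tail:{len(hits)}_sectors")
    return findings


def build_disk(total_sectors: int, part_start: int, part_count: int,
               bootcode: bytes, tail_payload: bytes = b"") -> bytes:
    """Construct a toy image: one active partition of type 0x07 and an optional
    payload written a few sectors before the end of the disk (constructed data)."""
    assert len(bootcode) == BOOTCODE_LEN
    mbr = bytearray(SECTOR)
    mbr[:BOOTCODE_LEN] = bootcode
    # status 0x80 (active), CHS fields zeroed, type 0x07, then LBA start and count
    mbr[BOOTCODE_LEN:BOOTCODE_LEN + 16] = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
                                           + struct.pack("<II", part_start, part_count))
    mbr[510:512] = b"\x55\xaa"
    disk = bytearray(total_sectors * SECTOR)
    disk[:SECTOR] = mbr
    if tail_payload:
        off = (total_sectors - 4) * SECTOR
        assert off >= (part_start + part_count) * SECTOR, "payload must lie past the partition"
        disk[off:off + len(tail_payload)] = tail_payload
    return bytes(disk)


# Constructed "known-good" bootstrap code and its baseline hash; on a real machine
# the baseline would be taken while the system is known to be clean.
CLEAN_BOOTCODE = b"constructed clean bootstrap".ljust(BOOTCODE_LEN, b"\x90")
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()
PAYLOAD = b"\xcc" * 1024  # constructed stand-in for a driver dropped in the tail


if __name__ == "__main__":
    clean = build_disk(64, 1, 50, CLEAN_BOOTCODE)
    # MBR reverted by the virtualization layer, tail left behind: the "leftover" case
    leftover = build_disk(64, 1, 50, CLEAN_BOOTCODE, tail_payload=PAYLOAD)
    # Nothing reverted: both MBR and tail modified
    infected = build_disk(64, 1, 50, b"\xeb\xfe".ljust(BOOTCODE_LEN, b"\x00"),
                          tail_payload=PAYLOAD)
    for name, img in [("clean", clean), ("leftover", leftover), ("infected", infected)]:
        print(name, audit(img, BASELINE_SHA256) or "no findings")
```

The "leftover" image reproduces the situation the post describes: the bootstrap code matches the baseline, so the virtualization layer has done its job, but the tail still carries bytes beyond the last partition, which is exactly the kind of residue a scanner reports. Whether that residue is harmless depends on the MBR and VBR being clean, so the two checks belong together rather than in isolation.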
  #190  
Old May 11th, 2013, 02:39 AM
umbrapolaris
Frequent Poster
Join Date: Feb 2011
Location: Nha Trang, Vietnam
Posts: 384
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Anyway, no English version = useless.
__________________
Win7 Firewall |Webroot SA Complete (Beta) |ExeRadarPro | Sandboxie Free | Shadow Defender | AX64 Time Machine | Rollback RX |

My Reviews/Guides
  #191  
Old May 11th, 2013, 03:10 AM
dax123
Regular Poster
Join Date: Jul 2010
Posts: 58
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Quote:
Originally Posted by umbrapolaris
Anyway, no English version = useless.

For translation issues, it will definitely be multilingual once the software is prepared for international purposes... they are just hesitating...
__________________
Windows 95, no security updates, no AV, no firewall. works just as i expected.
Light virtualization software / Partial sandbox test : the truth about rollback software
  #192  
Old May 11th, 2013, 03:19 AM
umbrapolaris
Frequent Poster
Join Date: Feb 2011
Location: Nha Trang, Vietnam
Posts: 384
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Quote:
Originally Posted by dax123
For translation issues, it will definitely be multilingual once the software is prepared for international purposes... they are just hesitating...

Hesitating to get more market share... strange business behavior...
__________________
Win7 Firewall |Webroot SA Complete (Beta) |ExeRadarPro | Sandboxie Free | Shadow Defender | AX64 Time Machine | Rollback RX |

My Reviews/Guides
  #193  
Old May 11th, 2013, 03:26 AM
dax123
Regular Poster
Join Date: Jul 2010
Posts: 58
Re: Introducing Diskshot™ - an alternative to Shadow Defender

Quote:
Originally Posted by umbrapolaris
Hesitating to get more market share... strange business behavior...

Well... once it goes international, they need to employ an international customer support team, a translation team, etc... maybe it needs a lot of money...
Though DS@home is free for personal use, they are a commercial company, and it's already prospering in South Korea.
(South Korea has so many internet cafes, and many of them use Diskshot.)

going to give you the lifetime license before the international version is launched.
__________________
Windows 95, no security updates, no AV, no firewall. works just as i expected.
Light virtualization software / Partial sandbox test : the truth about rollback software