Deep Freeze 7 bypassed

Discussion in 'sandboxing & virtualization' started by Buster_BSA, Jun 27, 2010.

Thread Status:
Not open for further replies.
  1. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Hi.

    I can confirm that Deep Freeze 7 is bypassed by the malware known as SafeSys.

    Some technical information about the malware can be found here:
    http://www.prevx.com/blog/134/A-puzzle-called-SafeSys.html

    I knew MebRoot malware was able to infect machines "protected" by Deep Freeze. I even got confirmation by e-mail directly from Faronics, although I already had first-hand experience of that.

    So the conclusion is that if a machine is running with admin rights, Deep Freeze 7 offers no protection at all.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    thanks for the info;)
     
    Last edited: Jun 27, 2010
  3. cruchot

    cruchot Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    126
    Location:
    Germany
    Yes, thanks for the info Buster.
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    So what do Faronics say on the matter (not the contents of the email, just the essence)? Are they going to fix the issue, etc.?

    It went something like this
    https://www.wilderssecurity.com/showthread.php?t=247937
     
    Last edited: Jun 27, 2010
  5. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    I'm frozen now with Deep Freeze 7, good thing I found this thread. But I have DefenseWall on too. The new one came out yesterday with updates.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Is this the W32.SafeSys.Worm?

    How did you load it into the system? What is the file extension?

    Are Administrative rights required for this infection to take place?

    ----
    rich
     
  7. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Cudni: Faronics didn't say if they are going to fix the issue, and with "the issue" I mean the MBR infection problem. They just said that Deep Freeze doesn't protect the MBR.

    My opinion is they are not going to fix it because they know about the problem, they have had enough time to find a solution and include it in version 7 but they didn't. So I guess this problem will remain there forever or until they lose enough customers that they are forced to do something about it.

    Much more disturbing is the information I found here while searching Google for information about SafeSys:

    http://www.dslreports.com/forum/r22521466-Worm-bypasses-Software-like-DeepFreeze

    I would pay special attention to the next posts:

    http://www.dslreports.com/forum/r22529278-

    http://www.dslreports.com/forum/r22535000-

    In this second post, a user quotes a reply from Faronics dated over 1 year ago, where Faronics says:

    Well, I got the sample and I only needed 1 minute to reproduce the results.

    It's also disturbing that Faronics didn't make any public statement about the article published by PrevX (already linked in this thread). At least I can not find anything.

    So considering all the above, in my opinion Faronics is perfectly aware of the issue with SafeSys but they are unable to find a solution to avoid permanent changes; otherwise, after over 1 year, they would have included a solution to close the huge hole they have in their product.

    They make false publicity on purpose:

    That's wrong!

    MebRoot and SafeSys are just two examples of malicious programs which are able to bypass Deep Freeze and make permanent changes. More examples may exist.

    At dslreports.com, users requested that Faronics participate in the thread, but they never did. They were waiting for a public reaction and there never was one.

    It's sad when a security company behaves like that.
     
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Well, the identification name is always a problem because every company detects things with a different name.

    You can take a look at the detection names here:

    ~ Virus Total Results Removed per Policy ~

    I ran an executable (EXE).

    Yes, admin rights are required.
     
    Last edited by a moderator: Jun 28, 2010
  9. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    If anyone is interested in testing the bypass themselves, the malware can be found here:

    ~ Removed Link as per Policy - Wilders is not a Malware Exchange Forum - Please Abide by our TOS ~
     
    Last edited by a moderator: Jun 28, 2010
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks, I thought so, but wanted to be sure.

    I haven't followed this for several years.

    Note this comment by Marco in the blog you referenced:

    Actually, the weakness of these programs has been known for some years on some of the technical forums, as far back as 2007, if I remember correctly.

    An early incarnation of such malware was the robot dog and the pcihdd.sys file. These were popular in Asian internet cafes where stealing gaming passwords and the like was quite popular.

    The malware executable needs to write to the disk controller, which requires Administrative privileges, and, of course, the malware executable cannot run in the first place with a program such as Anti-Executable on the system.

    Regarding Mebroot, aka Sinowal, has anything changed in the past few years? As far as I know, it's still distributed via exploit packs in drive-by downloads, which are certainly the easiest of exploits to prevent.

    This takes nothing away from the fact that it can bypass Deep Freeze when running with Administrative privileges. But people I've corresponded with for some years were always hesitant to depend on roll-back products as the sole security solution for the system, and I then stopped recommending Deep Freeze for that sole use, and I use it more as a Maintenance product.

    I've not kept up with Faronics' responses, but if the malware does indeed bypass Deep Freeze running with Administrative privileges, then their claim to restore to original state on reboot is not true (when running as Administrator).

    ----
    rich
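Rmus's point above is that a rollback product like Deep Freeze restores the file system but, per Faronics' own reply quoted in this thread, does not cover the MBR, so an MBR-infecting executable running with admin rights survives the reboot. A compensating control is to baseline the first sector while the machine is known-good and compare it region by region afterwards. The check below is an added example, not code from this thread, from Faronics or from Prevx; the 512-byte MBR images are constructed inline for testing rather than read from a real disk (on a real system the same 512 bytes would be read from the raw device, which itself requires administrative rights).

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_END = 446          # boot code occupies bytes 0..445
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xaa"

def build_mbr(bootcode: bytes, partitions: list) -> bytes:
    """Assemble a constructed 512-byte MBR image for testing (not read from a disk)."""
    sector = bytearray(SECTOR)
    sector[:len(bootcode)] = bootcode
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, BOOTCODE_END + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code hash, decoded partition entries and a signature flag."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, BOOTCODE_END + 16 * i)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_END]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == SIGNATURE}

def compare_mbr(baseline: bytes, current: bytes) -> list:
    """List every MBR region that differs from the trusted baseline (empty list = unchanged)."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["bootcode_sha256"] != c["bootcode_sha256"]:
        findings.append("boot code modified")
    for i, (pb, pc) in enumerate(zip(b["partitions"], c["partitions"])):
        if pb != pc:
            findings.append(f"partition entry {i} modified")
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    return findings

# Constructed sample images: a known-good baseline and a copy whose boot code was patched.
GOOD_BOOTCODE = b"\xeb\xfe" + bytes(BOOTCODE_END - 2)      # 'jmp $' followed by zero padding
BASELINE = build_mbr(GOOD_BOOTCODE, [(True, 0x07, 2048, 1_000_000)])
TAMPERED = build_mbr(GOOD_BOOTCODE[:0x100] + b"\x90" * 16 + GOOD_BOOTCODE[0x110:],
                     [(True, 0x07, 2048, 1_000_000)])
```

Comparing `BASELINE` against itself yields no findings, while `compare_mbr(BASELINE, TAMPERED)` reports only the boot-code change, which is the region a bootkit rewrites while leaving the partition table intact so the system still boots.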
     
  11. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,614
    Location:
    Milan and Seoul
    I'd be a little cautious about describing Faronics as indifferent to criticism: Deep Freeze 7 will integrate with their new antivirus which I'm pretty sure will detect those 2 rogues (I'm certain that any AV would probably detect them anyway).

    Running DeepFreeze along with Anti-Executable would also neutralize just about any malware.

    2 pieces of malware bypass DeepFreeze: thousands if not tens of thousands of new viruses aren't detected by most AVs, still most people (including myself) pay for a resident AV nonetheless.

    As far as I could understand, you planted the malware on the system; in normal circumstances it wouldn't be easy for the malware to execute.
     
  12. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    First Faronics' responses were something like "we are studying the issue", "we can not reproduce the issue", but after a while they stopped responding.

    One year after the discovery of SafeSys I still haven't heard an official announcement from them.

    And of course, their claim to restore to original state on reboot is completely false. Someone could sue them for making such a claim when they know that's not true.
     
    Last edited: Jun 28, 2010
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Criticism is one thing and a vulnerability is another. You can be indifferent or not to criticism, but you can not be indifferent (not make any public statement) to a vulnerability in your product.

    Please, tell me where I can find an official response from Faronics about SafeSys, because I'm unable to find it.

    I have tried Deep Freeze 7 Standard Edition and it didn't include anything like that.

    And what if I don't want any antivirus technology and I only want a product that, in the words of Faronics, makes computers indestructible and prevents against unwanted workstation changes?

    Personally I don't like the way you seem to try to turn the discussion from a product that is advertised to stop any changes to the system into "Deep Freeze 7 will include different technologies and then the problem will be solved".

    In normal circumstances?

    The circumstances where a user trusts Faronics' publicity and only relies on Deep Freeze because that's the only thing he considers he needs to stop malware in its tracks?

    Come on...
     
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    And more important:

    No! There are two methods to bypass Deep Freeze.

    Very different things.
     
  15. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    This reminds me of the statement that X, Malware Defender's vendor, made to me in a PM: should you let malware run to begin with, there are many ways malware can bypass security products. X was sort of saying that it's not possible to plug every single hole. I don't care as much as I used to about security products not being able to control the behavior of POCs and malware, because there will always be new undiscovered holes.

    Solution is don't let it run in the first place.
     
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    arran: that's true, but here we are not discussing what the method is to stop every single piece of malware, or whether there is always some malware that can bypass a security product.

    Here we are discussing that the publicity that Faronics uses to sell Deep Freeze is not true and they must know it.
     
    Last edited: Jun 28, 2010
  17. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I wonder why there are no users asking if other virtualization programs like Shadow Defender/Shadow User/... are affected by this malware too.
     
  18. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Buster, have you or anyone else tested Shadow Defender, Sandboxie, Defensewall and Returnil?
     
  19. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Sandboxie, by default, doesn't allow installing drivers, so the malware can not bypass Sandboxie.

    Defensewall is a HIPS, so whether the malware bypasses it or not depends on user actions: whether the user allows the execution of malicious actions or not.

    I didn't test Shadow Defender or Returnil.
     
  20. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Could someone test ShadowDefender against these two pieces of malware? Thanks.
     
  21. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    No bulletproof defense exists, everybody knows that, and there is frustration every time the next malware is found. No, I won't ask you, Buster, whether any program is vulnerable or not. ;) Sorry.
     
    Last edited: Jun 28, 2010
  22. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Leach: Agreed, no bulletproof defense exists.

    I'm just saying that you can not say in your publicity "makes computers indestructible and prevents against unwanted workstation changes" (indestructible? Woah! What a statement!) when you know there are ways to make permanent changes.

    Also you can not stay silent about the issue, ignoring it publicly.

    Is it so difficult for Faronics to make a public declaration about the issue?

    I bet many people (users from this forum and people all around the world) trust and consider to be true the publicity used by Deep Freeze.

    I think Deep Freeze users deserve to know the truth.
     
  23. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @Buster_BSA et al

    Have you tried installing MBRguard, and then seeing if DF or other such apps pass/fail?

    It "might" make a difference if MBRguard was installed before or after the infection?

    MBRguard from Blue Ridge Networks

    http://www.blueridgenetworks.com/support/mbguard/mbguard.php
     
  24. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    CloneRanger: I guess in the case of MebRoot MBRGuard would protect the system from infection, but in the case of SafeSys MBRGuard will be useless.
     
  25. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Some motherboards provide MBR protection in their BIOS; I'd suggest checking that before wasting money. In any case, if malware takes that level of control over the system, I can say there are plenty of places to hide instead of the MBR: empty sectors after the MBR, the last cluster of nearly any program, which almost always has free space, any free sector on the disk which could be marked as bad or just protected from overwriting, etc. If a way in is found there's no trouble hiding itself. Prevention is the best defense.
     