#1
Hi:
I am disappointed at Time Freeze. I got it on the free giveaway and it failed to protect the PC I used it on from malware (even though I used the optimum setting). I had to format to be sure all is clean and went back to Shadow Defender on that PC. In my opinion Time Freeze is not worth it. I got infected with a TDL rootkit that passed through Time Freeze and deeply infected my Windows XP SP2 PC. P.S. I got infected with the malware also on my test PC with Time Freeze on and using malwaredomainlist malware. It seems only rootkits made it through?
#2
taleblou,
Thanks for the warnings, although I made a massive amount of tests since I installed it, including malwarebytes domains. Possibly I haven't got the malware which could pass through WTF, but any program can be bypassed sooner or later; Shadow Defender is not an exception, have a look at the Deep Freeze thread. I would still use Shadow Defender, but at the time I tested DefenseWall it had a conflict with SD - sporadic slowdowns on startup. WTF can make drives read-only, a possibility which I find very useful and haven't seen for free. It suits me quite well - I use a clone of a real system more often than a fresh and clean VM installation. Besides, it won't slow down the system at all, which happens when you use a VM or sandbox. Haven't seen any signs of vulnerabilities but I'll have a closer look into it.
Last edited by Leach : June 29th, 2010 at 02:07 PM.
#3
Hi:
Yeah, I was shocked too. From all the positive reading I had done and demos I had seen, I thought Time Freeze was bulletproof and it even has a boot protection feature, but I was surprised when I got infected. I only noticed it when I ran Hitman Pro 305, and it was the only one out of the 5 anti-malware programs I used to scan that detected the TDL rootkit. By the way, before installing Time Freeze I had scanned the PC with all 5 anti-malware programs incl. Hitman Pro and all was clean. Therefore the infection happened after Time Freeze was protecting. If you want to test Time Freeze I suggest you try malwaredomainlist links, especially the TDL rootkits, and see for yourself. By the way, the 5 anti-malware programs I use for scanning are: a-squared Free, Malwarebytes, SUPERAntiSpyware, Hitman Pro, Comodo. P.S. I have e-mailed Wondershare about this and am waiting for their reply.
#4
Hi taleblou,
Made some research and got interesting results about the TDSS / TDL you mentioned. I got a bunch of critters of the TDSS series and tried them against Time Freeze v1.0.0.1 and then against Shadow Defender v1.1.0.325; both are configured to reset the original state of the OS after reboot. XP SP3 x32 has been used, installed on Virtual PC, the latest updates applied. To check if the system is infected or not I used a special utility, TDSSKiller by Kaspersky Lab. No antivirus was installed, only the shadowing systems and Delphi 7 with some libs. The procedure is rather simple:
a) The system is checked with TDSSKiller and shadow mode is turned on.
b) Samples are launched directly from the desktop one at a time to avoid "self false positive detection" of a rootkit and thus refusing to install. Smart viruses are checking their presence in a system before trying to infect it.
c) After a short downtime the system is rebooted and checked with TDSSKiller again after a short downtime. A delay is needed to let the rootkit initialize / start normally after reboot, because some versions use a short delay after system restart before initialising to avoid detection by anti-rootkit programs.
I have tested it twice to be sure and the results are identical. The fact is this sample of TDSS trojan is detected by AV programs, two of them I used at least - MBAM and SUPERAntiSpyware. You were right - WTF has been compromised, and so was I - Shadow Defender is not an exception. The second sample has bypassed Time Freeze as well as Shadow Defender later. In both cases the OS has been infected with a rootkit after reboot and the shadowing systems supposedly cleaned the OS. Here are some screen shots:
Last edited by LowWaterMark : June 30th, 2010 at 06:41 PM. Reason: adjusted display of screenshots
#5
Hi;
Thanks for the test. I appreciate it. Also, can you test Comodo Time Machine and Returnil against these TDSS/TDL rootkits and please let me know if they pass the test or not. Please tell me, so if any of them passes the test then I will use that software for protection. Thanks in advance. Looking forward to your test result on Comodo Time Machine and Returnil.
#6
Hi Leach, what version of Shadow Defender were you using and what is the MD5 or SHA-1 hash of the TDL/TDSS (dogma.exe) you were using? Thanks.
Latest MD5: 55A16DB3018A69A7D27F0DEAF632273F SHA-1: 1B1B5AF63CB048FCF47BDCE96CCFEA1301034137
__________________
Who controls the past controls the future. Who controls the present controls the past. vmworld
Last edited by Meriadoc : June 30th, 2010 at 10:11 PM.
#7
Well, I tried to get a new thread going, MBR bypass thread http://www.wilderssecurity.com/showthread.php?t=276136, as I felt it would be useful in many ways.
As you can see it's been locked rather early on. But the reasons for that, and why this one has been started in its place, have been explained to me, and I understand and agree. So we're good to go.
__________________
. Malware = You don't scare me. A different perspective https://rt.com - https://rt.com/on-air
#8
How does Cleanslate 6.5 fare against these rootkits?
#9
Hi Leach,
Please test DefenseWall 3.03 against these rootkits. You can download it here: DefenseWall_Personal_Firewall V 3.03
__________________
Laptop: Win7 x64 | AppGuard 3.4.2 | Rollback Rx | Macrium Reflect
Last edited by BlueZannetti : June 30th, 2010 at 10:00 PM. Reason: Edited direct exe download link to location from which download can be initiated
#10
Did it pass Sandboxie? ... since it got through SD and TF.
#11
Quote:
Thanks, -rich
#12
Quote:
__________________
Nick
#13
Sandboxie doesn't allow installing drivers, that's why Sandboxie can not be bypassed that way.
Leach: You got a PM.
__________________
http://bsa.isoftware.nl
#14
Quote:
__________________
Nick
#15
Quote:
Tested BufferZone, Sandboxie and DefenseWall 3.03 against SafeSys.exe. All three seemed to contain it, or it could not run fully, and all dregs were deleted, or at least that's what the TDSSKiller and Malwarebytes scans are showing.
__________________
Lean, Mean and Clean! Sandboxie, Buster Sandbox Analyser, Returnil 2008, Microsoft Virtual PC 2007 SP1, Drive Snapshot
#16
Quote:
Great, thanks.
#17
Quote:
Read this for more information.... http://www.wilderssecurity.com/showthread.php?t=276023
__________________
∆√♪ηάکђ ℓєтک υηcσммpℓιcαтє http://www.adminus.net http://technonxt.wordpress.com
#18
@Franklin, I had to reboot the VM (VMware 7.0.1) to get it to work, so I could not test Shadow Defender in VMware.
dogma.exe MD5: 55A16DB3018A69A7D27F0DEAF632273F. Retrieved config.ini from the TDL3 rootkit:
Quote:
__________________
Who controls the past controls the future. Who controls the present controls the past. vmworld
#19
Quote:
__________________
Lean, Mean and Clean! Sandboxie, Buster Sandbox Analyser, Returnil 2008, Microsoft Virtual PC 2007 SP1, Drive Snapshot
#20
Quote:
__________________
Nick
#21
Thanks for the testing Franklin.
__________________
Laptop: Win7 x64 | AppGuard 3.4.2 | Rollback Rx | Macrium Reflect
#22
Quote:
Read it again... I am not talking about Sandboxie, I am talking about Avast Sandbox...
__________________
∆√♪ηάکђ ℓєтک υηcσммpℓιcαтє http://www.adminus.net http://technonxt.wordpress.com
#23
Quote:
__________________
Nick
#24
Quote:
Hey, thanks for the link. Good to know SBIE is stronger, effective.
#25
Quote:
Good you found the sample - I just wanted to ask for help. Shadow Defender with full DEP enabled has been tested by request - no changes except the targeted .DLL, system remains infected.