Wilders Security Forums  

#51  July 2nd, 2010, 01:17 PM  acuariano
Re: Wondershare Time Freeze - Giveaway

Quote:
Originally Posted by J_L
Can you test Comodo Defense+ w/ SandBox? It should be included by default in all of the downloads here, although they don't advertise it.

I'd like to know about the latest CIS... please.
#52  July 2nd, 2010, 01:36 PM  Leach
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by taleblou
Look at the shadow defender result? This is confusing.

Please take a closer look - they used another version of a virus, SafeSys, while I'm using TDL3, not SafeSys. Buster_BSA and I are trying to understand what's happening.
#53  July 2nd, 2010, 04:04 PM  Buster_BSA
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by HAN
they may not be bullet proof as often advertised

That's euphemistic, man!

They are not bullet proof as advertised. Just look at Faronics or Returnil publicity and then look at how they fail to restore a system where SafeSys or TDSS was executed.

And do you know the best part? They knew the publicity was wrong, so they fooled customers on purpose.

Faronics received reports about SafeSys bypassing their software 1 year ago. All this time they have been saying they were unable to reproduce it or that their developers were investigating the issue.

It's incredible. In fact I consider this to be the biggest scandal in the security industry since, some years ago, some AV vendors were announcing their products to have "100% virus detection".
__________________
http://bsa.isoftware.nl
#54  July 2nd, 2010, 05:39 PM  Leach
Re: TDL/TDSS trojan series bypassing isolation software

OK, I resolved the issue with Shadow Defender. It was the difference in the OS on which the samples have been tested. I used Windows XP for Windows 7, while Buster_BSA was using an original XP as the host system and an original XP as the guest system. Hence the difference in virus behaviour: the real XP system will not be infected after a malware execution in shadow mode and thus reboots clean. That's what happened in Buster's case and in mine after I installed VirtualBox with a real Windows XP. The Win7 version of Windows XP was infected and rebooted infected too. So whether Shadow Defender is bypassed or not is up to you to decide.
I made a test on a real Windows 7 system, which I'm using now (a clone, of course), and here's what I got:
Attached Images (screenshots not reproduced)

Last edited by Leach : July 2nd, 2010 at 05:45 PM.
#55  July 2nd, 2010, 06:24 PM  Hugger
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by Leach
OK, I resolved the issue with Shadow Defender. It was the difference in the OS on which the samples have been tested. I used Windows XP for Windows 7, while Buster_BSA was using an original XP as the host system and an original XP as the guest system. Hence the difference in virus behaviour: the real XP system will not be infected after a malware execution in shadow mode and thus reboots clean. That's what happened in Buster's case and in mine after I installed VirtualBox with a real Windows XP. The Win7 version of Windows XP was infected and rebooted infected too. So whether Shadow Defender is bypassed or not is up to you to decide.
I made a test on a real Windows 7 system, which I'm using now (a clone, of course), and here's what I got:

If I missed this I apologize.
Is anybody testing this on Windows 7 x64?
Thanks.
Hugger
#56  July 3rd, 2010, 12:36 AM  culla
Re: TDL/TDSS trojan series bypassing isolation software

Curious to know: I run Returnil 2008 and then open the browser in Sandboxie within Returnil.
Can this be tested? Thanks.
#57  July 3rd, 2010, 03:17 AM  Leach
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by culla
Curious to know: I run Returnil 2008 and then open the browser in Sandboxie within Returnil.
Can this be tested? Thanks.
Sandboxie is not bypassed, so you won't even need Returnil to be safe enough.
Quote:
Originally Posted by Hugger
If I missed this I apologize.
Is anybody testing this on Windows 7 x64?
Thanks.
Hugger
Nope, 64 bit versions were not tested.
#58  July 3rd, 2010, 03:28 AM  AvinashR
Re: TDL/TDSS trojan series bypassing isolation software


You guys are doing great...
Sandboxie is really a nice and trusted application.

Anyway, I have tested Safe n Sec 2009 (ver. 3.5.1.865)... As per the vendor, it provides proactive protection from known and unknown malicious software and Internet threats due to the advanced technology of behavioral analysis and the up-to-the-minute V.I.P.O. (Valid Inside Permitted Operations) solution... V.I.P.O. (Valid Inside Permitted Operations) prevents malicious actions of any unknown and potentially dangerous application...

So I have tested some zero-day nasties and the latest TDSS aka TDL3... I have executed all the threats and allowed them to run on my system... and to be very honest, TDL3 was unable to infect my system. It was kept under the V.I.P.O. user account of Safe n Sec but wasn't able to infect me.

I am unable to provide you the screenshots because by tomorrow I'll show you a video of the same... so I thought, why screenshots?

Anyway, I really don't know how to take screenshots...

Last but not least, this application "Safe n Sec" deserves my two thumbs up...
__________________
∆√♪ηάکђ
ℓєтک υηcσммpℓιcαтє
http://www.adminus.net
http://technonxt.wordpress.com
#59  July 3rd, 2010, 09:39 AM  cruchot
Re: TDL/TDSS trojan series bypassing isolation software

Are there other comments or test results about 'Safe n Sec'?

http://www.safensoft.com/
__________________
Enomis creates password-protected 7-Zip/ZIP/RAR/SFX archives from files or folders by
simply dragging them onto a desktop icon. The archives can be stored with patterns such as a timestamp
or version in the file name, and also directly in cloud storage services such as Dropbox.
#60  July 3rd, 2010, 10:04 AM  Meriadoc
Re: TDL/TDSS trojan series bypassing isolation software

Safe n Sec contains the rktrap anti-rootkit engine. Can one scan for TDSS on an already infected system with SnS, and do you have any results?
__________________
Who controls the past controls the future
Who controls the present controls the past

vmworld
#61  July 3rd, 2010, 10:20 AM  cruchot
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by Meriadoc
can one scan for tdss on an already infected system with SnS and do you have any results ?
Yes, would like to see some tests against TDSS / SafeSys.
#62  July 3rd, 2010, 10:41 AM  AvinashR
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by cruchot
Yes, would like to see some tests against TDSS / SafeSys.

Roger that!! I'll try to test it against a pre-infected system... But it will spoil an hour and a half of my time... It's really slow while updating and making the system profile...
#63  July 3rd, 2010, 12:52 PM  taleblou
Re: TDL/TDSS trojan series bypassing isolation software

Hi:

The TDSS/TDL rootkit that originally infected my PC did so even with CIS set to the highest setting, and scanning with Comodo, a-squared, Malwarebytes and SuperAntiSpyware all did not detect it. Time Freeze failed, and it infected the atapi.sys driver (Hitman identified it as an atapi.sys rootkit), which was very new. Perhaps someone can test this particular rootkit against these security products? I think I may have gotten it through malwaredomainlist site link testing.

So I think the atapi rootkit is a badass one. So if you guys could test this rootkit as well, that would be great.
#64  July 3rd, 2010, 01:38 PM  Windchild
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by Franklin
XP LUA and ran SafeSys.exe.

Didn't seem to do much except drop a .tmp file within the LUA account.
_mcvvd.tmp - Result: 39/41 (95.13%) - VirTool:WinNT/Rootkitdrv.LH

TDSSKiller couldn't run in the LUA account.

Funny thing is that Malwarebytes picked up the _mcvvd.tmp.tmp but missed the SafeSys.exe with both a right-click and a quick scan run within the LUA account, but on rebooting into admin a quick scan with Malwarebytes picks up both files?

Yeah, SafeSys would require the load driver privilege, and limited users don't have that, so SafeSys would do nothing.

TDSSKiller also requires that privilege, so it can only run as admin. So to test whether one managed to get the entire system infected from a limited user account, one would have to log in as admin to run tests like TDSSKiller.

MBAM always acted weird under LUA, but then, stuff like that should be run with admin privileges, so it can look as deep in the system as possible.
__________________
Save your tears, for your tears will not save you :: Shameless LUA troll
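Windchild's point above (a limited user lacks the load-driver privilege, so a driver-dropping sample does nothing there and a driver-based scanner such as TDSSKiller cannot run either) can be confirmed before a test run. The following PowerShell helper is an added example, not code from any poster or product in this thread; it reads the current token's privileges with the built-in whoami tool and reports whether SeLoadDriverPrivilege is present:

```powershell
# Added example (not from the thread): report whether the current session
# holds SeLoadDriverPrivilege, the privilege a kernel-driver-dropping sample
# and a driver-based scanner such as TDSSKiller both need.
function Test-DriverLoadCapability {
    # Elevation: is the token a member of the local Administrators group?
    $identity   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal  = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole  = [System.Security.Principal.WindowsBuiltInRole]::Administrator
    $isElevated = $principal.IsInRole($adminRole)

    # whoami /priv /fo csv prints one row per privilege in the token:
    #   "Privilege Name","Description","State"
    $privs      = whoami.exe /priv /fo csv | ConvertFrom-Csv
    $loadDriver = $privs | Where-Object { $_.'Privilege Name' -eq 'SeLoadDriverPrivilege' }

    # A privilege listed as Disabled is still usable: a process may enable it
    # with AdjustTokenPrivileges. Only an absent privilege blocks driver loading.
    $state = if ($loadDriver) { $loadDriver.State } else { 'absent' }

    [pscustomobject]@{
        User              = $identity.Name
        IsElevated        = $isElevated
        SeLoadDriverState = $state
        CanLoadDrivers    = [bool]$loadDriver
    }
}

# Usage: run once in the limited (LUA) account and once in an elevated prompt
# and compare the two results.
$caps = Test-DriverLoadCapability
$caps | Format-List
if (-not $caps.CanLoadDrivers) {
    Write-Warning 'SeLoadDriverPrivilege absent: driver-based samples and driver-based scanners cannot load drivers from this account.'
}
```

On Windows 7 with UAC, a non-elevated administrator's filtered token also lacks this privilege, which is why the scanner has to be started from an elevated prompt rather than merely from an admin account.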
#65  July 3rd, 2010, 01:51 PM  Meriadoc
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by taleblou
Hi:

The TDSS/TDL rootkit that originally infected my PC did so even with CIS set to the highest setting, and scanning with Comodo, a-squared, Malwarebytes and SuperAntiSpyware all did not detect it. Time Freeze failed, and it infected the atapi.sys driver (Hitman identified it as an atapi.sys rootkit), which was very new. Perhaps someone can test this particular rootkit against these security products? I think I may have gotten it through malwaredomainlist site link testing.

So I think the atapi rootkit is a badass one. So if you guys could test this rootkit as well, that would be great.
Mmm, I have harvested TDL/TDSS since late in the year of '09... and this is of no surprise. Vendors seemed to have simply ignored the problem or have been unable to manage it.
#66  July 3rd, 2010, 02:37 PM  Leach
Re: TDL/TDSS trojan series bypassing isolation software

Shadow Defender 1.1.0.326 is infected in VBOX, unlike 325. And TDSS keeps behaving strangely in VBOX: it kills itself after being detected with TDSSKiller, so there's no need for TDSSKiller any more to cure the system. I don't think the behaviour should be investigated in VBOX but rather in VPC; VPC with W7's XP system seems to frighten the virus much less and the results are more stable. What do you think?

Correction:
1. TDSS kills itself after being detected with TDSSKiller in VPC too.
2. TDSSKiller seems trying to restore the normal state of the infected DLL after restart.
3. Windows Defender detects now that critter.

Last edited by Leach : July 3rd, 2010 at 05:18 PM.
#67  July 3rd, 2010, 05:08 PM  Leach
Re: TDL/TDSS trojan series bypassing isolation software

Power Shadow v2.6 is bypassed from time to time by TDSS/TDL.
#68  July 3rd, 2010, 08:10 PM  Franklin
Re: TDL/TDSS trojan series bypassing isolation software

XP VM.

Testing safesys.exe and beta Returnil Virtual System Lite 2011 using the memory cache.

On the first run of safesys.exe and rebooting out of Returnil mode Malwarebytes finds one suss reg key:
Quote:
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler (Malware.Packer)
I let MBAM delete that key, reboot to clear and rerun safesys.exe in Returnil mode.

Reboot again out of Returnil mode and a scan with MBAM shows all clear?
#69  July 3rd, 2010, 09:16 PM  CloneRanger
Re: TDL/TDSS trojan series bypassing isolation software

Originally Posted by Franklin

Quote:
XP VM.

Testing safesys.exe and beta Returnil Virtual System Lite 2011 using the memory cache.

I like the memory cache approach.

Quote:
On the first run of safesys.exe and rebooting out of Returnil mode Malwarebytes finds one suss reg key:
Quote:
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spooler (Malware.Packer)

I have spooler disabled as I use another computer for printing. I wonder if some of these RKs would be fooled etc. if tested in this way?

Quote:
I let MBAM delete that key, reboot to clear and rerun safesys.exe in Returnil mode.

Reboot again out of Returnil mode and a scan with MBAM shows all clear?

Not being funny, but can you be sure MBAM caught everything? What if you used the available removal tools to also check for remnants, or worse? And e.g. Gmer/Rku?

Also, as you tested in a VM, maybe you would get different results without?

Plus, what would happen if you didn't use MBAM after the RVS reboot?

TIA
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
#70  July 4th, 2010, 02:46 AM  Leach
Re: Wondershare Time Freeze - Giveaway

Quote:
Originally Posted by acuariano
I'd like to know about the latest CIS... please.
Quote:
Originally Posted by J_L
Can you test Comodo Defense+ w/ SandBox? It should be included by default in all of the downloads here, although they don't advertise it.
Comodo FW with D+, without antivirus (cis_4.1.150349.920_x86), installed. Sandbox was enabled, the rest of the settings left at default.

Sandboxed TDSS did nothing; the system is not affected.

Normally launched TDSS gave the same warning and infected the system, as it should.
Attached Images (screenshots not reproduced)

Last edited by Leach : July 4th, 2010 at 02:56 AM.
#71  July 4th, 2010, 05:04 AM  Franklin
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by CloneRanger
I have spooler disabled as i use another comp for printing. I wonder if some of these RK's would be fooled etc if tested in this way ?

Not being funny, but can you be sure MBAM caught everything. What if you used the available removal tools to also check for remnants, or worse ? And for eg Gmer/Rku ?

Also as you tested in VM, maybe you would get different results without ?

Plus what would happen if you didn't use MBAM after RVS reboot ?

TIA
Spooler is disabled in that VM.

MBAM seems to clean up all the dregs of the infection, finding around 130 entries after safesys.exe is installed, most being the image execution reg hijacks.

Will test further a bit later.
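Franklin's two findings above (the spooler service key flagged by MBAM, and the "image execution" registry hijacks that make up most of the cleanup entries) are both things a tester can audit directly instead of relying on a scanner's verdict. The PowerShell below is an added example, not code from the thread or from any product: it lists every Image File Execution Options subkey carrying a Debugger value and compares the spooler service's ImagePath with the expected spoolsv.exe location (the expected path is an assumption for a stock XP/7 install). Take one run before executing the sample and one after rebooting out of Returnil/shadow mode, then diff the two:

```powershell
# Added example (not from the thread): audit two registry locations named in
# this thread for signs that a sample has persisted through the reboot.
function Get-IfeoDebuggerEntries {
    # A Debugger value under IFEO makes Windows launch that program in place
    # of the named image; an unexpected entry is a classic hijack.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -Path $root)) { continue }   # Wow6432Node is absent on x86
        Get-ChildItem -Path $root | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg; Key = $_.Name }
            }
        }
    }
}

function Test-SpoolerImagePath {
    # MBAM flagged HKLM\SYSTEM\CurrentControlSet\Services\spooler in the thread;
    # compare the service binary path with the stock location.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\spooler'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # Assumed stock value (REG_EXPAND_SZ); Get-ItemProperty returns it expanded,
    # so expand the expected string the same way before comparing.
    $expected = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32\spoolsv.exe')
    [pscustomobject]@{
        ImagePath = $props.ImagePath
        Expected  = $expected
        Matches   = ($props.ImagePath -eq $expected)   # -eq is case-insensitive
    }
}

# Usage: run elevated; save the output before and after the test and compare.
$hijacks = @(Get-IfeoDebuggerEntries)
if ($hijacks.Count -eq 0) { 'No IFEO Debugger entries found.' }
else { $hijacks | Format-Table -AutoSize }
Test-SpoolerImagePath | Format-List
```

Legitimate debuggers and some developer tools also register IFEO Debugger values, so the before-run baseline, not an empty list, is the reference point.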
#72  July 4th, 2010, 02:43 PM  J_L
Re: Wondershare Time Freeze - Giveaway

Quote:
Originally Posted by Leach
Sandboxed TDSS did nothing, the system is not affected.

Normally launched TDSS gave the same warning and infected the system, as it should
Interesting, thanks for testing it.
#73  July 4th, 2010, 05:55 PM  acuariano
Re: Wondershare Time Freeze - Giveaway

Leach, thanks for the report, very informative.
#74  July 5th, 2010, 12:05 PM  xorrior
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by nick s
I've tested hundreds of TDL/TDSS samples using Sandboxie and none have touched the real system.


Not yet they don't, but they do detect its injected modules even in the latest release and hold their payloads, like most updated malware does against Sandboxie. If there is a memory corruption or a way to use the native API to detach Sandboxie, you'll see it in one of these industrial rootkits first.

EDIT: Some variants in the 7.10.09.10 Avira DB now defeat NIS 2011 and some other solutions btw..
__________________
Having the audacity to be honest about security products for fun and profit.
#75  July 5th, 2010, 01:13 PM  dax123
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by xorrior
Not yet they don't, but they do detect its injected modules even in the latest release and hold their payloads, like most updated malware does against Sandboxie. If there is a memory corruption or a way to use the native API to detach Sandboxie, you'll see it in one of these industrial rootkits first.

EDIT: Some variants in the 7.10.09.10 Avira DB now defeat NIS 2011 and some other solutions btw..
Sounds like hell.
__________________
Windows 95, no security updates, no AV, no firewall. Works just as I expected.
Light virtualization software / Partial sandbox test : the truth about rollback software