Wilders Security Forums  

#101
July 7th, 2010, 09:15 PM
Technical
Frequent Poster
Join Date: Oct 2003
Location: Brazil
Posts: 471
Re: TDL/TDSS trojan series bypassing isolation software

A lot of products are being tested here:
https://forums.comodo.com/news-annou...2131#msg412131

Also some comments here: https://forums.comodo.com/news-annou...t58723.45.html
#102
July 13th, 2010, 04:22 PM
Novastar 3d
Infrequent Poster
Join Date: May 2009
Posts: 13
Re: TDL/TDSS trojan series bypassing isolation software

Looks like someone got Egg on their face to go along with their coffee.
Xorrior, let us know what you hear man.
#103
July 14th, 2010, 12:14 AM
SourMilk
Frequent Poster
Join Date: Mar 2006
Location: Hawaii
Posts: 630
Re: TDL/TDSS trojan series bypassing isolation software

With all the posts concerning this trojan, I am considering buying Faronics Anti-Executable. Is there any drag on performance or does it just filter execs like UAC?

Thanks for any reply,
SourMilk out
__________________
You might be a geek if you have a junkyard full of extra computer parts in your garage.
#104
July 14th, 2010, 03:32 AM
Boost
Very Frequent Poster
Join Date: Feb 2007
Posts: 1,245
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by SourMilk
With all the posts concerning this trojan, I am considering buying Faronics Anti-Executable. Is there any drag on performance or does it just filter execs like UAC?

Thanks for any reply,
SourMilk out

No drag on performance; you forget that it's there.

I tested a ton of malware with it, and nothing executes. Go figure.
__________________
Windows XP SP3 & GeSWall
#105
July 14th, 2010, 07:34 AM
Hugger
Very Frequent Poster
Join Date: Oct 2007
Location: Hackensack, USA
Posts: 1,003
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by SourMilk
With all the posts concerning this trojan, I am considering buying Faronics Anti-Executable. Is there any drag on performance or does it just filter execs like UAC?

Thanks for any reply,
SourMilk out

We have/had a member, Easter(?), who was quite fond of AE and other security products.
Look up some of his posts to get some info.
Hugger
#106
July 14th, 2010, 07:39 AM
BlueZannetti
Administrator
Join Date: Oct 2003
Posts: 6,589
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by SourMilk
With all the posts concerning this trojan, I am considering buying Faronics Anti-Executable. Is there any drag on performance or does it just filter execs like UAC?
No drag in my experience.

Blue
#107
July 14th, 2010, 11:54 AM
SourMilk
Frequent Poster
Join Date: Mar 2006
Location: Hawaii
Posts: 630
Re: TDL/TDSS trojan series bypassing isolation software

Thanks for the replies. I'm going to try it out. TDSS, I believe, may become more popular with black hats because of its sinister nature. My hobby might have to change if I can't get a handle on it. For enterprises, the battle wages on. May the best software engineer win. Hmm, cellphones will probably be next - who knows?

SourMilk out
__________________
You might be a geek if you have a junkyard full of extra computer parts in your garage.
#108
July 14th, 2010, 03:15 PM
Dark Star 72
Frequent Poster
Join Date: May 2007
Location: UK
Posts: 580
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by SourMilk
With all the posts concerning this trojan, I am considering buying Faronics Anti-Executable. Is there any drag on performance or does it just filter execs like UAC?

Thanks for any reply,
SourMilk out
As the others have said, no drag at all.
It also integrates very nicely with Sandboxie: if anything tries to start or run in Sandboxie that is not on the real system, Faronics AE will stop it dead in the sandbox.
Highly recommended.
#109
July 14th, 2010, 07:33 PM
cheater87
Massive Poster
Join Date: Apr 2005
Location: West Chester Pennsylvania.
Posts: 3,003
Re: TDL/TDSS trojan series bypassing isolation software

For people testing Sandboxie on this nasty thing, are you doing it with default settings or tweaked such as only allow such and such to have access to internet or be allowed to run? Oh and has anyone tested DefenseWall against this?
__________________
I have Windows 7 64 bit Comodo Firewall 6 set to block, Avast Free Edition, K9 Web Protection set to block malicious and phishing sites only, Zemana Free Anti Keylogger, Comodo DNS, Firefox with Noscript, Adblock Plus, WOT set to block, Secunia PSI, and common sense. ^_^

Last edited by cheater87 : July 14th, 2010 at 07:41 PM.
#110
July 15th, 2010, 12:05 AM
the_sly_dog
Frequent Poster
Join Date: Feb 2006
Location: The Heart Of London
Posts: 297
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by Leach
Well, I wouldn't doubt in DW's abilities. Here we are:
The critter just committed suicide in untrusted.

DefenseWall passed.

Sandboxie passed too, because it doesn't allow loading of drivers.
__________________
Once you go Mac, You Dont Look Back !! \(^.^)/
#111
July 15th, 2010, 02:08 AM
Osaban
Massive Poster
Join Date: Apr 2005
Posts: 3,084
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by SourMilk
With all the posts concerning this trojan, I am considering buying Faronics Anti-Executable. Is there any drag on performance or does it just filter execs like UAC?

Thanks for any reply,
SourMilk out

System impact is negligible; used along with Sandboxie or any virtualizer, it will make any computer a fortress. There are, however, some issues about its usage: one ought to deny any execution as a policy, which is not always very practical.

It builds a whitelist of existing executables which can be edited, but it doesn't necessarily allow an existing whitelisted application to launch another one unless specifically given permission. Basically, it means that sometimes there are situations whereby something (benign) is silently blocked and one is left there wondering what the hell is going on. I suppose that in the long run one can fine-tune AE to a particular system. I ran it, but found it too fastidious. It is particularly useful if there are several people accessing the same machine.
__________________
Samsung Series 7 Chronos & Windows 8 (64bit)
“We are the cosmos made conscious and life is the means by which the universe understands itself.” Brian Cox
#112
July 15th, 2010, 01:30 PM
the_sly_dog
Frequent Poster
Join Date: Feb 2006
Location: The Heart Of London
Posts: 297
Re: TDL/TDSS trojan series bypassing isolation software

Would someone please happen to have the Faronics Anti-Executable 3.50 Standard installer? Today I updated to 3.60 but it doesn't like my system; my system crashed upon startup and I lost my parrels snapshot.

Can't find the disc I burnt version 3.50 to either. Hmmm.

All Faronics' site has is 3.60.

Many thanks.
__________________
Once you go Mac, You Dont Look Back !! \(^.^)/

Last edited by the_sly_dog : July 15th, 2010 at 03:12 PM.
#113
July 15th, 2010, 05:11 PM
Serapis
Frequent Poster
Join Date: Nov 2009
Posts: 241
Re: TDL/TDSS trojan series bypassing isolation software

Is it better to use Faronics AE against drive-bys or to use Sandboxie's Start/Run?
Please note that there is no need for a system-wide one when considering my case; the browser is the one and only threat gate on my rig.

Also curious: does Sandboxie's Start/Run on x64 rely on an arbitrary mechanism to guarantee non-execution, or does it merely 'recommend' that a program not start?

Thanks,

Serapis
#114
July 16th, 2010, 02:27 AM
Longboard
Massive Poster
Join Date: Oct 2004
Location: Sydney, Australia
Posts: 3,096
Re: TDL/TDSS trojan series bypassing isolation software

Re: AE
Quote:
Originally Posted by BlueZannetti
No drag in my experience.
Blue

One of the best recommendations yet
Ta.


Rmus is "reasonably" well acquainted with AE as well
__________________
Don't confuse me with someone who actually knows what they are talking about.
Linux Registered user 469135
Please, support Medecins Sans Frontieres

Last edited by Longboard : July 16th, 2010 at 02:34 AM.
#115
July 16th, 2010, 05:01 AM
arran
Very Frequent Poster
Join Date: Feb 2008
Posts: 1,090
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by SourMilk
With all the posts concerning this trojan, I am considering buying Faronics Anti-Executable. Is there any drag on performance or does it just filter execs like UAC?

Thanks for any reply,
SourMilk out

Faronics Anti-Executable is good, yes; however, any product which has an Anti-Executable feature in it is just as effective as Faronics Anti-Executable. No need to spend money on Faronics Anti-Executable if you can't afford it when there are many other free products with an Anti-Executable feature.


Quote:
Originally Posted by Hugger
We have/had a member, Easter(?), who was quite fond of AE and other security products.
Look up some of his posts to get some info.
Hugger

Yea, Easter is a well-respected member; I always enjoy reading his informative posts. He posted a short while ago that he should be active again later.
http://www.wilderssecurity.com/showthread.php?t=273918

Sorry, admins, if the following paragraph is a little off topic; I just wanna add my 2 cents.

To xorrior: please make a POC to prove your claims, or I will take it as your claims being nonsense.
__________________
Win7 64bit Ultimate
Sandboxie | Applocker | Admuncher | Macrium Reflect | TrueCrypt |
FF Add On's | Greasemonkey | Secure Login | Noscript | Ant Video downloader | Status 4 evar
#116
July 16th, 2010, 05:37 AM
Hugger
Very Frequent Poster
Join Date: Oct 2007
Location: Hackensack, USA
Posts: 1,003
Re: TDL/TDSS trojan series bypassing isolation software

arran,
Thanks. I think Easter needs to hurry home.
Hugger
#117
July 17th, 2010, 10:31 AM
acuariano
Frequent Poster
Join Date: Nov 2005
Posts: 786
Re: TDL/TDSS trojan series bypassing isolation software

Did it pass Malware Defender 2.71?
#118
July 17th, 2010, 10:53 AM
tlu
Very Frequent Poster
Join Date: Sep 2004
Posts: 2,065
Re: a TDL rootkit passed through time freeze

Quote:
Originally Posted by Rmus
Quote:
Originally Posted by taleblou
I got infected with a TDL rootkit that passed through Time Freeze and deeply infected my Windows XP SP2 PC.
Can you explain how the infection occurred? Drive-by download? P2P, etc.?

Thanks,

-rich

@taleblou: You haven't answered Rmus' question (unless I overlooked it). It would be interesting to know.
#119
July 17th, 2010, 02:16 PM
taleblou
Frequent Poster
Join Date: Jan 2010
Posts: 301
Re: TDL/TDSS trojan series bypassing isolation software

Hi:

Sorry I was away. Well, it all happened when I visited and tested a TDSS link from malwaredomainlist on one of my PCs with Time Freeze active. After testing about 5 links with trojans and TDSS rootkits, I later rebooted and all malware was gone by Time Freeze, but to be sure I scanned it with several programs like Malwarebytes, SuperAntiSpyware, a-squared, CIS, and all showed clean. When I tried Hitman Pro it showed a TDSS infection in a driver and a temp folder, and GMER also showed active TDSS. That's when I found that Time Freeze failed protection. Hope this answers your questions.

P.S. Also, except for an old desktop that I cannot install Linux on because of no graphics card support (only Windows XP SP2 works on that PC), my other PCs and laptops all have Linux Mint 9 installed. Still, though, I am a bit uneasy about that particular Win XP desktop as far as security goes. Right now I am using CIS plus MBRGuard, disabled autorun, and the new Epic web browser that has antimalware protection, plus a couple of tweaks on that PC, and I browse only safe sites on it sometimes. I use my Linux Mint desktop most of the time.
#120
July 17th, 2010, 06:37 PM
Greg S
Very Frequent Poster
Join Date: Mar 2009
Location: A l a b a m a
Posts: 1,039
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by taleblou
Hi:

Sorry I was away. Well, it all happened when I visited and tested a TDSS link from malwaredomainlist on one of my PCs with Time Freeze active. After testing about 5 links with trojans and TDSS rootkits, I later rebooted and all malware was gone by Time Freeze, but to be sure I scanned it with several programs like Malwarebytes, SuperAntiSpyware, a-squared, CIS, and all showed clean. When I tried Hitman Pro it showed a TDSS infection in a driver and a temp folder, and GMER also showed active TDSS. That's when I found that Time Freeze failed protection. Hope this answers your questions.
If Time Freeze is like Eaz-Fix, CTM etc., Hitman would show the infected files over and over again, as well as suspect files it has scanned in the past that may no longer be on your HD, especially if Hitman is scanning in Direct Disk Access. If scanning is done with Compatible Disk Access it will not show previous suspect files on the HD. Having said that, it's very possible that you were no longer infected but Hitman was still detecting it even though it no longer existed.
#121
July 17th, 2010, 06:48 PM
erikloman
Developer
Join Date: Jun 2009
Location: Hengelo, The Netherlands
Posts: 1,128
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by Greg S
If Time Freeze is like Eaz-Fix, CTM etc., Hitman would show the infected files over and over again, as well as suspect files it has scanned in the past that may no longer be on your HD, especially if Hitman is scanning in Direct Disk Access. If scanning is done with Compatible Disk Access it will not show previous suspect files on the HD. Having said that, it's very possible that you were no longer infected but Hitman was still detecting it even though it no longer existed.
If Hitman shows the 'golden TDL3 sticky' on top of the results then the machine is actually infected (the sticky is the result of a memory analysis).

You are right, though, that tools like Eaz-Fix don't work correctly with Hitman Pro in Direct Access Mode, as tools like Eaz-Fix serve a different MFT to Windows than actually exists on the physical disk. In Direct Access Mode, Hitman Pro scans the MFT from the physical disk and does not get the file system structure from Windows.
__________________
HitmanPro 3.7.5 Build 196 BETA with Kickstart 2.2 | Info | Blog | Shop | Download | Support
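The two scan modes erikloman describes come down to a cross-view check: one listing comes from the Windows file system API, the other is parsed straight out of the MFT on the physical disk, and anything allocated in the raw MFT that the API never reported is suspect. The block below is an added example of that comparison, not Hitman Pro's code or anything from the thread. It parses the resident $FILE_NAME attribute of minimal NTFS MFT records (including the per-sector update-sequence fixups a real parser must undo), and the MFT "image" it scans is constructed in memory by `build_record`, a hypothetical helper written for this example rather than a real disk dump.

```python
"""Cross-view rootkit check: read file names straight out of NTFS MFT
records and diff them against the list the OS reports. Added example;
the MFT records are constructed in-memory test data, not a disk image."""
import struct

RECORD_SIZE = 1024          # standard MFT record size
SECTOR_SIZE = 512
ATTR_FILE_NAME = 0x30       # $FILE_NAME attribute type
ATTR_END = 0xFFFFFFFF       # end-of-attribute-list marker
FLAG_IN_USE = 0x01          # record header flag: entry is allocated


def apply_fixups(record):
    """Undo NTFS update-sequence protection. On disk the last two bytes of
    every sector hold the update sequence number (USN); the original bytes
    are stored in the update sequence array (USA) in the record header.
    A sector tail that does not match the USN means a torn or corrupt record."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt MFT record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def file_names_from_record(record):
    """Names held in the resident $FILE_NAME attributes of one in-use record
    (a file often carries both a long name and a DOS 8.3 name)."""
    if record[:4] != b"FILE":
        return []
    record = apply_fixups(record)
    flags = struct.unpack_from("<H", record, 0x16)[0]
    if not flags & FLAG_IN_USE:
        return []                      # deleted entry: not part of the live view
    off = struct.unpack_from("<H", record, 0x14)[0]   # first attribute offset
    names = []
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident = record[off + 8]
        if atype == ATTR_FILE_NAME and non_resident == 0:
            vlen, voff = struct.unpack_from("<IH", record, off + 0x10)
            value = record[off + voff:off + voff + vlen]
            name_chars = value[0x40]   # name length in UTF-16 code units
            names.append(value[0x42:0x42 + 2 * name_chars].decode("utf-16-le"))
        off += alen
    return names


def mft_view(mft_image):
    """Every name the raw MFT says is allocated."""
    seen = set()
    for pos in range(0, len(mft_image), RECORD_SIZE):
        seen.update(file_names_from_record(mft_image[pos:pos + RECORD_SIZE]))
    return seen


def cross_view_diff(api_view, mft_image):
    """Names present in the raw MFT but absent from the OS-reported listing."""
    return sorted(mft_view(mft_image) - set(api_view))


def build_record(name, in_use=True):
    """Hypothetical helper producing constructed test data: a minimal MFT
    record with one resident $FILE_NAME attribute, fixups applied as on disk."""
    encoded = name.encode("utf-16-le")
    value = b"\x00" * 0x40 + bytes([len(name), 1]) + encoded   # refs/times/sizes zeroed
    padded = value + b"\x00" * (-len(value) % 8)
    attr = struct.pack("<IIBBHHH", ATTR_FILE_NAME, 0x18 + len(padded), 0, 0, 0x18, 0, 0)
    attr += struct.pack("<IHBB", len(value), 0x18, 0, 0) + padded
    header = bytearray(0x38)
    header[0:4] = b"FILE"
    struct.pack_into("<HH", header, 4, 0x30, 3)        # USA at 0x30: USN + 2 sector tails
    struct.pack_into("<H", header, 0x14, 0x38)         # first attribute offset
    struct.pack_into("<H", header, 0x16, FLAG_IN_USE if in_use else 0)
    body = bytes(header) + attr + struct.pack("<II", ATTR_END, 0)
    rec = bytearray(body.ljust(RECORD_SIZE, b"\x00"))
    struct.pack_into("<I", rec, 0x18, len(body))       # bytes in use
    usn = b"\x01\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):                                   # protect each sector tail
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


# Constructed scenario: the OS enumerates three files; the raw MFT also holds
# an allocated entry the OS never reported, plus one deleted entry.
MFT_IMAGE = b"".join(build_record(n) for n in
                     ("ntoskrnl.exe", "svchost.exe", "atapi.sys", "hidden.tmp"))
MFT_IMAGE += build_record("stale.old", in_use=False)
API_VIEW = ["ntoskrnl.exe", "svchost.exe", "atapi.sys"]

if __name__ == "__main__":
    print("names only the raw MFT knows about:", cross_view_diff(API_VIEW, MFT_IMAGE))
```

The diff reports `hidden.tmp`, while the deleted `stale.old` record is ignored because its in-use flag is clear. The caveat both posters are circling is visible in the design: a snapshot or instant-restore tool that presents Windows with a different MFT than the one on the platters produces exactly the same discrepancy as a file-hiding rootkit, so a raw-disk difference on its own is a lead, not a verdict, which is why the memory-analysis result erikloman mentions carries more weight. A real scanner also has to open the volume with raw access, follow non-resident and $ATTRIBUTE_LIST attributes, and use the namespace byte at offset 0x41 of the value to tell DOS names from Win32 names; none of that is needed for the constructed records here.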
#122
July 17th, 2010, 08:28 PM
taleblou
Frequent Poster
Join Date: Jan 2010
Posts: 301
Re: TDL/TDSS trojan series bypassing isolation software

Hi:

No, this was just a reply to how I got infected originally. Since then I had formatted and had Win 7 Home installed and tried Sandboxie for protection, and bam, the installation of the latest Sandboxie gave my PC a BSOD and would not allow me to go beyond the Windows logo, not even to safe mode. Sandboxie crashed and killed my PC and forced me to use Linux Mint 9, which I am using now on that PC. Heck, Sandboxie was even more dangerous than a TDSS. lol. Anyway, right now only one very old PC has Win XP SP2 and the rest of the PCs are all Linux Mint.

Anyway, I have no more TDSS problems now. By the way, if it was not for the old graphics card in my old PC, which cannot be upgraded, I would have used Linux on that machine too. Heck, the only OS that can be installed on that machine is up to Win XP. lol. ProSavage DDR graphics cards are ***** old, no-good cards with no updated driver for anything beyond Win XP.
#123
July 17th, 2010, 09:56 PM
Greg S
Very Frequent Poster
Join Date: Mar 2009
Location: A l a b a m a
Posts: 1,039
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by erikloman
If Hitman shows the 'golden TDL3 sticky' on top of the results then the machine is actually infected (the sticky is the result of a memory analysis).
I will keep this in mind. Seeing how I've thankfully never had this infection, I was unaware of the sticky. Thanks for the info.

How thorough is the Compatible Disk Access in comparison to Direct Disk Access or is one just a work around for those who have ISR type tools?
#124
July 17th, 2010, 10:09 PM
Franklin
Very Frequent Poster
Join Date: May 2005
Location: West Aussie
Posts: 2,517
Re: TDL/TDSS trojan series bypassing isolation software

Quote:
Originally Posted by taleblou
Since then I had formatted and had Win 7 Home installed and tried Sandboxie for protection, and bam, the installation of the latest Sandboxie gave my PC a BSOD and would not allow me to go beyond the Windows logo, not even to safe mode. Sandboxie crashed and killed my PC and forced me to use Linux Mint 9, which I am using now on that PC. Heck, Sandboxie was even more dangerous than a TDSS. lol.
Get outta here!

Sandboxie forced you to use a linux system, oh yeh, ok then.
#125
July 17th, 2010, 10:32 PM
Searching_ _ _
Very Frequent Poster
Join Date: Jan 2008
Location: iAnywhere
Posts: 1,988
Re: TDL/TDSS trojan series bypassing isolation software

Sounds like TDSS/TDL was still active on taleblou's system when it crashed after installing Sandboxie.
__________________
Americans are the enemy? Mil. can arrest you?
What the heck is going on?
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums