New sandbox/virtualization bypass under ring3

Discussion in 'sandboxing & virtualization' started by R8y, Dec 22, 2007.

Thread Status:
Not open for further replies.
  1. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Can anyone translate exactly what that screen says? I've tried running it but it appears to do nothing.
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If it overwrites the first 4 KB of data, why isn't it considered destructive malware rather than stealth malware? I don't see the logic of this.

    It's almost predictable that FDISR will fail, Killdisk and the DEL-command destroyed FDISR already. That was not a valid reason for me to ditch FDISR.
    What I can do with FDISR, can not be done with Returnil, PowerShadow, ...
    I'm not going to sacrifice this, just because of a few destructive malware, that never destroyed my system partition since 1948 in the first place.
    I restored my images so many times over a zeroed harddisk successfully, that I'm not worried. I'm prepared.

    If this new malware destroys my hardware components, then I'm really scared.
     
    Last edited: Dec 22, 2007
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    LOL. If it is an object on my HDD, it will be removed during reboot, before it does anything. :D

    It strikes me, that this type of malware is always discussed in a misty way, like a ghost.
    Where does it come from ? Nobody knows.
    How does it get on your computer ? Nobody knows.
    What does it do ? Nobody knows, but many scary and sensational suppositions.
    How do you get rid of it ? Nobody knows.
    Let's not scare each other. That's the job of the bad guys.

    Symantec has at least an encyclopedia of many malware with a decent description.
     
    Last edited: Dec 22, 2007
  4. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Let's each speak for ourselves, ErikAlbert. You're free to advertise your ignorance all you want, but that doesn't necessarily stand true for your fellow forum members.
     
  5. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Wrong. "Robodog" the password-stealing trojan forever shattered the myth of ISR software when it surfaced this September in China, successfully bypassing FD-ISR, DeepFreeze and many hardware ISR solutions with a ring0 kernel driver. (ThreatFire stopped it dead cold, btw. :D) This POC test in this thread isn't the first, and I doubt it'll be the last.
     
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Any malware can install itself in a snapshot of FDISR.
    FDISR or any other ISR software isn't security software. Security software has to stop this malware, like ThreatFire.
    Some users consider ISR software as security software, which is wrong because ISR software is recovery software and that has nothing to do with security.
    PowerShadow was discussed in the wrong Anti-Malware forum; PowerShadow is not anti-malware software, it's recovery software and nothing more than that.
    If you want to stop malware, use real security software, not ISR software.

    The only difference that might be important is that some ISR software uses a virtual environment, while other ISR software uses a real environment. The ones with a virtual environment should have a better recovery result.
    That's why FDISR is sometimes weaker, because it works with a real environment, and if it fails, no problem, ShadowProtect will fix it. I didn't buy FDISR for security, but for many OTHER reasons, and FDISR is the best, compared with other ISR software.
    So forget about ISR software as security, and image backup is also recovery, not security.
     
    Last edited: Dec 23, 2007
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Anyone tested it against GW, DW and other HIPS like EQS, SSM, PS etc?
     
  8. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Nope, doesn't change the fact that FD-ISR, DeepFreeze etc fails to do what it claims to be able to do when faced against this trojan.

    So much for your claims of "my boot-to-restore will fix if not destructive".
     
  9. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    So what does it do? How would anyone know if it was on a machine? How could it be removed, or destroyed?
     
  10. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
    I know a little on how some malware works but pretty much nothing about the low level stuff we're talking about here.

    That said, I do have a question. It's been mentioned here that existing approaches are not having much luck stopping this test. Don't you still execute something at a higher level (inside regular Windows, for example) to start the process? If so, it would seem it would be possible to prevent it somehow once its means of delivery has been analyzed?

    While not related, rootkits seem to be on a similar order, in that they require something launched in regular Windows to begin the dirty work process...
     
  11. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,784
    Curious about those myself as well as AE.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Folks, just a heads up.

    This is indeed an interesting subject, and no one is more interested in test aspects than I am, but there is a big big BUT...

    Please no posting of links, discussions of obtaining samples, or referencing PM's about the same. This is a TOS violation, of the most serious nature, as there are serious legal implications in exchanging malware. Note also that PM's although private, they still do come under TOS.

    If you have any questions about this, again feel free to PM us. If questions are posted, they will be removed.

    Thanks for understanding and cooperating.

    Pete
     
  13. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    This POC overwrites the first 4 KB of your hard drive. I'm not particularly familiar with FD-ISR, but from what I've read: FD-ISR apparently stores its presence in the first 4 KB of your hard drive, and overwriting that will kick FD-ISR from the HD boot sector, as well as render your computer unbootable.

    This is a POC. It's destructive, but only a POC test nonetheless, not malware. Consider this as a HIPS leaktest that will conveniently trash your HD if your HIPS fails. Assuming you don't know how to reconstruct your boot sector using special utilities, the only recovery method is a reformat.

    Any HIPS or sandbox that blocks low-level physical disk access should defeat this POC. However, there have been reports that EQSecure 3.41 fails this test due to a logic bug in the program. Running this POC under a Limited User Account (it's more useful than you think, folks) renders it sterile as well.

    This is a POC test; it clearly states the consequences of executing it, albeit in Chinese. It's about as harmful as format.com and fdisk.exe. Does it really have to fall under the classification of malware?
     
  14. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Thanks - so at the moment it is not really a problem? If I understand correctly (I don't use FD-ISR, by the way) I would be unable to boot - so I would use my Acronis CD and restore an image, or if that failed I would format C: and then use Acronis?

    I assume that programs like DeepFreeze and Returnil will now counter and that next week someone else will come up with an equally irritating problem ?
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    FDISR will certainly fail, but we have known this for quite some time, that some "malware" are able to corrupt FDISR, like Killdisk, the DEL command, ...
    Two possibilities:
    A. One of my security programs will stop it, and I never count on that; if not, plan B.
    B. Zero my HDD and restore a clean image.
    I will always use plan B in such cases; that's a standard procedure for all such malware.
    I'm not going to ditch FDISR for that, and when is this going to happen?
    This is certainly not stealth malware, if I can't boot anymore. :D
     
    Last edited: Dec 23, 2007
  16. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Ok, fellows, dumb question ... what does POC stand for? Thanks.

    Acadia
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Since the official language of this forum is English, and given the consequences of the test, I would have to say yes. Just to be safe, what I would do if you want to post relative to this type of test is PM Lowwatermark and get his read on it first. Then abide by his answer.

    Pete
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I was wrong. This PoC is certainly of destructive nature, but changing it to stealth is relatively easy. It could easily preserve the boot structures while executing itself like old MBR viruses.
    You're right. FD-ISR places itself in the Partition Boot Record to give you the option of choosing which snapshot you want to boot into.
    Hardware ISR solutions. What's that?
     
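The check solcroft and lucas1985 describe above, as an added example that is not part of this thread or of any product named in it: a small Python script that compares the first 4 KB of a disk (eight 512-byte sectors) with a baseline taken while the machine was known good, and tells apart the two outcomes discussed here: the POC's overwrite of that region, which leaves no valid partition table and an unbootable machine, and the old MBR-virus style rewrite that keeps the partition table and the 0x55AA signature intact while replacing only the boot code. Every disk image in it is a constructed byte string; nothing touches a real drive. Obtaining the real bytes is a separate step done with your own tools: for instance `dd if=/dev/sda bs=512 count=8 of=first4k.bin` from a Linux live CD, or opening `\\.\PhysicalDrive0` on Windows, which needs administrative rights, which is exactly why the POC is sterile under a limited user account.

```python
"""Added example: check the first 4 KB of a disk against a saved baseline.

All data below is constructed sample data; this script never opens a real
disk. Dump the first eight sectors yourself (dd from a live CD, or a read
handle on \\\\.\\PhysicalDrive0 on Windows, which requires admin rights) and
hand the bytes to classify().
"""
import hashlib
import struct

SECTOR = 512
FIRST_4K = 8 * SECTOR          # the region the POC in this thread overwrites
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510-511 of sector 0


def build_mbr(boot_code: bytes, partitions, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a classic MBR sector from boot code and (status, type, lba, count) tuples.

    Only used to construct sample images; CHS fields are left zero.
    """
    sec = bytearray(SECTOR)
    code = boot_code[:440]
    sec[: len(code)] = code
    struct.pack_into("<I", sec, 440, disk_sig)
    for i, (status, ptype, lba_start, count) in enumerate(partitions[:4]):
        off = 446 + 16 * i
        sec[off] = status
        sec[off + 4] = ptype
        struct.pack_into("<II", sec, off + 8, lba_start, count)
    sec[510:512] = MBR_SIGNATURE
    return bytes(sec)


def parse_mbr(sector: bytes) -> dict:
    """Pull out the fields a recovery check cares about from sector 0."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": partitions,
    }


def classify(current: bytes, baseline: bytes) -> str:
    """Compare the first 4 KB of a disk with a baseline taken when the system was known good."""
    if current[:FIRST_4K] == baseline[:FIRST_4K]:
        return "intact"
    cur, base = parse_mbr(current), parse_mbr(baseline)
    if not cur["signature_ok"] or cur["partitions"] != base["partitions"]:
        # No valid table left: the BIOS finds nothing to boot. This is what an
        # overwrite of the first 4 KB leaves behind.
        return "destructive"
    # Table and signature preserved, code or later sectors changed: the MBR-virus
    # style modification that does not announce itself with a failed boot.
    return "boot code modified"


# --- constructed sample images (not from any real machine) -----------------------
PARTS = [(0x80, 0x07, 2048, 1_000_000)]      # one bootable NTFS-type partition
BASELINE_4K = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64, PARTS) + bytes(7 * SECTOR)
ZEROED_4K = bytes(FIRST_4K)                                                   # after the POC
STEALTH_4K = build_mbr(b"\xeb\x3c\x90" + b"\xcc" * 120, PARTS) + BASELINE_4K[SECTOR:]


if __name__ == "__main__":
    for name, img in [("baseline", BASELINE_4K), ("zeroed", ZEROED_4K), ("stealth", STEALTH_4K)]:
        print(f"{name:9s} -> {classify(img, BASELINE_4K)}")
```

Take the baseline right after a clean install or image restore and keep it off the disk it describes (on the rescue CD, for instance), since a copy stored in the first 4 KB would be wiped along with the rest. A "destructive" verdict means restoring the saved sectors, or the whole image, from rescue media; a "boot code modified" verdict with the table still intact is the one to treat as suspicious rather than merely broken, because the machine will still boot.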
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Some legitimate software corrupts FDISR also.
    Baseline Shield of Horizon Datasys corrupted FDISR on my computer, not as serious as this malware, but I needed ShadowProtect to save my system partition.
    I consider this as normal and predictable. ISR-softwares are always on-line and confronted with all kinds of softwares, malware, etc. and this happened 4 times since March 2006.
     
  21. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Apparently it's something very prevalent in China; a system snapshot backed up to a device attached to the BIOS, independent of the hard drive. I was confused as well when people first mentioned it to me. The majority of netcafes in China seem to rely on this measure to protect their computers, and the robodog caused absolute havoc when it first surfaced.
     
  22. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Please decode some of the alphabet soup.

    ISR?
    FDISR?

    Would this thing do any damage if executed from a limited user account? I suspect not.
     
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    ;)
    Very interesting, thanks :)
    No wonder the malware authors are working hard on stealth malware to bypass this. So, the only secure way of using PCs in Chinese netcafes is having a LiveCD with VPN support.
     
  24. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Well I guess I'll never get to test this beast out against Returnil latest version which protects against low level sector fills...........a hunting I will go.......:cool:
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Did some testing also.

    Both OA and SSM give alerts, but nothing that would give a reason to be concerned. Software passes, user fails. So the traditional HIPS would be considered a failure.

    In all the following cases, ran the program, saw nothing, and rebooted.

    ShadowDefender latest version.....Failed
    Returnil latest beta..............Failed
    Defense Wall version 10 beta......Failed
    Sandboxie latest version..........Passed

    Also should note, that even with the failures, VMware's Virtual Machine snapshot technology, rolled back the effects of the failures flawlessly.

    Pete
     