TDL/TDSS trojan series bypassing isolation software

Discussion in 'sandboxing & virtualization' started by taleblou, Jun 29, 2010.

Thread Status:
Not open for further replies.
  1. taleblou

    a TDL rootkit passed through time freeze

    Hi:
    I am disappointed with Time Freeze. I got it in the free giveaway and it failed to protect the PC I used it on from malware (even though I used the optimum setting). I had to format to be sure all was clean and went back to Shadow Defender on that PC. In my opinion Time Freeze is not worth it. I got infected with a TDL rootkit that passed through Time Freeze and deeply infected my Windows XP SP2 PC.

    P.S. I also got infected with the malware on my test PC with Time Freeze on, using malware from malwaredomainlist. It seems only rootkits made it through??
  2. Leach

    Re: Wondershare Time Freeze - Giveaway

    taleblou,

    Thanks for the warning, although I have made a massive amount of tests since I installed it, including the malwarebytes domains. Possibly I haven't got the malware which could pass through WTF, but any program can be bypassed sooner or later; Shadow Defender is not an exception, have a look at the Deep Freeze thread. I would still use Shadow Defender, but at the time I tested DefenseWall it had a conflict with SD - sporadic slowdowns on startup. WTF can make drives read-only, a possibility which I find very useful and haven't seen for free. It suits me quite well - I use a clone of a real system more often than a fresh and clean VM installation. Besides, it won't slow down the system at all, which happens when you use a VM or sandbox. Haven't seen any signs of vulnerabilities, but I'll have a closer look into it.
    Last edited: Jun 29, 2010
  3. taleblou

    Re: Wondershare Time Freeze - Giveaway

    Hi:

    Yeah, I was shocked too. From all the positive reading I had done and demos I had seen, I thought Time Freeze was bulletproof and even had a boot protection feature, but I was surprised when I got infected, and I only noticed it when I ran Hitman Pro 305 and it was the only one of the 5 antimalware programs I used to scan that detected the TDL rootkit. By the way, before installing Time Freeze I had scanned the PC with all 5 anti-malwares, including Hitman Pro, and all was clean. Therefore the infection happened while Time Freeze was protecting.

    If you want to test Time Freeze I suggest trying the malwaredomainlist links, especially the TDL rootkits, and seeing for yourself.

    By the way, the 5 anti-malwares I use for scanning are: a-squared Free, Malwarebytes, SUPERAntiSpyware, Hitman Pro, Comodo.

    P.S. I have e-mailed Wondershare about this and am waiting for their reply.
  4. Leach

    Re: Wondershare Time Freeze - Giveaway

    Hi taleblou,

    I did some research and got interesting results about the TDSS/TDL you mentioned. I got a bunch of critters of the TDSS series and tried them against Time Freeze v1.0.0.1 and then against Shadow Defender v1.1.0.325, both configured to reset the original state of the OS after reboot. XP SP3 x32 was used, installed on Virtual PC, with the latest updates applied. To check whether the system is infected or not I used a special utility, TDSSKiller by Kaspersky Lab. No antivirus was installed, only the shadowing systems and Delphi 7 with some libs.

    The procedure is rather simple:
    a) The system is checked with TDSSKiller and shadow mode is turned on.
    b) Samples are launched directly from the desktop one at a time, to avoid a rootkit's "self false positive detection" and thus refusing to install. Smart viruses check for their presence in a system before trying to infect it.
    c) After a short wait the system is rebooted and, after another short wait, checked with TDSSKiller again. The delay is needed to let the rootkit initialise / start normally after reboot, because some versions use a short delay after system restart before initialising, to avoid detection by anti-rootkit programs.

    I have tested it twice to be sure and the results are identical. The fact is that this sample of the TDSS trojan is detected by AV programs, at least by two of those I used - MBAM and SUPERAntiSpyware. You were right - WTF has been compromised, and so was I - Shadow Defender is not an exception. The second sample bypassed Time Freeze as well as Shadow Defender later. In both cases the OS was infected with a rootkit after the reboot, when the shadowing systems had supposedly cleaned the OS.
    Here are some screen shots:

    MBAM_state.jpg

    InitialState.jpg

    WTF_infected.jpg

    SD_infected.jpg

    Mods, sorry, I didn't expect such a mess. Can it be cured?
    Last edited by a moderator: Jun 30, 2010
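Leach's procedure above (scan, enable shadow mode, run the sample, reboot, rescan) tells you whether the rootkit survived the reboot, but not where on the disk it landed, and once both Time Freeze and Shadow Defender have been defeated the shadowing product's own view of the file system is no longer a trustworthy reference. The Python below is an added example, not code from this thread or from any of the products named in it: it hashes raw disk sectors before and after a test run and reports which sectors changed, which catches writes that go to the disk below a file-system-level filter. The 16-sector disk images it runs on are constructed here for the demo (the "boot code" and "payload" bytes are invented, not real malware), and the device paths in the comments are assumptions about where you would point it on a real machine. Take the after-snapshot from a clean boot medium (WinPE, a Linux live CD), because a resident kernel rootkit can filter reads of its own sectors and hand you clean-looking data.

```python
"""Sector-level snapshot differ: catch disk writes that a file-system-level
shadowing product never sees.  Added example; not code from the thread."""
import hashlib
import io
from typing import BinaryIO, Dict, List, Tuple

SECTOR_SIZE = 512


def sector_hashes(stream: BinaryIO, n_sectors: int,
                  sector_size: int = SECTOR_SIZE) -> Dict[int, str]:
    """Map sector index -> SHA-256 of that sector for the first n_sectors."""
    hashes: Dict[int, str] = {}
    stream.seek(0)
    for index in range(n_sectors):
        chunk = stream.read(sector_size)
        if len(chunk) < sector_size:
            break  # short read: end of image or device
        hashes[index] = hashlib.sha256(chunk).hexdigest()
    return hashes


def snapshot_device(path: str, n_sectors: int) -> Dict[int, str]:
    """Hash the first n_sectors of a raw device or image file.

    Assumed paths (not taken from the thread):
      Windows, as admin, ideally from WinPE:  r"\\.\PhysicalDrive0"
      Linux live CD:                          "/dev/sda"
    """
    with open(path, "rb", buffering=0) as dev:
        return sector_hashes(dev, n_sectors)


def changed_sectors(before: Dict[int, str], after: Dict[int, str]) -> List[int]:
    """Indices whose hash differs (or vanished) between two snapshots."""
    return sorted(i for i, h in before.items() if after.get(i) != h)


def has_mbr_signature(sector0: bytes) -> bool:
    """A classic MBR ends in 0x55AA.  A bootkit that replaces the boot code
    keeps the signature, so this check alone proves nothing; the hash
    comparison is what finds the change."""
    return len(sector0) >= SECTOR_SIZE and sector0[510:512] == b"\x55\xaa"


def build_demo_images() -> Tuple[bytes, bytes]:
    """Constructed 16-sector disk images for the demo (invented bytes).

    clean:    an MBR-shaped sector 0, filler "partition" data from sector 1.
    infected: same image, but sector 0's boot code is swapped (signature
              kept) and a payload is dropped into sector 5, imitating a
              rootkit that persists by writing sectors below the file system.
    """
    n_sectors = 16
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"   # typical MBR prologue bytes
    mbr[510:512] = b"\x55\xaa"
    clean = bytearray(bytes(mbr))
    for i in range(1, n_sectors):
        clean += bytes([i]) * SECTOR_SIZE            # filler sector content

    infected = bytearray(clean)
    infected[0:8] = b"\xeb\xfe" + b"\x90" * 6        # boot code replaced, 55AA kept
    infected[5 * SECTOR_SIZE:6 * SECTOR_SIZE] = b"X" * SECTOR_SIZE  # hidden payload
    return bytes(clean), bytes(infected)


def demo() -> List[int]:
    """Snapshot before and after the simulated infection; return changed sectors."""
    clean, infected = build_demo_images()
    before = sector_hashes(io.BytesIO(clean), 16)
    after = sector_hashes(io.BytesIO(infected), 16)
    return changed_sectors(before, after)


if __name__ == "__main__":
    print("changed sectors:", demo())  # [0, 5]
```

On a real test box you would call `snapshot_device` on the raw device before enabling the shadowing product, again after the reboot from the clean medium, and feed both results to `changed_sectors`; with a restore-on-reboot product doing its job the list should be empty apart from sectors the OS legitimately rewrites (page file, logs), which you can filter against the partition layout.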
  5. taleblou

    Re: Wondershare Time Freeze - Giveaway

    Hi;
    Thanks for the test. I appreciate it. Also, can you test Comodo Time Machine and Returnil against these TDSS/TDL rootkits and please let me know whether they pass the test or not? Please tell me, since if any of them passes the test I will use that software for protection. Thanks in advance.

    Looking forward to your test results on Comodo Time Machine and Returnil.
  6. Meriadoc

    Re: Wondershare Time Freeze - Giveaway

    Hi Leach, what version of Shadow Defender were you using, and what is the MD5 or SHA-1 hash of the TDL/TDSS sample (dogma.exe) you were using? Thanks.

    Latest
    MD5: 55A16DB3018A69A7D27F0DEAF632273F
    SHA-1: 1B1B5AF63CB048FCF47BDCE96CCFEA1301034137
    Last edited: Jun 30, 2010
  7. CloneRanger

    Well, I tried to get a new thread going, the MBR bypass thread http://www.wilderssecurity.com/showthread.php?t=276136, as I felt it would be useful in many ways.

    As you can see it's been locked rather early on :p But the reasons for that, and why this one has been started in its place, have been explained to me, and I understand and agree ;)

    So we're good to go :thumb:
  8. Serapis

    How does CleanSlate 6.5 fare against these rootkits? :doubt:
  9. Kid Shamrock

    Last edited by a moderator: Jun 30, 2010
  10. acuariano

    Did it pass Sandboxie?... since it did SD and TF.
  11. Rmus

    Re: a TDL rootkit passed through time freeze

    Can you explain how the infection occurred? Drive-by download? P2P? etc.

    Thanks,

    -rich
  12. nick s

    I've tested hundreds of TDL/TDSS samples using Sandboxie and none have touched the real system.
  13. Buster_BSA

    Sandboxie doesn't allow installing drivers; that's why Sandboxie cannot be bypassed that way.

    Leach: You got a PM.
  14. nick s

    Indeed. Permitting driver install is a recipe for disaster.
  15. Franklin

    The dogma.exes seem to be VM-aware?

    Tested BufferZone, Sandboxie and DefenseWall 3.03 against SafeSys.exe.

    All three seemed to contain it, or it cannot run fully, and delete all dregs; or at least that's what the TDSSKiller and Malwarebytes scans are showing.
  16. acuariano

    Great, thanks.
  17. AvinashR

  18. Meriadoc

    @Franklin I had to reboot the VM (VMware 7.0.1) to get it to work, so I could not test Shadow Defender in VMware.

    dogma.exe MD5: 55A16DB3018A69A7D27F0DEAF632273F

    Retrieved config.ini from the TDL3 rootkit.
  19. Franklin

    Thanks Meriadoc, will give it a go. :)
  20. nick s

    Whatever demonstrated Sandboxie bypasses existed last year have been addressed. None of those bypasses had the ability to successfully install a driver on the real system.
  21. Kid Shamrock

    Thanks for the testing Franklin.
  22. AvinashR

    Read it again... I am not talking about Sandboxie, I am talking about the Avast sandbox... :D
  23. nick s

    I know, but others were. I was just clarifying the situation regarding Sandboxie.
  24. acuariano

  25. Leach

    Re: Wondershare Time Freeze - Giveaway

    MD5: 55a16db3018a69a7d27f0deaf632273f *dogma.exe

    Good that you found the sample - I was just going to ask for help.

    Shadow Defender with full DEP enabled has been tested by request - no changes except the targeted .DLL; the system remains infected.
