TDL/TDSS trojan series bypassing isolation software

Discussion in 'sandboxing & virtualization' started by taleblou, Jun 29, 2010.

Thread Status:
Not open for further replies.
  1. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    973
    a TDL rootkit passed through time freeze

    Hi:
    I am disappointed at Time Freeze. I got it in the free giveaway and it failed to protect the PC I used it on from malware (even though I used the optimum setting). I had to format to be sure all was clean and went back to Shadow Defender on that PC. In my opinion Time Freeze is not worth it. I got infected with a TDL rootkit that passed through Time Freeze and deeply infected my Windows XP SP2 PC.

    P.S. I also got infected with the malware on my test PC with Time Freeze on, using malware from malwaredomainlist. It seems only rootkits made it through??
     
  2. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Re: Wondershare Time Freeze - Giveaway

    taleblou,

    Thanks for the warnings, although I made a massive amount of tests since I installed it, including malwarebytes domains. Possibly I haven't got the malware which could pass through WTF, but any program can be bypassed sooner or later; Shadow Defender is not an exception, have a look at the Deep Freeze thread. I would still use Shadow Defender, but at the time I tested DefenseWall it had a conflict with SD - sporadic slowdowns on startup. WTF can make drives read-only, a possibility which I find very useful and haven't seen for free. It suits me quite well - I use a clone of a real system more often than a fresh and clean VM installation. Besides, it won't slow down the system at all, which happens when you use a VM or sandbox. Haven't seen any signs of vulnerabilities, but I'll have a closer look into it.
     
    Last edited: Jun 29, 2010
  3. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    973
    Re: Wondershare Time Freeze - Giveaway

    Hi:

    Yeah, I was shocked too. From all the positive reading I had done and demos I had seen I thought Time Freeze was bulletproof and even had a boot protection feature, but I was surprised when I got infected, and I only noticed it when I ran Hitman Pro 3.05; it was the only one out of the 5 anti-malware programs I used to scan that detected the TDL rootkit. By the way, before installing Time Freeze I had scanned the PC with all 5 anti-malware programs, incl. Hitman Pro, and all was clean. Therefore the infection happened after Time Freeze was protecting.

    If you want to test Time Freeze I suggest trying malwaredomainlist links, especially the TDL rootkits, and see for yourself.

    By the way, the 5 anti-malware programs I use for scanning are: a-squared Free, Malwarebytes, SUPERAntiSpyware, Hitman Pro, Comodo.

    P.S. I have e-mailed wondershare about this and waiting for their reply.
     
  4. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Re: Wondershare Time Freeze - Giveaway

    Hi taleblou,

    Made some research and got interesting results about the TDSS/TDL you mentioned. I got a bunch of critters of the TDSS series and tried them against Time Freeze v1.0.0.1 and then against Shadow Defender v1.1.0.325, both configured to reset the original state of the OS after reboot. XP SP3 x32 was used, installed on VirtualPC with the latest updates applied. To check whether the system is infected or not I used a special utility, TDSSKiller by Kaspersky Lab. No antivirus was installed, only the shadowing systems and Delphi 7 with some libs.

    The procedure is rather simple:
    a) The system is checked with TDSSKiller and shadow mode is turned on.
    b) Samples are launched directly from the desktop one at a time to avoid "self false positive detection" by a rootkit and thus its refusing to install. Smart viruses check for their presence in a system before trying to infect it.
    c) After a short downtime the system is rebooted and, after another short downtime, checked with TDSSKiller again. A delay is needed to let the rootkit initialize / start normally after reboot, because some versions use a short delay after system restart before initialising to avoid detection by anti-rootkit programs.

    I have tested it twice to be sure and the results are identical. The fact is this sample of the TDSS trojan is detected by AV programs, at least by the two I used - MBAM and SUPERAntiSpyware. You were right - WTF has been compromised, and so was I - Shadow Defender is not an exception. The second sample bypassed Time Freeze as well as Shadow Defender later. In both cases the OS has been infected with a rootkit after reboot, after the shadowing systems had supposedly cleaned the OS.
    Here are some screen shots:

    MBAM_state.jpg

    InitialState.jpg

    WTF_infected.jpg

    SD_infected.jpg

    Mods, Sorry, I didn't expect such a mess. Can it be cured?
     
    Last edited by a moderator: Jun 30, 2010
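    The procedure in the post above (baseline, run sample, reboot, re-check) can be made repeatable with a small before/after comparison. The script below is an added example and is not code from this thread, from TDSSKiller or from any of the products discussed. It hashes regions a disk-level rootkit can write to underneath a volume-level shadowing filter (the MBR and the last sectors of the physical disk, which lie outside any partition) together with selected driver files, stores the baseline, and after the reboot reports what still differs. Sector size, the number of tail sectors watched, the `atapi.sys` driver name and the in-memory "disk" used for the demonstration are all assumptions made for the example; on a real XP box you would open `\\.\PhysicalDrive0` as administrator and take the sector count from `wmic diskdrive get TotalSectors`, and the baseline file must live outside the shadowed volume or the rollback itself will erase it.

```python
"""Added example: reboot-persistence check for snapshot/rollback tools.

Records hashes of disk regions and driver files before a sample runs,
then compares them after the reboot that was supposed to roll everything
back.  A change that survives in the raw-disk regions is exactly what a
volume-level shadowing filter cannot see or revert.
"""
import hashlib
import io
import json

SECTOR_SIZE = 512   # assumption: classic 512-byte sectors (XP-era disks)
TAIL_SECTORS = 64   # assumption: how many trailing sectors to watch


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_sectors(disk, start: int, count: int) -> bytes:
    """Read `count` sectors starting at LBA `start` from a seekable file object.

    For a real run: disk = open(r"\\\\.\\PhysicalDrive0", "rb", buffering=0)
    (administrator required; reads must stay sector-aligned, which this is).
    """
    disk.seek(start * SECTOR_SIZE)
    data = disk.read(count * SECTOR_SIZE)
    if len(data) != count * SECTOR_SIZE:
        raise IOError(f"short read at LBA {start}: got {len(data)} bytes")
    return data


def disk_region_hashes(disk, total_sectors: int) -> dict:
    """Hash the MBR (LBA 0) and the unpartitioned tail of the disk."""
    tail_start = total_sectors - TAIL_SECTORS
    return {
        "disk:mbr": sha256_hex(read_sectors(disk, 0, 1)),
        "disk:tail": sha256_hex(read_sectors(disk, tail_start, TAIL_SECTORS)),
    }


def blob_hashes(named_blobs: dict) -> dict:
    """Hash already-loaded file contents, keyed by name."""
    return {f"file:{name}": sha256_hex(data) for name, data in named_blobs.items()}


def file_hashes(paths) -> dict:
    """Real-run variant of blob_hashes: read and hash files on disk, e.g. atapi.sys."""
    blobs = {}
    for path in paths:
        with open(path, "rb") as fh:
            blobs[path] = fh.read()
    return blob_hashes(blobs)


def snapshot(disk, total_sectors: int, named_blobs: dict) -> dict:
    state = disk_region_hashes(disk, total_sectors)
    state.update(blob_hashes(named_blobs))
    return state


def save_snapshot(path: str, state: dict) -> None:
    """Persist the baseline; keep this file OFF the shadowed volume."""
    with open(path, "w") as fh:
        json.dump(state, fh, indent=2)


def load_snapshot(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def changed_items(before: dict, after: dict) -> list:
    """Keys whose hash differs between two snapshots (missing counts as changed)."""
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def verdict(changes: list) -> str:
    if not changes:
        return "clean: rollback restored every watched region"
    if any(k.startswith("disk:") for k in changes):
        return "INFECTED: raw-disk change survived the rollback -> " + ", ".join(changes)
    return "changed: " + ", ".join(changes)


# ---- constructed scenario: no real disk or driver file is touched ----

def make_fake_disk(total_sectors: int) -> io.BytesIO:
    """Stand-in for a physical drive: zeroed sectors plus a dummy MBR signature."""
    buf = bytearray(total_sectors * SECTOR_SIZE)
    buf[510:512] = b"\x55\xaa"
    return io.BytesIO(buf)


def simulate_tail_write(disk: io.BytesIO, total_sectors: int, payload: bytes) -> None:
    """Mimic a rootkit storing data in the last sectors, below the volume filter."""
    disk.seek((total_sectors - 2) * SECTOR_SIZE)
    disk.write(payload)


def run_scenario(total_sectors: int = 2048) -> tuple:
    drivers = {"atapi.sys": b"CLEAN-DRIVER-IMAGE"}      # constructed driver image
    disk = make_fake_disk(total_sectors)
    before = snapshot(disk, total_sectors, drivers)      # step a) baseline
    simulate_tail_write(disk, total_sectors, b"HIDDEN-FS")   # step b) sample runs
    after = snapshot(disk, total_sectors, drivers)       # step c) after "reboot"
    changes = changed_items(before, after)
    return changes, verdict(changes)


if __name__ == "__main__":
    changes, message = run_scenario()
    print(message)
```

    On a real run the script is executed once before enabling shadow mode (saving the baseline with `save_snapshot` to a location the rollback does not cover) and once after the post-reboot delay; anything reported under `disk:` is a write that the snapshot product never intercepted, which is the failure mode the tests in this thread observed.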
  5. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    973
    Re: Wondershare Time Freeze - Giveaway

    Hi;
    Thanks for the test. I appreciate it. Also, can you test Comodo Time Machine and Returnil against these TDSS/TDL rootkits and please let me know if they pass the test or not? Please tell me, so if any of them passes the test then I will use that software for protection. Thanks in advance.

    Looking forward to your test results on Comodo Time Machine and Returnil.
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Re: Wondershare Time Freeze - Giveaway

    Hi Leach, what version of ShadowDefender were you using and what is the md5 or sha1 hash of the tdl/tdss (dogma.exe) you were using, thanks.

    latest
    md5 : 55A16DB3018A69A7D27F0DEAF632273F
    sha-1 : 1B1B5AF63CB048FCF47BDCE96CCFEA1301034137
     
    Last edited: Jun 30, 2010
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,690
    Well, I tried to get a new thread going, the MBR bypass thread http://www.wilderssecurity.com/showthread.php?t=276136, as I felt it would be useful in many ways.

    As you can see it's been locked rather early on :p But the reasons for that, and why this one has been started in its place, have been explained to me, and I understand and agree ;)

    So we're good to go :thumb:
     
  8. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    How does Cleanslate 6.5 fare against these rootkits?:doubt:
     
  9. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    171
    Last edited by a moderator: Jun 30, 2010
  10. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    Did it pass Sandboxie? ...since it did SD and TF.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,855
    Location:
    California
    Re: a TDL rootkit passed through time freeze

    Can you explain how the infection occurred? Drive-by download? P2P?, etc.

    Thanks,

    -rich
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I've tested hundreds of TDL/TDSS samples using Sandboxie and none have touched the real system.
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Sandboxie doesn't allow installing drivers, that's why Sandboxie cannot be bypassed that way.

    Leach: You got a PM.
     
  14. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Indeed. Permitting driver install is a recipe for disaster.
     
  15. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    The dogma.exes seem to be VM aware?

    Tested Bufferzone, Sandboxie and Defensewall 3.03 against SafeSys.exe.

    All three seemed to contain it (or it could not run fully) and deleted all dregs, or at least that's what the TDSSKiller and Malwarebytes scans are showing.
     
  16. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    great,thanks
     
  17. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
  18. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    @Franklin I had to reboot the VM (VMware 7.0.1) to get it to work, so I could not test ShadowDefender in VMware.

    dogma.exe md5 : 55A16DB3018A69A7D27F0DEAF632273F

    retrieved config.ini from tdl3 rootkit
     
  19. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thanks Meriadoc, will give it a go. :)
     
  20. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Whatever demonstrated Sandboxie bypasses that existed last year have been addressed. None of those bypasses had the ability to successfully install a driver on the real system.
     
  21. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    171
    Thanks for the testing Franklin.
     
  22. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Read it again... I am not talking about Sandboxie, I am talking about the Avast sandbox... :D
     
  23. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I know, but others were. I was just clarifying the situation regarding Sandboxie.
     
  24. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
  25. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Re: Wondershare Time Freeze - Giveaway

    md5: 55a16db3018a69a7d27f0deaf632273f *dogma.exe

    Good you found the sample - I just wanted to ask for help.

    Shadow Defender with full DEP enabled has been tested by request - no changes except the targeted .DLL, the system remains infected.
     
