TDL/TDSS trojan series bypassing isolation software

Discussion in 'sandboxing & virtualization' started by taleblou, Jun 29, 2010.

Thread Status:
Not open for further replies.
  1. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    Re: Wondershare Time Freeze - Giveaway

    I'd like to know about the latest CIS... please.
     
  2. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Please take a closer look - they used another version of a virus, SafeSys, whereas I'm using TDL3, not SafeSys. Buster_BSA and I are trying to understand what's happening.
     
  3. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    That's euphemistic, man!

    They are not bulletproof as advertised. Just look at Faronics or Returnil publicity and then look at how they fail to restore a system where SafeSys or TDSS was executed.

    And do you know the best part? They knew the publicity was wrong, so they fooled customers on purpose.

    Faronics received reports about SafeSys bypassing their software 1 year ago. All this time they have been saying they were unable to reproduce it or that their developers were investigating the issue.

    It's incredible. In fact I consider this to be the biggest scandal in the security industry since, some years ago, some AV vendors were announcing their products to have "100% virus detection".
     
  4. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    OK, I resolved the issue with Shadow Defender. It was the difference in the OS on which the samples have been tested. I used Windows XP for Windows 7, while Buster_BSA was using original XP as a host system and original XP as a guest system. Hence the difference in virus behaviour - the real XP system will not be infected after a malware execution in shadow mode and thus goes into reboot clean. That's what happened in Buster's case and mine after I installed VirtualBox with a real Windows XP. The Win7 version of Windows XP was infected and went into reboot infected too. So to decide if Shadow Defender is bypassed or not is up to you :)
    I made a test on a real Windows 7 system which I'm using now (a clone of course) and here's what I got:
     
    Last edited: Jul 2, 2010
  5. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    If I missed this I apologize.
    Is anybody testing this on Windows 7 x64?
    Thanks.
    Hugger
     
  6. culla

    culla Registered Member

    Joined:
    Aug 15, 2005
    Posts:
    504
    Curious to know: I run Returnil 2008 and then open the browser in Sandboxie within Returnil.
    Can this be tested? Thanks.
     
  7. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Sandboxie is not bypassed so you won't need even returnil to be safe enough.
    Nope, 64 bit versions were not tested.
     
  8. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1

    You guys doing great...
    SandboxIE is really a nice and trusted application.

    Anyway, I have tested Safe n Sec 2009 (ver. 3.5.1.865)... As per the vendor it provides proactive protection from known and unknown malicious software and Internet threats due to advanced technology of behavioral analysis and up-to-the-minute V.I.P.O. (Valid Inside Permitted Operations) solution... V.I.P.O. (Valid Inside Permitted Operations) prevents malicious actions of any unknown and potentially dangerous application...

    So I have tested some zero-day nasties and the latest TDSS aka TDL3... I have executed all the threats and allowed them to run on my system... and to be very honest TDL3 was unable to infect my system. It was kept under the V.I.P.O. user account of Safe n Sec but wasn't able to infect me.

    I am unable to provide you the screenshots because by tomorrow I'll show you the video of the same... so I thought, why screenshots?

    Anyway, I really don't know how to take screenshots... :p

    Last but not least, this application "Safe n Sec" deserves my two :thumb::thumb: up.
     
  9. cruchot

    cruchot Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    126
    Location:
    Germany
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Safe n Sec contains the RkTrap anti-rootkit engine. Can one scan for TDSS on an already infected system with SnS, and do you have any results :) ?
     
  11. cruchot

    cruchot Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    126
    Location:
    Germany
    Yes, would like to see some tests against TDSS / SafeSys.
     
  12. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Roger that!! I'll try to test it against a pre-infected system... but it will cost me an hour and a half. It's really slow while updating and making the system profile... :ninja:
     
  13. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,004
    Hi:

    The TDSS/TDL rootkit that originally infected my PC, even with CIS set to the highest setting, and even scanning with Comodo and a-squared, Malwarebytes, SUPERAntiSpyware, all did not detect it, and Time Freeze failed, and it infected the atapi.sys driver (Hitman identified it as the atapi.sys rootkit) that was very new. Perhaps someone can test this particular rootkit against these security softwares? I think I may have gotten it through malwaredomainlist site link testing.

    So I think the atapi rootkit is a badass one. So if you guys can test this rootkit as well, that would be great.
     
  14. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yeah, SafeSys would require the load driver privilege, and limited users don't have that, so SafeSys would do nothing.

    TDSSKiller also requires that privilege, so it can only run as admin. So to test whether one managed to get the entire system infected from a limited user account, one would have to log in as admin to run tests like TDSSKiller.

    MBAM always acted weird under LUA, but then, stuff like that should be run with admin privileges, so it can look as deep in the system as possible. :)
     
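As an added example (not posted in the thread), a PowerShell check for the point Windchild makes: a token without SeLoadDriverPrivilege cannot load a kernel driver, so neither a driver-based rootkit nor TDSSKiller can do their work from a limited user logon. It parses the output of the standard `whoami /priv` tool; the function name is my own.

```powershell
# Added example, not from the thread: report whether the current token holds
# SeLoadDriverPrivilege (the "load driver privilege" Windchild refers to).
# Assumes whoami.exe is available (standard on XP SP2 and later).
function Test-LoadDriverPrivilege {
    # whoami /priv /fo csv yields columns: Privilege Name, Description, State
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $ldp   = $privs | Where-Object { $_.'Privilege Name' -eq 'SeLoadDriverPrivilege' }

    if ($null -eq $ldp) {
        Write-Output 'SeLoadDriverPrivilege is NOT in this token (limited user or UAC-filtered admin token).'
        Write-Output 'A driver-based rootkit cannot load its driver from here; run TDSSKiller from an elevated admin logon to check the whole system.'
        return $false
    }

    # Present but "Disabled" is normal: a process enables it with AdjustTokenPrivileges
    # just before calling the driver-loading API, so presence is what matters.
    Write-Output "SeLoadDriverPrivilege present, state: $($ldp.State) (this token can load drivers)."
    return $true
}

Test-LoadDriverPrivilege
```

On Vista/7 with UAC enabled, an administrator's non-elevated shell reports the privilege as absent; re-run from an elevated prompt to see the token the rootkit would need.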
  15. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Mmm, I have harvested TDL/TDSS since late in the year of '09... and this is of no surprise. Vendors seem to have simply ignored the problem or have been unable to manage it.
     
  16. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Shadow Defender 1.1.0.326 is infected in VBOX, unlike 325. And TDSS keeps behaving strangely in VBOX - it kills itself after being detected with TDSSKiller, so there's no need for TDSSKiller any more to cure the system. I don't think behaviour should be investigated in VBOX but rather in VPC; VPC with W7's XP system seems to frighten the virus much less and the results are more stable. What do you think?

    Correction:
    1. TDSS kills itself after being detected with TDSSKiller in VPC too.
    2. TDSSKiller seems trying to restore the normal state of the infected DLL after restart.
    3. Windows Defender detects now that critter.
     
    Last edited: Jul 3, 2010
  17. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Power Shadow v2.6 is bypassed from time to time by TDSS TDL.
     
  18. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    XP VM.

    Testing safesys.exe and beta Returnil Virtual System Lite 2011 using the memory cache.

    On the first run of safesys.exe and rebooting out of Returnil mode Malwarebytes finds one suss reg key:
    I let MBAM delete that key, reboot to clear and rerun safesys.exe in Returnil mode.

    Reboot again out of Returnil mode and a scan with MBAM shows all clear?
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,704
    I like the memory cache approach :thumb:

    I have the spooler disabled :D as I use another comp for printing. I wonder if some of these RKs would be fooled etc. if tested in this way?

    Not being funny, but can you be sure MBAM caught everything? What if you used the available removal tools to also check for remnants, or worse? And e.g. Gmer/Rku?

    Also as you tested in VM, maybe you would get different results without ?

    Plus what would happen if you didn't use MBAM after RVS reboot ?

    TIA :thumb:
     
  20. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Re: Wondershare Time Freeze - Giveaway

    Comodo FW D+ without antivirus, cis_4.1.150349.920_x86, installed. Sandbox was enabled, the rest of the settings left at default.

    Sandboxed TDSS did nothing, the system is not affected.

    Normally launched TDSS gave the same warning and infected the system, as it should :)
     
    Last edited: Jul 4, 2010
  21. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Spooler is disabled in that VM.

    MBAM seems to clean up all dregs of the infection, finding around 130 entries after safesys.exe is installed, with most being the Image File Execution Options reg hijacks.

    Will test further a bit later.
     
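As an added example (not Franklin's or MBAM's code), a PowerShell function that enumerates the Image File Execution Options `Debugger` values Franklin's MBAM scan turned up, so the hijacks can be reviewed by hand before and after a Returnil reboot. The function name is my own; the registry path is the documented IFEO location.

```powershell
# Added example, not from the thread: list IFEO subkeys whose Debugger value
# redirects a program to another executable. SafeSys-style "image execution
# reg hijacks" use this to run their own binary whenever a security tool starts.
function Get-IfeoDebuggerHijacks {
    # Native view plus the WOW6432Node view used by 32-bit images on x64 hosts
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [pscustomobject]@{
                    Image    = $_.PSChildName   # executable name the key applies to
                    Debugger = $dbg             # what Windows launches instead of it
                    Hive     = $root
                }
            }
        }
    }
}

# A Debugger value pointing anywhere other than a known debugger (e.g. a path in
# a user profile or temp folder), or the same value stamped on dozens of
# security-tool executables, is the pattern to look for.
Get-IfeoDebuggerHijacks | Format-Table -AutoSize
```

Running this requires only read access to HKLM, so it works from a limited user account; cleanup of any hijack found still needs an admin token.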
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,043
    Re: Wondershare Time Freeze - Giveaway

    Interesting, thanks for testing it.
     
  23. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    Re: Wondershare Time Freeze - Giveaway

    Leach thanks for the report,very informative.
     
  24. xorrior

    xorrior Registered Member

    Joined:
    Mar 22, 2010
    Posts:
    66

    Not yet they don't, but they do detect its injected modules even in the latest release and hold their payloads, like most updated malware does against Sandboxie. If there is a memory corruption or a way to use the native API to detach Sandboxie, you'll see it in one of these industrial rootkits first.

    EDIT: Some variants in the 7.10.09.10 Avira DB now defeat NIS 2011 and some other solutions btw..
     
  25. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    sounds like hell :eek:
     