TDL/TDSS trojan series bypassing isolation software

Discussion in 'sandboxing & virtualization' started by taleblou, Jun 29, 2010.

Thread Status:
Not open for further replies.
  1. acuariano

    Re: Wondershare Time Freeze - Giveaway

    I'd like to know about the latest CIS... please.
  2. Leach

    Please take a closer look - they used another version of a virus - safesys, while I'm using TDL3, not safesys. Buster_BSA and I are trying to understand what's happening.
  3. Buster_BSA

    That's euphemistic, man!

    They are not bulletproof as advertised. Just look at Faronics or Returnil publicity and then look how they fail to restore a system where SafeSys or TDSS was executed.

    And do you know the best? They knew the publicity was wrong, so they fooled customers on purpose.

    Faronics received reports about SafeSys bypassing their software 1 year ago. All this time they have been telling they were unable to reproduce or that their developers were investigating the issue.

    It's incredible. In fact I consider this to be the biggest scandal in the security industry since some years ago some AV vendors were announcing their products to have "100% virus detection".
  4. Leach

    Ok, I resolved the issue with Shadow Defender. It was the OS difference on which the samples had been tested. I used Windows XP for Windows 7, while Buster_BSA was using original XP as a host system and original XP as a guest system. Hence here's the difference in virus behaviour - the real XP system will not be infected after a malware execution in shadow mode and thus goes into reboot clean. That's what happened in Buster's case and mine after I installed VirtualBox with a real Windows XP. The Win7's version of Windows XP was infected and went into reboot infected too. So to decide if Shadow Defender is bypassed or not is up to you :)
    I made a test on a real Windows 7 system which I'm using now (a clone of course) and here's what I got:

    Last edited: Jul 2, 2010
  5. Hugger

    If I missed this I apologize.
    Is anybody testing this on Windows 7 x64?
    Thanks.
    Hugger
  6. culla

    Curious to know: I run Returnil 2008 and then open the browser in Sandboxie within Returnil.
    Can this be tested? Thanks.
  7. Leach

    Sandboxie is not bypassed, so you won't even need Returnil to be safe enough.
    Nope, 64-bit versions were not tested.
  8. AvinashR

    You guys are doing great...
    SandboxIE is really a nice and trusted application.

    Anyways, I have tested Safe n Sec 2009 (ver. 3.5.1.865)... As per the vendor it provides proactive protection from known and unknown malicious software and Internet threats due to advanced technology of behavioral analysis and up-to-the-minute V.I.P.O. (Valid Inside Permitted Operations) solution... V.I.P.O. (Valid Inside Permitted Operations) prevents malicious actions of any unknown and potentially dangerous application...

    So I have tested some zero-day nasties and the latest TDSS aka TDL3... I have executed all the threats, and allowed them to run on my system... and to be very honest TDL3 was unable to infect my system. It was kept under the VIPO user account of Safe n Sec but wasn't able to infect me.

    I am unable to provide you the screenshots because by tomorrow I'll show you the video of the same... so I thought why screenshots...

    Anyways, even I really don't know how to take screenshots... :p

    Last but not least, this application "Safe n Sec" deserves my two :thumb::thumb: up.
  9. cruchot

  10. Meriadoc

    Safe n Sec contains the rktrap antirootkit engine. Can one scan for TDSS on an already infected system with SnS, and do you have any results :) ?
  11. cruchot

    Yes, would like to see some tests against TDSS / SafeSys.
  12. AvinashR

    Roger that!! I'll try to test it against a pre-infected system... But it will spoil my one and a half hours... It's really slow while updating and making the system profile... :ninja:
  13. taleblou

    Hi:

    The TDSS/TDL rootkit that originally infected my PC even with CIS set to the highest setting, and even scanning with Comodo and a-squared, Malwarebytes, SUPERAntiSpyware all did not detect it, and Time Freeze failed, and it infected the atapi.sys driver (HitmanPro identified it as an atapi.sys rootkit) that was very new. Perhaps anyone can test this particular rootkit against these security softwares? I think I may have gotten it through malwaredomainlist site link testing.

    So I think the atapi rootkit is a badass one. So if you guys can test this rootkit as well, that would be great.
  14. Windchild

    Yeah, SafeSys would require the load driver privilege, and limited users don't have that, so SafeSys would do nothing.

    TDSSKiller also requires that privilege, so it can only run as admin. So to test whether one managed to get the entire system infected from a limited user account, one would have to log in as admin to run tests like TDSSKiller.

    MBAM always acted weird under LUA, but then, stuff like that should be run with admin privileges, so it can look as deep in the system as possible. :)
  15. Meriadoc

    Mmm, I have harvested TDL/TDSS since late in the year of '09... and this is of no surprise. Vendors seem to have simply ignored the problem or have been unable to manage it.
  16. Leach

    Shadow Defender 1.1.0.326 is infected in VBOX, unlike 325. And TDSS keeps behaving strangely in VBOX - it kills itself after being detected with TDSSKiller, so there's no need for TDSSKiller any more to cure the system. I don't think behaviour should be investigated in VBOX but rather in VPC; VPC with W7's XP system seems to frighten the virus much less and results are more stable. What do you think?

    Correction:
    1. TDSS kills itself after being detected with TDSSKiller in VPC too.
    2. TDSSKiller seems to try to restore the normal state of the infected DLL after restart.
    3. Windows Defender now detects that critter.
    Last edited: Jul 3, 2010
  17. Leach

    Power Shadow v2.6 is bypassed from time to time by TDSS TDL.
  18. Franklin

    XP VM.

    Testing safesys.exe and beta Returnil Virtual System Lite 2011 using the memory cache.

    On the first run of safesys.exe and rebooting out of Returnil mode, Malwarebytes finds one suss reg key:
    I let MBAM delete that key, reboot to clear and rerun safesys.exe in Returnil mode.

    Reboot again out of Returnil mode and a scan with MBAM shows all clear?
  19. CloneRanger

    Originally Posted by Franklin

    I like the memory cache approach :thumb:

    I have spooler disabled :D as I use another comp for printing. I wonder if some of these RKs would be fooled etc. if tested in this way?

    Not being funny, but can you be sure MBAM caught everything? What if you used the available removal tools to also check for remnants, or worse? And e.g. Gmer/RkU?

    Also, as you tested in a VM, maybe you would get different results without?

    Plus, what would happen if you didn't use MBAM after the RVS reboot?

    TIA :thumb:
  20. Leach

    Comodo FW D+ without antivirus, cis_4.1.150349.920_x86 installed. Sandbox was enabled, the rest of the settings left at default.

    Sandboxed TDSS did nothing; the system is not affected.

    Normally launched TDSS gave the same warning and infected the system, as it should :)

    Last edited: Jul 4, 2010
  21. Franklin

    Spooler is disabled in that VM.

    MBAM seems to clean up all dregs of the infection, finding around 130 entries after safesys.exe is installed, with most being the image execution reg hijacks.

    Will test further a bit later.
  22. J_L

    Interesting, thanks for testing it.
  23. acuariano

    Leach, thanks for the report, very informative.
  24. xorrior

    Not yet they don't, but they do detect its injected modules even in the latest release and hold their payloads, like most updated malware does against Sandboxie. If there is a memory corruption or a way to use the native API to detach Sandboxie, you'll see it in one of these industrial rootkits first.

    EDIT: Some variants in the 7.10.09.10 Avira DB now defeat NIS 2011 and some other solutions btw..
  25. dax123

    Sounds like hell :eek: