TDL/TDSS trojan series bypassing isolation software

Discussion in 'sandboxing & virtualization' started by taleblou, Jun 29, 2010.

Thread Status:
Not open for further replies.
  1. Technical
    Offline

    Technical Registered Member

  2. Novastar 3d
    Offline

    Novastar 3d Registered Member

    Looks like someone got Egg on their face to go along with their coffee. :D
    Xorrior, let us know what you hear man.
  3. SourMilk
    Offline

    SourMilk Registered Member

    With all the posts concerning this trojan, I am considering buying Faronics Anti-Executable. Is there any drag on performance or does it just filter execs like UAC?

    Thanks for any reply,
    SourMilk out
  4. Boost
    Offline

    Boost Registered Member

    No drag on performance,you forget that it's there.

    I tested a ton of malware with it,and nothing executes,go figure. :D
  5. Hugger
    Offline

    Hugger Registered Member

    We have/had a member, Easter(?), who was quite fond of AE and other security products.
    Look up some of his posts to get some info.
    Hugger
  6. BlueZannetti
    Offline

    BlueZannetti Administrator

    No drag in my experience.

    Blue
  7. SourMilk
    Offline

    SourMilk Registered Member

    Thanks for the replies. I'm going to try it out. TDSS, I believe, may become more popular with black hats because of it's sinister nature. My hobby might have to change if I can't get a handle on it. For enterprises, the battle wages on. May the best software engineer win. Hmm, cellphones will probably be next - who knows?

    SourMilk out
  8. Dark Star 72
    Offline

    Dark Star 72 Registered Member

    As the others have said, no drag at all.
    It also integrates very nicely with Sandboxie, if anything tries to start or run in Sandboxie that is not on the real system Faronics AE will stop it dead in the sandbox.
    Highly recommended.
  9. cheater87
    Offline

    cheater87 Registered Member

    For people testing Sandboxie on this nasty thing, are you doing it with default settings or tweaked such as only allow such and such to have access to internet or be allowed to run? Oh and has anyone tested DefenseWall against this?
    Last edited: Jul 14, 2010
  10. the_sly_dog
    Offline

    the_sly_dog Registered Member

    defensewall passed

    sandboxie passed to because it doesn`t allow loading of drivers
  11. Osaban
    Offline

    Osaban Registered Member

    System impact is negligible, used along with Sandboxie or any virtualizer will make any computer a fortress. There are however some issues about its usage: One ought to deny any execution as a policy, which is not always very practical.

    It builds a white list of existing executables which can be edited, but doesn't necessarily allow an existing white listed application to launch another one unless specifically given permission. Basically it means that sometimes there are situations whereby something (benign) is silently blocked and one is left there wondering what the hell is going on. I suppose that in the long run one can fine tune AE to a particular system. I ran it, but found it too fastidious. It is particularly useful if there are several people accessing the same machine.
  12. the_sly_dog
    Offline

    the_sly_dog Registered Member

    Someone please wouldn`t happen to have faronics anti-exectuable installer 3.50 standard please today i updated to 3.60 but it doesnt like my system and my system crashed upon startup and i lost my parrels snapshot

    can`t find the disc i burnt it version 3.50 to neither Hmmm

    all faronics site has is 3.60

    many thanks
    Last edited: Jul 15, 2010
  13. Serapis
    Offline

    Serapis Registered Member

    Is it better to use faronice AE against drivebys or to use sandboxie's start/run?
    plz note tht there is no need for systemwide when considering my case; the browser is the one and only threat gate on my rig.

    Also curious, does sandboxie's start/run on x64, rely on an arbitrary mechanism to gurantee non execution or does it merely 'recommend' tht a program not start? o_O

    Thanks,

    Serapis
  14. Longboard
    Offline

    Longboard Registered Member

    Re: AE
    One of the best recommendations yet
    Ta.
    :)

    Rmus is "reasonably" well acquainted with AE as well :cool:
    Last edited: Jul 16, 2010
  15. arran
    Offline

    arran Registered Member

    Faronics Anti-Executable is good yes, however any product which has an
    Anti-Executable feature in it is just as effective as Faronics Anti-Executable
    no need to spend money on Faronics Anti-Executable if you can't afford it when there are many other free products with an Anti-Executable feature.


    yea Easter is a well respected member I always enjoy reading his informative posts, he posted a short while ago he should be active again later.
    http://www.wilderssecurity.com/showthread.php?t=273918

    sorry admins if the following paragraph is a little off topic I just wanna add my 2 cents.

    To xorrior please make a POC to prove your claims, or I will take it as your claims being nonsense.
  16. Hugger
    Offline

    Hugger Registered Member

    arran,
    Thanks. I think Easter needs to hurry home.
    Hugger
  17. acuariano
    Offline

    acuariano Registered Member

    did it pass malware defender 2.71 ?
  18. tlu
    Offline

    tlu Registered Member

    Re: a TDL rootkit passed through time freeze

    @taleblue: You haven't answered Rmus' question (unless I overlooked it). Would be interesting to know.
  19. taleblou
    Offline

    taleblou Registered Member

    Hi:

    Sorry I was away. Well it all happened when I visted and tested TDSS link from malwaredomainlist on one of my pcs with time freeze active. After tested about 5 links with trojans and tdss rootkits. Later I rebooted and all malwares were gone by time freeze but to be sure I scanned it with several spftwares like malwarebyte, superantispyware, a-squared, CIS and all showed clean and when i tried hitman pro it showed a tdss infection in a driver and a temp folder and so did GMER showed active tdss. Thats when i found that time freeze failed protection. Hope this answers your questions.

    P.S. Also except for a old desktop that I can not install linux on it because of no graphic card support and only windows xp sp2 works on that pc, my other pcs and laptops all have linux mint 9 installed. Still though I am a bet uneasy for that particular win xp desktop as for security. Right now I am using CIS plus MBRGUard, disabled autorun and using the new epic web browser that has antimalware protection and a couple of tweaks on that pc and browse only safe sites on it sometimes. Using my linux mint desktop most of the time.
  20. Greg S
    Offline

    Greg S Registered Member

    If Time Freeze is like Eaz-Fix, CTM etc.. Hitman would show the infected files over and over again as well as suspect files it has scanned in the past that may no longer be on your HD, especially if Hitman is scanning in Direct Disk Access. If scanning is done with Compatible Disk Access it will not show previous suspect files on the HD. Having said that, it's very possible that you were no longer infected but Hitman was still dectecting it even though it no longer existed.
  21. erikloman
    Offline

    erikloman Developer

    If Hitman shows the 'golden TDL3 sticky' on top of the results then the machine is actually infected (the sticky is the result of a memory analysis).

    You are right though that tools like Eaz-Fix don't work correctly with Hitman Pro in Direct Access Mode as tools like Eaz-Fix serve a different MFT to Windows as actually exist on the physical disk. In Direct Access Mode, Hitman Pro scans the MFT from physical disk and does not get the file system structure from Windows.
  22. taleblou
    Offline

    taleblou Registered Member

    Hi:

    No this was just reply to how I got infected originaly. Since then I had formated and had win 7 home installed and tried sandboxie for protection and bam the installation of the latest sandboxie gave my pc BSOD and would not allow me to go beyoned windows logo and not even to safemode. Sandboxie crashed and killed my pc and forced me to use linux mint 9 which I am using now on that pc. Heck sandboxie was even more dangerous then a tdss. lol. ANyway right now only one very old pc has win xp sp2 and the rest of the pcs are all linux mints.

    Anyway I have no more tdss problems now. By the way if it was not for the old gaphic card for my old pc which can not be upgraded I would have used linux on that machine too. Heck the only OP that cna be installed don that machine is up to win xp. lol pro savage DDR graphic card are ***** old no good cards with no update driver for anything beyond win xp.
  23. Greg S
    Offline

    Greg S Registered Member

    I will keep this in mind. Seeing how I've thankfully never had this infection, I was unaware of the sticky. Thanks for the info

    How thorough is the Compatible Disk Access in comparison to Direct Disk Access or is one just a work around for those who have ISR type tools?
  24. Franklin
    Offline

    Franklin Registered Member

    Get outta here!

    Sandboxie forced you to use a linux system, oh yeh, ok then. :rolleyes:
  25. Searching_ _ _
    Offline

    Searching_ _ _ Registered Member

    Sounds like TDSS/TDL was still active on taleblou's system when it crashed after installing Sandboxie.
Thread Status:
Not open for further replies.