Worm Allegedly Bypasses System Rollback Software

Discussion in 'malware problems & news' started by wembleyy, Jul 14, 2009.

Thread Status:
Not open for further replies.
  1. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Thank you, developers, for taking the time to run these tests. But I do have one question. How does this type of virus bypass rollback-type software but not sandboxes like Sandboxie? I mean, don't they do the same thing? One sandboxes the whole drive, the other sandboxes specific programs, or am I misunderstanding something?

    So how is this virus able to defeat one but not the other?
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    GesWall intercepts it very well.

    I did not try it with CFP, but from the pop-ups created by CFP while I tried the malware inside GesWall, it appears that CFP will handle it as well.

    I will just upload pics randomly for those who are interested.
     

  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    More pics....
     

  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    More pics--- interceptions by CFP.
     

  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Still more....
     

  6. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    5,618
    Location:
    Milan and Seoul
    Meriadoc says in his test DeepFreeze withstood the attack (post #15), are you talking about another type of malware?
     
  7. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I would be very surprised if it bypasses Faronics AE.
    For example the SysSafe.Exe shown in the screenshots above looks like something AE should catch.

    And if a piece of code is needed to run, for example the one mentioned earlier, again this would at the very least have to be part of a new process, which I think would also be picked up by AE. Not 100% sure on that.

    If, say, a malware driver file, bad.sys, was copied to a system folder, does anyone know how these are normally run?
    Does it have to be part of a new exe or a process?

    How is this malware run in the first place?
     
    Last edited: Jul 17, 2009
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    AE will stop it of course, no surprises. No execution, no infection.

    We are testing one step ahead. Execute it and then stop it from damaging your system. ;)
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Interesting testing... But, and this is something I'm going to ask, I wonder: if Windows SteadyState was installed, disk protection activated, and then charge on it? It allows applying software restriction policies, so I am wondering if the results would have been different from those. If something can't execute or change certain operating system parts, then no damage.

    Anyway, thank you.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Found something interesting tonight. If I tested with ShadowDefender off, there was nothing in C:\, but with ShadowDefender on, safesys.exe ends up in C:\; on reboot it was gone.

    PS. Forgot to mention, it did remain in the program/common area, so it did seem to break through ShadowDefender.
     
    Last edited: Jul 18, 2009
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Even weirder, I wanted to see what happened with FDISR. Updated the archive and started. After running through the programs, I noticed safesys.exe was in the program/common area. Rebooted, and now a copy of it was in the c:\ root directory as well as an autoinf file.

    Then I booted to my secondary snapshot, and copied the archive back onto the primary. The copy of safesys.exe in c:\ was gone as expected, but it was still in the common area. That would imply some kind of special protection or something, so I tried deleting it. Gone. Strange.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hmmm... interesting.

    Can anyone test it with Eaz-Fix to see if booting into a fresh snapshot will get rid of it or not? Maybe I will try it myself.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I would like to see BlueRidge AppGuard and Online Armor tested against these kill-disk trojans and worms. With my current security setup I seriously doubt that any of them would get through. I've had the same setup for about a year now. As far as I know I have never been infected by anything for over 5 years. Before that I only got infected because I installed software that had trojans in it. So that was my own fault.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Online Armor stops it fine, as long as you click right. OA ++ detects it and gives further warning.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yeah, I haven't had anything flagged in a long time. You're right, but then again I just recently started using SonicWall. When I was speaking of having the same security setup for about a year I should have mentioned that. My bad. I was not speaking of hardware. I was using a Cisco firewall with SPI and IPS for the past several years. I came across a hell of a deal on the NSA 240, though I still spent a hell of a lot of money for most home users. It's just a new toy for me to play with. The TZ210 would have been the best way to go. Well, back to the point. You're right, I haven't had anything flagged in a long time lol
     
    Last edited: Jul 18, 2009
  16. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    OK, so far 2 people have tested the worm execution in Admin mode on XP.
    One reports that it didn't bypass DF, and the other says it did bypass DF.
    Both can't be right. o_O
     
  17. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Well, I tested it again yesterday with the same result. After a reboot, safesys was gone from C, program files and startup.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    If on XP, did you check c:\program files\common ??

    When I tested it was gone from the root but not from the common folder.

    Pete
     
  19. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Strange...

    so you mean you have tested in a vm with DF?
     

  20. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Just a friendly reminder to fellow forumists: testing malware in virtual machines is occasionally very deceiving. More and more malware these days change their behavior when they detect a virtual machine. As in, in a VM, they do not show their fancy moves, but in a real environment, they don't pull any punches. So, when you test something, do report on whether the tests were done in a real environment or in a virtual machine. That may be quite revealing.
     
  21. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Indeed, and that is why I mentioned in the first instance that this was a test in a VM. Amongst other things, malware can count 'time' from epoch (time stamp) and determine the environment (although this is not always correct). That said, there are some things that can be done in hiding VMs.

    I have a vested interest in DF and will be looking at this malware at work.
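
A tester can answer Windchild's and Meriadoc's point ("was the box recognisable as a VM?") by running the same cheap checks a VM-aware sample runs. The script below is an added example for this thread, not code from any poster or product: it looks at the NIC's OUI, at a few guest-tools driver files, and does a timing check. The timing check is the sleep-acceleration variant (a sandbox that skips sleeps advances the wall clock less than requested), which is an assumption about what "counting time from epoch" in the post refers to; the driver-file list is an assumed, incomplete list you should extend for your hypervisor.

```python
"""Environment fingerprint: what a VM-aware sample can see on this box.

Added example for this thread, not code from any poster or product.  It
runs cheap checks malware is known to use (NIC OUI of a hypervisor vendor,
guest-tools driver files, a timing check) so a tester can state up front
whether the test box is trivially recognisable as a VM.  The timing check
is the sleep-acceleration variant; that is an assumption about what
"counting time from epoch" in the post means.  GUEST_TOOL_FILES is an
assumed, incomplete list.
"""
import os
import time
import uuid

# Hypervisor NIC vendor prefixes (first three octets of the MAC).
HYPERVISOR_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware",
    "00:1c:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "00:1c:42": "Parallels",
}

# Guest-additions artefacts (assumed list; extend for your hypervisor).
GUEST_TOOL_FILES = [
    "C:\\Windows\\System32\\drivers\\VBoxGuest.sys",
    "C:\\Windows\\System32\\drivers\\VBoxMouse.sys",
    "C:\\Windows\\System32\\drivers\\vmhgfs.sys",
    "C:\\Windows\\System32\\drivers\\vmmouse.sys",
    "/dev/vboxguest",
]


def vendor_for_mac(mac):
    """Hypervisor vendor for a MAC like '00:0C:29:..' or '00-0c-29-..', else None."""
    octets = mac.lower().replace("-", ":").split(":")
    return HYPERVISOR_OUIS.get(":".join(octets[:3]))


def local_mac():
    """Primary MAC from uuid.getnode(); None if Python synthesised a random
    node (multicast bit set) because it found no NIC."""
    node = uuid.getnode()
    if (node >> 40) & 0x01:
        return None
    return ":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))


def sleep_skipped(seconds=1.0, ratio=0.5):
    """(skipped, elapsed): skipped is True when less than ratio*seconds of
    wall-clock time passed around a sleep, i.e. something fast-forwarded it."""
    start = time.time()
    time.sleep(seconds)
    elapsed = time.time() - start
    return elapsed < seconds * ratio, elapsed


def vm_indicators(mac=None, sleep_seconds=1.0):
    """Collect indicators.  An empty list means none of these checks fired,
    not that the host is physical."""
    hits = []
    mac = mac if mac is not None else local_mac()
    vendor = vendor_for_mac(mac) if mac else None
    if vendor:
        hits.append(f"mac {mac} belongs to {vendor}")
    for path in GUEST_TOOL_FILES:
        if os.path.exists(path):
            hits.append(f"guest tools file present: {path}")
    skipped, elapsed = sleep_skipped(sleep_seconds)
    if skipped:
        hits.append(f"sleep({sleep_seconds}) returned after {elapsed:.3f}s")
    return hits


if __name__ == "__main__":
    found = vm_indicators()
    print("VM indicators:" if found else "no VM indicators from these checks")
    for line in found:
        print(" -", line)
```

Run it once on the test box before the sample and paste the output with the test report; a clean result only says these particular checks did not fire, so "hiding the VM" means going through each indicator a sample could use, not just these.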
     
  22. wembleyy

    wembleyy Registered Member

    Joined:
    Apr 21, 2009
    Posts:
    47
    Yes, I have to agree with you on that; we need to know where it was tested. Some malware stops when it detects a VM environment.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I think the worm makes its copies hidden, so you need to look for that.
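
Posts #18 and #23 together describe the check that decides this thread: compare the folders named here (root of C:, Program Files\Common Files, the Startup folder) before the sample runs and after the rollback reboot, without letting the hidden attribute hide a surviving copy. The script below is an added example for this thread, not code from any poster, Deep Freeze, ShadowDefender or FD-ISR. It inventories every regular file in the watched folders with size, SHA-256 and the Windows hidden/system attribute bits, writes that to JSON, and diffs two inventories. Assumptions: the default paths are an XP layout; `st_file_attributes` only exists on Windows with Python 3.5 or later, and on any other build (including the older Pythons that still run on XP) the two flags simply read False while the file is still listed.

```python
"""Before/after file inventory for rollback tests.

Added example for this thread, not code from any poster or product.  Lists
every regular file in the watched folders, hidden ones included, so "did
safesys.exe survive the reboot?" is answered by diffing two JSON snapshots
instead of eyeballing Explorer.  Assumptions: DEFAULT_WATCH is an XP
layout; st_file_attributes exists only on Windows (Python 3.5+), elsewhere
the hidden/system flags read False.
"""
import hashlib
import json
import os
import stat
import sys

FILE_ATTRIBUTE_HIDDEN = 0x2   # winnt.h values, written out so the script
FILE_ATTRIBUTE_SYSTEM = 0x4   # also runs on a non-Windows analysis host

# Constructed defaults matching the folders named in the thread.
DEFAULT_WATCH = [
    "C:\\",
    "C:\\Program Files\\Common Files",
    "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup",
]


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(dirs, recurse=False):
    """Map path -> {size, sha256, hidden, system} for every regular file in
    dirs.  Nothing is filtered on the hidden attribute: a listing that
    honours it is exactly how a surviving copy goes unnoticed."""
    seen = {}
    for top in dirs:
        if not os.path.isdir(top):
            continue
        walker = os.walk(top) if recurse else [(top, [], os.listdir(top))]
        for root, _, names in walker:
            for name in names:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode):
                    continue
                attrs = getattr(st, "st_file_attributes", 0)
                try:
                    digest = sha256_of(path)
                except OSError:
                    digest = None  # locked or access denied: still record it
                seen[path] = {
                    "size": st.st_size,
                    "sha256": digest,
                    "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
                    "system": bool(attrs & FILE_ATTRIBUTE_SYSTEM),
                }
    return seen


def diff_inventories(before, after):
    """Paths added, removed or changed (by hash) between two snapshots.
    Comparing the clean snapshot with the post-reboot one, 'added' is what
    the rollback product failed to discard."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed": sorted(p for p in common
                          if before[p]["sha256"] != after[p]["sha256"]),
    }


if __name__ == "__main__":
    # Usage: snapshot clean.json  ->  run sample, reboot  ->  snapshot after.json
    #        compare clean.json after.json
    cmd, *args = sys.argv[1:] or ["snapshot", "inventory.json"]
    if cmd == "snapshot":
        with open(args[0], "w") as f:
            json.dump(inventory(DEFAULT_WATCH), f, indent=1, sort_keys=True)
    elif cmd == "compare":
        with open(args[0]) as f:
            before = json.load(f)
        with open(args[1]) as f:
            after = json.load(f)
        for kind, paths in diff_inventories(before, after).items():
            src = before if kind == "removed" else after
            for p in paths:
                tags = [k for k in ("hidden", "system") if src[p][k]]
                print(f"{kind:8} {p}", *tags)
```

Take the clean snapshot with the rollback product already enabled, so the comparison isolates what survived the reboot rather than what the product's own installation changed; a third snapshot taken right after execution, before the reboot, shows what the sample dropped in the first place.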
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    My tests were done in a VM, and I didn't test against DF, but I did against ShadowDefender and FDISR.

    Pete
     
  25. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Yes it does, thanks.
     