cs.exe has "bypassed" all latest version of RVS2008, ShadowUser and PowerShadow

Discussion in 'sandboxing & virtualization' started by nanana1, Jun 12, 2008.

Thread Status:
Not open for further replies.
  1. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Shadow Defender 1.1.0.261 defends against cs.exe OK,
    but I faced a lot of problems with this version.
    I think it is still under internal testing; that's why it is not available on the homepage.
    Back to the previous version 1.1.0.259 till the problems are fixed, as I care about my system integrity more than the so-called cs.exe.
     
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Yes, nanana1, if you could try this virus out against GesWall and post the results?

    I'm still sort of shocked this thing got past so many different virtualization (or is it ISR?) products. This is why, even with all the fancy security programs you have, it's still worth it to run in a limited user account.
     
  3. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    It's an executable. In my case AE will kill it. HIPS will do the same. All these ISR-killers are executables.
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Really?! If you care to strive to circumvent or outwit a program, an idea, is it a surprise that you just may succeed? Just yesterday I analysed a piece of malware that broke out of Sandboxie.
    Anyway, it is a game that will undoubtedly make this software stronger.
    I agree; then again, running as a limited user does not protect you from all malware.
     
  5. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    @ErikAlbert

    Yup, I've noticed that too.

    @Meriadoc

    Never said it did ;) , just a nice first step (see my sig) along with software restriction policy (with the added bonus of blocking all startup locations from being written to, thanks to KAFU). That right there cuts the heart out of the most vicious malware and restricts the damage to the limited user account.
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Yeah I know :) - it wasn't directed at you, I just wanted to comment on limited account.
    Yes exactly.
     
  7. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    hany3

    I'm curious to know what problems you have experienced.
     
  8. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    Hi pidbo,
    this is the bug report that has been sent to Tony;
    you can have a look.

    ""
    After downloading version 1.1.0.261
    I lost all of my system because of it,
    and finally I restored a Ghost image as a final solution to regain my
    Windows back,
    although this version is designed to fight the malware cs.exe.
    Here's the full story:

    I was connecting my other SATA hard disk to my PC,
    so my PC was having 2 hard disks.
    Then during this time I downloaded the new version, which does not
    appear on the home page,
    uninstalled the previous version,
    installed the new one, 1.1.0.261.
    Everything is OK till now.
    Then I enabled shadow mode of the system drive only, and to continue after
    restart (my second hard disk still connected till now).
    Then I turned off my PC,
    removed the extra SATA hard disk,
    turned on the PC.
    The result: PC complete freeze at Windows loading, while loading
    SD and the antivirus "Avira AntiVir".
    Many, many restarts, but useless, with the same results.
    Then I reconnected the second hard disk, as I thought it may be the cause
    because SD was installed in its presence,
    but even after I reconnected the second hard disk, no good news.
    Another odd behavior I noticed:
    every time I click on the SD quick launch icon the result is
    automatic restart of the PC, which was a previous bug that is supposed
    to be fixed in previous versions. ""
     
  9. alloucho

    alloucho Registered Member

    Joined:
    Dec 26, 2007
    Posts:
    145
    After installing this version and activating the shadow mode, the system reboots continually. o_O
    Back to build 1.1.260, all is fine.
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Can anyone test it against some sandboxes and HIPS like:

    GesWall, DW, SBIE, SafeSpace

    CFP, PS, OA and

    TF

    Thanks.

    Does it install a driver?
     
    Last edited: Jun 12, 2008
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Also, I am still curious to know what is meant by bypass? Does the malware persist totally after reboot, or does it just corrupt the ISR software?

    Thanks
     
    Last edited: Jun 12, 2008
  12. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    It is clear who made this virus; this thread tells me much. :cool:
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Tried it with GesWall.
     
  14. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    When you say it bypassed Returnil, do you mean it's still around after a reboot?

    Nanana, could you PM a link to download cs.exe please.
     
  15. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Hello y'all

    This thread is jumping about a bit :blink:
    ?? Yes or no.

    Is there some link for reading up on this: does this bypass all virtual layers/sandboxes other than GesWall?

    Do any HIPS alert?
    Does this get out of VMware VMs?
    Will it write to FDISR snapshot files?

    @Meriadoc:
    :eek: What?
    I just checked the Sandboxie forums: nothing there. Where are you up to??

    This looks a bit worrying. :doubt:
     
  16. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Let Tsuk know !!;)
     
  17. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Great, aigle, GesWall saves the day. :thumb:
     
  18. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    Yes, it is around after a reboot and some system files are corrupted. o_O
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    How is that possible in a virtual system partition? A virtual system is supposed to be even safer than FDISR.
    This can happen to me also of course, but only as a temporary infection, never as a permanent infection.
     
  20. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thanks for the link Nanana.

    The default sandbox, where nothing can run or connect except FF of course, couldn't even unrar it.

    Unrarred it, then tried to run cs.exe in the default box, and no go again.

    Set up a test sandbox with default settings where it executed and seemed to be contained, with a folder named "Nt_File_Temp" being created containing 1 file named "__write_ok__" of 0 bytes.

    Deleted the sandbox with no noticeable probs.

    Tests done in a VM with Sandboxie as the only security app active. Returnil is installed but I forgot to turn it on. :ouch:
     
  21. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    Both Ilya and I can confirm that DefenseWall successfully blocks and restricts cs.exe. Additionally, I can also report that I have seen similar event logs to both aigle and Franklin when executing this malware sample.

    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited: Jun 13, 2008
  22. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Does anyone know if cs.exe corrupts the real system when only using Returnil's disk cache method and not the mem cache, or does it corrupt the system if using either method?
     
  23. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Kudos to Geswall and Defensewall.:)
     
  24. tonycn

    tonycn Registered Member

    Joined:
    Dec 31, 2007
    Posts:
    6
    This is the way you think?
    In the past years you kept attacking DF, SD, PS; may I conclude you are working for some company?

    This thread tells me much too.
     
  25. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I am with you here, Tony. I said this a few months back: it appeared every time something good was said about SD, someone showed up to piss on the party. :mad:
     