TDL/TDSS trojan series bypassing isolation software

Comodo Time Machine is tested - fail. This time I just ignored all request to cure the system by TDSSKiller, just closed the window, except
the case of retesting. I'll try to show in pictures, initial system state is clean of course:












Sorry, pictures just won't place right...

 

Well, I wouldn't doubt in DW's abilities. Here we are:
The critter just committed suicide in untrusted.

 

Nice screenshots.

Now that you're in a testing mood, here's an idea that might make for an interesting test: create yourself a limited user account in Windows, and execute dogma.exe when you're logged in to that limited user account.

Absolutely right.

 

The trojan won't bypass sandboxie, the result is the same as for DW - the malicious processes self-terminated after a few seconds.

 

by sandboxie, do you also mean the x64 version?

 

Hi Serapis,

I didn't test 64-bit versions.

 

XP LUA and ran SafeSys.exe.

Didnt seem to do much except drop a .tmp file within the LUA account.
_mcvvd.tmp - Result: 39/41 (95.13%) - VirTool:WinNT/Rootkitdrv.LH

TDSSKiller couldn't run in the LUA account.

Funny thing is that Malwarebytes picked up the _mcvvd.tmp.tmp but missed the SafeSys.exe with both a right click and quick scans run within the LUA account but on rebooting into admin then a quickscan with Malwarebytes picks up both files?

 

Has anyone tried these against Returnil 2010, with and without the Anti Execute function enabled.

 

Hi:

Well I am for returnil and comodo time machine test aswell. But also I like to see the following application called " Fortres Grand Corporation: Virtual Sandbox Free Edition" to be tested aswell to see if it stops the tdl rootkits from by-passing it when it is downloaded. Also if possible to test "Bufferzone" as well.

I know for a fact that sandboxie fails but if any of these sandbox types programs pass tests then having a good sandbox would put us more at ease. Thanks in advance.

 

I would test it but I can't find a clear link - the page with a free version is all flooded with adware and the links I can see leads whereever but RVS. Can anyone give me a straight link?

 

HeHe - me thinks you are infected

 

@Leach

http://www.returnilvirtualsystem.com/rvs-home-free/trialpay

Or try the Download Mirrors at the page bottom

 

Ok, this link was especially hard one, thank you very much.

RVS failed, sorry. Antivirus system was turned off - that was not the goal of the test. Other setting untouched.

 

Please repeat the test with the Virus guard and Anti-execute option active to test whether the user is protected using all the protections for a base line here.

Thanks
Mike

 

Looks like we win this time, the system is NOT infected after reboot!

 

Re: Wondershare Time Freeze - Giveaway

Can you test Comodo Defense+ w/ SandBox? It should be included by default in all of the downloads here, although they don't advertise it.

 

Hi:

So the TDSS/TDL rootkit did not passed sandboxie defenses then. hmm thats good news and so perhapse I should sandboxie then. Thanks for the tests. I was looking for a passing software and so far defense wall and sandboxie are the only one. Also can you try "Bufferzone free" and let me know if it is any good? Thanks in advance. I am trying to make effective security suites for the my windows pc that are good against TDL rootkits.

Right now I am thinking of getting defense wall and sandboxie. Waiting for your other tests. By the way I have already made my host files read-only and am using MBRguard.

 

Hi Leach can you test new Wondershare Time Freeze 2.0 against this TDL/TDSS trojan ?

new version
http://www.disk-utilities.com/time-freeze/

 

Thanks for the link lunaticdreams, I have missed it. Alas:

 

If you get time, pls test GesWall, ThreatFire and EAz-Fix too. Did you use latest version of CTM?

Thanks

 

Yes, used the latest version - CTM_2.7.150952.175 beta.

There may be differences in results. We are discussing the methodology with Buster_BSA right now as there are some mismatches we discovered.

 

Thanks Leach

 

Her is something strange. Over at comodo forum they have tested a bunch of virtualization software aginst tdss/tdl rootkits and it seems something is at odd with results over here. The result for "shadow defender" I mean??. Here is the result. Look at the shadow defender result? This is confusing.

C&P
worm works on VPC.
Test was performed on XP SP3 with no updates.
you can also see the related articles on wilders security and prevx
Virtualization/Rollback software test
TDL/TDSS trojan series bypassing isolation software
Deep Freeze 7 bypassed

A puzzle called SafeSys

=====================================================
RESULT against SafeSys Worm:
CTM 2.7 beta - INFECTED
CTM 2.6 - INFECTED
Shadow Defender 1.1.0.325 - Not infected
Windwos Steadystate 2.5 - INFECTED
Wondershare Time Freeze 2.0 rev674 - INFECTED
Retrunil Virtual system 2010 (3.1.8774.5254) - INFECTED
Deep Freeze 7.0.20.3172 - Evil INFECTED Evil
Powershadow 2.2.2.21 - Evil INFECTED Evil
Wondershare Time freeze 1.0 Free rev587 - INFECTED
Rollback Rx Professional v9.1 - INFECTED
EAZ-FIX -> INFECTED
=====================================================

=====================================================
RESULT against TDSS infection:
Shadow Defender 1.1.0.325 - Not infected*
=====================================================

(*: contradicts results from wilders security https://www.wilderssecurity.com/showpost.php?p=1704272&postcount=4
Checked twice and found nothing. I'll test it under real environment for verification
maybe his sample is stronger )

The result is frustrating.
but shadow defender shows good results.
I think we would rather use disk imaging utility for security's sake

 

This is what I have been thinking for quite some time. I do use Sandboxie and DefenseWall but have considered roll back or frozen state software to not be the thing for me. I didn't like the idea of always having to reboot to clean out the system, or not being able to defrag and on and on. Now we are learning they may not be bullet proof as often advertised. Unless something new shows up that radically changes the landscape, I think I'll stay where I am..

 

As yet I've not been able to bypass Shadow Defender with TDL/TDSS and I know my version of safesys does not either.