cs.exe has "bypassed" all latest version of RVS2008, ShadowUser and PowerShadow

Hi Tony, welcome back to the forums. I am still hunting a job. How much will you pay me if I post thread like nanana1?

BTW, Is this your thread?

http://www.cnsw.org/bbs/viewthread.php?tid=75160&page=1#pid281625

That guy admitted he had copied other's code/manual/website, yes?

 

I wonder how can a chinese people make product/manual in english though he did not know what is the meaning of "Internet cafe".

http://www.cnsw.org/BBS/thread-77308-1-4.html

 

As the threadstarter, this is for the benefit of everyone who is concerned with the security of their system. Tony has as much contributed to this forum's objective of better and improved security software as ColdMoon, etc.

QQ2595 is knowledgeable on this subject matter based on his previous posts but let's all be constructive on our comments. To allege that someone made this virus based on conjecture and induction processes is not helpful at all.

SD did concede that he followed SU's manual, etc due likely to a English language proficiency but as clearly stated by StorageCraft (SU developer) on this forum when SD was first introduced, SD did NOT copy the SU's code or violate SU's IP.

QQ2595 may never care but it will be a loss to others if Tony has not developed SD, so let's be constructive and positive in our comments.

PS. I am NOT related to SD or Tony in any way nor do I seek to be "paid" in this thread as QQ2595 has suggested.

 

This is absurd and irrelevant !

 

after googled some chinese forums, I found so many absurd thread from same people.

in china, there are many interesting people like Mj0011. they make virus to attack their competitor's product and post threads similar as this title in their competitor's support forums.

 

This is old wine in new bottle, ever heard the similar line that AV software developers paid people to write and post viruses so that they can sell more AV softwares ? Whether in China or not doesn't matter.

If you look back at this forum, this first thread about cs.exe is the mention about SD being "bypassed".

Anyway, we're off topic. Let's stick to the main concern here which is to make such security softwares able to withstand any virus, malware and trojans as they show up

 

what is the link please?

 

First mention is on Jun 9th at 5:51pm from Perman and the link is here

https://www.wilderssecurity.com/showpost.php?p=1257807&postcount=7

I started this thread on Jun 12th at 6:03pm.

 

sorry, I mean the link to download SC.exe.

 

PM sent !

 

So bottom line so far is that several virtualizating apps such as Returnil are bypassed by this, but for what I understand, sandboxes (GesWall, DW, and SBIE) seem to protect well against this.

I have 2 questions:

1.- Mainly addressed to Coldmoon:
Since the "dogs" came out, I see that Returnil is heading into the "execution prevention" path. How hard (and I don't mean this in a ironic/hostile/rude manner...just asking) is it to develop virtual protection against this? I mean, I would like that Returnil remains being the excelent virtualization software that it is now. For execution protection one can have a HIPS or AE, etc. Personally I prefer an app that does the work it's intended to do in an excelent manner, instead of filling gaps with different features.
I hope Returnil doesn't become a Suite in the future or changes it's main objective.

2.- (off topic):

Would you like to elaborate on this? maybe in another thread in order to not hijack this one.

 

thanks. got it and had a short try. it is almost same as a RobotDog which crash the ISR market in china.

There are too many way to bypass the ISR as I know.

1) direct I/O to the disk port.
2) send SATA command to the disk.
3) replace the volume filter stack
....

It is not news since 2007. I can simply bypass any ISR with sectorEditor. but with any HIPS/AE even limited account, it will be stopped.

 

Do you mean manipulating the storage stack?

The most powerful protection

 

I am not a kernel programer, but I think yes.

I just tested the SD 262 with CleanMBR. it can still bypass the lastest SD.

I found SD never protect the MBR, it just backup/restore the MBR every per second. the new CleanMBR can casue a BSOD and prevent any restore opeartion.

 

Does SRP stop cs.exe from executing?

Thank you.

 

i think is best to combine AE or Executable Lockdown from hds ... it will over come all DOGS and other nasty we been talk can bypass sd returnil or isr software.

for my point of view this is not realy bypass coz SD/DF/RETURNIL should return pc to his state on reboot....if it do it (recover/restore 100% data ) it do what he made for. malware arent part of the deal , they attack pc`s , no matter what software they hold


chers

 

Thats exactly the point... malware is still there after reboot

 

just use Geswall or VBA32 and quit worrying. Enjoy the weekend, not the malware creators.

 

Hi, my QQ friend:

I am entirely objected to your views:

Firstly, Just look into mirror to see whether you are just as ugly(absurd) as those people you referred ? then fire your shots. eh?

Secondly, making virus to attack rivals' products or posting negative comments towards rivals' programs are not new. A friend of my friend(sounding very much distant ?) just completed a tour of duty for working rivals of his true, nothing but true lord. Can you image the magnitude of success/damage (depending on how you to measure this) of his daring mission.

Stay open minded, my friend. The nationality should not be in Wilders' vocabulary, at least not in any average High tech people(with reasonable level of IQ)'s minds.

You read English here, any posting or program presented in working English should be all right as well.

 

This has already been asked once but I don't think it was ever answered... which AV, HIPS, AS, behavior blockers can stop cs.exe and prevent it from ever having the chance to bypass the virtualization softwares in the first place?

How many other malwares are out there right now that are known to be able to bypass virtualization softwares?

 

I think it,s a new cat n mouse game.

ISRs versus Dog malware

The best n easiet way for me is that. I will install a specially configurable HIPS( like EQS) with ISR. The HIPS will dent by default the install of any new service, any new driver and any direct disk access etc. Every other action will be allowed by default. Zero pop ups in both cases. Nowur ISR might be immune to all such Dogs.

Nore interestingly ISR can have a built in HIPS especially configured for these needs with no pop ups and some extra options for power users. The limited HIPS part might not be a part of default install of ISR.

 

By the way I think all such dogs who defeat ISRs will usually fail against sandboxes/ HIPS etc due to very nature of their actions.

 

Hopefully TF is able to stop this type of malware as well.

 

The dogs can only bite a few, after their found, Look Out! The DogCatcher is coming!

 

Hi, well said, except...

some top rated ones may be not that smart or that-not-stubborn.

Enlisting services of multilanguage scouts may be able to spot the first sign of new-born puppy. eh ?