New sandbox/virtualization bypass under ring3

Discussion in 'sandboxing & virtualization' started by R8y, Dec 22, 2007.

Thread Status:
Not open for further replies.
  1. R8y

    R8y Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    33
    Location:
    South Africa
    Bypass such protection without using any drivers. Works in Ring3 and will destroy the first 4 KB of data on the HD. Don't want to test it on my PC, still need it for Christmas :eek:
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I've been trying to search for this sample for the past 3 hours... without success. If you have it, send it to me via PM, and I'll be more than happy to test it out.
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    I've just found a copy of this.

    ThreatFire has zero capability to protect against low-level write access, and fails, as expected.

    Returnil 1.7.0.7502 is immune to this attack.
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Solcroft,
    Can you test it against Sandboxie and GeSWall?
    What's the difference between this and KillDisk?
    Thanks :)
     
  5. R8y

    R8y Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    33
    Location:
    South Africa
    Solcroft only has ThreatFire and Returnil. But I know Sandboxie passed this test.
    This is just a friendly POC; I have noticed that there's a better version which will bypass all HIPS and virtualization software/hardware currently available. And yes, I don't have a copy of this one because it costs USD 50,000 :oops:
     
    Last edited: Dec 22, 2007
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The difference between this one and KillDisk is that this one claims to bypass ISR software, right from ring3 without having to load any drivers, etc.

    Although after a bit of further analysis on this program, I'm beginning to wonder how far this claim is true.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Well, even if it is true, it wouldn't be the first time something like this POC has been compiled to work from userland, and in this case carry out maximum disruption from a higher level.
     
  8. herbalist

    herbalist Guest

    Could someone send me a copy of this? I'd like to test SSM with it.
    Rick
     
  9. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    I would also like a copy of this as I would like to test it against latest version of Returnil 2.0.0.2621 which protects against low level sector fills. PM me please thanks. :D
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Wow, that sounds really bad. And USD 50,000? Who are the buyers of this thing? :eek: :ninja: :ouch:
    This is why I asked. Judging by R8y's description, it doesn't seem more advanced than KillDisk to me :doubt:
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If it can be fixed with a simple restore of an image, it's not a disaster, just like Killdisk. If it is an executable, it won't have a chance either with AE on board.
     
  12. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I wonder if SafeSpace stops this thing.

    As far as the other one, that costs $50,000, who but Governments would want something like that, and what earthly reason would they have for wanting it? Kind of a rhetorical question, considering governments and the oxygen thieves we put in office.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You've forgotten, that Killdisk was not just a simple restore of an image. You needed some kind of tool, to delete the corrupted partition first.
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I didn't forget, that's why I have my zero tool. I've mentioned this more than once at Wilders and I have a partition software, just in case.
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    As a malware-writer, I would never write a destructive malware, that is stupid.
    You don't kill the goose with the golden eggs, you steal from it.
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    KillDisk is destructive malware, this is stealth malware.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    If it isn't destructive, my boot-to-restore will fix it.
     
  18. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'm not sure of that.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    PM this malware to me and I test it myself, then we are sure.
     
  20. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I really enjoy these type topics. :D

    Members scrutinize every single point and leave not a single stone unturned or some potential malware end result unimagined. And it puts our defenses to the ultimate tests, and from the looks of things we all enjoy a better measure of success against intrusions, even destructive ones, due in large part to these comparisons and discussions. Keep it up, these make this forum a PROVING GROUND of sorts for both us and vendors' claims. LoL

    PM me the sample too if you wish, now that you have attracted quite a flurry over this.
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I don't have a copy of it. PM R8y or solcroft.
    Also, if it overwrites the first 4 KB of data, it will kick FD-ISR out of the PBR.
     
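As an added example (not code from this thread, nor from any of the products named in it): the PoC under discussion is said to overwrite the first 4 KB of the disk, i.e. sector 0 (the MBR with its partition table) plus the seven sectors after it, which is where boot-time recovery loaders sit. The Python below parses that region and reports whether it still looks intact, and optionally compares it with a previously recorded digest so a changed boot area is noticed even when the signature and table survive. The sample disk head is constructed test data, all function names are my own, and the `\\.\PhysicalDrive0` / `/dev/sda` paths in `read_first_4k` are assumptions about where the raw device lives on the host (reading them needs administrator or root rights).

```python
import hashlib
import struct

SECTOR = 512
FIRST_4K = 8 * SECTOR           # the region the thread says the PoC destroys
MBR_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR
PART_ENTRY = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed 4 KB disk head: fake boot code, one NTFS partition, signature,
    and non-zero filler in sectors 1-7 (hypothetical recovery-loader area)."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (446 - 3)
    entry = struct.pack(PART_ENTRY, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2097152)
    empty = b"\x00" * 16
    sector0 = boot_code + entry + empty * 3 + MBR_SIGNATURE
    assert len(sector0) == SECTOR
    return sector0 + b"\xee" * (FIRST_4K - SECTOR)


def parse_mbr(data):
    """Return the MBR signature state and the non-empty partition entries of sector 0."""
    if len(data) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    sector0 = data[:SECTOR]
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            PART_ENTRY, sector0[off:off + 16])
        if ptype == 0:          # type 0 marks an unused slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"signature_ok": sector0[510:512] == MBR_SIGNATURE, "partitions": partitions}


def assess_first_4k(data, baseline_digest=None):
    """Check the first 4 KB for the damage pattern described in the thread:
    a wiped signature, an empty partition table, or an all-zero region.
    If baseline_digest (sha256 hex of a known-good head) is given, also flag any change."""
    head = data[:FIRST_4K]
    info = parse_mbr(head)
    digest = hashlib.sha256(head).hexdigest()
    findings = []
    if not info["signature_ok"]:
        findings.append("MBR signature missing")
    if not info["partitions"]:
        findings.append("partition table empty")
    if not any(head):
        findings.append("first 4 KB all zero")
    if baseline_digest is not None and digest != baseline_digest:
        findings.append("differs from baseline")
    return {"digest": digest, "partitions": info["partitions"],
            "findings": findings, "intact": not findings}


def read_first_4k(path):
    """Read the first 4 KB of a raw device or disk image. Assumed paths (not from the
    thread): r"\\\\.\\PhysicalDrive0" on Windows, "/dev/sda" on Linux; both need elevation."""
    with open(path, "rb", buffering=0) as f:
        return f.read(FIRST_4K)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = assess_first_4k(good)
    print("constructed head:", "intact" if baseline["intact"] else baseline["findings"])
    wiped = b"\x00" * FIRST_4K            # what the PoC is described as leaving behind
    print("wiped head:", assess_first_4k(wiped, baseline["digest"])["findings"])
```

Record `assess_first_4k(read_first_4k(path))["digest"]` on a clean system and re-run the check from a boot CD or a second machine after a test like the one in this thread; a product that really stops raw sector writes leaves both the digest and the partition table unchanged.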
  22. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That's good, then I can see if the rest works.
     
  23. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    561
    I'm still on powershadow 2.6 , I wonder how it would fare
    (no, I don't have a test machine to try it)?

    soccerfan
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Hello soccerfan

    Power Shadow loyal here too, and the same version i might add. I also team up SandboxIE & EQSecure 3.41 (HIPS) along with Snoopfree for good measure.

    Am anxiously curious to find that out myself. I'm relatively confident Returnil's latest version will stop it in its tracks, but someone needs to sample this piece of code against them first.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Post with potential malware link removed. Please don't post with links of malware.

    Pete
     