cs.exe has "bypassed" all latest version of RVS2008, ShadowUser and PowerShadow

Discussion in 'sandboxing & virtualization' started by nanana1, Jun 12, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yeah, that one is pretty rough. As much as I would like to investigate whether an alternative recovery method is possible another way, like say for instance, hypothetically (TestDisk) to re-write back the original partition, I just don't have the enthusiasm right now to blow another gasket with KillDisk only to have to pop the partition and go through an image recovery.

    That's why it looks to me there should be floating about someplace a small tool of sorts to either re-direct such a disruption or stop it completely without having to resort to an entire program really designed to perform other features like a simple virtual system-boot-to-restore.
     
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    I think TestDisk can indeed recover from a KillDisk attack. There was a forum member here who actually tested it (forgot his name, sorry) and PMed me back that TestDisk was able to recover the MBR. I believe this was confirmed on a wiki page devoted to TestDisk. If I find it I'll edit my message and include the link.

    hope that helped.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks zopzop

    I know during one of my malware testing sessions I completely lost a whole partition x3 but minus 1. I was at a loss to find it with everything I had on hand at my disposal. The very last resort I tried before I would finally give up was the CD PARTED MAGIC that has TestDisk on it.

    After a thorough scan it not only located the missing partition but re-wrote it back in its entirety, and to my knowledge 99% of all my programs and files were still intact and working fine. Just a small percentage seemed to have been tarnished, likely written over before I discovered it missing, which I presume means the malware I tested deleted that partition.

    Let us know if you get some confirmation on that, and I might just try that myself when I get up enough energy again to take a chance on running old KillDisk (dat dog)
     
  4. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    @easter

    OK, I just checked my PM folder and luckily I didn't erase the PM with the poster's name that was testing KillDisk vs TestDisk. His (her?) forum name is [suave]. You could PM him if you want, but he told me straight up he tested it and TestDisk recovered the MBR.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    That's a comforting confirmation. Thanks.

    If that's the same returned result each time then we're really on to something finally, I think, regarding MBR/Partition disruptors.

    Leave it to these Windows 98/Me programs that are considered by most far outdated to still come through with flying colors.

    Same thing for me with FileMapp byBB when it recorded a dropped rootkit hider file when nothing else detected it was even created, let alone residing on disk invisible. That was another Windows 98/Me app that still works like a charm on XP.

    EASTER
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Any updates? I am so curious! :eek:
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Be patient, my friend. :)
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    How long dear? :D
     
  9. testerazzi

    testerazzi Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    21
    Any news?
     
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Yes, use a Limited user account and block executables.
    Or as Mrk says, don't double click malware.
     
  11. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    ping aigle
    PMed
     
  12. soccerfan

    soccerfan Registered Member

    Joined:
    Oct 15, 2007
    Posts:
    560
    If this is not about Sandboxie, my apologies.
    If it is about Sandboxie, why the secrecy? Why not make it public?
    If not making it public, have you informed the developer (tzuk)?
    To repeat, if this is not about Sandboxie, my apologies.

    soccerfan
     
  13. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    I don't think it was about SandboxIE, it seems to be the only app that managed to NOT get fooled if I'm following the thread correctly.
     
  14. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    @dw426
    Meriadoc said earlier in this thread that he found a malware sample that escaped the sandbox.
    Maybe it was related to that.

    @Meriadoc:
    If it's about SBIE, we all want to know :D
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. Please empty your PM box, as I can't send you a PM. I do have it, BTW.
     
    Last edited: Jul 2, 2008
  16. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Wouldn't mind this exploit if someone could PM me please.

    Was this exploit picked up in the wild or deliberately created to bypass Sandboxie?
     
  17. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    @aigle
    I think you intended to quote Meriadoc, not me. Am I right?
     
  18. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    237
    I'm finding the ambiguity in some of these recent posts very confusing.

    1. Has malware been identified that escapes Sandboxie's containment? Yes or No?

    2. If so, then has someone contacted tzuk at Sandboxie? Yes or No?

    Perhaps the personal messages are to mitigate possible widespread damage caused by the malware if, in fact, it is escaping Sandboxie. But it would be good for all of us if we had clarity to the above two questions.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I would check the Sandboxie forum, but I believe the answer to 1) is no. And if there were, Tzuk would be aware by now.

    Pete
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You are right. I slipped. :D Corrected now.

    Thanks
     
  21. testerazzi

    testerazzi Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    21
    Interesting

    I would like to try this
     
  22. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Please be patient, no more requests yet please - I haven't even heard from tzuk.

    Because of my work commitments I have not had the time to even reverse anything. *I may even have something wrong with my install.* In a VM I had a BSOD and I've not had the time for a fresh install, so have a little patience and I will post later on, hopefully after I've had contact with tzuk.
     
  23. testerazzi

    testerazzi Registered Member

    Joined:
    Jun 13, 2008
    Posts:
    21
    OK,

    Thanks!
     
  24. sec15

    sec15 Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    4
    can you send me the download link of cs.exe?

    thanks
     
  25. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    sec15,

    We do not permit sharing of malware privately or publicly.
     