Malware bypassed ShadowSurfer

Not a suprise but i thought it might be of interest to some people here.
I tried this under shadow mode of shadow surfer. Some parts of this malware survive the reboot and after reboot malware uses some applications on your system or your browsers to download loads of malware. It's nasty. Still i can't find the actual piece of malware that survives the reboot and manipulates browsers or trusted applications to download tons of malware.
Wil post more about it later as i am out of my home now.

 

I'd be interested to know if this malware also bypass Sandboxie, DefenseWall, Shadow Defender, Returnil.

 

Ok, I can confirm the bypass with ShadowSurfer.
GesWall could not be bypassed.
Will test CFP also. More i will not be able to do ATM. Any one if can try it pls with:

ShadowDefender
Returnil
SBIE
DW
MD
etc

I have no VM. So difficult n time consuming with to do this testing with the help of imaging only. PM me for sample pls. Don,t ask it on forums.

Thanks

 

What you discovered sounds rather ominous. I look forward to your discovery (hopefully) of the malware that survived the reboot.

 

What kind of malware? Do you have the name of it? Go ahead and PM me...I'll test Outpost.

Thanks,
Toby

 

Ha ha ... Toby u gave me that. Just run it via cmd.exe.

 

Are you gonna thank me for that?? Just Kiddin

Toby

 

Are you gonna thank me for testing it in this way?

Thanks any way, Very clever piece of malware. I love it.

BTW it has more bypasses but of some different kind. In another thread.

 

Of course - Thank You. We all appreciate the testing that you do!

 

What thread? Any links?

 

That thread still to come. If i am true there is a malicious behavior bypassing CFP, GW and OA. But i can't be sure unless more people wil test and confirm my findings. I have done the testing and taken all the pictures to explain. I am too busy and might need a week or so to compile it and then, by Allah's will, i am going to post that thread.

 

Ok cool!

 

Any one going to test this malware. Here is how you can reproduce this issue. Run the malware in shadow mode. Allow all prompts by your HIPS, if you have any. Malware wil make many registry changes, wil get debug privileges, wil copy some dlls. May be some service and driver install and direct disk ascess too. It wil try for outbound access too, just deny that.

Most important it wil copy a hidden autorun.inf file and a hidden .pif executable on all partitions/ disks or attachede USB flash sticks. When it,s done, just reboot your system.

After reboot you wil not find any visible files on your system as they wil be wiped away by the shadow surfer.

Now just run your browser and browse the internet for few minutes. Keep your HIPS watching the system. If all goes well, soon you might see some trusted appliction trying for outbound access that it should never do. If allowed it wil download tons of malware and execute them. Also you might find your browser or some trusted application on system trying to make a lot of registry changes.

Still i am puzzled and failed to understand that which malware component survives the reboot and after reboot manipulates browsers or some trusted applicatins to go outbound and download the crap. Sure it,s a root kit but i can't detect/ catch it.

I wil post some screen shots later when i am home.

 

If it has direct disk access then no wonder it can defeat your virtualiser. How exactly is OA bypassed if you allow all HIPS prompts?

 

As promised some of the pop up alerts by CFP.

 

More from CFP.

 

Rootkit scan before a reboot in shadow mode.

 

And finally geswall, seems angry red.

 

Wait for my second thread pls. I am not so sure about that issue indeed.

 

I attempted to run two of them sandboxed inside the VBox guest, that only resulted in error pop-ups. No damage done. So I ran the same two independently inside the VBox guest un-sandboxed and oh man the results were destructive The malware caused the VBox guest to shutdown. When I tried to re-start the current state I was greeted with an ominous "Invalid partition table" message (see screenshot). However, all I had to do was revert to the current snapshot (see screenshot) and all is well again, so VBox seems, so far anyways, to prove its worthiness

 

I launched the .x and .z files from the desktop and they both crippled the VBox' partition table. it seems to me the malware did a pretty good job of destruction in these tests, although maybe the partition tables could be restored with a Windows disk. Should they have been run via cmd line?

Anyways, I will try some more.

*EDIT*

I tried the same two from the desktop this time under my limited account. Both attempts resulted in errors with no subsequent damage. The virtues of a limited account seem to come through here.

 

One of the others launched via cmd line: see screenshots. I chose "Ignore" even though that is something in reality (non testing) I might not have done. These are not even HIPS-triggered alerts. The second one should pretty obviously trigger a red alert. The system again shut down and once again upon trying to restart the current state of VBox I was greeted with "Invalid partition table" message. BTW, trying to run them via cmd line under lua results in nothing happening. Score another point for lua

*EDIT*

the ".C" malware was a little nastier under lua; the whole VBox guest desktop froze, although I was able to finally close the machine using Process explorer. The current state started up again, but just to be safe, I restored the current snapshot. This VBox is excellent for instantly restoring normalcy again

 

Hi wat, sorry sent u wrongle samples. Check ur PM. I am sorry again. Actually some one asked for killdisk too at the same time. So many PMs and I was in hurry.

 

hey, no worries aigle This just gives something extra to test, but after this, I think that's it for me. I don't want to spend too much time at this (testing malware), nor make it a hobby. It's a bit too addictive - LOL!

Thanks again!