A Quick Rundown Of MBR Threats Protection

Discussion in 'other anti-malware software' started by EASTER, Feb 23, 2008.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    So how about a brief list of those apps that are 100% efficient against the likes of RobotDog, StealthMBR, Gromozon, etc. on the before hand.

    SandboxIE, latest Returnil, etc

    I think it would be a little more helpful to do a quick rundown for membership here instead of spreading topics of the successes all over the place.

    Some of you implement very different programs than mentioned above, so please present your findings with those apps how well you find them against the likes of such MBR infectors etc.

    And in fairness, what if any apps are effective AFTER these MBR infectors are allowed to run, if any.

    Thanks.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Most of Sandboxes like GesWall, DefenceWall, SafeSpace and Sandboxie will be successful.

    How about a list of MBR/ Deep Disk attacking malware/ POC etc:

    KillDisk
    MBR tool
    MBR rootkit
    Bypass dll
    Robodog trojan

    ?
    ?
     
  3. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Robodog does not modify the boot sector. It uses a driver to restore the SSDT hooks of boot-to-restore programs.
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Thanks aigle:

    And what about now Virtual programs since it's concluded Sandboxes are more than a match for these malware mentioned.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Solcroft! Did u try it against Eaz-Fix?
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Nope, sorry. I'm not familiar with that one.
     
  7. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Not sure! I am still waiting for his detailed response.

    Did he try to revert to a previous snapshot via pre-boot console? What were the results then?
     
  9. wat0114

    wat0114 Guest

    Hi solcroft,

    somewhere in another thread you mentioned Robodog downloads a trojan upon reboot. To your knowledge, will most two-way software firewalls alert on this attempt, or does Robodog typically accomplish this before the firewall loads and protects?

    Thanks in advance!
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Thanks solcroft for your explanation.

    RobotDog is more a destructor of ISR apps and pulls the sys driver (hooks) flat out of the line up rendering those apps gaping at nothing to act on. It also works on HIPS too no doubt.

    I'm more no worse for wear then since it doesn't do a KillDisk to the MBR, but that's almost as bad I suppose. One would likely need to reinstall again their ISR after they pulled the remnants of its supporting crew, whatever they may be.

    EASTER
     
  11. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Trojans, actually.

    It's kind of hard to answer that question, as different variants of Robodog insert themselves into different startup entries, ranging from the Startup folder to sticking a dll into svchost.exe IIRC. That, and I'm a firm believer of the uselessness of outbound protection on my computer (I use only the inbuilt XP firewall).

    In other words, I don't really know. :D
     
  12. wat0114

    wat0114 Guest

    No problem, thanks! I suppose that's where the HIPS, either built-in to the fw or a separate product, could *hopefully* alert on the dll injection. Further to that, I have very restrictive rules on svchost.exe where it's allowed access to only MS update servers on ports 80 & 443, time server on 123, dns to specific ISP ip on 53 and localhost connection. I would think that even if the dll injection was successful the fw would still alert on svchost attempting the IIRC connection?
     
    Last edited by a moderator: Feb 26, 2008
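The per-process allowlist wat0114 describes above (svchost.exe limited to update servers on 80/443, a time server on 123, one ISP resolver on 53, and loopback) can be expressed as a small default-deny policy and replayed over connection records, which shows why a rule bound to the process image still fires when an injected dll, rather than the legitimate service, opens the socket. The code below is an added example, not something posted in this thread or shipped by any firewall product; the host-name suffixes, the resolver address and the log lines are constructed for the demonstration.

```python
"""Default-deny evaluation of per-process outbound firewall rules (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    process: str          # image name the rule is bound to
    remote: str           # ".suffix" host match, exact host name, or IP/CIDR
    ports: Tuple[int, ...]  # empty tuple = any port
    proto: str            # "tcp" or "udp"


@dataclass(frozen=True)
class Connection:
    process: str
    proto: str
    host: str             # name the process resolved, "" if it connected by IP only
    ip: str
    port: int


# Constructed allowlist mirroring the post. The host-name suffixes and the
# resolver IP (203.0.113.53, documentation range) are assumptions, not real policy.
SVCHOST_RULES = (
    Rule("svchost.exe", ".windowsupdate.com", (80, 443), "tcp"),
    Rule("svchost.exe", ".update.microsoft.com", (80, 443), "tcp"),
    Rule("svchost.exe", "time.windows.com", (123,), "udp"),
    Rule("svchost.exe", "203.0.113.53", (53,), "udp"),
    Rule("svchost.exe", "127.0.0.0/8", (), "tcp"),   # loopback, any port
    Rule("svchost.exe", "127.0.0.0/8", (), "udp"),
)


def _remote_matches(rule_remote: str, conn: Connection) -> bool:
    """IP/CIDR rules match on the destination address; name rules on the resolved host."""
    try:
        net = ipaddress.ip_network(rule_remote, strict=False)
        return ipaddress.ip_address(conn.ip) in net
    except ValueError:
        pass                                     # not an address, treat as a host name
    if rule_remote.startswith("."):              # suffix match; leading dot blocks "evilwindowsupdate.com"
        return conn.host.lower().endswith(rule_remote.lower())
    return conn.host.lower() == rule_remote.lower()


def is_allowed(conn: Connection, rules: Iterable[Rule] = SVCHOST_RULES) -> bool:
    """True only if some rule for this image, protocol, port and remote matches."""
    for r in rules:
        if r.process.lower() != conn.process.lower() or r.proto != conn.proto:
            continue
        if r.ports and conn.port not in r.ports:
            continue
        if _remote_matches(r.remote, conn):
            return True
    return False                                 # default deny: unlisted traffic is flagged


def parse_line(line: str) -> Connection:
    """Constructed record format: <process> <proto> <host or -> <ip> <port>."""
    process, proto, host, ip, port = line.split()
    return Connection(process, proto.lower(), "" if host == "-" else host, ip, int(port))


def flagged(lines: Iterable[str], rules: Iterable[Rule] = SVCHOST_RULES) -> List[Connection]:
    """Return the connections the policy would block or alert on."""
    rules = tuple(rules)
    return [c for c in map(parse_line, lines) if not is_allowed(c, rules)]


# Constructed connection records: the first four are legitimate service traffic,
# the last three are what a foreign module inside svchost.exe might attempt.
SAMPLE_LOG = [
    "svchost.exe tcp download.windowsupdate.com 198.51.100.10 80",
    "svchost.exe udp time.windows.com 198.51.100.20 123",
    "svchost.exe udp - 203.0.113.53 53",
    "svchost.exe tcp - 127.0.0.1 49152",
    "svchost.exe tcp - 198.51.100.99 80",            # allowed port, unknown host
    "svchost.exe tcp irc.example.net 198.51.100.77 6667",
    "svchost.exe udp - 198.51.100.5 53",             # DNS to a resolver not on the list
]

if __name__ == "__main__":
    for c in flagged(SAMPLE_LOG):
        print(f"ALERT {c.process} {c.proto} -> {c.host or c.ip}:{c.port}")
```

The point the evaluator makes is that the rule keys on the image name, protocol, port and destination, not on which code inside the process made the call, so the third and fifth records are flagged even though port 80 and port 53 are permitted to other destinations. The weak spot is the name-based rules: they depend on the host name the process resolved, so a policy that pins the resolver to one address (the 203.0.113.53 rule here) is what keeps those suffix matches honest.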