ai~ even Appdefend can't defend the disk bomb...

Discussion in 'Ghost Security Suite (GSS)' started by crazy4stef, May 19, 2006.

Thread Status:
Not open for further replies.
  1. crazy4stef

    crazy4stef Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    14
    Last week, I received a virus named KillDisk.

    I wanted to know whether AppDefend could protect my computer from this dangerous virus. Finally, AppDefend failed... I had to redistribute my harddisk, all my data on the disk is gone...

    I tested the virus again in a virtual machine (VMware); I ran the virus under Sandboxie. Sandboxie can't prevent it either...

    Is there any software, except antivirus software, that can prevent it from demolishing my system?

    Thanks a lot.
     
  2. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    You have to understand that AppDefend only monitors certain behaviors that are common to malware. This includes accessing the net, or trying to hijack or kill another process.

    If your malware deletes the disk at a specific time, then I am sorry, but deleting files or doing something like a format is not a behavior monitored by AppDefend.
    However, the timing part... would require either an autostart entry or a scheduler entry, which should be caught by RegDefend.


    This is because it's not the role of Sandboxie / AppDefend to monitor disk access.

    I'd say no. A virus that only checks the date and deletes files triggers nothing suspicious. Unless there is a program that counts the number of files deleted, but that is just like... oops, it's half too late.

    You have to know that the program is malicious to stop it. And I guess only an antivirus would have caught a program that shows no special behavior.

    However, YOU should have been able to stop it yourself when you realised it was autostarting, or whatever way it uses to trigger at that specific time.
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Yes - Windows itself. Don't use the Administrator user unless you have to. Had you run any file-deleting malware under a limited user account, it would have been blocked (by NTFS file-permissions) from deleting critical system files.

    I would advise going a step further and setting Write permissions to Deny for all Limited Users on the Windows\WINNT folders - this means that virtually all program installs have to be run as Admin, but it would protect your Windows install (not your programs or data mind) from being wiped in this way.

    If you run as Administrator by default, you are effectively throwing away Windows' own security mechanisms. There is, unfortunately, a conflict in that AppDefend cannot be controlled from a limited user account (which apparently will be addressed in the next version), but this extra level of security is still very much worthwhile.
     
  4. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    whatever the "killdisk" file was, didn't you have to give it permission to run? wouldn't first windows ask you if you want to allow the file to run, and then wouldn't appdefend ask you again if you wanted to allow the file to run?
     
  5. herbalist

    herbalist Guest

    crazy4stef,
    Do you still have that disk bomb? I've been testing System Safety Monitor for some time with the worst I can find and would like to see what it could do against that.
    Rick
     
    Last edited by a moderator: May 21, 2006
  6. tlu

    tlu Guest

    P2K, I know that you're running Windows 2000, and I don't remember how the situation is there. On Windows XP users do not have write permissions for the Windows folder (with some exceptions) by default.

    Well, there's a solution - see https://www.wilderssecurity.com/showpost.php?p=740211&postcount=8
     
  7. crazy4stef

    crazy4stef Registered Member

    Joined:
    Aug 26, 2005
    Posts:
    14
    I'm so sorry that my English is poor. When it comes to expressing myself exactly, it is a little difficult for me. But I can understand what you posted.


    The disk bomb will overwrite the Partition Table of your harddisk. Then your computer will fail to boot. This virus overwrites the critical sector of the harddisk at cylinder 0, head 0, sector 1, not a directory like "C:\Windows".
    If you don't have a backup of your harddisk, the information in the Partition Table would be difficult to find back.

    I knew it was a virus before I executed it; what's more, I turned off the monitor of GData AntiVirusKit. What I am concerned about is whether, after executing the virus, AppDefend or any other software will detect its dangerous action and block it.

    To herbalist: I had tested the virus under SSM. SSM can detect the API it called, but didn't block it. :(

    Link removed. No links to malware on these forums please. - Ron - See the Terms of Service
     
    Last edited by a moderator: May 21, 2006
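Added example, not part of the original thread or any poster's code: the post above places the partition table in the first sector of the disk and notes that it is hard to get back without a backup. This Python sketch checks a saved 512-byte copy of that sector against a baseline hash and sanity-checks the four partition entries; the function names and the sample sector are constructed for illustration, and it assumes a sector dump has already been taken.

```python
import hashlib
import struct

TABLE_OFFSET, ENTRY_SIZE, SIGNATURE = 446, 16, b"\x55\xaa"

def parse_partitions(sector):
    """Return the non-empty entries of the four-slot MBR partition table."""
    parts = []
    for slot in range(4):
        start = TABLE_OFFSET + slot * ENTRY_SIZE
        raw = sector[start:start + ENTRY_SIZE]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, LE) count(4, LE)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:
            parts.append({"slot": slot, "status": status, "type": ptype,
                          "lba": lba, "sectors": count})
    return parts

def check_mbr(sector, baseline_sha256=None):
    """Return a list of findings; an empty list means the sector looks intact."""
    if len(sector) != 512:
        return ["sector is not 512 bytes"]
    findings = []
    if sector[510:512] != SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(sector)
    if not parts:
        findings.append("partition table is empty")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"slot {p['slot']}: invalid boot flag")
        if p["lba"] == 0 or p["sectors"] == 0:
            findings.append(f"slot {p['slot']}: zero start or length")
    ordered = sorted(parts, key=lambda p: p["lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba"] + a["sectors"] > b["lba"]:
            findings.append(f"slots {a['slot']} and {b['slot']} overlap")
    if baseline_sha256 and hashlib.sha256(sector).hexdigest() != baseline_sha256:
        findings.append("sector differs from saved baseline")
    return findings

def build_sample_mbr():
    """Constructed sample: one active NTFS (0x07) partition starting at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 4_000_000)
    return bytes(446) + entry + bytes(48) + SIGNATURE

GOOD = build_sample_mbr()
BASELINE = hashlib.sha256(GOOD).hexdigest()   # store this next to the backup copy
WIPED = bytes(512)  # constructed: what an overwritten first sector looks like
```

Keeping the baseline hash and the sector copy off the monitored disk is what makes the comparison useful after the table has been destroyed.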
  8. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I presume for XP you mean Limited Users rather than Administrator/Owners? If so, then this would parallel Win2K.

    I should point out that there is a difference between not having Write permissions and setting Write permissions to Deny. The latter will stop the creation of new files/folders while the former (in my testing) did not. However users must have write access to the Windows pagefile so don't set this to Deny. ;)
     
  9. herbalist

    herbalist Guest

    crazy4stef,
    Thanks for making that available. Hopefully in the next day or so I can load my test setup and see what happens with it.
    Rick
     
  10. tlu

    tlu Guest

    Yes, of course, I meant limited users. ;)

    Indeed. As a matter of fact I can't create files/folders in c:\Windows as a limited user. I can remember that I read somewhere at the time when WinXP was issued, that user permissions were tightened compared to W2K.
     
  11. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi crazy4stef,

    When I test your KillDisk file against AppDefend, AppDefend is always able to block its execution. If I allow it to execute, however, KillDisk will do its damage to the MBR. Beyond execution protection, AppDefend will not protect you. Regarding SSM, according to posts in their forum, defeating KillDisk's methods is now a top priority.

    Nick
     
  12. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Nick S. i can confirm that geswall and bufferzone stop killdisk cold. geswall i tested myself and bufferzone, the developers tested and told me it stops it. regarding bufferzone i'm ASSuming all 3 versions defend against killdisk (free, home, and corporate). i pmed the dev and i'll update this post when he replies.

    edit and update:

    all 3 versions of bufferzone stop it.
     
    Last edited: May 29, 2006
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Are you running only AppDefend, or do you have RegDefend as well??

    Ideally, you'd want to run both GSS components. RegDefend would probably have prevented the driver from being registered to the system.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  15. ChanWai

    ChanWai Registered Member

    Joined:
    May 30, 2006
    Posts:
    4

    This virus doesn't add any driver to the system. It only destroys the partition table of the HD.

    To aigle:

    I tested it with the latest version of Sandboxie (2.4), but it didn't stop it!

    I will test it with BufferZone again and post the picture soon.
     
  16. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    chanwai, the bufferzone devs told me it stops killdisk (all 3 versions: free,home, and corporate).
     
  17. ChanWai

    ChanWai Registered Member

    Joined:
    May 30, 2006
    Posts:
    4
    I forgot it. Sandboxie 2.3 can't stop it. If sandboxed under version 2.4, this virus returns before it can do its harm to the HD, as it will detect its CRC check; it will return if the CRC check errors. This doesn't really mean Sandboxie prevents it, right?
     
  18. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    You don't need a driver; an executable alone can wipe out the MBR, if running as Admin.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I can't say anything, but it was the claim of the author on the Sandboxie forum.
    As he stated, I guessed the virus ran but could not do damage.
    It will be better if u can post in this thread and give us a follow up post.

    http://sandboxie.com/phpbb/viewtopic.php?t=305

    U don't need to register, u can post as guest.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,038
    Location:
    The Netherlands
    But when you think of it, it's kind of strange that not a single HIPS is able to prevent the damage done by this virus, and I've also noticed that most HIPS do not monitor changes to the file system, so there is definitely room for improvement. :shifty:
     
  21. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Tiny2005 would stop it I guess
     
  22. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    The moral of the story is: Backup, because it's your true last line of defense.
     
  23. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    has anyone tested it against tiny? i would love to see the results of that test.
     
  24. ChanWai

    ChanWai Registered Member

    Joined:
    May 30, 2006
    Posts:
    4
    The result of Tiny Personal Firewall:

    I ran it with reverse model, but Tiny didn't show any alert.
     
  25. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    so that means tiny didn't stop it? i've never used tiny before :)
     