cs.exe has "bypassed" all latest version of RVS2008, ShadowUser and PowerShadow

Discussion in 'sandboxing & virtualization' started by nanana1, Jun 12, 2008.

Thread Status:
Not open for further replies.
  1. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    Only ShadowDefender version 1.1.0.261 is able to withstand the cs.exe malware at this time.:ninja:

    Any version lower than 261 has also been "bypassed".

    How's that for Tony's response :cool:
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Can you post some more details about it?

    Thanks
     
  3. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    That is great news but where can we download Shadow Defender version 1.1.0.261? It doesn't appear on Tony's site.
     
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Please more info on cs.exe. Sharpei/Gigabyte?
     
  5. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    Mods here dun allow direct download link. So you should be able to figure out how to download v 1.1.0.261 given the link address to download v1.1.0.259, ie. change a few numbers will work :p
     
  6. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    It was detected by my AV as a TrojanDownloader.NYX.Trojan and quarantined. Did not want to download it to cause me troubles.

    Be warned.
     
  7. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  8. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello nanana1,

    Out of curiosity, are you using NOD32? KAV? Thanks in advance.


    Peace & Gratitude,

    CogitoErgoSum
     
  9. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    NOD32 here :-*
     
  10. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Hi , you have OPEN PORTS ? Perfect solution : Seconfig XP .
     
  11. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello nanana1,

    Since you are using NOD32, the piece of malware that you encountered must have been Win32/TrojanDownloader.Agent.NYX.

    ~VirusTotal and\or Jotti link removed per Policy....Bubba~

    Peace & Gratitude,

    CogitoErgoSum
     
    Last edited by a moderator: Jun 12, 2008
  12. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi nanana1,
    The Anti-Execute plug-in in the 2.01 Premium Edition can stop this in its tracks. Please try a new test with the latest Beta.

    Thanks
    Mike
     
  13. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    It is claimed tht this version of Returnil Virtual System 2008 Premium Edition v2.0.1.7067 Beta has been "bypassed". Do you refer to this version ? If not, please provide build number.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Care to elaborate what you mean by "bypassed?"
    Mrk
     
  15. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    'bypassed" is the word that Perman chose to describe his cs.exe virus.
    More accurate is 'bypassed' = penetrated:p
     
  16. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Please send me a PM with the link to the executable so we can test your report.

    Thanks
    Mike
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    So, this virus has an implementation that can leave the virtual device sandbox and write to physical device. This means that the programs are not fullproof in enforcing this principle.

    This is similar to chroot jail it seems, and apparently the virtualization programs use more than the basic set of permissions and files needed to virtualize the layer.

    Mrk
     
  18. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    PM sent !
     
  19. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    nanana1, if you could try it with Geswall it would be greatly appreciated.
     
  20. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947

    Coldmoon,

    You may be right. RVS2008 may have been penetrated because the anti-execute plug-in may not have been properly set up. Anyway, it's good to test, are RVS free version compromised by this virus ?

    This affects only NTFS system, FAT O/S is safe from this.
     
    Last edited: Jun 12, 2008
  21. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi,
    As you can see from our test (see image), the Anti-Execute plug-in will flag this malware if it attempts to execute. You are correct however that the 2.0 series is vulnerable however.

    We added the AE and Auto-runs plug-ins in 2.01 to address issues with the dog Trojans. To date we have had a very positive response from testers in China regarding the effectiveness of these plug-ins against the dogs and other similar types of ISR bypass malware.

    Mike
     

    Attached Files:

  22. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    @coldmoon

    Will those protections be included in the next free version as well?
     
  23. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Firebytes,
    It is too early in the Public Beta for 2.01 to detail what will or will not be included in the Personal Edition when it is released. I have made sure though that your question is added to the discussion agenda and will be considered thoroughly.

    Mike
     
  24. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    Thanks nanana1, I have now successfully downloaded Shadow Defender v 1.1.0.261
    Tony sent me a link but as you said I could have worked it out.

    Thanks anyway
     
  25. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    903
    Thanks for adding it for consideration. I believe in the past you have stated that although the preminum version has extra features that critical security issues would be addressed in both the free and premium versions. I hope that mindset continues with Returnil.
     
Loading...
Thread Status:
Not open for further replies.