cs.exe has "bypassed" all latest version of RVS2008, ShadowUser and PowerShadow

Discussion in 'sandboxing & virtualization' started by nanana1, Jun 12, 2008.

Thread Status:
Not open for further replies.
  1. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    Hi Tony, welcome back to the forums. I am still hunting for a job. How much will you pay me if I post a thread like nanana1?

    BTW, Is this your thread?

    http://www.cnsw.org/bbs/viewthread.php?tid=75160&page=1#pid281625

    That guy admitted he had copied others' code/manual/website, yes?
     
  2. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
  3. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    As the thread starter, this is for the benefit of everyone who is concerned with the security of their system. Tony has contributed as much to this forum's objective of better and improved security software as ColdMoon, etc.

    QQ2595 is knowledgeable on this subject matter based on his previous posts but let's all be constructive on our comments. To allege that someone made this virus based on conjecture and induction processes is not helpful at all.:rolleyes:

    SD did concede that he followed SU's manual, etc., likely due to English language proficiency, but as clearly stated by StorageCraft (SU developer) on this forum when SD was first introduced, SD did NOT copy SU's code or violate SU's IP.:cool:

    QQ2595 may never care, but it would be a loss to others if Tony had not developed SD, so let's be constructive and positive in our comments.:thumb:

    PS. I am NOT related to SD or Tony in any way nor do I seek to be "paid" in this thread as QQ2595 has suggested.*puppy*
     
  4. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    This is absurd and irrelevant!:ninja:
     
  5. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    After googling some Chinese forums, I found so many absurd threads from the same people. :D

    In China, there are many interesting people like Mj0011. They make viruses to attack their competitors' products and post threads with titles similar to this one in their competitors' support forums.:thumbd:
     
  6. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    This is old wine in a new bottle; ever heard the similar line that AV software developers paid people to write and post viruses so that they could sell more AV software? Whether in China or not doesn't matter.:cool:

    If you look back at this forum, this first thread about cs.exe is the one that mentions SD being "bypassed".:p

    Anyway, we're off topic. Let's stick to the main concern here, which is to make such security software able to withstand any virus, malware and trojans as they show up:ninja:
     
  7. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    What is the link, please?
     
  8. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
  9. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
  10. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    PM sent !
     
  11. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    So the bottom line so far is that several virtualization apps such as Returnil are bypassed by this, but from what I understand, sandboxes (GesWall, DW, and SBIE) seem to protect well against this.

    I have 2 questions:

    1.- Mainly addressed to Coldmoon:
    Since the "dogs" came out, I see that Returnil is heading down the "execution prevention" path. How hard (and I don't mean this in an ironic/hostile/rude manner... just asking) is it to develop virtual protection against this? I mean, I would like Returnil to remain the excellent virtualization software that it is now. For execution protection one can have a HIPS or AE, etc. Personally I prefer an app that does the work it's intended to do in an excellent manner, instead of filling gaps with different features.
    I hope Returnil doesn't become a Suite in the future or change its main objective.

    2.- (off topic):
    Would you like to elaborate on this? Maybe in another thread, in order not to hijack this one.
     
  12. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    Thanks. Got it and had a short try. It is almost the same as RobotDog, which crashed the ISR market in China.

    There are too many ways to bypass the ISR, as far as I know.

    1) direct I/O to the disk port.
    2) send SATA command to the disk.
    3) replace the volume filter stack
    ....

    It has not been news since 2007. I can simply bypass any ISR with sectorEditor, but with any HIPS/AE, or even a limited account, it will be stopped.:argh:
     
  13. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Do you mean manipulating the storage stack?
    The most powerful protection :)
     
  14. QQ2595

    QQ2595 Registered Member

    Joined:
    Jan 6, 2008
    Posts:
    159
    I am not a kernel programmer, but I think yes.

    I just tested SD 262 with CleanMBR. It can still bypass the latest SD.

    I found SD never protects the MBR; it just backs up/restores the MBR every second. The new CleanMBR can cause a BSOD and prevent any restore operation.
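    The backup-and-compare idea described in this post, worked through as an added example for readers of the thread; this is not code from ShadowDefender or from any other product named here. It parses the classic 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510), keeps a baseline, and reports what changed. The helper names (parse_mbr, compare_mbr, build_sector) and the three sample sectors are mine and constructed; nothing is read from a real disk. The caveat the post itself raises still applies: a check that runs in user mode, or that only restores after the fact, cannot stop a kernel-mode writer and can be defeated by crashing the machine before the restore runs, so this is detection and audit logic, not a protection layer.

    ```python
    """MBR integrity check: baseline a 512-byte boot sector, then detect tampering.

    Added example, not code from the thread or from any product mentioned in it.
    Assumes the classic MBR layout (446 bytes bootstrap code, 4 x 16-byte partition
    entries at offset 446, 0x55AA at offset 510). All sample sectors are constructed.
    """
    import hashlib
    import struct

    SECTOR_SIZE = 512
    PART_TABLE_OFFSET = 446
    PART_ENTRY_SIZE = 16
    SIG_OFFSET = 510
    BOOT_SIGNATURE = b"\x55\xaa"


    def parse_mbr(sector: bytes) -> dict:
        """Split an MBR sector into a code hash, the four partition entries and the signature."""
        if len(sector) != SECTOR_SIZE:
            raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
        entries = []
        for i in range(4):
            off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
            # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
            status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
                "<B3sB3sII", sector[off:off + PART_ENTRY_SIZE])
            entries.append({
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
        return {
            "code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": entries,
            "signature_ok": sector[SIG_OFFSET:SIG_OFFSET + 2] == BOOT_SIGNATURE,
        }


    def compare_mbr(baseline: bytes, current: bytes) -> list:
        """Return human-readable findings; an empty list means the MBR is unchanged."""
        base, cur = parse_mbr(baseline), parse_mbr(current)
        findings = []
        if not cur["signature_ok"]:
            findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
        if base["code_sha256"] != cur["code_sha256"]:
            findings.append("bootstrap code modified (bytes 0-445)")
        for i, (b, c) in enumerate(zip(base["partitions"], cur["partitions"])):
            if b != c:
                findings.append(f"partition entry {i} changed: {b} -> {c}")
        return findings


    def build_sector(code: bytes, partitions, signature=BOOT_SIGNATURE) -> bytes:
        """Constructed helper: build a test MBR from code bytes and (bootable, type, lba, count) tuples."""
        sector = bytearray(SECTOR_SIZE)
        code = code[:PART_TABLE_OFFSET]          # never let code spill into the partition table
        sector[:len(code)] = code
        for i, (bootable, ptype, lba, count) in enumerate(partitions):
            off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
            sector[off:off + PART_ENTRY_SIZE] = struct.pack(
                "<B3sB3sII", 0x80 if bootable else 0, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        sector[SIG_OFFSET:SIG_OFFSET + 2] = signature
        return bytes(sector)


    # Constructed baseline: one bootable NTFS-type (0x07) partition starting at LBA 2048.
    BASELINE = build_sector(b"\xfa\x33\xc0\x8e\xd0" * 40, [(True, 0x07, 2048, 409600)])
    # Constructed sector whose bootstrap code was overwritten but whose table is intact.
    TAMPERED_CODE = build_sector(b"\x90" * 446, [(True, 0x07, 2048, 409600)])
    # Constructed sector whose partition table and signature were wiped.
    WIPED = build_sector(b"\xfa\x33\xc0\x8e\xd0" * 40, [], signature=b"\x00\x00")


    if __name__ == "__main__":
        for name, sector in [("baseline", BASELINE), ("tampered", TAMPERED_CODE), ("wiped", WIPED)]:
            print(name, compare_mbr(BASELINE, sector) or ["no change"])
    ```

    On a real system the baseline would be taken once from a known-good state and stored off the protected volume, and the current sector read through the OS's raw-disk interface; comparing only a hash of the whole sector would tell you that something changed, whereas splitting out code and table, as above, tells you what changed.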
     
  15. Trespasser

    Trespasser Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    1,204
    Location:
    Virginia - Appalachian Mtns
    Does SRP stop cs.exe from executing?

    Thank you.
     
  16. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    I think it is best to combine AE or Executable Lockdown from hds ... it will overcome all DOGS and the other nasties we have been talking about that can bypass SD, Returnil or ISR software.

    From my point of view this is not really a bypass, because SD/DF/Returnil should return the PC to its state on reboot.... If it does that (recovers/restores 100% of the data) it does what it was made for. Malware isn't part of the deal; it attacks PCs, no matter what software they hold.


    Cheers
     
  17. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    That's exactly the point... the malware is still there after reboot.
     
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Just use GesWall or VBA32 and quit worrying. Enjoy the weekend, not the malware creators.:p
     
  19. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, my QQ friend:

    I entirely object to your views:

    Firstly, just look into the mirror to see whether you are just as ugly (absurd) as those people you referred to, then fire your shots. Eh?

    Secondly, making viruses to attack rivals' products or posting negative comments about rivals' programs is not new. A friend of my friend (sounding very much distant?) just completed a tour of duty working for rivals of his true, nothing but true lord. Can you imagine the magnitude of success/damage (depending on how you measure this) of his daring mission?

    Stay open-minded, my friend. Nationality should not be in Wilders' vocabulary, at least not in the minds of any average high-tech people (with a reasonable level of IQ).

    You read English here, any posting or program presented in working English should be all right as well.
     
  20. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    916
    This has already been asked once but I don't think it was ever answered... which AV, HIPS, AS, or behavior blockers can stop cs.exe and prevent it from ever having the chance to bypass the virtualization software in the first place?

    How much other malware is out there right now that is known to be able to bypass virtualization software?
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    I think it's a new cat and mouse game.

    ISRs versus Dog malware

    The best and easiest way for me is this: I will install a specially configurable HIPS (like EQS) with the ISR. The HIPS will deny by default the install of any new service, any new driver and any direct disk access, etc. Every other action will be allowed by default. Zero pop-ups in both cases. Now your ISR might be immune to all such Dogs.

    More interestingly, an ISR could have a built-in HIPS specially configured for these needs with no pop-ups and some extra options for power users. The limited HIPS part might not be a part of the default install of the ISR.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    By the way, I think all such dogs that defeat ISRs will usually fail against sandboxes/HIPS etc. due to the very nature of their actions.
     
  23. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    916
    Hopefully TF is able to stop this type of malware as well.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    9,868
    Location:
    U.S.A. (South)
    The dogs can only bite a few; after they're found, Look Out! The DogCatcher is coming! :D
     
  25. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, well said, except...

    some top-rated ones may not be that smart, or not that stubborn.

    Enlisting the services of multi-language scouts may make it possible to spot the first sign of a new-born puppy, eh?
     