cs.exe has "bypassed" all latest version of RVS2008, ShadowUser and PowerShadow

Discussion in 'sandboxing & virtualization' started by nanana1, Jun 12, 2008.

Thread Status:
Not open for further replies.
  1. tlu

    tlu Guest

    Not needed. A LUA/SRP approach does the same reliably.
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Indeed. YEP!

    Just found that out myself today.

    I set aside a hard drive to throw everything at, including the kitchen sink, so I am ready to see "IF" anything is up to my challenge, because they can't hurt a thing.

    EASTER
     
  3. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    How did you do that? Can you explain?

    Cheers
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan

    Hi, can you PM me the link to it? I did send you a PM twice.

    Thanks
     
  5. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Please, don't worry - carry on using Sandboxie, a very good program :). It is really no surprise that someone circumvents any software.
    Where we are up to is that it seems a malware has been able to write some entries to the registry while run under Sandboxie, but it is unfinished work and hasn't been tested over. Will know more Monday and, if verified by our group, will contact tzuk.

    PMed.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. Please at least let us know. By the way, can you test it with GesWall and DefenseWall too and share your results?

    By the way, your PM box is full.
     
  8. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    The imaginary tool that you call "cleanMBR" seems to have no true existence in the real world except in your imagination, or maybe just on your PC.
    You may face difficulty in distributing such malware to the real world.
    There's a fact in programming that says "sometimes making the malware is so much easier than distributing its infection to other PCs".

    So you say that cleanMBR bypasses SD and may cause BSODs with it.
    So you have to prove this, or at least send it to me, to know if you are telling the truth.
    If you will not prove it, or if you will not send this imaginary tool that seems to be just a private malware tool only on your PC, if you will not, then just stop telling us about the imaginary abilities of your imaginary tools that are only present on your imaginary PC.
     
  9. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    While I won't vouch for all recent variants..., the "tool" does exist, by that name, ~50 KB in size.

    Blue
     
  10. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    So how can I obtain it?
    I searched over the net but couldn't get anything by that name.
    I just need it to test it against my Shadow Defender,
    and if it really bypasses it, we will find a fix.
     
  11. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    hany3,
    • This isn't a malware exchange, so don't bother asking
    • If you can't find it, you probably shouldn't be looking for it.
    • If you can't find a copy with a directed search, what makes you believe that you're vulnerable just sitting on the net?
    • I guess I'm unclear on what "we will find a fix" means. You're going to reprogram the application?
    Blue
     
  12. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    We are just testers,
    but we are in close contact with the vendor.
    I think the above words can explain to you the word "we".
    All of that is because neither the users nor the vendor could find such a tool.
    Best regards
     
  13. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    hany3
    I wonder how well you searched. A quick Google search with the terms "cleanmbr sample" (without "") shows that this malware is well known. There are some threads here on Wilders which mention it, and on CastleCops there is also info about it, saying that Returnil 2.0 protects against it.
    So, even if the sample is hard to get (that's good news), it definitely is not an imaginary tool.
     
  14. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    And this is primarily Chinese-based malware. Due to this, the vendor is much better positioned to obtain this material.

    Blue
     
  15. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207
    HURST,

    I meant that this malware could exist or not:
    1- if yes, maybe it's so rare
    2- if it existed but now doesn't, then speaking about its supernatural powers to bypass all the ISR is useless
    3- if not present, then it may be worth the word "imaginary",
    as it's hard for me to believe something I didn't see,
    and a quick search in Google will bring you some Wilders pages from threads speaking about it.

    AND

    If this tool is not imaginary, its supernatural abilities to bypass all the known ISR software may be so.

    By the way, did you ever encounter such supernatural, miraculous malware?
    Or are you just like me, having only heard or read about it?

    REMARK
    Don't believe everything you read.
    You have to see it with your own eyes, then ask how? and why?

    Best regards
     
  16. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    I emailed Tony at Shadow Defender about this

    and his reply was

    Note - message removed. Cut/paste quoting email messages should not be done (read the TOS) unless there is firm confirmation from both parties that the public posting of the contents is agreed to in advance. In the absence of that, a concise summary of the content in your own words is suitable - Blue
     
    Last edited by a moderator: Jun 15, 2008
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    There was once upon a time a dll named bxxs5.dll, courtesy of BookedSpace spyware.

    The mere act of just clicking on the dll sent System Safety Monitor (HIPS) into an endless loop of DENYs every second as it continuously attempted to add itself to the startup.

    This intrigued me because it wasn't an executable per se, but immediately on just clicking it, it registered itself and then the marathon pop-ups began in earnest. I dunno if even AE could abort this wild and woolly thing (likely on HIGH), but I used it to test my IE's BHO blocking abilities in certain security programs.

    As for CleanMBR, it definitely exists and happens to be housed in my vast collection, although I've never gotten around to actually testing it since I was busy with rootkit/hider research. But just like the KillDisk Trojan, if indeed it can infiltrate a user's system then you would have to seriously consider such a POC a real threat if it ever got bundled by a binder into some screensaver or the like, I would think. That's "IF" the recipient wasn't properly protected from just such a threat.

    EASTER
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    To confirm:

    1) Cleanmbr exists, and does wipe out the MBR
    2) Shadowdefender does indeed protect the system.
    3) I am 99.9% sure Returnil does also.
    4) I emailed tony to confirm no.2 and offered to help him acquire said program.

    Pete
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    @Pete

    Just to help clarify my sample CleanMBR :gack: MBR disrupters give me the absolute creeps, my worst fear short of file infectors :doubt:

    CleanMBR is a Dll or Exe?

    Thanks, and many thanks for your past testing of that cruel KillDisk Trojan, which still gives me the willies in my collection box every time I see it.

    EASTER
     
  20. hany3

    hany3 Registered Member

    Joined:
    Dec 2, 2007
    Posts:
    207

    2) Shadowdefender does indeed protect the system.

    - You mean protect the system generally speaking? Or protect specifically from this malware tool cleanMBR?
    - Tony never got this malware, so how can one believe that SD protects from this malware tool?
    - If you have cleanMBR, you can help Tony by sending it to him; we will very much appreciate this.
    - The so-called "QQ2595" claims that SD and other ISR do NOT protect from cleanMBR.

    Best regards
     
  21. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    Hi Blue... sorry, I should have summarized it... but Tony had said previously that I could use emails on the forum... so I didn't think I was doing any harm.
    In future I will do a concise summary as recommended.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    It's an exe.

    Pete
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The how I can believe it is simple. I turn off other security software, run it and then reboot, and the system can't boot. It's hosed. Then I turn on Shadow Protect, run it and reboot, and the system is fine.

    I am not surprised. Tony had SD protecting from other things that try to write to track 0 so I wouldn't have suspected this one would fail.

    I have contacted Tony.

    Pete
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks. I have had this a good while now but have not made any real effort to run a full test with it, but from the looks of your "hosed" statement, once engaged on a system without proper protection, she's done and the only thing to do is pull up an image restore.

    Maybe. Surely if this and other MBR infectors just write, zero, and so forth, there's got to be the old-hat way of inserting either a floppy, CD or such with the original MBR and just overwriting the MBR back again, or for that matter letting your imaging software (if available) repair it itself, if it can.

    EASTER
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I haven't tried with CleanMBR, but with Killdisk, you couldn't just restore an image. You had to delete the partition first.

    Pete
     
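The two posts above describe the recovery side of an MBR wiper: keep a copy of sector 0 and write it back, with the caveat (from the KillDisk experience) that when the partition table itself is gone an image restore alone may not be enough. Below is an added example of that backup-and-triage logic; it is not code from this thread, from cleanMBR or KillDisk, or from any of the products mentioned. Everything in it is an assumption for illustration: the "disk" is a 512-byte sector constructed in memory, and the two simulate_* helpers only imitate generic damage (zeroing sector 0, overwriting the boot code), not any real tool's behaviour.

```python
"""Sector-0 (MBR) backup, integrity check and restore triage.

Added example for this thread; not code from the forum, from cleanMBR, KillDisk or any
product discussed here. Assumptions: the "disk" is a constructed 512-byte sector built in
memory, and the simulate_* helpers only imitate generic damage (zeroing sector 0,
overwriting the boot code); they do not reproduce any real tool's behaviour.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIG = b"\x55\xaa"           # bytes 510-511, checked by the BIOS before it jumps into sector 0
DISK_SIG_OFFSET = 440            # 4-byte Windows disk signature, then 2 reserved bytes
PT_OFFSET = 446                  # four 16-byte partition entries occupy bytes 446..509
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sample sector: dummy boot code, a disk signature, one bootable NTFS partition."""
    bootcode = b"\xeb\x3c\x90" + b"\x90" * (DISK_SIG_OFFSET - 3)      # 440 bytes of filler loader
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"                      # signature + reserved
    ntfs = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return bootcode + disk_sig + ntfs + b"\x00" * 48 + BOOT_SIG       # 3 empty entries, then 55AA


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == MBR_SIZE and sector[-2:] == BOOT_SIG


def parse_partitions(sector: bytes) -> list:
    """Decode the non-empty partition entries so a wiped or altered table is visible."""
    found = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            found.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return found


def fingerprint(sector: bytes) -> str:
    """Hash to store beside the raw backup so the backup itself can be verified before use."""
    return hashlib.sha256(sector).hexdigest()


def compare_to_baseline(baseline: bytes, current: bytes) -> str:
    """Classify how sector 0 differs from the saved copy, most severe case first."""
    if not has_boot_signature(current):
        return "boot_signature_missing"        # BIOS will not boot this; typical of a zeroed sector
    if current[PT_OFFSET:PT_OFFSET + 64] != baseline[PT_OFFSET:PT_OFFSET + 64]:
        return "partition_table_changed"       # volumes gone or moved; an image restore alone may not fix
    if current[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4] != baseline[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4]:
        return "disk_signature_changed"        # Windows keys drive-letter assignments on this value
    if current[:DISK_SIG_OFFSET] != baseline[:DISK_SIG_OFFSET]:
        return "boot_code_changed"             # table intact: only the loader was overwritten
    return "ok"


def simulate_wipe(sector: bytes) -> bytes:
    """Imitates a tool zeroing sector 0 (assumption; not the real cleanMBR)."""
    return b"\x00" * len(sector)


def simulate_bootcode_overwrite(sector: bytes) -> bytes:
    """Imitates damage that replaces the loader but keeps the table and signature."""
    return b"\xcc" * DISK_SIG_OFFSET + sector[DISK_SIG_OFFSET:]


def restore(backup: bytes, current: bytes) -> bytes:
    """Return the sector that should be written back over sector 0.

    If the on-disk partition table still matches the backup, only the first 440 bytes are
    taken from the backup, so a table an OS or imaging tool has since rewritten is left alone.
    """
    if not has_boot_signature(backup):
        raise ValueError("refusing to restore from a backup without a boot signature")
    if has_boot_signature(current) and current[PT_OFFSET:] == backup[PT_OFFSET:]:
        return backup[:DISK_SIG_OFFSET] + current[DISK_SIG_OFFSET:]
    return backup


if __name__ == "__main__":
    good = build_sample_mbr()
    backup, digest = good, fingerprint(good)          # what you would keep on removable media
    for label, damaged in (("zeroed", simulate_wipe(good)),
                           ("loader overwritten", simulate_bootcode_overwrite(good))):
        verdict = compare_to_baseline(backup, damaged)
        repaired = restore(backup, damaged)
        print(f"{label:18} -> {verdict:24} partitions={len(parse_partitions(damaged))} "
              f"repaired_ok={fingerprint(repaired) == digest}")
```

On a real machine the sector is the first 512 bytes of `\\.\PhysicalDrive0` (Windows, administrator) or `/dev/sda` (Linux, root); the backup and its hash must live somewhere other than the disk being protected, since a wiped sector 0 cannot be read back from itself. The "partition_table_changed" verdict is the case Pete describes with KillDisk: the loader can be put back, but the partition layout has to be rebuilt (or the partition deleted and the image re-applied) before the volume is usable again.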