Deep Freeze 7 bypassed

Discussion in 'sandboxing & virtualization' started by Buster_BSA, Jun 27, 2010.

Thread Status:
Not open for further replies.
  1. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    ShadowDefender is not bypassed by SafeSys.
     
  2. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Thanks for testing. :)
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Kills Icesword and heaps of other apps through Image File Execution Options within the reg.

    You can enter the below to your own reg so that safesys.exe will never run on your machine.
    View attachment Safesys Install Log.txt
     
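As an added example (not code from this thread, from Franklin's log, or from Faronics or any other product discussed here), the script below audits an exported Image File Execution Options key for `Debugger` redirections, the registry mechanism described above by which safesys kills Icesword and other tools, and which Franklin proposes turning around into a block for safesys.exe. The `.reg` text it parses is constructed for the example; the paths, the `.tmp` name and the `svchost.exe` redirect are sample values, not values from the thread, and the list of debuggers treated as expected is an assumption you should adjust to your own estate.

```python
"""
Audit Image File Execution Options (IFEO) Debugger entries from a .reg export.

Added example, not from the thread. On a Windows host export the key with
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
then pass the file's text to parse_ifeo(). The SAMPLE_REG below is constructed.
"""
import re
from typing import Dict, List, Tuple

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")

# Debugger images an administrator might legitimately have registered (assumption).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "drwtsn32.exe", "procdump.exe"}

# Constructed sample export: one legitimate JIT debugger, one tool redirected into
# a temp file (the kill pattern), and one block entry of the kind Franklin suggests.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\VS7Debug\\vsjitdebugger.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\WINDOWS\\Temp\\xk3f9a.tmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safesys.exe]
"Debugger"="svchost.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)


def _unescape(value: str) -> str:
    """Undo .reg string escaping: a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_ifeo(reg_text: str) -> Dict[str, str]:
    """Return {image_name_lowercase: debugger_value} for IFEO subkeys with a Debugger value."""
    entries: Dict[str, str] = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            current = None
            # Only direct subkeys of the IFEO key name an image to hijack.
            if key.lower().startswith(IFEO_PREFIX.lower() + "\\"):
                current = key[len(IFEO_PREFIX) + 1:].split("\\")[0].lower()
            continue
        val_match = VAL_RE.match(line)
        if val_match and current:
            entries[current] = _unescape(val_match.group(1))
    return entries


def debugger_image(value: str) -> str:
    """Extract the executable file name from a Debugger command line (quoted or bare)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        exe = value[1:end] if end > 0 else value[1:]
    else:
        exe = value.split()[0] if value else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(entries: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify each IFEO entry as (image, debugger_value, verdict)."""
    findings = []
    for image, dbg in sorted(entries.items()):
        exe = debugger_image(dbg)
        path = dbg.strip().strip('"').lower()
        if exe in KNOWN_DEBUGGERS:
            verdict = "expected-debugger"
        elif "\\temp\\" in path or "\\tmp\\" in path or exe.endswith(".tmp"):
            verdict = "suspicious-temp-target"   # tool silently redirected into a dropped file
        else:
            verdict = "non-debugger-redirect"    # image will never start as itself; review intent
        findings.append((image, dbg, verdict))
    return findings


if __name__ == "__main__":
    for image, dbg, verdict in audit(parse_ifeo(SAMPLE_REG)):
        print(f"{verdict:24} {image:16} -> {dbg}")
```

A real `reg export` file is UTF-16 with a byte-order mark, so read it with `open("ifeo.reg", encoding="utf-16")` before calling `parse_ifeo`. The audit deliberately reports your own block entries as well as the malware's: as CloneRanger and Franklin note further down, an IFEO block keyed on a file name is trivial to sidestep by renaming, so knowing exactly which images are redirected, and where, is the useful output.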
  4. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Bufferzone free contains safesys.exe .
     
  5. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Franklin: What did you use to generate Safesys Install Log.txt?
     
  6. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @Franklin

    Thanks for the safesys.exe reg entry details :thumb:

    If they alter the file name I presume this won't work?

    So I guess we might be able to use the same method in such a case, and for other "similar" nasties?
     
  7. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Out of curiosity, how does clean slate fare against this critter?
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    (At the time) not seeing any changes in a virtual machine tweaked an interest to look further on a test machine. Also having a vested interest in Faronics software, I fired over an email to them.

    At first I got a reply saying that they could not replicate findings others had and that was pretty much an end to it until after I sent them my new findings and received a reply comparable to what I've read here.

    There's some info online about safesys; the history and information I documented at the time pretty much mirrors bkis:

    Specifically I can add that autorun.inf is copied to disk, autorun to registry and a file appears in tmp with a random name; dogkiller is then the driver that does the work. As mentioned by Franklin the key "Image Execution Options" is made and blocks a lot of tools. The worm spread easily because it takes advantage of spoolsv.exe.

    bkis original page with Yahoo 360 fake
     
    Last edited: Jun 28, 2010
  9. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Just got back - ZSoft Uninstaller.
     
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Yep, it will stop any exe but a simple name change renders it useless.
     
  11. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Do you still have their reply? What did they say exactly? And when did they say it?
     
    Last edited: Jun 29, 2010
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Exactly the same statement in the link from your second post in this thread, the one Smokey posted over BBR.
    18/07/09
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Then it's amazing that almost one year later they release a new major version of Deep Freeze and the vulnerability is still there.

    Maybe you could mail them and ask again.
     
  14. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I have been told that Faronics replied about the SafeSys issue, saying that their developers are investigating the malware.

    One year investigating the malware and still no solution! :eek:
     
  15. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    IMO they don't have the copy of that malware...Better u send it again. :D
     
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    They must know about Marco Giuliani's article so they had enough time to mail him asking for a copy of the sample and technical details if necessary.

    Faronics doesn't have any excuse at all.

    For a security company this issue is a big scandal!
     
  17. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I couldn't agree with you more. I think Faronics have totally messed up and dropped the ball with this situation. As for contacting them again I don't think it will change anything in the near future although I will, but more talk, articles online may.
     
  18. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
  19. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Leach: Bad luck for Shadow Defender users because it seems like the product will not be supported anymore.

    Is there any software like Deep Freeze or Shadow Defender which is not bypassed by TDSS or SafeSys?
     
  20. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    I've been asked to repeat the test against Shadow Defender with full DEP enabled. Will include Sandbox RX later, it's being developed right now; I had contact with the developers and I'm pretty sure they check this forum from time to time.
     
  21. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Sorry, you are definitely wrong here. DefenseWall does not ask the user for a correct action.

    And, BTW, I did test SafeSys against DefenseWall.
     
  22. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,253
    Location:
    New England
    Just for reference, the posts focusing on TDSS rootkits bypassing other isolation based products are now in their own thread:

    https://www.wilderssecurity.com/showthread.php?t=276152

    Let's use that thread for the TDSS / TDL tests and issues, and keep this one about the Deep Freeze problem.
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Hi,

    Can you share details of your test method, and a screenshot of the DefenseWall alert?

    thanks,

    rich
     
  24. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I didn't test myself, so that's my mistake, sorry.
     
  25. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Sorry, what alert? It was running as untrusted and just silently blocked, that's it.
     