Deep Freeze 7 bypassed

Discussion in 'sandboxing & virtualization' started by Buster_BSA, Jun 27, 2010.

Thread Status:
Not open for further replies.
  1. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,545
    Buster_BSA could you please test Comodo Time Machine against these 2 malwares?
    please :-*
     
  2. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Konata: I plan doing some tests on virtualization software like that.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    OK, I understand -- so DefenseWall has execution protection.

    Of course, there are a number of products that block untrusted or non-white listed executables -- safesys.exe or anything else -- but I don't see the point of that in this thread.

    If a user is going to run execution protection along with Deep Freeze, then malware like safesys can't execute, therefore, cannot write to disk. Hence, no malware to discard on reboot.

    But Deep Freeze doesn't prevent malware from intruding -- it just purports, on reboot, to remove all traces of anything written to a frozen partition, which evidently it doesn't in the case of safesys.exe.

    If comparisons between Deep Freeze and other products are made, they should be with other similar products. Even Returnil is not a good comparison, since it now employs execution protection, if I've understood correctly.

    ----
    rich
     
  4. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    Last edited: Jul 1, 2010
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    From Blueridge:

    My emphasis.

    If you are going to use a standalone product, why take the chance of conflicts? Just install Faronics Anti-Executable which is designed to work with Deep Freeze. You will prevent any unwanted executable from intruding, not just MBR/TDL junk.

    Here is a Mebroot file being blocked in a test a while back:

    ae-block.gif


    And a recent TDL3 file:

    tdl3_ieExploit.gif

    (both executables obtained from malware lists and put into drive-by exploits to test)

    NOTE: This is protection only against the drive-by attack method.

    For those who regularly install cracks, keygens, free junk and the like which often are boobytrapped with the tdss rootkit, you need something like MBRguard:

    But you are back to square one with the possibility of conflicts, so careful testing is necessary.


    ----
    rich
     
  6. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Using execution protection, Deep Freeze will not be used to restore a malware attack ever, therefore Deep Freeze becomes pointless as protection against malwares.

    Correction: SafeSys AND TDSS.

    Check the thread at sandboxing & virtualization. ;)

    Obviously if I can not run a malware to check if the system restore function works properly then that product must be discarded from comparision.
     
  7. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Yes, TDSS can bypass Deep Freeze + MBRguard because TDSS doesn´t write to MBR.
     
  8. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Nope, it doesn't. It blocks its dangerous activity, but the process was still running.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Agreed, and I will paraphrase, If malware cannot get onto the system, there is no need for reboot-to-restore in the first place (if that is the reason one uses such a product)

    The weakness/vulnerability of Deep Freeze has been known since 2006 when the chinese robot dog first appeared - I mentioned this in the other thread. Even earlier than this, musings on various forums hinted at the potential weakness of device filters. So, as Mario mentioned in the Prevx blog, it was just a matter of time.

    Right, I just neglected to mention TDSS here, sorry. No doubt, other such malware will appear in the future!

    ----
    rich
     
  10. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    But as we are seeing in the tests being performed right now it´s not only a weakness/vulnerability of Deep Freeze. Seems like almost all rollback products have it!!!

    So this is not just a negligence of Faronics´ product. The problem is extended over almost every piece of software of this kind.

    If robot dog is known since 2006, how´s possible that all that products are still vulnerable to this issue?

    When I finish my tests I only need to write an article and publish test results where a lot of people can read them to create a big scandal on the security industry!

    And it´s really a big scandal and not just snake oil for next reasons:

    1) The problem has been known by the industry for years and nothing was done to fix it

    2) The security products are being sold using publicity like:

    (Faronics´ Deep Freeze)

    (Returnil)

    Man, if that publicity is not a case for the tribunals I don´t know what´s it!
     
    Last edited: Jul 2, 2010
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Because there is no solution to the design that uses low filter drivers to write to a temporary storage area, which is discarded on reboot. As one developer remarked, if you intercept every call to the device stack, you break legitimate drivers in legitimate products. Therefore, you can't prevent writing to the disk controller, unless running as non-Administrator. Re-read the Prevx Blog quoted in one of the other threads.

    As Faronics has pointed out, they can't require their customers to run as non-Administrator. That defeats the whole idea of Deep Freeze. For example, in computer classes, students need to be able to write to the Registry, change network settings, etc, as part of assignments. Adminstrator privileges are required. No problem, since the system will be restored to original state on reboot.

    I'm not sure how Returnil works, but its solution, according to Mike, was to add anti-execution protection. As you've pointed out, with this, you don't need ISR products for malware protection if malware can't run unauthorized in the first place.

    I'll look forward to reading it!

    ----
    rich
     
  12. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    But then they must face the fact that they can not use "indestructible" as publicity to sell their product.

    They are fooling their customers on purpose and they could be/should be send to tribunals for that.
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    As I commented in private to Mike, seems like the only way to stop malwares like SafeSys or TDSS is paying a price, like Sandboxie does.

    Sandboxie denies the installation of drivers. That makes secure the software, but at the same time makes that many software fails to run sandboxed.

    tzuk accepted to pay the price to get a safe security solution.

    Why do not rest of vendors dare to accept to pay too?
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Certainly true! I await your report.

    -----
    rich
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Thsi is not entirely correct, if you separate the two attack vectors:

    1) remote code execution (drive-by, autorun.inf)

    2) social engineering.

    Many solutions exist to prevent #1. Sandboxie is not the only way.

    For #2, much depends on the user. Many on these forums with the know-how first run all software in a virtual environment to monitor the installation/running. It is not possible for the average user to analyze the installation/running without that expertise.

    For this possible way of intrusion, the average user is better off trusting the source of the software and verifying its reliability with other users.

    ----
    rich
     
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Rmus: Induc.

    Do you need I explain that?
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Yes, I do not know that word.

    thanks,

    rich
     
  18. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
  19. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    Wow r u sure? because thats a total knockout for Deep Freeze then. Quite sad, i was hoping the 'new' version would have been all patched up, but alas...
     
  20. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    If it just was a knockout for Deep Freeze...

    Did you see the list of software bypassed by SafeSys and TDSS?

    It´s growing as I make tests. I mean this:

    https://www.wilderssecurity.com/showthread.php?t=276210
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    I asume your point is that there isn't 100% assurance that a product is safe. Think of many people who believe that there is an agreement between Microsoft and NSA, that the Operating Systems have a back door.

    Well, you could say the same thing about any product. There may be many other products out there that have some type of "Induc" on board.

    Still, at some point, we have to trust, or we wouldn't install anything!

    ----
    rich
     
  22. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294

    Deep freeze + Faronics anti-executable would stop Deepfreeze from being bypassed correct?
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
    Anti-Executable will prevent any unauthorized (non-white listed) executable from running, so yes, as long as the user isn't tricked into installing something that is infected!

    ----
    rich
     
  24. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294

    Thanks for the confirmation!
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,994
    Location:
    California
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.