Interesting malware/ DDOS worm testing?

Discussion in 'other anti-malware software' started by aigle, Jul 20, 2009.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    http://blog.fireeye.com/research/2009/07/ddos-madness-climax.html

    http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MYDOOM.EB&VSect=T

    http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090710

    It seems very interesting. It attacks the MBR and destroys it, and also encrypts your data so that you can't access it (ransomware type?). I would love to test it against:

    CIS
    GesWall
    DefenceWall
    ThreatFire etc

    Also it may be a good challenge for ISRs like Eaz-Fix, Returnil, SD etc.

    What do you guys think? I have grabbed the sample already. :p :p
     
  2. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Test out Rollback Rx against it, I'm curious to see how it fares. :)
     
  3. MagisDing

    MagisDing Registered Member

    Joined:
    Jan 6, 2009
    Posts:
    41
    Why not attach the sample in the accessory? :D Can't wait for the results against DW and GW~ :thumb:
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Because it would be deleted here, that's why.

    Pete
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I can't do any testing on request, as I have no VM, which is necessary due to the very nature of this malware.
     
  6. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    aigle

    Yeah saw those links, bad karma !

    When I get back to my XP PC, hopefully later on this week or next, I might test it on Returnil. That is, if they can fix the Restore points issue. At the moment it only appears to pertain to Vista, I never had probs on XP, but I'd rather wait and be sure!

    Anyways, if you and others test it on various Apps in the meantime, that could be very revealing.
     
  7. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    aigle, can you do me a personal favor and try it with Prevx 3.0 please. Thank you.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    I tested as follows:

    First I didn't check the encryption part, but it wipes out the disk that's for sure.


    Shadowdefender. Protects the system just fine.

    Malware Defender. Protects if you know to block it from either running or block direct disk access.

    Sandboxie. But of course system is protected just fine.

    Online Armor++

    1) Detects it as malware
    2) Protects system if you block it as in MalwareDefender.
    3) Protects the system if you allow everything, but use RunSafe.

    Pete

    Edit: Just reran it and saw no evidence of encrypted files. Doesn't make much sense to encrypt stuff if you are going to destroy the disk, I guess.
     
    Last edited: Jul 20, 2009
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Guys,

    Regretfully I can't test against anything else. Partly it's time, partly, getting trials that will still run. Very time consuming.

    Pete
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    How bout for $25.00;)
     
  11. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thanks for testing Peter2150. :thumb:
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    Peter, many thanks for testing Malware Defender :thumb:
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    OK, I have analyzed the worm a bit. Very interesting indeed. It does two actions mainly.

    1- Destroys the MBR
    2- Encrypts data files (txt, xml, doc, zip etc.) so you lose your data

    Tested GesWall, SBIE and partially CFP:

    SBIE- Pass
    GesWall- Pass
    CFP- MBR access intercepted (I did not test whether it can block it effectively or not, but I think it will pass here).
    Data file encryption will be intercepted if you add data files (txt, doc, zip etc.) into your protected files (it's not feasible though in day-to-day use of your system) or put your data files in a confidential folder (with custom rules for this folder). Again, I did not test it completely and did not test whether it can block it effectively or not, but I guess it can. Maybe I can test it later. It needs time that I lack.
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    CFP intercepting the worm's actions.

    1.png
    2.png
    3.png
    4.png
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    GesWall intercepting malicious actions.

    g1 a.png
    g1 b.png
    g2.png
    g3.png
    s.png
     
    Last edited: Jul 21, 2009
  16. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I don't understand this - I must be missing something (?)
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Come to think of it, me neither :)

    Destroying the MBR makes it impossible to access data on the OS partition, but does it encrypt files on other partitions?

    Cheers Kees
     
  18. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    Can you test if Online Armor's RunSafer feature passes this?
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    http://blog.fireeye.com/research/2009/07/ddos-madness-climax.html

    Read this. Yes, it does encrypt data on other partitions as well.

    Even if the MBR is destroyed you can read your data by booting from other media. But after this encryption, it's not possible.
     
  20. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    @rdsu, from Pete's post #8 above, a good reason to have 'Run Safer unknown programs by default' turned on.
    Note point 3): even if you allow it, Run Safer stops it doing anything.

     
  21. MagisDing

    MagisDing Registered Member

    Joined:
    Jan 6, 2009
    Posts:
    41
    Some Chinese security enthusiasts have tested this POC using MD and EQS; they posted the blocking log, which indicated the primary behaviors:
    1. attacks the MBR, runs conime.exe
    2. changes the .txt, .xml, .doc, .zip, .asp files (all the text files that are not 0 bytes and some compressed files) into encrypted .gz files
    3. deletes the original file itself

    So the key to interception:
    1. protect the MBR, watch out for any access to disk by strange executables;
    2. protect overall important files if possible.

    BTW: this executable can't run as expected in Win7.
     
    Last edited: Jul 21, 2009
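Detection logic for the encrypt-and-delete behavior MagisDing lists above, as an added example that is not part of the thread or of any product named in it. The event format, the naming assumption (encrypted copy = original name plus `.gz`) and the sample events are constructed; only `conime.exe` and the extensions come from the post.

```python
"""Added example, not from the thread or any product named in it: flag a
process showing the encrypt-and-delete pattern from post #21 (data file
written back as an encrypted .gz, original deleted). The event format and
the naming assumption (encrypted copy = original name + ".gz") are constructed."""
import os
from collections import defaultdict
from dataclasses import dataclass

DATA_EXTS = {".txt", ".xml", ".doc", ".zip", ".asp"}

@dataclass(frozen=True)
class FileEvent:
    process: str  # image name of the acting process
    action: str   # "create" or "delete"
    path: str

def find_encrypt_and_delete(events, min_victims=3):
    """Return {process: sorted victim paths} for each process that both created
    <file>.gz and deleted <file> for at least min_victims data files. A tool that
    only writes .gz archives, or only deletes files, is not flagged."""
    created_gz = defaultdict(set)
    deleted = defaultdict(set)
    for ev in events:
        base, ext = os.path.splitext(ev.path)
        if ev.action == "create" and ext.lower() == ".gz":
            created_gz[ev.process].add(base)  # base is the original file's path
        elif ev.action == "delete" and ext.lower() in DATA_EXTS:
            deleted[ev.process].add(ev.path)
    flagged = {}
    for proc, originals in deleted.items():
        victims = originals & created_gz.get(proc, set())
        if len(victims) >= min_victims:
            flagged[proc] = sorted(victims)
    return flagged

# Constructed sample events (not a real log); conime.exe is the process named
# in the thread, the paths are made up.
SAMPLE_EVENTS = [
    FileEvent("conime.exe", "create", r"C:\Docs\report.doc.gz"),
    FileEvent("conime.exe", "delete", r"C:\Docs\report.doc"),
    FileEvent("conime.exe", "create", r"C:\Docs\notes.txt.gz"),
    FileEvent("conime.exe", "delete", r"C:\Docs\notes.txt"),
    FileEvent("conime.exe", "create", r"D:\Data\config.xml.gz"),
    FileEvent("conime.exe", "delete", r"D:\Data\config.xml"),
    FileEvent("7z.exe", "create", r"C:\Backup\photos.zip.gz"),   # archive tool keeps the original
    FileEvent("notepad.exe", "delete", r"C:\Docs\scratch.txt"),  # plain delete, no .gz written
]

if __name__ == "__main__":
    print(find_encrypt_and_delete(SAMPLE_EVENTS))
```

The threshold `min_victims` keeps a single user-initiated compress-and-delete from firing; only the process that repeats the pattern across several data files is reported.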
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for confirming.
     
  23. Retadpuss

    Retadpuss Suspended Member

    Joined:
    Apr 4, 2009
    Posts:
    226
    Prevx and Hitman Pro get this with no problem.

    Puss
     
  24. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Great, but what if they didn't, and what about some future threat? Could happen to any AM product. That's why I've finally begun to use GeSWall myself, to at least sandbox my browser. So far there have just been some hitches, but I know that I'm MUCH more secure, simply because everything is isolated. Just about two clicks and I'm running an installation that I trust without isolation; it's that simple.
     
  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    OK, some more details.
    CFP- Stops it altogether.
    It protects the MBR if you deny direct disk access. It also protects data files if there are appropriate rules and you deny access to those files.
    Returnil- failed and the system became unbootable.
    Eaz-Fix- passed. Only the current snapshot was lost.
    ThreatFire- Protects the MBR and system, but data files were lost without any alerts.
     

    Attached Files:

    tf.png
    Last edited: Jul 21, 2009