Interesting malware / DDoS worm testing?

Discussion in 'other anti-malware software' started by aigle, Jul 20, 2009.

Thread Status:
Not open for further replies.
  1. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    I wonder if anyone tried with those runtime files onboard.

    Reassuring to see something I use passed safely :p Thanks testers.
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I have added some global rules so that no isolated application is allowed to write to non-OS partitions.
    In the past I also added rules that anything executing from a non-OS partition will be isolated. Also defined a confidential folder for data. Used a rule to stop internet access for all isolated applications with allow rules for browsers etc. (but this feature is a little buggy at the moment and needs a fix).
     
  3. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Isolated applications indeed seem unable to write to any locations that are not specified as excluded (by yourself), and if they indeed are, the objects that come through an isolated application will be isolated in their turn - I got this result proven when the directory on my file-drive where I tried to save my bookmarks wasn't excluded.

    Or did you mean something different? :)
     
  4. MagisDing

    MagisDing Registered Member

    Joined:
    Jan 6, 2009
    Posts:
    41
    I'm quite interested in the extra global rules ;)
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Isolated applications are allowed to write and create files anywhere (except some critical areas like the system32 folder, start up folders and registry etc.) unless specified. But files created by isolated applications will remain marked as untrusted. This is the default behavior of GesWall.
     
  6. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Understood... wonder what's up with the directory on my file-drive. :D Anyways, since it's better to install trusted software non-isolated (or do you often not do that or need to?), wouldn't a global-rule to write anywhere - except for the exclusions - be in place for security, or would that create lots and lots of trouble? Please shed some light. :D :rolleyes:

    EDIT: Thinking about it... without any custom rules from me in-place, the bookmark file would not be written to my file-drive (not even the system-drive), unless specifically excluding the appropriate directory.
     
  7. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    I have tested this malware with Shadow Defender, Returnil 2008, Returnil 2010 beta, and Deep Freeze.

    Results:

    Shadow Defender can restore the MBR after reboot, but it hasn't blocked the malware from modifying the MBR during shadow mode

    Returnil 2008 has been bypassed

    Returnil 2010 beta has protected the MBR also during shadow mode

    Deep Freeze has protected the MBR also during shadow mode

    [Attached screenshots: bootloader before and after; Deep Freeze before and after]
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi, answers to your couple of Qs.

    1- About Opera bookmarks, it seems you are saving them in a non-default folder. Just make an allow rule for this folder in Opera rules. They will still be marked isolated as this is part of GesWall security policy.

    2- All installations must be done as non-isolated (trusted).
     
  10. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Okay, thanks. On the first one... I thought GW was even more non-restrictive when it comes to other drives than the system-drive. :doubt: I had an allow-rule in-place after some thinking previously, but this confuses me a little - could you please elaborate? :) Would that for example mean that, even if not on a completely different drive, if I for example create a new directory - let's say "Games" on C: (my system-drive) - will I not even be able to write to that custom-directory (from your message, that's what I understand as a non-default folder)?

    To sum it up... I simply don't get this thing that you mention now. :p
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I think we both are confused. lol

    Can you tell me step by step what you mean by saving Opera bookmarks and where you save them? Spoon feeding.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks. Very nice testing.
     
  13. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Okay, let's see... I'll try to take it step by step and then you can tell me what's happening and why. :)

    1. Inside the latest stable Opera, I click File, then go down to Import and Export, then select to Export my bookmarks.

    2. I browse through my system to my "file-drive" (which is an entirely different drive, and not just a partition of the very same drive even), which goes under the letter "G:".

    3. I continue my browsing to a folder called "Saves", from there I go to a folder I've named "Opera" (convenient, huh? :D).

    4. Last thing is to overwrite my existing bookmark-file(s). I've two in that folder - one which is the "main-one", and one which I use as backup if I would accidentally overwrite with no entries or something, where I've simply added "bak" to its name to easily keep track of which is which.

    5. GW being enabled during this whole process, redirects what I'm trying to do, unless I specify an allow-rule for Opera to that folder - the folder which contains my backup of my bookmarks, in the form of a "bookmark file".

    Hope that was spoon feeding enough. :D
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ok, here we go.

    GesWall with default rules. No custom rules pls.

    I can save my bookmarks in a non-OS hard drive (USB). Bookmarks file opera6.adr is marked isolated of course.

    I can save bookmarks again on top of it, overwriting it.

    If I mark this file as trusted, it can't be overwritten by Opera. Means I can't save bookmarks on top of it.

    Am I right? In fact you need to play a bit to know.
     
  15. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    aigle, with regards to ThreatFire, what is the extent of the data files lost?

    The files in user documents encrypted/compressed? (just reading the FireEye explanation)
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    My documents (not sure), program files, windows directory etc.

    It encrypted a lot of files, I did not give much attention because I did not expect TF to give a pop up on data file encryption as it's in no way a malicious action. TF will protect if malware attacks system files (executables).
     
    Last edited: Jul 22, 2009
  17. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Thank you for the explanation. :)
     
  18. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567

    Okay... so it's because isolated software should not be able to modify, e.g. overwrite a file for the sake of security, but can create new since then, for example, it's still not able to say overwrite a system file?

    But by default the software has for example specified allow-rules for the locations where e.g. Opera keeps its bookmarks, so that it CAN overwrite the file in its original place.


    Have I understood it correctly? Do I really need to un-isolate a bookmark file for it to work? At least it doesn't seem like it. :)

    Just tell me if I should use spoon feeding again. :D
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You are right. BTW the bookmark file when saved will be marked untrusted automatically. Just leave it like that.
     
  20. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Understood. :) I've actually seen that the original was, since that's the first directory you see every time you export it, but I was still not completely sure for some reason. :D
     
  21. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    440
    Can System Safety Monitor (or EQSecure 3.41 or Real Time Defender) stop this malware?
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I guess they will, just like CIS.
    However SSM I think lacks file protection, though I am not sure. Anyway text, doc, zip etc. type of file protection even by CIS is impractical.
     
    Last edited: Jul 30, 2009
  23. Pliskin

    Pliskin Registered Member

    Joined:
    Feb 8, 2009
    Posts:
    440
    So the only practical way to protect files from being encrypted is sandboxing?
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Seems so.
     