Malware bypassed ShadowSurfer

Discussion in 'sandboxing & virtualization' started by aigle, Aug 30, 2009.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Not a surprise, but I thought it might be of interest to some people here.
    I tried this under shadow mode of ShadowSurfer. Some parts of this malware survive the reboot, and after the reboot the malware uses some applications on your system or your browsers to download loads of malware. It's nasty. Still I can't find the actual piece of malware that survives the reboot and manipulates browsers or trusted applications to download tons of malware.
    Will post more about it later as I am out of my home now.
     
  2. mark.eleven

    mark.eleven Registered Member

    Joined:
    Oct 27, 2006
    Posts:
    81
    Location:
    Island of Sodor
    I'd be interested to know if this malware also bypasses Sandboxie, DefenseWall, Shadow Defender, Returnil.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, I can confirm the bypass with ShadowSurfer.
    GesWall could not be bypassed.
    Will test CFP also. More I will not be able to do ATM. If anyone can, please try it with:

    ShadowDefender
    Returnil
    SBIE
    DW
    MD
    etc

    I have no VM, so it is difficult and time consuming to do this testing with the help of imaging only. PM me for the sample please. Don't ask for it on the forums.

    Thanks
     
  4. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    What you discovered sounds rather ominous. I look forward to your discovery (hopefully) of the malware that survived the reboot.
     
  5. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    What kind of malware? Do you have the name of it? Go ahead and PM me...I'll test Outpost.

    Thanks,
    Toby
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ha ha ... Toby, you gave me that. Just run it via cmd.exe. :eek:
     
  7. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Are you gonna thank me for that?? Just kidding.

    Toby
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Are you gonna thank me for testing it in this way? :D

    Thanks anyway. Very clever piece of malware. I love it. :-*

    BTW it has more bypasses, but of a different kind. In another thread. :eek:
     
  9. Toby75

    Toby75 Registered Member

    Joined:
    Mar 10, 2006
    Posts:
    480
    Of course - Thank You. We all appreciate the testing that you do!
     
  10. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    What thread? Any links?
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    That thread is still to come. If I am right, there is a malicious behavior bypassing CFP, GW and OA. But I can't be sure unless more people will test and confirm my findings. I have done the testing and taken all the pictures to explain. I am too busy and might need a week or so to compile it, and then, by Allah's will, I am going to post that thread.
     
  12. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Ok cool!
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Anyone going to test this malware? Here is how you can reproduce this issue. Run the malware in shadow mode. Allow all prompts by your HIPS, if you have any. The malware will make many registry changes, will get debug privileges, will copy some DLLs. Maybe some service and driver install and direct disk access too. It will try for outbound access too; just deny that.

    Most important, it will copy a hidden autorun.inf file and a hidden .pif executable on all partitions/disks or attached USB flash sticks. When it's done, just reboot your system.

    After reboot you will not find any visible files on your system, as they will be wiped away by ShadowSurfer.

    Now just run your browser and browse the internet for a few minutes. Keep your HIPS watching the system. If all goes well, soon you might see some trusted application trying for outbound access that it should never do. If allowed, it will download tons of malware and execute them. Also you might find your browser or some trusted application on the system trying to make a lot of registry changes.

    Still I am puzzled and have failed to understand which malware component survives the reboot and after the reboot manipulates browsers or some trusted applications to go outbound and download the crap. Sure it's a rootkit, but I can't detect/catch it.

    I will post some screenshots later when I am home.
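A defender-side check for the persistence marker described in the post above (a hidden autorun.inf plus a hidden .pif at every volume root), written as an added example that is not from the thread or from any of the products named in it: it parses an autorun.inf for the executables it would launch on insertion or double-click, and reports whether the file and its targets are present and hidden. SAMPLE_AUTORUN and the system.pif name are constructed placeholders, not samples from the thread.

```python
import configparser
from pathlib import Path

# Constructed sample in the style of the autorun.inf a worm drops at a drive root.
# "system.pif" is a placeholder name, not an indicator from the thread.
SAMPLE_AUTORUN = """[autorun]
open=system.pif
shellexecute=system.pif
shell\\open\\Command=system.pif
shell\\explore\\Command=system.pif
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

LAUNCH_KEYS = ("open", "shellexecute")
EXEC_SUFFIXES = (".pif", ".exe", ".com", ".bat", ".cmd", ".scr", ".vbs")


def autorun_launch_targets(text):
    """Return the executables an autorun.inf would launch, deduplicated and sorted."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    # Section names are case-sensitive in configparser but not on Windows.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    targets = set()
    for key, value in cp.items(section):
        # open=/shellexecute= run on AutoPlay; shell\<verb>\command= runs via context menu.
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            v = value.strip()
            if not v:
                continue
            # Quoted program path may contain spaces; otherwise first token is the program.
            exe = v[1:v.index('"', 1)] if v.startswith('"') and v.count('"') >= 2 else v.split()[0]
            if exe.lower().endswith(EXEC_SUFFIXES):
                targets.add(exe)
    return sorted(targets)


def is_hidden(path):
    """FILE_ATTRIBUTE_HIDDEN (0x2) on Windows; dotfile convention elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & 0x2) or path.name.startswith(".")


def scan_drive_root(root):
    """Report an autorun.inf at a volume root, its launch targets, and which exist."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return None
    targets = autorun_launch_targets(inf.read_text(errors="replace"))
    return {"autorun": str(inf), "hidden": is_hidden(inf), "targets": targets,
            "targets_present": [t for t in targets if (Path(root) / t).exists()]}
```

Run scan_drive_root() against each drive letter or mount point after the reboot; a hidden autorun.inf whose launch target is a hidden .pif is the marker the post describes.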
     
  14. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    If it has direct disk access then no wonder it can defeat your virtualiser. How exactly is OA bypassed if you allow all HIPS prompts?
     
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    As promised, some of the pop-up alerts by CFP.

    [Attached screenshots: 1.png, 2.png, 3.png, 4.png, 5.png]
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    More from CFP.

    [Attached screenshots: 6.png, 7.png, 8.png, 9.png, 12.png]
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Rootkit scan before a reboot in shadow mode.

    [Attached screenshots: 10.png, 11.png]
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    And finally geswall, seems angry red. :D
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Wait for my second thread please. I am not so sure about that issue indeed.
     
  20. wat0114

    wat0114 Guest

    I attempted to run two of them sandboxed inside the VBox guest; that only resulted in error pop-ups. No damage done. So I ran the same two independently inside the VBox guest un-sandboxed and oh man, the results were destructive :eek: The malware caused the VBox guest to shut down. When I tried to restart the current state I was greeted with an ominous "Invalid partition table" message (see screenshot). However, all I had to do was revert to the current snapshot (see screenshot) and all is well again, so VBox seems, so far anyway, to prove its worthiness :)
     

  21. wat0114

    wat0114 Guest

    I launched the .x and .z files from the desktop and they both crippled the VBox's partition table. It seems to me the malware did a pretty good job of destruction in these tests, although maybe the partition tables could be restored with a Windows disk. Should they have been run via cmd line?

    Anyways, I will try some more.

    *EDIT*

    I tried the same two from the desktop this time under my limited account. Both attempts resulted in errors with no subsequent damage. The virtues of a limited account seem to come through here.
     
  22. wat0114

    wat0114 Guest

    One of the others launched via cmd line: see screenshots. I chose "Ignore" even though that is something in reality (non-testing) I might not have done. These are not even HIPS-triggered alerts. The second one should pretty obviously trigger a red alert. The system again shut down and once again, upon trying to restart the current state of VBox, I was greeted with the "Invalid partition table" message. BTW, trying to run them via cmd line under LUA results in nothing happening. Score another point for LUA :)

    *EDIT*

    The ".C" malware was a little nastier under LUA; the whole VBox guest desktop froze, although I was able to finally close the machine using Process Explorer. The current state started up again, but just to be safe, I restored the current snapshot. This VBox is excellent for instantly restoring normalcy again :)
     
    Last edited by a moderator: Aug 31, 2009
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi wat, sorry, I sent you the wrong samples. Check your PM. I am sorry again. Actually someone asked for killdisk too at the same time. So many PMs and I was in a hurry.
     
  24. wat0114

    wat0114 Guest

    Hey, no worries aigle :) This just gives something extra to test, but after this, I think that's it for me. I don't want to spend too much time at this (testing malware), nor make it a hobby. It's a bit too addictive - LOL!

    Thanks again!
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Actually that ShadowSurfer might be bypassed by some of the newer malware isn't really surprising. It's really not current, and I don't believe it's being updated.

    It's fine for some things, but not for security purposes, in my opinion.

    Pete
     