Malware bypassed ShadowSurfer

Discussion in 'sandboxing & virtualization' started by aigle, Aug 30, 2009.

Thread Status:
Not open for further replies.
  1. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Alright, thanks for this, developers! :thumb:

    So from this we can see that all virtualisers attempt to protect the MBR. However, for whatever reason this protection is not complete, and from time to time malware writers figure out how to bypass it. The virtualiser programmers then respond by coding to protect against the specific attack, and so on and so forth.

    Would a third-party app independent of the virtualiser do a better job in protecting the MBR and prevent all access, hence ensuring that a virtualiser cannot be bypassed? I'm talking of something like MBR Guard. Any ideas?
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Blueridge is developing a program for protecting the MBR ;) I forgot the name of the program, and I think they will implement it in the coming AppGuard ;)
     
  3. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    This doesn't make sense, wat. The guest itself is in admin, so the malware should have no trouble getting to the guest's MBR. I doubt the host OS being in LUA can help in any way. The only two possibilities I can think of are that the malware doesn't show its true capabilities in a VM, or perhaps snapshots in a VM work differently to snapshots on an ISR in the host. Perhaps a snapshot in a VM is more akin to an image for the real system and everything is backed up, including the MBR. Hence when you revert your snapshot the infected MBR is replaced and the infection is completely gone.
     
  4. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Yup that is exactly the app I was talking about. :smile:
     
  5. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Also a HIPS program can do this, but you have to pay the price, and that is to deal with a bunch of pop-ups :) :)
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi developers,
    It is important to also report whether the AE in 2008 and/or the VG/targeted AE in 2010 provides protection against these as well. While I applaud and encourage consistency in testing, the reason these things were included in RVS was to provide protection against content that can bypass strict virtualization.

    Without knowing whether the VG/Trust only existing files on the real system is doing its work properly, we can't get a complete picture of the overall effectiveness and whether we need to upgrade the code. Thanks in advance...

    Mike
     
  7. wat0114

    wat0114 Guest

    Exactly right, and I even confirmed that in post #22 of this thread.

    For the above scenario, I'd agree with you. However, the question is whether or not the host running as limited can protect itself against a rewrite of the MBR, and I'd say it does.

    It appeared the samples I tested were working as intended in the VM, but I can't be 100% certain. What I do know is I had no problems flushing the damage away with a revert to current snapshot, so that's what matters most to me :)

    I have never used ISR software, so I can't comment.

    Yes, I believe this is true, including backup of the MBR.

    Indeed, I believe that is exactly what happens with the infected mbr, but the reverting snapshot also brings the entire VM O/S to that exact previous state.
     
  8. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    VirusGuard (Returnil 2010) has detected and blocked several pieces of malware downloaded by this trojan, and after the reboot the system wasn't infected.

    AntiExecute (Returnil 2008) has protected the OS. After the first "Allow" for executing the malware, all other popups were blocked (on-the-fly driver protection checked also), and after reboot the system was clean.
     
  9. wat0114

    wat0114 Guest

    This could turn into a long, drawn out debate, so no comments here.

    Sure, I've probably stated the bleeping obvious, so sorry, but to elaborate, it (the HIPS) gave me the opportunity to stop the progress of the virus without freezing up or crashing. At least if the virus was real and I wanted to stop mid-stream in an effort to mitigate the damage, MD could have done so without buckling under the stress of handling the alerts. Believe me, I have enough experience testing these types of products to know that some handle the numerous alerts better than others. Specifically, what I have seen with MD is it not only handles the alerts without labouring under the frequency of them, it also alerts instantly, without the delay that I have seen with some other products when they are met with a volley of attempted changes brought on by the unknown process' installation.

    Testing malware against security software and running a computer with the intent of denying unknown/untrusted at the gate are two different things ;) Can you honestly say you installed Sandboxie with unconditional faith it will stop everything based only on others' comments you've read, or have you not run some tests against it to bolster your convictions in its abilities?

    Anyways, good thread. I've learned something I consider valuable from it :)
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Wat0114

    You can't compare VM's Snapshot feature with the standard virtualizers like Returnil, ShadowDefender etc. They just aren't comparable.

    Pete

    PS. Sure would be nice if they were.
     
  11. wat0114

    wat0114 Guest

    Absolutely, you are right! It has been an eye-opener for me, of sorts. BTW, sorry if it seems I'm nit-picking in response to some of your comments. In truth, I read your posts - all of them - enthusiastically, because you bring up a lot of interesting ideas and subject matter regarding security approaches :)

    Thanks Pete, I wasn't sure. Indeed, the more I use VBox and discover its capabilities, the more I'm impressed with it, especially when the Guest Additions are installed. And regarding the snapshot feature, I think I will take a bold step forward and re-test killdisk in VBox again, but this time on the host's admin account, just to see once and for all if the virus can infect the host's MBR. I better have a reliable backup plan in place :eek: Stay tuned!
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    I'm glad someone has seen the light and recognized the speed and how snappy MD is at intercepting and blocking certain activities. There are a lot of people here always complaining about popups, but with MD you can configure it to have a Default Deny policy which blocks with ZERO POPUPS. Default Deny blocks all unknown executables and script executables from running. Just as good as or even better than AE2 or AE3.
     
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    It's not just unknown executables that you can make default deny while in training mode; it's anything, any app.

    By having separate groups for apps you can have some programs in training mode while at the same time you can have other apps in normal mode. After each app has finished its training mode time I simply put it in the normal mode lock-down group. The entire process from MD fresh install to everything going into normal mode = ZERO POPUPS. MD is the only HIPS which allows you to do this. This is another thing which makes MD superior to others. So for updating programs like Firefox etc. I temporarily pull it out of the normal group into the training mode group, so during the update process there are ZERO POPUPS. It's really no different than temporarily running your browser outside of Sandboxie to install updates.
     
  14. wat0114

    wat0114 Guest

    As per post #71, I have conducted a test of the killdisk malware samples in a VBox admin account running on the host admin account, in order to see if the MBR of the host's hard drive would get infected. Before I started testing, I had my doubts it would happen ;)

    Setup:

    1. Host System: Vista SP 2 running as full admin
    2. Security software on host: Outpost security suite with Host protection enabled
    3. VBox Guest System: XP Pro SP3, running as admin
    4. VBox security software: None
    5. Test samples: Selection of 4 killdisk files run via cmd line on VBox

    Results:

    All four samples I ran infected, as I expected, only the VBox guest's MBR. The host system's MBR was completely untouched. Outpost was on alert but of course detected nothing, because nothing escaped the VBox guest. As with my earlier testing, all I had to do was initiate the simple formality of reverting to the current snapshot and I was back in business in mere seconds. Ho-hum, this is almost too easy :isay: Ahh, confidence in VirtualBox is running extraordinarily high :D
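    A check of the kind the host-versus-guest MBR comparison above relies on, added here as an example and not taken from the thread or from any product it mentions: it parses a 512-byte MBR, baselines the boot code hash, disk signature and partition table, and reports which of those fields changed between two captures. The sample sectors are constructed for offline use; on a real host the baseline would be the first 512 bytes of the physical disk, read with administrator rights.

```python
import hashlib
import struct

MBR_SIZE = 512           # the MBR is the first sector of the disk
PART_TABLE_OFFSET = 446  # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"  # trailing signature at offset 510

def parse_mbr(sector):
    """Parse one 512-byte MBR into the fields worth baselining."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status, CHS start, type, CHS end, LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba, size = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba, "sectors": size})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "partitions": partitions,
    }

def mbr_differences(baseline, current):
    """Return the names of baselined fields that differ between two MBR captures."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return [field for field in b if b[field] != c[field]]

def build_sample_mbr(boot_code, partitions):
    """Construct a sample MBR for offline testing (constructed data, not a real disk)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[440:444] = b"\x12\x34\x56\x78"  # constructed disk signature
    for i, (status, ptype, lba, size) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba, size)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed "clean" capture: a short boot stub and one bootable NTFS-type partition.
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90" + b"\x90" * 64, [(0x80, 0x07, 2048, 1_000_000)])
# Constructed capture of the same disk after its boot sector has been wiped to zeros.
WIPED_MBR = bytes(MBR_SIZE)

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print(mbr_differences(CLEAN_MBR, WIPED_MBR))
```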
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Ok Arran, once more you've gotten my attention, and made me realize how little I really know about Malware Defender.

    I sure would appreciate it if you would start another thread and go step by step through how you do what you just mentioned. I bet I am not the only one who would appreciate it.

    Thanks,

    Pete
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Here is how I instigate MD's "Default Deny policy". . . .

    +Right-click MD's icon in the system tray to get pop-up menu.
    +On pop-up menu, left-click "Silent Mode".

    +While in Silent Mode, MD will silently deny all rules which have an ASK option.

    To revert. . . .

    +Right-click MD's icon in the system tray to get pop-up menu.
    +On pop-up menu, left-click "Normal Mode".


    Is there an easier way?
     
  17. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    I second that :)
     
  18. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Ctrl + Shift + Alt + S toggles Silent Mode. Ctrl + Shift + Alt + N gets you back to Normal Mode. Hot keys can be easily customized via Tools > Options > Hot Keys.
     
    Last edited: Sep 4, 2009
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Magnifique!

    10 Q :thumb:
     
  20. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell

    How do you choose which group remains in NORMAL mode and which in LEARNING mode?

    I see also Peter asked for it; hope you can do a step-by-step explanation.

    cheers
     
  21. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Yeah, I will first write up some form of instructions and make a new thread soon; don't want to throw this thread any further off topic.
     
  22. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    778
    Looking forward to this VERY much. Like Pete I hadn't realised just how versatile MD seems to be. You very likely have another convert :thumb:
     
  23. wat0114

    wat0114 Guest

    Yes, it's very secure not only as a testing environment but also as a normal user environment. One caveat with VBox, however, is that it is necessary to allow virtualbox.exe Internet access on the host system's application firewall, if applicable, as it is in my situation. The problem here is that virtualbox.exe acts as a proxy, of sorts, for any application, including browsers and email clients, running on the VBox guest system. So if you want to control Internet access for applications running on the VBox guest, you need to install an application firewall on it, meaning you basically have two software firewalls, guest and host, controlling network traffic for applications on the guest.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That is easy, but it's not what Arran is talking about. He's saying he can have most stuff work normally, but put a couple of programs in learning mode.
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks on both counts.
     