New sandbox/virtulization bypass under ring3

LOL @ RoboDog, the dog of RoboForm to make it look more trusty.

 

i was too chicken to try it out for myself when i got a hold of the file. but i post over on the comodo forums and it seems one of the their members there had the file already and tested it out. comodo passed.

 

How does CFP stands against it--

http://forums.comodo.com/leak_testi...doesnt_need_admin_rights_to_run-t17705.0.html

(thanks zopzop for the link)

 

Well, I got a sample <snipped>, but I´m not sure what to think of it. What is it supposed to do? When I let it do all its stuff, I can still reboot my machine, wasn´t it supposed to make it unbootable?

Btw, NG didn´t give me a single alert, but this may be because it malfunctions at the moment in my VM, not sure. SSM gave me alerts about PassDiskProtect_C.exe wanting to modify/take control of the second/duplicate process, you don´t see this normally, so it´s already a clue that it´s probably malicious. Of course I also got to see the alert about "low level disk access". The problem is that it doesn´t make any difference if I allow or block all of this, so again, what is it supposed to do?

 

Wonder what is the PM. If something about his Q why not here so all of us will know.

 

Huh? That´s not completely true Peter2150, after all, you did give me instructions on how to use the test. And sorry about my little mistake, I didn´t know that. But anyway, I followed your instructions (I clicked "enter" 3 times) but still no luck, I can still reboot my machine. Does it do anything else? Am I infected after executing this tool? I really don´t know why this tool refuses to wreck up my OS.

 

Generally, we consider this a good thing.

As for the state of your machine after the use of any "tool", you really need to appreciate that this is probably a path you shouldn't be walking down if you can't independently perform a detailed systems recheck and validation.

Blue

 

Yes of course, but for testing purposes I need to see what this tool is capable of, otherwise I can´t test if my HIPS can in fact stop it or not. And all testing is done inside a VM.

I´m not sure what you mean, but isn´t this a matter of knowing which tools to use to spot infections? Or do you mean that I better make sure that I can restore the machine to a certain point? This can be easily done inside a VM.

 

Make no assumptions and always consider the outcome of a worst case scenario - which, with this type of situation, could be your machine is rendered nonfunctional outside of the VM (How? nothing fancy - typically user error). Can you fix that situation on your own if it happened right now? Yes, I mean this minute - complete recovery of the machine. If so, you're fine. If not, perhaps some additional planning is in order.

Blue