ShadowUser,DeepFreeze and the MBR

Discussion in 'sandboxing & virtualization' started by poirot, Jul 6, 2007.

Thread Status:
Not open for further replies.
  1. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Following recent discoveries that PowerShadow won't protect the MBR from tampering, I was just wondering what was the behaviour of ShadowUser and DeepFreeze in this respect.

    As a corollary, I'd like to know - provided that if one uses a serious HIPS it must be an unlikely occurrence - if and how a trojan or hacker could remotely manipulate one's MBR.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Shadowuser fails, and if I remember right Deepfreeze passes. Do a search on Killdisk.

    Ironically, testing with the Killdisk trojan, it was the AVs that were the stars. Using both KAV and F-prot, they refused to let Killdisk run. I had to disable both of them. Both ProSecurity and SSM do give you an alert to the direct disk activity, but if you accidentally allow it, then bye bye.

    What Killdisk does is corrupt the partition table. Don't know about remotely, but once on your machine it's not too hard.

    Pete
     
  3. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Thanks for your reply Peter2150, and also for your other thread about the Horus-HP Backup affair.
    I run PowerShadow in one PC and ShadowUser in the other one, so I should begin to worry, but, perhaps, I can rely on ProSecurity.... some more reboots and just one more cup of coffee to be awake when alerts show up.
    If even AVs can cope I hope Antivir can/will stop it as well, and this makes the picture less fearsome.
    Moreover, using SU or PS, depending on how long it takes for a Killdisk-like malware to bring about its deeds, I wonder if making frequent reboots, let's say one every couple of hours, can help in halting the threat.
    In addition to that I navigate the web with a limited account, which is ProSecurity protected, AV protected, ShadowUser protected, BOClean protected, firewall Application Behaviour protected,.... I think I would receive at least one alert of it.......:D ...perhaps......
     
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Killdisk does its work very quickly. Once you execute it, a little window with a Chinese-looking title pops up. Has an okay button on it. But at that point, regardless what you do, the system reboots, and that's it. Deed done. And you can't just restore an image.

    Returnil, later versions of Power shadow, and Sandboxie, all stop most of this stuff.

    I would continue to use Shadowuser, and try running Sandboxie with it.

    Pete
     
  5. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    If Killdisk goes after the partition table then how did PowerShadow 2.6 survive the test if PowerShadow doesn't protect the MBR?
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    I am not sure if it was 2.6. It's been a while since I did those tests. You're going to have to search for my posts to check it out now. I honestly don't remember.
     
  7. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I use ShadowSurfer -- a baby brother of ShadowUser. I never considered the possibility that it doesn't protect MBR.

    HOWEVER-- since MBR is so important, I have for some time been covering it with a 2nd layer of protection. Namely I periodically use the freebie HDHacker to back-up MBR to an external drive.
     
  8. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    I use ShadowUser without the Commit feature and don't save anything in it, so I have neutralized it into its baby brother Shadow Surfer....
    I've downloaded HDHacker, Bellgamin, thanks for letting us know about this programmer.
    Indeed it is a SECOND layer of protection, though, in the sense that if a Killdisk-like malware gets going, as Peter2150 says, it's already too late to do anything.
    It is useful for 'normal' unfortunate events, though, but not for hard-core and lightning fast ones which deal with the MBR....
    We need something for that as I think it's too risky to rely on a HIPS alert, be it ProSecurity or SSM, or even a BB.......... I had many, but I think a moment of stupidity can happen to anyone....

    What kind of sandboxing do you think might be the answer for my setup, Peter2150? (ltd Account, Boclean, ProSecurity, ShadowUser)
    Are you thinking about a Buffer-Zone type or a Defense-Wall one?
     
  9. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    If you don't want to change your setup, I'd try Sandboxie, and see if it plays well. You could use the commit function in SU to have a safe folder to move something you download into the sandbox to, for safe reboot keeping.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Downloaded HDhacker, but I am not sure how it would really help in the Killdisk attack.

    Bellgamin, you mentioned you use it, so I turn it to you. How would you use it to recover from a Killdisk attack? Machine doesn't boot as partition table has been corrupted. What does HDhacker give you and how do you use it? I looked at it, and didn't see it helping.

    Pete
     
  11. Jo Ann

    Jo Ann Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    508
    Fwiw, I do know that Prevx stops the killdisk virus ever since Prevx1, and Prevx2 is better yet! ;)
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    A few neat solutions:

    MBR corruption is nothing serious. If you use Windows loader, then it's just fixmbr, if you are using GRUB, then it's find /boot/grub/stage1 and set it up again.

    How to salvage destroyed partition table? Well, I have mentioned it quite a few times, and the links are included in my lists of cool tools.

    TestDisk
    http://www.cgsecurity.org/wiki/TestDisk

    Comes on Knoppix or SystemRescueCD live CDs.

    http://www.knoppix.org/

    http://www.sysresccd.org/System-tools

    Then, don't forget other great tools like GParted, QTParted, Partimage, Grub, Lilo, sfdisk, which are more than useful, plus running from live CDs, so it's not really important if system is bootable or not.

    Most of these tools are included with the two live CDs.

    Mrk
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Hi MRk

    Thanks for the links. The catch-22 I got into when I really messed up the partition table (made Killdisk look like a baby): I couldn't even boot the Windows XP CD. It BSOD'd. Many of the above tools wouldn't have worked as they couldn't have seen my disks, because of the nvidia raid drivers not being present. Disk drivers can be an issue.

    Pete
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    TestDisk would have worked. Trust me. It's a magnificent piece of tool.

    My brother had a disk that got its first sector moved to the last. Don't ask how. But TestDisk saved the comp like charm.

    BTW, you can try to break the system again and see how superbly powerful these tools are.

    Mrk
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    No doubt it would have done its job if I could have run it. But the only recovery environments I've had any success in are Windows variants, such as BartPE or WinPE or VistaPE and of course the Windows CD. All of these were blue screening. WD has a great DOS based utility also, but it couldn't see the disks. I am going to test DBAN, but what did work was BootitNG.

    And honestly this one test I'd prefer not to repeat.

    Pete
     
  16. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    I mentioned HDHacker only because, AFAIK, it's one of the few stand-alone apps that can back-up & restore MBR per se.

    Since I image often to an external drive, & retain copies going back several weeks, THAT (not HDHacker) is my *security* against killdisk, HD failure, tsunamis, jishins, & the heartbreak of psoriasis. :)

    For power users, I might mention Terabyte's free MBRWork. MBRWork is a DOS application. DOS is probably where you want to be when Windows is in bad straits, right? Yes, DOS is still available in XP & (AFAIK) in Vista.

    MBRWork can perform the following:
    1 - Backup the first track on a hard drive.
    2 - Restore the backup file.
    3 - Reset the EMBR area to all zeros.
    4 - Reset the MBR area to all zeros.
    5 - Install standard MBR Code
    6 - Set a partition active (avail on the command line too)
    7 - Work with multiple hard drives.
    8 - Edit MBR partition entry values.
    A - If no partitions exist in the MBR and no EMBR exists then this option will allow you to recover lost FAT, HPFS, NTFS, and Extended partitions.
    C - Capture up to 64 disk sectors to a file.
    R - Restore up to 64 disk sectors from a file. This feature should only be used by those* who completely understand what they are doing!
    T - Transfer/Copy sectors from disk to disk. This feature should only be used by those* who completely understand what they are doing!
    P - Compare sectors.

    * I am NOT one of "those." I have no idea of what I'm talking about.
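
Added example (not part of any post in this thread and not code from HDHacker, MBRWork or TestDisk): the thread separates damage to the MBR boot code from damage to the partition table, so this sketch parses a 512-byte sector-0 backup and reports which region of a later copy differs from it. It assumes the backup is a raw dump of sector 0; the sample sector and the function names are constructed for illustration.

```python
import struct

SECTOR = 512
PT_OFFSET, PT_ENTRY, SIG_OFFSET = 446, 16, 510  # classic MBR layout
REGIONS = {  # byte ranges inside sector 0
    "boot_code": (0, PT_OFFSET),
    "partition_table": (PT_OFFSET, SIG_OFFSET),
    "signature": (SIG_OFFSET, SECTOR),
}

def parse_mbr(sector):
    """Return the used partition entries of one 512-byte MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR backup must be exactly 512 bytes")
    if sector[SIG_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        start = PT_OFFSET + i * PT_ENTRY
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, count
        status, ptype, lba, count = struct.unpack(
            "<B3xB3xII", sector[start:start + PT_ENTRY])
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"slot": i, "active": status == 0x80,
                          "type": ptype, "start_lba": lba, "sectors": count})
    return parts

def diff_mbr(backup, current):
    """Name the MBR regions where `current` differs from the known-good backup."""
    if len(backup) != SECTOR or len(current) != SECTOR:
        raise ValueError("both inputs must be 512-byte sectors")
    return [name for name, (a, b) in REGIONS.items()
            if backup[a:b] != current[a:b]]

def make_sample():
    """Constructed sector: filler boot code, one active NTFS (0x07) partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 204800)
    return b"\xfa" * PT_OFFSET + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    good = make_sample()
    # Constructed damaged copy: partition table zeroed, boot code untouched.
    damaged = good[:PT_OFFSET] + bytes(64) + good[SIG_OFFSET:]
    print("backup partitions:", parse_mbr(good))
    print("changed regions:  ", diff_mbr(good, damaged))
    print("partitions left:  ", parse_mbr(damaged))
```

A result of only "boot_code" points at the loader, while "partition_table" means the backed-up entries (start LBA and sector count) are what a recovery tool needs to put back.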
     
