SQL slammer worm and ShadowSurfer

Discussion in 'sandboxing & virtualization' started by aigle, Aug 16, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,109
    Location:
    Saudi Arabia/ Pakistan
    Is it safe to play with SQL slammer worm in shadow mode of ShadowSurfer?
    Will Comodo stop its spread?

    Any ideas?

    Thanks
     
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    aigle, if I were you I'd either mess around with that worm on a test PC or use a virtualization app like the VMware one (or failing that Returnil :D ).
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,109
    Location:
    Saudi Arabia/ Pakistan
    Hi zopzop, Returnil is a bit similar to SS.
    You are right that the best choice will be a VM.
     
  4. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Hey aigle. I think Returnil is slightly safer than ShadowSurfer. I don't have time now, but I'll post a link to some tests someone ran on these boards.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,109
    Location:
    Saudi Arabia/ Pakistan
    Yeah, I know this, but SS will protect all partitions of my HD, which Returnil can't.
     
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Ah, I see. I only have 1 partition on my machine, so I never noticed Returnil only protects a single partition. Hmmm, I think using a virtualization program is your best bet, aigle (unless you have a second PC). But I wouldn't risk it, dude :D
     
  7. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,796
    Location:
    Hawaii
    Virtualization? Don't need no steenkin virtualization. Just make an image & try anything what you wishes, mon. :cool:

    P.S. I use SS, too. Ergo, I'm interested to see if anyone can answer aigle's question based on substantive trial data. Truly I am.
     
  8. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,097
    Location:
    Mountaineer Country
    Which version of Comodo are you going to test? 2.4 or beta 3? I'm just curious :cool:
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,109
    Location:
    Saudi Arabia/ Pakistan
    I have 2.4.

    I noticed that many FWs detect this sort of worm by signature-based IDS (like Norton and Kaspersky), but I am not sure if Comodo has such functionality or not.

    Can anybody throw some light on this?
    Thanks
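For readers wondering what the "signature-based IDS" mentioned above actually does, here is an added example that is not code from this thread, from Comodo, or from any of the products named. It implements two small rules over constructed UDP datagrams: a content signature built from the publicly documented shape of the Slammer packet (a single datagram to UDP/1434, a 376-byte payload whose first byte is 0x04 followed by a long run of 0x01 filler), and a behavioural rule that flags one source spraying UDP/1434 at many distinct hosts, which is the other thing a firewall can notice about this worm. The `UdpDatagram` class, the `FILLER_RUN_MIN` and scan `threshold` values, and all addresses and payloads are assumptions made for the example; the "worm" datagram is inert padding with only the size, type byte and filler pattern reproduced.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Constructed, minimal view of a UDP datagram: only the fields the two rules
# below need. A real IDS would parse IP and UDP headers to get these.
@dataclass(frozen=True)
class UdpDatagram:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    dport: int      # destination UDP port
    payload: bytes  # UDP payload

# Publicly documented traits of the Slammer datagram (SQL Server Resolution
# Service on UDP/1434, 376-byte payload, leading 0x04 "open" type byte, long
# run of 0x01 filler). FILLER_RUN_MIN is an assumption chosen for this example.
SSRS_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376
SLAMMER_OPEN_TYPE = 0x04
FILLER_RUN_MIN = 64


def matches_slammer_signature(dg: UdpDatagram) -> bool:
    """Content rule: port, exact payload length, type byte and 0x01 filler run."""
    p = dg.payload
    if dg.dport != SSRS_PORT or len(p) != SLAMMER_PAYLOAD_LEN or p[0] != SLAMMER_OPEN_TYPE:
        return False
    run = 0
    for b in p[1:]:
        if b != 0x01:
            break
        run += 1
    return run >= FILLER_RUN_MIN


class ScanDetector:
    """Behavioural rule: one source reaching many distinct hosts on UDP/1434."""

    def __init__(self, threshold: int = 20):  # threshold is an assumed value
        self.threshold = threshold
        self.targets = defaultdict(set)  # src -> set of dst addresses seen
        self.alerted = set()             # sources already reported once

    def observe(self, dg: UdpDatagram) -> bool:
        if dg.dport != SSRS_PORT:
            return False
        self.targets[dg.src].add(dg.dst)
        if len(self.targets[dg.src]) >= self.threshold and dg.src not in self.alerted:
            self.alerted.add(dg.src)
            return True
        return False


def inspect(datagrams: Iterable[UdpDatagram]) -> list[str]:
    """Run both rules over a stream of datagrams and return alert strings."""
    alerts = []
    scan = ScanDetector()
    for dg in datagrams:
        if matches_slammer_signature(dg):
            alerts.append(f"SIG slammer-like payload {dg.src} -> {dg.dst}:{dg.dport}")
        if scan.observe(dg):
            alerts.append(f"SCAN {dg.src} reached {scan.threshold} hosts on udp/{SSRS_PORT}")
    return alerts


def constructed_traffic() -> list[UdpDatagram]:
    """Constructed sample traffic: one benign request, one inert worm-shaped
    datagram, and a sweep of the same source across TEST-NET addresses."""
    benign = UdpDatagram("10.0.0.5", "10.0.0.10", SSRS_PORT, b"\x02")  # SSRS ping
    fake_worm = UdpDatagram(
        "10.0.0.77", "10.0.0.10", SSRS_PORT,
        bytes([SLAMMER_OPEN_TYPE]) + b"\x01" * 97 + b"\x00" * (SLAMMER_PAYLOAD_LEN - 98),
    )
    sweep = [UdpDatagram("10.0.0.77", f"192.0.2.{i}", SSRS_PORT, b"\x02") for i in range(1, 26)]
    return [benign, fake_worm] + sweep


if __name__ == "__main__":
    for alert in inspect(constructed_traffic()):
        print(alert)
```

The content rule is what a product with a Slammer signature does; the scan rule needs no signature and would also fire on the 1434 sweep a host-based firewall sees when an infected machine starts spraying packets, which is one reason a product without IDS signatures can still report something useful.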
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,109
    Location:
    Saudi Arabia/ Pakistan
    I would have used VM but I have no extra licence for XP.
     
    Last edited: Aug 17, 2007
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,109
    Location:
    Saudi Arabia/ Pakistan
    I could not resist and ran it anyway.

    First, I tried it in GW: ntvdm.exe executed isolated, there was an error message and nothing happened.

    Executed it outside GW.

    EQS gave two warnings:

    1- Explorer.exe executing ntvdm.exe - allowed
    2- Create file in C:\ - allowed

    I got a popup that Windows is shutting down by NT AUTHORITY.
    Rebooted and everything seems normal. Seems SS saved me from it.

    BTW no warnings from Comodo FW version 2 or Cyberhawk.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,109
    Location:
    Saudi Arabia/ Pakistan
    Execution with GesWall.
    (Four screenshot attachments: 1.jpg, 1 (1).jpg, 1 (2).jpg, 1 (3).jpg)
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,109
    Location:
    Saudi Arabia/ Pakistan
    For some strange reason, I am not able to run it again. It gives an error message. Anyway, I guess GW, EQS and SS were all successful against it, but I am not sure at all.
     