SQL slammer worm and ShadowSurfer

Discussion in 'sandboxing & virtualization' started by aigle, Aug 16, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Is it safe to play with SQL slammer worm in shadow mode of ShadowSurfer?
    Will Comodo stop its spread?

    Any ideas?

    Thanks
     
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    aigle, if I were you I'd either mess around with that worm on a test PC or use a virtualization app like the VMware one (or failing that Returnil :D ).
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi zopzop, Returnil is a bit similar to SS.
    You are right that the best choice will be a VM.
     
  4. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Hey aigle. I think Returnil is slightly safer than ShadowSurfer. I don't have time now but I'll post a link to some tests someone ran on these boards.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ya, I know this, but SS will protect all partitions of my HD, which Returnil can't.
     
  6. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Ah, I see. I only have 1 partition on my machine so I never noticed Returnil only protects a single partition. Hmmm, I think using a virtualization program is your best bet aigle (unless you have a second PC). But I wouldn't risk it dude :D
     
  7. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Virtualization? Don't need no steenkin virtualization. Just make an image & try anything what you wishes, mon. :cool:

    P.S. I use SS, too. Ergo, I'm interested to see if anyone can answer aigle's question based on substantive trial data. Truly I am.
     
  8. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Which version of Comodo are you going to test? 2.4 or beta 3? I'm just curious :cool:
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have 2.4.

    I noticed that many FWs detect this sort of worm by sig-based IDS (like Norton and Kaspersky), but I am not sure if Comodo has such functionality or not.

    Can anybody throw some light on this?
    Thanks
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I would have used VM but I have no extra licence for XP.
     
    Last edited: Aug 17, 2007
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I could not resist and ran it anyway.

    First, tried in GW: ntvdm.exe executed isolated, there was an error message and nothing happened.

    Executed outside GW.

    EQS gave two warnings:

    1. Explorer.exe executing ntvdm.exe - allowed
    2. Create file in C:\ - allowed

    I got a popup that Windows is shutting down by NT AUTHORITY.
    Rebooted and everything seems normal. Seems SS saved me from it.

    BTW no warnings from Comodo FW version 2 or Cyberhawk.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Execution with GesWall.
    [Four screenshots attached: 1.jpg, 1 (1).jpg, 1 (2).jpg, 1 (3).jpg]
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    For some strange reason, I am not able to run it again. It gives an error message. Anyway, I guess GW, EQS and SS were all successful against it, but I am not sure at all.
     