TDL/TDSS trojan series bypassing isolation software

a TDL rootkit passed through time freeze

Hi:
I am disappointed at time freeze. I got it on the free giveaway and it failed for me to protect the pc I used it from malwares (eventhough I used optimum setting). I had to format to be sure all is clean and back to the shadow defender on that pc. In my openion time freeze is not worth it. I got infected with a TDL rootkit that passed through time freeze and deeply infected my windows xp sp2 pc.

P.S. I got infected with the malware also in my test pc with time freeze on and using malwaredomainlist malwares. It seems only rootkits made through??

 

Re: Wondershare Time Freeze - Giveaway

taleblou,

Thanks for warnings although I made a massive amount of tests since I installed it including malwarebytes domains. Possibly I haven't got the malware which could pass through WTF but any program can be bypassed sooner or later, Shadow Defender is not an exсeption, have a look at Deep Freeze thread. I would still use Shadow Defender but at the time I tested Defense Wall it had a conflict with SD - sporadic slowdowns on startup. WTF can make drives ReadOnly, a possibility which I find very usefull and haven't seen free. It suits me quite well - I use a clone of a real system more often than a fresh and clean VM installation. Besides it won't slow down the system at all which happens when you use VM or sandbox. Haven't seen any signs of vulnerabilities but I'll have a closer look into it.

 

Re: Wondershare Time Freeze - Giveaway

Hi:

Yeah I was shocked too. From all the positive reading I done and demos I seen I thought time-freeze was bullet proof and even has boot protection feature but I was surprised when I got infected and I only noticed it when I ran hitman pro 305 and it was the only one out of the 5 antimalware programs I used to scan that detected the TDL rootkit. By the way before installing the time freze I had scanned the pc with all 5 anti-mlawares incl. hitman pro and all was clean. Therefore the infection happened after time freeze was protecting.

If you want to test time freeze I suggest try malwaredomainlist links, specialy the TDL rootkits and see for yourself.

By the 5 anti-malwares I use for scanning are: a-square free, malwarebyte, superantispyware, hitman pro, Comodo.

P.S. I have e-mailed wondershare about this and waiting for their reply.

 

Re: Wondershare Time Freeze - Giveaway

Hi taleblou,

Made some research and got interesting results about TDSS TDL you mentioned. I got a bunch of critters of the TDSS serie
and tried them against Time Freeze v1.0.0.1 and then against Shadow Defender v1.1.0.325, both are configured to
reset the original state of the OS after reboot. XP sp3 x32 has been used installed on VirtualPC, the latest updates
applied. To check if the system is infected or not I used a special utility TDSSKiller by Kaspersky Lab. No antivirus were
installed, only shadowing systems and Delfi 7 with some libs.

The procedure is rather simple -
a) The system is checked with TDSSKiller and shadow mode is turned on
b) Samples are launched directly from the desktop one at a time to avoid "self false positive detection" of a rootkit and
thus refusing to install. Smart viruses are checking their presence in a system before trying to infect it.
c) After a short downtime the system is rebooted and checked with TDSSKiller again after a short downtime. A delay
is needed to let the rootkit initialize / start normally after reboot because some versions use a short delay after system
restart before initialising to avoid detection by anti-rootkit programs.

I have tested it twice to be sure and the results are identical. The fact is this sample of TDSS trojan is detected by AV
programs, two of them I used at least - MBAM and SuperAntiSpyware. You were right - WTF has been compromised,
and so was I - Shadow Defender is not an exception. The second sample has bypassed Time Freeze as well as Shadow
Defender later. In both cases the OS has been infected with a rootkit after reboot and the shadowing systems supposedly
cleaned OS.
Here are some screen shots:









Mods, Sorry, I didn't expect such a mess. Can it be cured?

 

Re: Wondershare Time Freeze - Giveaway

Hi;
Thanks for the test. I appreciate it. ALso can you test comodo time machine and returnil against these tdss tdk rootkits and please let me know if they pass the test or not. Please tell me so if any of them passes the test then I will use that software for protection. Thanks in advance.

Looking forward to your test result on comodo time-machine and returnil.

 

Re: Wondershare Time Freeze - Giveaway

Hi Leach, what version of ShadowDefender were you using and what is the md5 or sha1 hash of the tdl/tdss (dogma.exe) you were using, thanks.

latest
md5 : 55A16DB3018A69A7D27F0DEAF632273F
sha-1 : 1B1B5AF63CB048FCF47BDCE96CCFEA1301034137

 

Well i tried to get a new thread going MBR bypass thread https://www.wilderssecurity.com/showthread.php?t=276136 as i felt it would be useful in many ways.

As you can see it's been locked rather early on But the reasons for that, and why this one has been started in it's place, have been explained to me, and i understand and agree

So we're good to go

 

How does Cleanslate 6.5 fare against these rootkits?

 

Hi Leach,

Please test DefenseWall 3.03 against these rootkits. You can download it here:
DefenseWall_Personal_Firewall V 3.03

 

did it pass sandboxie?...since it did to sd and tf

 

Re: a TDL rootkit passed through time freeze

Can you explain how the infection occurred? Drive-by download? P2P?, etc.

Thanks,

-rich

 

I've tested hundreds of TDL/TDSS samples using Sandboxie and none have touched the real system.

 

Sandboxie doesn´t allow installing drivers, that´s why Sandboxie can not be bypassed that way.

Leach: You got a PM.

 

Indeed. Permitting driver install is a recipe for disaster.

 

The dogma.exes seem to be VM aware?

Tested Bufferzone, Sandboxie and Defensewall 3.03 against SafeSys.exe.

All three seemed to contain or cannot run fully and delete all dregs, or at least that's what TDSSKiller and Malwarebytes scans are showing.

 

great,thanks

 

Read this for more information....

https://www.wilderssecurity.com/showthread.php?t=276023

 

@Franklin I had to reboot the vm (vmware 7.0.1) to get it to work so could not test ShadowDefender in vmware.

dogma.exe md5 : 55A16DB3018A69A7D27F0DEAF632273F

retrieved config.ini from tdl3 rootkit

 

Thanks Meriadoc, will give it a go.

 

Whatever demonstrated Sandboxie bypasses that existed last year have been addressed. None of those bypasses had the ability to successfully install a driver on the real system.

 

Thanks for the testing Franklin.

 

Read it again...I am not talking about SandboxIE, i am talking about Avast Sandbox...

 

I know, but others were. I was just clarifying the situation regarding Sandboxie.

 

hey thanks for the link,,,good to know sbie is stronger.,effective.

 

Re: Wondershare Time Freeze - Giveaway

md5: 55a16db3018a69a7d27f0deaf632273f *dogma.exe

Good you found the sample - I just wanted to ask for a help.

Shadow Defender with full DEP enabled has been tested by request - no changes except the targeted .DLL, system remains infected.