TDL/TDSS trojan series bypassing isolation software

Discussion in 'sandboxing & virtualization' started by taleblou, Jun 29, 2010.

Thread Status:
Not open for further replies.
  1. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
Comodo Time Machine is tested - fail. This time I just ignored all requests to cure the system by TDSSKiller, just closed the window, except
    in the case of retesting. I'll try to show it in pictures; the initial system state is clean, of course:

    CTM_restored_snapshot.jpg

    CTM_restored_the_baseline.jpg

    CTM_baseline_delete_all_snapshots.jpg

    CTM_uninstall_to_baseline.jpg

    CTM2_uninstall_restore_to_currentstate.jpg


    Sorry, pictures just won't place right...
     
    Last edited by a moderator: Jul 1, 2010
  2. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Well, I wouldn't doubt in DW's abilities. Here we are:
    The critter just committed suicide in untrusted.
     

    Attached Files:

    Last edited: Jul 1, 2010
  3. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Nice screenshots. :)

    Now that you're in a testing mood, here's an idea that might make for an interesting test: create yourself a limited user account in Windows, and execute dogma.exe when you're logged in to that limited user account.

    Absolutely right.
     
  4. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
The trojan won't bypass Sandboxie; the result is the same as for DW - the malicious processes self-terminated after a few seconds.
     
  5. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
By Sandboxie, do you also mean the x64 version?
     
  6. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Hi Serapis,

    I didn't test 64-bit versions.
     
  7. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    XP LUA and ran SafeSys.exe.

Didn't seem to do much except drop a .tmp file within the LUA account.
    _mcvvd.tmp - Result: 39/41 (95.13%) - VirTool:WinNT/Rootkitdrv.LH

    TDSSKiller couldn't run in the LUA account.

Funny thing is that Malwarebytes picked up the _mcvvd.tmp.tmp but missed the SafeSys.exe with both a right-click scan and a quick scan run within the LUA account, but on rebooting into admin, a quick scan with Malwarebytes picks up both files?

    One.JPG

    Two.JPG
     
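    Windchild's suggestion above (run the sample while logged in to a limited user account) and Franklin's LUA result (only a .tmp file dropped inside the user profile) both depend on the test session really being limited. The PowerShell script below is an added example, not code from this thread or from any of the products discussed; it assumes Windows PowerShell 2.0 or later, and the probe file name and the "sample under test" step are the script's own placeholders. It reports whether the current account is an Administrator and whether it can create files in the drivers directory, then diffs the user's temp folder around a test run so a freshly dropped file stands out.

    ```powershell
    # Added example (not from the thread): confirm the test session really is a
    # limited user account, then diff the user's temp folder around a test run so
    # a dropped file like the _mcvvd.tmp reported above stands out.
    # Assumes Windows PowerShell 2.0 or later; probe path and names are this script's own.

    function Test-LimitedUserContext {
        $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
        $isAdmin   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

        # A limited user must not be able to create files in the drivers directory,
        # which is where a kernel-mode rootkit driver would have to be placed.
        $probe = Join-Path $env:SystemRoot 'System32\drivers\lua_probe.tmp'   # hypothetical probe name
        $canWriteDrivers = $false
        try {
            [System.IO.File]::WriteAllText($probe, 'probe')
            $canWriteDrivers = $true
            Remove-Item -LiteralPath $probe -Force
        } catch {
            # Access denied is the expected outcome for a limited user.
        }

        New-Object PSObject -Property @{
            User            = $id.Name
            IsAdministrator = $isAdmin
            CanWriteDrivers = $canWriteDrivers
            IsLimited       = ((-not $isAdmin) -and (-not $canWriteDrivers))
        }
    }

    function Get-TempSnapshot {
        # Hashtable keyed by full path so the diff is a simple lookup.
        $snap = @{}
        Get-ChildItem -Path $env:TEMP -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { $snap[$_.FullName] = $_.LastWriteTime }
        return $snap
    }

    function Compare-TempSnapshot {
        param([hashtable]$Before, [hashtable]$After)
        # Files present after the run that were absent before, or whose timestamp changed.
        foreach ($path in $After.Keys) {
            if ((-not $Before.ContainsKey($path)) -or ($Before[$path] -ne $After[$path])) {
                Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue |
                    Select-Object FullName, Length, LastWriteTime
            }
        }
    }

    # --- usage, run from inside the limited account ---
    $ctx = Test-LimitedUserContext
    $ctx | Format-List User, IsAdministrator, CanWriteDrivers, IsLimited
    if (-not $ctx.IsLimited) {
        Write-Warning 'This session is not a limited user; an LUA test here would not be meaningful.'
    }
    $before = Get-TempSnapshot
    # ... execute the sample under test here and wait a few seconds ...
    $after = Get-TempSnapshot
    Compare-TempSnapshot -Before $before -After $after | Format-Table -AutoSize
    ```

    The drivers-directory probe is the part worth keeping even outside a malware test: on a correctly configured limited account it must fail, and if it succeeds the account is effectively an administrator regardless of what the group membership check says.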
  8. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    771
Has anyone tried these against Returnil 2010, with and without the Anti-Execute function enabled?
     
  9. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,344
    Hi:

Well, I am for the Returnil and Comodo Time Machine tests as well. But I would also like to see the following application, "Fortres Grand Corporation: Virtual Sandbox Free Edition", tested as well, to see if it stops the TDL rootkits from bypassing it when it is downloaded. Also, if possible, test "BufferZone" as well.

    I know for a fact that Sandboxie fails, but if any of these sandbox-type programs pass the tests, then having a good sandbox would put us more at ease. Thanks in advance.
     
  10. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
I would test it but I can't find a clear link - the page with the free version is all flooded with adware, and the links I can see lead anywhere but RVS. Can anyone give me a straight link?
     
  11. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    HeHe - me thinks you are infected :D
     
  12. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
  13. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
Ok, this link was an especially hard one, thank you very much.

    RVS failed, sorry. The antivirus system was turned off - that was not the goal of the test. Other settings untouched.
     

    Attached Files:

  14. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
Please repeat the test with the Virus Guard and Anti-Execute options active, to test whether the user is protected using all the protections, for a baseline here.

    Thanks
    Mike
     
  15. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Looks like we win this time, the system is NOT infected after reboot!
     

    Attached Files:

  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Re: Wondershare Time Freeze - Giveaway

    Can you test Comodo Defense+ w/ SandBox? It should be included by default in all of the downloads here, although they don't advertise it.
     
  17. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,344
    Hi:

So the TDSS/TDL rootkit did not pass Sandboxie's defenses then. Hmm, that's good news, and so perhaps I should use Sandboxie then. Thanks for the tests. I was looking for a passing software and so far DefenseWall and Sandboxie are the only ones. Also, can you try "BufferZone Free" and let me know if it is any good? Thanks in advance. I am trying to make an effective security suite for my Windows PC that is good against TDL rootkits.

    Right now I am thinking of getting DefenseWall and Sandboxie. Waiting for your other tests. By the way, I have already made my hosts file read-only and am using MBRGuard.
     
  18. ViVek

    ViVek Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    575
    Location:
    Moon
  19. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Thanks for the link lunaticdreams, I have missed it. Alas:
     

    Attached Files:

• wtf2.jpg
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
If you get time, please test GesWall, ThreatFire and EAZ-FIX too. Did you use the latest version of CTM?

    Thanks
     
  21. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Yes, used the latest version - CTM_2.7.150952.175 beta.

    There may be differences in results. We are discussing the methodology with Buster_BSA right now as there are some mismatches we discovered.
     
  22. ViVek

    ViVek Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    575
    Location:
    Moon

    Thanks Leach ;)
     
  23. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,344
Here is something strange. Over at the Comodo forum they have tested a bunch of virtualization software against TDSS/TDL rootkits, and it seems something is at odds with the results over here. The result for "Shadow Defender", I mean?? Here is the result. Look at the Shadow Defender result? This is confusing.

    C&P
    worm works on VPC.
    Test was performed on XP SP3 with no updates.
    you can also see the related articles on wilders security and prevx
    Virtualization/Rollback software test
    TDL/TDSS trojan series bypassing isolation software
    Deep Freeze 7 bypassed

    A puzzle called SafeSys

    =====================================================
    RESULT against SafeSys Worm:
    CTM 2.7 beta - INFECTED
    CTM 2.6 - INFECTED
    Shadow Defender 1.1.0.325 - Not infected
Windows SteadyState 2.5 - INFECTED
    Wondershare Time Freeze 2.0 rev674 - INFECTED
    Returnil Virtual System 2010 (3.1.8774.5254) - INFECTED
    Deep Freeze 7.0.20.3172 - INFECTED
    Powershadow 2.2.2.21 - INFECTED
    Wondershare Time freeze 1.0 Free rev587 - INFECTED
    Rollback Rx Professional v9.1 - INFECTED
    EAZ-FIX -> INFECTED
    =====================================================

    =====================================================
    RESULT against TDSS infection:
    Shadow Defender 1.1.0.325 - Not infected*
    =====================================================

    (*: contradicts results from wilders security https://www.wilderssecurity.com/showpost.php?p=1704272&postcount=4
    Checked twice and found nothing. I'll test it under real environment for verification
    maybe his sample is stronger )

The result is frustrating,
    but Shadow Defender shows good results.
    I think we would rather use a disk imaging utility for security's sake.
     
  24. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,098
    Location:
    USA
This is what I have been thinking for quite some time. I do use Sandboxie and DefenseWall but have considered rollback or frozen-state software to not be the thing for me. I didn't like the idea of always having to reboot to clean out the system, or not being able to defrag, and on and on. Now we are learning they may not be as bulletproof as often advertised. Unless something new shows up that radically changes the landscape, I think I'll stay where I am. :)
     
  25. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    As yet I've not been able to bypass Shadow Defender with TDL/TDSS and I know my version of safesys does not either.
     