TDL/TDSS trojan series bypassing isolation software

Discussion in 'sandboxing & virtualization' started by taleblou, Jun 29, 2010.

Thread Status:
Not open for further replies.
  1. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Bump :p
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    Perhaps the reason you've not received an answer is that not many have tested both products to see which is "better".

    I've tested every drive-by I can find using Faronics AE and nothing gets by. AE is Default-Deny.

    ----
    rich
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,152
    Location:
    UK / Pakistan
  4. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Working here. They did take a long time to load up
     
  5. tlu

    tlu Guest

    Or, alternatively, a LUA/SRP combo.
     
  6. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,282
    Hi:

    No it was not sandboxie forced me to use linux. I just got pissed after loosing all my stuff with the sandboxie installation and all the headache I had with windows. Linux is so much problem free. lol. I always had issues with sandboxie in the past. It slowed my pc reboot time and took a long time for browsers to open, etc. and now the BSOD. Heck sandboxie is a heavy software. Anyway from now on I will stay away from sandboxie and will never buy or pay to microsoft products ever (since bill gate has joined the rank of ruling elite and bilderburgs (the illuminati) and has asked for the implementation of savage bilderburg and illuminati policies). Everyone should boycott MS.
     
  7. the_sly_dog

    the_sly_dog Registered Member

    Joined:
    Feb 28, 2006
    Posts:
    297
    Location:
    The Heart Of London
    Sandboxie for me is the hidden gem of the internet i purchased it 1-2 years ago and love it fantastic software//

    Is running defenswall like being in lua/srp Mode o_O? Or am i misunderstanding things
     
  8. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    @ the sly dog

    Defensewall is for your computer what Sandboxie is for your browser.
     
  9. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    657
    Today I got someone to try a hardware based solution against TDSS. The hardware was a Custodius Enterprise:

    http://www.custodius.com/eng/html/enterprise.html

    The result is that TDSS was still installed on the system after rebooting.

    I´ld not be surprised to find out that all hardware solutions rely on software for doing the rollback part so they are vulnerable.
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    That is because these PCI hardware based rollback solutions need a SOFTWARE driver! I was totally flabbergasted when I discovered this a while ago. Only solutions like CoreRestore are 100% hardware. See this thread.
     
  11. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    657
    I´ld not call "solution" to something that can not be purchased and that will not work on actual PCs. ;) :p
     
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    boom boody-boom boody-boom boody-boom
    :) :cool:
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    657
    I don´t know that song, I only know "boom boom" by John Lee Hooker. :p
     
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
  15. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    15,302
    Location:
    UK
    I think I recognize that :)

    Is it ...Goodness gracious me by Peter Sellers?

    (sorry for going OT)
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    This may be an indication it's time to close this thread, but lets "sing" our way to back on topic.

    Pete
     
  17. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Guys I would recommend that threads like this one be archived in the forum section sticky in order to make sure that these bypasses are kept track of and the issue and method revisited in the future. This would be crucial in making sure which products are safe enough to recommend for people seeking a LV security solution.
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    DefenseWall prvides an isolated environment for guarded programs and files downloaded by those programs. DefenseWall isolation goes beyond LUA/SRP.

    On XP processes and objects of a limited application can touch processes and objects of higher rights processes with the exception of data stored in Windows and Program Files directory and the HKLM hive of the registry. In Vista and Windows 7 lower rights objects can not touch higher rights objects, this still leaves open side by side infection (objects of simular rights). LUA/SRP can only be set on user/group level, while DefenseWall provides granular control on process level (which will be done automatically for you).

    In XP/Vista/Windows you also have something called ACL (Access Control Rights), these can only be evoked on a user or group level applying on files and directories. DefenseWall also captures files of guarded applications. Meaning the stronger than ACL protection is automatically set on a per program basis (applying on downloaded files, user defined directories).

    So yes can be compared in the sense that a Hummer and a tank both provide transport and safety to soldiers, but they are from a different league to defend against malware.

    Regards Kees
     
  19. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,760
    Location:
    Location Unknown
    I am interested to know anyone's thought on Returnil Light 2011, and whether it can be infected with this.
     
  20. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    With the system guard enabled and any unknown.sys denied then no.
     
  21. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Can anyone test TDL/TDSS trojan against Kaspersky Internet Security 2011 CF1 (11.0.1.400)? KIS 2011 has "Safe Run for Applications" feature, which turns desktop to secure sandboxed desktop and don't allow installation of drivers. Moreover, any application can be started in its sandbox via right click on normal desktop. It would be interesting to know its resistant/capability against TDL/TDSS trojan.

    EDIT: According to my tests in Windows 7 x86 Virtual Machine (MS Virtual PC 2007 SP1) + Kaspersky Internet Security 2011 CF1 (11.0.1.400) with disabled File Anti-Virus , TDSS (Trojan.Win32.Tdss.bdmh) and other malwares requiring installation of driver in "Safe Run for Applications" mode, all of them failed. Moreover, exiting "Safe Run for Applications" recovered normal desktop.

    It would be nice to see tests by Leach.
     
    Last edited: Jul 29, 2010
  22. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    hi,

    This test are good to point out limits of security, especially if we consider that "Software as security" is a religion for most users
    I personally appreciate the post of Buster Bsa against pretentious marketing of some editors, but by experience i know that it is a lost game.
    It's currently difficult to find a soft editor that launch a defeating challenge to prove the effectiveness of their products.
    Some have done it in the past like Faronics/Deep Freeze but have been defeated of course.
    I'm wonder why talking about AE, because there is no need additional soft to prevent this accomplished (bravo) rootkit: give me an unpatched XP SP1 under admin account, without av/HIPS/firewall and this rootkit will not be able to install anything...because it won't be able to write on disk :)
    Testing under VM is not useful because many malwares uses armoring techniques to evade malware analysis (anti-vm and debugging), possible with packers as it is the case for this rootkit (but stealth debugging can be done with IDAStealth plugin).
    There is aklso hardware recovery solution alernative to deepfreeze and co designed for forensic purpose, but unfortunately too expensive.

    Well...many things to say without time...as Blue thread is closed as a sticky, and as some users might be interested in other choice (is freedom) or test, i mention here some similar products:

    PC Vaccine: http://www.fsn.com.my/
    SysFreezer: http://cafesuite.net/sysfreezer or http://sysfreezer.com/
    Magic Restore: http://eunisol.com/P_Magicrestore.htm
    SmartShield (Centurion technology like DriveVaccine): http://www.smart-shield.biz/Home/ (download http://www.codework-systems.com/products/centurion/smartshield/smart-shield-download-page/ )

    Instant Recovery: http://www.instantrecovery.net/overview.htm
    SafeSpace: http://www.artificialdynamics.com/content/products/register-personal.aspx
    Virtual Protect: http://download.cnet.com/VirtualProtect/3000-8022_4-10902410.html (free)
    Icore Virtual Account (security as a Service) : http://icoresoftware.com/
    magicure: http://www.magicuresoft.com/

    Regards
     
  23. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thanks for posting kareldjag. :)

    Didn't know about those applications.
     
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    @ kareldjag

    Nice to see you still popping in now and then ;)

    I'd only heard of 3 of them !

    Be interesting to see how they cope, or not :D
     
  25. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    657
    Thank you.

    It´s a lost game because I´m not living at USA. If I was there I´ld sue the companies. Sadly I´m in a country where I doubt anything can be done to stop editors from using pretentious marketing.

    Could you mention what hardware recovery solution is it, please? I got someone testing a Custodius card (www.custodius.com) and it was bypassed because the rollback is done by software, not hardware.

    Thanks for the list! As soon as I have time I will test them.

    I think it´s fair to put every vendor where it deserves.

    Regards.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.