Virtualization/Rollback software test

Discussion in 'sandboxing & virtualization' started by Buster_BSA, Jul 1, 2010.

Thread Status:
Not open for further replies.
  1. dax123 (Registered Member; Joined: Jul 2, 2010; Posts: 58)

    Okay :D
    I'm looking forward to your results.

  2. Buster_BSA (Registered Member; Joined: Nov 29, 2009; Posts: 560)

    Results will be presented in the first post as I get them.

  3. Buster_BSA (Registered Member; Joined: Nov 29, 2009; Posts: 560)

    I know that in Leach's tests TDSS is able to infect a system protected with Shadow Defender.

    I have used the very same sample he used in his tests, but I was unable to reproduce the behaviour. In my tests TDSS is unable to survive the reboot when SD is protecting the partition.

  4. Meriadoc (Registered Member; Joined: Mar 28, 2006; Posts: 2,642; Location: Cymru)

    TDL/TDSS can be a fickle beast sometimes due to build, unusual drivers on the system, software...

    I had someone test Shadow Defender and TDL3 for me, and dogma needed a reboot in a VM and on the host. TDL3 could not get past the initial drop to a tmp file with SD, meaning that while there was a reference to the hidden driver there was not an active 'infection.'

    Going back to an earlier sample and also using TDSS 4DW4R3, Shadow Defender protected just fine, checked by WinHex.

    Shadow Defender v3.20

    edit: I have tested TDSS and the latest version of TDL3 with Shadow Defender and everything is gone after exiting shadow mode.

    Last edited: Jul 2, 2010
  5. Buster_BSA (Registered Member; Joined: Nov 29, 2009; Posts: 560)

    Question: Did anyone recently do a test like the ones we are doing right now? Let's say in the last 2 years.

  6. cruchot (Registered Member; Joined: Apr 20, 2009; Posts: 126; Location: Germany)

    What we can see: the vendors didn't.
    Really embarrassing.

  7. Leach (Registered Member; Joined: May 5, 2010; Posts: 84)

    Please check if your system is really infected before you reboot in shadow mode.

  8. Buster_BSA (Registered Member; Joined: Nov 29, 2009; Posts: 560)

    As you can see in the first post, I had no problems with the rest of the products. So I'm not doing something wrong.

  9. Coldmoon (Returnil Moderator; Joined: Sep 18, 2006; Posts: 2,981; Location: USA)

    Actually some did and then upgraded their products in various ways to address the reported issues. I would suggest looking through the older threads from 2007 - 2009 where a bypass was reported and then a fix released to address it. An interesting starting point would be the bluezannetti Light virtualization threads and then exploring other, product specific threads from that same time period.

    Don't be so quick to lump all vendors and developers into the same leaky boat as there are dedicated people in this field that are not just interested in riding the popularity of virtualization, but instead are truly interested in designing solutions that will bring about the end of the malware war - once and for all...

    Mike

  10. Leach (Registered Member; Joined: May 5, 2010; Posts: 84)

    Nope, please, you understood me wrong. I'm not talking about your or my errors. I've just noticed strange behaviour of the virus on my newly installed system in VirtualBox. The critter won't infect the system in shadow mode. Moreover, in real mode it may disappear from the system after checking with TDSSKiller. So on the first pass the system is infected, on the second the utility shows the system is clean! That's why I wanted to know whether the behaviour of your sample is the same as mine.

  11. Buster_BSA (Registered Member; Joined: Nov 29, 2009; Posts: 560)

    Ah, sorry, I didn't understand you correctly.

    I will check later if the system becomes infected while being in shadow mode.

  12. CloneRanger (Registered Member; Joined: Jan 4, 2006; Posts: 4,979)

    ALL virtualization software should prevent the installation of drivers on the REAL system? But not just drivers, anything and everything! After all, that's their modus operandi ;)

    At least some vendors are not asleep at the wheel, and have made efforts to combat the leakthroughs :thumb: Still some way to go obviously for most, but that's how it goes. As long as they are NOW taking these nasties Very seriously, that's good. Better late than never :p

    I agree, false advertising always gets them bit in the butt, sooner or later :D Same as the AV etc. vendors who do it. In the case of virtualization vendors, I imagine they never thought such nasties would be coded and released. Therefore up until a few years ago, they felt they were able to prevent ALL types of nasties from leaking through, and could rest on their laurels.

    Interesting times ahead, and not just for these nasties, but the ones to come, and they will no doubt :(

  13. Buster_BSA (Registered Member; Joined: Nov 29, 2009; Posts: 560)

    Virtualization software must wake up from its laurels.

    SafeSys remained pretty unknown and rarely found, but TDSS came to stay and is kicking hard.

  14. guest (Guest)

    I am using CTM; the test results are not good for me.
    Thanks for the excellent test.
    Do you still use Deep Freeze? :)

  15. Coldmoon (Returnil Moderator; Joined: Sep 18, 2006; Posts: 2,981; Location: USA)

    No, that is execution or driver blocking, not virtualization. The focus of virtualization is to roll back the system to a specific state or to simulate an environment.

  16. Buster_BSA (Registered Member; Joined: Nov 29, 2009; Posts: 560)

    I still use Deep Freeze, but not as an anti-malware layer anymore, just to avoid system changes performed by "normal" applications.

    Certain things I used to do I will not do anymore.

    My mind has changed after I discovered this issue.

  17. Buster_BSA (Registered Member; Joined: Nov 29, 2009; Posts: 560)

    But it seems like driver blocking while virtualizing a system is the only method to achieve a true roll back to a previous state. Isn't it?

    Last edited: Jul 2, 2010
  18. Coldmoon (Returnil Moderator; Joined: Sep 18, 2006; Posts: 2,981; Location: USA)

    Yes and no. That would be a valid method for maintaining the purity of the state you are trying to roll back to but is not required as a definition or "modus operandi" of virtualization itself. You can also achieve a pure roll back by maintaining a clean image or snapshot and then restoring the system to that state when required.

    The real issue occurs when you cannot determine whether the state you are trying to roll back to is actually clean and this is why execution blocking and detection have a role to play, just not the role the traditional security industry would try to lead you to believe...

    Mike

  19. Buster_BSA (Registered Member; Joined: Nov 29, 2009; Posts: 560)

    True, but then we would be talking about an imaging solution and not a virtualization solution. Right?

  20. Serapis (Registered Member; Joined: Nov 15, 2009; Posts: 241)

    Sorry to chime in late; Buster, thank you so much for your extensive testing session. I know that Sandboxie is not LV software of course, but I wanted to observe if the x64 version can do a good job at blocking drivers and also, after that, execution. Again, apologies for the transgression; I thought it would be interesting though.

  21. Buster_BSA (Registered Member; Joined: Nov 29, 2009; Posts: 560)

    I will try to test Sandboxie x64, but I don't promise anything as actually I don't have software to virtualize Windows x64.

  22. Buster_BSA (Registered Member; Joined: Nov 29, 2009; Posts: 560)

    I compared and they are the same.

    In fact the contradiction you found when testing Shadow Defender with TDSS becomes the same result compared to my test.

    From your list I miss a test of PowerShadow.

    I completely agree with your comment:

    The result is not only frustrating. I feel fooled by Faronics, and users of other software, except Shadow Defender users, should feel fooled by their respective vendors.

    With the exception of Shadow Defender, the rest of the virtualizing software is completely useless. We go naked when we run an executable.

    Conclusion: A disk imaging utility is secure. Almost all Rollback software is not.

  23. Buster_BSA (Registered Member; Joined: Nov 29, 2009; Posts: 560)

    I didn't know any of the software I was testing today except Deep Freeze. Anyway, I was able to install and test everything fine... until I reached Clean Slate.

    I'm unable to configure it in a way that it will roll back changes made to the system, restoring it to a previous state.

    So I need further instructions to configure and perform the test properly.

    Would you be so kind as to guide me, please?

  24. Coldmoon (Returnil Moderator; Joined: Sep 18, 2006; Posts: 2,981; Location: USA)

    This is not an accurate conclusion to draw as SD's virtualization technology has the same vulnerabilities as any other type of light virtualization solution. The key is to look at how it and the other solutions work to address those vulnerabilities.

    Imaging is simply another tool in the chest, is not a stand-alone solution, and can be achieved using the same technology as is used in light virtualization (boot-to-restore). True security comes from how these tools are used and why they are used, not simply using them to create a backup now and then.

    The disconnect I see here is trying to find the perfect virtualization program that can simply replace all other existing security technologies and strategies. Just as you would use a variety of tools to protect yourself physically, there is a similarity to protecting your PC from infection and ensuring it stays that way over time. The true test is whether the strategies and technology you use are proactive as a whole rather than just piling on in the hope you hit the target.

    Mike

  25. Meriadoc (Registered Member; Joined: Mar 28, 2006; Posts: 2,642; Location: Cymru)

    We must be careful to confirm any results and not rely on the tools used in the test to confirm or deny an existence.

    Last edited: Jul 2, 2010
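Meriadoc's caution above about not relying on the test tools themselves, and Coldmoon's earlier point (post 18) that the problem starts when you cannot tell whether the state you roll back to is actually clean, both come down to checking the disk independently of the rollback product. The script below is an added example, not code from this thread or from any of the products discussed: it records SHA-256 hashes of a file tree and a raw boot-sector image as a baseline, then compares a later state against it, so a file left behind after the rollback or a changed MBR shows up whatever the product itself reports. The directory layout, file names, driver contents and sector bytes are constructed for the demonstration; on a real test system the baseline would be taken before running the sample and the comparison after exiting shadow mode and rebooting.

```python
"""Independent before/after verification of a rollback (added example)."""
import hashlib
import tempfile
from pathlib import Path

SECTOR_SIZE = 512  # one disk sector; the MBR occupies sector 0


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root: Path) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its hash."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def diff_manifests(before: dict, after: dict) -> dict:
    """Anything that survived a rollback appears here as added or modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(
            p for p in set(before) & set(after) if before[p] != after[p]
        ),
    }


def diff_sector(before: bytes, after: bytes) -> list:
    """Byte offsets at which a raw sector image differs from its baseline."""
    if len(before) != len(after):
        raise ValueError("sector images differ in length")
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]


def rollback_is_clean(tree_diff: dict, sector_offsets: list) -> bool:
    """True only when neither the file tree nor the sector differs from baseline."""
    return not any(tree_diff.values()) and not sector_offsets


def demo() -> dict:
    """Simulate one test run: baseline, changes during the test, imperfect rollback."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        drivers = root / "Windows" / "System32" / "drivers"
        temp = root / "Windows" / "Temp"
        drivers.mkdir(parents=True)
        temp.mkdir()
        (drivers / "atapi.sys").write_bytes(b"clean driver")  # constructed content
        baseline = snapshot_tree(root)
        # Constructed baseline MBR: zeroed sector ending in the 0x55AA signature.
        mbr_before = bytes(SECTOR_SIZE - 2) + b"\x55\xaa"

        # Constructed changes standing in for what the sample did during the test:
        # a dropped temp file, a modified driver and a rewritten first MBR byte.
        (temp / "dropped.tmp").write_bytes(b"payload")
        (drivers / "atapi.sys").write_bytes(b"patched driver")
        mbr_after = b"\xeb" + mbr_before[1:]
        infected = diff_manifests(baseline, snapshot_tree(root))

        # A rollback that restores the file tree but leaves the MBR change in place.
        (temp / "dropped.tmp").unlink()
        (drivers / "atapi.sys").write_bytes(b"clean driver")
        tree_diff = diff_manifests(baseline, snapshot_tree(root))
        sector_offsets = diff_sector(mbr_before, mbr_after)
        return {
            "infected": {"tree": infected},
            "after_rollback": {
                "tree": tree_diff,
                "sector_offsets": sector_offsets,
                "clean": rollback_is_clean(tree_diff, sector_offsets),
            },
        }


if __name__ == "__main__":
    print(demo())
```

The file-tree manifest alone would report this simulated rollback as clean; only the sector comparison exposes the leftover MBR change, which is why both views are kept. On a real system the sector image is read from the raw disk device with administrator rights, and the baseline manifest and hash of the sector image should be stored off the machine under test so the comparison does not depend on anything the rollback product controls.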