Virtualization/Rollback software test

Discussion in 'sandboxing & virtualization' started by Buster_BSA, Jul 1, 2010.

Thread Status:
Not open for further replies.
  1. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Oh, I'm sorry about that; I haven't a clue as to how this feature works, tbh. I am/was interested in how CleanSlate fares in a variety of tests because I was considering it as a legitimate replacement for SD if it's abandoned. But I guess I'll stick with Shadow Defender for some time now :cautious: :D
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,983
    Location:
    California
    Same here -- I and others discovered this issue several years ago.

    Here is some background information which you might find useful:

    In June, 2008, Wilders member QQ2595 from China posted here about the cs.exe malware as being similar to the Robot Dog malware:

    https://www.wilderssecurity.com/showpost.php?p=1260887&postcount=62
    https://www.wilderssecurity.com/showpost.php?p=1234098&postcount=24
    https://www.wilderssecurity.com/showpost.php?p=1219502&postcount=12
    And from the same post, this prophetic statement:

    https://www.wilderssecurity.com/showpost.php?p=1167833&postcount=30
    [Deep Freeze uses these types of filters]

    https://www.wilderssecurity.com/showpost.php?p=1159409&postcount=63
    In January, 2008, I became aware of this MBR rootkit:

    Master Boot Record rootkit
    2008-01-08,
    http://isc.sans.edu/diary.html?storyid=3820
    I contacted Faronics and was told that they knew about this and it seemed similar to the Robot Dog malware which they had obtained.

    I requested to be notified about their test results, but never heard back.

    Meanwhile, I began my own research and after perusing some of the developer forums, I concluded that there was no fix for this vulnerability in this type of ISR rollback product. It would have to be redesigned. I also learned that Faronics had known about this since November, 2007.

    Evidently Returnil developers felt the same way about ISR as a standalone, and Coldmoon (Mike) of Returnil posted this in June, 2008:

    https://www.wilderssecurity.com/showpost.php?p=1260143&postcount=21

    In other words, the only protection for this type of ISR is to block the malware from executing in the first place.

    I had already been advising people to install Anti-Executable alongside Deep Freeze, and I discovered that many of my friends involved in computer security were also doing similar with different products.

    While I was sorry not to have heard anything back from Faronics, I left it as their problem, and I'm disappointed that they have continued to advertise Deep Freeze's robust protection.


    ----
    rich
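    As an added example (not code from this thread, nor from Deep Freeze, Returnil or any other product named here), a defender-side check for the scenario rich describes: an MBR rootkit writes directly to the disk, below the filter driver an ISR rollback product relies on, so a reboot does not undo it, and the practical detection is to snapshot sector 0 and compare it against a trusted baseline. It assumes Python 3; the sample MBRs are constructed, and read_mbr() needs raw-device access (Administrator or root).

```python
import hashlib
import struct

MBR_SIZE = 512              # sector 0 of the disk
PART_TABLE_OFFSET = 446     # four 16-byte partition entries follow the bootstrap code
PART_ENTRY = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def parse_mbr(mbr: bytes) -> dict:
    """Parse a 512-byte MBR into a hash of the bootstrap code, the partition table and the signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # partition type 0 marks an unused slot
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest(),
            "partitions": parts, "valid_signature": mbr[510:512] == b"\x55\xaa"}

def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings where the current MBR differs from the trusted baseline (empty list = unchanged)."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("bootstrap code changed: the kind of modification an MBR rootkit makes")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    if not c["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not from a real disk): given bootstrap bytes plus one bootable NTFS partition."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def read_mbr(device: str) -> bytes:
    # Read sector 0 of a raw device, e.g. \\.\PhysicalDrive0 on Windows or /dev/sda on Linux (needs admin/root).
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)

def demo() -> list:
    """Offline demonstration on constructed data: a clean baseline versus a tampered bootstrap."""
    baseline = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")   # clean bootstrap bytes (constructed)
    tampered = build_sample_mbr(b"\xeb\xfe")               # overwritten bootstrap (constructed)
    return diff_mbr(baseline, tampered)
```

    To use it on a live machine, save read_mbr() output from a known-clean disk as the baseline and run diff_mbr() against a fresh read after each test, since an ISR product that "restores" the system cannot be trusted to report this itself.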
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,726
    Very interesting. What about LUA, group policies (whitelist, like default-deny SRP), and other built-in system hardening?

    Is there anything that can bypass those?
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,983
    Location:
    California
    You might ask Buster to test in a LUA. My understanding of the malware that writes directly to the disk controller is that it needs Administrator privileges.

    See here for the analysis I quote about the TDSS rootkit tricking the user for Administrator privileges:

    https://www.wilderssecurity.com/showthread.php?p=1705163#post1705163

    ----
    rich
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,979
    Personally, I'm not in the slightest bit concerned about getting infected, as I have several good quality solutions in place. The main one is NOT electronic/software, but me. I don't allow things I'm not sure about to run. The main reason I would choose VS is for privacy, not security. Meaning, every time I shutdown/reboot, my previous unwanted work/session/s etc. are permanently deleted :thumb:

    ***************

    @Coldmoon

    RVS 2010 Home Lux/Classic/Free and RVS 2010 Enterprise Premier/Classic

    http://www.returnilvirtualsystem.com/rvs-home-free

    So I'm trying to understand how the installation of drivers/anything/everything can happen to the REAL system, if it's the cloned system that stuff is installed etc. in?

    TIA
     
  6. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    So wait, does restoring snapshots or system images wipe these types of viruses??

    Does Returnil utilize and construct a system image of the underlying OS, or does it utilize a buffer area on the disk to save changes?

    I think there's a big difference o_O
     
  7. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Sorry if this is redundant, I'm really tired, but I read something about anti-executable software to be used in conjunction with SD, Deep Freeze etc.
    I know of AE. Who else makes anti executable software?
    And do I need it if I'm using Sandboxie instead of SD?
    Thanks.
    Hugger
     
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    If we cannot trust Kaspersky's tool and DrWeb CureIt (the tool I use to confirm SafeSys infection), what do you suggest then?
     
    Last edited: Jul 3, 2010
  9. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Thank you very much for putting all the information together.

    I'm astonished! I don't understand how it is possible that information of this importance has been ignored and remained unknown to the big majority for so long.

    Obviously, vendors like Faronics contributed to this situation by ignoring the problem and acting as if everything was fine. Reading the publicity for the products, nobody would think there is a vulnerability/weakness in the software that makes them rubbish.

    Rmus: I think that users like you, who were aware of the problem, could have done much more to spread the word about it. E.g. there should exist a sticky post titled "The truth about virtualization software" where the problem that this kind of software has is explained.

    Whom should we contact to get it posted?

    This problem has been ignored for too long and I think it's time to address it properly.

    Regards.
     
  10. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    SafeSys is aware of VBOX and partial sandboxes (like Sandboxie). It doesn't infect the system if it detects the sandbox.
    Under LUA, it removes itself.
    I don't know about TDSS, but maybe it does, too (I guess).
    VPC works.

    We should test these on real machines, not just in the virtual environment.
    Actually, we can't totally trust the VPC result. We don't have enough samples, either.
    I wish I could contact the virus author :p


    Well, we can contact LV authors again and see if they have a willingness to solve this problem (or whether it can be solved).
     
  11. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,147

    Can someone clarify?
    It seems from this that Shadow Defender is the only rollback program that does not allow the installation of drivers?
     
  12. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    SD hooks fsd / classpnp / atapi while others don't. Maybe that can be the answer.
    And it doesn't mean SD prevented driver installation; the risk still exists.
    We can safely assume SD just prevented that kind of virus. Maybe other malware can bypass SD.

    Anyway, Sandboxie is safer because it doesn't allow driver installation, obviously.
     
  13. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    That's only a guess. We need a technical explanation of why SD is able to stop this malware in its tracks.

    Sadly, SD's author is MIA.
     
  14. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    And that makes me so sad. We need him.
     
  15. Leach

    Leach Registered Member

    Joined:
    May 5, 2010
    Posts:
    84
    Not sure if this is the case, on a Win7 real system it behaves the same way.
    You are right. I made a test against SD in a real environment yesterday to clarify differences in test results, here's why I'm not sure if your first guess is correct.

    And thus we have a question. On one hand, SD prevented infection somehow on original XP, but we couldn't test the restore functions. On the other, if the system is really infected, SD behaves no better than the rest of the tested software.
     
    Last edited: Jul 3, 2010
  16. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    Somehow the system is not infected before rebooting.

    We don't know how SD prevents the infection. I don't think it's a specific protection against the malware we use for testing. I think that because the TDSS sample we use was released after the release of the SD version we are using, if I'm not wrong.

    We also don't know if malware able to bypass that protection would survive after rebooting.

    It's very sad that SD's author is not available to give support. :(
     
  17. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,147
    But isn't it just a matter of testing to see if we can load drivers with SD?

    If SD does allow drivers to load and is able to block the malware, then one would think that all the other rollbacks would be able to do the same.
     
  18. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    That was a good idea.

    I did the following test:

    Installed SD and entered shadow mode.

    Installed Sandboxie (which installs a driver).

    Sandboxie works fine. Applications can be sandboxed normally.

    So SD does allow drivers to load, but it has some kind of mechanism to block the malware.

    This is really interesting. How does SD know when to block a malware and when to allow a legit software? o_O
     
  19. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,147
    Yea, I just tested Sandboxie with SD and it does allow drivers.

    Maybe SD has just blocked these specific virus samples from loading a driver?
     
  20. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    560
    As I said, if I'm not wrong, the TDSS variant we are using for testing was released after SD .325 was released. If that's the case, it would not be possible to have a specific detection for that sample. It could be possible that SD has a generic routine to detect TDSS variants.

    I would be surprised, because many antiviruses, like Kaspersky, don't have it. If you read the first post you will see that KAV misses the sample we are using. It's true that other AV vendors detect it generically.

    We need the help of someone who knows the product in depth, or the author, to clarify what's going on.
     
  21. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK
    If you are willing to consider Comodo Firewall, D+ can be configured to function only as an AE with very few alerts by disabling the Sandbox, leaving Image Execution Control enabled, and unchecking all of the Monitoring settings.

    If Sandboxie is configured to apply Start/Run and Internet Access restrictions then, for sandboxed applications, Sandboxie provides sufficient protection on its own. If running Sandboxie on a 64-bit platform, the Drop Rights restriction should also be enabled. SD is still useful though for system-wide protection.
     
  22. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Wow! is Shadow Defender FREE? o_O
     
  23. pidbo

    pidbo Registered Member

    Joined:
    Dec 25, 2006
    Posts:
    198
    And Shadow Defender 1.1.0.326 exists:

    http://www.shadowdefender.com/download/SD1.1.0.326_Setup.exe
    http://www.shadowdefender.com/download/SD1.1.0.326_Setup(x64).exe


     
  24. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,294
    Nope, one of the best programs a person can use though IMO :thumb:

    Glad I have it :D
     
  25. pegr

    pegr Registered Member

    Joined:
    Apr 8, 2008
    Posts:
    2,281
    Location:
    UK