Virtualization/Rollback software test

Discussion in 'sandboxing & virtualization' started by Buster_BSA, Jul 1, 2010.

Thread Status:
Not open for further replies.
  1. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    I got a strange result. FarStone Snapshot™ 7 failed to recover from SafeSys infection, but TDSS results were clean. I properly checked the infection before rollback.
     
  2. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Added Custodius and SnapShot results.
     
  3. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Aran,
    This is not true as both lines of RVS contain driver blocking, just in different ways because of the antimalware component in the 3x line. In the Lite 2011 line the System Guard feature includes a "driver firewall" that will either simply block without any notice or will popup a prompt for action to temporarily allow an authorized user to allow/deny the content for troubleshooting. Be careful of what you allow however as this could be dangerous if you do not know exactly what you are allowing and why.

    Mike
     
  4. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    I'm testing Snapshot right now because I saw your results and I was surprised too.

    I will give my results in a while.
     
  5. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    How will this stop the TDSS variants? It doesn't install a driver (at least in the virtual PC) but modifies existing ones.

    Panagiotis
     
  6. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    dax123: My test confirms yours. With Snapshot 7.03.1 installed the TDSS variant will be inactive? / gone? after rebooting.

    The question is that when you launch dogma.exe and you verify with Kaspersky's tool, the infection is active. Then if you reboot (without restoring a previous snapshot) the infection is gone or inactive.

    So it's not a question of Snapshot being able to recover the system; it's TDSS that has a strange behaviour.
     
  7. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    I didn't use the Kaspersky tool to verify this. I used XueTr 0.34+.
    The atapi hook that TDSS created just disappears after the rollback, while testing with other LVs keeps the hook.
     
  8. Buster_BSA

    Buster_BSA Registered Member

    Joined:
    Nov 29, 2009
    Posts:
    748
    Don't do the rollback, simply reboot. You will see that the hook is gone even without the rollback.
     
  9. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    No, it doesn't disappear. Only rolling back the system inactivates/removes the hook.
    So it's not just a TDSS bug; it's something to do with Snapshot, even if it's a TDSS bug.


    And the Kaspersky tool was clean: it's not deactivated but removed.
    Recovering C: only or the entire drive, or rolling back to a 'system snapshot', gives the same result.


    PS: Did you wipe your system after the SafeSys infection? It seems that TDSS doesn't infect the system when SafeSys is installed.


    Snapshot™ 7 doesn't provide going forward; only rolling back to a previous state is supported.
    Thus snapshots taken after the snapshot to restore will be removed after a rollback.
    And it's different between the 'system snapshot' and a 'temporal snapshot'.
    After rolling back to a temporal snapshot (after the infection), my VPC started to reboot infinitely. (Can you understand? Worried about poor English.)

    FarStone Snapshot™ 7 refuses to install when the system memory is less than 512MB. Maybe it's something to do with this phenomenon.
    (My wild guess: it stores the temporal changes in the system memory (ramdisk method), so TDSS cannot infect in its way
    OR
    Snapshot™ 7 uses imaging technology to make a 'system snapshot', but that cannot explain why SafeSys can infect the system.)
     
    Last edited: Jul 5, 2010
  10. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    This may be oversimplifying, but wouldn't the "fixmbr" command work? Also, Acronis True Image has a restore MBR feature that might work as well to rid the infection.

    SourMilk out
     
  11. SourMilk

    SourMilk Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    630
    Location:
    Hawaii
    Sorry for posting twice, but I would like to know if these MBR infectors will infect Windows 7 x64 with PatchGuard or are they mainly 32-bit dangers.

    Thanks, SourMilk
     
  12. dax123

    dax123 Registered Member

    Joined:
    Jul 2, 2010
    Posts:
    58
    It doesn't infect the MBR. Otherwise XueTr would have informed me.
    Like this :D
     
  13. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi Panagiotis,
    True, my reply was directed at the reference to "drivers" in arran's post so was slightly OT - sorry for any confusion that might have introduced...

    The blocking would be valid however for an altered driver...

    Mike
     
  14. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,976
    Hi Mike,

    Thanks for the response.
    In this case it will not prevent altering already existing drivers.
    Unless you silently drop requests for direct disk access and direct memory access, it will be impossible to prevent such attacks.

    Panagiotis
     
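    The pattern pandlouk describes above (an existing driver altered in place rather than a new driver being loaded) is also why dax123's before-and-after check of the atapi hook matters: a rollback product's own report that the system was restored is not the same as evidence that the driver files match their pre-infection state. The following PowerShell script is an added example for this thread, not code from any poster or from any product mentioned here. It records a baseline of the SHA-256 hash and Authenticode status of every driver in System32\drivers and, run again later, lists what differs. The baseline file path and the parameter names are assumptions of the example.

```powershell
# Added example, not code from the thread or from any product discussed in it.
# Mode 'Baseline': record hash + Authenticode status of every *.sys driver.
# Mode 'Compare' : re-scan and list drivers that are new, removed, changed in
#                  content, or whose signature status changed since the baseline.
# Assumes Windows PowerShell 4 or later (Get-FileHash) and an elevated console.
# $BaselinePath is an assumed location chosen for this example.
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Baseline',
    [string]$BaselinePath = (Join-Path $env:USERPROFILE 'driver-baseline.csv')
)

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Get-DriverState {
    Get-ChildItem -Path $driverDir -Filter '*.sys' -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Size      = $_.Length
            # Status values include Valid, NotSigned and HashMismatch. Caveat:
            # on older Windows releases, inbox drivers such as atapi.sys are
            # catalog-signed and may report NotSigned here; the hash comparison
            # in Compare mode still catches a change to the file.
            Signature = $sig.Status.ToString()
        }
    }
}

switch ($Mode) {
    'Baseline' {
        Get-DriverState | Export-Csv -Path $BaselinePath -NoTypeInformation
        Write-Output "Baseline of $driverDir written to $BaselinePath"
    }
    'Compare' {
        $baseline = @{}
        Import-Csv -Path $BaselinePath | ForEach-Object { $baseline[$_.Name] = $_ }

        $current = @{}
        Get-DriverState | ForEach-Object { $current[$_.Name] = $_ }

        $names = (@($baseline.Keys) + @($current.Keys)) | Sort-Object -Unique
        $findings = foreach ($name in $names) {
            $old = $baseline[$name]
            $new = $current[$name]
            if (-not $old)                                 { $change = 'new file' }
            elseif (-not $new)                             { $change = 'removed' }
            elseif ($old.SHA256 -ne $new.SHA256)           { $change = 'content changed' }
            elseif ($old.Signature -ne $new.Signature)     { $change = 'signature status changed' }
            else                                           { continue }
            [pscustomobject]@{
                Name      = $name
                Change    = $change
                Signature = if ($new) { $new.Signature } else { '' }
            }
        }

        # A driver that is still present, still carries a signature, but now
        # reports HashMismatch is the "modified existing driver" case: its
        # bytes on disk no longer match what was signed.
        if ($findings) { $findings | Format-Table -AutoSize }
        else { Write-Output "No driver in $driverDir differs from the baseline." }
    }
}
```

    Take the baseline on the clean system, run the infection test, and run Compare both before and after the rollback; a rollback that really restored the disk leaves Compare with no findings. The script only sees files on disk: a hook that lives purely in kernel memory, like the atapi hook dax123 inspected with XueTr, does not change the driver file and needs a memory-level tool to observe.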
  15. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I was infected with safesys while trialing a RollbackRX clone.

    It reinfected my system rollbacks using Windows chkdsk.
    I thought that SafeSys was using chkdsk's bad sector recovery feature to restore itself.
    Maybe there was another feature of chkdsk I missed that would restore from some other area of the drive.

    No matter how far I rolled back it would reinfect the snapshot.
     
  17. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
  18. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Well, this was disappointing!
    Even Windows SteadyState failed :(
    I would have expected SteadyState to work.


    Anyone know if Sandboxie also fails?

    And yes, this info needs to be put in a sticky!

    PS: What are ISR and RVS?
     
    Last edited: Aug 28, 2010
  19. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    From a security standpoint Windows SteadyState is a joke. It simply doesn't possess the means to protect from low-level HDD editing. SteadyState also fails against the older killdisk viruses that have been out for a while now too. I recommend you get with the times and join in using Shadow Defender or Returnil like the majority of users here.

    No, SBIE is not bypassed at all, as it blocks sandboxed programs from loading drivers, hence closing down this whole fiasco. As a precaution enable SBIE drop rights, as TDL3 cannot install in LUA mode either. :) The whole point of an LV is to enable full flexibility of installing driver software while erasing everything. Unfortunately it's not going to be the case ever, since there is an intrinsic weakness in this class of software, where a low-level driver can take control of the disk controller and bypass the containing LV driver. This opens up the possibility of a new high-level cat-and-mouse game where new variants have to be accounted for by vendors who need to update the software accordingly.
     
  20. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    What is it called when I want the virtualising system to erase everything, including driver software?
    Hard virtualisation?

    Any other virtualising software that does not allow installing of driver software?
     
  21. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,325
    Location:
    US
    Yes, all lite VM programs should block that unless they are failing at what they were designed for. A simple reboot should dissolve everything. I have never used SteadyState so I cannot comment, but the very reason for the existence of any lite VM program is to kill EVERYTHING. If a particular program continues to fail in that respect, especially after knowing of a bug or weakness, then I would avoid that program like the plague. Please note, although you probably already know this, all programs, even the very best of them, will allow something through from time to time; it's how fast they fix the bug that separates the men from the boys! :cool:

    Acadia
     
  22. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Well, it depends on the program. For example, SRP enforcement cannot be bypassed as far as I know. And the failures pointed out in this thread are not due to a simple bug, but rather they indicate a critical limitation of the tools themselves.

    There are some programs that I expect to work most of the time - AV/AM etc. There are some I expect to work ALL of the time. SRP enforcement is one of them. LUA enforcement is another. I was hoping Virtualisation would be one of them, but apparently not.
     
  23. acuariano

    acuariano Registered Member

    Joined:
    Nov 4, 2005
    Posts:
    786
    How does DefenseWall work against these infections?
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    SD passed this test without the assistance of AE / AM, so the component technology (pure light virtualization) is capable of passing this test. I understand what you are saying though, from a strategic point of view, in that products are designed to work in unity as a whole. I also believe though that this shows a weakness in that particular component that needs to be improved. Any products mentioned in this thread may have already fixed or improved such flaws, taking into account I'm commenting on an old thread. I still hold firm though that this holds true no matter when such tests were performed.
     
    Last edited: Jan 23, 2011