Worm Allegedly Bypasses System Rollback Software

Discussion in 'malware problems & news' started by wembleyy, Jul 14, 2009.

Thread Status:
Not open for further replies.
  1. wembleyy

    wembleyy Registered Member

    Joined:
    Apr 21, 2009
    Posts:
    47
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I got a so called sample of it but who will give it a shot?
     
  4. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    @aigle

    I read a thread about this worm over at the RollbackRX forums. It seems that RollbackRX can stop this worm BUT.............if you attempt to run the worm on a system protected by RollbackRX you get a BSoD and the system crashes. On reboot nothing on your PC is harmed though.

    PS it should be worth noting that the person who ran the above test on the Rollback forums was a regular user so I can't confirm if nothing really was altered on his system by the worm.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes, same thread i read as well.
     
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Tested in a vm. The malware has some stealth, startup items, calls some data from a remote web server and disabled autoruns from Sysinternals. Could not replicate what was reported the malware did to DeepFreeze, on reboot everything was gone.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You're absolutely right! People can't depend just on rollback software. Accidents do happen. Rollback software is just one of the security measures people should implement, but that's it. Not relying solely on it.

    Because, as you said, people need to bet on prevention, and rollback software isn't prevention, rather a go back in time, after damage has been done.
     
  8. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Whether it really affects DeepFreeze or any other virtualizer, usually any good AVs will eventually spot the nasty. Another case proving that no single application can be really trusted to protect your system on its own.
     
  9. wembleyy

    wembleyy Registered Member

    Joined:
    Apr 21, 2009
    Posts:
    47
    we cannot entirely depend on single security measure, we need to have multiple security app, and store the data externally
     
  10. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    No biggie, after all I have have kill disk trojans which bypass Returnil and FDISR RollbackRX.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    How are your kill disk trojans able to bypass returnil? Just curious about how they work?
     
  12. ypestis

    ypestis Guest

    Yeah,I would like to know about them rascals myself.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    There's been a lot of thrash in this thread, but has anyone seen any real evidence this thing does anything.

    I tested it an I'd conclude Faronic's is right. I ran it without any rollback anything, and it did a few minor things, but no damage I saw. No Direct Disk access at all. On reboot it did another couple of minor things, But if I hadn't been watching I'd have never known.

    Certainly did see anything that would affected the Returnil's Shadowdefenders, Deepfreezes, etc.

    I think we are discussing ghosts.

    Pete
     
  14. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    No, only...
    My DeepFreeze was unaffected. All hidden items were gone after a reboot, although I'd like to do a further test outside a vm.

    One of the tools it also disabled was the antirootkit IceSword.

    before and after, the after shot has an earlier time as that was the current snap shot, stealth files were gone.
     

    Attached Files:

    Last edited: Jul 17, 2009
  15. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  17. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
  18. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    Yea I dunno why they are making false claims about Deep Freeze. Deep Freeze Is very STRONG I also doubt it would bypass Faronics AntiExecutable.

    The kill Disk Trojan which bypasses returnil is from this thread https://www.wilderssecurity.com/showthread.php?t=243496&highlight=killdisk
    Returnil failed on 1. but I dunno if returnil has made a patch yet. its a nasty trojan only 7 out of 40 AV's detect it.

    and with W32.SafeSys.Worm there seems to be now quite a few malware bypassing returnil.

    Masterton was also saying in this thread
    https://www.wilderssecurity.com/showthread.php?t=242115&page=6
    I also witnessed Returnil being bypassed by a few KillDisk / Klone malware in other tests.

    So yea looks like returnil needs to have some improvements

    And It has been known for some time that kill disk trojans bypass FDISR
    https://www.wilderssecurity.com/showthread.php?t=148280&highlight=killdisk
     
    Last edited: Jul 17, 2009
  19. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Simply running as a limited user should prevent such attacks. They tend to rely on installing drivers to write directly into the disc, bypassing system rollback programs in the process - but limited user accounts do not have the SeLoadDriverPrivilege. So, yet another case of pointless, easy to prevent attacks scaring people.

    As for AVs, they might detect it, or might not. Any reasonable malware user would of course make sure the AVs don't detect it before spreading his crapware. It's easy to obfuscate an old malware to the point where AVs no longer detect it. So don't rely on AVs to catch anything. They might get lucky and detect the beast, or they might not even beep if the malware author has done his job right.

    I see no reason why it would bypass Faronics AntiExecutable. Typically the installers for these things are exes, and AntiExecutable certainly catches those.
     
  20. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    I have tested the malware with Deep Freze and Sandboxie also.
    Result:
    Deep Freez bypassed

    Sandboxie not bypassed
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, can u test some others if possible, like

    GesWall, CFP, TF etc

    Thanks
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Thank you for testing. Great to see that Sandboxie is not bypassed.

    I hope this is not asking too much, but would you be willing, if you can, to test Microsoft Windows SteadyState?


    Thank you
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    Any of the disk killers would bypass FDISR. It's not designed to stop them, as it neither looks at files for content or intent, no does anything to prevent writes. It simply copies, and has code installed in the partition table.

    So testing against FDISR is pointless
     
  24. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi arran,
    RVS passed all the tests on the retest following that report. See the updated information on their site and the followup...

    Mike
     
  25. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    Policy sandbox and HIPS can easly defeat this malware, because they limit privileges, process communication, hooking, injection, accesses, etc.
    This typology of threats (dog trojan) has the main objective to bypass instant recovery system technology that are very popular in eastern countries.

    SteadyState can be bypassed very easily with a simple hex editor with direct physical access, furthermore, it doesn't protect MBR.
    This test, performed by guest, highlights the lack of low level protection in Windows Steadystate (because it works only at file system level).
     
    Last edited: Jul 17, 2009
Loading...
Thread Status:
Not open for further replies.