Worm Allegedly Bypasses System Rollback Software

effective technique would be to use fresh image of your clone hard disk, which you store on dvd/usb, use new fresh image every couple of weeks.
i never relied on av, it takes anything from 24 hours to month for new malware to be added to your av database, soon as the malware signature's added to the database they updates it self, they can sit on your pc forever without being detected, i would say dont rely on your av, and dont try to clean malware infection, just use a fresh harddisk image

 

Are there many keylogger exploits out there? I search around from time to time, and the only one I've seen is the recent Microsoft DirectShow vulnerability:

This was easily blocked by both Anti-Executable and Software Restriction Policies:

​

----
rich

 

Most keyloggers use non-exploit techniques to log keystrokes by using legitimate Windows functions.

 

Please give an example.

thanks,

rich

 

For example: http://www.snapfiles.com/get/antikeyloggertester.html (and many others like "Through the eyes of a keylogger" which is currently a dead link from what I can see)

 

Well, that is just a test file to test the effectiveness of anti-keyloggers:

A more pertinent question, it seems to me, is: Does your security software prevent in the wild exploits from installing keyloggers?


----
rich

 

It also will show that it is possible to log keystrokes in a limited user account, not necessarily just designed for seeing if an antikeylogger protects the keystrokes.

All of the techniques it uses are various techniques which can be used by real-world keyloggers (delivered by exploits/other means) to log keystrokes in just a limited user account.

It is unnecessary to block the keylogger/exploit itself if you can block the damage (keylogging) which it does.

 

I understand. Thanks,

rich

 

For some users with the appropriate level of experience, this can be a valid alternative and allows for a more efficient working environment. In this however, notice that I said experience. The actual population of people that can do this and keep their systems clean consistently is small. This is why a layered strategy that seeks to compliment, rather than pile on is ever more essential as systems and malware evolve over time.

I will be the first to say that ISR is not a silver bullet in and of itself; just as is true for any stand-alone scanner, HIPS, sandbox, VM, or what have you. All have weaknesses that must be accounted for in your overall strategy. You still need a means to detect the presence of malware and to be able to remove that malware from both the real and virtual environments as quickly as possible.

Malware detection, as you have emphasized, is far from perfect and can't be relied upon most of the time no matter how effective the research and development teams are. Security companies must do their best to try to provide protection against all possible attack vectors regardless of the fact that some may not be known or even understood completely at the time of discovery. That discovery however always comes AFTER a new malware has entered the wild. Further, the more aggressive your detection attempts, the more likely it is that you will get a false positive that could end up being more dangerous than the potential malware infection when removed.

But when you use ISR with a select lineup in a strategy where each component part of the strategy covers the weakness in the other components, you have a more effective and efficient defense over time. This is exactly what we are trying to prove in RVS 3.

Mike

 

While keyloggers tend to use legit Windows functions to do the keylogging itself, like PrevxHelp already said, there are basically two ways in which they are actually installed on - or if you prefer, how they infect - a system. Number 1 is a user intentionally installs one: maybe to spy on the wife, or to try to steal passwords from other people that use a public computer, and similar goals - but this requires physical, local access. This is not something that most people should be worried about on their home computers - or they've got bigger problems than just that keylogger. Number 2 is the more traditional way: a malicious keylogger infects a system whose owner and users don't want it there, by way of social engineering or by using some exploit to install 'silently' like any drive-by malware infection or network worm and so on. So, number 2 is the problem, and there the usual methods work to protect against keyloggers.

Quite a lot of malware has some keylogging features these days, for obvious reasons. The problem for the keylogging malware is really twofold: how to get into the system, and how to get the data out. The latter has to be achieved before detection and removal. A keylogger in a limited user account can be handled much like any malware infection: one of the first things to do when there's any doubt at all is to check what has changed. To be able to survive reboots is something keyloggers will nearly always want to do, and to achieve that you need files on the drive and a method of autostarting. The latter, for example, is extremely easy to detect in any real case I have ever seen ITW. Log out of the infected account, log in as admin, discover that one user account has an autostart no other accounts have, and it points to a file that isn't quite right. Time to nuke. Sure, all kinds of sophisticated trickery could be performed by the keylogger. But in real life, almost invariably isn't.

Still, rather than detection and removal, prevention would be ideal. And let's face it, preventing limited users from getting keyloggers isn't too hard. The usual execution prevention stuff like SRP can do wonders there. It can't keylog if it can't install. This is when people say: but the users are so stupid they want to install unknown and untrusted code and can't live with not being able to do so. Sometimes that's perfectly correct. Now someone says that these people need signature-based anti-malware to protect them. Well, I'll say that such products can help. But I'll say more: anyone who is stupid enough to just go ahead and run untrusted code is quite often stupid enough to disregard any warning from an antivirus, too, and that pretty much leaves the AV almost as useless as the execution prevention that was not acceptable to the user.

The point here is that making it hard to get a keylogger without significant user interaction and user screwup is pretty easy. The problem is that users aren't always very careful or very smart. And that's a problem that is not solved by traditional anti-malwares, even though they try and do help some. The detections are always late, and the false positives erode user confidence like the boy who cried wolf. I guess the point, again, ends up being that we need better (=more educated) users.

I really like PrevxHelp's idea to prevent software running in limited user accounts from accessing the troublesome APIs keyloggers typically use. Every little bit does count...

 

I guess it comes back to the Importance of having a HIPS denying ALL unknown executables and rootkits from running and installing, and denying everything from having access to physical disk. I use DF mainly to prevent the build up of clutter to keep my OS at a "Fresh Install" status, and as second security layer.

EDIT by the way how does this worm get on peoples computers in the first place?

 

thats what i would like to know too.

and just to be clear, DefenceWall blocks this particular worm from getting kernel level access?!

 

Yes, it does

 

Yes, sure.

 

Thanks for the reply EraserHW and Ilya Rabinovich!
A LOT of people are going to be looking very closely and with great interest towards software like GeSWall and DefenseWall, because the news is spreadig like wildfire that worms like SafeSys and other rootkits CAN indeed successfully bypass Deep Freeze, Returnil perhaps even Sandboxie and others, but where Deep Freeze and Returnil have failed,
the 2 HIPS programs mentioned have defeated what has been thrown at them!
This i think is a huge deal, as it shows how robust GeSwall and DefenseWall really are.
I have gone thru the videos on youtube of both those HIPS programs successfully keeping the system clean, and they are very impressive.

I have a question though.
Will say DefenseWall protect me against a autorun.inf virus that executes via a removable usb flashdrive?

 

thanks Pete, so without VMware and in admin mode in Xp SP2 Pro, this worm dosent bypass Sandboxie?

 

Can worm bypass DefenseWall if at some point owner disables protection and exits program without deleting file and registry tracks first? That is SafeSys is initially trapped by DW, but owner exits program without dumping trapped items first.

 

From the consequences if flash drivers are untrusted- yes.

 

with regards to weather or not sandboxie will protect you from this worm all depends on how this worm gets onto your computer in the first place.

correct me if I am wrong but one way worms get in is by vulnerable open ports?
like that the sasser worm for example.

Now Sandboxie does not have system wide protection does it. so therefore you would get no protection from sandboxie.

you would be protected with defense wall because my understanding is that basically how defense wall works is that it catches all new running processes system wide and automatically makes them untrusted.

 

no, it's not like this.

 

nothing 100%. It, and as a matter of fact, most other have been bypassed at times in the past and then got the holes plugged.

 

When killdisk was tried first time, it bypassed sandboxie and defencewall, though it was long ago.

 

un-trusted application are pre-defined, there is i list by default and you can add more.

 

yes, geswall blocked that though it was bypassed by some other POCs. Point is that nothing is 100%.