ssj100 Security Forums
Would you like to react to this message? Create an account in a few clicks or log in to continue.

Light virtualization software / Partial sandbox test

4 posters

Go down

Do you want to use shadow defender? do you think it's realible enough?

Light virtualization software / Partial sandbox test Vote_lcap33%Light virtualization software / Partial sandbox test Vote_rcap 33% 
[ 1 ]
Light virtualization software / Partial sandbox test Vote_lcap67%Light virtualization software / Partial sandbox test Vote_rcap 67% 
[ 2 ]
 
Total Votes : 3
 
 
Poll closed

Light virtualization software / Partial sandbox test Empty Light virtualization software / Partial sandbox test

Post by dax123 5/7/2010, 09:50

(I'll keep modifing this thread to inform)
Test index
  1. Light virtualization software test
  2. Partial sandbox software test
  3. Verdict
  4. Vendors' response
  5. Appendix


1. Light virtualization software test
Test environment: Microsoft Virtual PC 2007, Windows XP SP3, no critical updates.
Picture version of test results can be found here
=========================================================
NameVersion SafeSysTDSS-1TDSS-2 SysAnti(!)
Comodo Time Machine 2.82.8.155286.178FAILFAIL- FAIL
Comodo Time Machine 2.7 beta2.7.150952.175FAILFAIL- -
Comodo Time Machine 2.62.6.138262.166FAIL FAIL- -
Shadow Defender1.1.0.325PASSPASSPASSPASS
Shadow Defender1.1.0.326PASSPASS*PASS*-
Windows Steadystate 2.55.1.2600.4364FAILFAIL- -
Wondershare Time Freeze 2.02.0.674FAILFAIL- -
Windershare Time Freeze 1.01.0.587FAILFAIL- -
Returnil Virtual System 2010**3.1.8774.5254FAILFAIL- -
Rollback Rx Professional9.1.0.0FAILFAIL- -
EAZ_FIX 9.1.0.0FAILFAIL- -
HD Guard 8.08.0.0.6FAILFAIL- -
HD Guard 8.1 beta8.1.0.1FAILFAIL- -
Deep Freeze7.0.20.3172FAILFAIL- -
PowerShadow2.2.2.21FAILFAIL- -
FarStone Snapshot™️ 7***7.03.1FAILPASSPASSFAIL
ComBack IR Pro5.0FAILFAIL- -
HDD Sheriff****5.73.0.0 -- - -
=========================================================

* : Checked to my production machine. several samples tested but 1.1.0.325 successfully protected my system.
nonetheless you might want to see the result described here
** : Returnil provides additional AE layer. when I test it with AV enabled, Most of my samples were stopped by AV. but my TDSS-1 sample evaded detection and the system's still contaminated.
*** : I'm figuring out why this result was produced. see here
**** : It's a hardware solution. however driver version is shown above.
since I don't have the PCI chip now, it takes time. please be patient.


2. Partial sanfbox software test
Test environment:
=========================================================
NameVersion SafeSys TDSS-1TDSS-2
Comodo Sandbox*4.1.150349.920 - --
Sandboxie 3.463.46 -- -
Avast! Sandbox- -- -
Bufferzone free -- - -
GesWall - -- -
AppGuard - -- -
Sandbox RX - -- -
DefenseWall - -- -
=========================================================
(* : Defense+ is set to off )


3. Verdict
The result is frustrating. it doesn't make your system bullet-proof.
but shadow defender shows good results.
And, FarStone Snapshot™️ 7 protected some of those malware. it's strange though.
I think we would rather use a disk imaging utility for security's sake Sad


4. Vendors' response
From COMODO (Time Machine):

Hi guys.
Thanks for your good work.
Please relax. This is not big deal. We can detect/defend such as rootkit simply.
We will add the feature for CTM on next version.

Thanks,
Doskey.

Hi dax123, thank you very much for your feedbacks, we will fix this issue in future.

Regards

From Faronics (Deep Freeze):

Faronics is aware of the report that a worm called "W32.SafeSys.Worm" is able to
"bypass" Deep Freeze and other competing products. We are continuing to
investigate the issue to determine a possible resolution to the vulnerability.

As always, we continue to recommend that customers use an antivirus product in
combination with Deep Freeze. Please refer to the White Papers section of the
Faronics Content Library for information regarding how to use Deep Freeze with
many popular antivirus products.

Regards,

Adam Zilliax
Technical Support
Faronics Technologies Inc.
my response :
Light virtualization software / Partial sandbox test Faronics-1
you're lying, see here and here
and it's not a "bypass", but a bypass, definitely. please don't try to deceive by a transparent guile  :-\

From Wondershare (Time Freeze):
Thank you for the kind feedback. This is Sara from Wondershare Support Team. Nice to contact you.

Wondershare Time Freeze as a system restore software, but does not a anti-virus software. So it could not instead of anti-virus software. So we advise you use Wondershare Time Freeze with anti-virus software together, it will be better for protect your computer.

Since far as we know, most similar coud not defense all the rootkits. We are aware of this problem, and we are working hard to improve our program in future version.

Thank you again.

If you have any further question or suggestion, please contact us freely.

Best regards

Sara
Support Team
__________________________________
Wondershare Software
my response: it's okay, it certainly have a function that prevents a system from unwanted changes. But if you are not going to fix this issue, then you are not going to advertise your product like this.
Light virtualization software / Partial sandbox test Wondershare
PS. Microsoft advertises Windows steadystate a shared computer protection, not a 'virus-free'

From Horizon Datasys (Rollback Rx, EAZ-FIX):
We are aware of this virus. It’s a virus programmed by a former developer of Rollback type instantly recovery software. We don’t believe he/she is a former developer of Rollback Rx but he has to be someone who has insight knowledge of how instant recovery disk filter driver works.

This type of virus is very popular in Chinese market, in Internet cafes. Our software for Chinese market has a patch for dealing with this type of virus. But we have not implemented the patch in our general release outside of China.
Because the patch is not a one fix fits all type of solution, today’s patch is only good for yesterday’s version of the virus which changes very frequently. We didn’t want our Rollback users in North American markets to update Rollback every week because there is a new patch for the virus, as the virus is rare outside of Chinese market.

The virus is actually quite simple. It writes to the hard disk directly bypassing Rollback device drivers (or any other disk filter drivers) and write things to the hard disk.  And because it writes to the hard disk directly, what it does to the hard disk is outside of Rollback snapshots jurisdiction. It’s really a suicidal virus, it just  “shoots without asking any questions”. A logical software cannot deal with this type of problem. But it’s pretty easy to stop this virus, you just need to configure your antivirus software to prevent installing and loading of device drivers without your consent. (The virus does the direct disk write through a device driver).

Our proposed solution to this problem for customers outside of Chinese market is that we will develop a separate patch, outside of Rollback Rx, that will specifically deal with this type of virus. Basically we patch Windows O.S. to ban any direct write to the hard disk. The patch is still under development and we will provide it to customers as it’s needed. We won’t make it a wide open download because we don’t want to make the impression that we are in the business of patching systems.

From Microsoft(Windows Steadystate):
Thank you for your patience on this. After some investigation this is not something that we consider to be a security vulnerability.

Windows SteadyState 2.5 is intended to assist in providing a consistent environment on shared computers and reducing the potential for unintended alteration to the system. That being said, it definitely does not take the place of having a firewall and other appropriate anti-malware and security products installed.

From the SteadyState 2.5 Technical FAQ:
Q. Do I still need an antivirus program?
A. Yes, we recommend that you use antivirus and spyware prevention programs in addition to the protections provided by Windows SteadyState.

Additionally, SteadyState 2.5 only protects the partition that windows is installed on and Windows Disk Protection, which is the part of SteadyState that controls disk alteration does not load prior to certain files such as the master boot record which the samples provided appear to do.

Best Regards,
Nate



5. Appendix
you can also see the related articles on wilders security and prevx
Virtualization/Rollback software test
TDL/TDSS trojan series bypassing isolation software
Deep Freeze 7 bypassed
A puzzle called SafeSys
Kernelmode.info - RootKit TDL3

Any suggestions, sample giveaways (I need a stronger sample), critics are welcome ;D


Last edited by dax123 on 28/7/2010, 06:22; edited 6 times in total

dax123
New Member
New Member

Posts : 8
Join date : 2010-07-05

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by ssj100 5/7/2010, 11:33

Hi dax123, welcome to the forum! Great first post haha. Keep up the good work.

By the way, did you ever work out why the samples never seem to work in VirtualBox?
ssj100
ssj100
Administrator
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by dax123 5/7/2010, 12:13

ssj100 wrote:Hi dax123, welcome to the forum! Great first post haha. Keep up the good work.

By the way, did you ever work out why the samples never seem to work in VirtualBox?

Only SafeSys worm does not seem to work in VBox. some TDSS samples work.
and TDSS tries to infect the guest addition if detected. I think it's VM/Sandbox-aware, Vbox aware at least.

and i started multitasking so test result will be updated faster.

dax123
New Member
New Member

Posts : 8
Join date : 2010-07-05

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by ssj100 5/7/2010, 12:20

Could you PM me the specific samples (or tell me which ones specifically) work in VirtualBox? I think I've tried many (including the ones you sent me), and all that appeared to happen was the VM crashes and spontaneously restarts. For some samples, like "034_crypted.exe", it executes just fine, but it doesn't appear to drop a detectable rootkit. All that happens is on restart, my system is frozen and a web-site appears to have started with some forms to fill. And since the system is frozen, I can't run TDSSKiller to check for rootkits.

Every other time I run TDSSKiller, nothing ever comes up. It's really frustrating haha. Which version of VirtualBox have you tried?
ssj100
ssj100
Administrator
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by dax123 5/7/2010, 12:40

ssj100 wrote:Could you PM me the specific samples (or tell me which ones specifically) work in VirtualBox? I think I've tried many (including the ones you sent me), and all that appeared to happen was the VM crashes and spontaneously restarts. For some samples, like "034_crypted.exe", it executes just fine, but it doesn't appear to drop a detectable rootkit. All that happens is on restart, my system is frozen and a web-site appears to have started with some forms to fill. And since the system is frozen, I can't run TDSSKiller to check for rootkits.

Every other time I run TDSSKiller, nothing ever comes up. It's really frustrating haha. Which version of VirtualBox have you tried?
I PMed you. and i use vbox latest version installed. though i test it with VPC as some of TDSS seems to be aware of VBox.

dax123
New Member
New Member

Posts : 8
Join date : 2010-07-05

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by ssj100 5/7/2010, 12:58

Thanks, can you tell me exactly what happens after you execute dogma.exe? I've just run it in my VM and it spontaneously restarted again (?crashed). Running the TDSSKiller tool reveals no infection. I think this has something to do with my Windows XP version and associated drivers - perhaps the rootkits can't target it?
ssj100
ssj100
Administrator
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by dax123 5/7/2010, 21:18

ssj100 wrote:Thanks, can you tell me exactly what happens after you execute dogma.exe? I've just run it in my VM and it spontaneously restarted again (?crashed). Running the TDSSKiller tool reveals no infection. I think this has something to do with my Windows XP version and associated drivers - perhaps the rootkits can't target it?
Try turning on "IO APIC enabled". see this page.
or maybe the guest addition makes it to work. Very Happy
( I asked Leach and he said he executed the "dogma.exe" that I've sent to you, so i suggested it )

dax123
New Member
New Member

Posts : 8
Join date : 2010-07-05

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by Ruhe 5/7/2010, 22:28

Thanks for organizing this test and sharing your results.
Ruhe
Ruhe
Valued Member
Valued Member

Posts : 261
Join date : 2010-04-16
Location : Germany

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by dax123 5/7/2010, 22:43

Ruhe wrote:Thanks for organizing this test and sharing your results.
Pleasure Very Happy
anyway ubuntu is a very cool OS, I'm using it too Laughing Laughing

dax123
New Member
New Member

Posts : 8
Join date : 2010-07-05

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by ssj100 6/7/2010, 15:20

dax123 wrote:
ssj100 wrote:Thanks, can you tell me exactly what happens after you execute dogma.exe? I've just run it in my VM and it spontaneously restarted again (?crashed). Running the TDSSKiller tool reveals no infection. I think this has something to do with my Windows XP version and associated drivers - perhaps the rootkits can't target it?
Try turning on "IO APIC enabled". see this page.
or maybe the guest addition makes it to work. Very Happy
( I asked Leach and he said he executed the "dogma.exe" that I've sent to you, so i suggested it )

Tried it, and it made no difference. TDSSKiller comes up clean after the system spontaneously crashes and reboots. I think I'm bored of these rootkits that can't infect anything haha. Thanks anyway.
ssj100
ssj100
Administrator
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by ssj100 12/7/2010, 10:51

Hi dax123, if you get a chance, can you test Clean Slate? Read about it here:
https://ssj100.forumotion.com/other-f6/has-anyone-tried-clean-slate-t144.htm#879
ssj100
ssj100
Administrator
Administrator

Posts : 1390
Join date : 2010-04-14

https://ssj100.forumotion.com

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by dax123 12/7/2010, 14:45

ssj100 wrote:Hi dax123, if you get a chance, can you test Clean Slate? Read about it here:
https://ssj100.forumotion.com/other-f6/has-anyone-tried-clean-slate-t144.htm#879

I'll check these viruses and cleanstate will include it to the test
Since I moved to win7ows pro (Very Happy), I've got to change my testing environment

dax123
New Member
New Member

Posts : 8
Join date : 2010-07-05

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by Buster_BSA 22/7/2010, 01:27

dax123: didn´t you have the chance to try a hardware solution yet?

I hope tomorrow I can get someone to make a test for me with one of them. In theory hardware rollback software can not be bypassed but we will see.
Buster_BSA
Buster_BSA
Member
Member

Posts : 87
Join date : 2010-07-21

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by dax123 22/7/2010, 03:35

Buster_BSA wrote:dax123: didn´t you have the chance to try a hardware solution yet?

I hope tomorrow I can get someone to make a test for me with one of them. In theory hardware rollback software can not be bypassed but we will see.
I was a little bit lazy doing my job Very Happy I'll do the test when I have a access to them.
It's good for you to test a hardware solution Razz

dax123
New Member
New Member

Posts : 8
Join date : 2010-07-05

Back to top Go down

Light virtualization software / Partial sandbox test Empty Re: Light virtualization software / Partial sandbox test

Post by Sponsored content


Sponsored content


Back to top Go down

Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum