Author Topic: does CTM protect against TDSS/TDL rootkits?  (Read 35994 times)

Offline Greg S

  • Comodo Family Member
  • ***
  • Posts: 89
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #30 on: July 02, 2010, 06:23:36 PM »
Sandboxie 3.442 (stable)
Sandboxie 3.445.24 (latest dev)
Comodo Sandbox
Avast! Sandbox
Bufferzone free
Geswall

Any suggestions are welcome.

Blue Ridge Networks AppGuard

Offline ssj100

  • Comodo's Hero
  • *****
  • Posts: 482
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #31 on: July 02, 2010, 06:33:24 PM »
Blue Ridge Networks AppGuard

Wouldn't that simply stop execution?  Just like SRP/AppLocker.

By the way, thanks for this thread.  Unfortunately, I can't even (appear to) infect my VM system:

Using VirtualBox 3.2.6. My testing configuration is as follows:

1. Host system: Windows XP Pro SP3, 32-bit (fully patched)
2. Guest system: Windows XP Pro SP3, 32-bit (last patched September 2009)

After running the rootkits (including the "dogma.exe" one) the Guest system appears to restart spontaneously (crash?). After waiting a couple of minutes, I run Kaspersky's anti-rootkit tool (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and nothing is found. I reboot the system and again wait a couple of minutes. Then I re-run the anti-rootkit tool and again nothing is found.

I've tested the above with at least 5 different TDL/TDSS rootkits and get the same result. After reading the web, it seems no one has used exactly the same configuration as me. Most people seem to be using VirtualPC to do their testing (instead of VirtualBox).

If someone could reproduce infection with the exact same setup as above, please do tell.  I've read somewhere that rootkits can behave differently on different systems with different drivers installed.  Maybe I don't have the right drivers to get infected?  Hilarious if you think about it though.  I'm (desperately haha) trying to get infected, but I can't.  How the heck do people actually get infected these days haha.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Offline Greg S

  • Comodo Family Member
  • ***
  • Posts: 89
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #32 on: July 02, 2010, 06:47:44 PM »
Wouldn't that simply stop execution?  Just like SRP/AppLocker.


Wouldn't the same be true then of GesWall? Granted it may begin its process, but couldn't it be killed/terminated? I do use SRP, so if it can't execute... BTW, where have you been? I haven't seen you at Wilders in a while now. I hope all is well.

Anyone here have a sluggish typing effect in this reply box? Also, if the reply box has enough text to warrant scrollbars, typing in it at the bottom jumps into and out of view. Big pain in the butt.

Offline ssj100

  • Comodo's Hero
  • *****
  • Posts: 482
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #33 on: July 02, 2010, 06:55:20 PM »
Wouldn't the same be true then of GesWall? Granted it may begin its process, but couldn't it be killed/terminated? I do use SRP, so if it can't execute... BTW, where have you been? I haven't seen you at Wilders in a while now. I hope all is well.

Anyone here have a sluggish typing effect in this reply box? Also, if the reply box has enough text to warrant scrollbars, typing in it at the bottom jumps into and out of view. Big pain in the butt.

Hey mate, I've always been around!  Just not at Wilders (check your PM for further information, as I've posted about it on this forum already).  Also, I've got my own forum now.

I'm not really sure exactly how GesWall works, but I doubt it would be bypassed.  Light system virtualisation on the other hand has always made me think twice, particularly with my (and many others') experiences with Shadow Defender:
http://ssj100.fullsubject.com/shadow-defender-f3/shadow-defender-bypassed-by-tdl-rootkits-t147.htm#896

I've been told by reliable Chinese (hacker haha) sources that Shadow Defender (and most other similar programs) are not that strong at preventing malware infection.  Apparently PowerShadow is/was the strongest, but I'm not sure if that's being developed anymore.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Offline dax123

  • Comodo Loves me
  • ****
  • Posts: 160
  • Big Clucker
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #34 on: July 03, 2010, 02:11:07 AM »
Can you submit your samples to www.virustotal.com and post which antivirus do detect it?
Thanks.

TrojWare.Win32.TrojanDropper.TDSS.~F(Comodo)
Safesys: Heur.Packed.Unknown(comodo)
Currently almost all AV vendors can detect those signatures. It's ancient ;D
Safesys submitted to Comodo for signature detection.

I have some more samples named TDSS. if you want, I'll check all those samples.

Can you test if Norman TDSS Cleaner could clean the infected machine?
http://www.norman.com/support/support_tools/77201/en-us
I'll check it.

Blue Ridge Networks AppGuard
Received  ;D

After running the rootkits (including the "dogma.exe" one) the Guest system appears to restart spontaneously (crash?).
It's the same as I had experienced; I think it's VBox-aware.
Try again with Virtual PC. VPC can be infected as M$ does ;D.
I'm reinstalling XP in my VPC and suffering ;D it simply drains my time!  >:-D

I've been told by reliable Chinese (hacker haha) sources that Shadow Defender (and most other similar programs) are not that strong at preventing malware infection.  Apparently PowerShadow is/was the strongest, but I'm not sure if that's being developed anymore.
But currently in my test shadow defender rules  :P0l
and PowerShadow is infected by SafeSys.
:)

Offline ssj100

  • Comodo's Hero
  • *****
  • Posts: 482
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #35 on: July 03, 2010, 02:36:16 AM »
TrojWare.Win32.TrojanDropper.TDSS.~F(Comodo)
Safesys: Heur.Packed.Unknown(comodo)
Currently almost all AV vendors can detect those signatures. It's ancient ;D
Safesys submitted to Comodo for signature detection.

I have some more samples named TDSS. if you want, I'll check all those samples.
I'll check it.
Received  ;D
It's the same as I had experienced; I think it's VBox-aware.
Try again with Virtual PC. VPC can be infected as M$ does ;D.
I'm reinstalling XP in my VPC and suffering ;D it simply drains my time!  >:-D
But currently in my test shadow defender rules  :P0l
and PowerShadow is infected by SafeSys.

Thanks mate.  I think I'll leave testing for you.  As for PowerShadow, as I said, I don't think it's being updated much anymore.  Therefore, it shouldn't be hard to bypass.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Offline dax123

  • Comodo Loves me
  • ****
  • Posts: 160
  • Big Clucker
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #36 on: July 03, 2010, 05:29:54 AM »
I get some fresh & stronger TDSS samples and will do the test again.
:)

Offline ssj100

  • Comodo's Hero
  • *****
  • Posts: 482
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #37 on: July 03, 2010, 07:21:50 AM »
I get some fresh & stronger TDSS samples and will do the test again.


Could you PM me the samples by any chance?  Thanks mate.
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Offline Tech

  • Usability Study Member
  • Comodo's Hero
  • *****
  • Posts: 3025
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #38 on: July 03, 2010, 08:28:07 AM »
I get some fresh & stronger TDSS samples and will do the test again.
Are they detected by www.virustotal.com ?
avast! team member
Save freeware snapshot technology of Comodo Time Machine. Vote!

Offline Greg S

  • Comodo Family Member
  • ***
  • Posts: 89
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #39 on: July 03, 2010, 12:07:27 PM »
Blue Ridge Networks AppGuard

Also try the latest Beta of SandboxRx
http://privateworkplace.com/sandboxrx.php

Offline taleblou

  • Comodo Loves me
  • ****
  • Posts: 104
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #40 on: July 03, 2010, 12:50:42 PM »
Hi:

The TDSS/TDL rootkit that originally infected my PC, even with CIS set to the highest setting: scanning with Comodo, a-squared, Malwarebytes and SuperAntiSpyware all did not detect it, Time Freeze failed, and it infected the atapi.sys driver (Hitman identified it as an atapi.sys rootkit). It was very new. Perhaps someone can test this particular rootkit against these security softwares? I think I may have gotten it through malwaredomainlist site link testing.

So I think the atapi rootkit is a badass one.

Offline Greg S

  • Comodo Family Member
  • ***
  • Posts: 89
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #41 on: July 03, 2010, 01:58:55 PM »
Hi:
The TDSS/TDL rootkit that originally infected my PC, even with CIS set to the highest setting: scanning with Comodo, a-squared, Malwarebytes and SuperAntiSpyware all did not detect it, Time Freeze failed, and it infected the atapi.sys driver (Hitman identified it as an atapi.sys rootkit). It was very new. Perhaps someone can test this particular rootkit against these security softwares? I think I may have gotten it through malwaredomainlist site link testing.

So I think the atapi rootkit is a badass one.
Sounds like you have already tested them with it. It's my understanding that Hitman Pro is the only one that can detect and clean these types.

Offline Tech

  • Usability Study Member
  • Comodo's Hero
  • *****
  • Posts: 3025
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #42 on: July 03, 2010, 02:03:34 PM »
So let's not lose the first (original) point of this thread: CTM protection and security. The ability to keep the snapshots clean.
avast! team member
Save freeware snapshot technology of Comodo Time Machine. Vote!

Offline Greg S

  • Comodo Family Member
  • ***
  • Posts: 89
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #43 on: July 03, 2010, 02:19:36 PM »
So let's not lose the first (original) point of this thread: CTM protection and security. The ability to keep the snapshots clean.
I think dax123 nullified that here. Maybe split this testing request into another topic


Sandboxie 3.442 (stable)
Sandboxie 3.445.24 (latest dev)
Comodo Sandbox
Avast! Sandbox
Bufferzone free
Geswall
AppGuard

Any suggestions are welcome.

Offline Tech

  • Usability Study Member
  • Comodo's Hero
  • *****
  • Posts: 3025
Re: does CTM protect against TDSS/TDL rootkits?
« Reply #44 on: July 03, 2010, 02:35:35 PM »
I think dax123 nullified that here.
Well... Hope not.

Maybe split this testing request into another topic
Maybe. Because this is why the programmers do not follow the threads and things get lost...
avast! team member
Save freeware snapshot technology of Comodo Time Machine. Vote!
