Interesting article about a malware known as SafeSys


Post by Ruhe on 27/6/2010, 17:05

...
When software tries to read or write a file on the disk, its request passes through a chain of drivers which handle it. Every time a driver has finished its work, it sends the request to the next lower driver, and so on until the request is satisfied and the software receives all the data it needed.
...
So, try to guess what would happen if malware is able to communicate directly with atapi.sys, sending commands directly to this driver without following the usual chain of drivers.
This is what the malware known as SafeSys is doing: it is indeed able to directly overwrite a system file so that at the next system restart, even if everything should theoretically have been deleted, the malware is still loaded and can do its dirty job.


Full article at Prevx blog


Now test your Shadow Defender, Returnil, Deep Freeze...and even Sandboxie?
Ruhe
Valued Member

Posts : 261
Join date : 2010-04-16
Location : Germany

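The quoted Prevx passage describes a storage stack in which every request walks down a chain of drivers, and a protection product that relies on a filter driver in that chain cannot see a request handed straight to the lowest driver. The toy model below is an added example, not code from the original post or from Prevx; it uses constructed driver classes, a constructed file name and an in-memory "disk", so nothing in it touches a real driver. It shows the normal path being denied by a write-blocking filter, the direct path landing on the disk unseen, and an offline integrity check (SHA-256 of the raw disk contents against a recorded baseline) that still catches the change, which is the defender's fallback when a filter can be bypassed.

```python
"""Toy model of a storage driver chain, constructed for this example.

Requests (IRPs) flow top-down: FileSystem -> ProtectFilter -> Disk.
The Disk class stands in for the bottom driver (atapi.sys in the
article); ProtectFilter stands in for a write-blocking filter such as
an instant-recovery product might install above it.
"""
import hashlib
from dataclasses import dataclass

SYSFILE = r"C:\Windows\System32\example.sys"  # constructed file name


@dataclass
class Irp:
    op: str            # "read" or "write"
    path: str
    data: bytes = b""


class Disk:
    """Bottom of the chain: stores raw bytes, enforces nothing."""
    def __init__(self):
        self.blocks = {}

    def dispatch(self, irp):
        if irp.op == "write":
            self.blocks[irp.path] = irp.data
            return "ok"
        return self.blocks.get(irp.path)


class ProtectFilter:
    """Filter driver that denies writes to protected paths, then passes
    everything else to the driver below it."""
    def __init__(self, lower, protected):
        self.lower = lower
        self.protected = set(protected)
        self.blocked = []

    def dispatch(self, irp):
        if irp.op == "write" and irp.path in self.protected:
            self.blocked.append(irp.path)
            return "denied"
        return self.lower.dispatch(irp)


class FileSystem:
    """Top of the chain: what ordinary software talks to."""
    def __init__(self, lower):
        self.lower = lower

    def write(self, path, data):
        return self.lower.dispatch(Irp("write", path, data))

    def read(self, path):
        return self.lower.dispatch(Irp("read", path))


def build_stack(protected):
    disk = Disk()
    return FileSystem(ProtectFilter(disk, protected)), disk


def baseline(disk):
    """Record SHA-256 of every file on the raw disk (known-good state)."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in disk.blocks.items()}


def verify(disk, known_good):
    """Return paths whose on-disk bytes no longer match the baseline."""
    return sorted(
        p for p, h in known_good.items()
        if hashlib.sha256(disk.blocks.get(p, b"")).hexdigest() != h
    )


def demo():
    fs, disk = build_stack([SYSFILE])
    disk.blocks[SYSFILE] = b"original driver image"  # pre-existing system file
    good = baseline(disk)

    # Normal path: the request walks the chain and the filter denies it.
    via_chain = fs.write(SYSFILE, b"tampered")
    # Direct path: handed to the bottom driver, the filter never sees it.
    direct = disk.dispatch(Irp("write", SYSFILE, b"tampered"))
    # The raw-disk integrity check still reports the modified file.
    return via_chain, direct, verify(disk, good), fs.read(SYSFILE)


if __name__ == "__main__":
    print(demo())
```

The model makes one design point explicit: a filter driver only protects what is routed through it, so a protection product that lives in the chain needs a second control that does not depend on the chain, such as an integrity baseline checked at boot or from a clean environment.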

Re: Interesting article about a malware known as SafeSys

Post by Guest on 27/6/2010, 18:31

Thanks Ruhe, this too

and on the same blog


Re: Interesting article about a malware known as SafeSys

Post by Ruhe on 27/6/2010, 20:24

Oops, didn't notice that the above article about SafeSys is from July 2009.

Re: Interesting article about a malware known as SafeSys

Post by Ruhe on 27/6/2010, 22:24

Deep Freeze 7 bypassed

Re: Interesting article about a malware known as SafeSys

Post by ssj100 on 28/6/2010, 04:19

Sounds like simply running as a limited user would eliminate this threat completely. Of course, Prevx etc. will never emphasise this, and no doubt forums like Wilders will be full of "install this and install that" and "why isn't Deep Freeze patching this and that".

I find the paranoia the Prevx article is trying to induce galling, and yet there is not a single mention of recommending running as a Limited/Restricted/Standard User as a completely free and extremely robust/strong layer of protection:

Even if you run protected by these kinds of security software, if you run software with admin privileges you are giving malware the key to ring0, the access to kernel mode. Now, in kernel mode, malware and security software are playing with exactly the same rules, same advantages and disadvantages.

...what I've said should be enough to let people understand that trusting only one security software doesn't really help you prevent infections.

What a great way of inducing people to purchase Prevx etc., haha. I hope no one on these forums fell for it. To conclude, what Prevx should have written was "trusting any security software doesn't really help you prevent infections if you don't have a good security approach":
http://ssj100.fullsubject.com/security-f7/discuss-security-setups-and-approaches-here-t6.htm#20

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14
http://ssj100.fullsubject.com

Shadow Defender is not bypassed by SafeSys

Post by Guest on 28/6/2010, 21:41

Shadow Defender is not bypassed by SafeSys


Re: Interesting article about a malware known as SafeSys

Post by ssj100 on 29/6/2010, 09:36

patrick wrote: Shadow Defender is not bypassed by SafeSys

Thanks patrick. On skimming that thread, it seems Deep Freeze is the only program that is still bypassed? It goes to show how having a healthy forum (e.g. Sandboxie) with fanatic followers (haha!) helps keep the program resistant to all known malware out there.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)