Shadow Defender bypassed by TDL rootkits???

Page 3 of 3 Previous  1, 2, 3


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 6/7/2010, 17:17

Oh and by the way, you seem to imply that you are aware of a Shadow Defender bypass (since you said Shadow Defender is as prone to bypasses as Returnil). What I find interesting is that Shadow Defender hasn't been bypassed by these rootkits (some are quite new I think), and yet it was last updated several months ago.

Are you saying that without black-listing signature-based/heuristic mechanism updates, Shadow Defender would be easily bypassed by malware writers who know what they're doing? I can see no evidence of Shadow Defender having an anti-executable mechanism, and therefore according to your statements, Shadow Defender must be using some sort of black-listing signature-based /heuristic mechanism. But the question is how come it's still so effective despite the lack of updates?

You know what? It might be quicker if you could PM me a malware sample that can bypass Shadow Defender haha.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: Shadow Defender bypassed by TDL rootkits???

Post by Coldmoon on 6/7/2010, 17:40

ssj100 wrote:3. Yes I do understand what you're getting at - hence why I wrote "suite" in punctuation marks. Again, the similarity to my setup/approach is rather (I suppose) pleasing to me. I'm a big fan of default-deny. However, I have some further concerns/ramblings about your approach/philosophy below.

4. That wasn't really my point though. The point is that if a user wants to execute something on their REAL system, nothing can stop them (if they know the passwords etc). They can easily disable the Returnil system and execute the file. The same goes with LUA/SUA + SRP/AppLocker - if you know the admin password, you can execute anything with admin rights. Furthermore, the fact is that many users out there who do not have intelligent handling of newly introduced files (a good security approach) simply will ignore any security on one's system and endeavour to disable it etc. I guess what I'm saying is that there is simply no substitute for intelligent handling of newly introduced files and/or a good security approach/computer common sense/experience.

In 2010, the Virus Guard or a block from the AE (with appropriate message delivered) delivers a warning that the user will hopefully heed and at least be cautious. In Lite 2011 it is simply not allowed. I do however see your meaning here and think there is really nothing anyone can do if the authorized user is determined to do something that is against their best interests. The goal in that case is to try to make the user think a little before they force an action.

ssj100 wrote:5. This sounds interesting, but as I said, it sounds more like what Rollback Rx/EAZ-FIX, Comodo Time Machine or FD-ISR are trying to do, rather than what Drive SnapShot or Macrium Reflect do. Am I right?

No if you mean using a similar methodology to achieve the intended results. Yes if you mean providing some form of snapshot recovery as part of an overall security strategy. The question is whether security and not simple disaster recovery is the end goal of the vendors you mention. In my experience I would say their aim is more the latter than the former...

ssj100 wrote:6. That is exactly what I'm saying. The weakness of default-deny is that if the user knows the administrator password (or equivalent), and has a poor security approach, no amount of software (the security setup) will stop them from getting infected. Take this example:
1. User with poor security approach downloads a dodgy executable file from a dodgy source.
2. Returnil 10000 is enabled on the system which employs clever technology to default-deny etc.
3. User tries to execute the file. Nothing happens (or the executable doesn't seem to install) and he gets frustrated.
4. User disables the Returnil system (as he knows the password)
5. User executes the dodgy file and gets owned.

Again, if the user is determined to do something unwise, it may not be possible to save them from themselves. The key is to find a level of warning they will pay attention to: not too intrusive to be ignored by default but not too light to be ineffective...

ssj100 wrote:Again, the point is that (and I'm not saying you don't agree...I just feel it's important to repeat it because it's extremely important in my opinion) the security approach (eg. handling of newly introduced files) is arguably the most important aspect of computer security. My own approach is to generally handle dodgy files in a (sandboxed) full blown VM (particularly those that are executables) or to open them via a sandboxed explorer.exe.

The problem here is that sandboxing is not guaranteed to detect malicious content so the user may end up executing the malware regardless. In 2010 we see the detection or blocking of new content as being more important than worrying about scanning the hard drive or running processes as the system should already be clean before enabling the virtualization. This means that the real HDD should be clean and the threat is newly introduced content and the Virus Guard real-time protection is geared towards that specifically. While it can work as a traditional AV, it is most powerful when used in combo with the AE and virtualization.

As the focus of Lite 2011 is for use within public access and cafe scenarios, the goal is to simply block and not irritate the users with messages - just block and that is it.

ssj100 wrote:I mentioned in another post on these forums that I think the poor handling of newly introduced files is perhaps the second most common way of getting infected (after web-browser-based attacks). Examples include downloading an infected e-mail attachment on to your REAL system and running it on your REAL system. This is why I feel it's so important to (also) promote and spread the habit of a good security approach to the average user out there. The fact is that having a good security approach is free for life haha. It also makes the user think intelligently when handling newly introduced files.

Encouraging good habits is part of education but I can tell you from experience that a user will do what a user does when the user wants to and no amount of telling them will be likely to persuade them until/unless they experience the consequences of their unwise actions at least once. In our approach, they at least get that warning and then it is up to them to make that final decision. We can only hope that it will be the right one, but in case it isn't we provide warnings.

ssj100 wrote:I think for every person (on other forums) that says: Install this program or install that program and you're 99% covered, we should also have another person who describes the importance of a good security approach and/or intelligent handling of newly introduced files. Again, there is simply no substitute for good manual handling.

Again, the user may or may not even be competent to inspect a file or behavior so it is extremely important to at least try and block it before they jump off the cliff.

Mike


Re: Shadow Defender bypassed by TDL rootkits???

Post by Coldmoon on 6/7/2010, 17:55

ssj100 wrote:Are you saying that without black-listing signature-based/heuristic mechanism updates, Shadow Defender would be easily bypassed by malware writers who know what they're doing?

Not in those terms, but yes, there are dark communities that work on these things constantly and the posts by the QQ... member at Wilders made some good points back in 2008 regarding the goals of these communities and hackers.

The problem is that you do not have access to the most recent versions of these hacker tool based malware unless you have the ability to follow some of the more interesting Asian hacker forums. This is why we have a dedicated engineering and research team in China...

Mike


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 6/7/2010, 18:25

Coldmoon wrote:In 2010, the Virus Guard or a block from the AE (with appropriate message delivered) delivers a warning that the user will hopefully heed and at least be cautious. In Lite 2011 it is simply not allowed. I do however see your meaning here and think there is really nothing anyone can do if the authorized user is determined to do something that is against their best interests. The goal in that case is to try to make the user think a little before they force an action.
Coldmoon wrote:Again, if the user is determined to do something unwise, it may not be possible to save them from themselves. The key is to find a level of warning they will pay attention to: not too intrusive to be ignored by default but not too light to be ineffective...
Coldmoon wrote:The problem here is that sandboxing is not guaranteed to detect malicious content so the user may end up executing the malware regardless. In 2010 we see the detection or blocking of new content as being more important than worrying about scanning the hard drive or running processes as the system should already be clean before enabling the virtualization. This means that the real HDD should be clean and the threat is newly introduced content and the Virus Guard real-time protection is geared towards that specifically. While it can work as a traditional AV, it is most powerful when used in combo with the AE and virtualization.

As the focus of Lite 2011 is for use within public access and cafe scenarios, the goal is to simply block and not irritate the users with messages - just block and that is it.
Coldmoon wrote:Encouraging good habits is part of education but I can tell you from experience that a user will do what a user does when the user wants to and no amount of telling them will be likely to persuade them until/unless they experience the consequences of their unwise actions at least once. In our approach, they at least get that warning and then it is up to them to make that final decision. We can only hope that it will be the right one, but in case it isn't we provide warnings.

That is indeed the harsh reality - you simply cannot trust many people out there to handle newly introduced files intelligently. While I appreciate third party software companies' attempts to mitigate this, I have some ramblings here that pretty much sum up what I personally feel about the matter:
http://ssj100.fullsubject.com/security-f7/what-is-the-actual-risk-of-getting-infected-t54.htm#252

Also, the idea of executing or running dodgy files sandboxed or in a VM is not (just) to see if they are safe or not. In fact, I personally don't rely on this method at all to analyse if a file is safe or not - as we know, there are simply far too many virtualisation-aware malware out there. The idea of executing or running dodgy files sandboxed or in a VM is instead to view its contents safely (one-off) or to try out the program safely. Before even thinking about executing or opening the file on the REAL system, the user should scan it with preferably more than one black-listing scanner. For example, uploading the questionable file to VirusTotal would be one way, or even submitting the file to be analysed by antivirus experts etc.

Furthermore (please correct me if I'm wrong), Returnil's Virus Guard really only gives an opinion on newly introduced files - generally, it is just as likely to give a false positive or false negative as any other black-list scanner. Therefore, it can also miss a lot of genuine malware. Hence the reason why I recommend to get more than one opinion (eg. VirusTotal gives 40-41 opinions) before running/executing a dodgy file on one's REAL system.

Coldmoon wrote:No if you mean using a similar methodology to achieve the intended results. Yes if you mean that providing some form of snapshot recovery as part of an overall security strategy. The question is whether security and not simple disaster recovery is the end goal of the vendors you mention. In my experience I would say their aim is more the latter than the former...

Sorry, but I am confused by your answer there (I'm no security expert, so please bear with me if you can haha). Basically what I am trying to ask is if Returnil is going to provide an Image back-up and restore system. My understanding of an Image back-up is that everything on the partition/drive is backed up to the last byte, including the MBR. My understanding of an Image restore is that the partition/drive is effectively formatted and the backed-up Image completely replaces it. Is this what Returnil is going to provide?

Coldmoon wrote:Again, the user may or may not even be competent to inspect a file or behavior so it is extremely important to at least try and block it before they jump off the cliff.

That's exactly right (see the link above on my ramblings on what I think is the best way to protect a "wife's PC"!).


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 6/7/2010, 18:27

Coldmoon wrote:Not in those terms, but yes, there are dark communities that work on these things constantly and the posts by the QQ... member at Wilders made some good points back in 2008 regarding the goals of these communities and hackers.

The problem is that you do not have access to the most recent versions of these hacker tool based malware unless you have the ability to follow some of the more interesting Asian hacker forums. This is why we have a dedicated engineering and research team in China...

Mike

Yes, I know a few of them (who are capable of bypassing just about any security software out there)! Unfortunately, they don't always make their work public, so it's less "fun" for people like me who like to test out bypasses haha. I think you basically need to become a renowned hacker and join their ranks in order to see exactly what they get up to - sort of like an undercover cop!


Re: Shadow Defender bypassed by TDL rootkits???

Post by Coldmoon on 6/7/2010, 20:05

ssj100 wrote:Sorry, but I am confused by your answer there (I'm no security expert, so please bear with me if you can haha). Basically what I am trying to ask is if Returnil is going to provide an Image back-up and restore system. My understanding of an Image back-up is that everything on the partition/drive is backed up to the last byte, including the MBR. My understanding of an Image restore is that the partition/drive is effectively formatted and the backed-up Image completely replaces it. Is this what Returnil is going to provide?

The snapshot engine takes advantage of the virtualization technology we have developed and will restore the system to a specific period in time. It will also allow the restoration of specific files that may be in a different snapshot, a third party/Windows image, Windows installation disk, or only exist on the current (pre-restore) system.

It is not meant as a bare metal wipe > restore > clone solution; rather it is there to recover the system in case of damage and/or malware infection from an overall security focus while keeping the overhead to a minimum.

But as described above, this feature can grab required file replacements from the type of imaging you are thinking about; especially if that image is known to be clean. This saves a tremendous amount of time, efficiently uses available space, and maintains good user experience with the PC (IOW, minimizes user frustration and consequences that may arise from user impatience).

Look for this to be integrated in stages however and not to be included necessarily in the next release series (3.2) as there will be a period of time between the testing of the feature in a stand-alone approach (Ref: RMSE) and its full integration into the 3x line.

Mike


Re: Shadow Defender bypassed by TDL rootkits???

Post by Rico on 7/7/2010, 02:09

I still don't get how Shadow Defender can stop future created malware... What you're implying is a time paradox -- Shadow Defender pre-emptively knows that a virus is running before it was created. The reason being that this is no ordinary malware we're talking about here. This stuff is tailored to bypass all LV solutions out there. Do you think that they didn't hear about SD??

Also if what you're saying is accurate then we would hear that the virii executable was silently blocked from executing but this doesn't seem the case. I am rather curious coldmoon, did you guys reverse this product to know that it works in a similar manner to yours?


Re: Shadow Defender bypassed by TDL rootkits???

Post by Coldmoon on 7/7/2010, 04:50

Rico wrote:I still don't get how Shadow Defender can stop future created malware... What you're implying is a time paradox -- Shadow Defender pre-emptively knows that a virus is running before it was created. The reason being that this is no ordinary malware we're talking about here. This stuff is tailored to bypass all LV solutions out there. Do you think that they didn't hear about SD??

This type of malware has variants as does any other on-going "concern" in the malware dev community so it is not a stretch of the imagination to assume some type of "fudge factor" or simple extension of existing definitions to account for those that still fall within a similar range. The test would be to find one that falls outside of that range and thus go unblocked because of that difference.

Rico wrote:Also if what you're saying is accurate then we would hear that the virii executable was silently blocked from executing but this doesn't seem the case. I am rather curious coldmoon, did you guys reverse this product to know that it works in a similar manner to yours?

This assumes that you have a sample in hand that actually falls outside the range I mentioned previously. It also does not require reverse engineering of a product to understand what it does and how it does it. To be competitive, a company must be aware of what their competition is doing and what types of products and services they offer and it is guaranteed that they are also looking closely at our products and services for exactly the same reasons...

Mike


Re: Shadow Defender bypassed by TDL rootkits???

Post by ssj100 on 7/7/2010, 05:18

Coldmoon wrote:The test would be to find one that falls outside of that range and thus go unblocked because of that difference.

Well, Shadow Defender appears to be bullet-proof despite having a 1Mb installation file. I have not seen any bypasses for it for at least 6-12 months, and this is in default configuration. The same cannot be said for Returnil. Now, all you need to do to completely prove me wrong and make me look like an idiot (haha) is to provide a malware sample or a POC that bypasses Shadow Defender. Otherwise, it's all just words.

Coldmoon wrote:It also does not require reverse engineering of a product to understand what it does and how it does it. To be competitive, a company must be aware of what their competition is doing and what types of products and services they offer and it is guaranteed that they are also looking closely at our products and services for exactly the same reasons...

Mike

Of course it requires reverse engineering. How else would you know exactly the mechanisms Shadow Defender is employing otherwise haha.


Re: Shadow Defender bypassed by TDL rootkits???

Post by noorismail on 7/7/2010, 06:07

Earlier I made the statement:
"ShadowDefender seems to certainly have done more with less, for the moment".

The only thing I have changed my view about is that perhaps I should amend my statement to:
"ShadowDefender seems to certainly have done the SAME with less, for the moment".

I say that because Returnil passed with AV on.

Even if there is hidden AV/AE present in ShadowDefender, it did the same with less overhead/updates/call outs, etc.

The only ShadowDefender process running on my system is using 680k of memory, and 0 CPU.


noor