Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA
Can a Kernel Level Rootkit survive Faronics DeepFreeze?
I have installed the 30-day evaluation version of Faronics Deep Freeze Standard on my lil sister's desktop, as I have gotten tired of formatting and reinstalling the OS (XP Pro + SP2) almost every month as a result of adware/spyware/trojans and whatnot. It's been a week, and so far I'm VERY pleased with the result, as the desktop and the programs are EXACTLY the same way as they were a week ago! Usually, by the first week, she has all kinds of problems with ads popping up, Internet Explorer windows spontaneously closing (I told her to use Firefox, which I have installed on the PC, but she doesn't listen) and warnings of spyware from her anti-virus scanner, etc. etc.
So, I know now that viruses, even if they are installed during a session, are magically erased once the system reboots, and the system is thus rid of all spyware upon reboot! That's the beauty of this program... but I also wanted to be sure that ALL such trojans and viruses are destroyed, including these kernel level rootkits that I keep reading are the latest headache for net users.
So, I would appreciate it if anyone has any comments or answers to this question.
-- Alex Jones Bullhorning Bilderberg. »www.jonesreport.com/articles/211···erg.html
Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA
BTW, what's Deep Freeze? »faronics.com/index.asp?reg=Asia
Deep Freeze instantly protects and preserves baseline computer configurations. No matter what changes a user makes to a workstation, simply restart to eradicate all changes and reset the computer to its original state - right down to the last byte. Expensive computer assets are kept running at 100% capacity and technical support time is reduced or eliminated completely. The result is consistent trouble-free computing on a truly protected and parallel network, completely free of harmful viruses and unwanted programs.
While Deep Freeze provides bulletproof protection, its non-restrictive approach also improves user productivity and satisfaction. Placing no restrictions on a user's ability to access all system resources, users avoid the frustration of downtime due to software conflicts, operating system corruption, virus attacks, and many other problems. Users are always assured of computers that are consistently operable and available.
Elite join:2002-10-03 Orange, CT ·Optimum Online (reply to Shriyash)
Honestly... I've used DF in the past but I've never bothered to try and figure out how it works.
I have, however, tried removing it manually by hand. Fucking disaster.
I'll fire up a VM with DF and some popular RKs tonight for you.
-- QUAD!!!!
SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI ·RoadRunner Cable (reply to Shriyash)
I have Deep Freeze installed on 21 heavily used public computers, working well for over 2 years. Nary a thing has been able to stick. ALL disk writes are hooked at the kernel level and diverted to temporary disk space. Deep Freeze cloaks the destination space that it writes to, and the system honestly believes that the data went where it wanted to put it. There is literally nothing that can beat Deep Freeze. I am using it on my own home computer also. No more anti-malware subscriptions, false positives or zero day infections. You can move "My Documents" and Outlook Express files to an un-frozen partition. I unfreeze on average once a month for system changes. Formatting every 6 months or re-imaging are now obsolete. A read-only OS is only about 25 years past due. You have won the malware battle. Do you need to install "Seekmo" to watch your favorite videos? Go ahead. Enjoy!
Elite join:2002-10-03 Orange, CT ·Optimum Online (reply to Shriyash)
FS hooking, eh?
I'm sure DF will end up defeating Rustock.B, but I'm going to be pretty damn surprised if MBRKit doesn't manage to bypass DF.
MBRKit, upon execution, loads a kernel driver to do its dirty work (write new MBR, write loader, write driver).
We shall see...
Cudni La Merma - Los De Aca Premium,MVM join:2003-12-20 Someshire (reply to Shriyash)
Maybe useful for public comps, but not so much for home use.
Cudni
SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI ·RoadRunner Cable (reply to Elite)
said by Elite: "We shall see..."
If it gets past it using your virtual machine testbed, I'll be happy to give it a real live test. I'm running an old junk hard drive in this machine and I need to replace it soon anyway.
Elite join:2002-10-03 Orange, CT ·Optimum Online (reply to Shriyash)
Faronics Deep Freeze Standard (Eval) v6.30.021.1875 vs RKs:
Rustock.B - Pass! MBRKit - Failed!
Results are as I'd imagined. Rustock.B simply attaches a driver to the System32 ADS, then hides it.
MBRKit, on the other hand, was able to bypass Deep Freeze's mass IRP hooking by using its own driver to write directly to the hard disk.
Nice try, Faronics.
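A defender's way to verify what Elite reports (that the on-disk MBR really changed across a reboot, despite the write-redirection layer): read the first 512 bytes of the physical disk, hash the boot-code region, parse the partition table, and compare both against a baseline captured while the machine was known clean. This is an added example, not code from the thread or from Faronics; the MBR sectors it checks are constructed samples, and the field offsets are the standard MBR layout.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # bytes 0..439: the boot loader code a bootkit overwrites
PART_TABLE_OFF = 446  # four 16-byte partition entries
BOOT_SIG_OFF = 510    # 0x55AA marks a valid MBR

def parse_mbr(sector):
    """Return (sha256 of boot code, list of used partition entries, signature_ok)."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    sig_ok = sector[BOOT_SIG_OFF:] == b"\x55\xaa"
    boot_hash = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    parts = []
    for i in range(4):
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means the slot is unused
            parts.append({"slot": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return boot_hash, parts, sig_ok

def check_mbr(current, baseline):
    """Compare a freshly read MBR with a trusted baseline; return a list of findings."""
    cur_hash, cur_parts, cur_sig = parse_mbr(current)
    base_hash, base_parts, _ = parse_mbr(baseline)
    findings = []
    if not cur_sig:
        findings.append("boot signature 0x55AA missing")
    if cur_hash != base_hash:
        findings.append("boot code changed")
    if cur_parts != base_parts:
        findings.append("partition table changed")
    return findings

def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba, count) tuples."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sector)

# Constructed samples, not real disk images: one bootable NTFS (type 0x07) partition.
BASELINE = build_mbr(b"FAKE-BOOT-STUB", [(True, 0x07, 63, 2097152)])
TAMPERED = build_mbr(b"OTHER-LOADER", [(True, 0x07, 63, 2097152)])  # same table, new boot code
```

On a live machine the current sector comes from a raw read of the physical disk (for example `\\.\PhysicalDrive0` on Windows, which needs Administrator rights) taken after the reboot, and the baseline must be stored somewhere the frozen system cannot rewrite.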
SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI ·RoadRunner Cable (reply to Shriyash)
edit: April 10th, @05:29AM
So, after you rebooted, the viral code was still where you think it was put?
How does the MBR work in a virtual machine? Does the VM have its own virtual MBR, or did your kit write to the real MBR of the hard drive, which was not being protected by Freeze?
Elite join:2002-10-03 Orange, CT ·Optimum Online (reply to Shriyash)
I installed MBRKit, rebooted, and MBRKit was active. Rebooted again for the hell of it, same results.
In the VM, the VM is assigned a virtual hard disk/filesystem, which is actually like an 8GB file on my real machine.
MBRKit wrote to the virtual filesystem's MBR.
SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI ·RoadRunner Cable (reply to Elite)
said by Elite: "I installed MBRKit, rebooted, and MBRKit was active."
Damn, that is some rough news. I suppose there are wild virii that use this technology?
Elite join:2002-10-03 Orange, CT (reply to Shriyash)
MBRKit is currently an ITW rootkit.
It's not very widespread though... yet.
Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA (reply to Elite)
edit: April 10th, @06:23AM
said by Elite: "MBRKit, on the other hand, was able to bypass Deep Freeze's mass IRP hooking by using its own driver to write directly to the hard disk."
Elite, first off, thanks for doing the test! So, in layman's terms, if I understand it correctly, MBRKit is still there installed even AFTER reboot?!! And so this is a rootkit, right? So that means it can infect the Deep Freeze installed PC, but can it actually do ALL the havoc-wreaking it can do on a normal machine?
Edit: Elite, please can you tell us what this MBRKit thing actually DOES? I tried googling it, but there just isn't much information available as to what this rootkit actually does (like crash the PC, hijack the browser, keylogging maybe?).
Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA (reply to Elite)
edit: April 10th, @06:18AM
Hi Elite, just wanted your thoughts on this. Is this because the test is done on a VM, or do you think this will be the same result on a normal machine too?!
Edit: and I'm wondering, does Faronics know about this (potential/real?) vulnerability?!
SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI ·RoadRunner Cable (reply to Shriyash)
said by Shriyash: "...if I understand it correctly, MBRKit is still there installed even AFTER reboot?!! And so this is a rootkit, right? So that means it can infect the Deep Freeze installed PC, but can it actually do ALL the havoc-wreaking it can do on a normal machine?"
Looks like it is happening. BIOS viruses would also be exempt from Deep Freeze. Here is a rather deep and involved thread about a BIOS virus. D4v3 has some very interesting stuff going on. »forum.sysinternals.com/forum_pos···079&PN=1
Elite join:2002-10-03 Orange, CT ·Optimum Online (reply to Shriyash)
Don't pay any attention to the nonsense over at SysInternals. None of them have BIOS rootkits.
As far as Deep Freeze is concerned, the results would be the same on a live machine as they would in a VM. Looks like Faronics needs to figure out a workaround for this one...
WhyNot @inet.fi
If MBRKit can bypass DeepFreeze, have you tried whether it can bypass running a limited user account? I think that would be a much simpler solution than running a complex program like DeepFreeze. I think MBRKit can't load its own driver to write to the hard disk on a limited user account because limited users don't have the load driver privilege. Am I wrong?
Shriyash Sungazer Premium join:2005-02-23 PuNe, InDiA (reply to Cudni)
said by Cudni: "maybe useful for public comps but not so much for home use"
Yeah, but hey, it's not that hard to install new programs and whatnot on a machine that has DF installed. Simply open DF and tell it to boot 'thawed' instead of 'frozen' on next reboot. The rebooting will take a minute; then install whatever new programs you want, make any other changes to the desktop, and then simply tell DF to boot frozen from then onwards! It's easier than it sounds.
SipSizzurp Fo' Shizzle Premium join:2005-12-28 Hilo, HI ·RoadRunner Cable (reply to Elite)
said by Elite: "Don't pay any attention to the nonsense over at SysInternals. None of them have BIOS rootkits."
You were strangely quiet in that thread concerning what our friend from Mexico was showing about his BIOS discoveries. SysInternals is a bunch of nonsense?
Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 (reply to Elite)
said by Elite: "I installed MBRKit, rebooted, and MBRKit was active. Rebooted again for the hell of it, same results. In the VM, the VM is assigned a virtual hard disk/filesystem, which is actually like an 8GB file on my real machine. MBRKit wrote to the virtual filesystem's MBR."
You should try the hardware version of HDD Sheriff.
HDD Sheriff Easy Recovery PCI 2005 »www.hdd-sheriff.com/products.htm
I'd be curious if it were better.
They also have a software-only solution.
HDD Sheriff Easy Recovery software 2005 HDD Sheriff Downloads (updated June 1/05) »www.hdd-sheriff.com/downloads.htm
-- What's the point of owning a supercar if you can't scare yourself stupid from time to time?