Smokey Bear:
Worm bypasses Software like DeepFreeze?

Softpedia | 9th of June 2009
Security researchers from Bach Khoa Internetwork Security (Bkis) warn of a new worm that is able to bypass the protections enforced on the file system by software such as Deep Freeze. The malware was discovered in early March and has already claimed thousands of victims in Asia.

Deep Freeze is an application developed by Faronics to help administrators restore computers to a secure state after being used by untrusted parties. Such software is very popular in environments with many casual users such as cybercafés, libraries, or computer labs in schools.

"The software can monitor any change in sectors (data storage area) in hard disk partitions and save the changes in another area (buffer). When normal programs retrieve these sectors, they will reach the data in the buffer rather than in the original sectors," Vu Ngoc Son, senior malware researcher at Vietnam-based Bkis, explains.

This allows administrators to easily restore the computer to the previous state by simply rebooting the machine. Mr. Vu Ngoc Son believes that, because of this, the computer administrator can get a false sense of security, which is particularly reflected by this latest threat.
Source: »news.softpedia.com/news/ ··· 77.shtml

See also: hxxp://blog.bkis.com/?p=707

Edit 2009-06-11: topic subject altered in light of newly received information
Edit 2009-06-12: topic subject altered temporarily until the issue is fully clarified

HailTheLUA:
Re: New worm bypasses System Rollback Software like DeepFreeze

quote:
In order to bypass the Deep Freeze restrictions at the operating system level, W32.SafeSys.Worm "employs a technique that enables it to write data directly on hard disk’s sectors by sending request for direct interaction with disk Controller."
Sounds to me like that requires admin privs to succeed, but I've been wrong before.

Still, giving admin rights to people using some internet cafe computer or similar is just plain crazy, Deep Freeze or no. Interesting to see malware like this in the wild though.

so what stops it (to Smokey Bear):
So what stops the worm then? Will the popular AVs detect it? How 'bout programs like Prevx or Threatfire? Anything else? HIPS maybe?

Blue2 to Smokey Bear:
Faronics states:

"Once Deep Freeze is installed on a workstation, any changes made to the computer—regardless of whether they are accidental or malicious—are never permanent. Deep Freeze provides immediate immunity from many of the problems that plague computers today—inevitable configuration drift, accidental system misconfiguration, malicious software activity, and incidental system degradation.

Deep Freeze ensures computers are absolutely bulletproof, even when users have full access to system software and settings. (emphasis added) »www.faronics.com/html/de ··· eeze.asp

So it would be nice if the press contacted Faronics to get their response to Bkis. Does this suggest that all software of this type is vulnerable by design (Sandboxie, etc.) and it's only a matter of time before they can be bypassed and therefore of little value?

Grimm43 to Smokey Bear:
I just spoke to Faronics by phone and they assured me that this article is bogus and that NO cases have been reported in the wild.

They knew about the worm claiming to breach Deep Freezes security and informed me that it is NOT an issue.

I suggested they respond to this thread and I hope they do so this can all be straightened out.

Grimm

Sir Meowmix III to Smokey Bear:
Seems to reek of FUD + profit, from the »blog.bkis.com/?p=707 website (emphasis added):
quote:
A number of Internet shops which put too much trust in DeepFreeze and do not employ any other protection method have become W32.SafeSys.Worm's victims. According to Bkis' statistics, as many as 46.000 computers in Vietnam have been infected with this virus.

If your Internet shop experiences the same problem involving this virus, you should update the latest Bkav version at here to deal with the problem.

Little actual information, broad "access the Controller" (note the capitalization) assertions, number of infections computed by them and only a local demographic, and the solution is to install their software.

Smokey Bear to Grimm43:
said by Grimm43:

I just spoke to Faronics by phone and they assured me that this article is bogus and that NO cases have been reported in the wild.

I suggested they respond to this thread and I hope they do so this can all be straightened out.
Let's wait on an official Faronics reaction.

Grimm43:
said by Smokey Bear:
said by Grimm43:

I just spoke to Faronics by phone and they assured me that this article is bogus and that NO cases have been reported in the wild.

I suggested they respond to this thread and I hope they do so this can all be straightened out.
Let's wait on an official Faronics reaction.
I was just called back by Faronics and told that as to date no reports of compromised computers have come from Vietnam or any other country.

I agree that a statement from Faronics is the best way to settle this.

I realize just my word is not likely enough for some readers.

Smokey Bear:
Please see my IM.

Grimm43:
said by Smokey Bear:

Please see my IM.
Just got it....

Thanks smokey Bear.

Blue2 to Smokey Bear:

Re: [FUDGE] Worm bypasses Software like DeepFreeze

I'm always suspicious when some company I've never heard of makes some spectacular claim without providing specifics. Particularly when they get media attention for doing it.

If the media who reported this was really doing their job, they would NEVER have printed an assertion about any company or product, without first contacting the company and asking for their response. That's just journalism 101.

Smokey Bear:
Actual information, just offered to me privately by acknowledged AV experts, has forced me to alter the topic subject.

ATM it is clear that the source of the article I quoted from, Softpedia, has produced a fudge article regarding Bach Khoa Internetwork Security (Bkis) and the system rollback software DeepFreeze.

1- Bach Khoa Internetwork Security (Bkis) is directly involved in the distribution of a rogue AV, threat name is FraudTool.Win32.BachKhoa.av »www.sunbeltsecurity.com/ ··· B3F8BBA4

2- NO cases of the mentioned worm have been reported in the wild.

3- I will ask Softpedia for an explanation.

I am waiting on confirmation from the vendor of DeepFreeze, Faronics; the moment I receive their confirmation I will make a statement on their behalf.

Regards,

Smokey Bear

JohnInSJ to Smokey Bear:
You know, you could not make this stuff up if you tried.

Thanks Smokey. Yet another non-event. At least they didn't say 'using magic pixie dust' or some such BS.

I'll tell you one thing, all this crap is making Apple some money. Hey, wait a second... maybe the haxxor is that apple dude?

Smokey Bear:
said by JohnInSJ:

Thanks Smokey. Yet another non-event. At least they didn't say 'using magic pixie dust' or some such BS.
Just discovered that PCWorld produced the same BS regarding a "worm" and an alert again provided by "Security researchers" from Bach Khoa Internetwork Security (Bkis), the very same name mentioned in the Softpedia article regarding DeepFreeze: »www.pcworld.com/business ··· nts.html

PCW article date: April 24, 2009

I have emailed PCW a link to this DSLR post.

Grimm43 to JohnInSJ:
Self Moderated to remove picture of Dell Dude.

mysec to Smokey Bear:
Thanks, Smokey.
1- Bach Khoa Internetwork Security (Bkis) is directly involved in the distribution of a rogue AV, threat name is FraudTool.Win32.BachKhoa.av

I wonder if that is the same product mentioned in the BKIS blog, and also being pushed here:

»tips-reviews-how-to.blog ··· pot.com/
System Restore Worm Poses New Threat

The worm is called W32.SafeSys.Worm and attacks a particular program called Deep Freeze.

There are over 140 variants of the W32.SafeSys.Worm thus far.

The best protection at this point is to Download the latest BKAV.

»www.bkav.com.vn/home/Dow ··· adE.aspx
© Please credit the source: 'Bkis Network Security Center'

From a Wilders thread, Dec/2008

Re: BKAV anti-virus from VietNam
»www.wilderssecurity.com/ ··· t=226833
said by Stefan Kurtzhals :

Did some very quick tests, which showed catastrophic detection capabilities, even on very old malware from the ITW list. No way there are 300 people working on this - or they are playing Tetris all day.


----
rich

Smokey Bear:
Follow up: I received an email from the writer of the Softpedia article. Until I have checked all the facts mentioned in it I will not react in public. Parts of the Softpedia email are of a private character and will remain private.

Regrettably I have not yet received the promised Faronics email confirmation and POV. That is an absolute must to come to a well-matured opinion regarding the issue and what Softpedia wrote. ATM Faronics' lack of (promised) response is not helpful for clarification.
Smokey Bear:

Follow up: Faronics have contacted me.

Official Statement on behalf of Faronics Corporation

11th of June 2009

Faronics is aware of the report that a worm called "W32.SafeSys.Worm" is able to "bypass" Deep Freeze and other competing products. However, we have not been able to confirm the accuracy of the report and at this time have been unable to reproduce these results in our lab. We will continue to investigate the issue. As always, we continue to recommend that customers use an antivirus product in combination with Deep Freeze. Please refer to the White Papers section of the Faronics Content Library for information regarding how to use Deep Freeze with many popular antivirus products.

Brent Smithurst
Vice President, Technical Operations
Faronics Corporation

Vampirefo:
It may not be FUD; I remember a few years ago one could get around Deep Freeze, e.g. disable Deep Freeze.

The only way to know for sure is to get the worm and test it against Deep Freeze.

This is just one example »www.ethicalhacker.net/co ··· c,658.0/ I am sure you could find more via google.

Grimm43 to Smokey Bear:
said by Smokey Bear:

Follow up: Faronics have contacted me.

Official Statement on behalf of Faronics Corporation

11th of June 2009

Faronics is aware of the report that a worm called "W32.SafeSys.Worm" is able to "bypass" Deep Freeze and other competing products. However, we have not been able to confirm the accuracy of the report and at this time have been unable to reproduce these results in our lab. We will continue to investigate the issue. As always, we continue to recommend that customers use an antivirus product in combination with Deep Freeze. Please refer to the White Papers section of the Faronics Content Library for information regarding how to use Deep Freeze with many popular antivirus products.

Brent Smithurst
Vice President, Technical Operations
Faronics Corporation
This is a much more diplomatic response than I got but I am glad they emailed you as I asked.

So I guess we wait and see, I mean with over 100 variants they should be able to find a sample to test with.

I did a search myself and could find no mention of it that did not directly or indirectly come from Bkav.

Smokey Bear:
said by Grimm43:

This is a much more diplomatic response than I got but I am glad they emailed you as I asked.

So I guess we wait and see, I mean with over 100 variants they should be able to find a sample to test with.

I did a search myself and could find no mention of it that did not directly or indirectly come from Bkav.
In public, diplomacy is a must. BTW, I am still in contact with Faronics and Softpedia, when there is news to report I will let you know.

Blue2 to Smokey Bear:
Until someone proves or disproves this vulnerability, it might be a good idea not to assume anything. The "FUDGE" in your headline will be misleading if this turns out to be true, and make people ignore a real issue.

I am skeptical of unverified claims, and there appears to be only one press release which is being picked up in the press, without any new information.

But until Faronics states that this is FUD, we shouldn't be the ones to judge its authenticity.

Smokey Bear:
said by Blue2:

Until someone proves or disproves this vulnerability, it might be a good idea not to assume anything. The "FUDGE" in your headline will be misleading if this turns out to be true, and make people ignore a real issue.
At your service; until there is full clearance I have temporarily altered the headline into an interrogative phrase.
Smokey Bear:
Re: [FUDGE??] Worm bypasses Software like DeepFreeze

FWIW, I will not join this discussion anymore, and have definitively ceased all investigations to find out the truth regarding the possibility of bypassing system rollback software.

The subject of the discussion is interesting and informative; nevertheless I no longer have any inducement to continue.

My gratitude to all posters for participating in this thread.

Kilroy to HailTheLUA:

Re: New worm bypasses System Rollback Software like DeepFreeze

said by HailTheLUA :
quote:
In order to bypass the Deep Freeze restrictions at the operating system level, W32.SafeSys.Worm "employs a technique that enables it to write data directly on hard disk’s sectors by sending request for direct interaction with disk Controller."
Correct me if I'm wrong, but wouldn't this require different code for different controllers? To get that level of access to the disk through the controller you would need to know what controller you're writing for. That's what pegged my BS meter.
salahx:
Well, depending on the context, I think they mean the worm operates at the block device level, rather than the filesystem level. Essentially, the worm would have its own filesystem driver (much like the Linux FUSE NTFS driver). If Deep Freeze works at the filesystem level, rather than at the block device level, then it WOULD be able to bypass it this way.

However this would be a lot of work (one would need to implement a userspace NTFS driver), and pretty dangerous too, and would probably corrupt the filesystem due to race conditions inherent in this.

Blue2 to Smokey Bear:

Re: [FUDGE??] Worm bypasses Software like DeepFreeze

That's over my level of understanding. But if this is possible, then shouldn't Deep Freeze or products like it operate at the block device level because it will only be a matter of time before someone finds a way to crack the filesystem?

I'm kind of surprised that since this supposed issue was reported in the press, Faronics would not challenge the company who reported it for proof or make a public statement.

Link Logger to Smokey Bear:
When I was at SecurityFocus many years ago we would actually validate vulnerabilities that were submitted to us (or at least I would see the major ones), and while I don't know if that is their current practice, when I see attacks like this published by companies or organizations that I've never heard of, and not published by reputable organizations who have demonstrated some real security expertise, I must admit that I blow them off pretty quickly. The noise ratio can get pretty high in this business, but one of my litmus tests is still: is it published/discussed at SecurityFocus?

Sometimes in the security business there is a whole pile of crap going on behind the scenes which most people would never guess, some of it 'almost' bordering on extortion, which makes me a little more wary of 'unknown' players doing press releases etc. There are tons of 'security researchers' whom I gladly tip my hat to for their abilities and expertise, and when those guys speak, I pay attention.

Blake (uglyhax):
Hi,

This thread has not been active so this post might not be very useful, but I was researching this malware, and found the claims to be true. Probably the [Fudge] in the title should be revisited.

A sample is available from another forum (might I add try it at your own risk):

»www.horizondatasys-forum ··· rus.html

I used the 30 day evaluation version of DeepFreeze and confirmed the malware survived the reboot process: the process explorer (Sysinternals) still shows the binary being loaded.

It installs and loads a device driver which is used to write directly onto the disk, probably why Deep Freeze is unable to detect the change. However, this requires admin privileges. So I tried to run the sample as a regular user. Turns out it's unable to infect the machine unless you're logged in as an administrator.
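An added illustration of the mechanism the thread has been arguing about: the Bkis description quoted in the opening post (sector writes redirected to a buffer, reboot discards the buffer), salahx's block-level versus filesystem-level point, and uglyhax's observation above that the sample loads a driver to write beneath that layer and cannot do so without admin rights. This is example code written for this thread, not code from Deep Freeze, Bkis or any poster; the 512-byte sector size, the class names and the is_admin flag are assumptions, and the dropped payload bytes are constructed. It also adds the check a cafe operator would want but Deep Freeze alone does not provide: a hash of the frozen image taken while frozen, compared again after a reboot.

```python
"""Toy model of a sector-level freeze layer, a write beneath it, and a check.

Added example for this thread; not code from Deep Freeze, Bkis or any poster.
Sector size, class names and the is_admin flag are assumptions for the demo.
"""
import hashlib

SECTOR = 512  # assumed sector size


class Disk:
    """Backing store: what a driver talking straight to the controller sees."""

    def __init__(self, n_sectors):
        self.sectors = [bytes(SECTOR) for _ in range(n_sectors)]

    def read(self, lba):
        return self.sectors[lba]

    def write(self, lba, data):
        assert len(data) == SECTOR
        self.sectors[lba] = data


class FrozenDisk:
    """Copy-on-write filter that the normal OS I/O path goes through.

    Writes land in a scratch map, reads consult that map first, and reboot()
    throws the map away. Nothing in this class ever writes to the backing store.
    """

    def __init__(self, disk):
        self.disk = disk
        self.buffer = {}  # lba -> redirected sector contents

    def read(self, lba):
        return self.buffer.get(lba, self.disk.read(lba))

    def write(self, lba, data):
        assert len(data) == SECTOR
        self.buffer[lba] = data

    def reboot(self):
        self.buffer.clear()


def open_raw_device(disk, is_admin):
    """Reaching raw sectors means loading a driver, which needs admin rights.

    Modelled here as a plain permission check (assumption: on the real system
    only an administrator can install and start the driver).
    """
    if not is_admin:
        raise PermissionError("driver load requires administrator rights")
    return disk


def fingerprint(disk):
    """SHA-256 over the raw backing store, taken while the volume is frozen.

    A frozen image must not change across reboots, so a differing hash later
    means something wrote beneath the filter, whatever it was.
    """
    h = hashlib.sha256()
    for s in disk.sectors:
        h.update(s)
    return h.hexdigest()


PAYLOAD = b"dropped.exe"  # constructed stand-in for the worm's dropped file


def pad(payload):
    return payload.ljust(SECTOR, b"\0")


def normal_write(disk_size=8):
    """Write through the frozen path: visible until reboot, gone afterwards."""
    disk = Disk(disk_size)
    frozen = FrozenDisk(disk)
    baseline = fingerprint(disk)
    frozen.write(3, pad(PAYLOAD))
    before = frozen.read(3)[: len(PAYLOAD)]
    frozen.reboot()
    after = frozen.read(3)[: len(PAYLOAD)]
    return before, after, fingerprint(disk) == baseline


def raw_write(is_admin, disk_size=8):
    """Write beneath the filter, as the driver would: survives the reboot."""
    disk = Disk(disk_size)
    frozen = FrozenDisk(disk)
    baseline = fingerprint(disk)
    try:
        raw = open_raw_device(disk, is_admin)
    except PermissionError:
        return None, True  # unprivileged user: nothing written, image intact
    raw.write(3, pad(PAYLOAD))
    frozen.reboot()
    return frozen.read(3)[: len(PAYLOAD)], fingerprint(disk) == baseline


if __name__ == "__main__":
    print("normal write:", normal_write())
    print("raw write as admin:", raw_write(is_admin=True))
    print("raw write as user:", raw_write(is_admin=False))
```

Run it as a script: normal_write() shows the through-the-filter write vanishing at reboot with the image hash unchanged, raw_write(True) shows the driver path surviving the reboot and changing the baseline hash, and raw_write(False) shows that without admin rights the raw path is never reached at all, which is the same outcome uglyhax reports. The hash comparison says nothing about what wrote to the disk, only that the frozen image is no longer what it was; that is exactly the signal a rollback product by itself does not give you.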

Grimm43:
said by uglyhax:

Hi,

This thread has not been active so this post might not be very useful, but I was researching this malware, and found the claims to be true. Probably the [Fudge] in the title should be revisited.

A sample is available from another forum (might I add try it at your own risk):

»www.horizondatasys-forum ··· rus.html

I used the 30 day evaluation version of DeepFreeze and confirmed the malware survived the reboot process: the process explorer (Sysinternals) still shows the binary being loaded.

It installs and loads a device driver which is used to write directly onto the disk - probably why deep freeze is unable to detect the change. However, this requires admin privileges. So I tried to run the sample as a regular user. Turns out, its unable to infect the machine unless you're logged in as an administrator.
I have emailed this post to Faronics for their evaluation and am awaiting their reply.

I am quite interested in this as I spoke to Faronics a few days ago regarding this subject and their recent upgrade to the program.

They said that this exploit had not yet been reproduced in their labs.

Grimm