Broadband Tech > Security > Security > Worm bypasses Software like DeepFreeze?

Worm bypasses Software like DeepFreeze?

Re: New worm bypasses System Rollback Software like DeepFreeze

quote:

---

In order to bypass the Deep Freeze restrictions at the operating system level, W32.SafeSys.Worm "employs a technique that enables it to write data directly on hard disk’s sectors by sending request for direct interaction with disk Controller."

---

reply to Smokey Bear
So what stops the worm then? Will the popular AVs detect it? How 'bout programs like Prevx or Threatfire? Anything else? HIPS maybe?

reply to Smokey Bear
Faronics states:

"Once Deep Freeze is installed on a workstation, any changes made to the computer—regardless of whether they are accidental or malicious—are never permanent. Deep Freeze provides immediate immunity from many of the problems that plague computers today—inevitable configuration drift, accidental system misconfiguration, malicious software activity, and incidental system degradation.

Deep Freeze ensures computers are absolutely bulletproof, even when users have full access to system software and settings. (emphasis added) »www.faronics.com/html/deepfreeze.asp

So it would be nice if the press contacted Faronics to get their response to Bkis. Does this suggest that all software of this type is vulnerable by design (Sandboxie, etc.) and it's only a matter of time before they can be bypassed and therefore of little value?

reply to Smokey Bear
I just spoke to Faronics by phone and they assured me that this article is bogus and that NO cases have been reported in the wild.

They knew about the worm claiming to breach Deep Freezes security and informed me that it is NOT an issue.

I suggested they respond to this thread and I hope they do so this can all be straightened out.

Grimm
--
We the few, following the unknowing to do the seemingly impossible...Have done this so long we can now do anything with nothing!... Quote By Anonymous Marine

reply to Smokey Bear
Seems to reek of FUD + profit, from the »blog.bkis.com/?p=707 website (emphasis added):

quote:

---

A number of Internet shops which put too much trust in DeepFreeze and not employ any other protection method have become W32.SafeSys.Worm’s victims. According to Bkis’ statistics, as many as 46.000 computers in Vietnam have been infected with this virus.

If your Internet shop experiences the same problem involving this virus, you should update the latest Bkav version at here to deal with the problem.

---

reply to Grimm43

Please see my IM.

reply to Smokey Bear

Re: [FUDGE] Worm bypasses Software like DeepFreeze

reply to Smokey Bear
Actual information, just offered me privately by acknowledged AV-Experts, forced me to alter topic subject.

ATM it is clear that the source of the article I quoted from, Softpedia, have produced a fudge article regarding Bach Khoa Internetwork Security (Bkis) and System Rollback Software DeepFreeze.

1- Bach Khoa Internetwork Security (Bkis) is directly involved in the distribution of a rogue AV, threat name is FraudTool.Win32.BachKhoa.av »www.sunbeltsecurity.com/threatdi···B3F8BBA4

2- NO cases of the mentioned worm have been reported in the wild.

3- I will ask Softpedia for an explanation.

I am waiting on confirmation of the vendor of DeepFreeze, Faronics, ATM I receive their confirmation I will make her a statement on behalf of them.

Regards,

Smokey Bear
--
Smokey's Security Forums »www.smokey-services.eu/forums/
Smokey's Security Weblog »smokeys.wordpress.com/
Site Member ASAP - Alliance of Security Analysis Professionals

reply to Smokey Bear
You know, you could not make this stuff up if you tried.

Thanks Smokey. Yet another non-event. At least they didn't say 'using magic pixie dust' or some such BS.

I'll tell you one thing, all this crap is making Apple some money. Hey, wait a second... maybe the haxxor is that apple dude?
--
My place : »www.schettino.us

reply to JohnInSJ
Self Moderated to remove picture of Dell Dude.

reply to Smokey Bear
Thanks, Smokey.

reply to Smokey Bear
Follow up: I received an email from the writer of the Softpedia article. Till I have checked all mentioned facts in it I will not react in public. Parts of the Softpedia email have private character and will remain private.

Regrettably till yet I didn't received the promised Faronics email confirmation and POV. Such is an absolute must to come to a well-matured opinion regarding the issue and what Softpedia wrote. ATM Faronics lack of (promised) response is not helpful for clarification.
--
Smokey's Security Forums »www.smokey-services.eu/forums/
Smokey's Security Weblog »smokeys.wordpress.com/
Site Member ASAP - Alliance of Security Analysis Professionals

reply to Smokey Bear
Follow up: Faronics have contacted me.

Official Statement on behalf of Faronics Corporation

11th of June 2009

Faronics is aware of the report that a worm called "W32.SafeSys.Worm" is able to "bypass" Deep Freeze and other competing products. However, we have not been able to confirm the accuracy of the report and at this time have been unable to reproduce these results in our lab. We will continue to investigate the issue. As always, we continue to recommend that customers use an antivirus product in combination with Deep Freeze. Please refer to the White Papers section of the Faronics Content Library for information regarding how to use Deep Freeze with many popular antivirus products.

Brent Smithurst
Vice President, Technical Operations
Faronics Corporation
--
Smokey's Security Forums »www.smokey-services.eu/forums/
Smokey's Security Weblog »smokeys.wordpress.com/
Site Member ASAP - Alliance of Security Analysis Professionals

It may not be fud, I remember a few years ago, one could get around Deep freeze. eg disable Deep Freeze.

The only way to know for sure is to get the worm and test it against Deep Freeze.

This is just one example »www.ethicalhacker.net/component/···c,658.0/ I am sure you could find more via google.
--
Best Regards
Vampirefo

reply to Smokey Bear