First of all, I must say there are some misunderstandings, for the test was not based on a proper technical background.
Actually both SD and Diskshot passed the test, and the thing TDSSKiller detects is only leftover.
To understand this, we need to know the way the 'Sinowal' code works.
The head developer (of Diskshot) said that this malware is very 'stupid',
because the infection code runs only in ring3 and is not technically sophisticated at all (from the point of view of rootkit infection).
There's an analysis of the rootkit Sinowal:
http://stoned-vienna.com/html/index.php?page=analysis-of-sinowal
The first thing I see is that there is no import for CloseHandle function, which leads me to say that this is filthy written code.
...
It uses the common used WriteFile interface for writing the sectors onto hard disk.
...
Sinowal is a Bootkit, which means it overwrites the Master Boot Record and later hooks and bypasses every Windows System function. So, the first thing Sinowal does for infection is to read the Master Boot Record and copy the Partition Table from it. Then it takes its own Master Boot Record, which is included in the infector binary file, and copies the new Partition Table into it. But not only the Partition Table should be preserved, also Microsoft's original Master Boot Record. For this, the infector copies the first sector of the original Master Boot Record into the last sector of the new malicious Boot Record. Then it's ready to write the new malicious Master Boot Record to disk. The functions and parts of the new malicious Master Boot Record will be discussed later.
Money is not the total, so infecting just a Master Boot Record is not enough, it's just the at-runtime infecting/hooking part but not the executive. Sinowal also copies a malicious kernel driver onto the disk, at the end of the disk, offset is ~ -10 MB from the end. This is the place where no partition is; the space is and should be reserved, Microsoft software will never allow it to be used by any partition. This hidden 10 MB contains some Microsoft-only information and system restore information.
That's it! That is the execution of the Sinowals infector file.
According to this, Sinowal exploits some remaining sectors (that every Windows-installed HDD has to have), and locates its main code at the end of the HDD sectors, like the TDLFS filesystem.
Basically, Diskshot and Shadow Defender only prevent the system drive (and MBR) from modification, so any remaining partition is left behind.
To describe the problem, let me show this picture...
[attachment=4404]
So, like a gun without a trigger, the remaining code (at the end of the HDD) will never be executed.
But TDSSKiller detects the (neutralised) remains and warns the user.
He (who tested this software) didn't know that fact and just relied on what TDSSKiller says, so he could say there were failures.
Above all, your system is still safe while you are using SD / Diskshot.
If you want to erase the remains, you could use TDSSKiller, BCWipe, CCleaner, etc.
PS: The developer told me that to get around the misunderstandings shown above, Diskshot will apply a whitelist protection mechanism as of DS@Home 3.8
(which prevents any modification of all HDD partitions except the specified ones).
And DS@Home could have some AV engine (especially for password-stealing trojans/sophisticated rootkits), trying to prevent online system infection (like Returnil).
Regards ;D
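The infection sequence quoted above (partition table preserved, original MBR sector kept, payload written in the unpartitioned tail of the disk) also says what a defender can check. The following is an added Python example, not code from this post, from Diskshot or from the stoned-vienna analysis: it parses an MBR, compares the boot code against an assumed known-good baseline hash, and flags non-zero data past the last partition, all on a constructed 64-sector image (the boot code bytes and partition layout are made up for the demonstration).

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(mbr: bytes):
    """Return (boot_code, partitions) for a 512-byte MBR; partitions are the non-empty table entries."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        # status, CHS start (3 bytes skipped), type, CHS end (3 bytes skipped), LBA start, sector count
        status, ptype, start_lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start_lba": start_lba, "sectors": count})
    return mbr[:446], parts

def audit_disk(disk: bytes, known_good_bootcode_sha256: str):
    """Flag a changed MBR boot area and any non-zero data after the last partition (the bootkit's hiding place)."""
    boot_code, parts = parse_mbr(disk[:SECTOR])
    findings = []
    if hashlib.sha256(boot_code).hexdigest() != known_good_bootcode_sha256:
        findings.append("mbr_bootcode_modified")
    # first LBA past the highest partition end; sector 0 is the MBR itself, so default to 1
    free_lba = max((p["start_lba"] + p["sectors"] for p in parts), default=1)
    if any(disk[free_lba * SECTOR:]):
        findings.append(f"nonzero_data_after_lba_{free_lba}")
    return findings

def build_disk(boot_code: bytes, last_sector: bytes, total_sectors: int = 64) -> bytes:
    """Constructed sample image: one NTFS-typed partition at LBA 2..41, free space to the end."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2, 40)
    mbr = boot_code.ljust(446, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"
    disk = bytearray(total_sectors * SECTOR)
    disk[:SECTOR] = mbr
    disk[-SECTOR:] = last_sector.ljust(SECTOR, b"\x00")  # what a dropper would write at the disk's end
    return bytes(disk)

# Constructed stand-in for vendor boot code; a real baseline comes from a trusted image of the machine's MBR.
CLEAN_BOOTCODE = (b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20).ljust(446, b"\x00")
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()
clean_disk = build_disk(CLEAN_BOOTCODE, b"")
infected_disk = build_disk(b"\xeb\x1e\x90" + b"\xcc" * 40, b"MZ" + b"\x90" * 30)

if __name__ == "__main__":
    print("clean:", audit_disk(clean_disk, BASELINE_SHA256))        # []
    print("infected:", audit_disk(infected_disk, BASELINE_SHA256))  # ['mbr_bootcode_modified', 'nonzero_data_after_lba_42']
```

On a real system the same two checks run against a raw read of the physical disk and a baseline MBR hash taken when the machine was known clean; a hit on the tail check is exactly the "leftover" that a scanner reports after the MBR itself has been protected.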