6 Replies Latest reply on May 3, 2011 1:58 AM by Attila Polinger

    Does Access Protection prevent operation on physical hard drive?

      Hey guys,


      I recently came across a special virus which only operated on the physical hard drive to destroy the MBR. As a consequence, all the user data were completely lost. What should we do to prevent this from happening again if VSE could not detect a threat in the first place? Can Access Protection help to prevent a program from direct operation on the physical hard drive?


      You can access the following links for the online analysis of the virus behavior and see if VSE can help preventing that.


      http://www.sunbeltsecurity.com/cwsandboxreport.aspx?id=79910819&cs=BE4F03DBA2153619EFEF3189915A20E9

      http://camas.comodo.com/cgi-bin/submit?file=145ff00c2ca2c0bc2740d74c82fced7526f9a2c8bbb30301014348007e2e317b


      Thank you for your help.
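The question above is about a program that bypasses the file system and writes sector 0 of the physical drive. One defensive control that works regardless of whether the AV engine recognises the sample is an integrity baseline of the MBR: record a hash of sector 0 while the machine is known-good, then re-read and compare on a schedule. The following is an added example written for this thread, not code from the original post or from McAfee; it parses a 512-byte MBR, checks the boot signature and partition table, and compares the sector against a stored hash. The sample sector is constructed inline so the check runs offline; the `--live` path opens `\\.\PhysicalDrive0`, which on Windows requires an elevated prompt.

```python
"""Baseline-and-compare integrity check for the MBR sector (added example)."""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries end at byte 510
PARTITION_ENTRY_SIZE = 16
PARTITION_ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR


def build_sample_mbr() -> bytes:
    """Constructed sample: zeroed boot code, one bootable NTFS-type partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    entry = struct.pack(PARTITION_ENTRY_FORMAT, 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_mbr(sector: bytes) -> dict:
    """Decode the partition table and boot signature; touches no device."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            PARTITION_ENTRY_FORMAT, sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; store this while the machine is known-good."""
    return hashlib.sha256(sector).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if fingerprint(sector) != baseline_hash:
        findings.append("MBR hash differs from baseline")
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings


def read_physical_mbr(drive_number: int = 0) -> bytes:
    """Read sector 0 of a physical drive on Windows (needs Administrator rights)."""
    path = r"\\.\PhysicalDrive%d" % drive_number
    with open(path, "rb", buffering=0) as disk:  # unbuffered: raw devices need aligned reads
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        live = read_physical_mbr(0)
        print(fingerprint(live))
        print(parse_mbr(live))
    else:
        good = build_sample_mbr()
        baseline = fingerprint(good)
        print("clean sample:", check_mbr(good, baseline))
        wiped = bytes(SECTOR_SIZE)  # what an overwritten sector 0 looks like
        print("wiped sample:", check_mbr(wiped, baseline))
```

Run it once with `--live` on a clean machine and keep the printed hash somewhere the machine itself cannot overwrite; a later mismatch is the signal to restore sector 0 from backup before the next reboot, since the partition table is what is lost when the MBR is destroyed, not the partitions' contents.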

        • 2. Re: Does Access Protection prevent operation on physical hard drive?
          Attila Polinger

          Hi,


          I saw from the second analysis that svchost.exe was affected by this threat. I would advise that you enable the "Prevent programs registering to autorun" rule, since this also prevents programs from injecting themselves under the svchost.exe process. Once they are not there, chances are they cannot access the hard disk directly.


          Attila

          • 3. Re: Does Access Protection prevent operation on physical hard drive?

            Dear Attila


            Thank you very much for your reply. I have tested this rule and it does not seem to work very well. This virus doesn't make use of svchost.exe to operate on the raw disk. It operates on the raw disk itself. I even set a rule for this virus not to create, write, or delete any file or registry key, but it doesn't work either.


            Alex

            • 4. Re: Does Access Protection prevent operation on physical hard drive?
              Attila Polinger

              Dear Alex,


              my intention was to highlight the fact that the virus might succeed in accessing the raw disk because I assume it to be running as a child process under svchost.exe (I may err, though). By preventing the virus from loading under svchost.exe using the said Access Protection rule, I would say the .DLL of the virus cannot perform direct disk access (because it won't have the necessary process rights).

              Of course, I based this assumption on the second analysis in which I saw svchost.exe as affected process.


              Attila


              Message was edited by: apoling on 02/05/11 13:23:39 CEST
              • 5. Re: Does Access Protection prevent operation on physical hard drive?

                Dear Attila,


                Thanks for your reply. As far as I am concerned, the virus does not release any other file. It just operates by itself after loading some essential system DLLs. That's why I am a little worried about the protection of AP, as it does not react to direct access of the physical drive. The virus cannot operate in Windows 7 with UAC enabled, because it does not have sufficient privilege to do so. But in Windows XP, a system which does not have strict control over privilege and access rights, this kind of virus will have no difficulty in operating on the user's physical drive.


                Alex

                • 6. Re: Does Access Protection prevent operation on physical hard drive?
                  Attila Polinger

                  Dear Alex,


                  you and I are pointing out the same thing, as I see here, although somewhat differently :-).

                  There is the virus main file and there are one or more .DLLs of the virus. The main virus file injects these .DLLs under a reg key that svchost reads upon start and therefore loads all these files under its own process context. So the virus this way succeeded in putting its .DLL files under the svchost.exe process context.

                  The main virus file then calls some direct disk access functions that are in one of its .DLLs loaded under the svchost process, and because svchost is a system process, the call most likely will succeed because the operating system will see the call as issued by svchost.exe.


                  This is my speculation.


                  By using the Access Protection rule "Prevent programs registering to autorun", the virus will be prevented from successfully injecting its .DLLs under the svchost process, therefore the chain will break. There may be a possibility that the main virus executable could issue direct disk access calls without these .DLLs of its own, but I doubt that they'd succeed.


                  I keep mentioning this svchost.exe because in the second analysis of yours this was also mentioned, and that rang a bell about how these viruses use this file to perform their tasks.


                  And I'm talking about prevention not disinfection should that be the case.


                  Attila
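Attila's reply describes a chain in which the virus registers a .DLL under a key that svchost.exe reads at start-up, so the DLL runs inside a system process. The registration he is alluding to is the per-service `ServiceDll` value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters`, which is the value svchost.exe consults to find the DLL that implements a hosted service. A quick way to audit that chain independently of any Access Protection rule is to enumerate those values and flag DLLs that do not sit directly in `System32`, where Windows' own service DLLs live. The following is an added example written for this thread, not code from the original post or from McAfee; the service list is constructed inline so the audit runs offline (`Dnscache`/`dnsrslvr.dll` and `Schedule`/`schedsvc.dll` are real Windows entries, `Wuhelper` and `netsvcx` are hypothetical names made up for the sample), and `collect_from_registry()` is the Windows-only collector that reads the live registry.

```python
"""Audit the ServiceDll values svchost.exe will load (added example, not from the thread)."""
import ntpath
import re
import sys

SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"

# Constructed sample of (service name, ServiceDll value) pairs as they appear in the registry.
# REG_EXPAND_SZ values come back unexpanded, hence the %SystemRoot% form in the first entry.
SAMPLE_ENTRIES = [
    ("Dnscache", r"%SystemRoot%\System32\dnsrslvr.dll"),                                   # real
    ("Schedule", r"C:\Windows\system32\schedsvc.dll"),                                     # real
    ("Wuhelper", r"C:\Windows\System32\config\systemprofile\AppData\Local\wuhelper.dll"),  # hypothetical
    ("netsvcx",  r"C:\Users\Public\netsvcx.dll"),                                          # hypothetical
]


def expand(path: str, system_root: str) -> str:
    """Expand %SystemRoot%/%windir% ourselves so the audit is not tied to the host's environment."""
    expanded = re.sub(r"%(systemroot|windir)%", lambda _m: system_root, path, flags=re.IGNORECASE)
    return ntpath.normpath(expanded).lower()   # ntpath handles Windows paths on any platform


def audit_service_dlls(entries: list, system_root: str = r"C:\Windows") -> list:
    """Return (service, ServiceDll, reason) for every entry whose DLL is not directly in System32."""
    system32 = expand(ntpath.join(system_root, "System32"), system_root)
    findings = []
    for name, dll in entries:
        full = expand(dll, system_root)
        if ntpath.dirname(full) != system32:
            findings.append((name, dll, "ServiceDll not directly in System32"))
        elif not full.endswith(".dll"):
            findings.append((name, dll, "ServiceDll does not name a .dll file"))
    return findings


def collect_from_registry() -> list:
    """Walk HKLM\\SYSTEM\\CurrentControlSet\\Services\\*\\Parameters\\ServiceDll (Windows only)."""
    import winreg  # standard library on Windows; absent elsewhere
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as services:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(services, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(services, name + r"\Parameters") as params:
                    dll, _kind = winreg.QueryValueEx(params, "ServiceDll")
                    entries.append((name, dll))
            except OSError:
                pass  # service has no Parameters key or no ServiceDll value
    return entries


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        entries = collect_from_registry()
    else:
        entries = SAMPLE_ENTRIES
    for service, dll, reason in audit_service_dlls(entries):
        print(f"{service}: {dll}  <- {reason}")
```

A hit from this audit is a lead, not a verdict: a few third-party products legitimately register service DLLs elsewhere, so the next step is to check the file's publisher signature and creation time. The point of the check is the one Attila makes, namely that a DLL registered this way inherits the rights of svchost.exe, so the registration itself is what deserves the scrutiny.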