This is a discussion on "Does Rollback Rx prevent Safesys virus?" within the RollBack Rx forums, part of the Disaster Recovery Programs category.
Netstar, PVsurfer, Tubby, et al... back from yet another attack by the Windows Security Virus. I've seen this virus in three instances and two of them attacked the MBR (which this one did). Of the two MBR attacks, one was running Rollback (today's), the other not.

The "Black Screen" fix did not correct the situation. I was able to rebuild the MBR which allowed the system to REBOOT finally, although Rollback is no longer active at the moment. The more interesting thing is the fact that the Rollback SUB-console always appeared to work during this problem, it just wouldn't continue on to the VBR (Volume Boot Record) and do its thing to get to Windows. Based on that, I assumed we could use the SUB-console to restore a wanted snapshot (it did go through all the motions of restoring the snapshot), then re-write the MBR and attempt a boot. This worked just fine... except for one big thing. The snapshot requested in the Rollback process, yesterday's at 8:21am, wound up being 13 days ago... which was the oldest snapshot he had in his inventory prior to the infection. That was really weird. Since I did the SUB-console Rollback, I know I selected the proper snapshot. How it wound up at the oldest (2-week-old) I'll never know, and won't speculate without definitive knowledge of the virus, which I do not have.

The system is running well (albeit 2 weeks old) and he now has an image backup of the current 2-week-old system (he didn't have any backups at all prior). Also installed MBRguard at the suggestion of the group in another thread... just trying to keep this drive-by trojan from wrecking the system once again. Ya got me...
Netstar... that was NOT the baseline, that was the oldest saved unlocked snapshot. I had him snapshotting (is that a word?) once per day and keeping them around for 13 days.

He did not have Rollback running during the previous infection. The only way to recover from the previous infection was via a Windows REPAIR. Following the repair, we Malwarebyted the system and got rid of the stuff lying around associated with the trojan. When the trojan was active, MalwareBytes, any well-known AV program and Task Manager would not run... and that included in SAFE MODE also. It was a system module that was infected... I believe it was SVHOST. The so-called RKILL fix did not remove the active portion of the virus. Sorry... didn't wanna pollute this forum with virii probs.
I even tried to SAVE a copy of the BAD MBR (to try and possibly use later for investigation) but my SAVE tool refused, saying that the BIOS was reporting a different disk configuration than what the disks were showing. I found this really odd (I've never seen it on any system and I've run these tools beaucoup times). That made me think that the VOL and Partition tables had been "tweaked" and I didn't wanna get in that deep. I found another tool that looked only at the disk for Vol/Part info and described what it would do to recreate the MBR. I was happy with what it showed me so I ran it. Following that the system booted just fine, albeit without ROLLBACK. Early next week I will try and reconstruct ROLLBACK and see if I can get back what I think it knew about before the virus hit. For the time being he's been banned from all P-O-R-N sites... a place I know he got his drive-by from. I'll keep you posted... privately if you guys feel this isn't the best place for the chat. Wish me luck!
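The post above describes two things a practitioner would want to do by hand when an MBR is suspect: keep a raw copy of the bad sector for later analysis, and check whether the partition table it carries still agrees with the disk before trusting any tool's "repair". The script below is an added example for this thread, not code from any poster or from the Rollback Rx product. It parses a 512-byte legacy MBR (boot code, four 16-byte partition entries, 0x55AA signature), hashes the boot code so a snapshot can be compared against a later read, and flags partition entries that run past the end of the disk or overlap each other. The sample sector is constructed inline; the device path and disk size in the comments are assumptions.

```python
"""Dump, parse and sanity-check a legacy (MS-DOS style) MBR sector.

Added example for this thread; not from the original posts or from Rollback Rx.
The sample MBR is constructed inline; the device path in __main__ is an assumption.
"""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr():
    """Constructed sample: blank boot code plus one bootable NTFS (0x07) partition."""
    boot_code = bytes(PART_TABLE_OFFSET)
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + bytes(16) * 3  # three empty entries
    return boot_code + table + b"\x55\xAA"


def parse_mbr(sector):
    """Return signature validity, a hash of the boot code, and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0:           # unused entry
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sector_count": count,
        })
    return {
        "signature_ok": sector[510:512] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_partitions(info, disk_sectors):
    """List inconsistencies: entries beyond the disk, overlapping entries, bad signature."""
    problems = []
    spans = []
    for p in info["partitions"]:
        end = p["lba_start"] + p["sector_count"]
        if end > disk_sectors:
            problems.append(f"entry {p['index']} ends at LBA {end}, beyond disk size {disk_sectors}")
        for start, prev_end, j in spans:
            if p["lba_start"] < prev_end and start < end:
                problems.append(f"entry {p['index']} overlaps entry {j}")
        spans.append((p["lba_start"], end, p["index"]))
    if not info["signature_ok"]:
        problems.append("boot signature 0x55AA missing")
    return problems


def boot_code_unchanged(known_good, suspect):
    """True if the 446 bytes of boot code match a previously saved copy."""
    return known_good[:PART_TABLE_OFFSET] == suspect[:PART_TABLE_OFFSET]


def tamper_boot_code(sector):
    """Simulate an infection that overwrites the start of the boot code (constructed bytes)."""
    infected = bytearray(sector)
    infected[0:4] = b"\xEB\xFE\x90\x90"  # jmp $ ; nop ; nop
    return bytes(infected)


def save_mbr(sector, path):
    """Write the raw sector to a file so it can be examined later."""
    with open(path, "wb") as f:
        f.write(sector)


if __name__ == "__main__":
    # On a real system (assumed path; needs root/admin and an offline or live-CD boot):
    #   with open("/dev/sda", "rb") as f: sector = f.read(SECTOR_SIZE)
    good = build_sample_mbr()
    info = parse_mbr(good)
    print("boot code sha256:", info["boot_code_sha256"])
    print("partitions:", info["partitions"])
    print("problems (1,000,000-sector disk):", check_partitions(info, 1_000_000))
    print("boot code unchanged after tamper:", boot_code_unchanged(good, tamper_boot_code(good)))
```

Reading the sector from a live Windows session may not return what is actually on the platter when a boot-time product like Rollback Rx interposes itself, so the raw copy should be taken from a boot CD or another OS; the comparison and consistency checks then work on the saved file regardless of which tool produced it.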
This incident is very interesting and goes to further show that rolling back to a prior snapshot to recover from malware infection cannot and should not be depended upon at this time! I'm sure that several of us would like to be updated with whatever additional info you come up with (re this incident), but I believe you should start a new thread because I'm fairly certain the offending malware was not Safesys. pv
Froggie, for the record, I personally feel that your investigations are pertinent to the topic as they concern Rollback's ability to protect itself as well as the system.

It's a pity you didn't try the baseline snapshot as that's the one which you should always be able to boot to if RB is doing its job. The subsequent snapshots may simply have been infected and put into a non-bootable state. Also, if you boot into the baseline then you should still be able to explore and recover files from even non-booting snapshots, which can be useful. I'm not sure how you plan to reconstruct RollBack as I presume the system is back in use again with fresh data being written. Were you using your MBR tool inside or outside of Windows? My tests a few years ago with similar tools found that they didn't get the correct information when used within Windows which, I assumed at the time, was one way RB protected its MBR. Good luck with the mission. Graham
How utterly bizarre...

Time travel itself was possible, but the destination was unpredictable and out of control. You know, the very first thought I had went back to that Poker player who claims to have lost 6 months of his "treasured" data. I know the "gymnastics" were (seemingly) altogether different, however it made me pause. Is it at all possible malware is a component in his story? In this case, Froggie said the PC traveled back to the first UNLOCKED snapshot if I understand correctly. It is as if the time "libraries" were "scrambled" yet (at least some) time travel capabilities existed. I wonder how far removed the baseline was from the "2-week-old" snapshot. (24 hours?) Is it possible more than one piece of malware can "dance" together? (a real longshot I know.....) Can malware "lurk" around undetected by our antivirus/malware programs day after day, suddenly "coming to life" via some trigger? Good lord! You guys and this software really grab my brain! .......... it's just that Rollback Rx is so wonderfully clever. It fits my life so well. I want it to succeed. I have teens in the house and with Rollback Rx, no longer do I have to stay up 'til 1:30 AM to untangle "God-knows-what" they did to the family PC! tubby
Some of these virii are pretty nasty. Like I mentioned earlier, one form of this Windows Security Virus definitely goes after the MBR, and the one in TX I worked on remotely also went after the NTLDR in XP. It can be a real deal to try and get rid of it.