Tuesday, June 9, 2009

Exploit against Deep Freeze in the wild

There is a Chinese worm family called W32.SafeSys.Worm floating around the Internet, with over 46,000 infected machines in Vietnam alone according to the Bkis Security Research Blog. It supposedly gets access directly to the disk controller buffer, allowing it to modify the hard disk on the targeted machine without going through the normal filesystem path. Because its writes bypass the layer that rollback software interposes, this allows it to circumvent system rollback tools such as Deep Freeze.

Deep Freeze has proven to be an effective defensive tool for mitigating the damage an attacker can cause on a system, as it allows the owner to roll back to a "known good state". Of course, these states often don't include the latest patches and the machine could always be re-infected at a later date, but it at least makes life difficult for someone trying to maintain a persistent presence on the system to collect passwords, act as part of a botnet, etc.

I don't have a copy myself, but I'd be interested in examining it to see what it was designed for. According to Bkis it includes a number of various payloads, including "stealing online games passwords, faking gateway, inserting iframe exploiting software flaws to spread via LAN, spreading via USB and automatically updating new variants".