Interacts directly with the disk controller in order to infect protected computers

Jun 9, 2009 12:24 GMT

Security researchers from Bach Khoa Internetwork Security (Bkis) warn of a new worm that is able to bypass the disk-level write protection enforced by system-restore software such as Deep Freeze. The malware was discovered in early March and has already claimed thousands of victims in Asia.

Deep Freeze is an application developed by Faronics to help administrators restore computers to a known-good state after they have been used by untrusted parties. Such software is very popular in environments with many casual users, such as cybercafés, libraries, and school computer labs.

"The software can monitor any change in sectors (data storage area) in hard disk partitions and save the changes in another area (buffer). When normal programs retrieve these sectors, they will reach the data in the buffer rather than in the original sectors," Vu Ngoc Son, senior malware researcher at Vietnam-based Bkis, explains.

This allows administrators to restore the computer to its previous state by simply rebooting the machine: the buffered changes are discarded and the original sectors are untouched. Vu Ngoc Son believes that, because of this, administrators can develop a false sense of security, and this latest threat illustrates exactly that.

While Internet cafés largely disappeared from Western countries once broadband became available and affordable to home users, in Vietnam and other Asian countries they remain popular because fast connections are still prohibitively expensive. It is therefore not surprising that such a worm would originate in the region, in this particular case China.

"According to Bkis' statistics, as many as 46,000 computers in Vietnam have been infected with this virus," the researcher warns. In order to bypass the Deep Freeze restrictions at the operating system level, W32.SafeSys.Worm "employs a technique that enables it to write data directly on the hard disk's sectors by sending a request for direct interaction with the disk controller." The point for defenders is that the protection lives in the operating system's I/O path: a write that reaches the disk without passing through that filter is never redirected to the buffer, so it lands on the original sectors and survives the reboot that is supposed to wipe it.
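To make the mechanism concrete, the following Python model is added here; it is not code from Bkis, Faronics or the worm. It implements a copy-on-write sector filter of the kind described above, a program that writes through it, and a write that reaches the backing store directly. The sector size, sector numbers and sector contents are constructed for the demonstration, nothing here touches real hardware, and the model makes no claim about how the worm actually reaches the controller; it only shows why a write that skips the filter persists across a reboot.

```python
import hashlib

SECTOR_SIZE = 512  # constructed value for the model


class Disk:
    """The backing store as the disk controller sees it: a list of raw sectors."""

    def __init__(self, sector_count: int) -> None:
        self.sectors = [bytes(SECTOR_SIZE)] * sector_count

    def read(self, lba: int) -> bytes:
        return self.sectors[lba]

    def write(self, lba: int, data: bytes) -> None:
        # Anything that reaches this method has gone below the OS-level filter.
        if len(data) != SECTOR_SIZE:
            raise ValueError("sector writes must be exactly one sector")
        self.sectors[lba] = data


class FreezeFilter:
    """Copy-on-write filter in the OS I/O path (a model of the behaviour the
    article describes for Deep Freeze, not the product's implementation).

    Writes from ordinary programs never touch the frozen sectors; they are
    parked in a scratch buffer keyed by LBA. Reads consult the buffer first.
    A reboot discards the buffer, so the machine comes back unchanged.
    """

    def __init__(self, disk: Disk) -> None:
        self.disk = disk
        self.buffer: dict[int, bytes] = {}

    def read(self, lba: int) -> bytes:
        if lba in self.buffer:
            return self.buffer[lba]
        return self.disk.read(lba)

    def write(self, lba: int, data: bytes) -> None:
        if len(data) != SECTOR_SIZE:
            raise ValueError("sector writes must be exactly one sector")
        self.buffer[lba] = data  # redirected, frozen sector untouched

    def reboot(self) -> None:
        self.buffer.clear()  # all redirected writes vanish


def pad(payload: bytes) -> bytes:
    """Pad a short constructed payload out to one full sector."""
    return payload.ljust(SECTOR_SIZE, b"\0")


def image_digest(disk: Disk) -> str:
    """SHA-256 over every raw sector, i.e. over the frozen image itself."""
    h = hashlib.sha256()
    for sector in disk.sectors:
        h.update(sector)
    return h.hexdigest()


def run_scenario() -> dict:
    disk = Disk(16)
    disk.write(5, pad(b"original hosts file"))  # constructed frozen content
    fs = FreezeFilter(disk)
    baseline = image_digest(disk)  # recorded when the machine was frozen

    # 1. A normal program modifies sector 5 through the OS I/O path.
    fs.write(5, pad(b"changed through the filter"))
    via_filter_before = fs.read(5)
    fs.reboot()
    via_filter_after = fs.read(5)

    # 2. Malware writes the same sector directly, below the filter.
    disk.write(5, pad(b"changed below the filter"))
    fs.reboot()
    direct_after = fs.read(5)

    return {
        "filtered_write_visible_before_reboot": via_filter_before.startswith(b"changed through"),
        "filtered_write_survives_reboot": via_filter_after.startswith(b"changed through"),
        "direct_write_survives_reboot": direct_after.startswith(b"changed below"),
        "baseline_still_matches": image_digest(disk) == baseline,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The first write is visible until the reboot and gone afterwards, which is the behaviour administrators rely on; the direct write is still there after the reboot because the filter never saw it. The `image_digest` comparison is this editor's suggestion, not something the article or Faronics recommends: hashing the frozen sectors when the image is created and comparing after a reboot catches exactly the class of change the filter cannot, regardless of how the write reached the disk.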

Once it has established itself on a system, the worm carries out its usual payload: stealing online gaming accounts, setting a malicious gateway record, spreading across the local network by exploiting vulnerabilities, propagating via USB drives, and updating itself.

Update: In response to the Bkis alert, Faronics has announced that it is still investigating the alleged threat. "Faronics is aware of the report that a worm called 'W32.SafeSys.Worm' is able to 'bypass' Deep Freeze and other competing products," a company representative says. "However, we have not been able to confirm the accuracy of the report and at this time have been unable to reproduce these results in our lab," he also notes.

"We will continue to investigate the issue. As always, we continue to recommend that customers use an antivirus product in combination with Deep Freeze. Please refer to the White Papers section of the Faronics Content Library for information regarding how to use Deep Freeze with many popular antivirus products," the complete statement reads.