BKIS – Deep Freeze Application Fails to Detect New Chinese Worm

Security researchers at Bach Khoa International Security (BKIS) have warned computer users about a new worm called W32.SafeSys.Worm that has an ability to bypass security applications such as Deep Freeze.

The worm was first detected in early March 2009, and since then, around 174 new variants of this Chinese born virus have been discovered on the Internet. Faronics has developed Deep Freeze application to facilitate administrators to restore their systems after being used by unauthorized parties.

Cybercafés, school computer labs and libraries are increasingly using this application to protect their systems from hackers' attacks.

Deep Freeze prime function is to monitor changes in sectors (like data storage area) within hard disk partitions and save changes in another area (like buffer). When a normal program retrieves anyone of these sectors, it collects data from the buffer sector instead of the original sectors. As the system initiates the rebooting process, temporary data saved in the buffer gets deleted and the system is restored to its previous state.

Hence, online shops often believe that their systems are safe from virus attacks as they have installed Deep Freeze application.

However, W32.SafeSys.Worm utilizes a new technique in which it directly writes on sectors of hard disk by requesting for direct link with the disk controller. Interestingly, the worm does not leave any scope for its identification by frozen system programs such as Deep Freeze while writing on hard disk.

After entering the system undetected, W32.SafeSys.Worm performs a number of malicious operations from the infected system - such as seizing online game passwords, displaying fake gateways, automatic upgradation of new variants and insertion of iframe exploiting application that circulate through USB and LAN.

It has been found that online shops solely depends on the abovementioned software and do not have other protections installed fall to W32.SafeSys.Worm. As per the figures given by BKIS, nearly 45,000 computers across Vietnam have been discovered with this virus.

With the spreading of broadband Internet in homes at affordable price range, the trend of cybercafés has almost diminished in the western countries after late 90's. However, the trend is quite popular in Vietnam and other Asian countries on account of high prices for fast connections.

Hence, it is obvious that worms (like W32.SafeSys.Worm) will originate in countries where cybercafés are still very popular.

Related article: Bugs Swell In Browsers in 2006

» SPAMfighter News - 6/18/2009