App Review More Fun with Ransomware Part 6


cruelsister

Jack posted an article earlier today about the CrySIS ransomware. Although the original form has been around for a couple of months, a new variant is now seen.

Just wanted to show how UAC will deal with this threat.


marzametal

Wow, UAC is crap in this situation. Is it bypassing UAC altogether, or just executing during the "stalemate period" where user has to click on Yes/No? Could that file be downloaded intentionally if the user applies "common sense techniques"?

SHvFl

I might be missing something, so I will write what I believe and you correct me if you can.
Can't it be that the ransomware is coded to just encode stuff, not in locations protected from UAC, when you click no?
UAC did what is designed to do. Block elevation. No?
Did they actually get elevation?

cruelsister

My original intent for this video was to run it against my normal stable of AntiRansomware apps, but just as I finished, a beta of HMPA came out, so as including a fresh beta would have been extremely poor form I scrapped it and did this one.

The reason for the UAC topic is to attempt to dispel false impressions regarding UAC that many hold (I've received a number of comments privately about this). Actually it isn't really a big deal to totally bypass UAC once a few coding methods are known (curiously enough, TrendMicro products will also change the UAC level to what they deem appropriate, which is default, without a user prompt).

_CyberGhosT_

UAC can be bypassed. There is a lot of misinformation about UAC. Plus, M$ has a wishy-washy history of fixing UAC bugs and vulnerabilities.
Agreed hjlbx, that's where VooDooShield shines as a UAC surrogate.
Thanks CruelSis, Awesome Vid as usual.
Now maybe some will be less critical of those who use VooDoo & other UAC alternatives and disable the lacking and unimpressive UAC.
PeAcE

DardiM

UACMe v2.3 should bypass UAC from Windows 7 up to Windows 10 RS1 14367 build, am I wrong ?
=> Builds 14361, 14366, 14367 seem to have zero UAC related changes
UAC can be bypassed. There is a lot of misinformation about UAC. Plus, M$ has a wishy-washy history of fixing UAC bugs and vulnerabilities.
Honestly Microsoft must improve and revise the functionality of UAC, considering that the flow of the concept is already exposed, hence it's an easy bypass.
3rd party programs go here.
I fully agree :) (but we might leave UAC at max)
Can ransomware encrypt raw unallocated space? eg: a 2gb chunk sitting between C drive and D drive.
I never read about a ransomware that does this.
They often only encrypt files that can have some sort of value or importance (with predefined extensions), or all data on a drive (C:, D:, etc.), or on cloud storage (if accessible) - without taking care of file extension - to ask a ransom after the encryption.
But this is almost every time the same thing: loop on drives/files/folders and encrypt them (write to the MBR for some ransomware).
On "raw unallocated space", there are no names of drives/files/folders to pass as parameters to their encryption procedure.
That's only my point of view, I can be wrong :)

marzametal

Hmmmm, I wonder if there is a way to implement a block on sector level that uses raw unallocated space as a "cement" firewall... eg: trying to cross a creek that contains 3 large stones, but the gap between 2nd and 3rd stone is too large for a leap/jump... can't cross, so it stalls.

EDIT: maybe I am clutching at straws...

DJ Panda

Just because UAC can be bypassed by malware is no excuse for having it disabled. It works at kernel level, and if you think before clicking "yes" or "accept" (for anything in general) there would be a lot less tears and sweat trying to clean the computer of someone who fell victim.

DardiM

Hmmmm, I wonder if there is a way to implement a block on sector level that uses raw unallocated space as a "cement" firewall... eg: trying to cross a creek that contains 3 large stones, but the gap between 2nd and 3rd stone is too large for a leap/jump... can't cross, so it stalls.
EDIT: maybe I am clutching at straws...
It doesn't work this way. Ransomware can just encrypt all files on a partition after "asking" your OS for the list, and looping in a procedure over each name to encrypt them (if these files are not protected). As soon as your OS has access to a file (folder) / knows a file (folder), the ransomware can have the list.
Why don't you use BitLocker to protect as many drives as you can? Or another similar tool?
That's only my point of view, I can be Wrong :)
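The enumeration step described in the two posts above (ask the OS for the file list, keep files with "valuable" extensions, loop over them) is what decides what a ransomware running as a standard user can reach, and UAC does not enter into it. The following is an added dry-run example, not code from the thread or from any of the tools mentioned: it walks a directory tree the way such a loop would, but instead of encrypting anything it only records which targeted files the current, non-elevated token could overwrite and rename. The directory layout, file names and the extension list are constructed for illustration; the thread names no specific extensions.

```python
"""Dry-run 'reach audit' for a non-elevated token (added example, not from the thread).

Mimics the enumeration step of a user-level ransomware loop - list files, filter by
extension, check write access - without modifying any file. The layout built by
build_demo_tree() and the TARGET_EXTENSIONS set are constructed for this example.
"""
import os
import shutil
import tempfile
from pathlib import Path

# Assumed target list (typical "document" extensions); the thread names none.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".txt"}


def audit_reach(root, extensions=TARGET_EXTENSIONS):
    """Walk `root` as a user-level process would and classify every file with a
    targeted extension as 'reachable' (this token may overwrite and rename it) or
    'blocked'. Returns (reachable, blocked) as sorted lists of paths relative to root."""
    reachable, blocked = [], []
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() not in extensions:
                continue  # families that use an extension list skip everything else
            # Overwriting in place needs write access on the file; renaming/deleting the
            # original after writing an encrypted copy needs write access on the directory.
            if os.access(p, os.W_OK) and os.access(p.parent, os.W_OK):
                reachable.append(str(p.relative_to(root)))
            else:
                blocked.append(str(p.relative_to(root)))
    return sorted(reachable), sorted(blocked)


def build_demo_tree():
    """Constructed layout: a user profile directory (writable by the creator) plus a
    read-only 'system-like' directory. Returns the temporary root path."""
    root = Path(tempfile.mkdtemp(prefix="uac_reach_"))
    docs = root / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "budget.xlsx").write_bytes(b"constructed sample")
    (docs / "thesis.docx").write_bytes(b"constructed sample")
    (docs / "notes.txt").write_bytes(b"constructed sample")
    (docs / "helper.dll").write_bytes(b"not a document")  # not on the target list
    system = root / "Windows" / "System32"
    system.mkdir(parents=True)
    (system / "license.txt").write_bytes(b"constructed sample")
    os.chmod(system / "license.txt", 0o444)  # read-only file
    os.chmod(system, 0o555)                  # no write on directory: no rename/delete inside
    return root


def cleanup(root):
    """Restore permissions and delete the constructed tree."""
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, 0o755)
        for name in filenames:
            os.chmod(Path(dirpath) / name, 0o644)
    shutil.rmtree(root)


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        reachable_files, blocked_files = audit_reach(demo_root)
        print("Reachable without elevation:", reachable_files)
        print("Blocked for this token:     ", blocked_files)
    finally:
        cleanup(demo_root)
```

Run as an ordinary user, everything under the profile directory shows up as reachable while the read-only system-like file is blocked, which is exactly the split the posts describe: declining the UAC prompt protects the second category, not the first. Run as root or an administrator the audit reports everything as reachable, which is the other half of the same point.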

AlphaBeta

Well it wasn't given administrator permissions so the system folders should be safe. As a regular program, I think it can encrypt the files in user folder and other partitions.

DardiM

UACMe v2.3 should bypass UAC from Windows 7 up to Windows 10 RS1 14367 build, am I wrong ?
=> Builds 14361, 14366, 14367 seem to have zero UAC related changes

Windows 14371 unexpectedly brings more fixes to UAC (against several UACMe methods). Some tweaking in build 14376 seems to have fixed the DLL search order for InetMgr.exe, where it was possible to load your own mscoree.dll from the inetsrv directory. Now InetMgr.exe executed via the ShellExecute(Ex) API looks up DLLs in the system32 folder. So to make it load a malicious DLL it is now required to launch it from an already-admin process, which makes it nonsense. Nice work. Why wasn't this here since the beginning? :rolleyes:
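The post above turns on DLL search order: an executable that resolves an implicitly linked DLL by the default order checks its own directory before System32, so a copy planted beside it wins over the genuine one, and a loader that consults System32 only is immune. The following is an added model of that precedence rule, not code from the thread, from UACMe or from Windows itself. The search order constants follow the documented default with SafeDllSearchMode enabled (application directory, System32, System, Windows, current directory, PATH); the simulated disk contents, the inetsrv application directory and the planted mscoree.dll are constructed to match the scenario the post describes, and the model says nothing about how such a file would get there.

```python
"""Model of Windows DLL resolution under two search policies (added example, not from
the thread). The disk contents in demo_disk() are constructed for illustration."""
from pathlib import PureWindowsPath

# Conventional locations; only their precedence matters for the model.
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
INETSRV = r"C:\Windows\System32\inetsrv"      # application directory of InetMgr.exe

# Documented default order with SafeDllSearchMode enabled (the Windows default).
DEFAULT_ORDER = ("app_dir", "system32", "system", "windows", "cwd", "path")
# Policy the post describes after the fix: look in System32 only.
SYSTEM32_ONLY = ("system32",)


def resolve_dll(dll, app_dir, existing, order=DEFAULT_ORDER,
                cwd=r"C:\Users\alice", path_dirs=()):
    """Return the path of the first copy of `dll` found when walking `order`, or None.

    `existing` is the constructed set of lower-cased paths present on the simulated disk;
    comparison is case-insensitive because NTFS path lookups are."""
    candidates = {
        "app_dir": PureWindowsPath(app_dir),
        "system32": SYSTEM32,
        "system": PureWindowsPath(r"C:\Windows\System"),
        "windows": PureWindowsPath(r"C:\Windows"),
        "cwd": PureWindowsPath(cwd),
    }
    for slot in order:
        if slot == "path":
            dirs = [PureWindowsPath(d) for d in path_dirs]
        else:
            dirs = [candidates[slot]]
        for directory in dirs:
            candidate = directory / dll
            if str(candidate).lower() in existing:
                return str(candidate)
    return None


def demo_disk():
    """Constructed disk: the genuine mscoree.dll in System32 plus a copy planted in the
    inetsrv application directory, as in the scenario the post describes."""
    genuine = SYSTEM32 / "mscoree.dll"
    planted = PureWindowsPath(INETSRV) / "mscoree.dll"
    return {str(genuine).lower(), str(planted).lower()}


if __name__ == "__main__":
    disk = demo_disk()
    print("default order :", resolve_dll("mscoree.dll", INETSRV, disk))
    print("System32 only :", resolve_dll("mscoree.dll", INETSRV, disk, order=SYSTEM32_ONLY))
```

Under the default order the planted copy in the application directory is returned first; restricting the lookup to System32 returns the genuine file, which is why, as the post says, an attacker would now already need the rights to write into System32 itself for the trick to work.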
