Protecting Host Machine from Malware escaping a VM.
<blockquote data-quote="Der.Reisende" data-source="post: 745766" data-attributes="member: 32430"><p>Those Adwinds are quite common, they appear on Hybrid quite often, some days more, some days less.</p><p>They will not only drop lots of .vbs which might carry out actions described below, but javaw.exe also will end up in AutoRuns linking to a dropped .jar (somewhere in AppData/Roaming as far as I remember).</p><p></p><p>Not sure if all .jar variants have the ability, but some of which we had in the Malware HUB in the past did not only set up multiple remote connections (via javaw.exe), but will also target quite a bunch of Anti-Malware / Anti-Virus software and try to disable it (Malwarebytes, Windows Defender, BullGuard - the last one was completely unusable when I ran a few tests against it, with such malware in the pack). You will notice by the registry hijack entries shown in HitmanPro / Norton Power Eraser.</p><p></p><p>It's interesting that some vendors manage to detect the dropped .vbs, as if they are recycled, but do nothing when you first launch the .jar.</p><p>From the vendors I tried, I know Q360 will manage to clean up the infection but not stop it in the first place, F-Secure will instantly block via DeepGuard (or BD signatures).
Kaspersky will for sure block it instantly (ask [USER=36043]@harlan4096[/USER]).</p><p></p><p>Not sure about Tencent, they have BD signatures, so most of the time the .jar is detected by signatures, might clean up like @ Q360.</p><p>Norton does detect some of the malware, but will have the registry hijacked and the .jar being active in memory, in AutoRun and calling out.</p><p>BullGuard: Cannot tell about it, when I tested it half a year ago or more, it was shut down by the RAT.</p><p>Judging from my experiences 3 months or more ago, QuickHeal will act like Norton.</p><p></p><p>Many firewalls have the javaw.exe process whitelisted, so they won't alert when it calls out (it might be used for legit services, too).</p><p></p><p>Watch that .jar, I bet it will stay low detected for days.</p><p></p><p></p><p></p><p>Agree, VM (+VPN!!!) is probably the best call, because of full isolation of personal data.</p><p>Easy to set up (you can find good guides via Google), easy to restore.</p><p></p><p>Would not keep a lot of personal data on the host either, you don't know if a malware manages its way there, either out of the VM or through the net.</p><p>Even more if I use ShadowDefender (me likes it better than a VM, too).</p><p></p><p></p><p>It will probably sandbox it completely, and it might not be able to do any harm outside the sandbox.</p><p>Maybe [USER=7463]@cruelsister[/USER] can help?</p><p>Not sure what happens if you use it in stock settings (haven't used it for some time, so I cannot tell), if it allows javaw.exe outside containment, AFAIK it has a big list of trusted vendors, Oracle is for sure one of them.</p></blockquote><p></p>
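The persistence pattern the post describes (javaw.exe registered in an autorun location, pointing at a dropped .jar under AppData\Roaming, alongside dropped .vbs files run by a script host) can be turned into a simple triage check over an Autoruns-style export. The script below is an added example, not code from the post or from any tool mentioned in it; the autorun entries, user name and file paths are constructed samples, and the "user-writable path" heuristic is an assumption about where such droppers typically land, not a statement about any specific sample.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample entries in the shape of an Autoruns export:
# (registry location, entry name, command line). None of these are real captured data.
SAMPLE_AUTORUNS: List[Tuple[str, str, str]] = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Java Update",
     '"C:\\Program Files\\Java\\jre1.8.0_201\\bin\\javaw.exe" -jar '
     '"C:\\Users\\alice\\AppData\\Roaming\\Oracle\\bin\\update.jar"'),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SunJavaUpdateSched",
     '"C:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"'),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Adobe",
     'wscript.exe "C:\\Users\\alice\\AppData\\Roaming\\Adobe\\launch.vbs"'),
]

# Heuristic (assumed, not from the post): directories an unprivileged user can write to,
# which is where a dropped .jar or .vbs usually ends up.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\|\\Temp\\|\\ProgramData\\", re.I)
JAVA_LAUNCHER = re.compile(r"\bjavaw?\.exe\b", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript)\.exe\b", re.I)


@dataclass
class Finding:
    location: str
    name: str
    reason: str
    artifact: str  # the .jar or .vbs path that triggered the finding


def _find_arg(cmdline: str, ext: str) -> Optional[str]:
    """Return the first quoted or bare argument ending in .<ext>, or None."""
    m = re.search(r'"([^"]+\.%s)"|(\S+\.%s)' % (ext, ext), cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def assess_entry(location: str, name: str, cmdline: str) -> Optional[Finding]:
    """Flag an autorun entry that matches the pattern from the post:
    javaw.exe running a .jar, or a script host running a .vbs, from a user-writable path."""
    jar = _find_arg(cmdline, "jar")
    if JAVA_LAUNCHER.search(cmdline) and jar and USER_WRITABLE.search(jar):
        return Finding(location, name, "javaw.exe launching .jar from user-writable path", jar)
    vbs = _find_arg(cmdline, "vbs")
    if SCRIPT_HOST.search(cmdline) and vbs and USER_WRITABLE.search(vbs):
        return Finding(location, name, "script host launching .vbs from user-writable path", vbs)
    return None


def scan_autoruns(entries: List[Tuple[str, str, str]]) -> List[Finding]:
    """Run assess_entry over every entry and keep only the hits."""
    return [f for f in (assess_entry(*e) for e in entries) if f is not None]


if __name__ == "__main__":
    for f in scan_autoruns(SAMPLE_AUTORUNS):
        print(f"[{f.location}] {f.name}: {f.reason} -> {f.artifact}")
```

The two legitimate entries (OneDrive under AppData\Local, and jusched.exe under Program Files) are not flagged because the launcher and the artifact extension are what the check keys on, not the directory alone. The same heuristic explains the post's point about firewall whitelisting: javaw.exe itself is a signed Oracle binary, so allow-lists keyed on the process image are blind to it, and the review has to look at what it was asked to run and from where.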