App Review - Scriptor Infection: Who You Gonna Call?


cruelsister (Thread author)
The last few Videos showed how AMSI on Windows 10 is beneficial in preventing infection by a common Scriptor class. But if you don't use Win10 and your system is infected by them what exactly are your options?

This Video reviews how common second-party scanners stack up, as well as a non-scanner solution.

(This Video is heavily edited to cut 60 minutes down to 10. I'm sure you understand).


security.paranoid
@Umbra with 2x Gutmann :p just to be sure, then make sure that your HDD firmware is not infected ;). @cruelsister, what do you think about Umbra's config? He uses SEP, because I'm doing the same on my PC. And what is your config? And thanks for the video.

cruelsister (Thread author)
First off, thank you for your kind words! Presenting the Videos is my pleasure, and Jack should get the main Thanks for having this forum and allowing me to do so.

Regarding SEP- It's curious that SEP was mentioned as I've been giving it much thought recently. Norton/Symantec is the one product line that would benefit the most from the Windows 10 AMSI module since they have horrid Scriptor detection ability. This actually makes sense when you consider that on the corporate level scripts are commonly used to automate processes across the Network; and in order to avoid false positives, Symantec made a decision to allow just about any Script to run without any further thought.

This decision has led to a number of severe breaches (those at Home Depot, Target, and a few other places not made public I was personally involved in) caused by simple (although elegantly coded) Scriptors. There are some that may say SEP wasn't set up properly, but as Symantec personnel set up the software themselves this argument is certainly not valid.

But as to using SEP on a Home system, it is a grave mistake to be using an Unmanaged installation, and I'm not at all surprised that Umbra has moved on. There are just too many Tricks and Tweaks to be done to make the protection passable, and even with these SEP falls short. Also, as both Norton and Symantec share essentially the same definition database the Norton Home user also is prone to Scriptor infection.

I'm in the process of coding a Scriptor that I mentioned in passing previously (a worm that targets files on Removable drives), so perhaps I should run it on a Norton protected system.

FleischmannTV
It doesn't speak for the industry that instead of implementing proper AMSI support in their products, the next generation is just going to get more useless crap.

Deleted member 2913

Those scriptors don't show up as unknown/malicious/suspicious in KillSwitch?
If Yes... then those could be deleted, right?

CCE - AutoRunAnalyzer - would also show unknown/malicious/suspicious entries & could be deleted, right?

CCE - QuickRepair could detect system modifications & repair them.

I mean... I would like to know from you... did you test how effectively KillSwitch/QuickRepair/AutoRunAnalyzer, i.e. CCE, cleans the system?

cruelsister (Thread author)
YN- The issue with these Scriptors and KillSwitch is that the actual Scriptor works through wscript.exe, which is a legitimate process, so there are no unknowns as far as KS is concerned (nothing will show up). The same is true with AutoRunAnalyzer and QuickRepair. Even running a CCE scan doesn't do very much.

As you know I'm partial to Comodo, but highlighting CCE is pointless in this case.

Umbra- Yes, the SEP firewall is very good, but was helpless in this case. The issue with the Breaches was that the Outbound connections by the Scriptor weren't considered to be malicious, so they were just logged among the hundreds of thousands of other Outbound connections.

kiric96
Good video. Personally I was infected by a VBS worm that I got via USB (the main infection started at my university lab)... The worst part of it was the fact that some vendors (ESET, Bitdefender & Norton) refused to add the worm to their database (they did it several days later). The amazing part comes from Norton: as I was a Norton user, I contacted tech support, who told me that the file was indeed clean; then I showed the VirusTotal report, and only then did they say they would analyze the sample... To end this, Norton took 15 days to add the sample, ESET 3 days and Bitdefender 1 week.

Tony Cole
May I ask, being the dumb one: what is a Buckshot trojan? I only ask as I've never heard of scriptor attacks, nor how to stop/defend against them. I am, cruelsister, watching all your videos and think they are amazing; I only wish I had such IT knowledge. Thanks :)

Rod McCarthy

OK, so I concur with you... So what do we use to protect our PCs at home? Is there something, or possibly 2 or 3 things, to install that will protect PCs?

Thanks

hjlbx

May I ask, being the dumb one: what is a Buckshot trojan? I only ask as I've never heard of scriptor attacks, nor how to stop/defend against them. I am, cruelsister, watching all your videos and think they are amazing; I only wish I had such IT knowledge. Thanks :)

How to stop\defend against scriptors ? = Don't install the interpreter and use an anti-executable (e.g. NVT ERP).

You can use Comodo products - which will sandbox Unrecognized script files, but be forewarned that there are scripts that can "reach outside" the sandbox and make permanent changes to the system - like deleting files (I just submitted one to Comodo Engineering).

Of course, you can set the Comodo sandbox to Block any Unrecognized file - and that will include scripts.

Unless you are an indiscriminate downloader\installer I wouldn't worry about it too much. Plus, you won't be installing Python, Perl or AutoIt interpreters and running those types of scripts, so the issue really is moot.

You are much more likely to experience a drive-by download of the JavaScript (.js) variety than anything else - which Comodo will handle either via the sandbox or HIPS (I use HIPS - but it causes novices more mistakes than anything else since rule creation is not clear in some CIS HIPS alerts).

Comodo does much better at protecting against scriptors than all other suites I have tested. The user can just go with the default sandbox settings = Fully Virtualized or for maximum security set it to Block (all Unrecognized files).

Comodo isn't absolutely perfect, but then, nothing IT ever is... it's got you covered in the vast majority of scriptor cases.

Anti-executable configuration settings are included in CIS because that is an option for the user - as part of the Comodo default-deny protection model.

I can tell you from a lot of testing that it really does work.
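Added example (not code from hjlbx or anyone else in the thread): on a Windows system the script interpreter for .vbs/.js/.wsf files is already installed, so the practical form of "don't install the interpreter" is to disable Windows Script Host through its documented registry setting, which makes wscript.exe and cscript.exe refuse to run scripts. The key paths and the Enabled value are the real WSH setting; the function names below are my own.

```powershell
# Added example, not from the original thread: audit and optionally disable
# Windows Script Host (WSH). With Enabled = 0, wscript.exe and cscript.exe
# refuse to run scripts instead of executing them.
# Assumes Windows with PowerShell 3 or later; writing under HKLM needs an
# elevated prompt. The function names are mine, not a Microsoft API.

$wshKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',   # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'    # current user only
)

function Get-WshState {
    # Reports the weak (default) state as well as the hardened one.
    foreach ($key in $wshKeys) {
        $enabled = $null
        if (Test-Path $key) {
            $enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        }
        # An absent value means WSH is enabled, which is the weak default.
        $state = if ($null -eq $enabled) { 'not set (scripts run)' }
                 elseif ($enabled -eq 0) { 'disabled' }
                 else { 'enabled' }
        [pscustomobject]@{ Key = $key; State = $state }
    }
}

function Disable-Wsh {
    # Scope 'User' only needs the current user's rights; 'Machine' needs admin.
    param([ValidateSet('Machine', 'User')][string]$Scope = 'User')
    $key = if ($Scope -eq 'Machine') { $wshKeys[0] } else { $wshKeys[1] }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
}

function Enable-Wsh {
    # Revert: removing the value restores the default (enabled) behaviour.
    param([ValidateSet('Machine', 'User')][string]$Scope = 'User')
    $key = if ($Scope -eq 'Machine') { $wshKeys[0] } else { $wshKeys[1] }
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue
    }
}

# Show the current state; apply the change only after reading the caveat below.
Get-WshState
# Disable-Wsh -Scope User       # uncomment to disable WSH for this account
# Disable-Wsh -Scope Machine    # uncomment (elevated) to disable it system-wide
```

Caveat: anything that legitimately relies on WSH (domain logon scripts, some installers and printer utilities) stops working too, so try the per-user scope first and keep Enable-Wsh handy. This only covers wscript/cscript; scripts run through powershell.exe, mshta.exe or Office macros need the anti-executable or default-deny approach hjlbx describes.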

cruelsister (Thread author)
Tony- not a bad question at all. A Buckshot trojan is really easy to visualize. Consider a typical trojan- once you run it, it will normally spawn a payload or two in a certain directory (normally somewhere in Users\AppData).

A Buckshot will spawn 10 or 12 separate daughters (usually different stuff like downloaders, keyloggers, etc) into random directories throughout the system before suiciding (self-deletion), and all of the daughters will have auto-run functionality. These aren't very common and essentially are the lazy person's way of bypassing traditional AV detection (hoping that one or two will be undetectable). Kind of like flinging slop against a wall and hoping something sticks.

But if the Blackhat wasn't lazy and confirmed all of the daughters were FUD, it is a real pain to remediate.
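Added example, not code from cruelsister's posts: two points above fit together. First, a process-centric tool such as KillSwitch only sees wscript.exe, a legitimate binary, so a running scriptor shows no unknown process. Second, a Buckshot trojan's daughters are scattered across random directories and each has its own autorun entry. What both leave behind is an autorun launch command that names a script host or a script file, so the script below, which I wrote for this page, walks the common Run/RunOnce keys and Startup folders and flags entries by their command line rather than by the host process. The registry paths and folder names are standard; the lists of hosts and extensions are my choice, and the function name is hypothetical.

```powershell
# Added example, not from the original thread: find autorun entries that
# launch a script host or a script file, wherever the script itself lives.
# Assumes Windows with PowerShell 3 or later; run elevated to read all of HKLM.

# Hosts and extensions to treat as "script launch" (my selection, extend as needed).
$scriptHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe'
$scriptExts  = '\.(vbs|vbe|js|jse|wsf|wsh|hta|ps1|bat|cmd)\b'

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

function Test-ScriptLaunch {
    # True when a command line names a script host or ends in a script extension.
    param([string]$CommandLine)
    $lc = $CommandLine.ToLowerInvariant()
    foreach ($h in $scriptHosts) { if ($lc.Contains($h)) { return $true } }
    return [bool]($lc -match $scriptExts)
}

$findings = @()

# Registry Run/RunOnce values: the value data is the launch command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $cmd = [string]$p.Value
        if (Test-ScriptLaunch -CommandLine $cmd) {
            $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $cmd }
        }
    }
}

# Startup folders: a script file may sit there directly, or a .lnk may point at one.
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        $cmd = $_.FullName
        if ($_.Extension -ieq '.lnk') {
            $shell = New-Object -ComObject WScript.Shell
            $lnk = $shell.CreateShortcut($_.FullName)
            $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        }
        if (Test-ScriptLaunch -CommandLine $cmd) {
            $findings += [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $cmd }
        }
    }
}

# Each hit is a persistence point to inspect; the script path is in Command.
$findings | Format-Table -AutoSize -Wrap
```

A clean home system usually returns nothing here, and some legitimate software does register a .cmd or .vbs launcher, so treat a hit as something to look at, not proof of infection. The listing also only covers Run keys and Startup folders; scheduled tasks, WMI subscriptions and services are further autorun locations a thorough sweep (or CCE's AutoRunAnalyzer) would add.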

Deleted member 178

But if the Blackhat wasn't lazy and confirmed all of the daughters were FUD, it is a real pain to remediate.

It is why I like anti-execs like AppGuard or ERP in lockdown mode; you get notified when any process tries to launch, so manual removal of that malware is easy.

Tony Cole
Thank you cruelsister, it makes more sense now. Is that similar to Agent.btz, the cyber attack on the United States in 2008? I wish I could use software like AppGuard but it would break my system as I wouldn't know what to allow/deny.

Other than Comodo, which antivirus software would you say offers the best protection?

P.S. I've now watched 6 of your videos; keep them coming, very interesting, and most importantly easy to understand. I can hardly email on a train, let alone do a video. :) Reminds me, my mum loves Jimmy Choo - I bought a pair for her birthday in November - so no telling!