App Review A Fileless Malware Primer

[cruelsister]

Note that this video was condensed from 30 min to 5 minutes so as not to waste your time. The malware actually had lag time built in.

 

[erreale]

Wow, wow and still wow. The most interesting video ever seen. Thank you.

 

[The paranoid one]

Thank you, great video as usual

 

[Daniel Keller]

Great Video
Great Song
Thank you very much! Looking forward watching part 2.

 

[EASTER]

Simply beautiful! Excellent video (and music).

The part where the Anti Malware's display Your system is clean? LoL

 

[Peter2150]

Yep, download an email with an attachment, open the attachement, and allow the content. But this puppy is still easy to defeat.

 

[hd35]

Thanks .
Very interesting video.

 

[EASTER]

Yep, download an email with an attachment, open the attachement, and allow the content. But this puppy is still easy to defeat.

I bet your thinking like me that ERP would have rapidly snatched up powershell and wscript launches.

 

[509322]

Simply beautiful! Excellent video (and music).

The part where the Anti Malware's display Your system is clean? LoL

Security solutions do not scan Scheduled Tasks. Once a task is created, they do not know if it is safe or malicious.

This attack is called fileless, but technically it is not. There are scheduled tasks created and the files that are executed by the tasks are created in c:\users\<user>.

 

[509322]

I bet your thinking like me that ERP would have rapidly snatched up powershell and wscript launches.

ERP would have generated launch alerts for cmd.exe, powershell.exe, and wscript.exe

 

[509322]

Yep, download an email with an attachment, open the attachement, and allow the content. But this puppy is still easy to defeat.

Yes. Quite.

 

[EASTER]

ERP would have generated launch alerts for cmd.exe, powershell.exe, and wscript.exe

ThumbsUp.

I suppose I should have also mentioned there are certainly others which would/could do the same but ERP was the first anti-exe that came to mind.

 

[509322]

ThumbsUp.

I suppose I should have also mentioned there are certainly others which would/could do the same but ERP was the first anti-exe that came to mind.

• Anti-executables that monitor cmd\powershell\wscript
• SRP in which a user has manually created deny policies for cmd\powershell\schtasks\wscript (e.g. AppGuard > User Space - YES)
• Emsisoft's behavior blocker (when WinWord.exe attempts to access cmd.exe (launch of unprotected document), the exploit protection will terminate WinWord.exe)
• A security soft in which a user has manually created deny or restricted policies for cmd\powershell\schtasks\wscript (e.g. Kaspersky's Application Control > Untrusted)
• Run such documents sandboxed\virtualized
• HIPS - do not create permanent rules for interpreters; the HIPS will alert when an interpreter is launched; a user might have to move interpreters to certain file groups in certain products to generate alerts for their launch - for example Unrecognized in COMODO or low\high restricted in Kaspersky

Most typical AppGuard users would know that if it blocks an interpreter launch while opening and working with a document that something is not right and investigate.

 

[jamescv7]

With so many different vectors, those secondary components like HIPS, BB and even Anti-exe should be more aggressive on possible exploit holes.

Powershell and other common programs that known for security holes must act seriously from the business enterprise, cause it will just kill the system easily.

Today's security strategy should not rely on one tool only.

 

[EASTER]

With so many different vectors, those secondary components like HIPS, BB and even Anti-exe should be more aggressive on possible exploit holes.

Powershell and other common programs that known for security holes must act seriously from the business enterprise, cause it will just kill the system easily.

Today's security strategy should not rely on one tool only.

It's almost dizzying the multiple curves that Microsoft continues to cram into each new release when most folks haven't finished quite yet charting the previous ones all the way.

It's a cover the basics strategy for most users. Anti-Malware along with a dedicated AV or vice versa/together etc.

This video is yet another example of just what CAN and DOES happen and without much of a peep for most.

With so much and so many ways to disrupt your good machine you have to admonish the efforts of Cruelsister in showcasing Comodo FW for those many people who just want a safer way to get around the block (so to speak) without running into time wasting "easy avenue malwares" coming at them.

Anxiously awaiting that next follow-up to this.

 

[509322]

It's almost dizzying the multiple curves that Microsoft continues to cram into each new release when most folks haven't finished quite yet charting the previous ones all the way.

It's a cover the basics strategy for most users. Anti-Malware along with a dedicated AV or vice versa/together etc.

This video is yet another example of just what CAN and DOES happen and without much of a peep for most.

With so much and so many ways to disrupt your good machine you have to admonish the efforts of Cruelsister in showcasing Comodo FW for those many people who just want a safer way to get around the block (so to speak) without running into time wasting "easy avenue malwares" coming at them.

Anxiously awaiting that next follow-up to this.

Attacks are fundamentally the same. Protecting a system against an attack is not that difficult. For home use protection scenarios, the real limitation - or hindrance if you will - is the user - on so many levels.

 

[EASTER]

Attacks are fundamentally the same. Protecting a system against an attack is not that difficult. For home use protection scenarios, the real limitation - or hindrance if you will - is the user - on so many levels.

Almost always so, which begs for a little push in the right direction which can go a long way in a short amount of time in reducing the limitations.

And to that end, and specifically geared to the newest of people/users not anywhere near having a handle on their systems yet, the results of CS's ComodoFW videos (per CS settings) seems a really reasonable and immensely helpful starting point for any of them.

Let's hope some of them catch on soon enough and then gain that confidence to look over all the other available programs and prevention methods they can see clearer in which to choose from.

 

[509322]

Almost always so, which begs for a little push in the right direction which can go a long way in a short amount of time in reducing the limitations.

And to that end, and specifically geared to the newest of people/users not anywhere near having a handle on their systems yet, the results of CS's ComodoFW videos (per CS settings) seems a really reasonable and immensely helpful starting point for any of them.

Let's hope some of them catch on soon enough and then gain that confidence to look over all the other available programs and prevention methods they can see clearer in which to choose from.

Even if you paid some people to protect their systems, they still would not do it.

 

[erreale]

It would be interesting to know if the same scanners would detect something with real-time active protection.

 

[509322]

It would be interesting to know if the same scanners would detect something with real-time active protection.

Kaspersky and a few others detect menu.rtf upon extraction from the archive or upon opening the document, while others detect it only during a scan.

menu.rtf has been around for a while so there are signatures for it.

If it were newly released within the past hour, then you would need something that blocks it from executing wscript.exe, which in turn attempts to launch cmd.exe. Prevent WinWord.exe from launching wscript.exe and the infection run is broken.