App Review A Fileless Malware Primer

[cruelsister]

Although this prelude video just showed the gross effects (that which can be seen via TaskManager), the one later today will show the cascade of processes that results in the final infection. But with regard to AV detection, even though this guy has been out for 2 weeks, for something that has been around for so long the detection rate (like 21) is relatively small and are mostly dumb (via definitions) detection. I was actually surprised that none of the 2nd opinion scanners picked up on the rtf when it was just hanging out on the Desktop.

But the AV detection's of the initial rtf file are still a high point for the traditional AV- of the spawned txt and ps1 files that will actually do the damage the AV detection is horrendous (to be fair, Symantec and Mcafee were the only vendors to stop the cascade by detection of one of the spawn). As to blocking cmd.exe from running, a more elegant and viable solution would have been to block the initial spawn, jl.txt.

A popular stand on stuff like this is: "You gotta shut off wscript" and/or "Disable PowerShell!!!!". By extension, this is like saying "Never Turn On your computer!!!!". Whenever I see drivel like that it reminds me of the old joke:

Man walks in to the Doctors office and says: "Doctor, Doctor- my arm hurts when I do this!"
Doctor says "Well, then don't do that".

I would think that Geeks Like Us should demand a better solution.

 

[askmark]

ThumbsUp.

I suppose I should have also mentioned there are certainly others which would/could do the same but ERP was the first anti-exe that came to mind.

Voodooshield would be just as effective in preventing this infection and that's without having to lock down your system so Windows' scripting engines can't run legitimate code

 

[509322]

A popular stand on stuff like this is: "You gotta shut off wscript" and/or "Disable PowerShell!!!!". By extension, this is like saying "Never Turn On your computer!!!!". Whenever I see drivel like that it reminds me of the old joke:

LOL

Drivel ?

"To render a gun safe, all one need do is to remove the bullets."

The implied comparison of Windows to a loaded gun might seem dramatic, but I think it is figuratively appropriate.

You can take it up with Microsoft, but this is what they have been advising Windows users from the beginning:

• "If something shipped with Windows is not used routinely nor needed, then disable it."

Why do you suppose COMODO recommends its enterprise clients to disable "stuff" that is never used or used infrequently ?

Why do you suppose COMODO gives its product users the ability to disable processes shipped with Windows ?

Because disabling "stuff" is a sound protection strategy and has proven over time to be notoriously difficult to bypass.

LOL... I recall the keylogger.js trivial bypass of Bitdefender video that you made. What is the real underlying problem ? - that Bitdefender's default configuration has firewall alerts turned off or is it the fact that an interpreter that is not needed by 99 % of all users and is heavily abused by malc0ders was whitelisted by Bitdefender ?

It's food for thought... but arriving at an answer that everyone will accept - well, that's an entirely different matter since everyone has their own perspective.

I would think that Geeks Like Us should demand a better solution.

Microsoft's solution:

• "Use a Standard User Account."
• "Don't do that...ahwww, nobody listens."

If the simple, "silver bullet" is ever discovered, then the security geeks will complain bitterly that it is not complicated enough.

 

[Peter2150]

I bet your thinking like me that ERP would have rapidly snatched up powershell and wscript launches.

Yep and Appguard also would have shut it down also

 

[cruelsister]

Lockdown- What you say about the need to shut down various things to make the 'infective footprint" smaller is totally valid and I in no way disagree. However, I prefer in taking a broader view:

1). Frequently (and indeed the case with respect to this particular malware) malware will be targeted to an Organization where disabling of scripting engines and Macros just is not acceptable as these things can and are used for High and Noble purposes like the automation of some tasks and increased efficiency in others.

2). For the Home User, following your advice is indeed wise. But sadly the bulk of Home users have neither the knowledge or ability to disable things that they probably do not know even exist. Frequently in the past I have seen any number of Traditional Security products attempt to shift the burden of protection on to the user (their client!) by suggesting that they do this and this and that to increase protection. Instead the burden should be on THEM to up the quality of their products to the point where they can fully protect those that can't protect themselves. Microsoft has caught on to this need with the development of Win10's AMSI, finally giving their clients a fighting chance against scriptors.

ps- As a developer of a fine product, you flatter me by actually remembering a video (actually if memory serves the logger was written in Python) I made a few years ago . And I mean that sincerely!

 

[mekelek]

Out of curiosity, can anyone tell me an example of a legitimate reason for wscript.exe to run?

 

[509322]

Out of curiosity, can anyone tell me an example of a legitimate reason for wscript.exe to run?

I have seen it once used by Windows Update.

It is used by utilities - something like Win10Privacy.

Logon scripts, automation, administration (via scripts).

 

[509322]

ps- As a developer of a fine product, you flatter me by actually remembering a video (actually if memory serves the logger was written in Python) I made a few years ago . And I mean that sincerely!

When I saw it, I thought "Oh please, that couldn't have just happened... ?" That's why I recall it so well.

these things [scripts] can and are used for High and Noble purposes like the automation of some tasks and increased efficiency in others.

They don't implement usage with any semblance of sanity - let alone security. One guy just grabs what he thinks is useful and can easily find online - and doesn't audit the scripts that he grabs. Pastebin, GitHub, someone's download link... LOL... and puts them on both servers and workstations without thought.

2). For the Home User, following your advice is indeed wise. But sadly the bulk of Home users have neither the knowledge or ability to disable things that they probably do not know even exist. Frequently in the past I have seen any number of Traditional Security products attempt to shift the burden of protection on to the user (their client!) by suggesting that they do this and this and that to increase protection. Instead the burden should be on THEM to up the quality of their products to the point where they can fully protect those that can't protect themselves. Microsoft has caught on to this need with the development of Windows 10's AMSI, finally giving their clients a fighting chance against scriptors.

We have at least one home user here who thought the real Windows Defender was actually rogue antivirus.

And with that I just throw my hands in the air... Awwwhhhhhh !?

 

[Peter2150]

Although this prelude video just showed the gross effects (that which can be seen via TaskManager), the one later today will show the cascade of processes that results in the final infection. But with regard to AV detection, even though this guy has been out for 2 weeks, for something that has been around for so long the detection rate (like 21) is relatively small and are mostly dumb (via definitions) detection. I was actually surprised that none of the 2nd opinion scanners picked up on the rtf when it was just hanging out on the Desktop.

But the AV detection's of the initial rtf file are still a high point for the traditional AV- of the spawned txt and ps1 files that will actually do the damage the AV detection is horrendous (to be fair, Symantec and Mcafee were the only vendors to stop the cascade by detection of one of the spawn). As to blocking cmd.exe from running, a more elegant and viable solution would have been to block the initial spawn, jl.txt.

A popular stand on stuff like this is: "You gotta shut off wscript" and/or "Disable PowerShell!!!!". By extension, this is like saying "Never Turn On your computer!!!!". Whenever I see drivel like that it reminds me of the old joke:

Man walks in to the Doctors office and says: "Doctor, Doctor- my arm hurts when I do this!"
Doctor says "Well, then don't do that".

I would think that Geeks Like Us should demand a better solution.

Sometime the most eloquent solution is the simplest. Lets expand on your joke. The man walks in and says Doctor my always hurts when I rub my arm against a grinding machine. Then in this case the most obvious answer from the doctor would be don't do it.

I have a better real life example that tought me a great lesson. I was in the Air Force working in a System Program Office. It involve system procurement, and we were between an air force unit that was changing it's requirements every day and a contractor who underbid the contract to get it. One day a 2 page letter came in full of convoluted requests. Our Colonel's response was one word NO. We asked if maybe something more was needed. He said if you made it a 2 word response they would twist it to mean yes. He said simple is best. I've never forgotten this lesson.

So the question here is how many people here need Powershell or scripting. I'd bet not that many. So in this case the most elequent solution is simply turn them off.

Pete

 

[cruelsister]

Peter- Turning stuff off will definitely protect (I even did a video on this way back when), but I personally would prefer a more generalized solution for those who for whatever reason disabling script engines is not an option. I guess it's because I'm super picky (and my parents wonder why I'm not married...).

 

[Peter2150]

Peter- Turning stuff off will definitely protect (I even did a video on this way back when), but I personally would prefer a more generalized solution for those who for whatever reason disabling script engines is not an option. I guess it's because I'm super picky (and my parents wonder why I'm not married...).

ROFL. On the software, super picky maybe overkill. On the not married, picky is good.

 

[shmu26]

Out of curiosity, can anyone tell me an example of a legitimate reason for wscript.exe to run?

Yes and no. I did find a legit program that runs a VBS script on installation and at startup, however, the program works fine even without the script.