- Apr 13, 2013
- 3,147
- Content source
- https://youtu.be/kG0c6_aBCDk
A Malicious LNK Stealer Part 2
- Thread starter cruelsister
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Aug 2, 2020
- 542
Will blocking C2 traffic using either software or hardware based firewall help with this type of data theft?
Can Comodo be used to blocked C2 traffic?
Can Comodo be used to blocked C2 traffic?
- Apr 13, 2013
- 3,147
Blocking outbound connections to Command and Control servers (by whatever means) is of paramount importance. C2 servers exist- one must ensure that potential victim's system does not come to their attention.
Regarding Comodo, I have a video (more or less) completed pitting it against the malware used here as well as a few other diverse stealers that just popped up. Really just have to pick the music (I'm in a flamenco mood...).
- May 29, 2018
- 2,607
i suppose avast premium firewall protects against data thiefing as ARP protection?
Should one use ask mode with the avast firewall? Or do i simply just install comodo firewall along with avast?
Should one use ask mode with the avast firewall? Or do i simply just install comodo firewall along with avast?
- Mar 2, 2023
- 794
@cruelsister What I appreciate about your videos is the ability to track what you're doing, including your text that you let sit there long enough for us to read (without pausing).
Some of the other malware-testing videos (not any of the other members from this forum) seem to be more about how many widows can I have open and running at the same time, and how fast can I dart my mouse across and around the screen. At times, I need a Dramamine just to watch those before I stop and move on. Let alone your fantastic taste in the background music on your videos
And yes, I did Subscribe
Some of the other malware-testing videos (not any of the other members from this forum) seem to be more about how many widows can I have open and running at the same time, and how fast can I dart my mouse across and around the screen. At times, I need a Dramamine just to watch those before I stop and move on. Let alone your fantastic taste in the background music on your videos
And yes, I did Subscribe
Last edited:
- Feb 7, 2023
- 1,737
You can use Ask Mode but it won’t help when code injection is involved, as it will be a trusted and already whitelisted process doing the malicious actions (via process hollowing, doppelgänging, dll sideloading and other techniques of such). Any firewall (without containment, HIPS and other layers) is useless in such cases.
To protect against these attacks, you will have to rely on Avast’s detection abilities (antivirus, behavioural blocking) which are not bad. To protect against theft of passwords saved in Chrome and Edge, Avast has the password protection feature.
In the cases when no code injection is performed and malware is not signed (in which case it may be allowed without a prompt depending on the settings), blocking the connection will prevent a lot of headaches coming your way. But then Avast also terminates connections to known CnCs (which in many cases can be helpful as well) and uses reputation, and a host of other methods to block unknown executables. Comodo doesn’t — it’s just you, yourself and your sandbox.
So in a nutshell - Comodo is great if you are looking to answer prompts and alerts, and you believe you will answer them correctly. If not, then other solutions are better. What’s displayed in this video is not Comodo’s protection abilities, but @cruelsister ’s knowledge of the threat landscape. And she will be able to protect herself against this malware even without Comodo, as she will not execute a malicious shortcut from an email in the first place.
Last edited:
- Apr 13, 2013
- 3,147
A valid point and one that will be discussed in the next video.
- Apr 5, 2021
- 571
Nice demo video, thanks!
Indeed, Outbound application firewalls are still a worthy security tool in one's security setup, especially if they are set to Default-deny
Great cover of the Willie Nelson original by Linda Ronstadt, although I do prefer the Patsy Cline version released in 1961
Fwiw, Ronstadt was ranked #47 and Cline #13 on Rolling Stone's Top 200 Greatest Singers list
Indeed, Outbound application firewalls are still a worthy security tool in one's security setup, especially if they are set to Default-deny
Great cover of the Willie Nelson original by Linda Ronstadt, although I do prefer the Patsy Cline version released in 1961
Fwiw, Ronstadt was ranked #47 and Cline #13 on Rolling Stone's Top 200 Greatest Singers list
- Mar 2, 2023
- 794
Winner, for the great trifecta linkingGreat cover of the Willie Nelson original by Linda Ronstadt, although I do prefer the Patsy Cline version released in 1961
- Apr 5, 2021
- 571
- Feb 7, 2023
- 1,737
Of course it’s commonly used. It’s one of the great ways to evade detection, turning a trusted process into a puppet. Other ways like obtaining certificates are short-term solution and iffy. Even this malicious lnk stealer, what’s the point of using builders (perhaps the Quantum shortcut builder) to create FUDs and then drop the final payload as an executable, where antiviruses have reputation and petabytes of training?
Last edited:
- Apr 5, 2021
- 571
Okay thanks. This is more common on server side isn't it, such as XSS? And yes I understand a browser connecting to a compromised server could be exploited.
- Feb 7, 2023
- 1,737
LOLBin abuse or LOtLBins as they call them now (Living off the Land attacks) are common amongst all attackers that have knowledge of how antivirus products work. It can be against businesses and servers, but it may as well be against home users using weaponised documents to initiate the attack (one example). It all depends on the attackers. There are many of them and growing (specially with the current difficult economics), and their creativity knows no end.
- Apr 5, 2021
- 571
Regrding LOLBins being exploited in the Home environment, this is interesting:
Hard_Configurator - Windows Hardening Configurator
Yes please give the user always the choice to use SRP (maybe off be default). On my win 11 MS decided to disable SAC. SAC was for me the reason to try 11 at all (so I'm quite disappointed). So if there is no SRP and MS disables SAC for you you got "nothing" otherwise. It is improbable that...
malwaretips.com
Btw, I've been running Linux as Home user with basic needs for the last four months (finally, I think for real, ditching Windows for good except for Work purposes), so I'm starting to lose sight of these Windows exploits.
- Feb 7, 2023
- 1,737
The tool is helpful, yes.
Mac and Chrome OS user here. Windows is just a playground for me — I would never rely on this platform to do my work. Many do… I don’t.
- Apr 5, 2021
- 571
No choice for me. It's a COE-issued laptop from my employer, as one of my essential tools for doing my job. It is, afaik, locked down by the IT team like Fort Knox.
Last edited:
Linux has a list of LOLBins that is larger than Windows.
As long as a user is not downloading and executing code on their system -- either by choice or blocked from doing so by policy, then LOLBin blocking is not necessary except if you fear exploits (e.g. you are running Windows with unpatched software). If they user is downloading stuff and executing it, then to protect the system LOLBins can be blocked to break the kill chain.
If you want case-hardened security against the greatest number of potential eventualities of rogue code execution, then there is no other localhost protection that beats SRP global blocking.
Blocking LOLBins can create corner case issues, but virtually all of them are manageable. It is based upon SRP with the purpose of configuring a known-clean system, enabling and configuring policies, and then modifying that system carefully only once in a while.
If users want to use stuff, then default deny really isn't for them. If a user never wants to look at a log, then default deny definitely is not for them.
It all comes down to what a user wants. Do they want ballistic nuclear armor security or are they a "user that wants to use stuff."
- Apr 5, 2021
- 571
That's okay, I'm not alarmed or concerned by how many LOLBins or exploits a Linux home environment might have.
Truth be told, I'm not alarmed or concerned about the LOLBins or exploits Windows has. I just don't like the direction Microsoft is going with the OS since Windows 10.
Last edited:
- Feb 7, 2023
- 1,737
I am not concerned myself, but I’ve invested a lot of time studying attacks with LOtLbins involved and coverage from AV vendors is a bit patchy (unless blocks or emulation is used). At the same time AMSI bypasses have been documented thousands of times on security forums and a relatively low-skilled attacker can make use of them.
Whilst it doesn’t necessarily affect many of us here on MalwareTips, it is definitely a vector that calls to be overseen and acted on.
Similar threads
