Video A Microsoft Defender Follow-up

Source
https://www.youtube.com/watch?v=YQwKeYcF39I
Video created by
cruelsister
What I learned from the video:
  1. Block at First Sight is just a marketing term from MS and it doesn't work in the real world.
  2. WD is buggy and should be used with caution.
The problem is that Windows Defender relies too much on its cloud and not local defenses (with its abysmal local Behavior Blocker), which is made even worse in that local detection methods don't work without access to the cloud.

Another problem is that its sample submission ignores much of the more exotic malware (MSI, CPL, etc)

Andy Ful

The Magniber sample that I found has some interesting info on VirusTotal:

[Image: VirusTotal screenshot, 1659702717295.png]

Is it possible that this can fool the local AI and cloud check is not triggered?

cruelsister

I guess it is time for an explanation of why I made the Defender vs Magniber videos. Although I can determine HOW it occurred only Microsoft itself can explain WHY it occurs. And please forgive in advance if the reader of this post already knows this stuff, but as there may be malware newbies here that want to understand (please god let it be so!!) I'll be as basic as possible:

It starts with the malware author (we'll call her Ophelia). Ophelia has just developed a new mechanism for encrypting files that bypasses all known security applications. As Ophelia's motive is to cash in on this discovery (ransomware) she could just distribute it herself, wait for victims to have their data trashed, and wait for ransom payment and collect all the cash herself.

But as she is just a single individual with limited access to victims, even better may be to sell the ransomware to others on the Darkweb, thus pocketing a bit more cash for herself. But EVEN BETTER is to sell a ransomware builder to folks. Now the pool of potential victims gets larger, Blackhats that can't code for themselves can infect others and collect the ransom, and Ophelia has made it so that SHE would get a piece of the action (usually ~25%) for any ransom paid by the victim of her affiliate.

So with that as a given, let's see how this will work- say we have 2 pre-pubescent Blackhats named Frodo and Sam. Both Frodo and Sam get on the Darkweb and purchase the new Magniber Builder application from Ophelia, the main page of which will look something like this (actually a bit more complicated with Encrypt and Decrypt key entries, but I won't go overboard):

[Image: builder.png]



Now Frodo will run this compiler on his Win7 system and Sam does the same on his Win11 system, each inserting their own individual Bitcoin information. Now both hit the generate button and quick as a bunny they each have unique samples of Magniber, each of which is only a few bytes different in size. Both release them on the same day to victims and wait. The victims have their data encrypted and get presented with the Ransomware page (like in my video). For Frodo, his victims will have an extension placed on their files and also see this:

[Image: 077.png]

For Sam, his victims will see that their files also have an extension on them and will be presented with this ransom page:

[Image: 5cw.png]

Notice the difference? The file extension will differ for Frodo's and Sam's particular Magniber, as well as the addy to send the bitcoin. But the result is the same- they profit individually for every victim while Ophelia gets a piece of the action from everyone! Smart Kitty, yes?

But an issue occurs- Frodo notices that he stopped making any money 2 weeks after malware release, whereas Sam is still raking it in! What happened?

Well it turns out that Microsoft Defender (on which every victim seems to exclusively rely) actually detected Frodo's Magniber while Sam's is still undetected and going strong. The question is why?

Discussion- Malware as a service such as what is seen by Magniber is increasing in popularity. Not only ransomware but also stuff like Qbot are so offered. And although a majority of the variants created are detected by various anti-malware applications, many are not EVEN THOUGH THEY ARE ESSENTIALLY IDENTICAL. With the Magniber we are discussing the undetected sample seen in my video was in no way MAGIC, just Slightly different, so analysis is really pointless as the fault here is in how Defender aspires to defend, and Lord alone knows why it does what it does.

So to sum up- This was the rationale behind the Defender videos, published because no one seems to want to acknowledge this is what is occurring.

(ps- I verified last night after the Wine wore off that the Frodo and Sam variant detection difference is still valid)


wat0114

Many MT members keep saying this for many years in relation to any AV. Strict protection at home is required for children and casual users. It is not required for others except if one likes such protection or wants to learn how security layers work.
For example, you used H_C and OSA. If you can predict that your actions will trigger the H_C or OSA blocks, then neither H_C nor OSA is necessary.

Yes, for me it's fun and a kind of hobby to use the security layers you mention. However, it's also partly because of the way malware is constantly evolving, almost by the day, where maybe these additional layers might come in handy, even if only once, even though I doubt it in my case, and of course because I maintain fairly recent backup images, so this latter measure essentially eliminates any worry at all.

Andy Ful

...
So to sum up- This was the rationale behind the Defender videos, published because no one seems to want to acknowledge this is what is occurring.
...

That is true. The MSI infection vector is usually depreciated (not only for ransomware), probably because it is relatively rare. A similar problem was with scripting attacks a few years ago.

In Defender, the ASR rules mostly ignore MSI files and I am not sure if the cloud-delivered protection even supports MSI files. The Microsoft documentation mentioned the support for:
  1. Automatic file submission: files like .bat, .scr, .dll, .exe.
  2. BAFS: files such as .js, .vbs, or macros and executable files.
But I have nowhere seen MSI files clearly enumerated. Also, the ISG reputation feature in Microsoft Application Control does not support MSI files.
I noticed that MSI files are supported by Smart Application Control on Windows 11. Of course, SmartScreen for Explorer supports MSI too.

I am afraid that the problem is more general than Microsoft's approach. For example, the Avast CyberCapture and Hardened mode do not support MSI files either. From several posts on other forums, it follows that Bitdefender detected Magniber for a few weeks only via signatures, etc.
So, the most popular free AVs have rather poor support for MSI files.
Let's hope that AV vendors will seriously face this problem soon.

cruelsister

Who exactly is the "no one"?
I haven't seen anyone that was aware of this flaw in Defender- I certainly was not. There seems to be some issue in how Defender detects what are essentially the same malware, and I haven't seen anyone run 25 samples of a malware strain that varied by a trifling bit (or should I say byte) with any expectation that a non-trivial amount would lead to infection (~25% for me). Normally any testing that is done will be done on a wide range of unique samples which is useful and justified.

Andy Ful

The way Defender detects the MSI samples is kinda weird.
Some samples are automatically quarantined (detected by offline signatures).
Some samples are detected later on-execution.

Some samples are detected when using the Windows built-in unpacker, but are not detected when using a 3rd-party unpacker (like 7-Zip). These samples can be detected after unpacking via a manual scan. But, some of them are not auto-quarantined, so the user must click the Defender alert and allow it to do the cleaning actions. In the meantime, the file is not locked and can be run.

So, after downloading the file (and unpacking) it is good to perform a manual scan and if the file is detected, then it is recommendable to click the Defender alert and allow the cleaning.
Users should avoid running the file just after the download.

Edit.

This can be a nightmare when testing many files. It is probable that some EXE files can behave in a similar way. If so, then most tests with automatic file execution are made improperly.
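An added PowerShell example (mine, not code from the post or from Microsoft) that runs the download-then-manual-scan workflow described above on Windows 10/11 with Microsoft Defender, and first prints the cloud-related settings the thread discusses. It assumes an elevated prompt and that the archive has already been unpacked into the folder given as $FolderPath.

```powershell
# Added example, not code from the thread: the post-download workflow recommended
# above, on Windows 10/11 with Microsoft Defender, run from an elevated PowerShell.
# Assumption: $FolderPath is where the downloaded archive was already unpacked.
param([Parameter(Mandatory)][string]$FolderPath)

# 1. Cloud-related settings the thread discusses. With MAPS off, Defender is left
#    with local signatures and the local behaviour blocker only.
$pref = Get-MpPreference
[pscustomobject]@{
    MAPSReporting           = $pref.MAPSReporting          # 0 = off, 1 = basic, 2 = advanced
    SubmitSamplesConsent    = $pref.SubmitSamplesConsent   # 0 = prompt, 1 = safe samples, 2 = never, 3 = all
    DisableBlockAtFirstSeen = $pref.DisableBlockAtFirstSeen
    CloudBlockLevel         = $pref.CloudBlockLevel
} | Format-List

# 2. Manual custom scan of the unpacked folder (returns when the scan has finished).
Start-MpScan -ScanType CustomScan -ScanPath $FolderPath

# 3. Detections that reference files under that folder. ActionSuccess is $false for
#    the case the post describes: detected, but not yet quarantined.
$hits = Get-MpThreatDetection | Where-Object {
    $_.Resources -match [regex]::Escape($FolderPath)
}
if (-not $hits) { Write-Output "No detections under $FolderPath"; return }

$hits | ForEach-Object {
    [pscustomobject]@{
        Threat        = (Get-MpThreat -ThreatID $_.ThreatID).ThreatName
        Files         = ($_.Resources -join '; ')
        ActionSuccess = $_.ActionSuccess
    }
} | Format-Table -AutoSize

# 4. Apply the cleaning action for anything not auto-quarantined (the equivalent of
#    clicking the Defender alert and allowing the cleanup). Do not run the file before this.
if ($hits | Where-Object { -not $_.ActionSuccess }) {
    Remove-MpThreat
}
```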

Andy Ful

After performing the procedure noted in my previous post, all Magniber samples (except 1) from the period 1.06 - 4.08.2022 (76 samples) that were downloaded from Malware Bazaar, were also detected and quarantined on my machine with Windows 10.

Edit.
I edited my post, because I missed one sample in the test.

Anthony Qian

After performing the procedure noted in my previous post, all Magniber samples (except 1) from the period 1.06 - 4.08.2022 (76 samples) that were downloaded from Malware Bazaar, were also detected and quarantined on my machine with Windows 10.

Edit.
I edited my post, because I missed one sample in the test.
Magniber ransomware is now being distributed in CPL format.


29/69 detection rate. Microsoft: undetected.

Furyo

So to sum up- This was the rationale behind the Defender videos, published because no one seems to want to acknowledge this is what is occurring.

Microsoft Security is already aware and has been regarding this infection mechanism for years. The reason(s) they have not fixed it is known only to them, but a storyline that Microsoft is screwing over users deliberately or otherwise makes for great clickbait.

Yes, I do not worry about Magniber - the attackers do not currently use MSI but rather CPL files. I worry that the method used by it can be adopted in the future also for other malware types. For now, Microsoft seems to ignore this danger.
How often does the home user execute .cpl or .msi files? Microsoft cares primarily about enterprise, and with WSUS and manual Windows updates via SCCM and other methods rampant in enterprise, Microsoft is not about to do something that interferes with .msi (or .msp) file installs, even if that means some infections are going to happen. Perhaps the fact that enterprise can block .msi via Group Policy or other methods is good enough for Microsoft. People forget that Microsoft develops Windows as a one-fits-all image where considerations for enterprise always take top priority. There could be some other off-the-wall reason Microsoft won't do anything about it after all these years. So unless someone at Microsoft steps forward and gives the reason(s) for its inaction, then it is guesswork.

Andy Ful

Magniber ransomware is now being distributed in CPL format.


29/69 detection rate. Microsoft: undetected.

The initial CPL malware drops a DLL payload:
C:\Antivirus.System.Update.KB16889415-_.cpl.dll
and uses a Regsvr32 LOLBin to execute it.

This is a well-known attack vector, so the AVs (not only Defender) have more chances to detect it behaviorally compared to the MSI attacks with a side loading method.
The payload is a DLL so can be in theory detected by Defender's cloud-delivered protection - this is clearly stated in Microsoft's documentation (the support for MSI is not mentioned).
Finally, the CPL vector is extremely rare, even compared to MSI. I could find on Malware Bazaar hundreds of MSI malware, and 0 CPL samples.

So, even if we could find some samples undetected on VirusTotal or samples that could compromise Defender, the attacks via CPL files will not be as dangerous as in the case of MSI.
Anyway, if someone has access to this sample it would be good to check how efficiently Microsoft can fight it.
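An added PowerShell example (mine, not from the post) showing how the CPL-drops-DLL-then-regsvr32 chain described above can be flagged in Sysmon process-creation records, run here on constructed sample records. It assumes Sysmon process-creation logging; the "parent is rundll32/control.exe" condition is my generalisation (those processes host .cpl files) and is not something the post states.

```powershell
# Added example, not code from the thread: flag the CPL -> dropped DLL -> regsvr32
# chain described above in Sysmon process-creation (Event ID 1) records.
# Assumptions: Sysmon logs process creation; the "parent is rundll32/control.exe"
# test is my generalisation (those host .cpl files), not something the post states.
function ConvertFrom-SysmonEvent {
    # Flatten a Sysmon EventRecord's EventData into an object with one property per field.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]$d
}
function Test-SuspiciousRegsvr32 {
    # Input objects need the Sysmon fields ProcessId, Image, CommandLine, ParentImage.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        if ($Record.Image -notmatch '\\regsvr32\.exe$') { return }
        $reasons = @()
        # DLL sitting directly in a drive root, as the dropped payload did (C:\...cpl.dll)
        if ($Record.CommandLine -match '[a-z]:\\[^\\"]+\.dll') { $reasons += 'dll in drive root' }
        # Double extension used by the sample
        if ($Record.CommandLine -match '\.cpl\.dll') { $reasons += 'cpl.dll double extension' }
        # Spawned by the process that hosts .cpl files (assumption, see above)
        if ($Record.ParentImage -match '\\(rundll32|control)\.exe$') { $reasons += 'parent is cpl host' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId   = $Record.ProcessId
                CommandLine = $Record.CommandLine
                Parent      = $Record.ParentImage
                Reasons     = ($reasons -join ', ')
            }
        }
    }
}
# Constructed sample records for an offline run; the first mimics the chain in the post,
# the second is a benign installer registering its own DLL and must not be flagged.
$samples = @(
    [pscustomobject]@{ ProcessId = 4120; Image = 'C:\Windows\System32\regsvr32.exe'
        CommandLine = 'regsvr32.exe /s "C:\Antivirus.System.Update.KB16889415-_.cpl.dll"'
        ParentImage = 'C:\Windows\System32\rundll32.exe' }
    [pscustomobject]@{ ProcessId = 5008; Image = 'C:\Windows\System32\regsvr32.exe'
        CommandLine = 'regsvr32.exe /s "C:\Program Files\Vendor\comctl.dll"'
        ParentImage = 'C:\Program Files\Vendor\setup.exe' }
)
$samples | Test-SuspiciousRegsvr32 | Format-Table -AutoSize
# Against live data:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object { ConvertFrom-SysmonEvent $_ } | Test-SuspiciousRegsvr32
```

Only the first constructed record is reported, with all three reasons; the benign installer's regsvr32 call matches none of them.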
The initial CPL malware drops a DLL payload:
C:\Antivirus.System.Update.KB16889415-_.cpl.dll
and uses a Regsvr32 LOLBin to execute it.

This is a well-known attack vector, so the AVs (not only Defender) have more chances to detect it behaviorally compared to the MSI attacks with a side loading method.
The payload is a DLL so can be in theory detected by Defender's cloud-delivered protection - this is clearly stated in Microsoft's documentation (the support for MSI is not mentioned).
Finally, the CPL vector is extremely rare, even compared to MSI. I could find on Malware Bazaar hundreds of MSI malware, and 0 CPL samples.

So, even if we could find some samples undetected on VirusTotal or samples that could compromise Defender, the attacks via CPL files will not be as dangerous as in the case of MSI.
Anyway, if someone has access to this sample it would be good to check how efficiently Microsoft can fight it.
But why would they switch to an attack vector that's easier for AVs to detect?