Advice Request Bitdefender Internet Security 2018 vs. Ransomware?


itssaulgoodman

Level 1
Thread author
Dec 17, 2017
9
Hello all,

I have recently been wondering about how well Bitdefender Internet Security 2018 stacks up against ransomware. The 2017 version of Bitdefender IS failed entirely when challenged with ransomware like Jigsaw and Fantom (source: ), and now the 2018 version of Bitdefender caught a zero-day ransomware attack (source: ).

However, I have seen no formal and solid test of Bitdefender's 2018 solutions vs. ransomware. Does anyone know of, or has anyone tested, Bitdefender IS or Total Security 2018 against Petya/NotPetya, Satana, Cerber, Shade, Globe/GlobeImposter, BadRabbit, Locky, Jigsaw, Fantom, WannaCry, AdamLocker, etc.?

I am extremely interested to know if the Bitdefender 2018 can handle these ransomware attacks.

Thank you so much!
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Not talking specifically about BitDefender's detection of these ransomware, but generally the detection of new malware versions can vary and be difficult for a few reasons.

Some ransomware/malware use crypters and binders, but above all they inject code into another process (migration), and by doing so they prevent some antivirus from detecting an unauthorized process.

To inject code into another process, the ransomware may use DLL injection and remote thread creation.
In the first case, the malware injects a DLL into the process, where the code in it is executed, while in the second case it creates a thread in the process that will execute the code.
For example: "rnsm" must inject a DLL into the process svchost.exe, so rnsm.dll is created, loaded together with the code that it must execute. Then it inserts the PID (process identifier, used to uniquely identify a process) of the process where it is necessary to inject the stuff, and therefore opens the process and creates a process handle. Then the space is allocated, and it will enter the process. So in the process it creates a new thread where the code will be loaded.

With regard to the crypter/binder, a ransomware may use techniques like extension spoofing, which can make it look like a non-malicious program, and another method would be to modify the executable of a program and then also put the code of the malware into it, so as to increase the chance of not being detected.
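A defender-side check for the remote-thread injection described in the post above, as an added example that is not from this thread, from tim one, or from Bitdefender: it scans constructed Sysmon-style Event ID 8 (CreateRemoteThread) records and flags threads created in svchost.exe or explorer.exe by untrusted sources, threads whose entry point is LoadLibrary, and threads with no backing module. The watchlist, the trusted-path prefixes and the simplified key=value log format are assumptions.

```python
"""Flag suspicious CreateRemoteThread records (Sysmon Event ID 8 style).
Added example, not from the thread; log lines are constructed in a simplified
key=value form modelled on Sysmon Event ID 8 fields."""
import re

# Assumed watchlist of processes ransomware commonly injects into.
SENSITIVE_TARGETS = {"svchost.exe", "explorer.exe", "lsass.exe"}
# Source images under these paths are treated as expected (assumption).
TRUSTED_SOURCE_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict:
    """Parse one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(ev: dict) -> list:
    """Return why an Event ID 8 record looks like injection (empty = benign)."""
    reasons = []
    src = ev.get("SourceImage", "").lower()
    tgt = ev.get("TargetImage", "").lower().rsplit("\\", 1)[-1]
    if tgt in SENSITIVE_TARGETS and not src.startswith(TRUSTED_SOURCE_PREFIXES):
        reasons.append("untrusted source created a thread in a sensitive process")
    # Thread entry at LoadLibrary*: the classic remote-thread DLL-injection pattern.
    if ev.get("StartFunction", "").lower().startswith("loadlibrary"):
        reasons.append("remote thread starts at LoadLibrary (DLL injection)")
    # Start address not backed by any loaded module: injected, unbacked code.
    if ev.get("StartModule", "") in ("", "-"):
        reasons.append("thread start address not backed by a loaded module")
    return reasons

def scan(lines: list) -> list:
    """Run classify() over the log and return only the flagged events."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "8" and (reasons := classify(ev)):
            hits.append({"source": ev["SourceImage"], "target": ev["TargetImage"], "reasons": reasons})
    return hits

# Constructed sample: rnsm.exe injecting a DLL into svchost.exe, a normal csrss.exe
# thread, an unbacked thread from a double-extension file, and an unrelated event.
SAMPLE_LOG = [
    'EventID=8 SourceImage="C:\\Users\\bob\\AppData\\Local\\Temp\\rnsm.exe" TargetImage="C:\\Windows\\System32\\svchost.exe" StartModule="C:\\Windows\\System32\\KERNEL32.DLL" StartFunction=LoadLibraryW',
    'EventID=8 SourceImage="C:\\Windows\\System32\\csrss.exe" TargetImage="C:\\Windows\\System32\\svchost.exe" StartModule="C:\\Windows\\System32\\ntdll.dll" StartFunction=RtlUserThreadStart',
    'EventID=8 SourceImage="C:\\Users\\bob\\Downloads\\invoice.pdf.exe" TargetImage="C:\\Windows\\explorer.exe" StartModule=- StartFunction=-',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe"',
]
if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```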
 

itssaulgoodman

Level 1
Thread author
Dec 17, 2017
9
Thank you for your response.

I completely understand your explanation. I'm not one of those people who assume "Ah, just because I have protection, no ransomware can infect my system and I can do whatever." Additionally, some malware enthusiasts have noted that they can create ransomware that won't be caught by any anti-malware/virus solution immediately. Indeed, ransomware isn't simply black and white, and no solution is 100% perfect - common sense and good practices come first.

However, malware testers and researchers like MalwareBlockerYT (Malware Blocker), MalwareGeek (Malware Geek), and ThePCSecurityChannel (The PC Security Channel [TPSC]) always do tests of, for example, "Avast vs. Ransomware" or "Comodo vs. Ransomware", unleash the samples on them, and then start saying "Well, Solution XYZ did well against ransomware. I'm impressed, etc." or, if the ransomware is able to encrypt the files, "Product X did a bad job at protecting our files as RansomwareY was able to take over the system, I would not suggest this product". I think they do this to see if popular samples will be detected. For example, this video:



In regards to Bitdefender, they did well against a zero-day attack that ThePCSecurityChannel tested, but would it do the same against known, yet vicious, samples? Simply interesting to see if it passes these researchers' "regular" tests that they do for other anti-malware/virus solutions.
 