Can Anti-Viruses stop RATS that have their connection established?
- Thread starter Xeno1234
- Start date
- Feb 25, 2017
- 2,597
But that doesn't have anything to do with a sandbox if it requires minecraft to be installed on the system?
- Jun 12, 2023
- 684
No, it requires minecraft to run. By default they do nothing, you need minecraft modded for them to actually do stuff which is why alot of heuristics fail against it.
- Feb 7, 2023
- 2,349
You need to learn to read the behaviour. Try Any.run maybe s there you can clearly see any malicious process spawned. Don’t rely just on the detections. The attackers use VT’s 0 as advertisement.
They shouldn’t need Minecraft to start, they are most likely repacked executables. It extracts the mod and the rat (or injects it) and.
- Feb 25, 2017
- 2,597
Still it doesn't have anything to do with VM-aware malware. So if you install modded minecraft on a Virutal Machine it will probably run.
- Feb 7, 2023
- 2,349
- Sep 2, 2021
- 2,630
You have several techniques for bypassing behavioral protection, but I won't go into them here.
I recommend 3 things:
- Learn about antimalware defenses (HIPS, IDS, Process Hollowing and more) to learn how malware works and how to block it.
- Create a virtual machine if you can with some tools or use Any run or Hybrid Analyses and read the reports when you post a suspicious file on it. You'll learn
- Take a look at the Malware Hub, where you'll find tests against specific malware against some antivirus programs
- Jun 12, 2023
- 684
- Feb 7, 2023
- 2,349
If you are really curious how behavioural blocking works, there are a lot of resources. In general you always have 3 steps.
Step 1 is sensing and recording. To sense, behavioural blocking attaches hooks (a small module added to every program in user mode) and kernel driver.
Windows is like a lego. It provides developers with a vast number of Applicable Programme Interfaces and functions. These interfaces (as well as various third-party ones) are called with parameters and that’s how the program works. For example creating a file doesn’t require you to write code from the scratch, you can just use CreateFile() function. By monitoring these calls you observe the behaviour. Not all calls can be monitored at all times as that will be a noisy and will degrade performance.
Step 2 is classifying. To detect malicious processes, you must know how they act. Usually various classifiers are used and frequently deep learning classifiers run on the cloud side as well.
Classifiers must be effective and accurate. They should not produce false positives.
And step 3 is processing — once a process is convicted, remediation must be performed.
By understanding how it all works you can easily see where attackers can play around.
Step 1 is sensing and recording. To sense, behavioural blocking attaches hooks (a small module added to every program in user mode) and kernel driver.
Windows is like a lego. It provides developers with a vast number of Applicable Programme Interfaces and functions. These interfaces (as well as various third-party ones) are called with parameters and that’s how the program works. For example creating a file doesn’t require you to write code from the scratch, you can just use CreateFile() function. By monitoring these calls you observe the behaviour. Not all calls can be monitored at all times as that will be a noisy and will degrade performance.
Step 2 is classifying. To detect malicious processes, you must know how they act. Usually various classifiers are used and frequently deep learning classifiers run on the cloud side as well.
Classifiers must be effective and accurate. They should not produce false positives.
And step 3 is processing — once a process is convicted, remediation must be performed.
By understanding how it all works you can easily see where attackers can play around.
- Apr 13, 2013
- 3,224
One must not clump RAT’s and Stealers together. A RAT (Remote Access Trojan) must first connect out to malware Command and then be acted upon by the person on the other end. A stealer is much more widespread (especially now, where they are EVERYWHERE) and insidious as they will either collect and send sensitive browser data (like logins and passwords- some specifically will only go after financial thingies), then just send them out to Command without any need for the Blackhat to connect to the victim’s computer herself. Also recently popular are stealers that will package the contents of the Documents and Photos folders for transmission outward. Neither of these mechanisms will lead to an optimal result.
As long as the malware itself is known and the precise mechanism of data theft is also known, both traditional and non-traditional anti-malware applications should have no issue in preventing infection. However, for anything novel it can be that both the malware file itself as well as the remote malware Command IP are both unknown; in this case you would be screwed.
Best is a product that would both contain unknown files even if signed (and not previously vetted) as well as blocking any outbound connection of that file by default. A stealer can’t steal if it can’t communicate. But in the absence of installing such an application, in general an Outbound altering Firewall is essential in the extreme.
Finally, it is important to note that Ransomware for the most part is a thing of the past. Stealers are much more lucrative and thus a whole lot more popular.
- Jun 12, 2023
- 684
I generalize RATS as something that can do pretty much everything if the connection is established. Take files, take cookies, screenshot, screenshare, etc, all that.
- Feb 7, 2023
- 2,349
Yeah, and most RATs contain stealing functionalities as well that can be triggered with a few clicks. But RATs in general are much more difficult to develop, they require more complex architecture and backend, and maintaining evasion over time is more difficult (not impossible, specially when there is paying clientele).
Stealers have very little to do, so it is possible to change the way you do it much more frequently (playing with API calls, directories, fragmenting the functionality amongst others), thus escaping behavioural blocking much easier. All pre-execution blocks can easily be evaded by using a custom or unusual packer and cloud-based analysis can be evaded via packing junk together with the malicious executable.
On runtime, because everything happens too quick as pointed out earlier by @Kongo , by the time blocking and remediation are initiated, data may have already been sent over. When that happens, you are screwed.
- Aug 22, 2013
- 892
You call a system "secure" when it has multiple layers of security software/hardware. Having an antivirus solution is one layer, software firewall another, hips/sandbox is again one of the layer. All these can be provided by one security software, like the one you uses. You can also add system wide DNS firewall ( doH) with solutions like NextDns as an another layer of security. You can also have a Doh enabled router ( like Mikrotik) and forward unencrypted port 53 traffic to encrypted port 443 by using firewall rules. If you setup NextDns with "block bypass methods" under parental control settings and use nextdns in Mikrotik, you can effectively block RAT communication even if it has doh enabled tunnel to C&C. If you want to go further you can have a Hardware Firewall with pfsense or opnsense with Suricata or Squid proxy and analyse encrypted traffic effectively.
How about if I create a 'Paper' and 'Cartoon' folders in my external drive and have my documents/photos stored there? My Documents and Photos folders will thus be ALWAYS empty.
Will stealers know to look for documents and photos in my external drive? I can always password-protect the folders...........
- Feb 7, 2023
- 2,349
They normally look for specific formats everywhere, unless attacker specifies some custom rules such as masks (e.g 4xxx-xxxx-xxxx-xxxx for a visa card). Professional attackers will specify such rules but amateurs looking for few pennies per victim, to buy the dreamed Gucci belt will not. They will not touch your files. Just the passwords and cookies will do. They will try to break in to your email first, as this is the central point for everything.How about if I create a 'Paper' and 'Cartoon' folders in my external drive and each time I download documents/photos they will be stored there externally? My Documents and Photos folders will thus be ALWAYS empty.
Will stealers know to look for documents and photos in my external drive? I can always password-protect the folders...........
Documents and Photos folders in C: drive are good targets for stealers and ransomware
If you can store the items externally under different folder names and leave the Documents and Photos folders empty there will be nothing to steal or encrypt.
And stealers are more stupid than ransomware. Ransomware will encrypt even if you have password protection or encryption applied. It'll just walk over you and cover you up.
Whereas when stealers approach a password-protected file/folder they will just stop there because they are not programmed to break passwords............I doubt they break password. Yah, they can carry the Documents and Photos folders home but those are empty.
Last edited:
- Feb 7, 2023
- 2,349
They take your passwords from your browser (most of them) and some more sophisticated stealers will also exfiltrate and decrypt what’s stored in third-party password managers. StealC for example harvests passwords from about 50 programmes in total and that includes large variety of browsers, password managers, email clients, gaming clients, etc.
They don’t need your files, they care about the cookies, autofill, password and payment information, and you don’t keep that in files.
Only the most professional attackers will put great effort to go deep within your files. Who knows, you may have some payment information in PDF and word documents.
They don’t need your files, they care about the cookies, autofill, password and payment information, and you don’t keep that in files.
Only the most professional attackers will put great effort to go deep within your files. Who knows, you may have some payment information in PDF and word documents.
- Jun 12, 2023
- 684
I use Kaspersky which has HIPS, a Firewall, and also is a good anti-virus. Is that a secure setup?
Just don't store passwords in browsers. Store them in your PW manager............a good one. And if you use a weak PW manager.........then you had it
