cruelsister
Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
Can the HitMan squish a Worm?
- Thread starter cruelsister
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Out of curiosity was the sample uploaded to VT yet? I'm curious to see how Zemana Anti-Malware/Logger can detect this. 
Great video btw!
-JGamez
Great video btw!
-JGamez
The video would mean that the worm is currently laughing at these four engines: Kaspersky's, Bitdefender's, Sophos', and HitmanPro's own engine. 
It is ok to get a joke here and there off an engine but it is another thing when it come to they defence system where with Kaspersky's or Bitdefender's whole package the joke ends.
cruelsister
Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
JG- Really no need to upload this one anywhere- I coded it only to have very basic worm functions:
a. Get into memory,
b. set itself up for persistence,
c. the ability to infect external drives when plugged in to the infected system,
d. and the ability to listen/receive on the Network.
So this is a really Bargain Basement type of malware (when I got home tonight I saw a number of emails from former colleagues mocking me for being a Script-Kiddie at heart). Also, I do have a Part 3 already done which will feature Zemana (to be published soon).
Terry- Yes, it is a joke and a very bad one. I did a Worm series like 2 years ago and seemingly nothing has been done about it. Strange thing is that Home products will do better against Worms than Enterprise applications! The latter are too afraid of creating FP's so are very prone to script-kiddie malware such as those used in the retail breaches at Home Depot and Target; also much more elaborate scriptors are being directed at governments and God alone knows how many are still active and undetected.
I've been railing about this for years, and is the main reason I left the Security field and Fled to Wall Street: now I am not constantly depressed by the ignorance of those that should know better (mostly State University products).
a. Get into memory,
b. set itself up for persistence,
c. the ability to infect external drives when plugged in to the infected system,
d. and the ability to listen/receive on the Network.
So this is a really Bargain Basement type of malware (when I got home tonight I saw a number of emails from former colleagues mocking me for being a Script-Kiddie at heart). Also, I do have a Part 3 already done which will feature Zemana (to be published soon).
Terry- Yes, it is a joke and a very bad one. I did a Worm series like 2 years ago and seemingly nothing has been done about it. Strange thing is that Home products will do better against Worms than Enterprise applications! The latter are too afraid of creating FP's so are very prone to script-kiddie malware such as those used in the retail breaches at Home Depot and Target; also much more elaborate scriptors are being directed at governments and God alone knows how many are still active and undetected.
I've been railing about this for years, and is the main reason I left the Security field and Fled to Wall Street: now I am not constantly depressed by the ignorance of those that should know better (mostly State University products).
Thanks for the video @cruelsister.
I'm just glad I have a multi-layered security setup that would prevent this type of malware ever being able to execute in the first place.
I'm just glad I have a multi-layered security setup that would prevent this type of malware ever being able to execute in the first place.
Interesting as usual. Thanks for sharing. As for Enterprises, will AppGuard or Windows built-in SRP, stop this worm?
Seems lame where a basic symptoms of worms should recognized because of usual behavior, unfortunately the changes brought by engines where usually ineffective on other hand.
At the end of the day, detection based algorithm is not a solution.
At the end of the day, detection based algorithm is not a solution.
@cruelsister thnaks for the review , can you please review the endpoint software they claim that next gen endpoint protection with AI are more accurate than old signature based product take a look to symantec or officescan trend micro
Those type of worms are the easiest to remove manually but can give some AV/AM a hard time
cruelsister
Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
SP- Sorry but I can't. I'm precluded from commenting on any Enterprise software due to my current employment, because of potential Conflicts of Interest.
@cruelsister
Windows 10 built-in security is considered by many forum members as sufficient to protect them against malware (including ransomware). But, there are few valid tests, that can prove/disprove such claims. Could you, please test against ransomware & scriptors the below configuration:
1. SRP default deny.
2. Blocked Windows Script Host and Powershell.
3. Windows Defender + Forced Smartscreen.
I noticed that in malware tests most testers use malware samples without 'Mark of the Web', so those samples cannot be checked by SmartScreen Application reputation cloud. Forced SmartScreen can check files without 'Mark of the Web'.
If you want, you can use Hard_Configurator to quickly apply the above config.
If the file is blocked by SRP, it is possible in the test to run the malware sample using Forced SmartScreen (<Run As SmartScreen> = Administrator, option in Hard_Configurator). In the above config, Forced SmartScreen is an additional protection, applied when installing files with active default deny SRP.
Windows 10 built-in security is considered by many forum members as sufficient to protect them against malware (including ransomware). But, there are few valid tests, that can prove/disprove such claims. Could you, please test against ransomware & scriptors the below configuration:
1. SRP default deny.
2. Blocked Windows Script Host and Powershell.
3. Windows Defender + Forced Smartscreen.
I noticed that in malware tests most testers use malware samples without 'Mark of the Web', so those samples cannot be checked by SmartScreen Application reputation cloud. Forced SmartScreen can check files without 'Mark of the Web'.
If you want, you can use Hard_Configurator to quickly apply the above config.
If the file is blocked by SRP, it is possible in the test to run the malware sample using Forced SmartScreen (<Run As SmartScreen> = Administrator, option in Hard_Configurator). In the above config, Forced SmartScreen is an additional protection, applied when installing files with active default deny SRP.
Last edited:
cruelsister
Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
Andy- Although I understand your point I will never do such a test for a variety of reasons:
1). My videos are targeted at two groups- Developers and the Total Noob. The Developer will want to see how their product failed without any extraneous stuff being involved, and the Total Noob will have absolutely no idea how to implement the changes you suggest. So (please, please understand there is NO insult intended!) a setup as you suggest would have so limited a practical appeal that it would not be worth doing. It normally takes me about 20-30 hours of preliminary work to make a 3 minute video (I know my videos seem to be half-assed, but they are really not), so I really have to pick and choose my topics carefully.
2). You will also note that I only run malware from my desktop. The reason for this is that it is the "lowest common denominator" is used; as a Web threat must still react locally on your system, and running stuff from the Desktop will also include things like a malware threat from a USB as well as an saved email attachment. So concentrating on something like Web Threats alone would be like testing something that will only work on Wednesdays. I never will do a "Wednesday Rules" video. never, ever.
3). Finally I feel that the computer should be used for High and Noble things (for a Woman to seek out and absorb recent topics in the Arts and Sciences; for the Male to watch Porn and play Video games). Wouldn't it be easier and more efficient to use something like CF or Umbra's love, AppGuard, and not worry about arcane Windows settings that most cannot understand, no less implement?
But I thank you for your comment- it speaks highly of your computer knowledge. But I just don't think the Game would be worth the Candle for the majority of computer users.
M
1). My videos are targeted at two groups- Developers and the Total Noob. The Developer will want to see how their product failed without any extraneous stuff being involved, and the Total Noob will have absolutely no idea how to implement the changes you suggest. So (please, please understand there is NO insult intended!) a setup as you suggest would have so limited a practical appeal that it would not be worth doing. It normally takes me about 20-30 hours of preliminary work to make a 3 minute video (I know my videos seem to be half-assed, but they are really not), so I really have to pick and choose my topics carefully.
2). You will also note that I only run malware from my desktop. The reason for this is that it is the "lowest common denominator" is used; as a Web threat must still react locally on your system, and running stuff from the Desktop will also include things like a malware threat from a USB as well as an saved email attachment. So concentrating on something like Web Threats alone would be like testing something that will only work on Wednesdays. I never will do a "Wednesday Rules" video. never, ever.
3). Finally I feel that the computer should be used for High and Noble things (for a Woman to seek out and absorb recent topics in the Arts and Sciences; for the Male to watch Porn and play Video games). Wouldn't it be easier and more efficient to use something like CF or Umbra's love, AppGuard, and not worry about arcane Windows settings that most cannot understand, no less implement?
But I thank you for your comment- it speaks highly of your computer knowledge. But I just don't think the Game would be worth the Candle for the majority of computer users.
M
Last edited:
Awesome video as always, thanks.
I think this kind of worm is common here where I live, frecuently I help my friends and family with that, some AV's really fail protecting the pc. I'm not saying names but is hard to reccomend AV/AM to protect with 100% (I know is impossible, but that's what my friends and family ask for)
I think this kind of worm is common here where I live, frecuently I help my friends and family with that, some AV's really fail protecting the pc. I'm not saying names but is hard to reccomend AV/AM to protect with 100% (I know is impossible, but that's what my friends and family ask for)
cruelsister
Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
Huchim- You may see that the prevalence of new worms is down to about 7% of all malware, but that's only because of the increase in ransomware. However most of the current computers currently infected will be infected by worms. As to the best way of determining infection by this class of malware tune in this weekend.
A byte of prevention is better than a megabyte of cure. My suggestion is to block wscript.exe if your friends don't use vbs scripts. That's one way to prevent vbs class worms from running.
True, worm are still prevalent here (Philippines). Never had any experience with ransomware except from MT's malware packs.
D
Deleted member 178
damn, she gots me...
I agree, use Appguard !
btw, CS are you French? seems someone said you are living in Paris?
5
509322
cruelsister
Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Forum Veteran
I was assigned to Paris station for a few years. Still go back for the end of the Tour and to do some shopping, otherwise have to content myself with NYC.
You may also like...
-
Massive npm infection: the Shai-Hulud worm and patient zero- Started by Khushal
- Replies: 2
-
iDefender Pro (Présentation & Reviews)- Started by Shadowra
- Replies: 8
-
Kaspersky Premium vs McAfee Advanced
- Started by Shadowra
- Replies: 87
-
-
iDefender Free (Presentation & Reviews)
- Started by Shadowra
- Replies: 14