- Apr 13, 2013
- 3,224
Can the HitMan squish a Worm?
- Thread starter cruelsister
- Start date
It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
- Aug 30, 2015
- 1,928
Out of curiosity was the sample uploaded to VT yet? I'm curious to see how Zemana Anti-Malware/Logger can detect this. 
Great video btw!
-JGamez
Great video btw!
-JGamez
- Mar 1, 2014
- 1,708
The video would mean that the worm is currently laughing at these four engines: Kaspersky's, Bitdefender's, Sophos', and HitmanPro's own engine.
- Feb 7, 2014
- 1,540
It is ok to get a joke here and there off an engine but it is another thing when it come to they defence system where with Kaspersky's or Bitdefender's whole package the joke ends.
- Apr 13, 2013
- 3,224
JG- Really no need to upload this one anywhere- I coded it only to have very basic worm functions:
a. Get into memory,
b. set itself up for persistence,
c. the ability to infect external drives when plugged in to the infected system,
d. and the ability to listen/receive on the Network.
So this is a really Bargain Basement type of malware (when I got home tonight I saw a number of emails from former colleagues mocking me for being a Script-Kiddie at heart). Also, I do have a Part 3 already done which will feature Zemana (to be published soon).
Terry- Yes, it is a joke and a very bad one. I did a Worm series like 2 years ago and seemingly nothing has been done about it. Strange thing is that Home products will do better against Worms than Enterprise applications! The latter are too afraid of creating FP's so are very prone to script-kiddie malware such as those used in the retail breaches at Home Depot and Target; also much more elaborate scriptors are being directed at governments and God alone knows how many are still active and undetected.
I've been railing about this for years, and is the main reason I left the Security field and Fled to Wall Street: now I am not constantly depressed by the ignorance of those that should know better (mostly State University products).
a. Get into memory,
b. set itself up for persistence,
c. the ability to infect external drives when plugged in to the infected system,
d. and the ability to listen/receive on the Network.
So this is a really Bargain Basement type of malware (when I got home tonight I saw a number of emails from former colleagues mocking me for being a Script-Kiddie at heart). Also, I do have a Part 3 already done which will feature Zemana (to be published soon).
Terry- Yes, it is a joke and a very bad one. I did a Worm series like 2 years ago and seemingly nothing has been done about it. Strange thing is that Home products will do better against Worms than Enterprise applications! The latter are too afraid of creating FP's so are very prone to script-kiddie malware such as those used in the retail breaches at Home Depot and Target; also much more elaborate scriptors are being directed at governments and God alone knows how many are still active and undetected.
I've been railing about this for years, and is the main reason I left the Security field and Fled to Wall Street: now I am not constantly depressed by the ignorance of those that should know better (mostly State University products).
- Aug 31, 2016
- 578
Thanks for the video @cruelsister.
I'm just glad I have a multi-layered security setup that would prevent this type of malware ever being able to execute in the first place.
I'm just glad I have a multi-layered security setup that would prevent this type of malware ever being able to execute in the first place.
- Dec 23, 2014
- 8,513
Interesting as usual. Thanks for sharing. As for Enterprises, will AppGuard or Windows built-in SRP, stop this worm?
- Mar 15, 2011
- 13,070
Seems lame where a basic symptoms of worms should recognized because of usual behavior, unfortunately the changes brought by engines where usually ineffective on other hand.
At the end of the day, detection based algorithm is not a solution.
At the end of the day, detection based algorithm is not a solution.
@cruelsister thnaks for the review , can you please review the endpoint software they claim that next gen endpoint protection with AI are more accurate than old signature based product take a look to symantec or officescan trend micro
- Jan 9, 2013
- 1,457
Those type of worms are the easiest to remove manually but can give some AV/AM a hard time
- Apr 13, 2013
- 3,224
SP- Sorry but I can't. I'm precluded from commenting on any Enterprise software due to my current employment, because of potential Conflicts of Interest.
- Dec 23, 2014
- 8,513
@cruelsister
Windows 10 built-in security is considered by many forum members as sufficient to protect them against malware (including ransomware). But, there are few valid tests, that can prove/disprove such claims. Could you, please test against ransomware & scriptors the below configuration:
1. SRP default deny.
2. Blocked Windows Script Host and Powershell.
3. Windows Defender + Forced Smartscreen.
I noticed that in malware tests most testers use malware samples without 'Mark of the Web', so those samples cannot be checked by SmartScreen Application reputation cloud. Forced SmartScreen can check files without 'Mark of the Web'.
If you want, you can use Hard_Configurator to quickly apply the above config.
If the file is blocked by SRP, it is possible in the test to run the malware sample using Forced SmartScreen (<Run As SmartScreen> = Administrator, option in Hard_Configurator). In the above config, Forced SmartScreen is an additional protection, applied when installing files with active default deny SRP.
Windows 10 built-in security is considered by many forum members as sufficient to protect them against malware (including ransomware). But, there are few valid tests, that can prove/disprove such claims. Could you, please test against ransomware & scriptors the below configuration:
1. SRP default deny.
2. Blocked Windows Script Host and Powershell.
3. Windows Defender + Forced Smartscreen.
I noticed that in malware tests most testers use malware samples without 'Mark of the Web', so those samples cannot be checked by SmartScreen Application reputation cloud. Forced SmartScreen can check files without 'Mark of the Web'.
If you want, you can use Hard_Configurator to quickly apply the above config.
If the file is blocked by SRP, it is possible in the test to run the malware sample using Forced SmartScreen (<Run As SmartScreen> = Administrator, option in Hard_Configurator). In the above config, Forced SmartScreen is an additional protection, applied when installing files with active default deny SRP.
Last edited:
- Apr 13, 2013
- 3,224
Andy- Although I understand your point I will never do such a test for a variety of reasons:
1). My videos are targeted at two groups- Developers and the Total Noob. The Developer will want to see how their product failed without any extraneous stuff being involved, and the Total Noob will have absolutely no idea how to implement the changes you suggest. So (please, please understand there is NO insult intended!) a setup as you suggest would have so limited a practical appeal that it would not be worth doing. It normally takes me about 20-30 hours of preliminary work to make a 3 minute video (I know my videos seem to be half-assed, but they are really not), so I really have to pick and choose my topics carefully.
2). You will also note that I only run malware from my desktop. The reason for this is that it is the "lowest common denominator" is used; as a Web threat must still react locally on your system, and running stuff from the Desktop will also include things like a malware threat from a USB as well as an saved email attachment. So concentrating on something like Web Threats alone would be like testing something that will only work on Wednesdays. I never will do a "Wednesday Rules" video. never, ever.
3). Finally I feel that the computer should be used for High and Noble things (for a Woman to seek out and absorb recent topics in the Arts and Sciences; for the Male to watch Porn and play Video games). Wouldn't it be easier and more efficient to use something like CF or Umbra's love, AppGuard, and not worry about arcane Windows settings that most cannot understand, no less implement?
But I thank you for your comment- it speaks highly of your computer knowledge. But I just don't think the Game would be worth the Candle for the majority of computer users.
M
1). My videos are targeted at two groups- Developers and the Total Noob. The Developer will want to see how their product failed without any extraneous stuff being involved, and the Total Noob will have absolutely no idea how to implement the changes you suggest. So (please, please understand there is NO insult intended!) a setup as you suggest would have so limited a practical appeal that it would not be worth doing. It normally takes me about 20-30 hours of preliminary work to make a 3 minute video (I know my videos seem to be half-assed, but they are really not), so I really have to pick and choose my topics carefully.
2). You will also note that I only run malware from my desktop. The reason for this is that it is the "lowest common denominator" is used; as a Web threat must still react locally on your system, and running stuff from the Desktop will also include things like a malware threat from a USB as well as an saved email attachment. So concentrating on something like Web Threats alone would be like testing something that will only work on Wednesdays. I never will do a "Wednesday Rules" video. never, ever.
3). Finally I feel that the computer should be used for High and Noble things (for a Woman to seek out and absorb recent topics in the Arts and Sciences; for the Male to watch Porn and play Video games). Wouldn't it be easier and more efficient to use something like CF or Umbra's love, AppGuard, and not worry about arcane Windows settings that most cannot understand, no less implement?
But I thank you for your comment- it speaks highly of your computer knowledge. But I just don't think the Game would be worth the Candle for the majority of computer users.
M
Last edited:
- Oct 17, 2015
- 240
Awesome video as always, thanks.
I think this kind of worm is common here where I live, frecuently I help my friends and family with that, some AV's really fail protecting the pc. I'm not saying names but is hard to reccomend AV/AM to protect with 100% (I know is impossible, but that's what my friends and family ask for)
I think this kind of worm is common here where I live, frecuently I help my friends and family with that, some AV's really fail protecting the pc. I'm not saying names but is hard to reccomend AV/AM to protect with 100% (I know is impossible, but that's what my friends and family ask for)
- Apr 13, 2013
- 3,224
Huchim- You may see that the prevalence of new worms is down to about 7% of all malware, but that's only because of the increase in ransomware. However most of the current computers currently infected will be infected by worms. As to the best way of determining infection by this class of malware tune in this weekend.
- Jan 9, 2013
- 1,457
A byte of prevention is better than a megabyte of cure. My suggestion is to block wscript.exe if your friends don't use vbs scripts. That's one way to prevent vbs class worms from running.
True, worm are still prevalent here (Philippines). Never had any experience with ransomware except from MT's malware packs.
damn, she gots me...
I agree, use Appguard !
btw, CS are you French? seems someone said you are living in Paris?
- Apr 13, 2013
- 3,224
I was assigned to Paris station for a few years. Still go back for the end of the Tour and to do some shopping, otherwise have to content myself with NYC.
Similar threads
