App Review Comodo Firewall vs Fileless Malware


EASTER

Level 4
Verified
Well-known
May 9, 2017
159
Oh this is going to be good. Being up all night finally finishing up touches on another system and in overdrive mode so just taking a seat after those hours of mods (with a little MI Motor Speedway NASCAR thrown in today) only to see this surface already.

Thanks as always Cruelsister, you are truly a darling and master of discovery & details with these.

Would love to see one sometime and your take on a recent fileless ransomware showing up named Fileless SOREBRECT Discovered with Code Injection Capability
 

FrFc1908

Level 20
Verified
Top Poster
Well-known
Jul 28, 2016
950
thanks again sis for yet another illuminating video! comodo really is the master when it comes to crushing malware :) too bad I keep having problems with them and windows updates :( I hope you have a great relaxing holiday and blackhats will not disturb you during sunbathing :)
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
As I still had energy tonight I actually completed another fileless malware video (where Comodo is not mentioned once); either I or a friend will post that one next week. A surprising result for a product I've shamelessly mocked in the past!

And was Alice Coltrane a bit too much?
 

ZeroDay

Level 30
Verified
Top Poster
Well-known
Aug 17, 2013
1,905
> As I still had energy tonight I actually completed another fileless malware video (where Comodo is not mentioned once); either I or a friend will post that one next week. A surprising result for a product I've shamelessly mocked in the past!
>
> And was Alice Coltrane a bit too much?

Would said product be Avast? Thank you for the video, CS.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
Just to show how strange communication is on this "fileless" type of malware, here are some stats:

FILES created (and 100% detectable) for it to be running on the system: 8
jl.txt
59301fecd6aca16.41438751.txt
59301fecd6ab61.06573335.txt
59301fecd6ab73.89307919.txt
59301fecd6ac99.92981850.txt
C_powershell.exe_950222ACB58D17766C7B4FDD001734894843F47F.ps
C_powershell.exe_3OC6BDF282E13C2E54BAC21793EOAD6D45D45DEB88.ps
59301fecd6abb4.43763376.txt

Total HIPS alerts based on the presence of these files: 29

I guess it's called fileless because it works via network vulnerabilities once it is on a network someplace. However, I feel like "fileless" would even in that case be a misnomer, considering how many files were required for the malware to be fully operational. Wannacry was a bad deal that apparently could spread via the network without files :confused:, but I suspect CFW would have blocked it from being injected onto a vulnerable machine via the network.

Attached is the entire HIPS sequence in the video if anyone would like to see it.
 

Attachments

  • Cruelsister Fileless Malware Versus Comodo Firewall Analysis and Commentary.txt
    7 KB · Views: 788

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
The term "fileless", which I'm really getting to hate, is used quite loosely recently. In the case of this particular malware the usage is that the usual suspects (exe's, js's, etc.) are never used or dropped onto the Disk. Instead we have a bunch of text files. Now I'm not diminishing this in any way- if you knew a system was infected and were doing analysis on it would you really suspect that an innocuous text file was the culprit? A case of hiding in plain sight.

Previously fileless was considered something like a Rootkit (on the kernel level- they can be detected without that much issue but the problem is with the persistence mechanism), a memory-resident thingy which is essentially an injector into stuff like svchost, or registry malware which would still need some file to be executed first prior to infection.

So basically all of the so-called fileless malware can be detected on a gross basis to some extent, and NONE SHOULD BE CONSIDERED MAGIC. And keeping magic out of malware is important- there are discussions ongoing (thankfully) elsewhere where none of the participants realize that the arguments are based on a magical first cause.

But anyway, concerning the file I used in the video- when I did my initial pre-production malware analysis it was found that for the original file used (the one on the Desktop) there were something like 22 detections. Of these, 12 were dumb (only for that specific file), and the rest were detecting "how" the file was opened (my cat proved this to me by a bit of re-coding). And of the txt and ps spawn, at that time only Symantec and McAfee detected one of the text files. All the others were FUD.

Also please note that the only reason I used the HIPS and allowed everything was to demonstrate the infective cascade of processes. I hope that any students out there remember this- it's almost like having a cheat-sheet when going over code.


ps- Atlbo- malware injecting into a process is no issue for CF. With HIPS on alone one will get an alert that the malware wants Unlimited Control over a valid process. With Cruel Comodo the malware would be totally prevented from this injection, for the simple fact that the true legitimate process is not available to it- no HIPS alerts needed.
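The "infective cascade of processes" described above (an Office document spawning a script host, which in turn launches PowerShell from files whose extension says "text") is exactly the kind of chain a defender can reconstruct from process-creation telemetry. The following is an added example, not code from the thread or from Comodo: it walks a set of constructed process-creation events and flags two things, a script host whose ancestry includes an Office application, and a script host handed a file whose extension is not a script type. The file names are the ones AtlBo listed; the paths, PIDs and command lines are invented for the example.

```python
"""Flag the Office -> script host -> PowerShell cascade and scripts run
from files whose extension disguises them as plain text."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Extensions a script host would normally be handed; anything else is odd.
SCRIPT_EXTS = {".ps1", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd"}

# Constructed process-creation events (pid, parent pid, image, command line).
# Modelled on the chain discussed in the thread; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",
     "cmd": "WINWORD.EXE /n invoice.doc"},
    {"pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmd": "wscript.exe //E:jscript C:\\Users\\x\\AppData\\Local\\Temp\\jl.txt"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command "
            "\"Get-Content C:\\Users\\x\\AppData\\Local\\Temp\\59301fecd6aca16.41438751.txt\""},
    {"pid": 500, "ppid": 100, "image": "notepad.exe",
     "cmd": "notepad.exe notes.txt"},
]

_WIN_PATH = re.compile(r'([A-Za-z]:\\[^\s"]+)')


def build_index(events):
    """Map pid -> event so parents can be looked up in O(1)."""
    return {e["pid"]: e for e in events}


def ancestry(index, pid):
    """Image names from the process up to the root, guarding against pid reuse loops."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid]["image"].lower())
        pid = index[pid]["ppid"]
    return chain


def odd_extension_paths(cmd):
    """Windows paths on a script host's command line whose extension is not a script type."""
    odd = []
    for path in _WIN_PATH.findall(cmd):
        name = path.rsplit("\\", 1)[-1]
        ext = ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""
        if ext not in SCRIPT_EXTS:
            odd.append(path)
    return odd


def detect(events):
    """Return one finding per rule hit: office_spawned_script_host, script_from_non_script_extension."""
    index = build_index(events)
    findings = []
    for e in events:
        if e["image"].lower() not in SCRIPT_HOSTS:
            continue
        chain = ancestry(index, e["pid"])
        if any(a in OFFICE_APPS for a in chain[1:]):
            findings.append({"pid": e["pid"], "rule": "office_spawned_script_host",
                             "chain": " <- ".join(chain)})
        odd = odd_extension_paths(e["cmd"])
        if odd:
            findings.append({"pid": e["pid"], "rule": "script_from_non_script_extension",
                             "paths": odd})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Both rules fire for the wscript.exe and powershell.exe events and neither fires for notepad.exe; in practice the ancestry walk is what matters, because the PowerShell process alone looks like routine administration until its grandparent turns out to be WINWORD.EXE.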
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
Hi telos- just saw your post. Yeah the HIPS alone would have alerted you at the get-go. Terminate at the first prompt or Terminate and Reverse afterwards would have been adequate for protection. But even nicer is just letting the Sandbox do the work for you!
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
> The term "fileless", which I'm really getting to hate is used quite loosely recently. In the case of this particular malware the usage is that the usual suspects (exe's js's, etc) are never used or dropped onto the Disk. Instead we have a bunch of text files.

@cruelsister, so is this a case where a macro (in standardly allowed/unmonitored WINWORD.exe) creates a text file and then uses the contents to request use of wscript.exe (starting the episode)? If so, I guess some vendors are saying fileless because neither the macro nor the text file are considered monitorable (companies require macros so that's out and then text isn't an executable).

I feel like the clever terminology "fileless" hides a simple truth in this instance. Comodo monitors .txt file contents as potentially useful by a program/malware and can in cases like this consider it an executable while some apparently do not if I understand correctly. I wouldn't either consider this fileless.

BTW, it would be fascinating to know if Avast in hardened would have blocked this malware.
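The point made above, that a file's contents, not its extension, decide whether it is executable, is something a defender can check directly. The following is an added example and not code from the thread or from any vendor: a content-based classifier that looks for PowerShell and Windows Script Host syntax inside files regardless of extension, run over a handful of constructed sample files. The two script samples are benign lines invented for the example; the file names reuse two of the names AtlBo listed, and the detection patterns are an assumption about what "looks like a script", not a published rule set.

```python
"""Classify files by content so a script hidden in a .txt is still seen as a script."""
import re

# Each pattern family maps a language to a few syntactic markers. Two hits
# from one family are required, which keeps ordinary prose that mentions
# "Get-Content" from being flagged.
SIGNATURES = {
    "powershell": [
        re.compile(r"\$\w+\s*="),                        # variable assignment
        re.compile(r"\b(?:Get|Set|Invoke|Write|Select|New)-\w+\b"),  # cmdlet verb-noun
        re.compile(r"\|\s*\w+-\w+"),                     # pipeline into a cmdlet
    ],
    "wsh_script": [
        re.compile(r"\bCreateObject\s*\(", re.I),
        re.compile(r"\bWScript\.", re.I),
        re.compile(r"\bActiveXObject\s*\(", re.I),
        re.compile(r"^\s*(?:Set|Dim)\s+\w+", re.I | re.M),
    ],
}

# Constructed sample files (name -> bytes). Not taken from the malware in the video.
SAMPLE_FILES = {
    "jl.txt": b'Set sh = CreateObject("WScript.Shell")\r\n'
              b'WScript.Echo sh.ExpandEnvironmentStrings("%TEMP%")\r\n',
    "59301fecd6aca16.41438751.txt": b"$procs = Get-Process | Select-Object -First 3\r\n"
                                    b"Write-Output $procs\r\n",
    "notes.txt": b"Remember to Get-Content the meeting notes before Friday.\r\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
}


def looks_textual(data):
    """Treat a buffer as text only if it decodes and contains no NUL bytes."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def classify_text(text, min_hits=2):
    """Return the set of script families with at least min_hits distinct markers."""
    found = set()
    for family, patterns in SIGNATURES.items():
        hits = sum(1 for p in patterns if p.search(text))
        if hits >= min_hits:
            found.add(family)
    return found


def scan_files(files):
    """Map each file name to the script families its content matches ({} for plain text/binary)."""
    report = {}
    for name, data in files.items():
        if not looks_textual(data):
            report[name] = set()
            continue
        report[name] = classify_text(data.decode("utf-8"))
    return report


def suspicious(files):
    """Names whose extension claims plain text but whose content is a script."""
    return sorted(name for name, fams in scan_files(files).items()
                  if name.lower().endswith(".txt") and fams)


if __name__ == "__main__":
    for name, fams in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {sorted(fams) or 'no script markers'}")
    print("extension/content mismatch:", suspicious(SAMPLE_FILES))
```

The two-marker threshold is the important design choice: a single cmdlet name in English prose is not evidence, but an assignment plus a pipeline, or a `CreateObject(` plus a `WScript.` reference, rarely appears in a genuine note. This mirrors the thread's observation that a product which reads the contents can treat the file as executable while an extension-based scanner never looks.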
 

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
> @cruelsister, so is this a case where a macro (in standardly allowed/unmonitored WINWORD.exe) creates a text file and then uses the contents to request use of wscript.exe (starting the episode)? If so, I guess some vendors are saying fileless because neither the macro nor the text file are considered monitorable (companies require macros so that's out and then text isn't an executable).
>
> I feel like the clever terminology "fileless" hides a simple truth in this instance. Comodo monitors .txt file contents as potentially useful by a program/malware and can in cases like this consider it an executable while some apparently do not if I understand correctly. I wouldn't either consider this fileless.
>
> BTW, it would be fascinating to know if Avast in hardened would have blocked this malware.

I don't think anyone tests Avast on the hub and the AVG tester @Der.Reisende didn't have Office to execute the macro in.
 

AtlBo

Level 28
Verified
Top Poster
Content Creator
Well-known
Dec 29, 2014
1,716
> I don't think anyone tests Avast on the hub and the AVG tester @Der.Reisende didn't have Office to execute the macro in.

Thanks for the info :(. I am scared siamese about testing, or I might try this myself, although I only have Office 2007 on another PC. The part that gets me the most is the potential for infecting someone somewhere via the network. I know, VPN, but there is a lot to think about even then I fear. The experienced testers here have instincts that I would want to develop before even starting. :eek:
 

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
> @cruelsister, so is this a case where a macro (in standardly allowed/unmonitored WINWORD.exe) creates a text file and then uses the contents to request use of wscript.exe (starting the episode)? If so, I guess some vendors are saying fileless because neither the macro nor the text file are considered monitorable (companies require macros so that's out and then text isn't an executable).
>
> I feel like the clever terminology "fileless" hides a simple truth in this instance. Comodo monitors .txt file contents as potentially useful by a program/malware and can in cases like this consider it an executable while some apparently do not if I understand correctly. I wouldn't either consider this fileless.
>
> BTW, it would be fascinating to know if Avast in hardened would have blocked this malware.

> I don't think anyone tests Avast on the hub and the AVG tester @Der.Reisende didn't have Office to execute the macro in.

I will test avast with and without hardened mode when I get home. Now I'm in the airport. The result would properly be uploaded on 20 or 21/6
 

kiric96

Level 19
Verified
Well-known
Jul 10, 2014
917
as always a great video, I wonder what would happen with CCAV

Anyway @cruelsister have you noticed that Comodo used your video to promote itself on FB
Sin título.png
 
