Comodo Firewall vs Fileless Malware
cruelsister wrote (post 642766):

The term "fileless", which I'm really getting to hate, is used quite loosely recently. In the case of this particular malware the usage is that the usual suspects (exe's, js's, etc.) are never used or dropped onto the Disk. Instead we have a bunch of text files. Now I'm not diminishing this in any way- if you knew a system was infected and were doing analysis on it, would you really suspect that an innocuous text file was the culprit? A case of hiding in plain sight.

Previously fileless was considered something like a Rootkit (on the kernel level- they can be detected without that much issue but the problem is with the persistence mechanism), a memory-resident thingy which is essentially an injector into stuff like svchost, or registry malware which would still need some file to be executed first prior to infection.

So basically all of the so-called fileless malware can be detected on a gross basis to some extent, and NONE SHOULD BE CONSIDERED MAGIC. And keeping magic out of malware is important- there are discussions ongoing (thankfully) elsewhere where none of the participants realizes that the arguments are based on a magical first cause.

But anyway, concerning the file I used in the video- when I did my initial pre-production malware analysis it was found that for the original file used (the one on the Desktop) there were something like 22 detections. Of these, 12 were dumb (only for that specific file), and the rest were detecting "how" the file was opened (my cat proved this to me by a bit of re-coding). And of the txt and ps spawn, at that time only Symantec and McAfee detected one of the text files. All the others were FUD.

Also please note that the only reason I used the HIPS and allowed everything was to demonstrate the infective cascade of processes. I hope that any students out there remember this- it's almost like having a cheat-sheet when going over code.

ps- Atlbo- malware injecting into a process is no issue for CF. With HIPS on alone one will get an alert that the malware wants Unlimited Control over a valid process. With Cruel Comodo the malware would be totally prevented from this injection, for the simple fact that the true legitimate process is not available to it- no HIPS alerts needed.
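The post's point that this "fileless" sample still shows up "on a gross basis" as a cascade of processes reading payloads out of .txt files can be checked mechanically. The following is an added example, not code from the thread or from Comodo: it walks constructed process-creation events (the event layout, paths and the set of script hosts are assumptions) and flags any script interpreter whose command line names a text file, printing the full parent chain so the cascade is visible.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events: (pid, parent_pid, image, command_line).
# The explorer -> cmd -> powershell -> powershell chain mimics the "txt and ps spawn"
# cascade described in the post; notepad and the .ps1 launch are benign controls.
EVENTS: List[Tuple[int, int, str, str]] = [
    (900, 1, "explorer.exe", "explorer.exe"),
    (4000, 900, "notepad.exe", 'notepad.exe "C:\\Users\\u\\Desktop\\readme.txt"'),
    (4100, 900, "powershell.exe", "powershell.exe -File C:\\build\\deploy.ps1"),
    (4200, 900, "cmd.exe", "cmd.exe /c type C:\\Users\\u\\AppData\\Roaming\\s1.txt"),
    (4300, 4200, "powershell.exe", "powershell.exe -NoProfile C:\\Users\\u\\AppData\\Roaming\\s2.txt"),
    (4400, 4300, "powershell.exe", "powershell.exe -NoProfile C:\\Users\\u\\AppData\\Roaming\\s3.txt"),
]

# Interpreters worth watching (assumed set; the post names cmd/PowerShell and JS hosts).
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# A Windows path ending in .txt anywhere on the command line.
TXT_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+\.txt\b', re.IGNORECASE)


def ancestry(pid: int, by_pid: Dict[int, Tuple[int, int, str, str]]) -> List[str]:
    """Follow parent links to the root and return the image chain, root first."""
    chain: List[str] = []
    seen = set()  # guards against PID reuse producing a loop
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        _, ppid, image, _ = by_pid[pid]
        chain.append(image)
        pid = ppid
    return chain[::-1]


def suspicious_cascades(events: List[Tuple[int, int, str, str]]) -> List[dict]:
    """Flag script hosts whose command line names a .txt file, with their parent chain."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, _, image, cmdline in events:
        if image.lower() not in SCRIPT_HOSTS:
            continue  # notepad opening a .txt is ordinary
        txt_files = TXT_PATH.findall(cmdline)
        if not txt_files:
            continue  # a script host running an actual script is a different pattern
        hits.append({"pid": pid, "chain": " > ".join(ancestry(pid, by_pid)), "text_files": txt_files})
    return hits


if __name__ == "__main__":
    for hit in suspicious_cascades(EVENTS):
        print(f"pid {hit['pid']}: {hit['chain']} <- {hit['text_files']}")
```

On the constructed events this reports the three processes of the cascade and none of the benign controls; the .txt heuristic is deliberately coarse and would be tuned against real telemetry.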