Erebus Ransomware Utilizes a UAC Bypass and Requests a $90 Ransom Payment

Handsome Recluse

@DracusNarcrym Maybe it could then be a question of security+usability of UAC vs security+usability of other products without UAC.
Also, some applications may not prompt for UAC in standard user. Have you tried that?

spaceoctopus

"Once I heard from one of Dr.Web's staff that VirusTotal shares the samples with vendors, so why is this sample still undetected by many vendors? It's an important one, by the way!"

It's interesting what you said. :) I was reading an article from Panda Labs recently which explains that even if there is no detection on VirusTotal, it doesn't mean that your security software will not detect it. It concerned the Spora ransomware at the time:

"A few days ago, our colleagues at G-Data published an interesting analysis of Spora, a new ransomware that appeared in January. It had first been spotted by the people at ID Ransomware, and is mainly affecting Russia. A link was published in a forum detailing the analysis results of one of the samples sent by way of spam in VirusTotal. It is an HTA file that none of the engines present there detected, neither Panda Security, nor G-Data, nor any other.

Does this mean that the 53 participants in VirusTotal are unable to detect and block this new threat? Not at all. It means that at the time of the analysis nobody had bothered to write a signature to detect a file that, besides, is actually ephemeral. The important thing is to protect users and prevent them from becoming infected. If there is no other way to accomplish this than by creating a signature, there’s not much you can do about it. But at least for some of us this seems to be completely unnecessary in most cases, as in the present one.

Taking a look at the information in our cloud, we have observed and blocked Spora detections from the first moment, without having to create signatures for it. We can confirm that indeed most of the cases are in Russia, although we have also seen cases in Japan.

These are the different hashes that we’ve seen:

312445d2cca1cf82406af567596b9d8c
acc895318408a212b46bda7ec5944653
c1f37759c607f4448103a24561127f2e
c270cf1f2cfeb96d42ced4eeb26bb936"

Spora, a Sophisticated New Ransomware, Detected in January

Deleted member 178

"One of the reasons I have disabled UAC is that it has been disproved"

By whom? Microsoft? Or by some average Joes or pseudo-security experts?

If you were to test the effectiveness of UAC alone, you'd make sure that no other factor would interfere with the execution of the exploits.
It should be UAC vs its threats. Perhaps the developers should make a move at acknowledging the exploits and patching them. UAC is too much of a core security measure for such bypasses to be leniently misprioritized.
As for using as standard user account, that is indeed a measure of mitigation for such threats.

And some people still believe UAC is supposed to be a stand-alone security feature...

UAC is just an elevation blocker (not a security-oriented feature) and blocks whether the file is legit or not, nothing more, nothing less, and obviously, like everything, it is not perfect.

UAC was made to allow SUA accounts to install software easily without the need to switch to an admin account, not to block malware. It was taken by some people as a security feature because much malware asks for elevation, and M$ relayed this to promote the benefits of UAC (which was decried by ignorant people whining about its annoyance factor).

The UAC whitelist has been expanded since Vista because of those people, hence reducing its potential.

UAC is now part of the native security of Windows; demonstrating its failure by testing it alone is nonsense, because it means you have ignored SmartScreen & WinDef alerts (if any). Only fools may do this.

And let's say the ransomware silently bypasses ALL the native security of Windows; how was it able to be executed? You carelessly executed it yourself? From an unknown file sent by an unknown person? Blame yourself.

Security is about having safe habits; security apps are made to back up your safe habits, not your careless behaviors. Then, if you get infected after that, you can blame the product.
 
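A defender-side check of the UAC settings this post argues about, as an added example that is not part of the thread. The registry values are the standard Windows UAC policy settings; the labels, the "weak setting" thresholds and the findings text are my own assumptions.

```powershell
# Added example (not from the thread): audit the local UAC posture.
# Reads the documented UAC policy values and reports which ones weaken elevation control.
$sysKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $sysKey

# Missing values cast to 0, which is reported as the weak state below.
$enableLua = [int]$p.EnableLUA                    # 1 = UAC on, 0 = UAC off
$consent   = [int]$p.ConsentPromptBehaviorAdmin   # how admins are prompted
$secureDt  = [int]$p.PromptOnSecureDesktop        # 1 = prompt on secure desktop

# Human-readable meaning of ConsentPromptBehaviorAdmin (documented values).
$consentLabel = @{
    0 = 'elevate silently, no prompt'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (default)'
}

# Does this shell already hold a full admin token? With UAC on, an admin
# user's normal shell runs with a filtered token and this returns $false.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# Thresholds below are my own assumptions about what counts as a weak setting.
$findings = @()
if ($enableLua -ne 1) { $findings += 'EnableLUA=0: UAC is off, every process of an admin user is fully elevated' }
if ($consent -eq 0)   { $findings += 'ConsentPromptBehaviorAdmin=0: admins are elevated with no prompt at all' }
if ($secureDt -ne 1)  { $findings += 'PromptOnSecureDesktop=0: prompt is not isolated from other desktop processes' }
if ($elevated)        { $findings += 'This shell is already elevated; daily work belongs in a standard user account' }

[pscustomobject]@{
    EnableLUA                  = $enableLua
    ConsentPromptBehaviorAdmin = "$consent ($($consentLabel[$consent]))"
    PromptOnSecureDesktop      = $secureDt
    ShellIsElevated            = $elevated
    Findings                   = if ($findings) { $findings -join "`n" } else { 'no weak UAC settings found' }
} | Format-List
```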

Handsome Recluse

I think there should also be more talk about the other aspects of security, or the products behind it: usability, efficiency, stability, availability, ease of implementation, etc. I would've liked to see that instead of just raw security numbers that always change, or what enterprises (although interesting) do. These are OUR computers after all and not some tools of businesses. We're ultimately responsible for them and are therefore the ones who have authority over them. We're also not targeted, so deviations from enterprises should be expected. These deviations are what I want to be able to rest in peace with.
 
