geminis3

Level 15
Verified
Malware Tester

After recording I manually submitted the sample to ESET since I'm currently using EIS on my host. I know it would have been manually blocked with interactive HIPS but it's just too annoying for most people.

This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
We encourage you to compare these results with others and take informed decisions on what security products to use.
Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

MacDefender

Level 11
Verified
> I don't think since this was a homemade sample, for real life scenarios, you should use samples seen in the wild that are way more sophisticated than mine, which is limited to calling 7zip to do the dirty job.

I agree, the answer is kind of complicated. No, real ransomware tends to have a mechanism for phoning home, a mechanism for uploading/escrowing some sort of key (if not your entire data), and is likely based on some existing form of ransomware.

With that said, we've seen real world ransomware that uses WinZip, 7Zip, and other archivers to do the encrypting. And we've seen the recent CertUtil.exe based ransomware that defeats many AV software because it uses a built in system binary to do the dirty work.

One can argue that if your AV cannot detect this threat, you're vulnerable to this class of attacks. After all, scripts and fileless malware can bypass static inspection, leaving it up to the behavior blocker to save your files. If it cannot detect this attack, your files could very well have been encrypted and lost, even if another component of your AV software detects the attempt to phone home or subsequent suspicious behavior.

Very very few have the ability to roll back harmful actions -- KSW is one of them, but in one of the tests conducted against my sample, it also failed to completely roll everything back.
 
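The pattern discussed above (a batch file handing the encryption to a legitimate archiver, or to certutil) is what a behaviour blocker has to catch. As an added example, not code from anyone in this thread, here is a small check over constructed Sysmon-style process-creation records: it flags an archiver launched by a script host with 7-Zip's real password (-p), header-encryption (-mhe=on) or delete-after-archiving (-sdel) switches, and certutil -encode launched the same way, while ignoring the same tools started interactively from Explorer. Field names follow Sysmon event ID 1; the log records themselves are constructed.

```python
import re
import shlex

# Script hosts the thread names (batch, VBS, PowerShell) plus two common relatives.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "winrar.exe", "rar.exe"}
# Real 7-Zip switches that turn an archive job into "encrypt and destroy originals".
ENCRYPT_FLAGS = re.compile(r"^-(p\S*|mhe=on|sdel)$", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path ('C:\\Windows\\System32\\cmd.exe' -> 'cmd.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(record):
    """Return a short reason string if the record looks like script-driven archiver encryption, else None."""
    image = basename(record["Image"])
    parent = basename(record["ParentImage"])
    try:
        args = shlex.split(record["CommandLine"], posix=False)  # keep Windows backslashes intact
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        args = record["CommandLine"].split()
    flags = [a for a in args[1:] if ENCRYPT_FLAGS.match(a.strip('"'))]
    if image in ARCHIVERS and parent in SCRIPT_HOSTS and flags:
        return f"{parent} -> {image} with {' '.join(flags)}"
    if image == "certutil.exe" and parent in SCRIPT_HOSTS and any(a.lower() == "-encode" for a in args):
        return f"{parent} -> certutil -encode"
    return None


def scan(records):
    """Return (index, reason) for every record that classify() flags."""
    return [(i, r) for i, rec in enumerate(records) if (r := classify(rec))]


# Constructed sample records (Sysmon EID 1 field names); not real telemetry.
SAMPLE = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -pS3cret -mhe=on -sdel C:\Users\vm\Documents\locked.7z "C:\Users\vm\Documents\*"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a backup.7z "C:\Users\vm\Documents\*"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'certutil.exe -encode "C:\Users\vm\Documents\report.docx" report.b64'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -pHunter2 private.7z tax.pdf'},
]

if __name__ == "__main__":
    for i, reason in scan(SAMPLE):
        print(f"record {i}: {reason}")
```

Only records 0 and 2 are flagged; the user-initiated password-protected archive in record 3 is left alone because its parent is Explorer, which is the kind of context a HIPS rule that simply blocks cmd.exe cannot express.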

cruelsister

Level 37
Verified
Trusted
Content Creator
The issue seen here is that many AV products have issues with clever batch files. This is due primarily to the fact that they can be readily tweaked to make them zero day, and the logical path may not have been previously utilized in a widespread way (obviously I'm beating around the bush). Net result is the malware (which can be coded as a batch, VBS, Powershell) will be undetected by AV definition and blown off as inconsequential by HIPS (cmd is legit but still powerful).

However, Script Analysis in conjunction with Sandboxing (CF) will find things such as these rather trivial.
 

blackice

Level 28
Verified
> The issue seen here is that many AV products have issues with clever batch files. This is due primarily to the fact that they can be readily tweaked to make them zero day, and the logical path may not have been previously utilized in a widespread way (obviously I'm beating around the bush). Net result is the malware (which can be coded as a batch, VBS, Powershell) will be undetected by AV definition and blown off as inconsequential by HIPS (cmd is legit but still powerful).
>
> However, Script Analysis in conjunction with Sandboxing (CF) will find things such as these rather trivial.

Would blocking execution of cmd and powershell (and disabling VBS) with HIPS or OSArmor when not needed help mitigate this risk? I know some threats bring along powershell in tow, but many don't if I understand correctly.
 

cruelsister

Level 37
Verified
Trusted
Content Creator
Geminis3- Don't give away the family jewels!

Blackice- Yeah, one COULD make a bunch of exclusions like disabling Powershell, vbs, python, cmd, etc, etc. But with each exclusion you are restricting many benign scripts from running, some of which are needed by either Windows or some other application in order to run fully. For instance (if memory serves) the AV product FortiClient uses certutil for its updating function. Better to use a product that makes such blanket exclusions not necessary.

Ebocious- Yeah, CruelCF protects
 

Parsh

Level 25
Verified
Trusted
Malware Hunter
@cruelsister can all the AVs missing this sample possibly be attributed to the sample being a bona fide one?
@geminis3 mentioned earlier that the sample was compiled on the same VM he has been testing on.
Do you think that can be a premise (user creating the sample for intentional use using a legit app), following which the AVs are not flagging it OR would it simply be a whitelisted app doing the dirty job in a less pronounced manner?
The sample is also labelled as Hoax.Win64.FakeRansom.a by Kaspersky.
 

ebocious

Level 4
> Blackice- Yeah, one COULD make a bunch of exclusions like disabling Powershell, vbs, python, cmd, etc, etc. But with each exclusion you are restricting many benign scripts from running, some of which are needed by either Windows or some other application in order to run fully. For instance (if memory serves) the AV product FortiClient uses certutil for its updating function. Better to use a product that makes such blanket exclusions not necessary.
>
> Ebocious- Yeah, CruelCF protects

Now, if only someone would make a Mac equivalent to CF. :(
 