509322

In the home environment, the fileless attack can start mostly when the user opens something with embedded malicious content (web page, document, etc.). So, the first defense line should not be Anti-Exe, memory monitoring, and some other advanced security features but rather reducing the attack vectors:
  1. Safe web browser with sandboxing.
  2. Anti-spam software.
  3. Safe DNS (anti-phishing, anti-malware, anti-adware URL blocking) or web filtering via web browser extension.
  4. Avoiding the commonly abused software (MS Office, Adobe Acrobat Reader, etc.) or blocking the active content (at least) for viewing documents.
  5. Blocking script engines.
  6. Updating the system and software.
  7. Using trusted software portals to install applications.
There are surely some more. The stronger one is using a default-deny solution. The Enterprises have to use something like ATP, because they cannot adopt solutions like points 4, 5 and 6, and they are much more vulnerable via network attacks and generally via targeted attacks.

Enterprises certainly can do 4, 5 and 6 - more or less. Microsoft has given them ways to do it and they have options other than Microsoft available to them. Some just don't or refuse to do it. I see it all the time.

There is no reason to allow script engines to run full-time in most commercial settings.

The objections are invariably... "We don't want to change", "It will cost money", "It will be inconvenient", "It is too much work", etc, etc. For the exceptional cases, these objections are just objecting for objection's sake. It is all about willingness - as opposed to what will work without major inconvenience.

Just remember... these enterprises that object so much have your personal data on their systems.
 

Andy Ful

The objections are invariably... "We don't want to change", "It will cost money", "It will be inconvenient", "It is too much work", etc, etc. For the exceptional cases, these objections are just objecting for objection's sake. It is all about willingness - as opposed to what will work without major inconvenience.

Just remember... these enterprises that object so much have your personal data on their systems.
That is why I wrote that they cannot, or rather they think that they cannot. They are afraid to upgrade / update the system because they are not sure if the old soft will work flawlessly. They do not want to buy the new soft because of additional costs and problems with training the staff. They are afraid to block scripts, because a lot of old hardware (printers, etc.) and some network administrative software use scripts, etc. The worst situation is in the Public Institutions.
On the contrary, home users can usually adopt simple precautions to avoid most malware, including the fileless ones.
 

shmu26

Even if you use MS Office or Adobe Reader, and you don't have the latest patches, and you enable macros etc, the typical malicious doc will be a classic living-off-the-land attack that can be blocked by most default/deny solutions.

But I agree it is a probability game. If we compare it to bullets, most people will not be comforted by the assurance that most bullets will miss them. So the digital equivalent of wearing a bulletproof vest in a dangerous environment would be something like ReHIPS.
 

509322

That is why I wrote that they cannot, or rather they think that they cannot. They are afraid to upgrade / update the system because they are not sure if the old soft will work flawlessly. They do not want to buy the new soft because of additional costs and problems with training the staff. They are afraid to block scripts, because a lot of old hardware (printers, etc.) and some network administrative software use scripts, etc. The worst situation is in the Public Institutions.
On the contrary, home users can usually adopt simple precautions to avoid most malware, including the fileless ones.

The people who object are "stuck." They refuse to even consider anything different than what they know.

The vast majority of enterprises are medium\small businesses that barely have what could be called an IT security division or even an IT department. Most use Windows Home.

Meanwhile... when your data gets compromised on their insecure system and you lose your identity or worse, they will reply "not our problem... we did our best." And there is nothing anyone can do about it.
 

cruelsister

From their point of view, default Windows security isn't sufficient.

Just saw this one- Lockdown- are you saying that WF at the default settings is adequate to alert to a true zero-day malware file for which WD has no definition from connecting out?

I truly wish that it was, but the security protection at baseline for Windows is not in any way sufficient. If it was I would never have done ANY videos.
 

509322

Just saw this one- Lockdown- are you saying that WF at the default settings is adequate to alert to a true zero-day malware file for which WD has no definition from connecting out?

I truly wish that it was, but the security protection at baseline for Windows is not in any way sufficient. If it was I would never have done ANY videos.

Some people maintain that default Windows security is sufficient on the basis that infections are probabilistic. The argument is that true "zero-day" malware is comparatively few and far between. What most people run into is run-of-the-mill, days-old malware.

To be perfectly honest, AV vendors are simply not going to go to extraordinary measures to address new, "zero-day" malware (although some will certainly argue that they have taken extraordinary measures). They analyze real-world infection data, and that data tells them that "new" malware are the least of users' problems. More or less, the thinking is that the further they go along the spectrum to cope with new malware, the more inconvenience, complexity, interaction they are going to place on the user - and they certainly don't want to do that because users can't handle it or plainly don't want to deal with it (stubbornness, unwillingness to change, the face of stupidity by those who do know better but just won't do it).

Coping with true "zero-day" malware is a best effort measure - which is exactly what all security softs are - best effort measures.
 

Andy Ful

...
More or less, the thinking is that the further they go along the spectrum to cope with new malware, the more inconvenience, complexity, interaction they are going to place on the user.
...
In theory, they could solve the problem by adopting default-deny, but in practice, they know that most customers would not buy it. The situation is similar to health care. Most serious health problems in wealthy countries (overweight, diabetes or cardiovascular disease, spine disorders, etc.) could be solved by adopting a healthy diet and healthy habits. But in fact, we have a gigantic pharmaceutical industry, and most people seem to prefer an unhealthy diet and unhealthy habits, cured by medicaments.
The AV industry goes the same way, because they know that most people prefer unsafe activities and unsafe habits and do not like any restrictions.
 

509322

...
More or less, the thinking is that the further they go along the spectrum to cope with new malware, the more inconvenience, complexity, interaction they are going to place on the user.
...
In theory, they could solve the problem by adopting default-deny, but in practice, they know that most customers would not buy it. The situation is similar to health care. Most serious health problems in wealthy countries (overweight, diabetes or cardiovascular disease, spine disorders, etc.) could be solved by adopting a healthy diet and healthy habits. But in fact, we have a gigantic pharmaceutical industry, and most people seem to prefer an unhealthy diet and unhealthy habits, cured by medicaments.
The AV industry goes the same way, because they know that most people prefer unsafe activities and unsafe habits and do not like any restrictions.

So adopt and implement measures based upon what people are willing to do versus making them do what is necessary.

So in that regard, IT security is very much like environmental politics - which is essentially all money-driven.

Good grief.

The terminators and the sun are going to kill us all.
 

Andy Ful

Back to fileless malware.
Nowadays the mac0ders can easily run shellcode filelessly via scriptlets and weaponized documents. The shellcode is embedded directly in the script and run from memory. They do not even need PowerShell for that, simply the well-known JScript files.
The defense line adopted by the AV industry is completely inefficient from the home users' point of view. The AV uses complex modules, which consume system resources, to fight fileless malware executed by scripts, when the problem can be solved for most home consumers by simply blocking the execution of scripts.

Post edited.
 

509322

Back to fileless malware.
Nowadays the mac0ders can easily run shellcode filelessly via scriptlets and weaponized documents. The shellcode is embedded directly in the script and run from memory. They do not even need PowerShell for that, simply the well-known JScript files.
The defense line adopted by the AV industry is completely inefficient from the home users' point of view. The AV uses several complex modules that consume system resources, when the problem can be solved for most home consumers by simply blocking the execution of scripts.

There is absolutely no common sense reason for interpreters to be enabled by default on Windows Home. That they are enabled by default is entirely Microsoft's own doing. It is the equivalent of, and makes about as much sense as, putting a firearm on every street corner in every city on the face of the Earth. Microsoft violates their own best security practices by enabling interpreters by default. The average person does not use them. If they don't use them, then they don't need them. There should be a warning to enable them, just like with Office macros. At least some type of common sense measure... that Microsoft decided to do on 10S, but for whatever reason won't do it on the one OS that is the most vulnerable out of all OSes... Windows Home. Instead, Microsoft puts up a big show trying to make everyone believe that Windows Defender, AMSI, Exploit Guard... are all the answers to the problems that Microsoft caused in the first place. And they just keep making it worse. Now they've added Linux. It's just a matter of time before that is used to attack. Good luck with all of that garbage.
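A concrete version of the script blocking the two posts above argue for, added here as an example that is not from this thread and not from any product mentioned in it: a PowerShell script that audits and switches off Windows Script Host on a Windows Home machine, where there is no Group Policy editor and the documented registry value is the practical control. The key path and the Enabled value are Microsoft's documented WSH settings; the function names, the Scope parameter and the probe script are this example's own choices.

```powershell
# Added example (not from the thread, not from any product discussed in it):
# audit and switch off Windows Script Host (wscript.exe / cscript.exe), the engine
# that runs .js, .jse, .vbs, .vbe and .wsf files. Windows Home has no Group Policy
# editor, so the documented registry value is the practical control.
# Assumptions: run from an elevated PowerShell prompt; 'Enabled' = 0 under the
# Settings key is Microsoft's documented WSH switch; the function names are mine.

$WshKeys = [ordered]@{
    Machine = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'  # all users
    User    = 'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'  # current user only
}

function Get-WshState {
    # One row per scope. A missing 'Enabled' value means WSH is on, which is the default.
    foreach ($scope in $WshKeys.Keys) {
        $key   = $WshKeys[$scope]
        $value = $null
        if (Test-Path -Path $key) {
            $value = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
        }
        $state = 'enabled (default, value not set)'
        if ($null -ne $value) {
            $state = if ([int]$value -eq 0) { 'disabled' } else { 'enabled (value explicitly set)' }
        }
        [pscustomobject]@{ Scope = $scope; Key = $key; State = $state }
    }
}

function Disable-Wsh {
    # Sets Enabled = 0 (REG_DWORD). Afterwards wscript/cscript refuse every script with
    # "Windows Script Host access is disabled on this machine. Contact your administrator for details."
    param([ValidateSet('Machine', 'User')][string]$Scope = 'Machine')
    $key = $WshKeys[$Scope]
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
}

function Enable-Wsh {
    # Reverts the change for the case where a legitimate installer or login script needs WSH.
    param([ValidateSet('Machine', 'User')][string]$Scope = 'Machine')
    $key = $WshKeys[$Scope]
    if (Test-Path -Path $key) {
        Remove-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
    }
}

function Test-WshBlocked {
    # Verification step: writes a harmless one-line script (constructed here) to %TEMP%
    # and asks cscript to run it. Returns $true when the host refuses to run it.
    $probe = Join-Path -Path $env:TEMP -ChildPath 'wsh-probe.vbs'
    Set-Content -Path $probe -Value 'WScript.Echo "WSH OK"' -Encoding ASCII
    $text = (& cscript.exe //NoLogo $probe 2>&1 | Out-String)
    Remove-Item -Path $probe -ErrorAction SilentlyContinue
    return -not $text.Contains('WSH OK')
}

# Usage: audit, harden machine-wide, then verify.
Get-WshState | Format-Table -AutoSize
Disable-Wsh -Scope Machine
Get-WshState | Format-Table -AutoSize
"WSH blocked: $(Test-WshBlocked)"
```

Run it from an elevated prompt. The value only governs wscript.exe and cscript.exe, so .js/.jse/.vbs/.vbe/.wsf files stop running, but PowerShell, mshta.exe and Office macros are separate engines that it does not touch; it narrows the attack surface rather than closing it, and anything already running as administrator can set the value back. Keep Enable-Wsh at hand for the installer or login script that turns out to need WSH.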
 

ticklemefeet

CS I remember you doing a video on Appguard and bypassing it. I think you were using protected mode which allows trusted certs and you used one of them. I was wondering if you would be willing to do another in lockdown mode with modified settings of user mode? Blocking all powershell and scripts.
 

509322

CS I remember you doing a video on Appguard and bypassing it. I think you were using protected mode which allows trusted certs and you used one of them. I was wondering if you would be willing to do another in lockdown mode with modified settings of user mode? Blocking all powershell and scripts.

Nice try.

Such a policy blocks script execution - both on disk and in-memory. Most of the people who know how to use AppGuard have been crafting such a policy for years.

A setting was added to prevent the blocking of signed files, except those on the Trusted Publisher (certificate) list. Besides, the user is expected to know what they're doing and manage the list so that it is even more difficult.

The whole point of AppGuard is that the user has to create compensating rules. It is SRP. And SRP requires configuration and policy creation. The responsibility is on the user to know what they're doing - and that isn't difficult. It isn't a default-allow security soft. There is no such thing as install-and-forget SRP. It doesn't exist.

If CS wants to waste her time with such a policy, then it is her prerogative.
 

Andy Ful

The interesting question is whether the CF sandbox can stop the execution of the shellcode (from memory) by JScript malware when the malware runs sandboxed (it should in theory).
Another interesting question: what can happen if the script runs unsandboxed?
 

ticklemefeet

" A setting was added to prevent the blocking of signed files, except those on the Trusted Publisher (certificate) list. Besides, the user is expected to know what they're doing and manage the list so that it is even more difficult."
Yes that was the point. If you use a trusted cert in protected mode with a malware, Appguard will let it by. That is my understanding. In other words, if the malware uses a trusted signed cert in protected mode, Appguard allows it, am I wrong? BTW I am not bashing Appguard. I use it and love it.
 

509322

" A setting was added to prevent the blocking of signed files, except those on the Trusted Publisher (certificate) list. Besides, the user is expected to know what they're doing and manage the list so that it is even more difficult."
Yes that was the point. If you use a trusted cert in protected mode with a malware, Appguard will let it by. That is my understanding. In other words, if the malware uses a trusted signed cert in protected mode, Appguard allows it, am I wrong? BTW I am not bashing Appguard. I use it and love it.

LOL...I think you tricked me.

There is now a setting that allows certificates from only Trusted Publishers and blocks all others. It is more or less strict TPL enforcement versus the old AppGuard that allowed a legitimately signed file to run in Protected Mode.

If I recall correctly, the cert that CS used in the video you are referring to was a cert from a Trusted Publisher. The malware ran, invoked UAC (it wasn't displayed because CS disables UAC for viewing purposes), it attempted to load an unsigned DLL which was blocked, but it still accessed the Windows Service Manager via cmd.exe > sc.exe to disable or create\enable a service (I can't remember which one). After a system reboot the service was changed.

The issue of TPL certs is solved by removing all Trusted Publishers. You can leave Microsoft in the list as it would be extremely rare for high-signed malware using a legit Microsoft cert. The same could be argued for others. It all depends upon how paranoid you are.

The simpler alternative is to use Locked Down mode, which disables the Trusted Publisher List. This is what most serious AppGuard users do. And use Protected Mode to update softs that update from User Space. Or you can simply create the explicit exceptions needed for files to update in Locked Down mode. In other words, there are multiple options to make it work. It is up to the user to decide which one they wish to use.

There is always a workaround with AppGuard - because it is SRP.

@ticklemefeet if you wish you can PM me and I will explain and provide tips.
 

cruelsister

I was wondering if you would be willing to do another in lockdown mode with modified settings of user mode?

The malware I used in that video was signed with an exceptionally High certificate (which I choose not to disclose). At the time I was working for someone (in the Dept of Dirty Tricks) who had an unlimited budget for bribery as well as a carte blanche for blackmail. This credential has expired and I have no reasonable expectation that I will ever acquire another. But I will say that something like this (which you will never ever see in another Utube video) would never have been wasted on the Great Unwashed, but instead would have been targeted for a high profile Corporation (or Government).

Nothing would have stopped this one.


and a ps to Lockdown- UAC would have had absolutely nothing to do with anything.
 

509322

The malware I used in that video was signed with an exceptionally High certificate (which I choose not to disclose). At the time I was working for someone (in the Dept of Dirty Tricks) who had an unlimited budget for bribery as well as a carte blanche for blackmail. This credential has expired and I have no reasonable expectation that I will ever acquire another. But I will say that something like this (which you will never ever see in another Utube video) would never have been wasted on the Great Unwashed, but instead would have been targeted for a high profile Corporation (or Government).

Nothing would have stopped this one.


and a ps to Lockdown- UAC would have had absolutely nothing to do with anything.

Unless you used a UAC bypass, UAC does matter. I am not of the school of thought that UAC is utterly useless, because it just ain't true. Just like a Limited User\Guest account isn't utterly useless. I expect a user to pay heed to a UAC alert. If they don't, then it is on them. Sorry... but I have little sympathy except for those that are children and\or blind. It is high time that users be made to bear some responsibility instead of creating products that neither can nor do compensate for people just being people. It just isn't acceptable not to include the people who operate the system. They are fundamentally the problem. Not directly including people as a part (the primary part) of the malware problem does a great disservice to everyone.

However, I will admit in the case of the cert you used, paying any attention to the UAC alert would have been pointless. It would only have substantiated what a user who paid attention would have expected. Bad ju-ju. Really bad ju-ju if a hack with the junior G-man badge or a nuclear device key holding terrorist got their hands on the Harry Winston emerald bracelet cert. I suppose this is the argument you would make.

And it is people who constantly look to, want, expect and demand that technology and software provide them with an easier, softer way to security. It just ain't ever gonna happen. Ever. There are people who do and those that do not. Those that do can craft good security for themselves. They shall inherit the Earth. Those that do not, will be terminator fodder.
 

Deleted member 178

Fileless malware isn't new; some researchers even crafted stagers with embedded Python/PowerShell so they don't even need to access them from the target machines.
Like all malware, what matters is what we call the "entry point": if you secure all of them, there is little chance of being infected.
 