Hard_Configurator - February 2019 Report

[AlanOstaszewski]

1. Containment: VirtualBox 5.1.38
2. Windows: 10 LTSB
3. VPN: CyberGhost
4. Product: Windows SmartScreen (activated by Hard_Configurator with recommended SRP and restrictions)
5. Office: LibreOffice (standard settings)

Disclaimer: Experimental setup for testing effectiveness of Windows SmartScreen and script restrictions against 0-day malware samples. This test is suitable for users with above-average knowledge of Windows' built-in security features.

February 2019	Amount of samples	Samples that have harmed the system/ changed system configuration	Files aren't touched/encrypted	Thread link
Mixed Threats #13 (01/02/2019)	13	0	yes	link
#CDC Ransomware (almost FUD) - 02/02/2019	1	0	yes	link
#Exploit (03/02/2019)	1	0	yes	link
4/02/2019 #18	18	0	yes	link
AZORult (5/02/2019)	1	0	yes	link
#Buhtrap Ransomware (signed) - 07/02/2019	1	1	no	link
8/02/2019 #15	15	0	yes	link
#FCrypt Ransomware	1	0	yes	link
AgentTesla (11/02/2019)	1	0	yes	link
12/02/2019 #23	23	0	yes	link
Malware Big Pack #24 (13/02/2019)	24	0	yes	link
Remcos RAT (14/02/2019)	1	0	yes	link
Malware x4 (16/02/2019)	4	0	yes	link
18/02/2019 #17	17	0	yes	link
Rietspoof Malware	1	0	yes	link
#LockerGoga Ransomware (signed)	1	0	yes	link

Hard_Configurator by @Andy Ful

 

[Andy Ful]

Nice to see you back again.
I truly appreciate your efforts, put in those tests and H_C website.:emoji_ok_hand:

 

[Andy Ful]

The ransomware from MH https://malwaretips.com/threads/buhtrap-ransomware-signed-07-02-2019.90379/ is signed, so it will be a challenge for SmartScreen Application Reputation. The malware should be mitigated by SRP, even if it would bypass SmartScreen, because it uses Windows Script Host (CScript).

Edit
I had to edit my post, because of my evident error - SRP (in H_C recommended settings) is set to allow the processes with Admin rights, and the tested malware was run with Admin rights.
It could be mitigated If the option <Disable Win. Script Host> was set to ON. Maybe I should add it to recommended settings alongside SRP script mitigations?

 

[Gandalf_The_Grey]

The ransomware from MH https://malwaretips.com/threads/buhtrap-ransomware-signed-07-02-2019.90379/ is signed, so it will be a challenge for SmartScreen Application Reputation. The malware should be mitigated by SRP, even if it would bypass SmartScreen, because it uses Windows Script Host (CScript).

It is detected by 36/66 according to VirusTotal. So this seems to be the case for leaving WD enabled (or another AV) when using HC.
VirusTotal

 

[imuade]

The ransomware from MH https://malwaretips.com/threads/buhtrap-ransomware-signed-07-02-2019.90379/ is signed, so it will be a challenge for SmartScreen Application Reputation. The malware should be mitigated by SRP, even if it would bypass SmartScreen, because it uses Windows Script Host (CScript).

Would have it made any difference if the test had been done with tighter (enhanced) settings instead of default ones?

 

[Andy Ful]

I have just seen the [S]@askalan video, and it seems that the trojan part of the malware was mitigated by H_C, because the CScript payload was blocked and remote features were disabled. But, the ransomware part (no elevation) was successful.[/S]
That malware is an example of what I wrote in the January report. In some cases, the signed malware can bypass the SmartScreen even some days after detecting by many AVs. So, it is good to have also a real-time AV alongside H_C.
Anyway, this malware will be delivered in the wild mostly via malicious spam attachments (scripts, documents), and this will be prevented by H_C settings.

Post edited - the malware was not mitigated by H_C, because it was allowed to run with Admin rights via "Run As SmartScreen".

 

[Andy Ful]

Would have it made any difference if the test had been done with tighter (enhanced) settings instead of default ones?

Yes, but not for preventing encryption in this case - it is done by the main executable which was allowed to run. Yet, this malware can also use cmd.exe to run some sponsors: attrib.exe, bcedit.exe, cscript.exe (already blocked), chcp.exe, net.exe ('net view' command blocked), reg.exe, vssadmin.exe, wbadmin.exe, wmic.exe.
https://www.hybrid-analysis.com/sam...7d239d5a45faf3e0cdf6b0ebd20?environmentId=100

Most of the above sponsors will require admin rights, SMB1, etc. to do something important - accessing Admin rights is hard with H_C settings and SMB1 is blocked. But, even without Admin rights the sponsor reg.exe can change the Registry keys in the HKCU Hive and wmic.exe can be used for gathering information about the system, so they are blocked in H_C enhanced settings.

I am sorry, I had to be very sleepy to overlook that the malware was run with Admin rights, so could not be mitigated by SRP and H_C recommended or enhanced settings.
That is the con of usability of "Run As SmartScreen" which is intended to bypass SRP.
The only H_C setting that could mitigate this malware is <Disable Win. Script Host> set to ON.

 

[Andy Ful]

I had to edit my previous posts. I forgot that in the recommended settings the option <Disable Win. Script Host> is set to OFF. That means that Windows Script Host is protected only by SRP, and will be bypassed by design, when the malware is run with Admin rights. That is the case of the malware run via "Run As SmartScreen", if the SmartScreen failed to stop it.
The malware could be probably mitigated if <Disable Win. Script Host> was set to ON.
@askalan, could you please test it also with this setting ON, to see the difference?

 

[shmu26]

Who was the signer for this one?
I am curious if Comodo Firewall would have allowed it? If the signer is on the TVL, then I am assuming it would be allowed, until it is manually blacklisted.

 

[imuade]

Yes, but not for preventing encryption in this case - it is done by the main executable which was allowed to run. Yet, this malware can also use cmd.exe to run some sponsors: attrib.exe, bcedit.exe, cscript.exe (already blocked), chcp.exe, net.exe ('net view' command blocked), reg.exe, vssadmin.exe, wbadmin.exe, wmic.exe.
https://www.hybrid-analysis.com/sam...7d239d5a45faf3e0cdf6b0ebd20?environmentId=100

Most of the above sponsors will require admin rights, SMB1, etc. to do something important - accessing Admin rights is hard with H_C settings and SMB1 is blocked. But, even without Admin rights the sponsor reg.exe can change the Registry keys in the HKCU Hive and wmic.exe can be used for gathering information about the system, so they are blocked in H_C enhanced settings.

I am sorry, I had to be very sleepy to overlook that the malware was run with Admin rights, so could not be mitigated by SRP and H_C recommended or enhanced settings.
That is the con of usability of "Run As SmartScreen" which is intended to bypass SRP.
The only H_C setting that could mitigate this malware is <Disable Win. Script Host> set to ON.

Ah, OK, so I was correct to set <Disable Win. Script Host> to ON :emoji_v:

 

[Andy Ful]

Ah, OK, so I was correct to set <Disable Win. Script Host> to ON :emoji_v:

Please, look after some time into the log of blocked events, for event Id = 1000 with Provider = Windows Script Host. This event means that Windows Script Host script was blocked with Admin rights. There are some administrative&troubleshooting scripts in Windows folder, which will be blocked by this setting, but they are not important in the healthy system.

In the first versions of H_C the <Disable Win. Script Host> was set to ON by default, but now it is set to OFF. When set to ON, it could mitigate some malware which bypassed SmartScreen. But anyway, such mitigation will be usually insufficient because the malware is already running with Admin rights. Furthermore, such event will be very improbable in the home user environment, because the infection chain in the wild will start not from EXE file (like in the test), but from the weaponized document or script started without admin rights. Such files will be blocked by recommended H_C settings and cannot bypass SmartScreen (automatically blocked when "Run As SmartScreen").
The different scenario is probable only when the user is going to download cracks and pirated software.
But, setting <Disable Win. Script Host> = ON will not hurt - the user has to only remember that scripts are blocked by two independent settings and that blocked events cannot be whitelisted.

 

[AlanOstaszewski]

In my future tests you will find the screenshots of the al-khaser test.
LordNoteworthy/al-khaser

This program is supposed to determine if a virtual machine solution is hidden enough. I hope that the other testers will also publish the screenshots of this test in the future. It is very important to know how well the virtual machine has been configured.

(For information: if you want to run this test on your own VM it usually takes an hour. So don't be confused and let the test take its time.)

Video - Why a good VM configuration is important

 

[Moonhorse]

So, it is good to have also a real-time AV alongside H_C.

Would the windows defender enabled on high settings, stopped it if the signatures detect it? Since WD has behaviour monitoring, but is that as effective as behaviour blocker

Is there anything that would make WD+ H_C stronger, something like appcheck or ransomoff? Anything to add on that combo, i know that i would probably be alright running wd alone, but is there anything that can still harden that setup? Custom settings of H_C? If the malware werent signed by comodo TVL, wouldnt something like comodo firewall be alright to add into that WD+H_C combo

 

[oldschool]

… … Is there anything that would make WD+ H_C stronger, something like appcheck or ransomoff? Anything to add on that combo, i know that i would probably be alright running wd alone, but is there anything that can still harden that setup? Custom settings of H_C? If the malware werent signed by comodo TVL, wouldnt something like comodo firewall be alright to add into that WD+H_C combo

More is not the answer. You are already secure.

 

[Moonhorse]

More is not the answer. You are already secure.

Well thats true, only way i could have access to such ransomware is throught malware hub, id have to search with 101 dalmatians for one throught internet to get infected

 

[Andy Ful]

WD and any other AV can sometimes detect such malware, and sometimes not. This sample was initially detected by 5 AVs (Avast, AVG, DrWeb, Eset, VB32). In other cases, it could be detected by Microsoft, Kaspersky, Avira, and BitDefender. Defender High settings can detect much more than WD on defaults.

One could strengthen the setup in many ways, but that would be unreasonable. Let's look at the below scenario:

1. I have a very strong setup, which is also pretty much usable, but not so easy anyway.
2. It can be even stronger by blocking many sponsors, adding the sandbox application or anti-ransomware protection, using Application Guard to block sponsors as administrator, blocking the Internet connection to vulnerable applications in the firewall, adding HIPS and Exploit Protection, etc.
3. Wow, I have extremely strong protection.
4. But, wait. Why my system is so unusable and I do not understand what disturbs the functionality of my applications?
5. I give up. The default-deny protection sucks. I rather go back to AV only.
6. Wow, I have so usable setup now. But, wait. Why it cannot detect everything on Malware Hub?
7. I can make it stronger by adding .... (and so on).

I would rather recommend to think through this fact:
If default-deny protection is not simple, then it is unusable for most users, including the reader of this post.
:emoji_pray:

 

[shmu26]

1. It can be even stronger by blocking many sponsors, adding the sandbox application or anti-ransomware protection, using Application Guard to block sponsors as administrator, blocking the Internet connection to vulnerable applications in the firewall, adding HIPS and Exploit Protection, etc.
2. Wow, I have extremely strong protection.
3. But, wait. Why my system is so unusable and I do not understand what disturbs the functionality of my applications?

Very funny, and very true. Such a setup is good for people who enjoy and make a hobby out of creating a paranoid security setup.

 

[oldschool]

Very funny, and very true. Such a setup is good for people who enjoy and make a hobby out of creating a paranoid security setup.

Very funny indeed. @Andy Ful 's humor is right on, and English his 2nd language. His humor originates in the mind, which "speaks" in the universal language.

 

[Andy Ful]

Thanks guys. You will see my poor English soon, because I am going to write the H_C FAQ.

 

[oldschool]

Thanks guys. You will see my poor English soon, because I am going to write the H_C FAQ.

Yes, but @shmu26 can help smooth out any rough edges! Carry on!