Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="Andy Ful" data-source="post: 755162" data-attributes="member: 32260">
<p><span style="font-family: 'Arial'">When malware is too smart. </span></p>
<p><span style="font-family: 'Arial'">[USER=26718]@silversurfer[/USER] included one interesting malware sample <span style="color: rgb(184, 49, 47)">Facture_23100.31.07.2018.exe</span><strong>:</strong></span></p>
<p><span style="font-family: 'Arial'"><a href="https://malwaretips.com/threads/3-08-2018-21.85688/#post-754757" target="_blank">https://malwaretips.com/threads/3-08-2018-21.85688/#post-754757</a></span></p>
<p><span style="font-family: 'Arial'">The malware had embedded the icon of a </span><strong><span style="color: rgb(85, 57, 130)"><span style="font-family: 'Tahoma'">DOCX</span></span></strong><span style="font-family: 'Arial'"><strong><span style="color: rgb(85, 57, 130)"> file</span></strong> to fool the potential victims. It was probably delivered via spam with the social engineering info --> why the user should open such an interesting document. It had a stolen &amp; valid Authenticode signature with a good reputation, so it could even bypass SmartScreen. </span></p>
<p><span style="font-family: 'Arial'">Could the Hard_Configurator Recommended settings stop such dangerous malware? </span></p>
<p><span style="font-family: 'Arial'">The answer is yes (mostly). But how is it possible, when the malware could bypass SmartScreen?</span></p>
<p><span style="font-family: 'Arial'">Because it was too smart. The user knows from the e-mail that the attachment is a document, and the file icon confirms this belief. So, after downloading, the file will be opened by the user as a document, by left mouse-click or by pressing the Enter key. This will fail and the file will be blocked by SRP.</span></p>
<p><span style="font-family: 'Arial'">The user will not open the malware via "Run As SmartScreen" because the malc0der successfully convinced him that the file is an innocent document.</span></p>
<p><span style="font-family: 'Arial'">In my personal opinion, the danger of such malware for home users is close to 0, because files with stolen certificates are mostly used in attacks on institutions and enterprises. After some days, the malware can be reused to attack home users, but by then the fingerprint/signature is already available in the cloud, so the malware will be blocked via the cloud AV service.</span></p>
<p><span style="font-family: 'Arial'">The exception can be an event similar to CCleaner, because in that case the installer executable was infected. The installer of CCleaner is digitally signed and very popular (good SmartScreen reputation), so it can bypass the SmartScreen check. The user can only depend on the AV protection and has a pretty good chance of being infected.</span></p>
</blockquote><p></p>
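The SRP behaviour the post relies on, read back from the registry, as an added example (not code from the post or from Hard_Configurator). It assumes the standard Safer\CodeIdentifiers policy layout, ignores wildcard path rules, and shows that the verdict is path-based while the Authenticode status plays no part:

```powershell
# Added example: audit the Software Restriction Policy (SRP) that a default-deny
# configuration such as Hard_Configurator's Recommended settings writes, and predict
# whether a file double-clicked from a user-writable folder would be allowed to run.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# SRP security levels as stored in the registry (subkey name and DefaultLevel value).
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPolicy {
    $cfg = Get-ItemProperty -Path $Base -ErrorAction Stop
    $rules = foreach ($lvl in $LevelNames.Keys) {
        $pathKey = Join-Path $Base "$lvl\Paths"
        if (Test-Path $pathKey) {
            foreach ($rule in Get-ChildItem $pathKey) {
                $item = Get-ItemProperty $rule.PSPath
                [pscustomobject]@{
                    Level = $LevelNames[$lvl]
                    Path  = [Environment]::ExpandEnvironmentVariables($item.ItemData)
                }
            }
        }
    }
    [pscustomobject]@{
        DefaultLevel = $LevelNames[[int]$cfg.DefaultLevel]
        PolicyScope  = if ($cfg.PolicyScope -eq 1) { 'All users except local admins' } else { 'All users' }
        Rules        = $rules
    }
}

function Test-SrpVerdict {
    param([Parameter(Mandatory)][string]$FilePath)
    $policy = Get-SrpPolicy
    $full = [IO.Path]::GetFullPath($FilePath)
    # The most specific (longest) matching path rule wins; with none, the default level applies.
    # Wildcard rules are not evaluated here (assumption of this example).
    $match = $policy.Rules |
        Where-Object { $full.StartsWith($_.Path, 'OrdinalIgnoreCase') } |
        Sort-Object { $_.Path.Length } -Descending |
        Select-Object -First 1
    # Signature status is reported only to show it does not influence the SRP verdict.
    $sig = if (Test-Path $full) { (Get-AuthenticodeSignature $full).Status } else { 'file not present' }
    [pscustomobject]@{
        File        = $full
        MatchedRule = if ($match) { $match.Path } else { '(none, default level)' }
        Signature   = $sig
        Verdict     = if ($match) { $match.Level } else { $policy.DefaultLevel }
    }
}

Get-SrpPolicy | Format-List DefaultLevel, PolicyScope
# Constructed file name, not a real sample: a document-looking .exe sitting in Downloads.
Test-SrpVerdict "$env:USERPROFILE\Downloads\Facture_23100.31.07.2018.exe"
```

With a Disallowed default level and no Unrestricted rule covering the Downloads folder, the verdict is Disallowed even when the signature status would read Valid.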