Forums
New posts
Search forums
News
Security News
Technology News
Giveaways
Giveaways, Promotions and Contests
Discounts & Deals
Reviews
Users Reviews
Video Reviews
Support
Windows Malware Removal Help & Support
Inactive Support Threads
Mac Malware Removal Help & Support
Mobile Malware Removal Help & Support
Blog
Log in
Register
What's new
Search
Search titles only
By:
Search titles only
By:
Reply to thread
Menu
Install the app
Install
JavaScript is disabled. For a better experience, please enable JavaScript in your browser before proceeding.
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an
alternative browser
.
Forums
Software
Security Apps
Hard_Configurator Tools
Hard_Configurator - Windows Hardening Configurator
Message
<blockquote data-quote="Andy Ful" data-source="post: 926676" data-attributes="member: 32260"><p><strong>Hard_Configurator and IOBIT malware.</strong></p><p><a href="https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/" target="_blank">IObit forums hacked to spread ransomware to its members (bleepingcomputer.com)</a></p><p></p><p>This malware cannot run with H_C Recommended Settings enabled. After unpacking the archive in UserSpace the user has to use the InstallBySmartscreen feature to run the executable. InstallBySmartscreen will detect the DLLs in the current directory and will show the alert:</p><p></p><p>[ATTACH=full]253238[/ATTACH]</p><p></p><p>The user should choose <CANCEL> and examine the installation DLLs. If not, then the executable will be run in the random temporary location without DLLs - in this case, the malicious DLL will not be executed. This will protect the inexperienced user from being infected.</p><p>In such cases when the installation is blocked by SmartScreen (EXE and MSI files) or the installation fails due to the above alert (protection against DLL hijacking), the simplest method is waiting one day before turning off the H_C settings to run the installation. After one day the AV will usually detect the malware (some other people will be infected).</p><p>But, the real danger of the IOBIT attack follows from the convincing and personalized scam. So, above-average users will probably ignore the potential danger and many of them will turn off the AV protection to run the malicious installation without checking the DLLs thoroughly.</p><p></p><p>I also checked the method of running the final payload (in the case of turning off H_C settings and keeping ConfigureDefender settings) - it will be blocked by the ASR rule <strong>"</strong>Block executable files from running unless they meet a prevalence, age, or trusted list criteria<strong>". </strong>The iobit.dll (final payload) is run via rundll32 - this method triggers the mentioned ASR rule which uses Microsoft file reputation to block executables (EXE, DLL, etc.). It is also possible that such a payload can be detected by the Cloud Block Level in ConfigureDefender HIGH preset or the ASR rule "Use advanced protection against ransomware".</p></blockquote><p></p>
[QUOTE="Andy Ful, post: 926676, member: 32260"] [B]Hard_Configurator and IOBIT malware.[/B] [URL='https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/']IObit forums hacked to spread ransomware to its members (bleepingcomputer.com)[/URL] This malware cannot run with H_C Recommended Settings enabled. After unpacking the archive in UserSpace the user has to use the InstallBySmartscreen feature to run the executable. InstallBySmartscreen will detect the DLLs in the current directory and will show the alert: [ATTACH type="full" alt="1611330388691.png"]253238[/ATTACH] The user should choose <CANCEL> and examine the installation DLLs. If not, then the executable will be run in the random temporary location without DLLs - in this case, the malicious DLL will not be executed. This will protect the inexperienced user from being infected. In such cases when the installation is blocked by SmartScreen (EXE and MSI files) or the installation fails due to the above alert (protection against DLL hijacking), the simplest method is waiting one day before turning off the H_C settings to run the installation. After one day the AV will usually detect the malware (some other people will be infected). But, the real danger of the IOBIT attack follows from the convincing and personalized scam. So, above-average users will probably ignore the potential danger and many of them will turn off the AV protection to run the malicious installation without checking the DLLs thoroughly. I also checked the method of running the final payload (in the case of turning off H_C settings and keeping ConfigureDefender settings) - it will be blocked by the ASR rule [B]"[/B]Block executable files from running unless they meet a prevalence, age, or trusted list criteria[B]". [/B]The iobit.dll (final payload) is run via rundll32 - this method triggers the mentioned ASR rule which uses Microsoft file reputation to block executables (EXE, DLL, etc.). It is also possible that such a payload can be detected by the Cloud Block Level in ConfigureDefender HIGH preset or the ASR rule "Use advanced protection against ransomware". [/QUOTE]
Insert quotes…
Verification
Post reply
Top
