Updates HitmanPro.Alert still being developed with new novel mitigations and a beta release soon

Gandalf_The_Grey

Apr 24, 2016
Good news over at Wilders:
No worries guys, we're still alive and kicking. We've been working on several projects and are planning to release a new BETA version of HitmanPro.Alert soon. It will contain several new protections as well as an updated CryptoGuard 5 engine. Stay tuned!
I have some information to share, about a protection that we've been working on over the last two years (and Wilders Security members have been enjoying it for that long too). It's about our Heap Heap Protect mitigation - called Dynamic Shellcode Protection in Sophos's flagship endpoint product Intercept X.
If you haven't read it yet and have 10 minutes, be sure to read my blog about it: Covert code faces a Heap of trouble in memory – Sophos News
Below is a relatively short primer about why it's actually pretty bold.

Heap Heap Protect is unique in the world. It basically puts a hard limit on any application to what memory they can allocate. It impacts every process on the box, even Windows’ own processes.

How does this work? Applications can ‘loan’ an extra memory region from the system for the purpose of running added code. But when the added code requests an additional ‘loan’ for the purpose of introducing and running even more code, we say NO.

The ‘freedom’ to use memory whenever an application sees fit has been a fundamental function of a computer since the invention of dynamic random-access memory in 1968. And thanks to segregation of data and code (enforced by the CPU hardware) we can now literally say NO MORE!

We initially crafted Heap Heap Protect to counter unknown supply-chain attacks like CCleaner APT. So, although it's completely signature-less, you may notice it is especially effective against remote access agents like Cobalt Strike and Meterpreter, as these are typically loaded into memory by a ‘loader’ or ‘stager’. Particularly in human-operated ransomware attacks, these agents are a mainstay.
To our surprise, when we tested the mitigation in the wild, it notably caught a lot of multi-packed malware too – including adware. This is because, before packed malware really works, the unpacker needs to allocate a region that can run the unpacked code. And multi-packed (layer over layer) malware will ‘loan’ such a region upon region – it unpacks like a matryoshka doll.

Perhaps the most interesting part of our protection is that our discovery is highly compatible with legitimate applications, simply because regular applications are not loaded in a staged manner and they are not packed either.

If you want to know more, check out my blog. If you have, we'd like to hear your thoughts on this. Thanks!
Sophos blog post:

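A toy model of the allocation policy described in the quoted post, added here as an illustration (it is not Sophos or HitmanPro.Alert code, and the real product's exceptions for legitimate applications are not modelled). It assumes the rule keys on where the requesting code runs: code mapped from an image on disk may obtain a run-time executable region, but a request for another executable region coming from inside such a loaned region is refused, which is what stops layer-over-layer unpacking at the second matryoshka layer.

```python
from dataclasses import dataclass, field


@dataclass
class Region:
    base: int
    size: int
    executable: bool
    dynamic: bool  # allocated at run time rather than mapped from a file on disk


@dataclass
class Process:
    regions: list = field(default_factory=list)
    next_free: int = 0x20000000  # constructed start address for run-time allocations

    def map_image(self, base: int, size: int) -> Region:
        """Code backed by an EXE/DLL on disk is never subject to the limit."""
        self.regions.append(Region(base, size, executable=True, dynamic=False))
        return self.regions[-1]

    def region_of(self, addr: int):
        return next((r for r in self.regions if r.base <= addr < r.base + r.size), None)

    def alloc(self, caller: int, size: int, executable: bool) -> Region:
        """Allocation request; `caller` is the address of the code issuing it. Data is
        always granted; an executable region is refused to a requester that already
        runs from a loaned (dynamic, executable) region."""
        origin = self.region_of(caller)
        if executable and origin and origin.dynamic and origin.executable:
            raise PermissionError(f"second executable loan requested from {origin.base:#x}")
        self.regions.append(Region(self.next_free, size, executable, dynamic=True))
        self.next_free += size + 0x1000  # leave a gap so regions never touch
        return self.regions[-1]


def unpack_layers(depth: int) -> int:
    """Matryoshka unpacking: each layer requests an executable region for the next.
    Returns how many layers obtained one before the policy said NO."""
    p = Process()
    caller = p.map_image(0x00400000, 0x10000).base + 0x100  # first request from image code
    granted = 0
    for _ in range(depth):
        try:
            r = p.alloc(caller, 0x2000, executable=True)
        except PermissionError:
            break
        granted += 1
        caller = r.base + 0x10  # the next request comes from the freshly unpacked layer
    return granted
```

A single-stage loader gets its one region; a multi-packed sample is stopped at the second layer regardless of how many layers it carries.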
SecureKongo

Feb 25, 2017
Hope they integrate the new version in Sophos Home soon. Somehow SUMo detects an outdated HitmanPro.Alert version in my updated version of Sophos Home Premium at the moment. Does anybody else face the problem or know what the cause is?

Gandalf_The_Grey

Apr 24, 2016
Hope they integrate the new version in Sophos Home soon. Somehow SUMo detects an outdated HitmanPro.Alert version in my updated version of Sophos Home Premium at the moment. Does anybody else face the problem or know what the cause is?
I saw that posted somewhere here on MT or on Wilders.
If I remember correctly, HitmanPro.Alert is the testing ground for Sophos Home Premium.
So, it's always a version behind on purpose, to be more stable.