Video HitManPro vs a Zero-Day Botnet

Peter2150 (Level 7, Verified, joined Oct 24, 2015, 300 messages, OS: Windows 7, Antivirus: Emsisoft), post #3
Great video, cruelsister! :)

I guess HitmanPro.Alert would detect the botnet because of the mitigation against process hollowing, but not the scanner. :)

It probably would have, except she tested it against Hitman Pro. Test was this side of being pointless. Test it again against the latest beta of hitman pro alert and see what happens.

Windows_Security (Level 18, Content Creator, Verified, joined Mar 13, 2016, 893 messages, OS: Windows 7), post #7
Mwahh somewhere in between the point of view of Peter2150 and Cruel Sister.

HitmanPro was launched as a heuristics/forensics scanner using a cloud blacklist database. Svchost connects out all the time. So HitmanPro is simply not designed to catch a botnet using the credentials of a legit application, when this application (svchost) behaves like a botnet itself. So I am with Peter2150 on this video: it shows me that water is wet.

When you look at the Sophos website for HitmanPro, it has emerged from heuristics/forensics to "advanced behavioral technology with deep scanning to find and eliminate zero-day, next-gen malware that has avoided detection." Using this marketing claim, HitmanPro should detect the detection-avoiding trick using the credentials of a legitimate process. So I am with Cruel Sister on this video: it shows me that the Sophos takeover of Surfright injected a lot of hot air into HitmanPro's capabilities.

So for me a draw: what is your take on this?

Windows_Security (Level 18, Content Creator, Verified, joined Mar 13, 2016, 893 messages, OS: Windows 7), post #9
A test is a test, but the intended use should be in the scope of the test.

A quarter-mile drag test between a 450 HP Chevrolet Camaro SS and a 450 HP John Deere scraper tractor will have a certain outcome; conversely, a two-ton pull test between the same two contenders will have a completely different outcome.

Peter2150 (Level 7, Verified, joined Oct 24, 2015, 300 messages, OS: Windows 7, Antivirus: Emsisoft), post #10
I ignore marketing hype. Hitman Pro can be accessed from Alert and to me it is nothing more than a secondary scanner. The latest beta of HMPA also now detects malware on the fly, and it is pretty good against it. That is what should be tested, beta version 712.

Note it now has protection against credential theft, but that should be off if you use imaging programs live. It will cause them to fail.

[author not captured] (joined Apr 16, 2017, 308 messages, OS: Windows 7), post #12
It probably would have, except she tested it against Hitman Pro. Test was this side of being pointless. Test it again against the latest beta of hitman pro alert and see what happens.
I have used hmp.a but always seem to develop a hiccup, and uninstall it. So CS showed that hmp does not detect a hollowed process; you suggest hmp.a would block it in real time, ok, I believe you, but what other security apps are excellent at blocking or detecting hollowed processes?

cruelsister (Level 36, Content Creator, Verified, joined Apr 13, 2013, 2,577 messages), post #14
Hi Guys! A number of things should be explained:

1). Zemana AM is excellent at detecting hollowed processes, even when used as a second opinion scanner (also really good against Worms, whereas both MB and HMP are most certainly not).
2). I did not state it (not that it was needed), but in the video WF was active. But as WF has no intrinsic Outbound protection the malware blew right past it. A simple solution would have been just to have some Outbound protection in place like WFC or Tinywall. A Botnet, Keylogger, or info stealer that is prevented from connecting out is really nothing more than a piece of junk waiting for the AV to catch up to it and delete it.

That being said, I used HMP and not HMP.A for a couple of reasons- the first reason is a common theme of mine- that running a 2nd opinion scanner, getting a clean result and thus assuming that the system is without infection may not be correct. The second reason is that the initial malware run was part of something larger that I coded in order to embarrass and disgrace some Governmental IT "Pros" that should know better at a Show and Tell last week (I am really mean). As it is not released in the Wild there is no way that I would allow it to be uploaded into any Cloud by anyone (my mama didn't make no stupid children). Also running it against traditional protection as it is an actual zero-day would be like beating a puppy.
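Added example, not code from the thread or from any of the products it discusses: a small Python check over constructed process and connection records that flags svchost.exe instances breaking the pattern a genuine service host follows (started by services.exe, launched with a -k service group), and notes when such an odd instance is also talking outbound. This is the behavioural angle posts #7 and #14 describe, as opposed to a file scan; the record fields and sample values are assumptions.

```python
from dataclasses import dataclass
# Constructed record shapes: on a real Windows host these fields would be
# filled from a process listing and a netstat-style connection table.
@dataclass
class Proc:
    pid: int
    name: str
    path: str
    cmdline: str
    parent_name: str
@dataclass
class Conn:
    pid: int
    remote: str  # "ip:port" of the outbound peer

LEGIT_PATH = r"c:\windows\system32\svchost.exe"

def svchost_findings(procs, conns):
    """Return {pid: [reasons]} for svchost.exe instances that break the
    pattern a real service host follows. Hollowing keeps the on-disk image
    intact, so parent, command line and network behaviour are the signals."""
    remotes = {}
    for c in conns:
        remotes.setdefault(c.pid, []).append(c.remote)
    findings = {}
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        if p.parent_name.lower() != "services.exe":   # SCM starts real hosts
            reasons.append(f"parent is {p.parent_name}, not services.exe")
        if p.path.lower() != LEGIT_PATH:              # name-only masquerade
            reasons.append(f"unexpected image path {p.path}")
        if " -k " not in f" {p.cmdline} ":            # no service group
            reasons.append("no -k service group on command line")
        if reasons and p.pid in remotes:              # the botnet tell
            reasons.append("outbound to " + ", ".join(remotes[p.pid]))
        if reasons:
            findings[p.pid] = reasons
    return findings

# Constructed sample: one normal host (pid 800) and one that was spawned by
# a user binary with no service group and is talking out (pid 4120).
SAMPLE_PROCS = [
    Proc(800, "svchost.exe", r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\System32\svchost.exe -k netsvcs -p", "services.exe"),
    Proc(4120, "svchost.exe", r"C:\Windows\System32\svchost.exe",
         r"C:\Windows\System32\svchost.exe", "invoice.exe"),
]
SAMPLE_CONNS = [Conn(800, "203.0.113.10:443"), Conn(4120, "198.51.100.7:8080")]
```

The normal instance produces no finding even though it connects out; only the instance that already looks wrong gets its outbound peers attached, which is the same distinction an outbound firewall rule or behavioural blocker has to draw.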

Windows_Security (Level 18, Content Creator, Verified, joined Mar 13, 2016, 893 messages, OS: Windows 7), post #15
@cruelsister

Mhh, your reply feeds further speculation. Since I can't find a video of MB failing this botnet sample (or ZAM blocking/finding this same sample), there must have been a reason to single out HMP for this test. So the Governmental IT "Pros" were probably advertising the benefits of HMP in relation to botnets. A pity you don't mention "man and horse" as we say in Dutch.

Azure Phoenix (Level 22, Verified, joined Oct 23, 2014, 1,146 messages), post #16
@cruelsister

Mhh, your reply feeds further speculation. Since I can't find a video of MB failing this botnet sample (or ZAM blocking/finding this same sample), there must have been a reason to single out HMP for this test. So the Governmental IT "Pros" were probably advertising the benefits of HMP in relation to botnets. A pity you don't mention "man and horse" as we say in Dutch.
Well, CS mentioned both Malwarebytes and HMP aren't that good at detecting worms. You can see her worm video series for that. I don't recall Malwarebytes being tested against this botnet (not yet).

[author not captured] (joined Feb 14, 2013, 113 messages, OS: Windows 10, Antivirus: ESET), post #17
The second reason is that the initial malware run was part of something larger that I coded in order to embarrass and disgrace some Governmental IT "Pros" that should know better at a Show and Tell last week (I am really mean).
Unless SOPHOS also supported this claim then it's like bashing a product based on the ignorance of someone that has nothing to do with the product. Did any of the people making these claims work for SOPHOS? People will watch your video, and think HMP failed the test, when in fact it was the wrong product to test.

You mentioned Zemana AM being good at detecting process hollowing when used as a second opinion scanner, but you point out that HMP is not. Well, HMPA is the equivalent option to Zemana AM, and not HMP. What are the test results when using HMPA against process hollowing? Just because HMPA detects process hollowing in a different way does not mean it should fail the test.

EDITED 8/22/17 @ 2:59:
I think the best solution is to test your sample against HMP, and HMPA. Then you can prove those wrong that made the claim that HMP will detect this type of threat, while also being fair to SOPHOS since HMPA is the product designed to protect against this threat.

Anker_by (Level 4, Verified, joined Jun 23, 2015, 187 messages, OS: Windows 10, Antivirus: Kaspersky), post #19
Excellent video, I'm pretty sure Zemana AM could detect this.