How Advanced Persistent Threat works?

How to protect from APT?

  • Antivirus

    Votes: 1 3.2%

  • Antivirus + Firewall

    Votes: 19 61.3%

  • No way out

    Votes: 11 35.5%
  • Total voters
    31
Tony Cole

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Thanks kram7750, I wish I had your knowledge, may be one day you could work for Kaspersky, or have your own AV Company! My friend uses Dr. Web, how doe they fare against such attacks? Hope your hand is better.
 
Last edited:
  • Like
Reactions: WinXPert
D

Deleted member 21043

Thread author
Tony Cole said:
Thanks kram7750, I wish I had your knowledge, may be one day you could work for Kaspersky, or have your own AV Company! My friend uses Dr. Web, how doe they fare against such attacks? Hope your hand is better.
Click to expand...
Probably off-topic, but I'll never work for Kaspersky... Or any other AV vendor I am not in charge of. But don't worry, I'm currently in the process of starting my own security company to provide security software such as Antivirus, Internet Security.

As for the question regarding Dr. Web, I cannot actually answer your question. However, I will try to estimate how some things work for e.g. a web filter. But not aimed directly at Dr. Web.

A web filter can be made via many different methods.
- Hosts file
- Hooking functions (user-mode/kernel-mode)
- Driver to sniff the network

The first method I mentioned, the Hosts file, is a file stored in the windows directory/system32/drivers/etc. It's responsible for holding hosts to block. If you use the format: 127.0.0.1 <host domain> in the hosts file, it will block these hosts from successfully connecting. You can also use this as a basic adblocker, if you add the hosts to the advertisements in the Windows Hosts file. Hence, why it's called the "Hosts" file.

This method is especially insecure because if you wrote to the Hosts file to remove the entries added by the product, then it won't work as the entries would have been removed. If you use this, set hooks to prevent modifications to the Hosts file at the least.

The second method I mentioned, hooking functions, can be used for many things related to networking. You can even make a firewall out of hooking specific functions. For Internet Explorer, you could hook functions like HttpSendRequest/Ex. It's called when a request to HTTP server is done in Internet Explorer, it's located in WinInet.dll (HttpSendRequest!WinInet / same with Ex version).

Another function to hook could be InternetConnect().

But, the issue with this is you'd have to hook a lot of functions, other browsers/processes may use other libraries for other functions.

The last method would be the best in my opinion. From kernel-mode, you have access to the hardware and all software running (you can access all the memory on the system). You can monitor and sniff the network and you can block requests as well.

Just a very short and not very detailed reply, I apologize this post of mine lacks interest and detail. I should really extend it.

Cheers. ;)
 
  • Like
Reactions: Tony Cole and frogboy
Tony Cole

Tony Cole

Level 27
Verified
May 11, 2014
1,639
Wow, I never knew there was so many ways AV software could function, re: ability to block attacks and changes to their files/registry keys. So, Comodo you can right click the icon and it's disabled, no warning, nothing. Does that suggest it's an easy target, or impossible as the user made the changes and malware cannot do it?
 
D

Deleted member 21043

Thread author
Tony Cole said:
Wow, I never knew there was so many ways AV software could function, re: ability to block attacks and changes to their files/registry keys. So, Comodo you can right click the icon and it's disabled, no warning, nothing. Does that suggest it's an easy target, or impossible as the user made the changes and malware cannot do it?
Click to expand...
Could you possibly re-write your question? I do not understand the question/what you are speaking about? :(
 
D

Deleted member 178

Thread author
i think he asks if a malware can disable the components like a user may do via right-clicking the system tray icon of CIS
 
Tony Cole

Tony Cole

Level 27
Verified
May 11, 2014
1,639
With Comodo, you can right click the icon in the toolbar and it will shut Comodo down, with Kaspersky it will issue a warning before hand. Can malware easily do the same, i.e., Comodo requires no other user input it shuts the whole program down. Before in version 5 users were unable to disable Comodo via task manager, now you can. Bitdefender, Kaspersky blocks such attempts, as accessed denied, does this mean Comodo's ability to protect their files and registry keys against attacks are weaker than Kaspersky? That's a crap explanation, but hope you understand what I mean.... :)
 
  • Like
Reactions: Deleted member 178
D

Deleted member 178

Thread author
Tony , to answer your question , a malware can potentially disable any AV, but for that it just have to change the registry (means the AV has been bypassed silently by the malware or let be bypassed by the user's happy clicking) , i remember a malware that disabled totally all components of Avast IS and replaced the tray icon by a fake one , so the user still think that avast was protecting.
 
  • Like
Reactions: Deleted member 21043 and Tony Cole
D

Deleted member 21043

Thread author
Tony Cole said:
With Comodo, you can right click the icon in the toolbar and it will shut Comodo down, with Kaspersky it will issue a warning before hand. Can malware easily do the same, i.e., Comodo requires no other user input it shuts the whole program down. Before in version 5 users were unable to disable Comodo via task manager, now you can. Bitdefender, Kaspersky blocks such attempts, as accessed denied, does this mean Comodo's ability to protect their files and registry keys against attacks are weaker than Kaspersky? That's a crap explanation, but hope you understand what I mean.... :)
Click to expand...

Both BitDefender and Kaspersky blocks process attack attempts via a kernel-mode driver, they return STATUS_ACCESS_DENIED from kernel-mode, which generates the Access Denied error message. It blocks Task Manager as well because it's done in kernel-mode, they don't make exceptions for any programs other than the main to terminate (they must allow the own process otherwise it won't be able to close when user wants, because when you close a program, it calls ZwTerminateProcess at a point in time).

Even the big vendors, some products can be easily manipulated, others not so easily. You can try making a driver, then make it boot before the others and from kernel-mode in that driver, clean out the drivers belonging to the installed security software (and the files, etc). Then remove the entries via registry of them to auto-start on boot also. As another example.

Yes, Comodo is more vulnerable if they do not protect their process, registry keys, files, etc. Each vendor may have different techniques. Avast use ObRegisterCallback for self protection, for example.

Cheers. ;)
 
  • Like
Reactions: Secondmineboy
Secondmineboy

Secondmineboy

Level 26
Verified
May 25, 2014
1,559
A bit Off-topic:
Big guns like Kaspersky (i dont know any other, put might be the case), are still using .NET for their AV Softwares.

Try to install Kaspersky on a machine without :NET and you get an error, the installer gives an option to install .NET, but funnily enough it never worked for me :D
 
D

Deleted member 21043

Thread author
Secondmineboy said:
A bit Off-topic:
Big guns like Kaspersky (i dont know any other, put might be the case), are still using .NET for their AV Softwares.

Try to install Kaspersky on a machine without :NET and you get an error, the installer gives an option to install .NET, but funnily enough it never worked for me :D
Click to expand...
Even if they are using .NET, they are doing important things such as self defence via kernel-mode drivers, which does not involve .NET. (and I highly doubt they use any .NET components to involve in any action of hooking).

Although, what is possible, is they have a driver and talk back to the .NET process. That's possible, and reasonable.
 
Last edited by a moderator:
  • Like
Reactions: Secondmineboy
You must log in or register to reply here.

Similar threads

silversurfer
    • +Reputation
    • Like
  • Sticky
Serious Discussion The Necessity of Simulating the Full Malware Infection Chain for Security Suite Testing
Replies
3
Views
681
General Security Discussions
harlan4096
harlan4096
lokamoka820
    • Like
New Update APT 3.0 Debian Package Manager Released with Revamped Command-Line Interface
Replies
3
Views
466
ChromeOS & Linux
Zero Knowledge
Z
nicolaasjan
    • Like
    • +Reputation
Malware News Malvertising campaign leads to info stealers hosted on GitHub
Replies
6
Views
1,134
Security News
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top