Raiden

Level 12
Verified
Content Creator
With all due respect, I have access to a lot of intelligence services which provide me with samples recently found in the wild - collected through numerous sources such as their own connections, honey-pots and manual hunting - and the 1,000,000+ samples I receive monthly as part of having the resources I have claim otherwise. A majority of them are targeted towards people irrespective of whether they are a home or business consumer.

The sample collections are not always completely unique. Normally, uniqueness ranges between 100,000-300,000 samples. However, that's still a lot of unique samples being recently found in the wild.

VirusTotal Intelligence is one of my favorite because of the YARA rules feature - it allows me to setup a collection of YARA rules which will be applied on VirusTotal files with real-time scanning support. In layman's terms, it allows me to find fresh samples of a particular malware family/variant if the signature still matches once that sample finds its way onto VirusTotal. Furthermore, this can be used to setup "heuristic" signatures so you can find new files which are likely going to be malicious.
No offense taken!:)(y)

Your points are valid and correct. Just to clarify my point, as I may not have made it clear and I apologize for that.

It is not to say that home users do not get infected, nor is it to say that hackers don't create malware for general purposes with no specific target, it was more to highlight that home users aren't the subject of advanced targeted attacks that businesses and governments are. With improvements to the overall security of Windows, browsers, etc... home users are far better off than what it used to be like. More often than not home users are infected because of what they were doing (i.e. opening email attachments, downloading cracks/pirated software, clicking on ads, etc...), not because hackers decided to employ an advanced attack on them. So when I say that the landscape is changing, it is because hackers save their best tools for business and governments, not home users, as it will be found far more quickly if they did. Also if you look at it, hackers wanting to steal someone's CC info probably won't waste their time trying to infect home users one by one; instead they will either break into the vendor's network and steal it, or they will hijack the website, thus stealing the info as the user types it in, meanwhile no security product on the home user's computer can stop/prevent this. It's why I said it's all about efficiency for them.

In light of the topic of this thread I do believe that for the most part home users practicing safe habits will probably never get infected. Doesn't mean it still cannot happen, but the chances will be very low IMO. Therefore yes I do think that it's still better to be safe than sorry to have an AV for home users, but one may not need those massive suites, or 100 security programs/extensions to keep them safe, as they will never be subject to the same type of malware attacks that businesses are, well at least that's how I feel.;)
 
Last edited:

Andy Ful

Level 44
Verified
Trusted
Content Creator
With all due respect, I have access to a lot of intelligence services which provide me with samples recently found in the wild - collected through numerous sources such as their own connections, honey-pots and manual hunting - and the 1,000,000+ samples I receive monthly as part of having the resources I have claim otherwise. A majority of them are targeted towards people irrespective of whether they are a home or business consumer.
...
The target mostly depends on the attacker's intentions and may be independent of the concrete malware. Most malware can be used both in attacks against home and business consumers, but from this it does not follow that they will be used in this way. The more important thing is the payload delivery method - if it is widespread (massive and not targeted spam attack) then the payload will finally attack the home users. If not, then the payload will be used in the targeted attack.
Do the intelligence services provide you with information on how often the samples were used in targeted attacks or widespread attacks?
 

SearchLight

Level 8
Verified
I have understood you well, but these three buttons are prepared to apply only the initial setup, and the users can adjust some settings in many ways. If you have DEFAULT setup and will set to ON one ASR rule, that will also make your setup not DEFAULT, not HIGH, and not MAX. The same will happen with HIGH or MAX if the user will change any single setting.
Your idea would make sense if there will be only those three buttons without the possibility to tweak the options. (y)

Being more of a newbie with CWD, I am comfortable just using HIGH settings button whatever that configures. I would leave the granular adjustments to the more advanced people here:).
Imo HIGH alone makes a difference based on your expert selections which I trust.
 

Opcode

Level 1
Do the intelligence services provide you with information on how often the samples were used in targeted attacks or widespread attacks?
No, however we have our own intelligence which allows us to know more about such statistics. Not always, but sometimes.

We also have our own in-house techniques - we did not invent the techniques obviously but I am referring to the act of applying them - and three examples would be: e-mail accounts intentionally set up to be targeted by campaigns; tracking uploads on file sharing services; and honey-pots which attackers inevitably locate and then try to infect without knowing it's a trap (we use Linux as well as Windows for this).
 

Andy Ful

Level 44
Verified
Trusted
Content Creator
No, however we have our own intelligence which allows us to know more about such statistics. Not always, but sometimes.

We also have our own in-house techniques - we did not invent the techniques obviously but I am referring to the act of applying them - and three examples would be: e-mail accounts intentionally set up to be targeted by campaigns; tracking uploads on file sharing services; and honey-pots which attackers inevitably locate and then try to infect without knowing it's a trap (we use Linux as well as Windows for this).
Yes, these are the common malware sources. But, such malware samples are usually nothing new from the viewpoint of advanced techniques applied by modern AVs. Most of them are reused & modified malware samples which were used already in targeted attacks in the past. The best method of bypassing AV protection is using scripts & exploits:
[attachment 216659]



But, new exploits are rarely used in the widespread attacks (see the above article about software exploits) up to one month from disclosing the vulnerability. So, exploits are not so dangerous for home users who update system/software regularly. The opposite is true for organizations and enterprises because they avoid frequent updates.
Still, the problem of scripts remains because they are commonly used also in the widespread attacks and they are not well detected by AVs. Many people on the MT forum recommend blocking/restricting scripts by using SysHardener, OSA, H_C (Windows built-in SRP), or installing/configuring an AV which can block/restrict scripting.
In Windows Defender the Windows native scripts can be restricted by enabling ASR rules - yet, this will not restrict scripts introduced via Java or Python engines.
 
Last edited:
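The ASR approach mentioned in the post above, as an added example that is not from the thread or from any of the tools named in it: the two Defender ASR rules that target Windows-native script abuse are staged in audit mode first, then (optionally) enforced, and the current state of those rules is read back. The rule GUIDs are the ones Microsoft publishes in its ASR rules reference and should be checked against that reference before deployment; the cmdlets are the standard Defender module cmdlets. As the post says, these rules do not restrict scripts run through Java or Python engines, which is why the code only claims to cover the Windows script hosts.

```powershell
# Added example (not from the thread): restrict Windows-native script abuse with
# two Microsoft Defender ASR rules, staged through audit mode before enforcing.
# Run in an elevated PowerShell on Windows 10/11 with Defender Antivirus active.

# Rule IDs as documented in Microsoft's ASR rules reference; verify against the
# current reference before rolling out.
$scriptRules = @{
    # Block execution of potentially obfuscated scripts
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Obfuscated scripts'
    # Block JavaScript or VBScript from launching downloaded executable content
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'JS/VBS launching downloaded executables'
}

function Set-ScriptAsrRules {
    param(
        [ValidateSet('AuditMode', 'Enabled', 'Disabled')]
        [string]$Action = 'AuditMode'
    )
    foreach ($id in $scriptRules.Keys) {
        # Add-MpPreference merges with rules already configured instead of replacing them
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Action
        Write-Host ("{0,-10} {1}  ({2})" -f $Action, $id, $scriptRules[$id])
    }
}

function Show-ScriptAsrRules {
    # Ids and Actions are parallel arrays in the Defender preferences object
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if (-not $scriptRules.ContainsKey($ids[$i])) { continue }
        $label = switch ($actions[$i]) {
            0       { 'Disabled' }
            1       { 'Block' }
            2       { 'Audit' }
            6       { 'Warn' }
            default { "Unknown($_)" }
        }
        [pscustomobject]@{
            RuleId  = $ids[$i]
            Meaning = $scriptRules[$ids[$i]]
            Action  = $label
        }
    }
}

# 1. Stage in audit mode. Audit hits are logged as Event ID 1122 (blocks as 1121) in
#    Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational.
Set-ScriptAsrRules -Action AuditMode

# 2. After a quiet audit period with no legitimate scripts flagged, enforce:
# Set-ScriptAsrRules -Action Enabled

Show-ScriptAsrRules
```

Running in audit mode first matters for home users with odd installers or admin scripts: the 1122 events show what would have been blocked without breaking anything, and only once that log is clean is the switch to `Enabled` made.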

Opcode

Level 1
But, such malware samples are usually nothing new from the viewpoint of advanced techniques applied by modern AVs. Most of them are reused & modified malware samples which were used already in targeted attacks in the past.
But, new exploits are rarely used in the widespread attacks (see the above article about software exploits) up to one month from disclosing the vulnerability. So, exploits are not so dangerous for home users who update system/software regularly. The opposite is true for organizations and enterprises because they avoid frequent updates.
This isn't about whether the techniques applied in the malware samples are new or rarely used and whether the attack chain involves a zero-day exploit. My comment was in regards to @Raiden who later clarified what they were intending to say and then the confusion was cleared up.

Whether malware samples are using new or old techniques is irrelevant. The fact of the matter is that there is a lot of malware out there aimed at home users in 2019, even if people do not want to believe it.

Malware authors know that home users go on the internet looking to download pirated software/cracks, many will interact with "free download" advertisements when they aren't using an ad-blocker, and that mass-email campaigns for spreading malicious documents are still successful in spreading malware to home users.

We should go back to the original topic of the thread because we've gone off-topic too much now.
 

Andy Ful

Level 44
Verified
Trusted
Content Creator
...
3. Hackers in general have changed their approach. Home users really aren't the target anymore. Hackers IMO are being more selective and their primary focus is to attack and infect businesses and governments. While home users can still get infected, it's largely due more to poor habits than anything.
...
This isn't about whether the techniques applied in the malware samples are new or rarely used and whether the attack chain involves a zero-day exploit. My comment was in regards to @Raiden who later clarified what they were intending to say and then the confusion was cleared up.
....
We should go back to the original topic of the thread because we've gone off-topic too much now.
Our posts are not in contradiction but show a more complete picture. Your posts were focused on clarifying that home users can still be targets in widespread attacks. My posts were focused on showing why these widespread attacks will not be so dangerous for home users who installed a good AV, but can still be dangerous for enterprises and organizations.
Our posts are not off-topic because they support the conclusion of the usefulness of AVs. (y)
 

Local Host

Level 17
Verified
This isn't about whether the techniques applied in the malware samples are new or rarely used and whether the attack chain involves a zero-day exploit. My comment was in regards to @Raiden who later clarified what they were intending to say and then the confusion was cleared up.

Whether malware samples are using new or old techniques is irrelevant. The fact of the matter is that there is a lot of malware out there aimed at home users in 2019, even if people do not want to believe it.

Malware authors know that home users go on the internet looking to download pirated software/cracks, many will interact with "free download" advertisements when they aren't using an ad-blocker, and that mass-email campaigns for spreading malicious documents are still successful in spreading malware to home users.

We should go back to the original topic of the thread because we've gone off-topic too much now.
The malware you speak of is basic, compared to the malware that is targeted at organizations; no one is going to waste 0-days and signed malware on Home Users (it's a waste of resources, for an attack that will be successful a limited number of times before being detected, especially with all the cloud tech).

It's safe to say the malware Home Users run into (even in pirated software) is not only basic, but weeks/months old (in most cases years old), so any basic AV will protect them (just having software updated is enough to mitigate most exploits).

Scripts can only do so much as well, their payloads tend to be easily detected, and behaviour blockers (like the ones in Kaspersky) can detect the malicious changes and revert them (just have a look at a malware hub if you want a live example, despite everyone trying to scare you about script attacks).
 
Last edited:

Opcode

Level 1
The malware you speak of is basic, compared to the malware that is targeted at organizations
You do not have access to the sample set therefore you cannot comment on the quality of the samples.

Ran into a win32k.sys kernel exploit a few months ago which was being actively used as part of a malware campaign targeting business consumers. This is irrelevant to home consumers, but thought I'd drop this here. I see more Adobe and Microsoft Office exploits for business campaigns.

My job revolves around implementing protection mechanisms to defend against malware attacks (behavioral-based technology is an example), reverse-engineering malicious software - irrespective of home or business targeting - and tracking APT groups.
 
Last edited:

Local Host

Level 17
Verified
You do not have access to the sample set therefore you cannot comment on the quality of the samples.

Ran into a win32k.sys kernel exploit a few months ago which was being actively used as part of a malware campaign targeting business consumers. This is irrelevant to home consumers, but thought I'd drop this here. I see more Adobe and Microsoft Office exploits for business campaigns.

My job revolves around implementing protection mechanisms to defend against malware attacks (behavioral-based technology is an example), reverse-engineering malicious software - irrespective of home or business targeting - and tracking APT groups.
You're just proving my point further, read the whole quote next time.
 

Opcode

Level 1
(just have a look at a malware hub if you want a live example, despite everyone trying to scare you about script attacks)
I do not need to use the malware hub. I already have the samples found in the malware hub. They are uploaded to VirusTotal which means I have access to them.

You're just proving my point further, read the whole quote next time.
Anything you mention about the quality of my sample set is pure speculation because you do not have access to it, period.

As for my comment about the win32k.sys exploit, I thought it'd be interesting to you given you're referring to zero-day exploits. In itself, it isn't a response to anything you've previously said.

I thought I'd clarify for you.
 
Last edited:

Andy Ful

Level 44
Verified
Trusted
Content Creator
Still, it is interesting to ask:
Does a user without AV have a good chance to be uninfected for some years?
I think that the answer can be positive for a reasonable and cautious user. Why?
Because in fact, she/he is protected by AVs of people around.
  1. If your friend has installed any AV, the files on the shared USB drive were checked by her/his AV.
  2. If you download from the Internet some installers of the popular applications, you are protected by Google website ranking which shows the popular (pretty much safe) websites. Furthermore, you usually land on websites like Softpedia, Majorgeeks, etc., which check the installers with AVs.
  3. If you browse the Internet, you are protected by Google website ranking and anti-phishing web browser feature (for example SmartScreen in Edge).
  4. etc.
This can work as long as most people use AVs and the user does not perform risky/unsafe tasks. (y):giggle:

Edit.
An important amount of luck is welcome too.
 
Last edited:

Opcode

Level 1
Does a user without AV have a good chance to be uninfected for some years?
It depends on the user operating the machine.

Click-happy users will inevitably become infected sooner or later and no AV will be able to detect 100% of malware (whether statically or dynamically) so if you put enough samples up against a default-allow AV, the AV will eventually miss samples.

Home users could be much safer if more agreed to learn about how to keep themselves safe but more often than not, they aren't going to spend the necessary time becoming educated. Many are simply uninterested in learning about cyber-security. As a result of this, many remain vulnerable to malicious downloads from untrustworthy websites and malicious e-mail attachments, which I would say are the two biggest entry-points a home user should be concerned about these days (and depending on your location, infected removable media).

People spreading malware can spread it through e-mails very quickly because there are very large leak dumps online of people's e-mail addresses and most of them are going to still be valid. Many people whose e-mail addresses have been leaked in leak dumps available on torrent websites are not even going to be aware that they have been leaked.

Unrelated to malicious software, money extortion is a relatively common attack against home users nowadays. When an attacker has a large collection of e-mail addresses, they can mass-spam warnings to innocent home users claiming that they have some sort of "dirt" on them and will leak it unless a payment is made. Even though many people catch onto it being fake or ask about it on online forums, many are still going to believe that they have been recorded through their web-cam and will pay the extortion money.

Your AV might have an anti-spam module which might be able to thwart the aforementioned money extortion attempt through e-mail, or similar scams.