MacDefender Test #2, "Trojan" Ransomware
<blockquote data-quote="MacDefender" data-source="post: 857972" data-attributes="member: 83059"><p>As we talked about over in the Emsi vs F-Secure thread (<a href="https://malwaretips.com/threads/emsisoft-vs-eset-internet-security-vs-bitdefender-total-security-vs-f-secure-safe-2020.98083/page-2#post-857716" target="_blank">Help Me Decide - Emsisoft vs. Eset Internet Security vs. BitDefender Total Security vs. F-Secure Safe (2020)</a>), one weakness I've found in F-Secure and other behavior blockers is that the most common way to escape the behavior blocker is by using a trusted (but not super well-known) process to do your dirty work.</p><p></p><p>If you use something too popular like PowerShell or cmd.exe, behavior blockers are smart, especially thanks to AMSI. However, if you use something just mildly popular like a Node.js runtime, a copy of Cygwin/MinGW, or in this case, 7-Zip, it seems to be blanket whitelisted by behavior blockers.</p><p></p><p>This piece of fake "malware", which I'm calling TrojanZipperPOC, does this:</p><ol> <li data-xf-list-type="ol">Finds a copy of 7-Zip. It prefers "C:\Program Files\7-Zip\7z.exe", as long as you have installed a native copy of 7-Zip (e.g. 64-bit on 64-bit Windows). Otherwise it uses a 7z.exe in your current folder, which I've bundled as simply a copy of my 7-Zip folder on my development machine. Both copies of 7-Zip are official shipping versions, which means they're both signed as well as considered high-reputation by cloud lookup.</li> <li data-xf-list-type="ol">Looks for "My Documents\test" (to restrict it from being ACTUAL ransomware) and loops through every file in there.</li> <li data-xf-list-type="ol">Runs "7z.exe a -tzip -pransom -sdel FOO.encrypted FOO" for each file you have. This puts it in a zip file with the password "ransom" and instructs 7-Zip to delete the original file.</li> </ol><p></p><p>So far it's worked against both AVs I primarily use. Ouch!
I'll spin up additional VMs to test more, but if this is worth testing in the Malware Hub as a special sample, please PM me for the binaries :)</p><p></p><table style='width: 100%'><tr><td>Antimalware Program</td><td>Files in My Documents\test</td><td>Comments</td><td>Tester</td></tr><tr><td>ESET NOD32 (all heuristics set to highest, HIPS set to Smart)</td><td>ENCRYPTED</td><td></td><td>[USER=83059]@MacDefender[/USER]</td></tr><tr><td>F-Secure SAFE 17.8 Beta</td><td>ENCRYPTED</td><td>Ransomware protection is even enabled</td><td>[USER=83059]@MacDefender[/USER]</td></tr><tr><td>Symantec Endpoint Protection 14.x (latest)</td><td>ENCRYPTED</td><td></td><td>[USER=83059]@MacDefender[/USER]</td></tr><tr><td>Windows Defender Controlled Folder Access</td><td>intact!</td><td>CFA blocked anything from happening</td><td>[USER=83059]@MacDefender[/USER]</td></tr><tr><td>Emsisoft AM 2020.2</td><td>ENCRYPTED</td><td></td><td>[USER=83059]@MacDefender[/USER]</td></tr></table><p></p><p>Conclusions:</p><p></p><p>This is a really really trivial way of commandeering a known process to do your dirty work. It's not hard to trace the fact that 7z.exe was launched directly by an untrusted process, so I consider this to be a solvable vulnerability.</p><p></p><p>It wouldn't be impossible to distance the untrusted process further from 7z.exe. For example, scheduled tasks or startup items, or using a process to launch a process, etc etc etc. So consider this a dumb "5 minute" approach (that's literally how long it took for me to write this) to replicate an in-the-wild ransomware strategy.</p></blockquote><p></p>
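<p>The post's conclusion is that the 7z.exe launch itself is the detectable artifact: a signed, high-reputation archiver being told to password-protect files and delete the originals (<code>a ... -p... -sdel</code>), launched by something other than an interactive shell. The block below is an added example, not code from the post or from the TrojanZipperPOC binary, of what that detection looks like when run over process-creation telemetry. The event records are constructed, Sysmon-style dicts (field names <code>pid</code>, <code>image</code>, <code>command_line</code>, <code>parent_image</code> are a simplification of Sysmon Event ID 1); the allow-list of benign parents, the user-writable path pattern, and the inclusion of the standalone <code>7za.exe</code> console build alongside <code>7z.exe</code> are assumptions of this example. The fourth sample event models the caveat the post raises about distancing the dropper via a scheduled task: the parent becomes svchost.exe rather than the untrusted binary, so the logic keys on the command line first and uses parentage only to raise severity.</p>

```python
"""Detect 7-Zip being used as an encrypt-and-delete primitive.

Added example (not from the forum post): flags 7z.exe 'a' (add) invocations that
combine a password switch (-p<pw>) with -sdel (delete source after archiving),
which is the exact pattern described in the post. Either switch alone is common
legitimate usage and is deliberately ignored.
"""
import ntpath
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: 7z.exe (the shipped GUI/console build) and 7za.exe (standalone console build).
ARCHIVER_IMAGES = {"7z.exe", "7za.exe"}

# Assumption: interactive launchers treated as lower risk; everything else raises severity.
BENIGN_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}

# User-writable locations where a dropped first-stage binary typically lives.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    pid: int
    severity: str
    reasons: List[str] = field(default_factory=list)


def _tokens(cmdline: str) -> List[str]:
    # Windows command lines: non-POSIX mode keeps backslashes literal; strip quotes afterwards.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def assess(event: dict) -> Optional[Finding]:
    """Return a Finding if this process-creation event matches the pattern, else None."""
    if ntpath.basename(event["image"]).lower() not in ARCHIVER_IMAGES:
        return None
    tokens = _tokens(event["command_line"])
    if len(tokens) < 2 or tokens[1].lower() != "a":
        return None  # only the 'add to archive' command can encrypt and delete
    switches = {t.lower() for t in tokens[2:] if t.startswith("-")}
    has_password = any(s.startswith("-p") for s in switches)
    deletes_source = "-sdel" in switches
    if not (has_password and deletes_source):
        return None

    reasons = ["7-Zip 'a' with password (-p) and delete-after-archive (-sdel)"]
    severity = "medium"
    parent_path = event.get("parent_image", "")
    parent = ntpath.basename(parent_path).lower()
    if parent not in BENIGN_PARENTS:
        reasons.append(f"parent {parent or '<unknown>'} is not an interactive shell")
        severity = "high"
    if USER_WRITABLE.search(parent_path):
        reasons.append("parent runs from a user-writable directory")
        severity = "high"
    return Finding(event["pid"], severity, reasons)


def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (assess(e) for e in events) if f is not None]


SEVEN_ZIP = r"C:\Program Files\7-Zip\7z.exe"
# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    {   # the POC as described: dropper in Downloads drives 7z.exe directly
        "pid": 4120, "image": SEVEN_ZIP,
        "command_line": f'"{SEVEN_ZIP}" a -tzip -pransom -sdel '
                        r'"C:\Users\mac\Documents\test\report.docx.encrypted" '
                        r'"C:\Users\mac\Documents\test\report.docx"',
        "parent_image": r"C:\Users\mac\Downloads\TrojanZipperPOC.exe",
    },
    {   # password but originals kept: benign encrypted backup
        "pid": 4131, "image": SEVEN_ZIP,
        "command_line": f'"{SEVEN_ZIP}" a -tzip -pSecret backup.zip "C:\\Users\\mac\\Documents\\tax"',
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {   # -sdel without a password: log rotation from an admin shell
        "pid": 4140, "image": SEVEN_ZIP,
        "command_line": f'"{SEVEN_ZIP}" a -sdel logs.7z "C:\\logs\\*.log"',
        "parent_image": r"C:\Windows\System32\cmd.exe",
    },
    {   # same payload launched via a scheduled task: parent is svchost.exe, not the dropper
        "pid": 4155, "image": SEVEN_ZIP,
        "command_line": f'"{SEVEN_ZIP}" a -t7z -pransom -mhe=on -sdel out.7z in.pdf',
        "parent_image": r"C:\Windows\System32\svchost.exe",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"pid {finding.pid} [{finding.severity}]: " + "; ".join(finding.reasons))
```

<p>Running it flags events 4120 and 4155 as high and leaves the two legitimate uses alone. The deliberate weakness is also visible: an attacker who drops <code>-sdel</code> and deletes the plaintext in a separate step, or who uses a different archiver, slips past the command-line test, which is why this belongs alongside, not instead of, a folder-level control such as the Controlled Folder Access result in the post's table.</p>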