App Review Microsoft Defender vs Magniber

[Andy Ful]

I think that will defeat the point of having "Real-time protection".

Yes, it can fail for some files. To be sure, one has to always perform a manual scan on the MSI sample and if detected then allow Defender to make actions. I noticed, that this can be sometimes necessary also after unpacking the MSI sample with Windows built-in unpacker.

 

[Andy Ful]

The Defender's horror of testing many MSI samples.

I tried to test 76 MSI samples packed in one archive.

1. Unpacking the archive with enabled real-time protection failed.
2. I disabled real-time protection and unpacked the archive into a separate folder. After enabling the real-time protection and performing the manual scan of this folder, Defender worked hard for many minutes. I saw several alerts and started the Defender actions without much progress.
3. After half an hour, I restarted the system, but this did not help too.
4. Finally, I gave up.

In the real world, Defender is OK when one remembers to do a manual scan of the MSI file before executing it. But, testing many samples located in one folder is probably impossible.

Edit (no subfolders).
There is a kinda solution:

1. Disable real-time protection and unpack samples to the folder (no subfolders).
2. Upload this folder to OneDrive.
3. Download the folder from OneDrive (online) to the disk.

You will see a ZIP archive that contains the folder. There will be some undetected samples and many .txt files (every txt file includes info about the detection event).
When downloading files from OneDrive, they are checked by the online service (not by Defender installed on the computer).

 

[wat0114]

The Defender's horror of testing many MSI samples.



Edit.
There is a kinda solution:

1. Disable real-time protection and unpack samples to the folder.
2. Upload this folder to OneDrive.
3. Download the folder from OneDrive (online) to the disk.

Good grief, I'd be too lazy to embark on this kind of song and dance. Good thing I'm not a malware tester

 

[SeriousHoax]

I was talking to former MT member "McMcBrad" about it, and he told me that this behavior of MD related to MSI files is nothing new, and it's been like this since the days of Microsoft Security Essentials.
He said:

So yes, that's how it is and may not change unless Microsoft sees a lot of MSI malware hurting their Enterprise customers.
So, as Andy said, if you're suspicious of a MSI file, then scan it prior to running to make sure it's safe.

 

[Andy Ful]

I would like to notice that the tested samples were probably actively distributed in a short time and replaced by other samples after a few hours or maybe a day. We do not know the protection of most AVs against the Magniber in this period (active period) - there were signals from other sources that protection was generally poor (with a few exceptions).

By using VirusTotal we can usually know the detections from the period when most of these samples were already dead (replaced in the wild by other samples). In other words, we know how the United States in XXI century is protected against the Persian army of Darius the Great. But, this can give us only a little information on how the United States is protected against ISIS.

 

[ForgottenSeer 94943]

With this quality you don't even need to post, in full 2022 at 480p?

Well, it is not a movie. I believe the video achieved its purpose.

 

[Kiss]

This has already turned into a war between the defenders of WD and the haters, time to change the personal disk

 

[oldschool]

This has already turned into a war between the defenders of WD and the haters, time to change the personal disk

All of these discussions must be seen in not only in terms of specifics of the subject at hand, e.g. Magniber, other specific malware cases, etc. but also in the much broader context, i.e. how likely is an encounter with one of these for the home user? In the end, it doesn't matter since most people won't.

I just sit back and enjoy the back and forth, taking what I find valuable and leaving the rest.

 

[Andy Ful]

This has already turned into a war between the defenders of WD and the haters, time to change the personal disk

I did not notice any haters.
Most of the objections are valid for Defender and some for many AVs too.
The differences in opinions are related to the impact on users' security. There is no available data to confirm who is closer to the truth.

 

[oldschool]

I did not notice any haters.

Nor did I.

 

[Andy Ful]

Some more information about the CPL variant (translated from the Korean language):

The ESRC has on several occasions called for caution against Magniber ransomware, which is being circulated through typosquatting. Typosquatting is when a user enters a domain address incorrectly or misspelles, registers the relevant domain in advance, and then uses that domain to attack with relatively few targets.

And recently, Magniber ransomware has been circulating to a large number of unspecified users by hacking into ad servers, requiring the extra attention of users. The attack was primarily carried out through ad servers embedded in websites that provide services such as watching videos or downloading files in an unlawful manner. Homepages that operate in an unlawful manner are exposed in a variety of ways because they earn income from illegal advertising.

In the course of using the services on these websites, users may intentionally or inadvertently click on advertisements to access the ad server. Every time a user clicks on an ad, the ad page is randomly accessed, and if the user connects to a hacked ad server, a file with the name Antivirus.Upgrade.Database.Cloud in the user's browser is automatically downloaded.

See more (use the translate feature):

해킹된 광고 서버를 통해 불특정 다수에게 유포중인 매그니베르 랜섬웨어 주의!

안녕하세요? 이스트시큐리티 시큐리티대응센터(이하 ESRC)입니다. ESRC는 여러차례 타이포스쿼팅 방식을 통해 유포되는 매그니베르 랜섬웨어에 대해 주의를 당부한 바 있습니다. 타이포스쿼팅이란 사용자가 도..

blog.alyac.co.kr

 

[Andy Ful]

Giwisin - a more sophisticated and more targeted brother of Magniber MSI ransomware.

The cases of Gwisin ransomware attacking Korean companies are recently on the rise. It is being distributed to target specific companies. It is similar to Magniber in that it operates in the MSI installer form. Yet unlike Magniber which targets random individuals, Gwisin does not perform malicious behaviors on its own, requiring a special value for the execution argument. The value is used as key information to run the DLL file included in the MSI.

As such, the file alone does not perform ransomware activities on security products of various sandbox environments, making it difficult to detect Gwisin. The ransomware’s internal DLL operates by being injected into a normal Windows process. The process is different for each infected company.

https://asec.ahnlab.com/en/37483/

For now, the Magniber and Giwisin target mostly the countries around Korea, but this can change in the future due to the high efficiency of the MSI attack vector.

 

[Andy Ful]

@cruelsister,

Do you recall if Controlled Folder Access blocked Magniber from deleting shadow volume copies? The video can suggest that it protected shadow copies, but we cannot be sure:

 

[wat0114]

So, as Andy said, if you're suspicious of a MSI file, then scan it prior to running to make sure it's safe.

Makes sense, I guess using Andy's suggested method from his post #73?

Simply after downloading/unpacking the sample, one has to manually perform Defender's scan on this sample and follow the Defender alert to clean the threat.
You can use another sample that is undetected even with this manual scan:
33211a8202f4ad33f01cd90c6b1f51068a84ace5dd85a891efe5e6c210b0e7ef.msi

 

[cruelsister]

Controlled Folder is shown to be active at 2:14. As to Shadow copies, a similar variant was shown to delete (vssadmin) them at the 1:30 mark of the AppCheck Overview video (and at 2:08 of that same video WF was shown to be disabled by the malware). And although it wasn't asked, at 1:16 of the Defender and VirusTotal video UAC alerted to Task manager starting which is only done with UAC at Max. UAC did not, however alert to the malware.

 

[ForgottenSeer 95367]

This has already turned into a war between the defenders of WD and the haters, time to change the personal disk

There is always the notion that Microsoft does not do enough to secure Windows users. Incompetence? Negligence? Willful disregard? Disorganization? Or whatever other negative terminology one wishes to apply to a situation like TrustedInstaller and Magniber. There are similar cases or instances where the same can be said of any security software provider.

I'm just surprised that so many people think the security problems associated with msiexec are new ones.

I did not notice any haters.

The words bashing and hating are two of the most abused words online. When people feel strongly about a product, when any criticism of that product is levied, the claims of hating and bashing soon follow. Unfortunately, such behavior is part of the online territory.

 

[wat0114]

I just sit back and enjoy the back and forth, taking what I find valuable and leaving the rest.

oldschool,

you are an esteemed member of this forum, and I for one would like to see you post more of your opinions rather than just just sitting back

Edit

please don't take this as a demand, it's just I value your opinions

 

[franz]

This has already turned into a war between the defenders of WD and the haters, time to change the personal disk

I do not see any haters. Different opinions and approaches are important, it brings us forward.

 

[oldschool]

oldschool,

you are an esteemed member of this forum, and I for one would like to see you post more of your opinions rather than just just sitting back

Edit

please don't take this as a demand, it's just I value your opinions

Very kind of you to say, but the reason I don't post more in these more technical malware threads is that I don't test malware nor do I possess much of the tech knowledge that goes with it.

 

[vtqhtr413]

I believe this question has been asked and answered somewhere in this forum but I'll ask it again as my memory betrays me, an individual would not be attacked by multiple malware as in the test presented by cruelsister I assume, that is probably done for expediency but if they were taken on one at a time would the security soft and the machine have a better chance at success?