App Review More Fun with Ransomware Part 2

cruelsister,

On Wilders you mentioned that CIS, when it auto-sandboxes keyloggers, automatically blocks the keylogger's connection. Is this something new? I have never heard or read this about CIS.
No - that was about CCAV, where the default level of the sandbox is elevated above the default level seen in CIS and CF (Partially Limited). With CF (or CIS) a person would need the Firewall tweak (stop sandboxed apps from connecting out - similar to the Sandboxie tweak) or else just increase the sandbox level to Untrusted to stop it cold (like what an anti-exe will do for you).
So you mean CCAV automatically blocks connection for autosandboxed keyloggers?

Would love to see a test on this by you.
Thanks cruelsister for bringing this up to our attention. Do you think all typical AVs 'need' to up their ante in order to stop true zero-day malware, i.e., employ virtualization? I think the issue is usability, i.e., how many home users just install an AV and scan. When something happens they don't have a clue; that's why Kaspersky leaves "trust digitally signed applications" checked.
Thanks a lot cruelsister for the sample. On top of the ransomware activity, there is network activity to us.clevermining.com and also traffic to ad networks, which indicates it is also a bitcoin miner and clickfraud bot.
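One way to turn sandbox observations like the ones in that post into a repeatable triage check, as an added example that is not code from the thread or any product discussed in it: it tags a process as ransomware, miner and/or clickfraud from constructed sandbox event lines. The event lines, thresholds, Stratum port list and ad-network suffixes are constructed assumptions; only the us.clevermining.com domain comes from the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sandbox event lines (not from the thread): "<pid> <type> <detail>"
SAMPLE_EVENTS = """\
1204 FILE_RENAME C:\\Users\\User\\Documents\\report.docx -> report.docx.vvv
1204 FILE_RENAME C:\\Users\\User\\Documents\\budget.xlsx -> budget.xlsx.vvv
1204 FILE_RENAME C:\\Users\\User\\Pictures\\img01.jpg -> img01.jpg.vvv
1204 FILE_WRITE C:\\Users\\User\\Documents\\HELP_RESTORE_FILES.txt
1204 DNS us.clevermining.com
1204 CONNECT 203.0.113.10:3333
1204 HTTP http://ads.example-network.test/click?id=1
1204 HTTP http://ads.example-network.test/click?id=2
1204 HTTP http://tracker.example-ads.test/imp?cid=9
"""

MINING_POOL_DOMAINS = {"us.clevermining.com"}      # domain named in the thread
MINING_PORTS = {3333, 4444, 14444}                  # common Stratum ports (assumption)
AD_NETWORK_SUFFIXES = ("example-network.test", "example-ads.test")  # constructed list

def tag_behaviours(event_text, rename_threshold=3, adclick_threshold=3):
    """Return {pid: set of behaviour tags} from '<pid> <type> <detail>' lines."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in event_text.splitlines():
        if not line.strip():
            continue
        pid, kind, detail = line.split(" ", 2)
        s = stats[pid]
        if kind == "FILE_RENAME":
            # Original name kept with a new extension appended: typical encryptor pattern
            src, dst = [p.strip() for p in detail.split("->")]
            if dst.startswith(src.rsplit("\\", 1)[-1] + "."):
                s["ext_appended"] += 1
        elif kind == "FILE_WRITE" and re.search(r"(restore|decrypt|recover).*\.(txt|html)$", detail, re.I):
            s["ransom_note"] += 1          # ransom-note style filename dropped on disk
        elif kind == "DNS" and detail in MINING_POOL_DOMAINS:
            s["mining_dns"] += 1
        elif kind == "CONNECT" and int(detail.rsplit(":", 1)[1]) in MINING_PORTS:
            s["mining_port"] += 1
        elif kind == "HTTP":
            host = urlparse(detail).hostname or ""
            if host.endswith(AD_NETWORK_SUFFIXES):
                s["ad_requests"] += 1      # repeated ad/tracker hits with no browser = clickfraud hint
    tags = {}
    for pid, s in stats.items():
        t = set()
        if s["ext_appended"] >= rename_threshold or s["ransom_note"]:
            t.add("ransomware")
        if s["mining_dns"] or s["mining_port"]:
            t.add("miner")
        if s["ad_requests"] >= adclick_threshold:
            t.add("clickfraud")
        tags[pid] = t
    return tags
```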
Guys, may I ask a question? Since Tesla is a .js file (I think), if I uninstalled Java, it can't run, right? And it can't do damage, right? Thank you.
Dirk - Although Tesla may be carried by a JavaScript file (as in an exploit), the malware itself is just a regular exe that does not need any scripting engine to work. So if you run Tesla on a system without Java you will still be screwed.
 
Lock-Down Mode - block execution of any ransomware

Protected (Medium) Mode - block execution of all unsigned ransomware; digitally signed ransomware will execute and encrypt the C:\ProgramData and C:\Users\User directories. The ransom file can perform other actions in those directories depending on what it was coded to do.

I am still searching for digitally signed ransomware to verify.
Bumping this thread! :D

Based on BRN's whitepaper, Medium Mode (earlier version of AppGuard 4) would still not allow ransomware (CryptoLocker in the whitepaper) to encrypt any files, because AppGuard would prevent its operation in the registry and other areas.

I tried looking for the link of this whitepaper, but I cannot find it anymore. Fortunately, I saved a copy of it. :)

"Figure 2 below shows AppGuard allowing CryptoLocker to run in a simulated digital signature-stolen scenario.
Even though CryptoLocker is running, AppGuard contains it so that it cannot make changes to harm the system.
AppGuard’s containment prevents CryptoLocker and other malware from harming the system no matter what
privileges the user has on the computer. Since AppGuard contains and isolates CryptoLocker in runtime, it
cannot continue to operate; it is crippled, and no longer will be an effective threat to the computer." - AppGuard® From Blue Ridge® Stops CryptoLocker
Yes. You are correct. I will delete my post because of the incorrect info.