App Review My own "ransomware" vs Windows Defender


struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
There has been ransomware using zip archives and LOLbins before, e.g. Bart ransomware (creates zip archives) and CrypVault (uses GnuPG.exe). Those are not more or less difficult in regard to detection. It being newly written from scratch probably plays the biggest role in bypassing AV. There is still code that calls the LOLbins. There is still behaviour that can be detected as suspicious. Using clean software doesn't suddenly taint everything else as clean too.
 

bayasdev

Level 19
Thread author
Verified
Top Poster
Well-known
Sep 10, 2015
901
There has been ransomware using zip archives and LOLbins before, e.g. Bart ransomware (creates zip archives) and CrypVault (uses GnuPG.exe). Those are not more or less difficult in regard to detection. There is still code that calls the LOLbins. There is still behaviour that can be detected as suspicious. Using clean software doesn't suddenly taint everything else as clean too. It being newly written from scratch probably plays the biggest role in bypassing AV, not the means by which it encrypts.
The first victim will probably get infected, but the AV's cloud system will probably flag suspicious activity from the parent process and get it blocked by signatures. A software solution that prevents changes to userspace folders will block it, at the cost of the user getting lots of popups every time he edits or creates a file legitimately.
 

Vitali Ortzi

Level 22
Verified
Top Poster
Well-known
Dec 12, 2016
1,148
There has been ransomware using zip archives and LOLbins before, e.g. Bart ransomware (creates zip archives) and CrypVault (uses GnuPG.exe). Those are not more or less difficult in regard to detection. It being newly written from scratch probably plays the biggest role in bypassing AV. There is still code that calls the LOLbins. There is still behaviour that can be detected as suspicious. Using clean software doesn't suddenly taint everything else as clean too.
Malware has been using LOLbins since forever!
But every sample is welcome.
 

bayasdev

Level 19
Thread author
Verified
Top Poster
Well-known
Sep 10, 2015
901
That's not how it works ;)
I know an AV has kernel hooks/drivers to monitor everything that's going on in the system, and some even use W10 AMSI for script/PowerShell malware, but most of them are by default turned down to lower the FP rate (ESET IS), and others lack a proper implementation, AKA behavior blocker technology. I remember Emsisoft's behavior blocker getting bypassed by calling a legitimate file present in the system, and then it got updated.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
I know an AV has kernel hooks/drivers to monitor everything that's going on in the system, and some even use W10 AMSI for script/PowerShell malware, but most of them are by default turned down to lower the FP rate (ESET IS), and others lack a proper implementation, AKA behavior blocker technology. I remember Emsisoft's behavior blocker getting bypassed by calling a legitimate file present in the system, and then it got updated.

I believe we use terminology differently and that's the actual misunderstanding here (regarding cloud and signatures). Yes, I agree, certain heuristics can be more prone to false positives and may need a higher threshold to flag this as malware. The ability to monitor behaviour is also probably very different for every AV product, so some will see more events than others. That may give this ransomware a head start with certain products in regard to behaviour monitoring.
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779

I did something very similar. Other than Kaspersky (partial protection), almost every other AV had difficulties with this sample. Zero-day ransomware's best chance at success is by leveraging a whitelisted runtime or encrypting tool.

It is a technique we've seen in the wild throughout history, but worth remembering that even state-of-the-art behavior blockers struggle with it.
 

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Heuristics have the issue that ransomware behaviour is not distinguishable from e.g. backup software that saves space by compressing files. Compression looks just like encryption, it raises the entropy. Renaming lots of files at once is not malicious, nor is encryption or compression. These actions only become malicious in context. So most of the time there needs to be something additional like anti-AV features, UAC bypass features, shadow copy deletion, certain ransom note keywords, code injection.

If you create a bare ransomware from scratch just using the encryption portion and no additional features, there is no way to detect it with heuristics without also flagging legitimate software.
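As an added example (not from the thread or any product), the entropy point above in code: the same document compressed and "encrypted" both land near 8 bits per byte, so an entropy-only file-write heuristic fires on a space-saving backup exactly as it would on ransomware. The vocabulary, the generated document and the use of random bytes to stand in for ciphertext are constructed for this example.

```python
import math
import os
import random
import zlib
from collections import Counter

# Constructed vocabulary; random word order gives the text real information
# content, so deflate cannot squeeze it down to a handful of bytes.
WORDS = ("invoice quarter revenue forecast meeting budget region attached "
         "report summary client contract review approved pending total "
         "customer payment schedule delivery update notes draft final").split()

def constructed_document(n_words: int = 5000, seed: int = 7) -> bytes:
    """Deterministic English-like text standing in for a user's document."""
    rng = random.Random(seed)
    return " ".join(rng.choice(WORDS) for _ in range(n_words)).encode()

def shannon_entropy(data: bytes) -> float:
    """Zero-order Shannon entropy in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """The naive rule an entropy-only heuristic applies to every written file."""
    return shannon_entropy(data) >= threshold

def entropy_comparison(doc: bytes = b"") -> dict:
    """Entropy of one document as plaintext, after zlib compression (what a
    space-saving backup tool writes) and as random bytes standing in for
    ciphertext: a sound cipher's output is indistinguishable from random, so
    os.urandom models it here without needing a crypto library."""
    doc = doc or constructed_document()
    return {
        "plaintext": shannon_entropy(doc),
        "compressed": shannon_entropy(zlib.compress(doc, 9)),
        "encrypted": shannon_entropy(os.urandom(len(doc))),
    }

if __name__ == "__main__":
    for label, bits in entropy_comparison().items():
        verdict = "flagged" if bits >= 7.0 else "clean"
        print(f"{label:10s} {bits:.2f} bits/byte -> {verdict}")
```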
 

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Heuristics have the issue that ransomware behaviour is not distinguishable from e.g. backup software that saves space by compressing files. Compression looks just like encryption, it raises the entropy. Renaming lots of files at once is not malicious, nor is encryption or compression. These actions only become malicious in context. So most of the time there needs to be something additional like anti-AV features, UAC bypass features, shadow copy deletion, certain ransom note keywords, code injection.

If you create a bare ransomware from scratch just using the encryption portion and no additional features, there is no way to detect it with heuristics without also flagging legitimate software.

Yeah, really the main thing you can go by is the idea of a low-reputation binary modifying files, especially in My Documents and other user-valuable paths. This is how most behavior blockers identify ransomware, and when a low-reputation EXE is doing that work itself, that is an easy rule to write. Kaspersky and Emsisoft simply halt such an application mid-act and give you a few seconds to answer whether or not you expected it to be doing this. Others automatically terminate the application but give you an option to whitelist it and try again.

This proactive technique breaks down for scripts (difficult to measure reputation) and when you use another binary that's well-trusted to do your dirty work for you.

For the latter, I think the right answer is enhancing behavior blockers to account for "who started this application?" and if it's an untrusted process, consider the child process untrustworthy too.
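An added example (not from the thread or any product) of the "who started this application?" rule proposed above, combined with the low-reputation-EXE-rewrites-user-files rule: a toy behaviour blocker that lets a user-launched archiver rewrite documents but blocks the same archiver when an unknown downloaded EXE is its parent. The reputation table, paths, pids and the 20-file threshold are constructed.

```python
# Constructed reputation table standing in for a cloud lookup: signed, widely
# seen binaries are "trusted"; a freshly downloaded EXE has no history yet.
REPUTATION = {
    r"C:\Windows\explorer.exe": "trusted",
    r"C:\Program Files\7-Zip\7z.exe": "trusted",       # legitimate archiver
    r"C:\Users\alice\Downloads\setup.exe": "unknown",  # never seen before
}
USER_VALUABLE = (r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures")
MASS_WRITE_THRESHOLD = 20   # distinct user files rewritten by one process

class AncestryBlocker:
    """Toy behaviour blocker: a process is trusted only if its own image and
    every ancestor are trusted, so a clean archiver started by an unknown EXE
    is judged by the EXE that started it, not by its own signature."""
    def __init__(self) -> None:
        self.trusted: dict = {}        # pid -> effective trust
        self.user_writes: dict = {}    # pid -> set of user paths rewritten
        self.blocked: list = []
    def on_start(self, pid: int, ppid: int, image: str) -> None:
        own_ok = REPUTATION.get(image) == "trusted"
        parent_ok = self.trusted.get(ppid, True)   # unseen parent: tree root
        self.trusted[pid] = own_ok and parent_ok
    def on_write(self, pid: int, path: str) -> str:
        """Alert text when an untrusted tree mass-rewrites user files, else ''."""
        if pid in self.blocked or not path.startswith(USER_VALUABLE):
            return ""
        touched = self.user_writes.setdefault(pid, set())
        touched.add(path)
        if len(touched) >= MASS_WRITE_THRESHOLD and not self.trusted.get(pid, False):
            self.blocked.append(pid)   # a real blocker would suspend the process here
            return f"BLOCK pid={pid}: {len(touched)} user files rewritten by untrusted tree"
        return ""

def scenario() -> list:
    """Constructed telemetry: a user-launched 7z backup, then the same 7z.exe
    launched by an unknown downloaded EXE, each rewriting 25 documents."""
    docs = [rf"C:\Users\alice\Documents\report{i}.docx" for i in range(25)]
    seven_zip = r"C:\Program Files\7-Zip\7z.exe"
    events = [("start", 4, 0, r"C:\Windows\explorer.exe"), ("start", 10, 4, seven_zip)]
    events += [("write", 10, p) for p in docs]                  # legitimate backup
    events += [("start", 20, 4, r"C:\Users\alice\Downloads\setup.exe"),
               ("start", 30, 20, seven_zip)]                    # archiver under unknown EXE
    events += [("write", 30, p) for p in docs]
    return events

def blocked_pids(events: list) -> list:
    """Replay events through a fresh blocker and return the pids it blocked."""
    blocker = AncestryBlocker()
    for kind, *args in events:
        (blocker.on_start if kind == "start" else blocker.on_write)(*args)
    return blocker.blocked
```

Only pid 30 is blocked: the archiver is the same trusted binary in both runs, and the verdict differs purely because of its parent.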
 
