New powerful malware obfuscation technique
MacDefender said:

Yeah, these classes of techniques (including things like opening a VNC or RDP session to oneself, or using virtualization software on the device to present a keyboard/mouse to the host that mimics user actions) are really hard for antimalware to detect, because they all tend to have an anti-false-positive measure that attempts to allow either the user or trusted applications to do the dirty deed.

In terms of exploiting the target machine, one attack I've previously demonstrated here is that you can add malware to Python libraries for legitimate apps that use Python, like machine learning / AI Python IDEs, and a very small subset of antimalware software was able to detect those apps directly going after My Documents "through the front door", so to speak, but stacked with better techniques for encrypting user data, it can be really hard to detect.

FWIW, one thing I learned months after my POC attacks is that even though initially they were undetected on VT, after a few months about half of the engines detected some aspect of my attack. Trying to defeat all of them was really hard without going back to the drawing board and fundamentally designing a new attack. It's yet another cat and mouse game -- what gets demonstrated today as a viable technique, if it actually takes off, quickly results in a myriad of detection methods by different AV vendors, and in my experience as soon as any vendor's AV engine automatically detects the threat, most other vendors are quick to follow suit.

Note that some OSes do try to provide hardened protection against pretending to be the user. For example, on macOS there is an "accessibility" permission required to inject keyboard/mouse events to apps. The permissions dialogs that pop up on macOS for things like accessing your Documents folder cannot be easily clicked over VNC using automation. On Windows, UAC dialogs have modest protection by default against manufactured clicks. I really think these need to be a lot better, but it's certainly a start.
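One defensive check against the "malware added to a legitimate Python library" scenario the post describes is to re-hash an installed package's files against the RECORD manifest pip writes into its .dist-info directory. The following is an added example, not code from the poster or from pip; the `demo_pkg` package, its files and the appended "tamper marker" line are constructed sample data.

```python
# Added example (not from the forum post). pip's RECORD file lists every installed
# file as "path,sha256=<urlsafe base64, no padding>,size"; re-hashing the files on
# disk and diffing against RECORD flags modules altered after installation.
import base64
import csv
import hashlib
import tempfile
from pathlib import Path


def record_digest(path):
    """pip-style 'sha256=<urlsafe b64, no padding>' digest of a file."""
    raw = hashlib.sha256(Path(path).read_bytes()).digest()
    return "sha256=" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_record(site_packages, dist_info):
    """Map each RECORD entry to 'ok', 'modified', 'missing' or 'unhashed'."""
    site = Path(site_packages)
    results = {}
    with open(site / dist_info / "RECORD", newline="") as f:
        for rel_path, digest, _size in csv.reader(f):
            full = site / rel_path
            if not digest:                  # pip leaves RECORD and .pyc unhashed
                results[rel_path] = "unhashed"
            elif not full.is_file():
                results[rel_path] = "missing"
            else:
                results[rel_path] = "ok" if record_digest(full) == digest else "modified"
    return results


def demo():
    """Constructed sample install, then one module is altered post-install."""
    site = Path(tempfile.mkdtemp())
    info = "demo_pkg-1.0.dist-info"
    (site / "demo_pkg").mkdir()
    (site / info).mkdir()
    files = {"demo_pkg/__init__.py": b"VERSION = '1.0'\n",
             "demo_pkg/core.py": b"def run():\n    return 42\n"}
    rows = [[info + "/RECORD", "", ""]]          # pip lists RECORD itself unhashed
    for rel, data in files.items():
        (site / rel).write_bytes(data)
        rows.append([rel, record_digest(site / rel), len(data)])
    with open(site / info / "RECORD", "w", newline="") as f:
        csv.writer(f).writerows(rows)
    with open(site / "demo_pkg" / "core.py", "ab") as f:   # simulate post-install tampering
        f.write(b"import os  # constructed tamper marker\n")
    return verify_record(site, info)
```

Run against a real environment, `verify_record(site_packages_dir, "<name>-<version>.dist-info")` reports any library file whose contents no longer match what pip installed; a clean RECORD does not rule out a package that was malicious at install time.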