- Feb 4, 2016
- 2,520
New RIPlace Bypass Evades Windows 10, AV Ransomware Protection
- Thread starter LASER_oneXM
- Start date
- Mar 16, 2019
- 3,862
New Ransomware POC example coming right up for MacDefender test #2 
This is a great idea. I was going to try self file sharing and other evasion techniques...
This is a great idea. I was going to try self file sharing and other evasion techniques...
WOW I can't believe that works....
Windows Defender and CFA don't recognize this at all! You can see from that screen shot above that I mapped a drive "Q" aliased into a subdirectory of My Documents. It's amazing Windows allows unprivileged programs to do this.
Just a quick test:
F-Secure: BLOCKED (W32/CryptoRansomwareBehavor.B!DeepGuard) (.B is different from my naive ransomware)
Emsisoft: BLOCKED (Cryptoransomware behavior)
KIS: Sorta blocked. KSW thought it was malicious but that was after all the files have been encrypted. Did not offer a rollback (!!)
SEP and Symantec: No reaction
ESET: No reaction
As an aside: The first attempt to do this, F-Secure on my host actually blocked the compiled binary with a HEUR/APC detection from the cloud. I was able to make some subtle modifications to bypass that
Windows Defender and CFA don't recognize this at all! You can see from that screen shot above that I mapped a drive "Q" aliased into a subdirectory of My Documents. It's amazing Windows allows unprivileged programs to do this.
Just a quick test:
F-Secure: BLOCKED (W32/CryptoRansomwareBehavor.B!DeepGuard) (.B is different from my naive ransomware)
Emsisoft: BLOCKED (Cryptoransomware behavior)
KIS: Sorta blocked. KSW thought it was malicious but that was after all the files have been encrypted. Did not offer a rollback (!!)
SEP and Symantec: No reaction
ESET: No reaction
As an aside: The first attempt to do this, F-Secure on my host actually blocked the compiled binary with a HEUR/APC detection from the cloud. I was able to make some subtle modifications to bypass that
- Mar 29, 2018
- 7,613
"The technique described is not a security vulnerability and does not satisfy our Security Servicing Criteria. Controlled folder access is a defense-in-depth feature and the reported technique requires elevated permissions on the target machine." (my italics)
So this vulnerability is still user-dependent and requires social engineering to gain elevated permission (I assume) like so many threats these days.
So this vulnerability is still user-dependent and requires social engineering to gain elevated permission (I assume) like so many threats these days.
"The technique described is not a security vulnerability and does not satisfy our Security Servicing Criteria. Controlled folder access is a defense-in-depth feature and the reported technique requires elevated permissions on the target machine." (my italics)
So this vulnerability is still user-dependent and requires social engineering to gain elevated permission (I assume) like so many threats these days.
I’m kind of confused by that actually — I had also assumed this would require UAC elevation but it did not on any of my test VMs. Unless I misunderstood and came up with yet another ransomware zero day!
EDIT: the video also does not show a UAC prompt. I feel that part of the analysis is in error. I agree that features like CFA are defense in depth but having them be defeatable simply means malware will shift to these techniques.
Even hypothetical UAC requirements aren’t super reassuring. Basically every installer requests UAC elevation.... even Rufus for creating USB sticks asks for it and surely we’ve all used that here!
Last edited:
- Dec 23, 2014
- 8,510
The POC cannot do anything on my Windows 10 Pro 64-bit ver. 1903 (updated 13.11.2019).
I tested it with native Windows security (default settings and no additional security - Controlled Folder Access not enabled).
Did anyone test this POC recently?
Attachments
Last edited:
did you set SONAR to intense/aggresive ??WOW I can't believe that works....
View attachment 230116
Windows Defender and CFA don't recognize this at all! You can see from that screen shot above that I mapped a drive "Q" aliased into a subdirectory of My Documents. It's amazing Windows allows unprivileged programs to do this.
Just a quick test:
F-Secure: BLOCKED (W32/CryptoRansomwareBehavor.B!DeepGuard) (.B is different from my naive ransomware)
Emsisoft: BLOCKED (Cryptoransomware behavior)
KIS: Sorta blocked. KSW thought it was malicious but that was after all the files have been encrypted. Did not offer a rollback (!!)
SEP and Symantec: No reaction
ESET: No reaction
As an aside: The first attempt to do this, F-Secure on my host actually blocked the compiled binary with a HEUR/APC detection from the cloud. I was able to make some subtle modifications to bypass that
Runs successfully on Windows Insider Fast ring. Does not run on a non beta Windows build. I suspect Microsoft patched something recently
Their exploit very explicitly uses "MoveFileExA" with a mapped UNC (like \\.\Something) and certain versions of Windows will not allow renaming files where either the source or destination is a UNC URI.
My modified exploit uses the same API but instead of an UNC path it simply maps a drive letter into My Documents, Q in this case. This is sufficient to bypass some forms of antiransomware, which has my jaw dropped. I'll double check against CFA on both regular and beta Windows builds. It never fails to rename for me -- drive letters seem accepted but theoretically any non stupid anti-malware should be able to map Q: back to the original My Documents location.
As an aside, DeepGuard static heuristics refuse to allow their POC to run at all, W32/Malware. I disabled F-Secure to try their POC on this machine.
EDIT: Forgot about the SONAR question. Yes, in my testing, SONAR and static heuristics were set to their maximum settings. Quite honestly Norton is not good at (zero day) ransomware protection -- it does not mind unknown executables tampering with My Documents contents, but it is highly sensitive to behaviors like phoning home, registering for startup, containing code that looks for antivirus process names, etc. I kind of sympathize with their approach because protecting My Documents from modifications tends to result in false positives without careful whitelists -- Steam and Blizzard games often receive daily updates and those games love to mess with My Documents subdirectories
EDIT 2: Clarified my critique of Norton above applies specifically to true unknown ransomware. For variants of existing malware, I found that their heuristic detection "AdvML.C" frequently trips on things they don't yet have signatures for.
Last edited:
- Dec 23, 2014
- 8,510
If your POC works with standard rights then you should send it to Microsoft (they pay for such exploits).
I tested more this morning and here's a rough summary of my findings. It's kind of surprising actually ....
"RIPlace using a non drive letter": this configuration, if successful, defeats CFA as well as any antiransomware protection that relies on protecting specific folders. It basically causes the "is this file inside this folder?" check to fail, and it also causes the API to move the file (MoveFileExA) to report it failed but it actually succeeds. This seems like a Windows bug to me -- MoveFileExA is being inconsistent in its behavior by allowing a path spec that almost no other Windows API thinks is valid. You can't even use Windows Explorer to look at the \\.\RIPlace\ location. With that said, some builds of Windows 10 are not susceptible: MoveFileExA doesn't cause the file to become renamed.
"RIPlace using a drive letter": this technique works on every build of Windows I've tried. Basically you can use the CreateDOSDevice API to map a drive letter on to any path. It is the same underlying API that is used by the SUBST command in DOS. This defeats CFA's ability to protect subfolders. For example if you have a "My Documents\test\" directory, CFA should protect the "test" directory if you protect My Documents. However, if you map the test directory as a DOS drive letter, CFA won't protect accesses through the DOS drive unless you add the test subdirectory explicitly to CFA protected folders. IMO this is not very exploitable because CFA does not allow you to read protected folders at all so an attacker has to know that the folder exists by that name.
F-Secure and Emsisoft both did really well in these tests and blocked all forms of this attack that I found. They do so by having ransomware protection not care about what directories are protected. Unknown reputation processes that open any file and then later delete it are considered ransomware behavior.
Using this DOS device technique with a drive letter eventually got Symantec Endpoint Protection 14.2 to trigger for the first time. SONAR flagged my binary as suspicious with high confidence but it failed to block it! Every time it encrypted a file, the program paused for about 5 seconds, and SEP event logs say that it quarantined the offending binary (which was true) but it did not kill the binary from running. It also deleted the ".encrypted" ransom file but did not block the binary from deleting the original so you end up losing both the document and the encrypted version of it (!!!). Note that if I don't use a DOS device and directly start encrypting My Documents, SEP never reacts. Consumer Norton 360 does not react to either attack vector. I found this super interesting, seems like SONAR is tuned differently on their consumer vs business products. On SEP I put Sonar to the maximum settings.
One thing cool about SONAR is that as soon as the binary got flagged as malicious, SONAR stopped allowing me to execute it again to retest. I had to recompile the binary to change the hash. No other cloud service reacted so quickly to one endpoint flagging a test binary.
Overall this is kind of neat but I don't think this is a doomsday exploit. Most AVs seem to understand that DefineDOSDevice is a suspicious API call and it is really hard to mask the fact that you're calling that. There are many ways for ransomware to cleverly gain read and write access to user documents and this is just yet another of those techniques.
My observations still stand that Emsi and F-Secure lead the industry on ransomware protection through behavior blocking.
"RIPlace using a non drive letter": this configuration, if successful, defeats CFA as well as any antiransomware protection that relies on protecting specific folders. It basically causes the "is this file inside this folder?" check to fail, and it also causes the API to move the file (MoveFileExA) to report it failed but it actually succeeds. This seems like a Windows bug to me -- MoveFileExA is being inconsistent in its behavior by allowing a path spec that almost no other Windows API thinks is valid. You can't even use Windows Explorer to look at the \\.\RIPlace\ location. With that said, some builds of Windows 10 are not susceptible: MoveFileExA doesn't cause the file to become renamed.
"RIPlace using a drive letter": this technique works on every build of Windows I've tried. Basically you can use the CreateDOSDevice API to map a drive letter on to any path. It is the same underlying API that is used by the SUBST command in DOS. This defeats CFA's ability to protect subfolders. For example if you have a "My Documents\test\" directory, CFA should protect the "test" directory if you protect My Documents. However, if you map the test directory as a DOS drive letter, CFA won't protect accesses through the DOS drive unless you add the test subdirectory explicitly to CFA protected folders. IMO this is not very exploitable because CFA does not allow you to read protected folders at all so an attacker has to know that the folder exists by that name.
F-Secure and Emsisoft both did really well in these tests and blocked all forms of this attack that I found. They do so by having ransomware protection not care about what directories are protected. Unknown reputation processes that open any file and then later delete it are considered ransomware behavior.
Using this DOS device technique with a drive letter eventually got Symantec Endpoint Protection 14.2 to trigger for the first time. SONAR flagged my binary as suspicious with high confidence but it failed to block it! Every time it encrypted a file, the program paused for about 5 seconds, and SEP event logs say that it quarantined the offending binary (which was true) but it did not kill the binary from running. It also deleted the ".encrypted" ransom file but did not block the binary from deleting the original so you end up losing both the document and the encrypted version of it (!!!). Note that if I don't use a DOS device and directly start encrypting My Documents, SEP never reacts. Consumer Norton 360 does not react to either attack vector. I found this super interesting, seems like SONAR is tuned differently on their consumer vs business products. On SEP I put Sonar to the maximum settings.
One thing cool about SONAR is that as soon as the binary got flagged as malicious, SONAR stopped allowing me to execute it again to retest. I had to recompile the binary to change the hash. No other cloud service reacted so quickly to one endpoint flagging a test binary.
Overall this is kind of neat but I don't think this is a doomsday exploit. Most AVs seem to understand that DefineDOSDevice is a suspicious API call and it is really hard to mask the fact that you're calling that. There are many ways for ransomware to cleverly gain read and write access to user documents and this is just yet another of those techniques.
My observations still stand that Emsi and F-Secure lead the industry on ransomware protection through behavior blocking.
It would be interesting to see how Cruel Comodo Firewall handles this situation.
- Apr 19, 2017
- 249
@Mjolnir RIPlace demo tool can't do anything.
Attachments
It sounds like you have a Windows config that doesn't respect this form of MoveFileEx.
Honestly the actual demo is a bit of a letdown.... The technique is sorta interesting but it was over the top to turn it into a tirade directed at almost everyone in the industry except for two vendors that supposedly got back to him.
I was doing some research and it turns out this is not original. A lot of malware use DefineDosDevice in interesting ways to evade AV software.
What level of UAC did you used? default...?
Default. I don't think this API has a different behavior though since SUBST is often used in batch scripts and are a legacy DOS function.
- Mar 16, 2019
- 3,862
@MacDefender G-Data is known to have a good behavior blocker with two modules, BEAST and DeepRay. Consider testing it as well.
I'll add it to my tests when I get a chance! There's just so many security suites to try!
UAC as default is like no UAC, it's useless.
UAC must be at max to afford some decent protection.
Tried putting UAC at max, for RIPlacer it doesn't seem to have an impact on the exploit succeeding. However, whether or not you elevate the process does seem to change some details about how the exploit works: Virtual Disk Drivers, UAC and NT
Namely, if you request elevation before the operation, then the DOS device gets defined global to the system and not local to the user. But this isn't an auto-elevating API, you have to ask for elevation beforehands.
Similar threads
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
