MacDefender

Btw, which RIPlace sample did you use for testing Emsisoft? I see no alert from Emsisoft and also Solarquest tested here: https://malwaretips.com/threads/riplace-ransomware.96561/post-846042
This is the one that was tested: VirusTotal
I used one I made myself using the technique described in the writeup combined with my core "fake ransomware" that lists a "test" subdirectory of My Documents and then tries to encrypt files one by one.

Emsi doesn't place additional scrutiny on particular protected directories like CFA or BD/F-Secure style special protected folders, so I suspect that the act of listing and then encrypting files one by one is considered more suspicious than trying to take a specific user-specified path and performing an action on that file.

But the underlying technique on vulnerable versions of Windows is brilliant -- an "is this file contained within this folder" API call will return "no" for those funky RIPlace paths... so if you place a ton of weight on "is this file in My Documents?" the RIPlace technique greatly reduces your behavior blocker's efficacy. OTOH if you're looking for mass listing then modifying of files in all directories you won't be affected, though at great risk of false positives.
 

SeriousHoax

I used one I made myself using the technique described in the writeup combined with my core "fake ransomware" that lists a "test" subdirectory of My Documents and then tries to encrypt files one by one.

Emsi doesn't place additional scrutiny on particular protected directories like CFA or BD/F-Secure style special protected folders, so I suspect that the act of listing and then encrypting files one by one is considered more suspicious than trying to take a specific user-specified path and performing an action on that file.

But the underlying technique on vulnerable versions of Windows is brilliant -- an "is this file contained within this folder" API call will return "no" for those funky RIPlace paths... so if you place a ton of weight on "is this file in My Documents?" the RIPlace technique greatly reduces your behavior blocker's efficacy. OTOH if you're looking for mass listing then modifying of files in all directories you won't be affected, though at great risk of false positives.
Hmm, I see. But I think Emsisoft probably should have a signature for it as a PUP at least, like some other AVs do.
 

MacDefender

Hmm, I see. But I think Emsisoft probably should have a signature for it as a PUP at least, like some other AVs do.
I agree at this point it should be labeled as a "hack tool" or PUP. Especially since the secondary engine is supposed to focus on signatures for PUPs. Having your AV vendor pretend they never heard of RIPlace is not a good look. I'd like to see signatures respond promptly to new trends.
 

MacDefender

Hello, Fabian Wosar,
I was wondering if you have any plan to add it to Emsisoft's signatures? If yes, that would be great, and if not, I would love to know the reason :)
In addition, I'd like to hear the thoughts of an AV developer on how to work around this kind of deficiency. The API that Microsoft recommends vendors use to check file paths doesn't handle these URIs the same way as the MoveFileEx API that actually modifies the files. The official RIPlace POC isn't setting off Emsisoft, though incorporating the technique into a recursive directory encrypter does.
 

MacDefender

@harlan4096's F-Secure SAFE test is very interesting too. I ran into similar issues with some of my home-cooked malware, where DeepGuard would block it before it had any chance to do anything malicious.

DeepGuard doesn't just seem to be a behavior blocker; it also seems to have some memory scanning heuristic detection behaviors. It reacts to malicious instructions in an executable even if you structure it so that the malicious code is buried behind a condition that will never be true.

(Note that it's not bulletproof -- in my case I believe I compiled my binaries under a slightly different optimization level and changed the variant of the DefineDOSDevice API I imported into my C# class, and that combination made DeepGuard allow it to run, but DeepGuard still got upset when it started encrypting files.)
 

MacDefender

Curious if some of these AVs are using a different API to check for whether a file is in a directory than the one Microsoft recommends. Some just plain don't allow ransomware behavior in any directory, regardless of whether it's a user designated special one, and that's a great way to protect against this too.
 

Runs successfully on Windows Insider Fast ring. Does not run on a non-beta Windows build. I suspect Microsoft patched something recently.

Their exploit very explicitly uses "MoveFileExA" with a mapped UNC (like \\.\Something) and certain versions of Windows will not allow renaming files where either the source or destination is a UNC URI.

My modified exploit uses the same API but instead of a UNC path it simply maps a drive letter into My Documents, Q in this case. This is sufficient to bypass some forms of antiransomware, which has my jaw dropping. I'll double check against CFA on both regular and beta Windows builds. It never fails to rename for me -- drive letters seem accepted, but theoretically any non-stupid anti-malware should be able to map Q: back to the original My Documents location.



As an aside, DeepGuard static heuristics refuse to allow their POC to run at all, W32/Malware. I disabled F-Secure to try their POC on this machine.


EDIT: Forgot about the SONAR question. Yes, in my testing, SONAR and static heuristics were set to their maximum settings. Quite honestly, Norton is not good at (zero day) ransomware protection -- it does not mind unknown executables tampering with My Documents contents, but it is highly sensitive to behaviors like phoning home, registering for startup, containing code that looks for antivirus process names, etc. I kind of sympathize with their approach because protecting My Documents from modifications tends to result in false positives without careful whitelists -- Steam and Blizzard games often receive daily updates, and those games love to mess with My Documents subdirectories.

EDIT 2: Clarified my critique of Norton above applies specifically to true unknown ransomware. For variants of existing malware, I found that their heuristic detection "AdvML.C" frequently trips on things they don't yet have signatures for.
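The two points MacDefender makes above, that a behavior blocker which leans on "is this file in My Documents?" is blind to a renamed alias, and that a sane product should be able to map Q: back to the real folder, can be shown side by side. This is an added example written for this thread, not code from the RIPlace POC or from any vendor; the alias table and the Documents path are constructed stand-ins for what a real product would rebuild from QueryDosDevice() on the live machine, and the DOS device name is a made-up placeholder.

```python
import ntpath

# Constructed sample data (not from the thread): the alias table a
# behaviour blocker would rebuild from QueryDosDevice()/mounted volumes.
# Both "Q:" and the DOS device "RIPlaceAlias" point at the Documents folder.
DOS_DEVICE_ALIASES = {
    "Q:": r"C:\Users\alice\Documents",
    "RIPLACEALIAS": r"C:\Users\alice\Documents",   # placeholder name
}
PROTECTED_FOLDERS = [r"C:\Users\alice\Documents"]
_DEVICE_PREFIXES = ("\\\\?\\", "\\\\.\\")   # \\?\ and \\.\ namespaces


def _is_under(path, folder):
    """Case-insensitive 'path is folder or lies beneath it' test."""
    p = ntpath.normcase(ntpath.normpath(path))
    f = ntpath.normcase(ntpath.normpath(folder))
    return p == f or p.startswith(f + "\\")


def naive_is_protected(path, protected=PROTECTED_FOLDERS):
    r"""Weak form: prefix test on the string handed to MoveFileEx.
    An alias such as Q:\test\a.docx never matches, so it is waved through."""
    return any(_is_under(path, f) for f in protected)


def canonicalize(path, aliases=DOS_DEVICE_ALIASES):
    r"""Strip a \\?\ or \\.\ prefix, then map a drive letter or DOS device
    name back onto the directory it was defined on (the Q: -> Documents
    mapping the thread talks about)."""
    p = path.replace("/", "\\")
    for prefix in _DEVICE_PREFIXES:
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    head, _, rest = p.partition("\\")          # "Q:" or "RIPlaceAlias"
    target = aliases.get(head.upper())
    if target is not None:
        p = ntpath.join(target, rest)
    return ntpath.normpath(p)


def canonical_is_protected(path, protected=PROTECTED_FOLDERS,
                           aliases=DOS_DEVICE_ALIASES):
    """Hardened form: decide on the resolved path, never on the alias."""
    return naive_is_protected(canonicalize(path, aliases), protected)
```

The naive check says "not protected" for `Q:\test\a.docx` and `\\.\RIPlaceAlias\test\a.docx`, while the canonical check resolves both to the Documents folder first; the same resolution step is what turns a folder-weighted heuristic back into one that sees the rename for what it is.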
and Eset ?
 

MacDefender

and Eset ?
ESET, in my testing, has offered extremely poor to nonexistent dynamic behavior blocking protection against ransomware. I have not had it trigger protection on behaviors like recursively encrypting all of My Documents.

I understand you can write your own HIPS policies with ESET that can protect specific folders, but out of the box with no configuration, ESET primarily relies on its amazing scanner.
 
ESET, in my testing, has offered extremely poor to nonexistent dynamic behavior blocking protection against ransomware. I have not had it trigger protection on behaviors like recursively encrypting all of My Documents.

I understand you can write your own HIPS policies with ESET that can protect specific folders, but out of the box with no configuration, ESET primarily relies on its amazing scanner.
But you could try the new HIPS module and the new machine-learning engine that was implemented in version 13. ESET detected the malware.
 

MacDefender

But you could try the new HIPS module and the new machine-learning engine that was implemented in version 13. ESET detected the malware.
I was testing version 13. I wrote my own pieces of ransomware using the same technique and when there's no ESET signature, neither the new ML engine nor the HIPS flagged it. I posted on their forums about it and was told by their developers that they are designed to detect variants of existing ransomware, not newly, privately written malware, and that it's not ethical to write your own proof of concept malware to test engines. I'll respectfully disagree with them on the last point.

But yeah, just be aware that while ESET's scanner is really good, their HIPS module does not provide the same kind of dynamic behavior blocking protection you would get from KSW, Emsisoft, F-Secure, SONAR, and so on.
 

SeriousHoax

I was testing version 13. I wrote my own pieces of ransomware using the same technique and when there's no ESET signature, neither the new ML engine nor the HIPS flagged it.
After the release of version 13 I saw many complaints on their forum about ML/Augur detection. I wonder if they toned down their AI a bit after that. I said this before: ESET people are very sensitive about false positives, way too much, and that's the only reason they don't have a proper behavior blocker yet.