frogboy

In memoriam 1961-2018
2016 saw attackers holding data for ransom at an alarming rate; but in conjunction with the rise of ransomware and the continued ubiquity of mass malware, attackers are increasingly utilizing non-malware attacks in an attempt to remain undetected and persistent in organizations’ networks.

According to Carbon Black data, these non-malware attacks are capable of gaining control of computers without downloading any files and are using trusted, native operating system tools (such as PowerShell) and exploiting running applications (such as web browsers and Office applications) to conduct malicious behavior.

In its end-of-year threat report, Carbon Black found that instances of severe non-malware attacks grew throughout 2016. And in any given 90-day period, about one-third of organizations are likely to encounter at least one severe, non-malware attack.

Instances of non-malware attacks leveraging PowerShell and Windows Management Instrumentation (WMI) grew throughout 2016. Such attacks spiked by more than 90% in the second quarter of this year (93.2%) and have stayed at escalated levels since. And, some leading attack campaigns in 2016, including PowerWare and the hack against the Democratic National Committee (DNC) leveraged non-malware attack vectors to carry out nefarious actions.

Meanwhile, the research also found that ransomware, which is on track to be an $850 million business in 2016 according to FBI data, has emerged as the fastest-growing malware across all industries in 2016.

When considering the total amount of ransomware seen this year, manufacturing companies (16% of total ransomware instances), utility/energy companies (15.4% of all ransomware instances) and technology companies (12.6% of all ransomware instances) led the way.

Locky emerged as the go-to ransomware family of 2016, used in one-quarter of all ransomware-based attacks. CryptoWall, CryptXXX, Bitman and Onion (CTB Locker) round out the top five ransomware families seen in 2016.

Full article: Non-Malware Attacks on the Rise, in the Shadow of Ransomware
 

jamescv7

Level 85
Verified
Trusted
Now antivirus companies should formulate much deeper information on script attacks; it seems they focus too much on a common vector which is already obsolete and has a lower bypass rate.

Yes, they knew attacks came from PowerShell, JavaScript, scripts and many more, but they still lack implementation of security.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Thanks. I added all the WMI stuff to the vulnerable processes list in NVT ERP. Hope I don't get inundated by prompts...
Looks like I am checkmated. WmiPrvSE is running on my system, and I got no prompt. Apparently, it starts up before NoVirusThanks does. It seems to be an essential process.

How to protect it? Do I have to become an AppGuard addict?
 

tim one

Level 21
Verified
Trusted
Malware Hunter
The main problem in this context is the analysis of self-modifying code (think of .js code that downloads ransomware).
Programming languages such as PHP and JavaScript are dynamic, so they allow generating, during execution, the code to run. Also, malcoders use metamorphism techniques to circumvent the antivirus by modifying the code of the malware so that it is not recognized by the antivirus itself. In these contexts, it becomes more and more important to analyze the characteristics of malware that modifies itself.

Antivirus programs use behavioral patterns for self-modifying code, which may process the evolution of the code during execution.
Some AV patterns statically extract the evolution graph of the code, and other patterns dynamically extract the graph of the evolution of the code.
These two patterns have advantages and limitations that are typical of dynamic and static analysis. For example, it is possible to have a precise model of the evolution of the code, but this leads to an algorithm for the identification of metamorphic variants that is abstract. To gain certainty, it is then necessary to find appropriate abstractions of the self-modifying behavior.

In my opinion, these patterns for self-modifying code have to find an application in the development of new algorithms for the automatic identification of malicious code. These models can be used to process abstract malware signatures starting from some samples of variants of metamorphic malware, and then use these signatures for the automatic detection of new variants of metamorphic code.
Also, the abstract signature can be extracted from the analysis of a malware sample itself by processing the metamorphic engine.

Developed patterns and algorithms should then be tested on existing malware in order to understand their potential and limits; the experimental data collected are necessary to improve the pattern used for the automatic identification of malware, in order to increase ever more the performance of the antivirus in static and dynamic mode.

This means doing malware research.
 

shmu26

Level 85
Verified
Trusted
Content Creator
> The main problem in this context is the analysis of self-modifying code (think of .js code that downloads ransomware).
> Programming languages such as PHP and JavaScript are dynamic, so they allow generating, during execution, the code to run. Also, malcoders use metamorphism techniques to circumvent the antivirus by modifying the code of the malware so that it is not recognized by the antivirus itself. In these contexts, it becomes more and more important to analyze the characteristics of malware that modifies itself.
>
> Antivirus programs use behavioral patterns for self-modifying code, which may process the evolution of the code during execution.
> Some AV patterns statically extract the evolution graph of the code, and other patterns dynamically extract the graph of the evolution of the code.
> These two patterns have advantages and limitations that are typical of dynamic and static analysis. For example, it is possible to have a precise model of the evolution of the code, but this leads to an algorithm for the identification of metamorphic variants that is abstract. To gain certainty, it is then necessary to find appropriate abstractions of the self-modifying behavior.
>
> In my opinion, these patterns for self-modifying code have to find an application in the development of new algorithms for the automatic identification of malicious code. These models can be used to process abstract malware signatures starting from some samples of variants of metamorphic malware, and then use these signatures for the automatic detection of new variants of metamorphic code.
> Also, the abstract signature can be extracted from the analysis of a malware sample itself by processing the metamorphic engine.
>
> Developed patterns and algorithms should then be tested on existing malware in order to understand their potential and limits; the experimental data collected are necessary to improve the pattern used for the automatic identification of malware, in order to increase ever more the performance of the antivirus in static and dynamic mode.
>
> This means doing malware research.

Sounds tough. Why not just block script interpreters?
 

shmu26

Level 85
Verified
Trusted
Content Creator
> The main problem in this context is the analysis of self-modifying code (think of .js code that downloads ransomware).

If I understand right, WMI is useful to malcoders as a remote access and control tool.
But in order to actually do anything on the endpoint machine, something like PowerShell or wscript must be executed.
Is this correct?
 

shmu26

Level 85
Verified
Trusted
Content Creator
> If I understand right, WMI is useful to malcoders as a remote access and control tool.
> But in order to actually do anything on the endpoint machine, something like PowerShell or wscript must be executed.
> Is this correct?

To answer my own question: there is a process called wmic.exe (found in System32 and in SysWOW64); it is a command-line utility, and it gives command-line control over WMI. It is very easy to monitor or block this process, and in fact this is the WMI process that appears on the Hljbx vulnerable processes list.
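The WMI question in the posts above comes down to what WMI itself is allowed to launch: wmic.exe is only the interactive front end, while a permanent event subscription makes WmiPrvSE.exe run a command line or script text on a trigger with no file dropped. The following PowerShell script is an added example, not code from any poster, from NoVirusThanks or from Carbon Black. It lists every permanent subscription binding, shows the trigger query and the payload of command-line and script consumers, and flags executing consumers that are not on a small allow-list. The allow-list entry (the default SCM Event Log Filter) and the interpreter-name pattern are assumptions to tune locally; the 5861 event log query assumes Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original thread): read-only audit of permanent
# WMI event subscriptions. Run from an elevated prompt so all classes are readable.

$ns = 'root/subscription'

# A binding ties an __EventFilter (the trigger, a WQL query) to an
# __EventConsumer (the action). Get-CimInstance returns the Filter and
# Consumer reference properties as embedded CIM objects.
$bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction Stop

# Windows ships one benign binding by default. Assumption: extend this
# allow-list with whatever your management tooling legitimately registers.
$knownGood = @('SCM Event Log Filter')

# Assumption: names of interpreters a defender wants to see called from WMI.
$interpreterPattern = 'powershell|wscript|cscript|mshta|cmd\.exe|rundll32|-enc'

$report = foreach ($b in $bindings) {
    $consumerClass = $b.Consumer.CimClass.CimClassName

    # Only these two consumer classes execute arbitrary commands or script text;
    # log and SMTP consumers cannot launch anything.
    $payload = switch ($consumerClass) {
        'CommandLineEventConsumer'  { $b.Consumer.CommandLineTemplate }
        'ActiveScriptEventConsumer' { '{0}: {1}' -f $b.Consumer.ScriptingEngine, $b.Consumer.ScriptText }
        default                     { $null }
    }

    [pscustomobject]@{
        FilterName         = $b.Filter.Name
        Trigger            = $b.Filter.Query
        ConsumerClass      = $consumerClass
        Payload            = $payload
        # Executing consumer that nobody on the allow-list registered.
        Unexpected         = ($null -ne $payload) -and ($b.Filter.Name -notin $knownGood)
        # Payload hands control to a script interpreter (the thread's concern).
        LaunchesInterpreter = [bool]($payload -match $interpreterPattern)
    }
}

$report | Format-Table -AutoSize -Wrap

# Second signal: the WMI-Activity log records creation of permanent
# subscriptions (event ID 5861), so a subscription that was added and later
# removed still leaves a trace.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
    -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

On a clean workstation the table shows only the SCM Event Log Filter binding with an NTEventLogEventConsumer and both flags false; any row with Unexpected or LaunchesInterpreter set to true is the thing a process-blocking tool such as ERP cannot see, because the trigger fires inside WmiPrvSE.exe, which the earlier post found it could not block.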