PC Infected by AutoIt script while protecting by WSA complete

Lalith Jayasinghe

Thread author
Jan 7, 2014

I used KIS before and I moved to WSA (I removed KIS from the system and installed WSA Complete) because of its resource lightness, but after a few days, now my two computers got infected.

Known symptoms:
It creates shortcuts when a USB drive is inserted and creates a folder for itself on the drive.
Also I noticed that there is an autoit3.exe process in the task manager. When I looked at its (autoit3.exe) location, I found that it is c:\Google.
I am attaching a few screenshots here.

I bought WSA for 1 year / 5 devices and now I have my doubts about its security.

What is the best thing to do, change my virus guard?

** I scanned those folders and files with WSA but no infection was found.

Janl92l

Nov 7, 2014
I would choose another free product with Webroot. If you already have a license, use it. Webroot is compatible with any other AV out there and you don't feel it is installed. I would suggest you try Avast (custom install), Panda, Qihoo IS, Avira or AVG as a second layer of protection. If you haven't, download Malwarebytes Free and HitmanPro as a second on-demand scanner and let them run a full scan.

cruelsister

Apr 13, 2013
Lalith- AutoIT scripts have been around for quite a while and, as a legitimate scripting language, can be (and have been) used for many useful and noble purposes. Sadly Blackhats have also been aware of the power of the script and for a number of years have incorporated AutoIt into malware.

Although one can make simple things like trojan downloaders, keyloggers, etc. quite easily with the script, recently AutoIT can be found in things like Zeus and some Critoni Phase 3 ransomware. We also found that the POS skimmers that plagued a major retailer's recent breach were generated by an AutoIT script. The scripts can be constructed to do things from the banal (like dropping another script written in vbs to act as a downloader) to the more complex (like Process Hollowing- something legitimate like svchost will be created with an encrypted Portable Executable (PE) attached to it. The legit svchost is temporarily suspended while the PE malware is written into memory; then the legit process is restarted and runs the malware by itself). This malware can do many other things like turn off System Restore, regedit, task manager, as well as appending text to sent emails, FaceBook entries, etc. Other things are possible but I'm sure you get the idea.

The issue with detection of AutoIT malware is that it can be changed so easily that any definition based security solution just can't keep up. A good BlackHat will write the script with much nonsense (verbose) code, so by deleting some of it virtually a new file can be created. This is important in the case of something like a keylogger that must connect to a C&C. As most malware servers will only be online for 12 hours or so, a new version can be easily created for when a new server is needed. The issue here is that most AV products really aren't good at catching malware in the first few hours of creation, and furthermore many products can't (and won't) distinguish between a valid script and a malicious one. Case in point are both of the most popular second opinion scanners, MB and HMP- both are horrid against scripts.

A further complication is that many of the scripts will include (drop) a hidden command line file that will (especially when a malicious vbs daughter is the malware vector) replicate the malware just in case something like Emsisoft Emergency Kit detects and deletes something.

As far as protecting against these guys, obviously a definition based defense will be of little value. Something simple like WinPatrol will alert to an autostart entry being created, and a firewall with Outbound Notification will alert you to something like a downloader or keylogger as it tries to transmit to its C&C. In both cases the user will notice right away that something nasty is occurring. Of course a security application with an auto-sandboxing feature will indeed protect as scripts will be isolated and prevented from doing harm (although many malware of this type have VM aware functionality- they won't run in a VM, but will in a real system. This is included to fool IT professionals).

But the best defense is to throw away your computer. I've found that this is 100% effective against all forms of malware (except things you get by Phone and Post, so stop mail delivery and disconnect the telephone also).

Deleted member 2913

cruelsister,

Can Comodo Internet Security's AutoSandbox protect from this script?
 

Lalith Jayasinghe

Thread author
Jan 7, 2014
I am a Java coder; I know very well that most major OSes have applied tight security against Java execution (which leaves Java less user friendly and leaves us coders with many problems. Still, I think it is good, even though I am a coder).
So I think it is time to build up systems that are more protective against scripts like AutoScript (as they are doing with Java).
 

cruelsister

Apr 13, 2013
YesNoo- Comodo (with the Sandbox on) will isolate by default any script (both fair and foul). This would include any spawned processes, so Process Hollowing will also be contained. In addition, setting the Firewall to either notify on all outbound network connections or automatically block outbound requests by sandboxed processes (which stops most of these cold) is also nice.

Lalith- I just realized that I never mentioned that malware of this type are also called worms and just love to spread via USB, which is your issue. Removal can be a bit difficult as many of the spawn will set themselves up as hidden. And as a Java coder I'm sure you are familiar with adding a bit of verbose code and noping out a bit to create a brand new (and undetectable) file. Also it is easy for you to see the issues that poor AVs have in distinguishing valid code from code that will boink a system.
 

Lalith Jayasinghe

Thread author
Jan 7, 2014
@cruelsister
Let's think: I don't want to use any AutoIt script, and I want to halt all running AutoIt processes on the system and block all future executions of autoit3.exe or any autoit.exe. So basically it will block the execution point, right? Is there any way to do it? I blocked the autoit3.exe file using Webroot manual file blocking but I don't know if it does the trick.
 

kiric96

Jul 10, 2014
I had the same issue less than a month ago; hopefully EAM BB saved me.... By the way, what is the current detection rate at VTotal?
 

cruelsister

Apr 13, 2013
Detection rates are a very bad way of looking at script malware. They change just as fast as their servers change, so an active malicious script frequently has a lifespan of less (much less) than 24 hours. Realistically script malware are undetectable by definition based products until it is pointless that they are.

Lady- Sorry, I didn't see your post until now. Unlike vbs scripts, you really can't change any settings within Windows to halt an AutoIt from running for reasons that would be way over the top to get into here. Best is just to use CF and enable the sandbox.
 

kiric96

Jul 10, 2014
Detection rates are a very bad way of looking at script malware. They change just as fast as their servers change, so an active malicious script frequently has a lifespan of less (much less) than 24 hours. Realistically script malware are undetectable by definition based products until it is pointless that they are.

Lady- Sorry, I didn't see your post until now. Unlike vbs scripts, you really can't change any settings within Windows to halt an AutoIt from running for reasons that would be way over the top to get into here. Best is just to use CF and enable the sandbox.

100% agree. I was talking about generic signatures with one Emsisoft developer... he said that if BB catches the file there is no need to create a generic signature... what do you think?
 

cruelsister

Apr 13, 2013
As long as whatever you are using will inform you that a script is running, all is fine. This could be via a Firewall alert that an unknown process is connecting out or by some sort of BB. I personally would prefer something that will contain all scripts no matter what they are trying to do, namely sandboxing technology, as I've seen first-hand how easy it is to construct a worm on the Enterprise level that will evade HIPS and BBs.

As to Emsisoft- they aren't the best at detecting the auto-replicating functionality of some worms. By this I mean that even though detection may occur stopping either the parent or daughter, right after the initial deletion a hidden resurrection command is initiated and the worm is back.

cruelsister

Apr 13, 2013
It works sort of like this- The parent script when run will spawn a daughter somewhere or other (normally in Roaming) that will be the malware vector. In addition a command script will also be spawned (normally a hidden system file); this file does nothing except poll the system for the existence of the malware vector. If it is present, the command script is quiescent; if the original spawned daughter is detected and deleted by whatever means, the command script replicates and replaces it (normally at system start post deletion). So unless you are doing a full system scan every time you start up your computer the infection will persist.

Not all worms have this functionality, but many do. That’s why I prefer sandboxing technology over other methods- I could care less if another worm is resurrected virtually as everything will be flushed anyway.
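A host triage script for the indicators this thread describes: the autoit3.exe process running from an odd path (c:\Google in the original post), the shortcuts and folder dropped on the USB drive, and the daughter plus hidden watchdog file under Roaming that the post above explains. This is an added example, not code from the thread or from any product named in it; it assumes an elevated PowerShell 5 or later session, and $UsbDrive (a placeholder) is the letter of the inserted removable drive.

```powershell
# Added triage example (not from the thread). Run elevated; $UsbDrive is assumed.
param([string]$UsbDrive = 'E:')

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Running AutoIt interpreters and where they were launched from.
#    A legitimate install lives under Program Files; c:\Google does not.
Get-Process -Name 'autoit3*' -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $_.Path
    if ($p -and $p -notmatch '^[A-Z]:\\Program Files( \(x86\))?\\') {
        $findings.Add("Process $($_.Id) autoit3.exe running from unexpected path: $p")
    }
}

# 2. Autostart entries (Run/RunOnce keys) that reference AutoIt or a file under
#    AppData\Roaming, where the spawned daughter is normally placed.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $val = [string]$props.$name
        if ($val -match 'autoit|\\AppData\\Roaming\\') {
            $findings.Add("Autostart ${k}\${name} -> $val")
        }
    }
}

# 3. Hidden files directly under Roaming: the watchdog "command script" that
#    re-drops the daughter is normally a hidden system file sitting there.
Get-ChildItem -Path $env:APPDATA -File -Force -Hidden -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Hidden file in Roaming: $($_.FullName)") }

# 4. Shortcuts and hidden folders on the USB drive: resolve each .lnk so you can
#    see what it actually launches instead of trusting its icon and name.
if (Test-Path $UsbDrive) {
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $UsbDrive -Filter '*.lnk' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $findings.Add("USB shortcut $($_.Name) -> $($lnk.TargetPath) $($lnk.Arguments)")
        }
    Get-ChildItem -Path $UsbDrive -Directory -Force -Hidden -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Hidden folder on USB: $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No AutoIt-related indicators found.' } else { $findings }
```

The script only reports; a hit in section 1 or 4 is the cue to take the drive offline and image or scan it before deleting anything, since (as the post above notes) deleting the daughter alone lets the watchdog restore it.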
 

kiric96

Jul 10, 2014
It works sort of like this- The parent script when run will spawn a daughter somewhere or other (normally in Roaming) that will be the malware vector. In addition a command script will also be spawned (normally a hidden system file); this file does nothing except poll the system for the existence of the malware vector. If it is present, the command script is quiescent; if the original spawned daughter is detected and deleted by whatever means the command script replicates and replaces it (normally at system start post deletion). So unless you are doing a full system scan everytime you start up your computer the infection will persist.

Not all worms have this functionality, but many do. That’s why I prefer sandboxing technology over other methods- I could care less if another worm is resurrected virtually as everything will be flushed anyway.
And can that resurrecting script be detected on the fly or not?
 

cruelsister

Apr 13, 2013
It's rarely detected directly as it is not malicious in and of itself. The best way to stop it is by preventing its spawning either by means of direct detection of the parent via definitions or having the parent contained in a sandbox.
