true ! the first defense against malwares is user's behavior
"pyrate", Behavior Blocker Bypass POC #3
- Thread starter MacDefender
- Start date
true ! the first defense against malwares is user's behavior
- Jun 24, 2016
- 2,485
Hi @MacDefender, great thread.
Would you give me permission to share this on ESET's forums, see what they say and hopefully get an idea how to avoid similar (but real) scenarios? Of course I will give you credit for everything and link to this thread.
Would you give me permission to share this on ESET's forums, see what they say and hopefully get an idea how to avoid similar (but real) scenarios? Of course I will give you credit for everything and link to this thread.
- Mar 16, 2019
- 3,862
All they're gonna do is, this is not a real threat so we don't detect such threats, bla bla bla. I'm used to their excuses.
- Apr 1, 2019
- 2,868
(Edited to remove joke suggesting malicious behavior.) But, it would be nice to get their real take on a POC now and again.
Last edited:
- Mar 16, 2019
- 3,862
I agree. But it has been like this always. They don't have a traditional behavior blocker so when someone share something like this they always tend to say similar things. This is what frustrates me. ESET is my preferred AV because of its lightness and having the best signature on the market but they fall short on the behavioral detection area and I'm yet to see any attempt from them to improve in this area.Maybe he should send them a ‘fun’ e-mail.
Kidding of course, I do not endorse any such behavior. But it would be nice to get their real take on a POC now and again.
naively on your part, 99% of these activators are malicious, modify the registry, change the firewall, create services that connect, who knows where,
- Aug 21, 2018
- 505
Hello,
I used 10 random files (500 kb - 1mb in size).
Here's my quick test results:
GDATA AV:
Start.bat (files encrypted)
pyrate.exe (files encrypted)
idle.exe (files encrypted)
Sophos Home Premium:
Start.bat (4/10 files encrypted, then intercepted by Cryptoguard)
pyrate.exe (4/10 files encrypted, then intercepted by Cryptoguard)
idle.exe (4/10 files encrypted, then intercepted by Cryptoguard)
Mcafee IS:
Start.bat (files encrypted)
pyrate.exe (files encrypted)
idle.exe (files encrypted)
Kindest regards,
-sepik
I used 10 random files (500 kb - 1mb in size).
Here's my quick test results:
GDATA AV:
Start.bat (files encrypted)
pyrate.exe (files encrypted)
idle.exe (files encrypted)
Sophos Home Premium:
Start.bat (4/10 files encrypted, then intercepted by Cryptoguard)
pyrate.exe (4/10 files encrypted, then intercepted by Cryptoguard)
idle.exe (4/10 files encrypted, then intercepted by Cryptoguard)
Mcafee IS:
Start.bat (files encrypted)
pyrate.exe (files encrypted)
idle.exe (files encrypted)
Kindest regards,
-sepik
Thank you! You have my permission @Robbie and I would like them to know that I'm a paying ESET customer and think highly of their product, but at the same time, they basically have zero behavioral blocker style detections that have ever triggered in my tests or in any of the testing I've seen on MalwareHub ("dynamic" mostly means the network AV scanner caught something being downloaded via signatures, or a visit to a malicious URL)
I think we all know what they will say, but nonetheless, we should give them a chance to state their position.
Yup that was a younger and dumber me!
I've made a number of posts here about it, but since then, my "specialty" has been analyzing greyware on P2P/Usenet. It is absolutely fascinating how it's a landmine of both "legitimate" pirated products and very very sneakily backdoored stuff.
I have a special Windows Server installer that I keep. It is almost legit but literally the backdoor is in the post-reboot environment where your AV would not be active, and they don't unpack it until then. Sneaky sneaky, would evade most AVs unless they were smart enough to fully scan a DVD-ROM.
- May 10, 2019
- 2,289
Does anyone have an idea of disabling autopilot in G Data's BEAST would help protect from this sample?
- Jun 24, 2016
- 2,485
ESET's Marcos states the following:
After I read @MacDefender's aproval I sent him the download link over DM.
You can follow the thread on ESET's forums here: "pyrate", Behavior Blocker Bypass POC
After I read @MacDefender's aproval I sent him the download link over DM.
You can follow the thread on ESET's forums here: "pyrate", Behavior Blocker Bypass POC
- Mar 28, 2019
- 569
@MacDefender you sure this is not Application Control? As I remember App Control has a setting that can opt to monitor the execution chain, default checked.
Edit:
Left: Do not inherit restrictions from the main process (application);
Right: Execution chain.
Last edited:
I am familiar with that setting but I do not believe it’s Application Control, as ultimately it was a PDM/Win32.Trojan.Gen detection which is typically KSW, and it flagged my source .exe as malicious and not Python. Unless Application Control trust groups somehow feed into KSW sensitivity?
I am curious what they will end up saying. As much as I am an ESET fan, I think they like to say “it’s not real malware” as a convenient excuse.
But if they add a static detection I am 99% confident that I could change my malicious script to avoid it — I was able to do that with my previous binary exploit and that is arguably harder:TrojanZipperPOC and ESET signatures Case Study
- Mar 28, 2019
- 569
I did this a lot too, recently when downloading a program to recover data from HDD. That's one of the most reason I trust on a suite with good behavior blocker.
Any chance to get this sample for HUB testing?
- Sep 5, 2017
- 1,173
Thanks for your amazing efforts and analysis
some antivirus has boot scanner which scan OS files during boot may one of then will be caught ??
Yeah perhaps it would be caught, or enabling of Secure Boot would lead to the malware not executing. But the first reboot after running Windows Setup is into the WinPE installation environment. In there, no antivirus (Windows Defender or otherwise) is allowed to run. Maybe that environment refuses to run files not signed by Microsoft, but I don't think so (third party driver installers can be bundled into there). Either way, it's very risky and sneaky that the payload deployment was intentionally made to happen during a phase of Windows setup where AV isn't running.
It's just funny because I have always thought that scanning an external disk before execution is a waste of time since the realtime scanner is going to get around to it anyway. I guess this is one exception to that!
BTW regarding:
Theoretically the "IDLE" exploit can be packaged as a ZIP file and that does not trigger smartscreen. Running IDLE.exe also does not trigger the default SmartScreen because IDLE is a digitally signed and safe reputation program.
I only packaged it as a 7z SFX EXE (which makes SmartScreen catch it) because it would be a 35MB zip file vs a 20MB 7z archive, and I didn't want to force all my testers here to get 7zip to unzip the exploit.
Python is actually often distributed as a self contained zip file, so unzipping and executing Python out of a downloaded archive is not necessarily far-fetched.
(but as Andy pointed out before, you can use the H_C config to force a SmartScreen popup to tell you about IDLE.exe regardless of it being signed. But that says nothing about the fact that I tainted a Python library buried deep within the archive....)
Similar threads
