Python Ransomware

[cruelsister]

People always look at horror when malware is signed- but should they? It is often mistaken that just because some software has a valid Digital Signature from a Vendor, that that Vendor is also Trusted. This (fortunately) is rarely the case. As an example:

Some may know that a strain of Python coded ransomware has showed up the past few weeks. The initial samples had a valid certificate from some jive-time company (La Crem LTD). The Blacklists quickly realized that not only was La Crem NOT on a TVL so would be treated like any other unknown file, but having that signature actually made their malware more easily detectable since after the initial detection La Crem was Blacklisted.

The point is this- any new variant with the now invalid certificate would be detected by everyone and their Mommy, whereas killing this certificate would make detection more problematic. And sure enough, a new variant was released (this one would only run the payload on reboot. And the cool thing is, just say you have a Document titled Important.doc; the ransomware will encrypt the original but will also create a file with the identical file name that would just present you with the Ransom Message. pretty Cool, no?).

Fun facts: The new variant is still less than 24 hours old. The initial detection results from VT was this: Antivirus scan for 2a42f2f98bffbdf3f354d162d4f707c33d9bb652cf45a3c8b358535b3c677198 at 2018-09-04 04:03:42 UTC - VirusTotal

Currently it is this (I renamed the file for my Zoo): Antivirus scan for 2a42f2f98bffbdf3f354d162d4f707c33d9bb652cf45a3c8b358535b3c677198 at 2018-09-04 14:01:15 UTC - VirusTotal

And I'm sure in 2 days everyone will detect this guy, and when the Pro AV Testings sites test various products against a few days after that everything will be Rainbows and Unicorns!

 

[AriDfoix]

I thought they had no problems with reverse engineering a Python sample, big names not presents yet? Why?

 

[cruelsister]

Why?

A superb question and a point I've been trying to make for a few years. You have 2 types of security Software- those that have an Enterprise presence (like Symantec, Mcafee) and those that do not. For those that have an Enterprise presence they are reticent to detect unknown Scriptors as malware; mainly this is due to many IP folks that utilize Scripts (macros, vb, python) to automate things like internal updating over the network. This has a downside as many of the major breaches you have heard of (like Target, Home Depot) and many that have been suppressed and you will NEVER hear of were caused by relatively trivial scripts getting by multi-million dollar security solutions (my favorite was when someone from Symantec called the malware that bypassed their product "something that could be coded by a 14 year old").

As to those products that do not have any significant Enterprise presence and still ignore scriptors (as an example seen a video I published on April 13th), I have no idea. I was always hoping that folks would get outraged, but apparently not...

In short, many products cannot distinguish a good Script from a Bad one. This is a pity.

 

[ForgottenSeer 69673]

Yes, this was interesting as to those that detect it early. Makes me wonder how they got the sample so fast.

 

[cruelsister]

It also amazed me that Malwarebytes detected it so soon. Even a blind squirrel finds a nut sometimes...

 

[Sunshine-boy]

CS how do you know about Avast Hardened Mode, Kaspersky system watcher, TrendMicro bb, Symantec Sonar or,..؟VT prove nothing.

 

[Local Host]

CS how do you know about Avast Hardened Mode, Kaspersky system watcher, TrendMicro bb, Symantec Sonar or,..؟VT prove nothing.

This ^
No one relies on signatures for this type of malware early on, this is 2018 not 1999.
Kaspersky SW would probably see the behavior and rollback the changes.

 

[Sunshine-boy]

No one relies on signatures

Also every Av uses cloud so the first is dead but others will be safe.
One for all.

 

[Deleted Member 3a5v73x]

Antivirus scan for c954406d928892e7bf3f52b33fabba69bce1e6f8753ae043337903317fbb67c2 at 2018-09-04 13:28:39 UTC - VirusTotal

 

[cruelsister]

VT prove nothing

As far as if a given Product will be bypassed by by the malware you are 100% correct. Many products have other modules that would protect (like Comodo!). VT results obviously can only determine if the AV component of a product (which in some freebies is all they have) will react.

 

[Andy Ful]

Still no detection from Kaspersky. That does not mean that Kaspersky desktop AV missed the sample.
https://www.virusbulletin.com/uploads/pdf/magazine/2017/VB2017-Abrams.pdf

"MYTH 4: LACK OF DETECTION ON VIRUSTOTAL MEANS THE SCANNER DOESN’T DETECT IT In some cases a vendor withholds displaying detection of a threat. At times it may be advantageous to have detection in the product on your desktop, but not to display detection on virus-scanning services that malware authors may use to determine if their application is being detected. In other cases detection of the threat is irrelevant due to other technologies that prevent infection without naming a threat. "

 

[shmu26]

Still no detection from Kaspersky. That does not mean that Kaspersky desktop AV missed the sample.
https://www.virusbulletin.com/uploads/pdf/magazine/2017/VB2017-Abrams.pdf

"MYTH 4: LACK OF DETECTION ON VIRUSTOTAL MEANS THE SCANNER DOESN’T DETECT IT In some cases a vendor withholds displaying detection of a threat. At times it may be advantageous to have detection in the product on your desktop, but not to display detection on virus-scanning services that malware authors may use to determine if their application is being detected. In other cases detection of the threat is irrelevant due to other technologies that prevent infection without naming a threat. "

That article is really good!

 

[ForgottenSeer 58943]

Still no detection from Kaspersky. That does not mean that Kaspersky desktop AV missed the sample.
https://www.virusbulletin.com/uploads/pdf/magazine/2017/VB2017-Abrams.pdf

"MYTH 4: LACK OF DETECTION ON VIRUSTOTAL MEANS THE SCANNER DOESN’T DETECT IT In some cases a vendor withholds displaying detection of a threat. At times it may be advantageous to have detection in the product on your desktop, but not to display detection on virus-scanning services that malware authors may use to determine if their application is being detected. In other cases detection of the threat is irrelevant due to other technologies that prevent infection without naming a threat. "

This is actually the case more than not but there is another (financial) aspect to all of that. For example you'll find FortiGuard detecting this or that, ,or a bad URL but often not broadcasting that fact on the public scanners. There is a competitive advantage to protecting customers while not informing your competitors of things in that you are basically assisting to degrade your product standing. Cylance for example - on my test system detected that threat immediately, but VT still showed it as undetected as Davidsd pointed out.

PS: Emsisoft isn't very good with script type threats IMO.

 

[Eddie Morra]

VT prove nothing

The engines on VirusTotal aren't necessarily going to be the same ones incorporated into the home/enterprise services offered by the vendors either. The vendors have the right to weaken or strengthen the engines they offer on VirusTotal.

It's mentioned in the VirusTotal FAQ.

VirusTotal antivirus solutions sometimes are not exactly the same as the public commercial versions. Very often, antivirus companies parametrize their engines specifically for VirusTotal (stronger heuristics, cloud interaction, inclusion of beta signatures, etc.). Therefore, sometimes the antivirus solution in VirusTotal will not behave exactly the same as the equivalent public commercial version of the given product.

FAQ - VirusTotal

 

[shmu26]

The engines on VirusTotal aren't necessarily going to be the same ones incorporated into the home/enterprise services offered by the vendors either. The vendors have the right to weaken or strengthen the engines they offer on VirusTotal.

It's mentioned in the VirusTotal FAQ.



FAQ - VirusTotal

That's definitely true, and there is a lot more to the story, as explained in the article that @Andy Ful linked us to:
https://www.virusbulletin.com/uploads/pdf/magazine/2017/VB2017-Abrams.pdf
After you read this article, you will understand why a dog is a fish.

 

[ForgottenSeer 58943]

Also some other things to remember;

Trend Housecall doesn't share signatures with Trend Micro.

Some engines at online scanning places actually use linux command line scanners. Impacting results even further. Some companies 'manipulate' online scanners. (Kaspersky) Either to show better results, or trigger false results with other products.

I know people get all up in arms if their pet product missed something. Then they start looking for something anew and the endless security charade starts again like spring after a long winter. Try not to get too wound up about these matters. The fact is, while this or that blackhat, or magical superstar harlem globe trotter coder could code something to bypass your AV, the capability to deliver it is probably almost zero. That's a handy little thing all of these people leave out from their videos, never showing actual, real world delivery into a system from outside of the WAN factoring all of the technologies, updates, system variables, URL scanners, extensions, safety DNS, ISP filtration, blah blah blah. Much less implanting someone stupid enough behind the keyboard to start script executions. Then they are also assuming the person is using Windows and these days, that's a bad assumption. (Linux, BSD, Debian, macos, android, iOS, Chromeos, etc) Where they'd not even have a chance to implant.

It's mostly security theater IMO.

 

[Andy Ful]

If someone has this sample, it would be good to test it on Malware Hub with Kaspersky, Windows Defender, and Trend Micro. The question is: Does VT use Kaspersky with KSN or WD with 'Block at first sight'?

 

[Nightwalker]

If someone has this sample, it would be good to test it on Malware Hub with Kaspersky, Windows Defender, and Trend Micro. The question is: Does VT use Kaspersky with KSN or WD with 'Block at first sight'?

I see some KSN detections from VT, but I dont think it is on the same level of that actual protection that KSN offers.

Anyway I am almost sure that Kaspersky System Watcher would block this malware ...

 

[silversurfer]

If someone has this sample, it would be good to test it on Malware Hub with Kaspersky, Windows Defender, and Trend Micro. The question is: Does VT use Kaspersky with KSN or WD with 'Block at first sight'?

I can upload the sample to the MH ?
https://www.hybrid-analysis.com/sam...652cf45a3c8b358535b3c677198?environmentId=100

Similar sample (rsa.exe) was included here: https://malwaretips.com/threads/3-09-2018-15.86431/
Antivirus scan for 617f9a67d803f24efcc6028149f4308065694132af7e01d198e211e3ad6831c2 at 2018-09-05 13:18:39 UTC - VirusTotal

 

[ForgottenSeer 69673]

CS how do you know about Avast Hardened Mode, Kaspersky system watcher, TrendMicro bb, Symantec Sonar or,..؟VT prove nothing.

TrendMicro HouseCall detected it and that is just a free online scanner if I remember right.