Python Ransomware

harlan4096

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,905
KTS2020beta:
1536159823528.png
 
  • Like
Reactions: Al-Faqir, stefanos, AtlBo and 7 others
Solarquest

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
My doubt is how different AV handle and differentiate between:
- valid signatures
- Extended Validation certificate
and which use a TVL and "double check" a "valid" certificate with a TVL .

In other words, how does a AV behave when a malware with valid signature is executed? Does it blindly trust the certificate or does it e.g still monitor it/check the TVL?
For Emsisoft:
file digitally signed
 
  • Like
Reactions: silversurfer, simmerskool, AtlBo and 4 others
E

Eddie Morra

Solarquest said:
In other words, how does a AV behave when a malware with valid signature is executed? Does it blindly trust the certificate or does it e.g still monitor it/check the TVL?
Click to expand...
It depends on how the vendor implemented it so there will be bound to be differences between different AV vendors.

Some vendors do have a setting which can be enabled to automatically trust digitally signed software though. I know that Kaspersky and a few other vendors used to have an option for this.

For example, Kasperky's Application Control will trust software which is digitally signed:
If this check box is selected, Application Control classifies digitally signed applications as trusted. Application Control moves these applications to the Trusted group and does not scan their activity.

If this check box is cleared, Application Control does not classify digitally signed applications as trusted, and scans their activities.
Click to expand...

Application Control settings
 
Last edited by a moderator:
  • Like
Reactions: silversurfer, oldschool, harlan4096 and 3 others
Solarquest

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
That's my doubt, how different AV handle it...
Emsi gave some (kind of) information
Kaspersky has this option (that I disable)...does it also have a TVL?

What about the other AV? I think it would be interesting to get o good overview...
 
Last edited:
  • Like
Reactions: silversurfer, oldschool, harlan4096 and 4 others
A

AriDfoix

Level 3
Verified
Sep 2, 2018
125
This one is pretty old, I compiled it at the beginning of the year, source is available here, burningion/10-print-python-pygame

when I submitted to hybrid-analysis I was amazed to find it was identified like something called lazagne, seems a tool for password retrieval, anyway there is a huge difference between 32 bit and 64 bit ransomwares?

https://www.hybrid-analysis.com/sam...b268fbddf0157c7facf4c336125?environmentId=120

For more infos about what this program means, see this: A Universe in One Line of Code with 10 PRINT
 
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
Webroot and Microsoft now detect this ransomware on VT. Kaspersky, Trend Micro, and Cylance still do not. So it may be that for Kaspersky and Cylance, the ransomware detection on VT can be really different from their desktop software, as compared to test results posted on this thread.
 
  • Like
Reactions: shmu26, harlan4096, simmerskool and 2 others
F

ForgottenSeer 69673

Andy Ful said:
Webroot and Microsoft now detect this ransomware on VT. Kaspersky, Trend Micro, and Cylance still do not. So it may be that for Kaspersky and Cylance, the ransomware detection on VT can be really different from their desktop software, as compared to test results posted on this thread.
Click to expand...
Andy where did you find a sample of this Ransomware? I could try it against Cylance but not sure where to get this sample.
 
  • Like
Reactions: oldschool
A

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,714
ticklemefeet said:
Andy where did you find a sample of this Ransomware? I could try it against Cylance but not sure where to get this sample.
Click to expand...
Try the malware hub in the malware sample section. I assume you know how to deal with malware and anyone that do so is responsible for what happens, right?
 
  • Like
Reactions: oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
ticklemefeet said:
Andy where did you find a sample of this Ransomware? I could try it against Cylance but not sure where to get this sample.
Click to expand...
It was checked by @ForgottenSeer 58943 :
Discuss - Python Ransomware
The link to sample can be found if you follow the information included on VT. Unfortunately, MalwareTips members cannot share the malware links, except when they are members of Malware Hub (I am not).
 
  • Like
Reactions: silversurfer, harlan4096, simmerskool and 2 others
F

ForgottenSeer 58943

Andy Ful said:
It was checked by @ForgottenSeer 58943 :
Discuss - Python Ransomware
The link to sample can be found if you follow the information included on VT. Unfortunately, MalwareTips members cannot share the malware links, except when they are members of Malware Hub (I am not).
Click to expand...

Correct. I used my corporate account for Hybrid Analysis and grabbed a copy. Cylance detected it immediately upon unarchiving of it so you are safe with Cylance in respect to this threat. But in all fairness it bypasses A LOT of solutions from what I can see so far.
 
  • Like
Reactions: silversurfer, harlan4096, simmerskool and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
I tested this sample. It uses the legal InnoSetup installer as a wrapper, and drops malicious installation files to the temp folder. There is a lockyfud.exe malware file + some legal DLLs and some Python files. The malware lockyfud.exe is detected by Kaspersky , Cylance, and Trend Micro.
Kaspersky , Cylance, and Trend Micro do not detect the wrapper installer, because it does not do anything malicious. Anyway, they are block unwrapped malware installation.
The lesson - sometimes the AV can protect against the malware, even if it is not detected by that AV version on VT.

Edit
The above situation may follow for some reasons. It can be done intentionally or it can follow from dynamic detection. Anyway, the proper signature detection should include also the wrapped installer.
 
Last edited:
  • Like
Reactions: Al-Faqir, upnorth, silversurfer and 9 others
Vitali Ortzi

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,319
cruelsister said:
A superb question and a point I've been trying to make for a few years. You have 2 types of security Software- those that have an Enterprise presence (like Symantec, Mcafee) and those that do not. For those that have an Enterprise presence they are reticent to detect unknown Scriptors as malware; mainly this is due to many IP folks that utilize Scripts (macros, vb, python) to automate things like internal updating over the network. This has a downside as many of the major breaches you have heard of (like Target, Home Depot) and many that have been suppressed and you will NEVER hear of were caused by relatively trivial scripts getting by multi-million dollar security solutions (my favorite was when someone from Symantec called the malware that bypassed their product "something that could be coded by a 14 year old").

As to those products that do not have any significant Enterprise presence and still ignore scriptors (as an example seen a video I published on April 13th), I have no idea. I was always hoping that folks would get outraged, but apparently not...

In short, many products cannot distinguish a good Script from a Bad one. This is a pity.
Click to expand...
Yeah , it's actually the IT job to harden the system via SRP/application control.
But anyway do the big companies getting hacked by maze and such have a decent IT department ?
Is it pure laziness ?
If so maybe being a small business and using basic pishing knowledge+ default deny like hard configurator / Cruel comodo is enough to stop most of the Cyber attacks that compromised the big Enterprise.
 
Last edited:
  • Like
Reactions: Dhruv2193

Similar threads

enaph
    • Like
    • Applause
Security News RCE Vulnerability in qBittorrent’s SSL Handling Patched After 14 Years
Replies
0
Views
643
Security News
enaph
enaph
Gandalf_The_Grey
    • Like
Malware News Meet Interlock — The new ransomware targeting FreeBSD servers
Replies
0
Views
294
Security News
Gandalf_The_Grey
Gandalf_The_Grey
XylentAntivirus
    • Like
How to provide is file is malware? The importance of Open Source Antiviruses.
Replies
2
Views
507
Malware Analysis
Trident
Trident

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top