Python Ransomware
<blockquote data-quote="cruelsister" data-source="post: 762050" data-attributes="member: 7463"><p>People always look in horror when malware is signed, but should they? It is often mistakenly assumed that just because some software has a valid Digital Signature from a Vendor, that Vendor is also Trusted. This (fortunately) is rarely the case. As an example:</p><p></p><p>Some may know that a strain of Python-coded ransomware has shown up the past few weeks. The initial samples had a valid certificate from some jive-time company (La Crem LTD). The Blacklists quickly realized that not only was La Crem NOT on a TVL, so it would be treated like any other unknown file, but having that signature actually made their malware more easily detectable, since after the initial detection La Crem was Blacklisted.</p><p></p><p>The point is this: any new variant with the now invalid certificate would be detected by everyone and their Mommy, whereas killing this certificate would make detection more problematic. And sure enough, a new variant was released (this one would only run the payload on reboot. And the cool thing is, just say you have a Document titled Important.doc; the ransomware will encrypt the original but will also create a file with the identical file name that would just present you with the Ransom Message. Pretty cool, no?).</p><p></p><p>Fun facts: The new variant is still less than 24 hours old.
The initial detection results from VT were this: <a href="https://www.virustotal.com/en/file/2a42f2f98bffbdf3f354d162d4f707c33d9bb652cf45a3c8b358535b3c677198/analysis/1536033822/" target="_blank">Antivirus scan for 2a42f2f98bffbdf3f354d162d4f707c33d9bb652cf45a3c8b358535b3c677198 at 2018-09-04 04:03:42 UTC - VirusTotal</a></p><p></p><p>Currently it is this (I renamed the file for my Zoo): <a href="https://www.virustotal.com/en/file/2a42f2f98bffbdf3f354d162d4f707c33d9bb652cf45a3c8b358535b3c677198/analysis/1536069675/" target="_blank">Antivirus scan for 2a42f2f98bffbdf3f354d162d4f707c33d9bb652cf45a3c8b358535b3c677198 at 2018-09-04 14:01:15 UTC - VirusTotal</a></p><p></p><p>And I'm sure in 2 days everyone will detect this guy, and when the Pro AV Testing sites test various products against a few days after that, everything will be Rainbows and Unicorns!</p></blockquote>