Malware Analysis Random Musing

davisd

Level 3
Verified
Jan 27, 2019
108
Default-Deny is the answer to fill Windows' swiss cheddar holes. I'd use AppGuard even for a home environment if I were to work from home; AppLocker is too messy and time consuming to set up properly. Focus on productivity and stop worrying about security once it's set. Antivirus software is for the playground: eagerly waiting for the next public test to be published to see who caught the ball this time, and based on the results, switching to the tops in the list. Still, most keep beating a meat over which AV has the better and smarter behaviour blocker implemented.. :cautious:
 
Last edited:

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
549
These points were lost on the crowd.
For those that are running 3rd party AV's along with WF, I am sure they would have taken notice of these points.

Would others running BIS, KIS etc. with their respective builtin FW also need to take notice, unless the same technique can be used to disable those FW as well? Also, these builtin FW can be password protected to prevent them from being turned off, AFAIK.
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
The fact that those AV's did allow what I would call suspicious behavior is indeed very concerning.
As the files discussed are examples of simple LOLBin's (essentially all are the exact same thing with minor coding variations), your concern is well placed as such legitimate commands can be used for nefarious purposes. But how exactly can an Anti-Malware application handle itself when confronted by one of these? Essentially an AM application must try to determine intent instead of what is actually being done. Should all security applications act like McAfee and block all?

Consider a parallel: I often use a knife to chop vegetables (I'm actually a good cook), but I can also decide to use that same knife to stab someone in the chest. Should the Police, then, break into my kitchen and confiscate all my knives as a matter of course?
 

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
549
As the files discussed are examples of simple LOLBin's (essentially all are the exact same thing with minor coding variations), your concern is well placed as such legitimate commands can be used for nefarious purposes. But how exactly can an Anti-Malware application handle itself when confronted by one of these? Essentially an AM application must try to determine intent instead of what is actually being done. Should all security applications act like McAfee and block all?

Consider a parallel: I often use a knife to chop vegetables (I'm actually a good cook), but I can also decide to use that same knife to stab someone in the chest. Should the Police, then, break into my kitchen and confiscate all my knives as a matter of course?
Blocking such scripts or exes from someone who wants to use Windows admin tools for nefarious reasons, and from someone who wants to write his or her own custom code to perform the same action for whatever reason, can probably result in a high rate of false detections by AV companies, which can be detrimental to their products because most users want to be protected and at the same time want their code to run without the AV getting in the way. It's probably a difficult balancing act for many AV companies.

There is also the issue of Windows updates failing because your AV decided it was nefarious since it had never seen netsh.exe being used that way in a previous update.
AV interfering with Windows updates is a thing; not long ago BitDefender blocked a Windows security update because it thought it was a Trojan.

Another question, thanks to @simalinga for reminding me.
won't stop such as a modified (true zero-day) X-data from encrypting the files of the innocent).
How effective are hardware-based firewalls that have a security policy to default-block C2 traffic against ransomware attacks?
 
Last edited:

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
549
This is funny.

@cruelsister was clear in that her primary focus was not on the disabling of Windows Firewall. The reason for her original post was to point out how varied AV detections are for the same file. WF is irrelevant to the discussion. She could have used, for example, a script that disabled a service.
I think I addressed this issue in my post #28 to her; hopefully she will respond soon. (y)
 

cruelsister

Level 43
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,224
original post was to point out how varied AV detections are for the same file
Perfectly said. But such variability does have actual consequences in the protection provided by some products as such seemingly innocuous coding modifications can be done to otherwise detectable malware that will do a great deal more than disable a firewall.
 
Last edited:

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
549
That would depend. Netsh.exe is a legitimate windows file included with Windows to do legitimate things (interacts with the network configuration of a system). Certainly in the case of what so far has been discussed here just disabling Windows Firewall is legitimate in itself. But it may not be something beneficial if misused as it often is by being woven into either a RAT or Info Stealer, where it can also be coded to add or remove Firewall Rules in order to accomplish some nasty aim.

What would be a worry is that other netsh commands (like "wlan show profile") do fun things like steal WIFI credentials. Packet harvesting, and the persistence of malware by the use of a helper dll can also be accomplished with netsh (not that I would know, being Kind and Gentle myself).
"wlan show profile" would show Wi-Fi profiles only; you can legitimately view passwords by adding key=clear, provided you are part of the BUILTIN\Administrators group.
Which comes to the important point @Andy Ful mentioned: "Generally, if the attacker can get high privileges on Windows, then everything is possible"

Not to darken your day, but there really is nothing you can do about it.
You can indeed do something about it: stop using Windows, or switch to a more secure OS like Linux or even macOS.

If more people were aware of just how bad Windows security is, maybe there would not be 1.3 billion W10 devices that can be taken over by malware so easily.
 
Last edited:
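The netsh usage discussed in this post (firewall disabling, firewall rule changes, "wlan show profile ... key=clear", helper DLL persistence, packet capture) is exactly the kind of thing a defender would want to pick out of process-creation telemetry without flagging benign netsh calls. The following Python is an added example written for this thread, not code from any poster or product. It assumes a constructed, simplified log format resembling Sysmon Event ID 1 / Security 4688 records with command-line auditing, plus a hypothetical `elevated=yes|no` field standing in for an elevated-token indicator; the rule names and sample lines are invented here.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real telemetry). Fields imitate what a
# process-creation event with command-line auditing would carry; 'elevated'
# is a hypothetical flag for an elevated (admin) token.
SAMPLE_LOG = r"""
2020-08-02T10:15:00Z host=WS01 user=WS01\alice elevated=no image=C:\Windows\System32\netsh.exe cmdline="netsh interface show interface"
2020-08-02T10:16:10Z host=WS01 user=WS01\alice elevated=yes image=C:\Windows\System32\netsh.exe cmdline="netsh advfirewall set allprofiles state off"
2020-08-02T10:17:30Z host=WS01 user=WS01\alice elevated=yes image=C:\Windows\System32\netsh.exe cmdline="netsh wlan show profile name=HomeNet key=clear"
2020-08-02T10:18:05Z host=WS01 user=WS01\alice elevated=no image=C:\Windows\System32\netsh.exe cmdline="netsh wlan show profile"
2020-08-02T10:19:40Z host=WS01 user=WS01\svc elevated=yes image=C:\Windows\System32\netsh.exe cmdline="netsh add helper C:\Users\Public\helper.dll"
2020-08-02T10:20:00Z host=WS01 user=WS01\alice elevated=yes image=C:\Windows\System32\netsh.exe cmdline="netsh trace start capture=yes tracefile=C:\Users\Public\t.etl"
2020-08-02T10:21:00Z host=WS01 user=WS01\alice elevated=no image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"
"""

# Detection rules: (name, pattern, severity). They target the netsh subcommands
# named in the thread; a plain "wlan show profile" (no key=clear) or an
# "interface show ..." query deliberately matches nothing.
RULES = [
    ("firewall_disabled", re.compile(r"\badvfirewall\s+set\s+\w+\s+state\s+off\b", re.I), "high"),
    ("firewall_rule_change", re.compile(r"\badvfirewall\s+firewall\s+(add|delete|set)\s+rule\b", re.I), "medium"),
    ("wlan_key_dump", re.compile(r"\bwlan\s+show\s+profiles?\b.*\bkey=clear\b", re.I), "high"),
    ("helper_dll_persistence", re.compile(r"\badd\s+helper\b", re.I), "high"),
    ("packet_capture", re.compile(r"\btrace\s+start\b.*\bcapture=yes\b", re.I), "medium"),
]
SEVERITY = {name: sev for name, _, sev in RULES}

# key=value pairs; a quoted value may contain spaces and its own '=' signs
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    timestamp: str
    user: str
    elevated: bool
    rule: str
    severity: str
    cmdline: str


def parse_record(line: str) -> dict:
    """Split one constructed log line into a dict of its fields."""
    timestamp, _, rest = line.partition(" ")
    record = {"timestamp": timestamp}
    for key, value in FIELD_RE.findall(rest):
        record[key] = value.strip('"')
    return record


def classify_netsh(cmdline: str) -> list[str]:
    """Return the names of every rule the command line triggers (empty if benign)."""
    normalized = " ".join(cmdline.split())  # collapse whitespace variations
    return [name for name, pattern, _ in RULES if pattern.search(normalized)]


def scan(log_text: str) -> list[Finding]:
    """Run the rules over every netsh.exe process-creation record."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_record(line)
        if not rec.get("image", "").lower().endswith("netsh.exe"):
            continue
        elevated = rec.get("elevated", "no").lower() == "yes"
        for name in classify_netsh(rec.get("cmdline", "")):
            # These netsh actions need an elevated token (the thread's point about
            # BUILTIN\Administrators), so an unelevated hit is most likely a failed
            # attempt and is downgraded rather than dropped.
            severity = SEVERITY[name] if elevated else "attempt"
            findings.append(Finding(rec["timestamp"], rec.get("user", "?"),
                                    elevated, name, severity, rec["cmdline"]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. for a dashboard or alert digest."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user:<12} {f.severity:<8} {f.rule:<24} {f.cmdline}")
    print(summarize(scan(SAMPLE_LOG)))
```

Two of the seven sample lines are netsh calls that trigger no rule, which is the practical point of the post: the binary itself is legitimate, so detection has to key on the specific subcommand and arguments (and on whether the caller actually had the privileges to succeed), not on netsh.exe appearing at all.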

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
The funny thing about Windows is that one can say contradictory sentences about it and these sentences can be true in some way. For example:
  1. Windows is not especially secure.
  2. Windows is pretty much secure.
There are some arguments that could support point 1.
  • Windows and applications are mostly written in programming languages that are vulnerable to memory corruption. So there are countless possibilities for exploits.
  • The default admin account is vulnerable by design to privilege escalation.
  • Windows was developed for a long time for the convenience of Administrators. That is why it is hard to protect it against the attacks that use Administrators' actions (like was noticed in this thread).
  • Windows is the most popular OS and it is profitable to attack it.
  • Windows uses many legacy features that are vulnerable by design. It is like a ship built from several shipwrecks and by several constructors.
  • The new Windows versions always silently introduce new vulnerabilities.
  • etc.
There are some arguments that could support point 2.
  • Windows 10 is not an easy target when it is well updated. It is similar to a tough boxer who can take many punches without a knockout.
  • Windows is more secure than our life - many daily activities are not as secure (swimming, walking down the stairs, crossing the road, driving a car, smoking cigarettes, using a debit card, using closed doors to prevent theft, etc.).
  • Microsoft and some other vendors actively participate in a Bug Bounty Program (they pay hackers and researchers for finding vulnerabilities). These vulnerabilities are usually closed before using them in the wild (like in the famous WannaCry attacks).
  • There is a lot of security software for Windows that can make it much more secure. The problem is that people do not want to use Windows in a limited way like Linux.
  • One can be much more secure when using above-average security. You do not have to be faster than the angry bear, but only faster than the guy running behind you.
  • Many computer infections are related to social engineering tricks and not to Windows security flaws.
  • Many computer infections follow from wishful thinking, like for example "I know that this file is shady, but I am eager to run it. Computer security will probably save me anyway".
So, many people can probably have a very different view of Windows security (including Windows Firewall, Defender, etc.). It would be hard to be sure who is right and who is wrong about it.:)(y)

Sorry if my post is slightly off-topic.
 
Last edited:

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
549
One might conclude either:

  1. Symantec and McAfee are the better AV's
  2. Symantec and McAfee are overly aggressive
  3. Don't depend on AV alone to secure Windows
I choose 3.

Actually I forgot 4. Don't depend on AV at all.
5. Using a Windows login account that is not part of the Administrators group can greatly improve your security by limiting access to the Windows admin tools that were used in this type of attack.

Imagine if every user on this site had admin rights and could make changes to the critical or vital settings that make the website run smoothly; that would be very bad for security.

Normal users like you and I can't perform admin tasks on this site, hence it is more secure from our daily interaction with it.

*Although, mind you, the point of the test was to point out how varied AV detections are for the same file; in order to achieve this, admin rights were used ;)
 
Last edited:

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
549
Linux is not safer than Windows. It is full of undiscovered vulnerabilities.
This is your opinion, not a fact. There are many points Andy made in regards to the pros and cons of Windows security.

The general consensus among the tech community for years is that Linux has always been considered the more secure OS than Windows.

Being open source, Linux has much less chance of having undiscovered vulnerabilities compared to Windows, which is closed source.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Most Linux vulnerabilities can affect servers and Enterprise networks, especially unpatched or misconfigured ones. See for example:

Linux is much safer (compared to Windows) for Home users.
Also, well configured and hardened Linux is generally safer compared to Windows (this can change in the near future).

A grain of salt:
 
Last edited:

ForgottenSeer 85179

Because of that, I don't agree that Linux is safer than Windows.
Linux lacks a lot of important security features which Windows provides, but to be fair, some need to be enabled first in Windows.

In my opinion, macOS combines the advantages of both Windows and Linux for the best out-of-the-box security.
Windows (especially Enterprise) can be secured to an extremely high level too.
 

The_King

Level 12
Verified
Top Poster
Well-known
Aug 2, 2020
549
It isn't opinion. It is common sense. 99 % of security researchers target Windows because bug bounties pay and it is good to build a reputation within the industry by compromising Windows and the software running on it.

Virtually none of the researchers target Linux for vulnerabilities. And that means that it is full of undiscovered vulnerabilities. That's a known fact about Linux within the industry, and nobody questions it. It's when you come to forums like this one that people start saying incorrect things about Linux.

The only reason Linux is "safer" is that it is not targeted. Throw the full might of attackers against Linux, and literally hundreds of vulnerabilities will fall out of the cradle. Easier than stealing a lollipop from a baby.


So what? That has nothing to do with Linux security and the non-pentested nature of the Linux ecosystem.
Please do some research before making ridiculous statements like this.

Linux basically runs the internet, and the majority of the world's banking systems that deal with trillions, yes that's right trillions, of dollars every day.
If these systems were not secure, why would these billion-dollar companies all run on Linux?

NASA, world governments, your TV all run on Linux.

Android, which is the most used OS in the world, runs on a Linux kernel. You could even say the world runs on Linux and you would not be far off.

That minuscule bug bounty you speak of does not compare to the billions that go into securing Linux across the globe.

As @Andy Ful already stated, this is probably going to make CS want to beat some people up, so here is where I too will exit this thread.
 

Chuck57

Level 12
Verified
Top Poster
Well-known
Oct 22, 2018
591
Actually most of the U.S. Govt runs on Windows machines, including many still using XP. The mainframes and servers are mostly security enhanced Unix or Linux. I can speak for Los Alamos National Laboratory, which now is running Win 10 machines and security enhanced Unix mainframes. I'm not sure how 'enhanced' the 'security' is, since only several years ago some teens from Los Alamos High School broke into the Lab computers - from desktops at the high school. It was, to put it mildly, embarrassing for Los Alamos Lab computer security experts.
 
