Malware analysis Random Musing

davisd

Jan 27, 2019
Default-Deny is the answer to fill Windows' Swiss cheddar holes. I'd use AppGuard even for a home environment if I were to work from home; AppLocker is too messy and time consuming to set up properly. Focus on productivity and stop worrying about security once it's set. Antivirus software is for the playground: eagerly waiting for the next public test to be published to see who caught the ball this time, and based on results, switching to the tops in the list, while most keep beating a meat over which AV has the better and smarter behaviour blocker implemented.. :cautious:
 

simalinga

Feb 28, 2021
Results: when run against various AV applications, it was seen that stuff like Microsoft, Kaspersky and Emsisoft would not find issue with any of the above, while Symantec and McAfee flagged them all.

G-Data found adding an icon to the Invisible FW baseline exe to be fine, as was the Visible form, but will flag as malicious the Invisible form without an icon (Win32.Trojan.PSE.DR6CWW).

Avira didn't have an issue with any except hated the compressed versions, both of which were blocked.

Avast found all fine except the Invisible Icon exe which was blocked.
These points were lost on the crowd.
 

Opc9

Aug 2, 2020
These points were lost on the crowd.
For those that are running 3rd-party AVs along with WF, I am sure they would have taken notice of these points.

Would others running BIS, KIS etc. with their respective built-in FW also need to take notice, unless the same technique can be used to disable those FWs as well? Also, these built-in FWs can be password protected to prevent them from being turned off, afaik.
 

cruelsister

Apr 13, 2013
The fact that those AV's did allow what I would call suspicious behavior is indeed very concerning.
As the files discussed are examples of simple LOLBins (essentially all are the exact same thing with minor coding variations), your concern is well placed, as such legitimate commands can be used for nefarious purposes. But how exactly can an Anti-Malware application handle itself when confronted by one of these? Essentially an AM application must try to determine intent instead of what is actually being done. Should all security applications act like McAfee and block all?

Consider a parallel: I often use a knife to chop vegetables (I'm actually a good cook), but I can also decide to use that same knife to stab someone in the chest. Should the Police, then, break into my kitchen and confiscate all my knives as a matter of course?
 

Opc9

Aug 2, 2020
As the files discussed are examples of simple LOLBins (essentially all are the exact same thing with minor coding variations), your concern is well placed, as such legitimate commands can be used for nefarious purposes. But how exactly can an Anti-Malware application handle itself when confronted by one of these? Essentially an AM application must try to determine intent instead of what is actually being done. Should all security applications act like McAfee and block all?

Consider a parallel: I often use a knife to chop vegetables (I'm actually a good cook), but I can also decide to use that same knife to stab someone in the chest. Should the Police, then, break into my kitchen and confiscate all my knives as a matter of course?
Blocking such scripts or exes from someone who wants to use Windows admin tools for nefarious reasons and from someone who wants to write his or her own custom code to perform the same action for whatever reason can probably result in a high rate of false detections by AV companies. That can be detrimental to their products, because most users want to be protected and at the same time want their code to run without the AV getting in the way. It's probably a difficult balancing act for many AV companies.

There is also the issue of Windows updates failing because your AV decided it was nefarious, since it had never seen netsh.exe being used that way in a previous update.
AV interfering with Windows updates is a thing; not long ago BitDefender blocked a Windows security update because it thought it was a Trojan.

Another question, thanks to @simalinga for reminding me.
won't stop such as a modified (true zero-day) X-data from encrypting the files of the innocent).
How effective are hardware-based firewalls that have a security policy to block C2 traffic by default against ransomware attacks?
 

simalinga

Feb 28, 2021
That point was already made in post #5 of this thread.

According to @Andy Ful
This is funny.

@cruelsister was clear in that her primary focus was not on the disabling of Windows Firewall. The reason for her original post was to point out how varied AV detections are for the same file. WF is irrelevant to the discussion. She could have used, for example, a script that disabled a service.
 

Opc9

Aug 2, 2020
This is funny.

@cruelsister was clear in that her primary focus was not on the disabling of Windows Firewall. The reason for her original post was to point out how varied AV detections are for the same file. WF is irrelevant to the discussion. She could have used, for example, a script that disabled a service.
I think I addressed this issue in my post #28 to her; hopefully she will respond soon. (y)
 

cruelsister

Apr 13, 2013
original post was to point out how varied AV detections are for the same file
Perfectly said. But such variability does have actual consequences for the protection provided by some products, as such seemingly innocuous coding modifications can be made to otherwise detectable malware that will do a great deal more than disable a firewall.
 

Opc9

Aug 2, 2020
That would depend. Netsh.exe is a legitimate Windows file included with Windows to do legitimate things (it interacts with the network configuration of a system). Certainly in the case of what has been discussed here so far, just disabling Windows Firewall is legitimate in itself. But it may not be something beneficial if misused, as it often is by being woven into either a RAT or an Info Stealer, where it can also be coded to add or remove Firewall Rules in order to accomplish some nasty aim.

What would be a worry is that other netsh commands (like "wlan show profile") do fun things like steal WIFI credentials. Packet harvesting, and the persistence of malware by the use of a helper dll can also be accomplished with netsh (not that I would know, being Kind and Gentle myself).
"wlan show profile" would show WIFI profiles only; you can legitimately view passwords by adding key=clear provided you are part of the BUILTIN\Administrators group,
which brings us to the important point @Andy Ful mentioned: "Generally, if the attacker can get high privileges on Windows, then everything is possible".

Not to darken your day, but there really is nothing you can do about it.
You can indeed do something about it: stop using Windows, or switch to a more secure OS like Linux or even MacOS.

If more people were aware of just how bad Windows security is, maybe there would not be 1.3 billion W10 devices that can be taken over by malware so easily.
 
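The exchange above turns on the same netsh invocations showing up in both legitimate admin work and in RAT/stealer payloads (firewall disabled, rules deleted, "wlan show profile ... key=clear", a helper DLL added), and on the fact that AV verdicts for them vary. From the defender's side the practical answer is to log process creation and alert on the specific argument patterns rather than on netsh.exe itself. The following is an added example, not code from the thread or from any of the products discussed: a small detector that scans constructed, Sysmon-style process-creation lines (the `Image=`/`CommandLine=` field layout and every sample line are assumptions) and classifies only the netsh forms named in the thread, leaving ordinary "show" commands alone.

```python
"""Flag netsh command lines that weaken Windows Firewall or expose Wi-Fi secrets.

Added example for this thread; it is not code from the forum or from any AV
vendor. The log format (one event per line with Image=... CommandLine="...")
and the sample lines below are constructed assumptions.
"""
import re

# Constructed sample log, modelled loosely on Sysmon process-creation events.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\netsh.exe CommandLine="netsh advfirewall set allprofiles state off"
Image=C:\\Windows\\System32\\netsh.exe CommandLine="netsh advfirewall show allprofiles"
Image=C:\\Windows\\System32\\netsh.exe CommandLine="netsh firewall set opmode disable"
Image=C:\\Windows\\System32\\netsh.exe CommandLine="netsh advfirewall firewall delete rule name=all"
Image=C:\\Windows\\System32\\netsh.exe CommandLine="netsh wlan show profile name=HomeNet key=clear"
Image=C:\\Windows\\System32\\netsh.exe CommandLine="netsh wlan show profile"
Image=C:\\Windows\\System32\\netsh.exe CommandLine="netsh add helper C:\\Users\\Public\\x.dll"
Image=C:\\Windows\\System32\\netsh.exe CommandLine="netsh interface ip show config"
Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd /c echo hello"
"""

CMDLINE_RE = re.compile(r'CommandLine="([^"]*)"')


def classify_netsh(cmdline):
    """Return a finding label for a suspicious netsh command line, else None.

    Only the argument shapes discussed in the thread are matched; plain
    "show" / query forms deliberately return None to keep false positives down.
    """
    tokens = [t.lower().strip('"') for t in cmdline.split()]
    if not tokens:
        return None
    # netsh may be logged by bare name or full path; compare the basename only.
    exe = tokens[0].rsplit("\\", 1)[-1]
    if exe not in ("netsh", "netsh.exe"):
        return None
    args = tokens[1:]

    # netsh advfirewall set <profile> state off  -> firewall switched off
    if args[:2] == ["advfirewall", "set"] and "state" in args and "off" in args:
        return "firewall_disabled"
    # Legacy XP-era syntax: netsh firewall set opmode disable / mode=disable
    if args[:3] == ["firewall", "set", "opmode"] and any(
        t.endswith("disable") for t in args[3:]
    ):
        return "firewall_disabled_legacy"
    # netsh advfirewall firewall delete rule ...  -> rules removed
    if args[:4] == ["advfirewall", "firewall", "delete", "rule"]:
        return "firewall_rule_deleted"
    # netsh wlan show profile ... key=clear  -> stored Wi-Fi key revealed
    # (plain "wlan show profile" without key=clear only lists names: not flagged)
    if args[:3] == ["wlan", "show", "profile"] and "key=clear" in args:
        return "wifi_key_exposed"
    # netsh add helper <dll>  -> DLL loaded by every future netsh run (persistence)
    if args[:2] == ["add", "helper"]:
        return "helper_dll_added"
    return None


def scan_log(text):
    """Scan log text; return [(line_no, label, command_line), ...] for hits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = CMDLINE_RE.search(line)
        if not match:
            continue
        label = classify_netsh(match.group(1))
        if label:
            findings.append((line_no, label, match.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, label, cmd in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {label:<25} {cmd}")
```

On the sample input the detector fires on lines 1, 3, 4, 5 and 7 and stays silent on the "show" commands and on cmd.exe. The design choice worth noting is that the rules key on argument structure, not on the presence of netsh.exe: that is exactly the intent-versus-action problem raised above, and in a real deployment the hits would still be correlated with the user context (a non-admin account cannot run the key=clear form at all) and with the parent process before anyone calls it malicious.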

Andy Ful

Dec 23, 2014
The funny thing about Windows is that one can say contradictory sentences about it and these sentences can be true in some way. For example:
  1. Windows is not especially secure.
  2. Windows is pretty much secure.
There are some arguments that could support point 1.
  • Windows and applications are mostly written in programming languages that are vulnerable to memory corruption. So there are countless possibilities for exploits.
  • The default admin account is vulnerable by design to privilege escalation.
  • Windows was developed for a long time for the convenience of Administrators. That is why it is hard to protect it against the attacks that use Administrators' actions (like was noticed in this thread).
  • Windows is the most popular OS and it is profitable to attack it.
  • Windows uses many legacy features that are vulnerable by design. It is like a ship built from several shipwrecks and by several constructors.
  • The new Windows versions always silently introduce new vulnerabilities.
  • etc.
There are some arguments that could support point 2.
  • Windows 10 is not an easy target when it is well updated. It is similar to a tough boxer who can take many punches without a knockout.
  • Windows is more secure than our life - many daily activities are not as secure (swimming, walking down the stairs, crossing the road, driving a car, smoking cigarettes, using a debit card, using closed doors to prevent theft, etc.).
  • Microsoft and some other vendors actively participate in a Bug Bounty Program (they pay hackers and researchers for finding vulnerabilities). These vulnerabilities are usually closed before using them in the wild (like in the famous WannaCry attacks).
  • There is a lot of security software for Windows that can make it much more secure. The problem is that people do not want to use Windows in the limited way of Linux.
  • One can be much more secure when using above-average security. You do not have to be faster than the angry bear, but only faster than the guy running behind you.
  • Many computer infections are related to social engineering tricks and not to Windows security flaws.
  • Many computer infections follow from wishful thinking, like for example "I know that this file is shady, but I am eager to run it. Computer security will probably save me anyway".
So, many people can probably have a very different view of Windows security (including Windows Firewall, Defender, etc.). It would be hard to be sure who is right and who is wrong about it. :)(y)

Sorry if my post is slightly off-topic.
 

Opc9

Aug 2, 2020
One might conclude either:

  1. Symantec and McAfee are the better AVs
  2. Symantec and McAfee are overly aggressive
  3. Don't depend on AV alone to secure Windows
I choose 3.

Actually I forgot 4. Don't depend on AV at all.
5. Using a Windows login account that is not part of the Administrators group can greatly improve your security by limiting access to the Windows admin tools that were used in this type of attack.

Imagine if every user on this site had admin rights and could make changes to the critical or vital settings that make the website run smoothly; that would be very bad for security.

Normal users like you and I can't perform admin tasks on this site, hence it is more secure from our daily interaction with it.

*Although, mind you, the point of the test was to point out how varied AV detections are for the same file; in order to achieve this, admin rights were used ;)
 

Opc9

Aug 2, 2020
Linux is not safer than Windows. It is full of undiscovered vulnerabilities.
This is your opinion, not a fact. There are many points Andy made in regards to the pros and cons of Windows security.

The general consensus among the tech community for years has been that Linux is the more secure OS compared to Windows.

Being open source, Linux has much less chance of having undiscovered vulnerabilities compared to Windows, which is closed source.
 

Andy Ful

Dec 23, 2014
Most Linux vulnerabilities can affect servers and Enterprise networks, especially unpatched or misconfigured ones. See for example:

Linux is much safer (compared to Windows) for home users.
Also, a well-configured and hardened Linux is generally safer compared to Windows (this can change in the near future).

A grain of salt:
 

SecurityNightmares

Jan 9, 2020
Because of that I don't agree that Linux is safer than Windows.
Linux lacks a lot of important security features which Windows provides; but, to be fair, some need to be enabled first in Windows.

In my opinion, MacOS combines the advantages of both Windows and Linux for the best out-of-the-box security.
Windows (especially Enterprise) can be secured to an extremely high level too.
 