Malware Analysis Random Musing

[cruelsister]

Don't know if this will be of interest to anyone, but will post it anyway.

As there are always questions about which AV product to pick and should a given test be trusted, I was just curious and tried a few things for giggles.

To begin, let's consider Windows Firewall. As one may or may not want it enabled, one can either disable it manually through the GUI or instead enter a command (running as Administrator) to do so. But if instead we would rather create an executable to accomplish our goal (of disabling WF), how would a typical AV react?

The test:
A script to disable WF was written. It was converted to an executable in different ways (don't real know if one would actually consider any of these truly malicious, but that's not really the point):

1). a baseline version with the option to show the command box (visible) on run, or to hide the command box (invisible). These will be the baseline.
2). to add run as Administrator to the above baseline programs.
3). To add an icon to the baseline programs
4). To compress the baseline thingies with something like UPX

(Please note that ONLY the exe's that would be run with Admin Privilege will actually disable the Firewall)

Results: when run against various AV applications, it was seen that stuff like Microsoft, Kaspersky, Emsisoft would not find issue with any of the above, while Symantec and McAfee flagged them all.

G-Data found that adding an icon to the Invisible FW baseline exe to be fine, as was the Visible form but will flag as malicious the Invisible form without an icon (Win32.Trojan.PSE.DR6CWW).

Avira didn't have an issue with any except hated the compressed versions, both of which were blocked.

Avast found all fine except the Invisible Icon exe which was blocked.

Conclusion- obviously I have much too much time on my hands this morning.

 

[Brahman]

Would love to see that all in your YouTube channel...

 

[The_King]

I would like to know if Windows Core Isolation was enable along with memory integrity and if not will those settings have changed the outcome of this test?

 

[Digmor Crusher]

Thanks CS, I would be very interested in finding out how some non-antivirus programs such as Voodoo Shield, Osarmour, Malwarebytes, Configure Defender etc would react. Anti-virus gets tested to death on here but these other programs, not so much.

 

[cruelsister]

Opc9- Although the point (yeah, I actually did have a point) here was to demonstrate the variability of what certain AV products will detect as potentially malicious, with regard to native Windows protection, having UAC enabled even at the lowest level would alert to the Admiin Privilege request, thus blocking any action (but keep in mind that UAC at any level won't stop such as a modified (true zero-day) X-data from encrypting the files of the innocent).

 

[cruelsister]

Thanks CS, I would be very interested in finding out how some non-antivirus programs such as Voodoo Shield, Osarmour, Malwarebytes, Configure Defender etc would react. Anti-virus gets tested to death on here but these other programs, not so much.

Good Question. VS, not surprisingly will detect all as unsafe (remember Symantec and McAfee will also do so and VS feeds from such detections). OA also blocks all (based on its dislike of netsh.exe). Malwarebytes will allow all except the Visible Admin file (thus allowing WF to be disabled). Didn't specifically try Config Defender but would assume it mimics the results from Defender itself.

 

[Digmor Crusher]

Thanks for quick reply. Maybe Andy can comment on CD, SWH and HC.

 

[Andy Ful]

I think that one should also take into account that in the home environment the router still functions as a hardware firewall, even if Windows Firewall is disabled. So, the problem is (so far) when we use the computer (usually a laptop) in an insecure environment. This can change in the future due to many vulnerabilities in routers' firmware and the increasing popularity of working remotely from the home.
Also in Enterprises, one should assume that the chances of infection are fair so Windows Firewall can only be a part of network protection.

Generally, Windows Firewall alone is a weak security layer if the machine is already infected and the malware could get high privileges.

 

[The_King]

I think that one should also take into account that in the home environment the router still functions as a hardware firewall, even if Windows Firewall is disabled. So, the problem is (so far) when we use the computer (usually a laptop) in an insecure environment. This can change in the future due to many vulnerabilities in routers' firmware and the increasing popularity of working remotely from the home.
Also in Enterprises, one should assume that the chances of infection are fair so Windows Firewall can only be a part of network protection.

Generally, Windows Firewall alone is a weak security layer if the machine is already infected and the malware could get high privileges.

So is it wrong to say that Windows Core Isolation and memory integrity would protect system and security processes even if the system is compromised with malware?

What is Core Isolation?

When these features are enabled, Windows uses hardware virtualization features to create a secure area of system memory that’s isolated from the normal operating system. Windows can run system processes and security software in this secure area. This protects important operating system processes from being tampered with by anything running outside the secure area.

Even if malware is running on your PC and knows an exploit that should allow it to crack these Windows processes, the virtualization-based security is an additional layer of protection that will isolate them from attack.

What Is Memory Integrity?

This feature is a subset of Core Isolation. Windows normally requires digital signatures for device drivers and other code that runs in low-level Windows kernel mode. This ensures they haven’t been tampered with by malware. When “Memory Integrity” is enabled, the “code integrity service” in Windows runs inside the hypervisor-protected container created by Core Isolation. This should make it nearly impossible for malware to tamper with the code integrity checks and gain access to the Windows kernel.

 

[Andy Ful]

Thanks for quick reply. Maybe Andy can comment on CD, SWH and HC.

All will be blocked by H_C Recommended_Settings.
Defender on default settings will block UAC bypass (except the new method), so the malware will not disable Windows Firewall. Windows 10 already blocks many UAC bypasses, but Defender can currently block all known bypasses and can also learn to block the new bypasses, like in the case of my POC malware based on disabling Defender. But in the case of the new UAC bypass, one has to activate the ASR rule "Use advanced protection against ransomware" or activate "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" (to block any non-prevalent EXEs). These rules can be activated by CD.

SWH + Windows SmartScreen + Windows built-in unpacker can prevent the execution of these EXEs, too. SWH will do it when one would like to open them from an archiver application or email client. Windows built-in unpacker + SmartScreen will block execution when the EXE is uncompressed before execution or it is executed after downloading from the Internet.
If the malware is executed from the USB drive, it can be blocked by the Defender ASR rule "Block untrusted and unsigned processes that run from USB".

Of course, some of these protection layers would not stop @cruelsister (if highly motivated), because she could sign the malware with a valid EV certificate and make an effort to find a working UAC bypass. Fortunately, such attacks on home users are very rare and users on SUA (with Windows 10) were still protected.

Post edited.

 

[Andy Ful]

So is it wrong to say that Windows Core Isolation and memory integrity would protect system and security processes even if the system is compromised with malware?

It is wrong to say so when the attacker uses the system processes or system tools that are designed to perform Administrative management. Core Isolation uses hardware virtualization to prevent abusing important/sensitive system processes via exploiting something in the Windows kernel.

 

[The_King]

It is wrong to say so when the attacker uses the system processes or system tools that are designed to perform Administrative management. Core Isolation uses hardware virtualization to prevent abusing important/sensitive system processes via exploiting something in the Windows kernel.

So then, if the script used to disable WF used system processes or system admin tools it should not be blocked if run with admin privileges?
Thanks for the reply.

 

[Andy Ful]

So then, if the script used to disable WF used system processes or system admin tools it should not be blocked if run with admin privileges?
Thanks for the reply.

That depends on your needs and security setup. Such possibilities were created by Microsoft for Administrators in Enterprises. Unfortunately, scripting is available also in Windows Home. In my personal opinion, this put in danger home users. Of course, Microsoft had its own reasons for doing this.

 

[rndmblk]

Results: when run against various AV applications, it was seen that stuff like Microsoft, Kaspersky, Emsisoft would not find issue with any of the above

Is that a worry?

 

[cruelsister]

Is that a worry?

That would depend. Netsh.exe is a legitimate windows file included with Windows to do legitimate things (interacts with the network configuration of a system). Certainly in the case of what so far has been discussed here just disabling Windows Firewall is legitimate in itself. But it may not be something beneficial if misused as it often is by being woven into either a RAT or Info Stealer, where it can also be coded to add or remove Firewall Rules in order to accomplish some nasty aim.

What would be a worry is that other netsh commands (like "wlan show profile") do fun things like steal WIFI credentials. Packet harvesting, and the persistence of malware by the use of a helper dll can also be accomplished with netsh (not that I would know, being Kind and Gentle myself).

Not to darken your day, but there really is nothing you can do about it.

 

[Andy Ful]

Generally, if the attacker can get high privileges on Windows, then everything is possible. Windows was made for the convenience of Administrators in the first place. Security was never a priority (except the last few years).
This may change with new systems like Windows 10X, but I am not sure.

 

[The_King]

Generally, if the attacker can get high privileges on Windows, then everything is possible. Windows was made for the convenience of Administrators in the first place. Security was never a priority (except the last few years).
This may change with new systems like Windows 10X, but I am not sure.

Is that not part of the problem then running Windows with an Admin account all the time instead of using a standard user account?

 

[rndmblk]

Is that not part of the problem then running Windows with an Admin account all the time instead of using a standard user account?

I thought so and as a result have a local account that is an administrator and my day to day account is a standard user

 

[Andy Ful]

Is that not part of the problem then running Windows with an Admin account all the time instead of using a standard user account?

Yes. It is much easier to protect the computer when daily work is done on SUA.
But even on SUA, the attacker can use social engineering and convince the user to use credentials or use ransomware which does not need to elevate. The important protection for average users is blocking the malware delivery paths. This is usually done by blocking the email attachments that include executables and scripts, blocking malware URLs & phishing, blocking malicious ADs, blocking files with very low prevalence, etc. Even delaying by one day the execution of the file downloaded from the Internet can significantly increase safety (like in the example of IOBit malware). The infection rate can be also significantly reduced by applying a few safe habits and learning to recognize a scam.
AV protection is also very important, but not the current differences between AVs. I think that these differences are much less important compared to users' safe habits and common sense.

Edit.
I am not sure if we are still on topic. The OP was about Windows Firewall.

 

[Andy Ful]

Back to the topic. Microsoft security is focused on Enterprises and business users. They use computers in the environment with a much bigger attack surface (compared to Home users). So, allowing to disable Windows Firewall and Defender should be much harder for sure. The current model is adjusted for the Administrators convenience and backward compatibility. Microsoft understands this well, so it is highly motivated to introduce in Enterprises the "Zero Trust Security".