Self-made ransomware VS antivirus products

SKG2016

Level 1
Thread author
Verified
Dec 19, 2016
42
Disclaimer: I had not made this ransomware and this post was from a virus specialist in testing malware and security product. It is my pleasure for me to be allowed to re-post the thread.

2016 is a year of ransomware, and most premium AV providers announce new features of anti-ransomware in their new product, or integrate them with signature based on-access scan and proactive defense, so I wonder, how effective are they?

Around Dec 10 a tester DIYed a simple crypto ransomware with but with a code that is not currently recognised by any AV signature.

Unfortunately I do not have the sample as that tester does not want to spread the ransomware but here is the file info from VirusTotal as per 25/12/2016(Merry Christmas everyone :)):
Antivirus scan for f66632ac896e02a917427e48dfc0ca8d742fbac5e39691530ec1cc28c24101ff at 2016-12-23 06:08:59 UTC - VirusTotal

Detection History:

2016-12-20 23:03:23 UTC (8 / 57) (Except for Avira, all engine reported seems to be based on BitDefender, please correct me if I was wrong):
Antivirus scan for f66632ac896e02a917427e48dfc0ca8d742fbac5e39691530ec1cc28c24101ff at 2016-12-20 23:03:23 UTC - VirusTotal

2016-12-21 14:18:10 UTC (12 / 56):
Antivirus scan for f66632ac896e02a917427e48dfc0ca8d742fbac5e39691530ec1cc28c24101ff at 2016-12-21 14:18:10 UTC - VirusTotal


Up to now, 29/57 reported this file being malicious, impressive result right? But on Dec 12 when the test was conducted, this ransomware has yet to be seen by any AV software and is literally a zero-day threat.

Let us see how those antivirus asking us to pay every year perform in this test.

Test condition:
-VirtualBox, Windows 7 32 bit version;
-AV database up to date as per 12/12/2016 (well pretty much useless because detecting such new threat requires heuristic analysis and proactive defense);
-No Internet connection: the purpose is to prevent any AV reporting it malicious and upload it to the cloud before the test is completed, since this test took two days;
-All settings are at their default UNLESS specified below.

Virus behaviour:
-To minimise possibility of detection by AV, this ransomware will encrypt the file before injecting any code into the system;
-The virus will be idle in the system for several minutes before becoming active to prevent on-access heuristic scan from recognising the threat using sand-box scanning technique;
-Generate a 256-bit AES key randomly;
-Encrypt all the files in Desktop and Documents using this key with RSA4096+AES256(CTR) mixed method;
-All the encrypted files are stored in .enc suffix;
-Malicious payload is stored offline to prevent AV from recognising the link (in fact no network as stated above);
-No system hijacking as well as screen lock, a "Recover Your Files! Readme.txt" file will be generated on Desktop including a made-up payment instruction.

Ok, let's go!

List of software(at their latest product version):
Bitdefender Free
AVG Free
Dr. Web
FSCS
Symantec Endpoint Protection
AVIRA Free
Fileseclab
AVAST Free
BullGuard
360 Total Security
ESET Internet Security
McAfee Endpoint Security
Windows Defender
TrendMicro
GDATA
Kaspersky Internet Security
Bitdefender Total Security

Result at default settings:
No need to create a table, it was simply ALL FAILED except GDATA and Bitdefender. (Note: for GDATA the component responsible for detection is Real time protection, if it is disabled even with behavior monitor and exploit protection on GD still failed to detect this ransomware)

So apparently GDATA and Bitdefender are the only product which is able to effectively block this, but let's not stop here, tweak and play with some settings and see how it goes. I have also included some cloud based second opinion scanners to see whether this threat can be identified.

HitmanPro.Alert: failed surprisingly considering their advanced multi engine cloud scanning and behavior analysis;

TrendMicro: successfully blocked if anti-ransomware is set properly (Desktop was not in the default protection list so it was encrypted, so it counts as a fail despite documents are protected);

Bitdefender: if the anti ransomware protection is closed, even with Active Threat Control on aggressive level, this really shocks me since ATC is one of the world's leading behavior based detection system;

Kaspersky: Still cannot block at maximum protection setting, but if the "Perform recommended action automatically" is toggled off and HIPS set up correctly in the application control, a pop up window will ask for action, it is kinda a successful block if the user know what he is doing. But according to my experience, switching off the automatic action setting is impractical since Kaspersky will pop up a million request for action windows whenever a program is accessing any sensitive data in the system and any program attempting to establish UDP connection, even the app is in the Trusted group. So that is why I marked it as a fail.

Conclusion:

-A nightmare for anyone who gives a 100% trust to AV product.

-Even ATC in Bitdefender failed, so my advice is although chance of getting hit by one of those zero-day threat is slim as a personal user, but backing up regularly is always a good habit and it is NEVER a waste of time.

-Proactive defensive did not play a very big role in this test, it simply did not fulfill its purpose of existence. (I did not say it is useless, as a matter of fact it is the primary defense to new threats, not only ransomware, this is only a single case scenario) It is because if the proactive defensive system is set to a way too aggressive level enough to detect this threat too many false positives will occur and users will be annoyed. That's why all advance AV companies have their own virus cloud analysis to process huge amount of data, but there is a time delay between the threat's first attack and the AV cloud finish the analysis. If the ransomware already infected a mass number of machines, it would be a bit too late.

-All successive cases of identifying the threat is by HIPS: host-based intrusion prevention system. This is in fact a very simple mechanism compared to component like active threat control. It restricts the access to specific resources on the system based a preset rule, and that is fundamentally how all anti-ransomware modules work. This is most efficient if you want to protect personal files since all suspicious actions will either trigger prompt for action (e.g. Kaspersky) or block by default (e.g. Bitdefender).

Screenshots:
Only some key shots are posted since getting all of them here takes way too much time, forgive my laziness XDD :)

Kaspersky default: failed
KIS1212-Failed.JPG


Kaspersky setting tweak
KIS-setting-success.JPG


Kaspersky successfully blocked: prompt for action:
KIS-no_auto_action-Success.JPG

As screenshot indicates the recommended action is ALLOW, so in auto mode this ransomware is allowed to run

Bitdefender with aggressive ATC and anti-ransomware disabled: failed
BD-ATC-Failed.png


Bitdefender with anti ransomware enabled and configured: success
BD-RWProtect-Success2.png


HitmanPro.Alert: failed
HMPA-online-Failed.JPG


GDATA: success
GDATA1212-Success.JPG


Avast(free): it automatically sandbox the ransomware sample, but after 15 seconds of trial execute it is allowed to run and hence: failed
AVAST-SB.JPG

AVAST-Failed.JPG


Trend Micro: failed
TrendMicro-Failed.JPG


That's basically it, please let me know what you think, all discussions and criticisms are welcomed.
 
Last edited:

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
We should know that majority of BB and HIPS rely very much on signatures, generic detection and cloud thus the bypass rate is high.

If you use a program with Whitelisting Technology then you are safe for possible quick attacks.

Building an AI by scratch is difficult and will take time to master it.
 
5

509322

This sample and the test results are a perfect demonstration that at some point all detection\behavioral modules will fail.

Most people here at MT know this, but many somehow expect that they will somehow find a soft or a new soft release that will out-perform.

The definition of insanity is doing the same thing over-and-over, but expecting a different result.

Just as a side note, more and more Enterprises are adopting solutions that use software restriction policies, restricted sandboxes (VDIs) or combinations of the two. They have reached the conclusion, and rightly so, that detection and behavioral monitoring (including machine learning and artificial intelligence) will ultimately fail to protect systems.
 
Last edited by a moderator:

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
according to the screenshot, if we set avast's harderned mode to moderate (because Deepscreen was triggered) avast would have blocked it
not sure about aggressive mode but it could have blocked it also

when I clicked on the link of the sample, avast blocked the URL
 

Der.Reisende

Level 45
Honorary Member
Top Poster
Content Creator
Malware Hunter
Dec 27, 2014
3,423
dj8cqdf3.jpg
dj8cqdf3.jpg
File to Test:
hxxp://www28.zippyshare.com/v/IfARbgFw/file.html
passwort to unzip :MyRansomware
Awesome, will test it soon! Thank you for the heads up!

EDIT: Game over, does not work for me (probably stopped by Dr. Web Preventive Protection -> Exploit Protection). However no log entry for that.
Regardless of the setting same error (even with unauthorized code allowed).
Paranoid preset used.
run.JPG run2.JPG
 
Last edited:
M

MalwareBlockerYT

Disclaimer: I had not made this ransomware and this post was from a virus specialist in testing malware and security product. It is my pleasure for me to be allowed to re-post the thread.

2016 is a year of ransomware, and most premium AV providers announce new features of anti-ransomware in their new product, or integrate them with signature based on-access scan and proactive defense, so I wonder, how effective are they?

Around Dec 10 a tester DIYed a simple crypto ransomware with but with a code that is not currently recognised by any AV signature.

Unfortunately I do not have the sample as that tester does not want to spread the ransomware but here is the file info from VirusTotal as per 25/12/2016(Merry Christmas everyone :)):
Antivirus scan for f66632ac896e02a917427e48dfc0ca8d742fbac5e39691530ec1cc28c24101ff at 2016-12-23 06:08:59 UTC - VirusTotal

Detection History:

2016-12-20 23:03:23 UTC (8 / 57) (Except for Avira, all engine reported seems to be based on BitDefender, please correct me if I was wrong):
Antivirus scan for f66632ac896e02a917427e48dfc0ca8d742fbac5e39691530ec1cc28c24101ff at 2016-12-20 23:03:23 UTC - VirusTotal

2016-12-21 14:18:10 UTC (12 / 56):
Antivirus scan for f66632ac896e02a917427e48dfc0ca8d742fbac5e39691530ec1cc28c24101ff at 2016-12-21 14:18:10 UTC - VirusTotal


Up to now, 29/57 reported this file being malicious, impressive result right? But on Dec 12 when the test was conducted, this ransomware has yet to be seen by any AV software and is literally a zero-day threat.

Let us see how those antivirus asking us to pay every year perform in this test.

Test condition:
-VirtualBox, Windows 7 32 bit version;
-AV database up to date as per 12/12/2016 (well pretty much useless because detecting such new threat requires heuristic analysis and proactive defense);
-No Internet connection: the purpose is to prevent any AV reporting it malicious and upload it to the cloud before the test is completed, since this test took two days;
-All settings are at their default UNLESS specified below.

Virus behaviour:
-To minimise possibility of detection by AV, this ransomware will encrypt the file before injecting any code into the system;
-The virus will be idle in the system for several minutes before becoming active to prevent on-access heuristic scan from recognising the threat using sand-box scanning technique;
-Generate a 256-bit AES key randomly;
-Encrypt all the files in Desktop and Documents using this key with RSA4096+AES256(CTR) mixed method;
-All the encrypted files are stored in .enc suffix;
-Malicious payload is stored offline to prevent AV from recognising the link (in fact no network as stated above);
-No system hijacking as well as screen lock, a "Recover Your Files! Readme.txt" file will be generated on Desktop including a made-up payment instruction.

Ok, let's go!

List of software(at their latest product version):
Bitdefender Free
AVG Free
Dr. Web
FSCS
Symantec Endpoint Protection
AVIRA Free
Fileseclab
AVAST Free
BullGuard
360 Total Security
ESET Internet Security
McAfee Endpoint Security
Windows Defender
TrendMicro
GDATA
Kaspersky Internet Security
Bitdefender Total Security

Result at default settings:
No need to create a table, it was simply ALL FAILED except GDATA and Bitdefender. (Note: for GDATA the component responsible for detection is Real time protection, if it is disabled even with behavior monitor and exploit protection on GD still failed to detect this ransomware)

So apparently GDATA and Bitdefender are the only product which is able to effectively block this, but let's not stop here, tweak and play with some settings and see how it goes. I have also included some cloud based second opinion scanners to see whether this threat can be identified.

HitmanPro.Alert: failed surprisingly considering their advanced multi engine cloud scanning and behavior analysis;

TrendMicro: successfully blocked if anti-ransomware is set properly (Desktop was not in the default protection list so it was encrypted, so it counts as a fail despite documents are protected);

Bitdefender: if the anti ransomware protection is closed, even with Active Threat Control on aggressive level, this really shocks me since ATC is one of the world's leading behavior based detection system;

Kaspersky: Still cannot block at maximum protection setting, but if the "Perform recommended action automatically" is toggled off and HIPS set up correctly in the application control, a pop up window will ask for action, it is kinda a successful block if the user know what he is doing. But according to my experience, switching off the automatic action setting is impractical since Kaspersky will pop up a million request for action windows whenever a program is accessing any sensitive data in the system and any program attempting to establish UDP connection, even the app is in the Trusted group. So that is why I marked it as a fail.

Conclusion:

-A nightmare for anyone who gives a 100% trust to AV product.

-Even ATC in Bitdefender failed, so my advice is although chance of getting hit by one of those zero-day threat is slim as a personal user, but backing up regularly is always a good habit and it is NEVER a waste of time.

-Proactive defensive did not play a very big role in this test, it simply did not fulfill its purpose of existence. (I did not say it is useless, as a matter of fact it is the primary defense to new threats, not only ransomware, this is only a single case scenario) It is because if the proactive defensive system is set to a way too aggressive level enough to detect this threat too many false positives will occur and users will be annoyed. That's why all advance AV companies have their own virus cloud analysis to process huge amount of data, but there is a time delay between the threat's first attack and the AV cloud finish the analysis. If the ransomware already infected a mass number of machines, it would be a bit too late.

-All successive cases of identifying the threat is by HIPS: host-based intrusion prevention system. This is in fact a very simple mechanism compared to component like active threat control. It restricts the access to specific resources on the system based a preset rule, and that is fundamentally how all anti-ransomware modules work. This is most efficient if you want to protect personal files since all suspicious actions will either trigger prompt for action (e.g. Kaspersky) or block by default (e.g. Bitdefender).

Screenshots:
Only some key shots are posted since getting all of them here takes way too much time, forgive my laziness XDD :)

Kaspersky default: failed
View attachment 128528

Kaspersky setting tweak
View attachment 128529

Kaspersky successfully blocked: prompt for action:
View attachment 128530
As screenshot indicates the recommended action is ALLOW, so in auto mode this ransomware is allowed to run

Bitdefender with aggressive ATC and anti-ransomware disabled: failed
View attachment 128531

Bitdefender with anti ransomware enabled and configured: success
View attachment 128533

HitmanPro.Alert: failed
View attachment 128534

GDATA: success
View attachment 128535

Avast(free): it automatically sandbox the ransomware sample, but after 15 seconds of trial execute it is allowed to run and hence: failed
View attachment 128536
View attachment 128537

Trend Micro: failed
View attachment 128538

That's basically it, please let me know what you think, all discussions and criticisms are welcomed.
Why did they not test Emsisoft? Also the key reason why it doesn't get blocked is because there are no signatures for the file. You are relying on BB & HIPs & not signatures so the result is going to be worse until the AV has a signature for the file.
 
5

509322

They didn't rely upon BB or HIPS - which a BB is a HIPS which targets specific file actions. Read towards the bottom of the OP. There he covers HIPS.

Instead the tester was looking for fully automated behavioral algorithms to block the file execution or actions. ATC is not a behavior blocker in the same sense as Emsisoft's. By that I mean the not so trivial difference of no ATC behavioral alerts in Bitdefender versus alerts in Emsisoft's behavior blocker. One is fully automated while the other requires interaction, but I think Emsisoft automated some of their behavior blocking actions. That's a question for Fabian Wosar.

If they ran the file using HIPS, the end result would be this: Windows Explorer is attempting to execute MyRansomware.exe > User BLOCK
 
Last edited by a moderator:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top