Der.Reisende

Level 42
Verified
Trusted
Content Creator
Malware Hunter
Avira has a signature for it. It's all over on this one.
Sure, but without a signature you're wasted if HIPS / BB or whatever are not able to stop it.
As you correctly noted, "This sample and the test results are a perfect demonstration that at some point all detection\behavioral modules will fail."
P.S. AFAIK, many samples are just altered slightly to make them undetected again, recycling at its best.
 

509322

Sure, but without a signature you're wasted if HIPS / BB or whatever are not able to stop it.
As you correctly noted, "This sample and the test results are a perfect demonstration that at some point all detection\behavioral modules will fail."
P.S. AFAIK, many samples are just altered slightly to make them undetected again, recycling at its best.
I meant if Avira has a signature for the specific file, then due to the AV practice of signature copying, probably most others will have one within hours.
 

SKG2016

Level 1

The purpose of this thread is not to urge AV companies to develop an ultimate solution based on BB but to expose a great weakness of it. This ransomware is programmed by an amateur IT enthusiast who only has intermediate knowledge of coding. As mentioned, there is no advanced code injection in the executable.

At least against brand new threats like this, complete HIPS control + whitelisting is the only way to protect our files from being encrypted. Although there cannot be a perfect solution, this is the most we can do.
 

Xtwillight

Level 6
Malware Tester
Why did you give us a malicious link?
SKG2016 wrote: "Unfortunately I do not have the sample as that tester does not want to spread the ransomware but here is the file info from VirusTotal as per 25/12/2016"
That's not true. In the posting "Self-made ransomware VS antivirus products" (https://malwaretips.com/threads/self-made-ransomware-vs-antivirus-products.66903/) is the link hxxp://bbs.kafan.cn/thread-2069598-1-1.html.
On that page there is a link to my MyRansomware.7z and the VirusTotal result.

Since the VirusTotal results exist and the sample was sent to VirusTotal, an independent audit of BB and other technical facilities is no longer possible.

It was maybe possible when the user of the thread had published it, but not any more after he sent the sample to VirusTotal!
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
@SKG2016, apologies, English is not my first language, so could you please help me understand your posts?

1. Are you talking about two different persons or is his/her status changed from specialist to amateur or is the person you are referring to a specialist in virus testing and an amateur in malware coding?

SKG2016 post1 said:
I had not made this ransomware and this post was from a virus specialist in testing malware and security product
SKG2016 post29 said:
This ransomware is programmed by an amateur IT enthusiast who only has intermediate knowledge to coding

2. Next thing I do not understand is when I surf to the link you provided, I see a table with names of Antivirus products and English text. Later on I again see names of Antivirus with failed and success. Are those reported fails and successes the test against one anti-ransomware sample travelling back in time or are those reported failed/success from different samples?

Thanks
 

tim one

Level 21
Verified
Trusted
Malware Hunter
Probably it would be difficult to interpret the C++ code of this sample, but it is quite reasonable to think that the ransomware may inject code, unlike what you are referring to.
By analyzing the PE imports from VT it seems that this sample injects code into the address space of another process.
Indeed, it seems to allocate space in the remote target process (VirtualAlloc), then write the function to the allocated space in the process heap (HeapReAlloc), then create a new thread for the process and place the function on its stack (CreateThread).
Lastly, it frees the allocated space used to execute the code (VirtualFree).

PE imports:

GetStdHandle
GetDriveTypeW
FileTimeToSystemTime
SetEndOfFile
EncodePointer
CreateTimerQueue
SystemTimeToTzSpecificLocalTime
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
UnhandledExceptionFilter
GetFileInformationByHandle
InitializeSListHead
InterlockedPopEntrySList
GetLocaleInfoW
SetStdHandle
GetCPInfo
WriteFile
GetSystemTimeAsFileTime
GetThreadTimes
HeapReAlloc
GetStringTypeW
FreeLibrary
GetThreadPriority
FreeLibraryAndExitThread
GetTimeZoneInformation
OutputDebugStringW
FindClose
TlsGetValue
GetFullPathNameW
SignalObjectAndWait
InterlockedPushEntrySList
SetLastError
PeekNamedPipe
GetModuleFileNameW
IsDebuggerPresent
ExitProcess
QueryPerformanceFrequency
SetThreadPriority
EnumSystemLocalesW
LoadLibraryExW
MultiByteToWideChar
SetFilePointerEx
DeleteTimerQueueTimer
RegisterWaitForSingleObject
CreateThread
InterlockedFlushSList
CreateSemaphoreW
IsProcessorFeaturePresent
DecodePointer
SetEnvironmentVariableA
TerminateProcess
SetUnhandledExceptionFilter
GetModuleHandleExW
ChangeTimerQueueTimer
ReadConsoleW
GetCurrentThreadId
WriteConsoleW
AreFileApisANSI
InitializeCriticalSectionAndSpinCount
HeapFree
EnterCriticalSection
LoadLibraryW
GetVersionExW
SetEvent
QueryPerformanceCounter
GetTickCount
TlsAlloc
VirtualProtect
FlushFileBuffers
RtlUnwind
GetDateFormatW
GetStartupInfoW
DeleteFileW
GetProcAddress
GetProcessHeap
QueryDepthSList
GetTimeFormatW
FreeEnvironmentStringsW
FindNextFileW
CreateTimerQueueTimer
FindFirstFileW
IsValidLocale
DuplicateHandle
FindFirstFileExW
GetUserDefaultLCID
GetProcessAffinityMask
CreateEventW
CreateFileW
GetFileType
TlsSetValue
HeapAlloc
LeaveCriticalSection
GetLastError
IsValidCodePage
LCMapStringW
GetConsoleCP
UnregisterWaitEx
CompareStringW
GetEnvironmentStringsW
WaitForSingleObjectEx
SwitchToThread
UnregisterWait
GetCurrentProcessId
GetCommandLineW
WideCharToMultiByte
HeapSize
SetThreadAffinityMask
GetCurrentThread
RaiseException
ReleaseSemaphore
TlsFree
GetModuleHandleA
ReadFile
CloseHandle
GetACP
GetModuleHandleW
FileTimeToLocalFileTime
GetLogicalProcessorInformation
GetNumaHighestNodeNumber
GetCurrentDirectoryW
VirtualFree
Sleep
VirtualAlloc
GetOEMCP
 
Wave

Here are some quick details from my analysis of the sample (reversing):

When the sample is executed it will use the string "RSA_Priv_key.enc" (for whatever purpose). Afterwards, it will call the function SHGetFolderPathW (exported by Shell32.dll - Win32 API); it calls this function for a second time later on. Later on, it will do some string comparisons for "C:\\Users\\asus\\Documents\\visual studio 2013\\Projects\\MyRansomware\\TestFile\\" (therefore I assume the developer of this sample had his user account name as "asus"), and then it will start a Do loop.

Once the encryption payload has been successfully executed (it will utilize "RSA_Priv_key.enc" and "EncryptedKey.encskip") it will use the following string: " Your files have been encrypted. For decryption, please pay 0.1 bitcoint to the account 13P2J5ButQVJHxmQdrwqRepDai4"
"gQ2G9HY.Then you should send the payment proof along with the file 'EncryptedKey.encskip' on your desktop to mail"
": myransomware@yandex.com.The decryption tool and instructions will be sent to you after the payment.".

The mentioned string above will be placed into a text file called "Recover Your Files! Readme.txt", on the disk.

The sample uses the CryptoAPI for encryption.

The PE exports are listed below:
Code:
Address  Ordinal Name                                  Library
-------  ------- ----                                  -------
00499000         CryptReleaseContext                   ADVAPI32
00499004         CryptAcquireContextA                  ADVAPI32
00499008         CryptGenRandom                        ADVAPI32
00499010         FindClose                             KERNEL32
00499014         FindNextFileW                         KERNEL32
00499018         SetLastError                          KERNEL32
0049901C         GetLastError                          KERNEL32
00499020         QueryPerformanceFrequency             KERNEL32
00499024         GetCurrentThread                      KERNEL32
00499028         GetThreadTimes                        KERNEL32
0049902C         GetModuleFileNameW                    KERNEL32
00499030         Sleep                                 KERNEL32
00499034         QueryPerformanceCounter               KERNEL32
00499038         FindFirstFileW                        KERNEL32
0049903C         SetEnvironmentVariableA               KERNEL32
00499040         WideCharToMultiByte                   KERNEL32
00499044         GetCurrentThreadId                    KERNEL32
00499048         MultiByteToWideChar                   KERNEL32
0049904C         GetStringTypeW                        KERNEL32
00499050         EncodePointer                         KERNEL32
00499054         DecodePointer                         KERNEL32
00499058         EnterCriticalSection                  KERNEL32
0049905C         LeaveCriticalSection                  KERNEL32
00499060         DeleteCriticalSection                 KERNEL32
00499064         GetSystemTimeAsFileTime               KERNEL32
00499068         HeapFree                              KERNEL32
0049906C         HeapAlloc                             KERNEL32
00499070         FindFirstFileExW                      KERNEL32
00499074         GetDriveTypeW                         KERNEL32
00499078         SystemTimeToTzSpecificLocalTime       KERNEL32
0049907C         FileTimeToSystemTime                  KERNEL32
00499080         DeleteFileW                           KERNEL32
00499084         GetCPInfo                             KERNEL32
00499088         IsDebuggerPresent                     KERNEL32
0049908C         IsProcessorFeaturePresent             KERNEL32
00499090         ExitProcess                           KERNEL32
00499094         GetModuleHandleExW                    KERNEL32
00499098         GetProcAddress                        KERNEL32
0049909C         AreFileApisANSI                       KERNEL32
004990A0         GetCommandLineW                       KERNEL32
004990A4         RaiseException                        KERNEL32
004990A8         RtlUnwind                             KERNEL32
004990AC         CreateTimerQueue                      KERNEL32
004990B0         CloseHandle                           KERNEL32
004990B4         SetEvent                              KERNEL32
004990B8         WaitForSingleObjectEx                 KERNEL32
004990BC         SignalObjectAndWait                   KERNEL32
004990C0         GetCurrentProcess                     KERNEL32
004990C4         SwitchToThread                        KERNEL32
004990C8         CreateThread                          KERNEL32
004990CC         SetThreadPriority                     KERNEL32
004990D0         GetThreadPriority                     KERNEL32
004990D4         TlsAlloc                              KERNEL32
004990D8         TlsGetValue                           KERNEL32
004990DC         TlsSetValue                           KERNEL32
004990E0         TlsFree                               KERNEL32
004990E4         GetLogicalProcessorInformation        KERNEL32
004990E8         CreateTimerQueueTimer                 KERNEL32
004990EC         ChangeTimerQueueTimer                 KERNEL32
004990F0         DeleteTimerQueueTimer                 KERNEL32
004990F4         GetModuleHandleW                      KERNEL32
004990F8         GetNumaHighestNodeNumber              KERNEL32
004990FC         GetProcessAffinityMask                KERNEL32
00499100         SetThreadAffinityMask                 KERNEL32
00499104         RegisterWaitForSingleObject           KERNEL32
00499108         UnregisterWait                        KERNEL32
0049910C         UnhandledExceptionFilter              KERNEL32
00499110         SetUnhandledExceptionFilter           KERNEL32
00499114         InitializeCriticalSectionAndSpinCount KERNEL32
00499118         CreateEventW                          KERNEL32
0049911C         TerminateProcess                      KERNEL32
00499120         GetStartupInfoW                       KERNEL32
00499124         GetTickCount                          KERNEL32
00499128         CreateSemaphoreW                      KERNEL32
0049912C         GetDateFormatW                        KERNEL32
00499130         GetTimeFormatW                        KERNEL32
00499134         CompareStringW                        KERNEL32
00499138         LCMapStringW                          KERNEL32
0049913C         GetLocaleInfoW                        KERNEL32
00499140         IsValidLocale                         KERNEL32
00499144         GetUserDefaultLCID                    KERNEL32
00499148         EnumSystemLocalesW                    KERNEL32
0049914C         GetStdHandle                          KERNEL32
00499150         GetFileType                           KERNEL32
00499154         GetProcessHeap                        KERNEL32
00499158         WriteFile                             KERNEL32
0049915C         ReadFile                              KERNEL32
00499160         SetFilePointerEx                      KERNEL32
00499164         FlushFileBuffers                      KERNEL32
00499168         GetConsoleCP                          KERNEL32
0049916C         GetConsoleMode                        KERNEL32
00499170         FileTimeToLocalFileTime               KERNEL32
00499174         GetFileInformationByHandle            KERNEL32
00499178         PeekNamedPipe                         KERNEL32
0049917C         GetFullPathNameW                      KERNEL32
00499180         GetCurrentDirectoryW                  KERNEL32
00499184         CreateFileW                           KERNEL32
00499188         HeapSize                              KERNEL32
0049918C         FreeLibrary                           KERNEL32
00499190         LoadLibraryExW                        KERNEL32
00499194         IsValidCodePage                       KERNEL32
00499198         GetACP                                KERNEL32
0049919C         GetOEMCP                              KERNEL32
004991A0         GetCurrentProcessId                   KERNEL32
004991A4         GetEnvironmentStringsW                KERNEL32
004991A8         FreeEnvironmentStringsW               KERNEL32
004991AC         HeapReAlloc                           KERNEL32
004991B0         OutputDebugStringW                    KERNEL32
004991B4         FreeLibraryAndExitThread              KERNEL32
004991B8         GetModuleHandleA                      KERNEL32
004991BC         GetVersionExW                         KERNEL32
004991C0         VirtualAlloc                          KERNEL32
004991C4         VirtualFree                           KERNEL32
004991C8         VirtualProtect                        KERNEL32
004991CC         DuplicateHandle                       KERNEL32
004991D0         ReleaseSemaphore                      KERNEL32
004991D4         InitializeSListHead                   KERNEL32
004991D8         InterlockedPopEntrySList              KERNEL32
004991DC         InterlockedPushEntrySList             KERNEL32
004991E0         InterlockedFlushSList                 KERNEL32
004991E4         QueryDepthSList                       KERNEL32
004991E8         UnregisterWaitEx                      KERNEL32
004991EC         GetTimeZoneInformation                KERNEL32
004991F0         ReadConsoleW                          KERNEL32
004991F4         SetStdHandle                          KERNEL32
004991F8         WriteConsoleW                         KERNEL32
004991FC         SetEndOfFile                          KERNEL32
00499200         LoadLibraryW                          KERNEL32
00499208         SHGetFolderPathW                      SHELL32
You can use IDA Pro for disassembly.

It is actually not that sophisticated a sample in terms of effectiveness, but I am not a "master" at reverse engineering ransomware... These are just some quick details from my non-sober analysis, so hopefully it is still useful. Maybe I will come back to this another day when I am in a more "right mind".

Thanks for reading.
 

SKG2016

Level 1
Windows_Security said:
@SKG2016, apologies, English is not my first language, so could you please help me understand your posts?

1. Are you talking about two different persons or is his/her status changed from specialist to amateur or is the person you are referring to a specialist in virus testing and an amateur in malware coding?

2. Next thing I do not understand is when I surf to the link you provided, I see a table with names of Antivirus products and English text. Later on I again see names of Antivirus with failed and success. Are those reported fails and successes the test against one anti-ransomware sample travelling back in time or are those reported failed/success from different samples?

Thanks
Thanks for the reply.

1. I do not personally know that poster, but I would reckon that his specialty is in analysing virus behaviour in a system by monitoring the code injection, damage done and network activities in the system, but not coding a specific virus. Virus testing is a very broad subject and consists of numerous different areas; at the same time there are also a lot of computer languages for coding a program. (Anyway, the author in every aspect is more professional than me, I am a complete rookie and the entire thread is quoting him based on my best comprehension.) So I do not think those two words conflict with each other.

2. Same time and same sample but with settings tweaked in AV products. My quotes in this thread are only an objective summary of his post and include some subjective opinion of mine when it comes to the conclusion. We reported results in a slightly different format but I did not change any result. If you wish you can use the crappy Google Translate to attempt reading the original post, but good luck understanding it :)
 

SKG2016

Level 1
Wave said:
Here are some quick details from my analysis of the sample (reversing):
Would any pros in this forum do a detailed analysis of this sample and give feedback to some major AV companies to help them improve their BB module?
 

SKG2016

Level 1
Kaspersky has a similar module to Bitdefender for ransomware protection. Was it enabled in the test?
If you had read the post carefully, I did mention that initially Kaspersky was tested at default and failed, and then some settings were tweaked:
Kaspersky: Still cannot block at maximum protection setting, but if "Perform recommended action automatically" is toggled off and HIPS is set up correctly in the application control, a pop-up window will ask for action; it is kind of a successful block if the user knows what he is doing. But according to my experience, switching off the automatic action setting is impractical since Kaspersky will pop up a million request-for-action windows whenever a program is accessing any sensitive data in the system or any program is attempting to establish a UDP connection, even if the app is in the Trusted group.
Yep indeed that setting change worked like a charm, but a novice user will struggle to perform such a medium-level modification to an AV product.

So that is why I marked it as a fail.
 
Wave

Would any pros in this forum do a detailed analysis of this sample and give feedback to some major AV companies to help them improve their BB module?
They can improve their Behavior Blocker with many techniques (or create one), not just aimed towards ransomware.

Firstly, they need to get code execution running within the address space of the target process to monitor; they can do this by creating their own thread within the process remotely so they can use this thread for their own code execution - DLL injection works fine for security software since it doesn't need to be concealed like a rootkit, and even then they can use manual mapping injection so the DLL is not linked with the PEB module list (thus it won't show as a loaded module within the monitored process which is a bit more stealthy and a better technique if you are injecting early on the process start-up).

Secondly, they will need to either write a hooking engine (a basic one which supports a trampoline will do just fine) or use an existing hooking engine which they have permission to use (e.g. MS Detours is great for an enterprise company which has money since the Express version only supports x86 processes which is not good enough for a security product of course...).

Thirdly, they will need to utilize the hooking engine to detour a bunch of APIs - they do not need to show an alert upon the callback of all the functions listed below, but monitor the API usage... Through the API logging they can identify specific behavior patterns such as dynamic forking/RunPE attempts, DLL injection, attempts to install a device driver, attempts to add to start-up, etc. When necessary, they can work with IPC (Inter-Process Communication): suspend the program which is being blocked, and then resume it after the GUI has sent back a response. You cannot really "suspend" a process; you just suspend the threads within the process, either by enumerating through all the threads and calling SuspendThread, or just by calling ZwSuspendProcess (and of course passing a handle to the process being monitored; however, if you suspend the process from within its own code execution directly, you can pass (HANDLE)-1 or (HANDLE)0 as the HANDLE parameter, which will work fine).

Here is a list of APIs which would be useful to monitor usage of:
- ZwTerminateProcess
- ZwOpenProcess
- ZwSuspendProcess
- ZwAllocateVirtualMemory
- ZwWriteVirtualMemory
- ZwUnmapViewOfSection
- ZwTerminateThread
- ZwSuspendThread
- ZwOpenThread
- ZwCreateThread/Ex
- RtlCreateUserThread (NTAPI equivalent of the famous CreateRemoteThread function)
- ZwLoadDriver
- ZwUnloadDriver
- ZwSetSystemInformation
- ZwCreateFile
- ZwWriteFile
- ZwCreateKey
- ZwDeleteKey
- ZwSetValueKey
- ZwDeleteValueKey
- ZwRaiseHardError
- ZwShutdownSystem
- RtlSetProcessIsCritical / NtSetInformationProcess
- RtlAdjustPrivilege
- LdrLoadDll
- NtCreateUserProcess (only from Vista onwards; for XP support you hook RtlCreateUserProcess, which is best for native program execution anyway)
- CreateService/StartService (both A/W routines of course)
- SetWindowsHookEx (both A/W routines of course)
- SetWinEventHook

As opposed to detouring NtCreateUserProcess or RtlCreateUserProcess for process execution monitoring, they can use a device driver with the kernel-mode callback PsSetCreateProcessNotifyRoutine/Ex for monitoring process execution - when process execution has been detected via the callback being invoked, they can perform injection into the newly starting process.

As opposed to detouring NTAPI functions for registry operations they can use a device driver with the kernel-mode callback CmRegisterCallbackEx (old version is without the Ex prefix), it allows you to get notifications for registry modifications.

As opposed to detouring NTAPI functions for I/O operations, they can use a file-system mini-filter device driver, which is much more efficient in terms of performance for detection of file modification attempts; this can be used for protection of the Master Boot Record, Windows Hosts file, system files, etc. It can also be utilized for real-time scanning for when a file is accessed, written to, etc.

They can work on browser protection by identifying when specific functions within APIs used by the browser have been detoured (HttpSendRequestA/W, SSL_Write, PR_Write), which are used by form-grabbers.

They can work on anti-rootkit protection by scanning for kernel-mode patching on x86 systems (SSDT hooking and Direct Kernel Object Manipulation) and then repairing these modifications in the Windows Kernel. They can also scan for processes in kernel-mode and then compare to a list of enumerated processes from user-mode to pick out "hidden processes".

In terms of ransomware protection specifically, you can attempt to monitor usage of the CryptoAPI; however, this is not the best method since not all ransomware will use the CryptoAPI (therefore it's not as reliable as alternative methods), and monitoring usage of other encryption APIs can be a bit difficult due to them possibly being statically linked (as opposed to being exported by an external library and dynamically linked). Therefore, a better alternative method would be using a device driver to monitor the file modification attempts (mini-filter) and then using this to identify encryption on files through a custom algorithm, and then intercepting/auto-blocking once encryption behavior has been matched to the running program.

As an addition to the above, you can identify when a program is attempting to enumerate the drives on the system (or the files on the drives), and you can work with a scoring system and increment it with this behavior, or just store this information for future reference. For additional stealth, place a few bait files with dynamic file-names around the place and detect when an untrusted program "encrypts" them. Even if you don't detect encryption, work with entropy identification for catching out when the entropy is increased a lot more from how it was prior to modification.

As well as this, a firewall component is good against some ransomware which will need to send the private key (transmission), and therefore a firewall component can be useful for identifying ransomware via network signatures; if the user blocks the connection on the alert since an unknown program is attempting to transmit data then the user blocking this activity may also save them - however not all ransomware is dependent on networking functionality (like the one used for the purposes of this thread), although it's still a good addition towards layered protection.

You can also make a folder protected via using a kernel-mode callback called FltRegisterFilter - this can help prevent ransomware from encrypting the files backed up to this folder. This is what AV software typically uses for self-protection mechanisms also (along with ObRegisterCallbacks and a callback for registry protection).

That being said, if the user makes a dumb decision with an alert then it's game over and if the product does not support blocking new service installations (sechost.dll!CreateServiceA/W, sechost.dll!StartServiceA/W or ZwLoadDriver/ZwSetSystemInformation which are two rootkit-implying alternatives for loading a device driver) then it's game over if the sample has administrative rights to obtain the SeLoadDriverPrivilege...

The reason Anti-Virus software would need to have at least most of their Behavior Blocker/HIPS components working from a user-mode level is due to the x86-x64 limitations; on x86 systems you can perform kernel-mode patching however on x64 you cannot do this without bypassing PatchGuard (which would be extremely risky and unethical); for more information read the section on PatchGuard/Kernel-Patch Protection on my recent thread: Windows built-in protection mechanisms (skip to Part 3).

With all of the above being said, nothing is foolproof... For example, a direct NTAPI system call (via setting up some memory and then using memcpy to copy across an array of bytes to use syscall for the target function prologue - e.g. RtlCreateUserProcess) will bypass user-mode hooks, so you'd need to watch memory manipulation very carefully.

To be really stealthy, depending on the OS edition, hooking functions like KiFastSystemCall, X86SwitchTo64BitMode (and potentially Wow64 functions like Wow64SystemServiceEx) can be really deadly towards malware, because they won't even know about it... I've never bumped into a malware sample which is capable of identifying when these functions are hooked, and from hooking these functions you can take over ring 3 API call execution, which traces back down to the NTAPI calls before syscall for kernel-mode execution. ;)

Hope this helped and stay safe,
Wave. ;)

Edit: added a small chunk of information regarding browser and rootkit protection.
 
Last edited by a moderator:
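Added example (not Wave's code, and not any product's): a user-mode model of the ransomware write-interception logic the post describes (drive enumeration scoring, planted bait files, entropy jump on modification). In a real product the "before" and "after" buffers would come from a mini-filter pre-write callback; here both are constructed in memory so it runs anywhere, and the score weights, thresholds and the bait path are assumptions for illustration only.

```c
/* Behaviour-blocker model: score a process's writes the way the post suggests.
 * Assumed weights/thresholds; the file contents below are constructed, not real. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* log2 without libm: integer exponent, then mantissa bits by repeated squaring. */
static double log2_nolibm(double x)
{
    int e = 0;
    double frac = 0.0, step = 0.5;
    while (x >= 2.0) { x /= 2.0; e++; }
    while (x < 1.0)  { x *= 2.0; e--; }
    for (int i = 0; i < 40; i++) {          /* x in [1,2): square, extract a bit */
        x *= x;
        if (x >= 2.0) { x /= 2.0; frac += step; }
        step /= 2.0;
    }
    return e + frac;
}

/* Shannon entropy in bits per byte: 0.0 for constant data, near 8.0 for ciphertext. */
double shannon_entropy(const uint8_t *buf, size_t len)
{
    size_t hist[256] = {0};
    double h = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) hist[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (hist[b] == 0) continue;
        double p = (double)hist[b] / (double)len;
        h -= p * log2_nolibm(p);
    }
    return h;
}

#define MAX_BAIT 8
typedef struct {
    const char *bait_paths[MAX_BAIT]; /* bait files the product planted (dynamic names) */
    size_t n_bait;
    int score;                        /* accumulated suspicion for this process */
} proc_state_t;

/* Assumed scoring: enumeration alone is weak evidence, a bait write is decisive. */
enum { SCORE_ENUM_DRIVES = 10, SCORE_ENTROPY_JUMP = 40, SCORE_BAIT_WRITE = 100, BLOCK_AT = 50 };
static const double ENTROPY_HIGH  = 7.0;  /* bits/byte: new content looks encrypted */
static const double ENTROPY_DELTA = 2.0;  /* rise over the original content */

void on_enumerate_drives(proc_state_t *ps) { ps->score += SCORE_ENUM_DRIVES; }

static int is_bait(const proc_state_t *ps, const char *path)
{
    for (size_t i = 0; i < ps->n_bait; i++)
        if (strcmp(ps->bait_paths[i], path) == 0) return 1;
    return 0;
}

/* The decision a mini-filter pre-write callback would make: 1 = block, 0 = allow. */
int on_pre_write(proc_state_t *ps, const char *path,
                 const uint8_t *old_data, size_t old_len,
                 const uint8_t *new_data, size_t new_len)
{
    if (is_bait(ps, path)) { ps->score += SCORE_BAIT_WRITE; return 1; }
    double h_old = shannon_entropy(old_data, old_len);
    double h_new = shannon_entropy(new_data, new_len);
    if (h_new >= ENTROPY_HIGH && h_new - h_old >= ENTROPY_DELTA)
        ps->score += SCORE_ENTROPY_JUMP;
    return ps->score >= BLOCK_AT;
}

/* Constructed "document" content. */
void fill_text(uint8_t *buf, size_t len)
{
    static const char s[] = "The quick brown fox jumps over the lazy dog. ";
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)s[i % (sizeof s - 1)];
}

/* xorshift32 stand-in for ciphertext: uniform-looking bytes, not real crypto. */
void fill_pseudo_random(uint8_t *buf, size_t len, uint32_t seed)
{
    uint32_t x = seed ? seed : 1u;
    for (size_t i = 0; i < len; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        buf[i] = (uint8_t)(x >> 24);
    }
}

/* Untrusted process walks the drives, then overwrites a document with ciphertext. */
int run_ransomware_scenario(proc_state_t *ps)
{
    uint8_t before[2048], after[2048];
    fill_text(before, sizeof before);
    fill_pseudo_random(after, sizeof after, 0x2F6E2B1Fu);
    on_enumerate_drives(ps);
    return on_pre_write(ps, "C:\\Users\\victim\\Documents\\report.docx",
                        before, sizeof before, after, sizeof after);
}

/* Benign edit: text replaced by slightly different text, no entropy jump. */
int run_benign_scenario(proc_state_t *ps)
{
    uint8_t before[2048], after[2048];
    fill_text(before, sizeof before);
    fill_text(after, sizeof after);
    after[0] = 'A';
    return on_pre_write(ps, "C:\\Users\\victim\\Documents\\notes.txt",
                        before, sizeof before, after, sizeof after);
}

int main(void)
{
    proc_state_t ps = { { "C:\\Users\\victim\\Documents\\zq81_invoice.pdf" }, 1, 0 };
    uint8_t bait[4] = {1, 2, 3, 4};
    printf("benign write blocked: %d (score %d)\n", run_benign_scenario(&ps), ps.score);
    printf("ransomware write blocked: %d (score %d)\n", run_ransomware_scenario(&ps), ps.score);
    printf("bait write blocked: %d\n", on_pre_write(&ps, ps.bait_paths[0], bait, 4, bait, 4));
    return 0;
}
```

The entropy check on its own would also fire on a legitimate archiver or an image converter, which is why it only adds to a score rather than blocking by itself; the bait-file write is the one signal that justifies an immediate block.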
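Added example (not from the post or any product): the check behind the browser-protection and anti-rootkit points above, namely telling whether a watched export such as HttpSendRequestA/W, SSL_Write or PR_Write has had its prologue replaced by a detour. A product would read the live bytes from the module in the target process and the clean bytes from the on-disk image after relocation; here both are constructed byte arrays so it runs anywhere. The detour patterns matched (JMP rel32, JMP indirect, PUSH/RET, MOV RAX/JMP RAX) and the sample prologue bytes are illustrative assumptions, not bytes from any real DLL.

```c
/* Inline-hook check for watched exports: compare against a clean copy, then
 * classify the stub. Prologue bytes below are constructed for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,      /* E9 rel32 */
    HOOK_JMP_INDIRECT,   /* FF 25 disp32: jmp [addr] on x86, jmp [rip+disp] on x64 */
    HOOK_PUSH_RET,       /* 68 imm32; C3 */
    HOOK_MOV_JMP_RAX,    /* 48 B8 imm64; FF E0 */
    HOOK_PATCHED_OTHER   /* differs from the clean image, no known stub shape */
} hook_kind_t;

/* Pattern-match the first bytes of a live function against common detour stubs.
 * On its own this can misfire (a clean function may legitimately start with E9),
 * so check_function() compares with the clean copy first. */
hook_kind_t classify_prologue(const uint8_t *p, size_t len)
{
    if (len >= 5 && p[0] == 0xE9) return HOOK_JMP_REL32;
    if (len >= 6 && p[0] == 0xFF && p[1] == 0x25) return HOOK_JMP_INDIRECT;
    if (len >= 6 && p[0] == 0x68 && p[5] == 0xC3) return HOOK_PUSH_RET;
    if (len >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0)
        return HOOK_MOV_JMP_RAX;
    return HOOK_NONE;
}

/* Byte comparison catches any patch; the pattern says what kind it is. */
hook_kind_t check_function(const uint8_t *clean, const uint8_t *live, size_t n)
{
    if (memcmp(clean, live, n) == 0) return HOOK_NONE;
    hook_kind_t k = classify_prologue(live, n);
    return k == HOOK_NONE ? HOOK_PATCHED_OTHER : k;
}

/* Resolve a JMP rel32 placed at func_addr: the target module tells you whether
 * the hook is the product's own (whitelisted) or a form-grabber's. */
uint64_t jmp_rel32_target(uint64_t func_addr, const uint8_t *p)
{
    int32_t rel;
    memcpy(&rel, p + 1, sizeof rel);            /* little-endian displacement */
    return func_addr + 5 + (uint64_t)(int64_t)rel;
}

typedef struct { const char *name; const uint8_t *clean; const uint8_t *live; } watched_fn_t;

/* Scan a table of watched exports; fills out[] and returns how many are detoured. */
size_t scan_watched(const watched_fn_t *fns, size_t n, size_t prologue_len, hook_kind_t *out)
{
    size_t hooked = 0;
    for (size_t i = 0; i < n; i++) {
        out[i] = check_function(fns[i].clean, fns[i].live, prologue_len);
        if (out[i] != HOOK_NONE) hooked++;
    }
    return hooked;
}

/* Constructed prologues: the hot-patchable Win32 shape mov edi,edi; push ebp; mov ebp,esp
 * followed by filler, and two detoured versions with the first bytes overwritten. */
static const uint8_t CLEAN_PROLOGUE[12] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10,0x56,0x57,0x33,0xC0};
static const uint8_t HOOKED_JMP[12]     = {0xE9,0x00,0x10,0x00,0x00,0x83,0xEC,0x10,0x56,0x57,0x33,0xC0};
static const uint8_t HOOKED_PUSHRET[12] = {0x68,0x78,0x56,0x34,0x12,0xC3,0xEC,0x10,0x56,0x57,0x33,0xC0};

int main(void)
{
    const watched_fn_t fns[] = {
        { "HttpSendRequestA", CLEAN_PROLOGUE, HOOKED_JMP },
        { "SSL_Write",        CLEAN_PROLOGUE, CLEAN_PROLOGUE },
        { "PR_Write",         CLEAN_PROLOGUE, HOOKED_PUSHRET },
    };
    hook_kind_t kinds[3];
    size_t hooked = scan_watched(fns, 3, sizeof CLEAN_PROLOGUE, kinds);
    for (size_t i = 0; i < 3; i++)
        printf("%-17s kind=%d\n", fns[i].name, (int)kinds[i]);
    printf("%zu of 3 watched exports detoured; HttpSendRequestA jmp -> 0x%llx\n",
           hooked, (unsigned long long)jmp_rel32_target(0x77A01230u, HOOKED_JMP));
    return 0;
}
```

A scan like this only sees inline detours in the process being checked; an IAT/EAT hook or a hook placed below the API (the KiFastSystemCall-level hooking the post ends with) needs the comparison done at those tables or stubs instead.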