Avira has a signature for it. It's all over on this one.
Self-made ransomware VS antivirus products
- Thread starter SKG2016
- Start date
Sure, but without signature you're wasted, if HIPS / BB or whatever are not able to stop it.
As you correctly noted, "This sample and the test results are a perfect demonstration that at some point all detection\behavioral modules will fail."
P.S. AFAIK, many samples are just altered slightly to make them undetected again, recycling at it's best.
I meant if Avira has a signature for the specific file, then due to the AV practice of signature copying, probably most others will have one within hours.
Sorry, misunderstoodProbably yes
Some vendors copy as standard practice. Others don't.
- Jan 4, 2016
- 1,022
I noticed a new member published a new ransomware in the hub, coded by him. That can be used to reproduce this kind of test by the hub testers
Yes but he wasn't meant to post in the hub - he is a new member.
- Dec 19, 2016
- 42
here the sample
http://att.kafan.cn/forum.php?mod=attachment&aid=Mjg1MDA5N3w5ZDk5ZGQ3NXwxNDgyNjY0MzgzfDB8MjA2OTU5OA==
here the Passwort: MyRansomware
here Emsisoft Reaction
Ty for the sample but anyways there is no point testing it now because it is purely signature based since the ransomware is out for a while. You can try disable file antivirus and real time protection off and see if the proactive engine can recognise the behaviour of the ransomeware.
- Dec 19, 2016
- 42
The purpose of this thread is not to urge AV companies to develop an ultimate solution based on BB but to expose a great weakness of it. This ransomware is programmed by an amateur IT enthusiast who only has intermediate knowledge to coding. As mentioned there is no advanced code injection in the executable.
At least against brand new threats like this, complete HIPS control + whitelisting is the only way to protect our files from being encrypted. Although there cannot be perfect solution, this is the most we can do.
At least against brand new threats like this, complete HIPS control + whitelisting is the only way to protect our files from being encrypted. Although there cannot be perfect solution, this is the most we can do.
- Jan 4, 2016
- 1,022
Kaspersky has a similar module to Bitdefender for ransomware protection. Was it enabled in the test?
- Jul 1, 2014
- 298
SKG2016 write "Unfortunately I do not have the sample as that tester does not want to spread the ransomware but here is the file info from VirusTotal as per 25/12/2016 "[/QUOTE][/SIZE] That's not true on the Posting URL="[URL="https://malwaretips.com/threads/self-made-ransomware-vs-antivirus-products.66903/ said:
Last edited:
- Mar 13, 2016
- 1,298
@SKG2016, Apogize, English is not my first language, so could you please help me understand your posts?
1. Are you talking about two different persons or is his/her status changed from specialist to amateur or is the person you are referring to a specialist in virus testing and an amateur in malware coding?
2. Next thing I don not understand is when I surf to the link you provided, I see a table with names of Antivirus products and English text. Later on I again see names of Antivirus with failed and success. Are those reported fails and successes the test against one anti-ransomware sample travelling back in time or are those reported failed/success from different samples?
Thanks
1. Are you talking about two different persons or is his/her status changed from specialist to amateur or is the person you are referring to a specialist in virus testing and an amateur in malware coding?
SKG2016 post1 said:
SKG2016 post29 said:
2. Next thing I don not understand is when I surf to the link you provided, I see a table with names of Antivirus products and English text. Later on I again see names of Antivirus with failed and success. Are those reported fails and successes the test against one anti-ransomware sample travelling back in time or are those reported failed/success from different samples?
Thanks
Last edited:
- Jul 22, 2014
- 2,525
Unfortunately I'm out of town and cannot test it with Emsi.
If you have time, can you pls execute it again with file detection disabled in Emsisoft? Thank you
If you have time, can you pls execute it again with file detection disabled in Emsisoft? Thank you
Probably it would be difficult to interpret the C++ code of this sample but it is quite reasonable to think that the ramsomware may inject the code, unlike what you are referring to.
By analyzing the PE imports from VT it seems that this sample injects code into the address space of another process.
Indeed, it seems to allocate space in the remote target process (VirtualAlloc), then writing the function to the allocated space in the process heap (HeapReAlloc) and the creation of a new thread for the process and placing the function in its stack (CreateThread).
Lastly, free the allocated space used to execute the code (VirtualFree).
PE imports:
By analyzing the PE imports from VT it seems that this sample injects code into the address space of another process.
Indeed, it seems to allocate space in the remote target process (VirtualAlloc), then writing the function to the allocated space in the process heap (HeapReAlloc) and the creation of a new thread for the process and placing the function in its stack (CreateThread).
Lastly, free the allocated space used to execute the code (VirtualFree).
PE imports:
GetStdHandle
GetDriveTypeW
FileTimeToSystemTime
SetEndOfFile
EncodePointer
CreateTimerQueue
Method systemtimetotzspecificlocaltime
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
UnhandledExceptionFilter
GetFileInformationByHandle
InitializeSListHead
InterlockedPopEntrySList
GetLocaleInfoW
SetStdHandle
GetCPInfo
WriteFile
GetSystemTimeAsFileTime
GetThreadTimes
HeapReAlloc
GetStringTypeW
FreeLibrary
GetThreadPriority
FreeLibraryAndExitThread
GetTimeZoneInformation
OutputDebugStringW
FindClose
TlsGetValue
GetFullPathNameW
SignalObjectAndWait
InterlockedPushEntrySList
SetLastError
PeekNamedPipe
GetModuleFileNameW
IsDebuggerPresent
ExitProcess
QueryPerformanceFrequency
SetThreadPriority
EnumSystemLocalesW
LoadLibraryExW
MultiByteToWideChar
SetFilePointerEx
DeleteTimerQueueTimer
RegisterWaitForSingleObject
CreateThread
InterlockedFlushSList
CreateSemaphoreW
IsProcessorFeaturePresent
DecodePointer
SetEnvironmentVariableA
TerminateProcess
SetUnhandledExceptionFilter
GetModuleHandleExW
ChangeTimerQueueTimer
ReadConsoleW
GetCurrentThreadId
WriteConsoleW
AreFileApisANSI
Initializecriticalsectionandspincount function
HeapFree
EnterCriticalSection
LoadLibraryW
GetVersionExW
SetEvent
QueryPerformanceCounter
GetTickCount
TlsAlloc
VirtualProtect
FlushFileBuffers
RtlUnwind
GetDateFormatW
GetStartupInfoW
DeleteFileW
GetProcAddress
GetProcessHeap
QueryDepthSList
GetTimeFormatW
FreeEnvironmentStringsW
FindNextFileW
CreateTimerQueueTimer
FindFirstFileW
IsValidLocale
DuplicateHandle
FindFirstFileExW
GetUserDefaultLCID
GetProcessAffinityMask
CreateEventW
CreateFileW
Either the getfiletype
TlsSetValue
HeapAlloc
LeaveCriticalSection
GetLastError
IsValidCodePage
LCMapStringW
GetConsoleCP
UnregisterWaitEx
CompareStringW
GetEnvironmentStringsW
WaitForSingleObjectEx
SwitchToThread
UnregisterWait
GetCurrentProcessId
GetCommandLineW
WideCharToMultiByte
HeapSize
SetThreadAffinityMask
GetCurrentThread
RaiseException
ReleaseSemaphore
TlsFree
GetModuleHandleA
ReadFile
CloseHandle
GetACP
GetModuleHandleW
FileTimeToLocalFileTime
GetLogicalProcessorInformation
GetNumaHighestNodeNumber
GetCurrentDirectoryW
VirtualFree
Sleep
VirtualAlloc
GetOEMCP
GetDriveTypeW
FileTimeToSystemTime
SetEndOfFile
EncodePointer
CreateTimerQueue
Method systemtimetotzspecificlocaltime
DeleteCriticalSection
GetCurrentProcess
GetConsoleMode
UnhandledExceptionFilter
GetFileInformationByHandle
InitializeSListHead
InterlockedPopEntrySList
GetLocaleInfoW
SetStdHandle
GetCPInfo
WriteFile
GetSystemTimeAsFileTime
GetThreadTimes
HeapReAlloc
GetStringTypeW
FreeLibrary
GetThreadPriority
FreeLibraryAndExitThread
GetTimeZoneInformation
OutputDebugStringW
FindClose
TlsGetValue
GetFullPathNameW
SignalObjectAndWait
InterlockedPushEntrySList
SetLastError
PeekNamedPipe
GetModuleFileNameW
IsDebuggerPresent
ExitProcess
QueryPerformanceFrequency
SetThreadPriority
EnumSystemLocalesW
LoadLibraryExW
MultiByteToWideChar
SetFilePointerEx
DeleteTimerQueueTimer
RegisterWaitForSingleObject
CreateThread
InterlockedFlushSList
CreateSemaphoreW
IsProcessorFeaturePresent
DecodePointer
SetEnvironmentVariableA
TerminateProcess
SetUnhandledExceptionFilter
GetModuleHandleExW
ChangeTimerQueueTimer
ReadConsoleW
GetCurrentThreadId
WriteConsoleW
AreFileApisANSI
Initializecriticalsectionandspincount function
HeapFree
EnterCriticalSection
LoadLibraryW
GetVersionExW
SetEvent
QueryPerformanceCounter
GetTickCount
TlsAlloc
VirtualProtect
FlushFileBuffers
RtlUnwind
GetDateFormatW
GetStartupInfoW
DeleteFileW
GetProcAddress
GetProcessHeap
QueryDepthSList
GetTimeFormatW
FreeEnvironmentStringsW
FindNextFileW
CreateTimerQueueTimer
FindFirstFileW
IsValidLocale
DuplicateHandle
FindFirstFileExW
GetUserDefaultLCID
GetProcessAffinityMask
CreateEventW
CreateFileW
Either the getfiletype
TlsSetValue
HeapAlloc
LeaveCriticalSection
GetLastError
IsValidCodePage
LCMapStringW
GetConsoleCP
UnregisterWaitEx
CompareStringW
GetEnvironmentStringsW
WaitForSingleObjectEx
SwitchToThread
UnregisterWait
GetCurrentProcessId
GetCommandLineW
WideCharToMultiByte
HeapSize
SetThreadAffinityMask
GetCurrentThread
RaiseException
ReleaseSemaphore
TlsFree
GetModuleHandleA
ReadFile
CloseHandle
GetACP
GetModuleHandleW
FileTimeToLocalFileTime
GetLogicalProcessorInformation
GetNumaHighestNodeNumber
GetCurrentDirectoryW
VirtualFree
Sleep
VirtualAlloc
GetOEMCP
here the sample
http://att.kafan.cn/forum.php?mod=attachment&aid=Mjg1MDA5N3w5ZDk5ZGQ3NXwxNDgyNjY0MzgzfDB8MjA2OTU5OA==
here the Passwort: MyRansomware
here Emsisoft Reaction
This is signature\file reputation detection of myransomware.exe.
File Guard and file reputation lookup under Privacy settings must both be disabled for true behavior blocker only test.
Here are some quick details from my analysis of the sample (reversing):
When the sample is executed it will use the string "RSA_Priv_key.enc" (for whatever purpose). Afterwards, it will call the function SHGetFolderPathW (exported by Shell32.dll - Win32 API); it calls this function for a second time later on. Later on, it will do some string comparisons for "C:\\Users\\asus\\Documents\\visual studio 2013\\Projects\\MyRansomware\\TestFile\\" (therefore I assume the developer of this sample had his user account name as "asus"), and then it will start a Do loop.
Once the encryption pay load has been successfully executed (it will utilize "RSA_Priv_key.enc" and "EncryptedKey.encskip") it will use the following string: " Your files have been encrypted. For decryption, please pay 0.1 bitcoint to the account 13P2J5ButQVJHxmQdrwqRepDai4"
"gQ2G9HY.Then you should send the payment proof along with the file 'EncryptedKey.encskip' on your desktop to mail"
": myransomware@yandex.com.The decryption tool and instructions will be sent to you after the payment.".
The mentioned string above will be placed into a text file called "Recover Your Files! Readme.txt", on the disk.
The sample uses the CryptoAPI for encryption.
The PE exports are listed below:
You can use IDA Pro for disassembly.
It is actually not that sophisticated sample in terms of effectiveness, but I am not a "master" at reverse engineering ransomware... These are just some quick details from my non-sober analysis, so hopefully it is still useful. Maybe I will come back to this another day when I am in a more "right mind".
Thanks for reading.
When the sample is executed it will use the string "RSA_Priv_key.enc" (for whatever purpose). Afterwards, it will call the function SHGetFolderPathW (exported by Shell32.dll - Win32 API); it calls this function for a second time later on. Later on, it will do some string comparisons for "C:\\Users\\asus\\Documents\\visual studio 2013\\Projects\\MyRansomware\\TestFile\\" (therefore I assume the developer of this sample had his user account name as "asus"), and then it will start a Do loop.
Once the encryption pay load has been successfully executed (it will utilize "RSA_Priv_key.enc" and "EncryptedKey.encskip") it will use the following string: " Your files have been encrypted. For decryption, please pay 0.1 bitcoint to the account 13P2J5ButQVJHxmQdrwqRepDai4"
"gQ2G9HY.Then you should send the payment proof along with the file 'EncryptedKey.encskip' on your desktop to mail"
": myransomware@yandex.com.The decryption tool and instructions will be sent to you after the payment.".
The mentioned string above will be placed into a text file called "Recover Your Files! Readme.txt", on the disk.
The sample uses the CryptoAPI for encryption.
The PE exports are listed below:
Code:
Address Ordinal Name Library
------- ------- ---- -------
00499000 CryptReleaseContext ADVAPI32
00499004 CryptAcquireContextA ADVAPI32
00499008 CryptGenRandom ADVAPI32
00499010 FindClose KERNEL32
00499014 FindNextFileW KERNEL32
00499018 SetLastError KERNEL32
0049901C GetLastError KERNEL32
00499020 QueryPerformanceFrequency KERNEL32
00499024 GetCurrentThread KERNEL32
00499028 GetThreadTimes KERNEL32
0049902C GetModuleFileNameW KERNEL32
00499030 Sleep KERNEL32
00499034 QueryPerformanceCounter KERNEL32
00499038 FindFirstFileW KERNEL32
0049903C SetEnvironmentVariableA KERNEL32
00499040 WideCharToMultiByte KERNEL32
00499044 GetCurrentThreadId KERNEL32
00499048 MultiByteToWideChar KERNEL32
0049904C GetStringTypeW KERNEL32
00499050 EncodePointer KERNEL32
00499054 DecodePointer KERNEL32
00499058 EnterCriticalSection KERNEL32
0049905C LeaveCriticalSection KERNEL32
00499060 DeleteCriticalSection KERNEL32
00499064 GetSystemTimeAsFileTime KERNEL32
00499068 HeapFree KERNEL32
0049906C HeapAlloc KERNEL32
00499070 FindFirstFileExW KERNEL32
00499074 GetDriveTypeW KERNEL32
00499078 SystemTimeToTzSpecificLocalTime KERNEL32
0049907C FileTimeToSystemTime KERNEL32
00499080 DeleteFileW KERNEL32
00499084 GetCPInfo KERNEL32
00499088 IsDebuggerPresent KERNEL32
0049908C IsProcessorFeaturePresent KERNEL32
00499090 ExitProcess KERNEL32
00499094 GetModuleHandleExW KERNEL32
00499098 GetProcAddress KERNEL32
0049909C AreFileApisANSI KERNEL32
004990A0 GetCommandLineW KERNEL32
004990A4 RaiseException KERNEL32
004990A8 RtlUnwind KERNEL32
004990AC CreateTimerQueue KERNEL32
004990B0 CloseHandle KERNEL32
004990B4 SetEvent KERNEL32
004990B8 WaitForSingleObjectEx KERNEL32
004990BC SignalObjectAndWait KERNEL32
004990C0 GetCurrentProcess KERNEL32
004990C4 SwitchToThread KERNEL32
004990C8 CreateThread KERNEL32
004990CC SetThreadPriority KERNEL32
004990D0 GetThreadPriority KERNEL32
004990D4 TlsAlloc KERNEL32
004990D8 TlsGetValue KERNEL32
004990DC TlsSetValue KERNEL32
004990E0 TlsFree KERNEL32
004990E4 GetLogicalProcessorInformation KERNEL32
004990E8 CreateTimerQueueTimer KERNEL32
004990EC ChangeTimerQueueTimer KERNEL32
004990F0 DeleteTimerQueueTimer KERNEL32
004990F4 GetModuleHandleW KERNEL32
004990F8 GetNumaHighestNodeNumber KERNEL32
004990FC GetProcessAffinityMask KERNEL32
00499100 SetThreadAffinityMask KERNEL32
00499104 RegisterWaitForSingleObject KERNEL32
00499108 UnregisterWait KERNEL32
0049910C UnhandledExceptionFilter KERNEL32
00499110 SetUnhandledExceptionFilter KERNEL32
00499114 InitializeCriticalSectionAndSpinCount KERNEL32
00499118 CreateEventW KERNEL32
0049911C TerminateProcess KERNEL32
00499120 GetStartupInfoW KERNEL32
00499124 GetTickCount KERNEL32
00499128 CreateSemaphoreW KERNEL32
0049912C GetDateFormatW KERNEL32
00499130 GetTimeFormatW KERNEL32
00499134 CompareStringW KERNEL32
00499138 LCMapStringW KERNEL32
0049913C GetLocaleInfoW KERNEL32
00499140 IsValidLocale KERNEL32
00499144 GetUserDefaultLCID KERNEL32
00499148 EnumSystemLocalesW KERNEL32
0049914C GetStdHandle KERNEL32
00499150 GetFileType KERNEL32
00499154 GetProcessHeap KERNEL32
00499158 WriteFile KERNEL32
0049915C ReadFile KERNEL32
00499160 SetFilePointerEx KERNEL32
00499164 FlushFileBuffers KERNEL32
00499168 GetConsoleCP KERNEL32
0049916C GetConsoleMode KERNEL32
00499170 FileTimeToLocalFileTime KERNEL32
00499174 GetFileInformationByHandle KERNEL32
00499178 PeekNamedPipe KERNEL32
0049917C GetFullPathNameW KERNEL32
00499180 GetCurrentDirectoryW KERNEL32
00499184 CreateFileW KERNEL32
00499188 HeapSize KERNEL32
0049918C FreeLibrary KERNEL32
00499190 LoadLibraryExW KERNEL32
00499194 IsValidCodePage KERNEL32
00499198 GetACP KERNEL32
0049919C GetOEMCP KERNEL32
004991A0 GetCurrentProcessId KERNEL32
004991A4 GetEnvironmentStringsW KERNEL32
004991A8 FreeEnvironmentStringsW KERNEL32
004991AC HeapReAlloc KERNEL32
004991B0 OutputDebugStringW KERNEL32
004991B4 FreeLibraryAndExitThread KERNEL32
004991B8 GetModuleHandleA KERNEL32
004991BC GetVersionExW KERNEL32
004991C0 VirtualAlloc KERNEL32
004991C4 VirtualFree KERNEL32
004991C8 VirtualProtect KERNEL32
004991CC DuplicateHandle KERNEL32
004991D0 ReleaseSemaphore KERNEL32
004991D4 InitializeSListHead KERNEL32
004991D8 InterlockedPopEntrySList KERNEL32
004991DC InterlockedPushEntrySList KERNEL32
004991E0 InterlockedFlushSList KERNEL32
004991E4 QueryDepthSList KERNEL32
004991E8 UnregisterWaitEx KERNEL32
004991EC GetTimeZoneInformation KERNEL32
004991F0 ReadConsoleW KERNEL32
004991F4 SetStdHandle KERNEL32
004991F8 WriteConsoleW KERNEL32
004991FC SetEndOfFile KERNEL32
00499200 LoadLibraryW KERNEL32
00499208 SHGetFolderPathW SHELL32You can use IDA Pro for disassembly.
It is actually not that sophisticated sample in terms of effectiveness, but I am not a "master" at reverse engineering ransomware... These are just some quick details from my non-sober analysis, so hopefully it is still useful. Maybe I will come back to this another day when I am in a more "right mind".
Thanks for reading.
- Dec 19, 2016
- 42
Thanks for the reply.
1.I do not personally know that poster but I would reckon that his specialist is in analysing virus behaviour in a system by monitoring the code injection, damage done network activities in the system but no coding a specific virus. Virus testing is a very broad subject and consists of numerous different areas, at the same time there are also a lot of computer language coding a program.(Anyways the author in any aspect is more professional than me, I am a complete rookie and the entire thread is quoting his based on my best comprehension) So I do not think those two words conflict each other.
2. Same time and same sample but with settings tweaked in AV products. My quotes in this thread is only an objective summary of his post and include some subjective opinion of mine when it comes to conclusion. We reported results in a slightly different format but I did not change any result. If you wish you can use the crappy Google Translate to attempt reading the original post but good luck when understanding it
- Dec 19, 2016
- 42
Any pros in this forum would do a detailed analysis of this sample and feedback to some major AV companies to help them improve their BB module?
- Dec 19, 2016
- 42
If you would have read the post carefully, I did mention initially Kaspersky was tested at default and failed and then some settings were tweaked:
Yep indeed that setting change worked like a charm, but novice user will struggle to perform such medium level modification to an AV product.
They can improve their Behavior Blocker with many techniques (or create one), not just aimed towards ransomware.
Firstly, they need to get code execution running within the address space of the target process to monitor; they can do this by creating their own thread within the process remotely so they can use this thread for their own code execution - DLL injection works fine for security software since it doesn't need to be concealed like a rootkit, and even then they can use manual mapping injection so the DLL is not linked with the PEB module list (thus it won't show as a loaded module within the monitored process which is a bit more stealthy and a better technique if you are injecting early on the process start-up).
Secondly, they will need to either write a hooking engine (a basic one which supports a trampoline will do just fine) or use an existing hooking engine which they have permission to use (e.g. MS Detours is great for an enterprise company which has money since the Express version only supports x86 processes which is not good enough for a security product of course...).
Thirdly, they will need to utilize the hooking engine to detour a bunch of APIs - they do not need to show an alert upon the callback of all the functions listed below, but monitor the API usage... Through the API logging they can identify specific behavior patterns such as dynamic forking/RunPE attempts, DLL injection, attempts to install a device driver, attempts to add to start-up, etc. When necessary, they can work with IPC (Inter-Process Communication) and then suspend the program which is being blocked, and then resume it after the GUI has sent back a response (which when gets picked back up by the suspended process which has now been resumed - you cannot "suspend" a process really, you just suspend the threads within the process either by enumerating through all the threads and calling SuspendThread or just by calling ZwSuspendProcess (and of course passing through a handle to the process being monitored, however if you suspend the process running from within it's code execution directly you can pass (HANDLE)-1 or (HANDLE)0 as the HANDLE parameter which will work fine).
Here is a list of APIs which would be useful to monitor usage of:
- ZwTerminateProcess
- ZwOpenProcess
- ZwSuspendProcess
- ZwAllocateVirtualMemory
- ZwWriteVirtualMemory
- ZwUnmapViewOfSection
- ZwTerminateThread
- ZwSuspendThread
- ZwOpenThread
- ZwCreateThread/Ex
- RtlCreateUserThread (NTAPI equivalent of the famous CreateRemoteThread function)
- ZwLoadDriver
- ZwUnloadDriver
- ZwSetSystemInformation
- ZwCreateFile
- ZwWriteFile
- ZwCreateKey
- ZwDeleteKey
- ZwSetValueKey
- ZwDeleteValueKey
- ZwRaiseHardError
- ZwShutdownSystem
- RtlSetProcessIsCritical / NtSetInformationProcess
- RtlAdjustPrivilege
- LdrLoadDll
- NtCreateUserProcess (only from Vista and on-wards, for XP support you hook RtlCreateUserProcess which is best for native program execution anyway)
- CreateService/StartService (both A/W routines of course)
- SetWindowsHookEx (both A/W routines of course)
- SetWinEventHook
As opposed to detouring NtCreateUserProcess or RtlCreateUserProcess for process execution monitoring they can use a device driver with the kernel-mode callback PsSetCreateProcessNotifyRoutine/Ex for monitoring process execution - when process execution has been detected via the callback being invoked they can perform injection into the newly starting-up process.
As opposed to detouring NTAPI functions for registry operations they can use a device driver with the kernel-mode callback CmRegisterCallbackEx (old version is without the Ex prefix), it allows you to get notifications for registry modifications.
As opposed to detouring NTAPI functions for I/O operations they can use a file-system mini-filter device driver which is much more efficient in terms of performance for detection of file modification attempts; this can be used for protection against the Master Boot Record, Windows Hosts file, system files, etc. It can also be utilized for real-time scanning for when a file is accessed, written to, etc.
They can work on browser protection by identifying when specific function within APIs used by the browser have been detoured (HttpSendRequestA/W, SSL_Write, PR_Write) which are used by form-grabbers.
They can work on anti-rootkit protection by scanning for kernel-mode patching on x86 systems (SSDT hooking and Direct Kernel Object Manipulation) and then repairing these modifications in the Windows Kernel. They can also scan for processes in kernel-mode and then compare to a list of enumerated processes from user-mode to pick out "hidden processes".
In terms of ransomware protection specifically, you can attempt to monitor usage of the CryptoAPI however this is not the best method since not all ransomware will use the CryptoAPI (therefore it's not as reliable as alternative methods) and monitoring usage of other encryption APIs can be a bit difficult due to them maybe being linked via static methods (as opposed to being exported by an external library and being dynamically linked). Therefore, a better alternative method would be using a device driver to monitor the file modification attempts (mini-filter) and then using this to identify encryption on files through a custom algorithm, and then intercepting/auto-blocking once encryption behavior has been matched to the running program.
As an addition to the above, you can identify when a program is attempting to enumerate the drives on the system (or the files on the drives) and you can work with a scoring system and increment it with this behavior, or just store this information for future reference - for additional stealth, place a few bait files with dynamic file-names around the place and detect when an untrusted program "encrypts" them, even if you don't detect encryption, work with entropy identification for catching out when the entropy is increased a lot more from how it was prior to modification.
As well as this, a firewall component is good against some ransomware which will need to send the private key (transmission), and therefore a firewall component can be useful for identifying ransomware via network signatures; if the user blocks the connection on the alert since an unknown program is attempting to transmit data then the user blocking this activity may also save them - however not all ransomware is dependent on networking functionality (like the one used for the purposes of this thread), although it's still a good addition towards layered protection.
You can also make a folder protected via using a kernel-mode callback called FltRegisterFilter - this can help prevent ransomware from encrypting the files backed up to this folder. This is what AV software typically uses for self-protection mechanisms also (along with ObRegisterCallbacks and a callback for registry protection).
That being said, if the user makes a dumb decision with an alert then it's game over and if the product does not support blocking new service installations (sechost.dll!CreateServiceA/W, sechost.dll!StartServiceA/W or ZwLoadDriver/ZwSetSystemInformation which are two rootkit-implying alternatives for loading a device driver) then it's game over if the sample has administrative rights to obtain the SeLoadDriverPrivilege...
The reason Anti-Virus software would need to have at least most of their Behavior Blocker/HIPS components working from a user-mode level is due to the x86-x64 limitations; on x86 systems you can perform kernel-mode patching however on x64 you cannot do this without bypassing PatchGuard (which would be extremely risky and unethical); for more information read the section on PatchGuard/Kernel-Patch Protection on my recent thread: Windows built-in protection mechanisms (skip to Part 3).
With all of the above being said, nothing is full-proof... For example, a direct NTAPI system call (via setting up some memory and then using memcpy to copy across an array of bytes to use syscall for the target function prologue - e.g. RtlCreateUserProcess) will bypass user-mode hooks, so you'd need to watch memory manipulation very carefully.
To be really stealth, depending on the OS edition, hooking functions like KiFastSystemCall, X86SwitchTo64BitMode (and potentially Wow64 functions like Wow64SystemServiceEx) can be really deadly towards malware, because they won't even know about it... I've never bumped into a malware sample which is capable of identifying when these functions are hooked, and from hooking these functions you can take over ring 3 API call execution which is tracing back down to the NTAPI calls before syscall for kernel-mode execution.
Hope this helped and stay safe,
Wave.
Edit: added a small chunk of information regarding browser and rootkit protection.
Last edited by a moderator:
Similar threads
