Wave

Would any pros in this forum do a detailed analysis of this sample and give feedback to some major AV companies to help them improve their BB module?
A detailed analysis isn't really necessary; it's not actually a "sophisticated" sample like the article makes out. A lot of security products are just dumb and have unbalanced protection mechanisms, therefore focus more on static identification methods (e.g. checksum signatures, static heuristics), and therefore will fail against unknown threats. Even if they had had a generic detection for the sample, with some packing mechanisms that would become a missed detection.

We can already see the APIs used; the sample doesn't even use the NTAPI itself, but the normal Win32 functions, which of course end up leading down to the NTAPI functions - it is just common malware. Regardless of the "virus behavior" which was customised for the thread by the author to reduce the chances of detection, it won't stop the products from monitoring the behavior... So if the products did it properly then they would detect it regardless of all the mechanisms used, with dynamic methods. :)

However, I think I am making it sound like it's "easy" to develop this sort of protection functionality... It's not; it's hard work and takes a lot of time (e.g. testing), and needs to be done very carefully since it's very fragile throughout development.
 

Xtwillight

Level 6
Malware Tester
Excuse me, my English is not so good.


  • At that time the sample was inserted with the link on the website.
    A self-made ransomware should not be uploaded to VirusTotal for the test,
    so that users can test it themselves with their AV/IS and so on.

  • SKG2016 wrote: Ty for the sample but anyway there is no point testing it now because it is purely signature based, since the ransomware has been out for a while. You can try disabling file antivirus and real-time protection and see if the proactive engine can recognise the behaviour of the ransomware.
  • At the time when I downloaded the test file,
    it was already known.
    And my EMSI responded immediately when the download was finished.

  • Because the file was already known,
    I also saw no need to perform testing with HIPS or behaviour software.

  • For me, this is only interesting if the file is totally unknown.
    Wave has shown well what he looks at and documented it :)
 

SKG2016

Level 1
Yeh, I believe there is no point testing it anymore as the file is leaked, but the point is to show how vulnerable your files could be without HIPS, even with the best AVs in the world installed :)
 
Wave

For me, this is only interesting if the file is totally unknown.
Wave has shown well what he looks at and documented it :)
I agree that it's a bit useless if the sample is already known, because we are using layered protection, so if the vendor has a signature for the sample then it's not a miss, even if the behavioral components alone fail.

Thank you! :)

Yeh, I believe there is no point testing it anymore as the file is leaked, but the point is to show how vulnerable your files could be without HIPS, even with the best AVs in the world installed :)
Well, with HIPS you are still in danger because of yourself; if you make the wrong decision on an alert then the infection won't be prevented, or at least the further actions following what has already happened on the system may or may not continue - it depends on whether you Quarantine, Block action, etc. (since blocking an action won't prevent the sample from doing other things if it's still executing in memory).

Regarding dynamic heuristics, it's more useful if the false positives are low and if it auto-blocks, thus reducing the chances of a user ignoring the security product. This is why security software mainly prefers to auto-quarantine, not just because it's easier to do it without asking the user: there are many people out there who will aimlessly click Allow, but if it's auto-blocked then they need to go through the settings (do more) to let the program run, so more people think "Well, the security blocked it so it must be unsafe, I won't bother now".

If you want to test the dynamic protection of the security software, assuming you can, just disable the component for the real-time file system scanner - this is the component that works with the checksum hash and static heuristic detection mechanisms (e.g. HEX byte detection for generic detection, scanning of the IAT/EAT and PE file header with a scoring system, entropy levels, etc.). If the file system real-time scanning is disabled then just make sure that the Host Intrusion Prevention System/Behavior Blocker (or whatever the behavioral component for the product you are using is called) is enabled; bear in mind that not all security products have individual components like this... Emsisoft have the Behavior Blocker and ESET have the HIPS.

It really depends on how the product works.
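To make the static side of that description concrete, here is an added example (written for this page, not code from Wave, Emsisoft, ESET or any vendor) of the kind of PE "scoring system" a real-time file scanner runs before a file ever executes: per-section entropy, section flags, and a lookup of the imported API names. The PE layout follows the published PE/COFF format; the weights, the suspicious import sets, the section names and both test images are constructed for illustration. The import list is passed in as a set rather than parsed from the import directory, to keep the block short.

```python
import hashlib
import math
import struct
from collections import Counter

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Import combinations the scorer weights. Illustrative only, not any vendor's list.
SUSPICIOUS_IMPORT_SETS = {
    "remote-thread injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "file encryption loop": {"FindFirstFileW", "FindNextFileW", "CryptEncrypt", "MoveFileW"},
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def parse_sections(image: bytes):
    """Walk DOS header -> NT headers -> section table; return (name, characteristics, raw bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt             # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                 # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append((name, chars, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def score_image(image: bytes, imports):
    """Return (score, reasons); higher is more suspicious. Weights are made up for the example."""
    score, reasons = 0, []
    for name, chars, raw in parse_sections(image):
        ent = shannon_entropy(raw)
        if ent > 7.0:                        # near-uniform bytes: packed or encrypted payload
            score += 3
            reasons.append(f"{name}: entropy {ent:.2f}, looks packed or encrypted")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            score += 2                       # unpacking stubs write code and then run it
            reasons.append(f"{name}: writable and executable")
    imports = set(imports)
    for label, apis in SUSPICIOUS_IMPORT_SETS.items():
        if apis <= imports:
            score += 4
            reasons.append(f"imports the full {label} set")
    if len(imports) <= 2 and {"LoadLibraryA", "GetProcAddress"} <= imports:
        score += 3                           # packer stub: everything resolved at runtime
        reasons.append("tiny import table, APIs resolved at runtime")
    return score, reasons


def build_pe(sections):
    """Assemble a minimal PE32 image from (name, characteristics, data) tuples; only the
    fields parse_sections() reads are filled in, the rest stays zero."""
    size_opt = 224                           # PE32 optional header size
    header_len = 0x40 + 4 + 20 + size_opt + 40 * len(sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    table, blobs, ptr = bytearray(), bytearray(), header_len
    for name, chars, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, chars)
        blobs += data
        ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table) + bytes(blobs)


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for a packed section (SHA-256 chain)."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed inputs: a plain image with ordinary file I/O imports, and a UPX-style packed one.
BENIGN_IMAGE = build_pe([(".text", 0x60000020, b"\x90" * 2048), (".data", 0xC0000040, b"\0" * 512)])
BENIGN_IMPORTS = {"CreateFileW", "ReadFile", "WriteFile"}
PACKED_IMAGE = build_pe([("UPX0", 0xE0000080, b""), ("UPX1", 0xE0000040, pseudo_random(4096))])
PACKED_IMPORTS = {"LoadLibraryA", "GetProcAddress"}

if __name__ == "__main__":
    for label, img, imps in (("benign", BENIGN_IMAGE, BENIGN_IMPORTS), ("packed", PACKED_IMAGE, PACKED_IMPORTS)):
        print(label, *score_image(img, imps))
```

The two images illustrate both halves of the point made above: the scorer does flag the packed image (high entropy, writable-and-executable sections, a two-entry import table), but it flags it because it is packed, not because of anything the payload does. The same scorer gives the benign-looking image a score of zero, and it would also give zero to a trojan whose packed payload is unique and whose stub imports nothing interesting, which is exactly the gap the behaviour blocker is meant to cover once the file runs.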
 

Solarquest

Moderator
Verified
Staff member
Malware Hunter
For Emsisoft I think it still makes sense to test the sample with file scan and cloud disabled, to test whether the BB would have detected and blocked it and alerted the user.
Even with cloud enabled it would make sense, since Emsisoft checks the anti-malware network only if the BB finds something suspicious.
 

Fabian Wosar

From Emsisoft
Verified
Developer
Probably it would be difficult to interpret the C++ code of this sample, but it is quite reasonable to think that the ransomware may inject the code, unlike what you are referring to.
It doesn't. All the functions you named are wrong. VirtualAllocEx and CreateRemoteThread are the ones you actually mean.

The sample uses the CryptoAPI for encryption.
It doesn't. It actually uses a popular C++ library called Crypto++. The functions there are only to generate cryptographically secure random numbers.

In general, all the tests with that sample alone are useless. First of all, because it requires the key file for the encryption. If it doesn't have one, it just displays the "The GAME is stopped" message and quits. But even if you had a key and it did encrypt, the way it works is not ransomware-like. How many ransomware do you know of that will give you a live status of which files it has encrypted and which one it is currently working on?

A sample like that would only be used when hacking a server via RDP. NMoreira, for example, has similar information being displayed during encryption because for an attacker it can be useful to know. But at that point, you have bigger issues, and no software on earth would protect you. Because closing the software or clicking on "Allow" or adding an exclusion is just a few clicks away.
 