Simple Windows Hardening
Quoting Andy Ful (post 969511, member 32260):

SWH and Spider-Miner

This malware is intended to attack home users. It mimics the torrent file of a movie but in fact it is an EXE file. The hash is still absent on Virus Total.

[attached screenshot: 1640296974538.png]

SWH is not intended to block EXE files and leaves the protection to SmartScreen and Antivirus. Anyway, SWH can support Microsoft Defender in this attack due to restricting PowerShell commands via SRP (it forces Constrained Language Mode for PowerShell).
From the malware analysis it follows that it does not drop the script files (like *.ps1) but can execute PowerShell encoded commands to abuse Defender. This will be blocked by Constrained Language Mode.

If one is not a happy-clicker then this attack is not dangerous and will be blocked by Windows 10 default protection (SmartScreen for Explorer). Furthermore, the attack requires admin rights to inject the Monero miner code into Svchost. So, the user will see the UAC prompt - from the malware analysis, we know that the malware does not use UAC bypass.

It seems that paradoxically the users of Microsoft Defender can be more secure (compared to some other AVs) against similar malware that could use UAC bypass. A few days ago I tested Defender and other AVs. Defender blocked the known Windows 10 UAC bypasses and they were not fully blocked by some 3rd party AVs.
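The post describes the miner running PowerShell encoded commands against Defender, which SWH's Constrained Language Mode is meant to stop. As an added example that is not from the post or from SWH, the Python below shows the detection side for hosts without that hardening: it decodes -EncodedCommand payloads found in process-creation log lines and flags the Defender preference cmdlets. The pipe-separated log format, the cmdlet list and the sample events are all constructed assumptions.

```python
import base64
import re
from typing import List, Optional, Tuple

# Cmdlets that change Microsoft Defender settings; seeing one inside an
# encoded command line is the signal worth alerting on (assumed watch-list).
DEFENDER_TAMPER_CMDLETS = ("Set-MpPreference", "Add-MpPreference", "Remove-MpPreference")
# -e, -ec, -enc, -EncodedCommand: PowerShell accepts any unambiguous prefix.
ENCODED_FLAG = re.compile(r"(?i)\s-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{8,})")


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand payloads are base64 over UTF-16LE text; None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_process_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Parse 'Key=Value|Key=Value' process-creation lines (a constructed format) and
    return (image, decoded command, Defender cmdlets found) for every encoded launch."""
    findings = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)
        image = fields.get("Image", "")
        if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
            continue  # only PowerShell understands -EncodedCommand
        match = ENCODED_FLAG.search(fields.get("CommandLine", ""))
        decoded = decode_encoded_command(match.group(1)) if match else None
        if decoded is None:
            continue
        hits = [c for c in DEFENDER_TAMPER_CMDLETS if c.lower() in decoded.lower()]
        findings.append((image, decoded, hits))
    return findings


def encode_for_powershell(script: str) -> str:
    """Used only to build the constructed sample below (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample log with three process-creation events; not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [
    f"Image={PS}|CommandLine=powershell.exe -nop -w hidden -enc "
    + encode_for_powershell(r"Add-MpPreference -ExclusionPath C:\Users\Public"),
    f"Image={PS}|CommandLine=powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date"),
    r"Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe -enc readme.txt",
]
```

Only the first sample event carries a Defender cmdlet; the second decodes cleanly but is benign, and the third is ignored because the image is not PowerShell.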