App Review Terminator Malware | The PC Security Channel

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Yeah, when the Zemana Anti-Malware driver (zam64.sys and zamguard64.sys essentially the same) were composed, proper checks were not implemented in the driver to verify the processes that are about to be terminated. The function is rather simple and since the driver is not obfuscated, it probably hasn’t been too difficult to reverse-engineer.

The driver contains one function related to the EDR termination, namely this:
ZmnPhTerminateProcessById()
Click to expand...
And this function takes one parameter - the process ID. This function gets a process handle and passes it to a Windows native API, namely
ZwTerminateProcess()
Click to expand...
(Part of ntddk.h) With the handle as a parameter. The native Windows API terminates the process.
All calls that start with Zw can only come from trusted and signed kernel drivers, programmes operating solely in user mode should perform Nt calls instead and this will be subject to additional validation. Using Zw routines allows to tamper with code running in kernel mode (such as anti-malware products).
learn.microsoft.com

Using Nt and Zw Versions of the Native System Services Routines - Windows drivers

Using Nt and Zw Versions of the Native System Services Routines
learn.microsoft.com



According to Voidsec, the driver can also be used in privilege escalation as well as full disk encryption.
voidsec.com

Reverse Engineering Terminator aka Zemana AntiMalware/AntiLogger Driver - VoidSec

Reverse engineering Spybot's Terminator tool (Zemana Antimalware driver) to achieve LPE as SYSTEM and unrestricted raw SCSI disk read/write.
voidsec.com voidsec.com
 
Last edited:
  • Like
  • Applause
  • +Reputation
Reactions: roger_m, Dave Russo, [correlate] and 6 others
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
piquiteco said:
@Trident Is it related to ZAM (Zemana Anti-Malware) products reverse engineering or something? I ask because the ZAM products are gone?
Click to expand...
Yeah, it is old Zemana real-time protection driver (registers as such) and this process killing functionality has been implemented in order to be able to terminate malware. Problem is, according to Voidsec (I’ve not seen the whole driver source but only what they show) only checks if a process is critical Windows process and nothing else.

Additional checks could have been implemented to avoid terminating processes belonging to anti-malware applications, but Zemana did not implement these.

Later on (because the driver is already in kernel mode) it can call ZwTerminateProcess and that by default automatically searches other processes in kernel mode (without the driver it will be impossible).
So yeah, that’s long story short.
 
  • Like
  • Applause
  • +Reputation
Reactions: roger_m, Dave Russo, Jonny Quest and 7 others
piquiteco

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Trident said:
So yeah, that’s long story short.
Click to expand...
I understood your explanation well. It's as if the spell turned against the sorcerer? My goodness, they do everything to fool the security products. I saw a malware that adds the C:\ in exclusions in MS Defender and MD had no reaction, I was scared, I was paranoid at the time, every day I checked MD if there was nothing exclusion lol :LOL:
 
  • Like
  • HaHa
  • Wow
Reactions: Dave Russo, ForgottenSeer 97327, Jonny Quest and 6 others
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
piquiteco said:
I saw a malware that adds the C:\ in exclusions in MS Defender and MD had no reaction, I was scared, I was paranoid at the time, every day I checked MD if there was nothing exclusion lol :LOL:
Click to expand...
This is a very old thing with Defender and MIcrosoft is not taking care of it because it requires elevated privileges. The answer would be "We don't expect malware to gain elevated privileges".
The following command on elevated PowerShell adds exclusions:
Add-MpPreference -ExclusionPath “<Folder Path>”
Add-MpPreference -ExclusionExtension “<File Extension>”

Microsoft Defender for Business automatically ignores these exclusions but the home version doesn't.
 
  • Like
  • Wow
Reactions: Dave Russo, ForgottenSeer 97327, Jonny Quest and 6 others
piquiteco

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
Trident said:
This is a very old thing with Defender and MIcrosoft is not taking care of it because it requires elevated privileges. The answer would be "We don't expect malware to gain elevated privileges".
The following command on elevated PowerShell adds exclusions:
Add-MpPreference -ExclusionPath “<Folder Path>”
Add-MpPreference -ExclusionExtension “<File Extension>”

Microsoft Defender for Business automatically ignores these exclusions but the home version doesn't.
Click to expand...
And the tamper protection serves no purpose? I saw it recently, that's why I'm commenting, if I remember the place I'll share it with you. Now I went for real🖐
 
  • Like
Reactions: Dave Russo, ForgottenSeer 97327, [correlate] and 4 others
SeriousHoax

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
piquiteco said:
And the tamper protection serves no purpose? I saw it recently, that's why I'm commenting, if I remember the place I'll share it with you. Now I went for real🖐
Click to expand...
No, Tamper Protection sadly doesn't stop this exclusion thing. There is a policy that can prevent adding exclusion from the windows security UI but not via any other method for example, like the PowerShell method that @Trident showed above.
 
  • Like
  • +Reputation
Reactions: kylprq, Dave Russo, ForgottenSeer 97327 and 7 others
piquiteco

piquiteco

Level 14
Verified
Top Poster
Well-known
Oct 16, 2022
624
SeriousHoax said:
No, Tamper Protection sadly doesn't stop this exclusion thing. There is a policy that can prevent adding exclusion from the windows security UI but not via any other method for example, like the PowerShell method that @Trident showed above.
Click to expand...
Got it, maybe blocking PowerShell and everything you have the right to by H_C as shown in this setup of a screenshot below in the spoiler and using SUA account might help. Unless you exploit some vulnerability or some bypass that does not use any locked script interpreter, in which case there is nothing to do, the truth is, they will always find a way around the security suites.
1687868066391.png
 
  • Like
  • +Reputation
Reactions: Dave Russo, ForgottenSeer 97327, Kongo and 3 others
You must log in or register to reply here.

Similar threads

NB InfoTech
    • Like
App Review Want to try? | Comodo Antivirus Test & Review | Comodo Internet Security vs Ransomware | 2024
Replies
4
Views
392
Video Reviews - Security and Privacy
bazang
bazang
NB InfoTech
    • Like
App Review PC Matic Home Review | PC Matic Home Security Antivirus vs Ransomware | 2024
Replies
4
Views
739
Video Reviews - Security and Privacy
Dave Russo
Dave Russo
A
    • Applause
Announcing Windows 11 Insider Preview Build 27718 (Canary Channel)
Replies
0
Views
144
Windows 11
Amanda Langowski
A

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top