App Review Terminator Malware | The PC Security Channel


Trident

Yeah, when the Zemana Anti-Malware drivers (zam64.sys and zamguard64.sys, essentially the same) were composed, proper checks were not implemented in the driver to verify the processes that are about to be terminated. The function is rather simple, and since the driver is not obfuscated, it probably hasn't been too difficult to reverse-engineer.

The driver contains one function related to the EDR termination, namely this:
ZmnPhTerminateProcessById()
And this function takes one parameter: the process ID. This function gets a process handle and passes it to a Windows native API, namely
(part of ntddk.h), with the handle as a parameter. The native Windows API terminates the process.
All calls that start with Zw can only come from trusted and signed kernel drivers; programmes operating solely in user mode should perform Nt calls instead, and these will be subject to additional validation. Using Zw routines allows tampering with code running in kernel mode (such as anti-malware products).



According to Voidsec, the driver can also be used in privilege escalation as well as full disk encryption.
 
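As an added example (not code from the thread or from Zemana), the following PowerShell checks a Windows host for the driver discussed above, whether it is currently registered with the kernel, was installed at some point (Service Control Manager event 7045), or is still on disk. The driver file names come from the thread; the function name and the checks are the author's assumptions.

```powershell
# Added example, not from the thread: look for zam64.sys / zamguard64.sys on this host.
# Run from an elevated PowerShell so the System log and driver directory are readable.
function Find-ZemanaDriver {
    $names = @('zam64.sys', 'zamguard64.sys')
    $results = @()
    # Pulls the last path component without treating "\??\" prefixes as wildcards.
    $leaf = { param($path) (($path -replace '"', '') -split '[\\/]')[-1].ToLower() }

    # 1. Drivers currently registered with the kernel (running or stopped).
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $drv.PathName) { continue }
        if ($names -contains (& $leaf $drv.PathName)) {
            $results += [pscustomobject]@{ Source = 'Win32_SystemDriver'; Name = $drv.Name
                                           Path = $drv.PathName; State = $drv.State; When = $null }
        }
    }

    # 2. Event 7045 ("A service was installed in the system") survives an unload of the driver.
    #    Properties[0] is the service name, Properties[1] the image path.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $imagePath = [string]$ev.Properties[1].Value
        if ($names -contains (& $leaf $imagePath)) {
            $results += [pscustomobject]@{ Source = 'Event 7045'; Name = $ev.Properties[0].Value
                                           Path = $imagePath; State = 'installed'; When = $ev.TimeCreated }
        }
    }

    # 3. Files still present in the driver directory, with their signature status.
    foreach ($n in $names) {
        $p = Join-Path $env:SystemRoot "System32\drivers\$n"
        if (Test-Path -LiteralPath $p) {
            $sig = Get-AuthenticodeSignature -FilePath $p
            $results += [pscustomobject]@{ Source = 'Disk'; Name = $n; Path = $p
                                           State = "on disk ($($sig.Status))"; When = (Get-Item -LiteralPath $p).LastWriteTime }
        }
    }
    return $results
}

Find-ZemanaDriver | Format-Table -AutoSize
```

An empty result means none of the three sources saw the driver; a hit from source 2 alone means it was installed at some point and later removed.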

Trident

@Trident Is it related to ZAM (Zemana Anti-Malware) products reverse engineering or something? I ask because the ZAM products are gone?
Yeah, it is the old Zemana real-time protection driver (it registers as such), and this process-killing functionality was implemented in order to be able to terminate malware. Problem is, according to Voidsec (I've not seen the whole driver source, only what they show), it only checks whether a process is a critical Windows process and nothing else.

Additional checks could have been implemented to avoid terminating processes belonging to anti-malware applications, but Zemana did not implement these.

Later on (because the driver is already in kernel mode) it can call ZwTerminateProcess, and that by default automatically searches other processes in kernel mode (without the driver this would be impossible).
So yeah, that’s long story short.
 

piquiteco

So yeah, that’s long story short.
I understood your explanation well. It's as if the spell turned against the sorcerer? My goodness, they do everything to fool the security products. I saw a malware that adds C:\ to the exclusions in MS Defender and MD had no reaction. I was scared, I was paranoid at the time; every day I checked MD to see whether there was an exclusion lol :LOL:
 

Trident

I saw a malware that adds C:\ to the exclusions in MS Defender and MD had no reaction. I was scared, I was paranoid at the time; every day I checked MD to see whether there was an exclusion lol :LOL:
This is a very old thing with Defender, and Microsoft is not taking care of it because it requires elevated privileges. The answer would be "We don't expect malware to gain elevated privileges".
The following commands on an elevated PowerShell add exclusions:
Add-MpPreference -ExclusionPath "<Folder Path>"
Add-MpPreference -ExclusionExtension "<File Extension>"


Microsoft Defender for Business automatically ignores these exclusions but the home version doesn't.
 
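As an added example (not code from the thread), this PowerShell audits a host for the kind of exclusion described above, such as the entire C:\ drive or executable file extensions, and lists recent Defender configuration-change events. The function names, the list of "risky" folders and extensions, and the use of Defender event ID 5007 as the trace of an Add-MpPreference call are the author's assumptions.

```powershell
# Added example, not from the thread: report over-broad Defender exclusions and recent
# configuration changes. Run from an elevated PowerShell (exclusions are hidden from non-admins).
function Get-RiskyDefenderExclusions {
    $pref = Get-MpPreference
    $findings = @()
    # A bare drive root (C:\) or UNC share root excludes everything beneath it.
    $rootPattern = '^(?:[A-Za-z]:\\?|\\\\[^\\]+\\[^\\]+\\?)$'
    $broadFolders = @("$env:SystemRoot", "$env:SystemDrive\Users", "$env:ProgramData", "$env:TEMP")
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        if ($p -match $rootPattern) {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = 'Entire drive or share excluded' }
        } elseif ($broadFolders -contains $p.TrimEnd('\')) {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = 'Broad system or user folder excluded' }
        }
    }
    # Excluding executable or script extensions disables on-access scanning for that content everywhere.
    $riskyExt = @('exe', 'dll', 'ps1', 'vbs', 'js', 'bat', 'cmd', 'scr', 'com', 'msi')
    foreach ($e in @($pref.ExclusionExtension)) {
        if ($e -and ($riskyExt -contains $e.TrimStart('.').ToLower())) {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Reason = 'Executable or script type excluded' }
        }
    }
    # Process exclusions skip scanning of any file opened by that process.
    foreach ($proc in @($pref.ExclusionProcess)) {
        if ($proc) {
            $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'Files opened by this process are not scanned' }
        }
    }
    return $findings
}

# Defender logs event 5007 when its configuration changes (old value / new value in the message),
# so an exclusion added via Add-MpPreference leaves a trace here even though Tamper Protection does not block it.
function Get-RecentDefenderConfigChanges {
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated,
            @{ n = 'NewValue'; e = { (($_.Message -split "`n") | Where-Object { $_ -match 'New value' }) -join '; ' } }
}

Get-RiskyDefenderExclusions | Format-Table -AutoSize
Get-RecentDefenderConfigChanges | Format-Table -AutoSize -Wrap
```

Scheduling the script and forwarding non-empty output is one way to get the daily check piquiteco describes without opening the UI by hand.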

piquiteco

This is a very old thing with Defender, and Microsoft is not taking care of it because it requires elevated privileges. The answer would be "We don't expect malware to gain elevated privileges".
The following commands on an elevated PowerShell add exclusions:
Add-MpPreference -ExclusionPath "<Folder Path>"
Add-MpPreference -ExclusionExtension "<File Extension>"


Microsoft Defender for Business automatically ignores these exclusions but the home version doesn't.
And the tamper protection serves no purpose? I saw it recently, that's why I'm commenting, if I remember the place I'll share it with you. Now I went for real🖐
 

SeriousHoax

And the tamper protection serves no purpose? I saw it recently, that's why I'm commenting, if I remember the place I'll share it with you. Now I went for real🖐
No, Tamper Protection sadly doesn't stop this exclusion thing. There is a policy that can prevent adding exclusions from the Windows Security UI, but not via any other method, for example the PowerShell method that @Trident showed above.
 

piquiteco

No, Tamper Protection sadly doesn't stop this exclusion thing. There is a policy that can prevent adding exclusions from the Windows Security UI, but not via any other method, for example the PowerShell method that @Trident showed above.
Got it. Maybe blocking PowerShell and everything you have the right to block with H_C, as shown in the setup screenshot below in the spoiler, and using an SUA account might help. Unless you exploit some vulnerability or some bypass that does not use any locked script interpreter, in which case there is nothing to do; the truth is, they will always find a way around the security suites.
[Screenshot attached in the original post: 1687868066391.png]
 
