App Review The Zone Alarm challenge.

[Practical Response]

This cannot be done without informing the user about the AV uninstallation. The AV vendors provided special protection to prevent the malware running with high privileges from tampering with some services and drivers. As it can be seen those protections can be bypassed. In the case of Symantec Endpoint Protection, I invalidated 5 drivers, but the user and AV show only a general error. The user still does not know what happened. Is it a temporary error with services? Is it a conflict with the Windows Update? There is no sign of malicious actions.

Hopefully they are not a in your face kinda hacker then and do that while you watch going wth.

Fair point but route of infection still exists, how did the system get compromised. What kind of delivery method would you use to bypass the already in place security. Such as Norton here for example, the endpoint solution, how would you wrap your gift and send it down the pike to send on the machine unnoticed.

 

[Andy Ful]

Hopefully they are not a in your face kinda hacker then and do that while you watch going wth.

Fair point but route of infection still exists, how did the system get compromised. What kind of delivery method would you use to bypass the already in place security. Such as Norton here for example, the endpoint solution, how would you wrap your gift and send it down the pike to send on the machine unnoticed.

I would not use it as an initial attack vector. That method is preferable in remote attacks or lateral movement in organizations to weaken temporarily the protection and run/hide the payloads deep into the system. The best example is this video:

App Review - Avast's challenge.

malwaretips.com

 

[Trident]

That method is preferable in remote attacks or lateral movement in organizations to weaken temporarily the protection and run/hide the payloads deep into the system

They will need to use kernel-mode privileges (rootkits) in addition to the admin rights if they are hoping not to trigger any detections upon re-enabling security systems. Otherwise if they intend on keeping them disabled and don’t have means to gain kernel mode privileges, it is very smart to start with the disabling procedure and then move on to everything else.

How they will smuggle that is another question, smartest thing to do would be to use a password-protected archive (to evade email security) and then a very large file, possible signed… it can quickly disable defences and upon reboot, initiate payloads download. Although reboot in some environments is not frequent or not performed at all.

 

[Practical Response]

They will need to use kernel-mode privileges (rootkits) in addition to the admin rights if they are hoping not to trigger any detections upon re-enabling security systems. Otherwise if they intend on keeping them disabled and don’t have means to gain kernel mode privileges, it is very smart to start with the disabling procedure and then move on to everything else.

How they will smuggle that is another question, smartest thing to do would be to use a password-protected archive (to evade email security) and then a very large file, possible signed… it can quickly disable defences and upon reboot, initiate payloads download. Although reboot in some environments is not frequent or not performed at all.

So basically a padded phishing attempt would be the most likely delivery method.

 

[Andy Ful]

They will need to use kernel-mode privileges (rootkits) in addition to the admin rights if they are hoping not to trigger any detections upon re-enabling security systems.

It is not necessary. There are many stealthy methods of malware persistence. But of course, the rootkits can be used too.

 

[Trident]

It is not necessary. There are many stealthy methods of malware persistence. But of course, the rootkits can be used too.

The only stealthier method of persistence I can think of is by avoiding the usage of disk (directly to the ram + registry/WMI, etc.). This will not work great with solutions like Kaspersky that have full blown memory scanning as well as where certain LOLBins are disabled.

All other persistence methods require usage of files + registry entries. Upon re-enabling the tools, it is not guaranteed that detection won’t occur.

 

[likeastar20]

The only stealthier method of persistence I can think of is by avoiding the usage of disk (directly to the ram + registry/WMI, etc.). This will not work great with solutions like Kaspersky that have full blown memory scanning as well as where certain LOLBins are disabled.

All other persistence methods require usage of files + registry entries. Upon re-enabling the tools, it is not guaranteed that detection won’t occur.

What’s the list of AVs with “full blown” memory scanning?

 

[Andy Ful]

The only stealthier method of persistence I can think of is by avoiding the usage of disk (directly to the ram + registry). This will not work great with solutions like Kaspersky that have full blown memory scanning as well as where certain LOLBins are disabled.

There are several methods of executing shellcode and nonstandard methods of loading encrypted DLLs. Those methods are poorly detected even with memory scanning.
Of course, after some time the infection can be uncovered. But, this can happen after some weeks or months.

 

[Trident]

What’s the list of AVs with “full blown” memory scanning?

Off the top of my head, Eset, Bitdefender (paid versions?), Kaspersky (even the standalone, free scanner), Sophos (only in x86 and only hourly memory scan), Trend Micro (years ago, upon process being unpacked in memory, scan would be triggered just on the process, now the full memory content is scanned). Recently CrowdStrike implemented Hyper-V assisted memory scan. Perhaps there are others as well.

 

[Trident]

There are several methods of executing shellcode and nonstandard methods of loading encrypted DLLs. Those methods are poorly detected even with memory scanning.
Of course, after some time the infection can be uncovered. But, this can happen after some weeks or months.

Now that would depend on the behavioural blocking as well, if it is based on behavioural chains and profiles then the attack may go undetected (Symantec in the last month or 2 released a lot of SONAR profiles that attempt to cover dll hijacking and other DLL, as well as fileless attacks). If it is based on ATT&CK mapping and anomaly detection there are high chances that detections may occur.

This requires testing.

 

[Andy Ful]

Now that would depend on the behavioural blocking as well, if it is based on behavioural chains and profiles then the attack may go undetected (Symantec in the last month or 2 released a lot of SONAR profiles that attempt to cover dll hijacking and other DLL, as well as fileless attacks). If it is based on ATT&CK mapping and anomaly detection there are high chances that detections may occur.

This requires testing.

That is what the criminals do. They seek poorly detected methods and techniques. If the malware is not prevalent, it can survive for some time undetected. Tampering with antimalware drivers can increase that time. That is why, Microsoft and the AV vendors invented anti-tampering protection.

 

[Trident]

That is what the criminals do. They seek poorly detected methods and techniques. If the malware is not prevalent, it can survive for some time undetected. Tampering with antimalware drivers can increase that time. That is why, Microsoft and the AV vendors invented anti-tampering protection.

Definitely and if one seeks poorly-covered methods, they will find them.

The point is, attackers will want to keep security tools disabled otherwise there is too much work to ensure detection won’t occur. They have only limited time and they will need to act very quickly, in the case of disabling defences it will only take 2 hours (for Check Point since this thread is about Zone Alarm) to register failed update on the Infinity Portal. Email will be sent to admins as well.
The services must be running, otherwise it can’t download updates.
It is the CPFileAnalyz service that is processing them.

 

[Andy Ful]

Definitely and if one seeks poorly-covered methods, they will find them.

The point is, attackers will want to keep security tools disabled otherwise there is too much work to ensure detection won’t occur. They have only limited time and they will need to act very quickly, in the case of disabling defences

Yes, several minutes will be probably enough. Many Admins will think that the problem with drivers is accidental and unrelated to the possible attack.

 

[Trident]

Yes, several minutes will be probably enough.

If it’s their first encounter of the network and devices, by the time they perform lateral movement and asset discovery, not sure if few minutes will be enough, as well as additional security such as IPS might be implemented… there are ifs and buts there.

In any case, tampering with defences must not be allowed.
It is on the ATT&CK matrix for a reason.

 

[likeastar20]

Off the top of my head, Eset, Bitdefender (paid versions?), Kaspersky (even the standalone, free scanner), Sophos (only in x86 and only hourly memory scan), Trend Micro (years ago, upon process being unpacked in memory, scan would be triggered just on the process, now the full memory content is scanned). Recently CrowdStrike implemented Hyper-V assisted memory scan. Perhaps there are others as well.

For on-demand scanners, is KVRT the only one with that capability?

 

[likeastar20]

Now that would depend on the behavioural blocking as well, if it is based on behavioural chains and profiles then the attack may go undetected (Symantec in the last month or 2 released a lot of SONAR profiles that attempt to cover dll hijacking and other DLL, as well as fileless attacks). If it is based on ATT&CK mapping and anomaly detection there are high chances that detections may occur.

This requires testing.

I sent them some samples that work that way, so it's nice to see the improvement.

A new malware campaign exploits legitimate software and DLL hijacking to deliver the LummaC2 stealer. Password-protected RAR archives contain a legitimate executable and a malicious DLL with modified code. When the executable is launched, the DLL is executed, bypassing security measures. The malware fetches and decrypts additional malicious code from a disguised data file. The payload exfiltrates sensitive data such as cryptocurrency wallets, browser credentials, application information, email clients, and specific files.

 

[Sephirothnight]

@Trident,

Symantec failed when the attack was done via shortcut. The attack successfully tampered with 5 drivers:
SYMEVENT64.SYS
BHDrvx64.sys
Ironx64.sys
ccSetx64.sys
SRTSP64.SYS

I used the most aggressive settings for "Virus and Spyware Protection" and "Proactive threat Protection".
There were no alerts after Windows restart, but the Symantec Endpoint Protection icon disappeared from the System TaskBar. Security Center showed that Symantec Endpoint Protection might need some actions. But when I tried opening it, the error was shown:

View attachment 282721


If the attack was done via EXE loader, Download Insight blocked the execution and showed an alert that the EXE was unproven (low prevalence).

Thank you for the Symantec endpoint test and indeed I did not put a link to try it and I am sorry... On the comss.ru site it is an old version but on https://detovirus.blogspot .com/2024/03/discouvrez-symantec-endpoint-protection-14.3-ru8-securite-renforcee-et-protection-avancee.html there are several more recent versions. In any case, Symantec also failed, I would have hoped but no, too bad. Thank you for trying

 

[Andy Ful]

In any case, Symantec also failed, I would have hoped but no, too bad. Thank you for trying

It looks like a very good product.

 

[Trident]

It looks like a very good product.

In some cases it will detect malware earlier than Norton from my tests. Also, there are slightly more configuration options and slightly less features that deviate from the core protection.

It is possible with SEP to setup default-deny on certain downloads by manipulating the download Insight slider.

There are more features depending on SEP edition. This one is only very basic as it is the unmanaged one.