- May 29, 2018
- 2,728
Im aware of that, thanks. Never just bothered with it when using cf
On topic: i wouldnt block bitsadmin.exe due windows updates
yes, i wouldnt worry about this too much
This Trojan exploits antivirus software to steal your data
- Thread starter Solarquest
- Start date
Im aware of that, thanks. Never just bothered with it when using cf
On topic: i wouldnt block bitsadmin.exe due windows updates
- Dec 23, 2014
- 8,491
All can block wmic.exe . H_C in the Recommended settings do not block wmic.exe, but will block the malware from the start, by blocking the shortcut in the UserSpace (Download folder).
- Dec 23, 2014
- 8,491
If something malicious could run PowerShell, then Constrained Language mode and Firewall rules can be bypassed to download and execute DLL payload, by using BITS via cmdlet (not bitsadmin.exe) and sponsors. So, you have to block PowerShell (also mshta.exe and hh.exe), or restrict the possibility to run command lines.
Blocking the shortcuts (not only .lnk), removes one attack vector that uses command lines.
Last edited:
Would that be stopped though if child processes for Powershell are blocked via Exploit Guard?
- Apr 2, 2018
- 1,782
Another perfect example of how malware is evolving and becoming sophisticated and why users should be taught about safe surfing habits and be given security knowledge.
Another reason to create a HIPS and Firewall rule in my ESET IS to monitor the execution of bitsadmin.
What HIPS rules you created? Can you share them?
- Dec 29, 2014
- 1,716
All enabled here works a little bit like HIPs without much intrusion. Blocking mmc requires some whitelisting.
No Moonhorse. Not using 360 TS anymore, even though I like it too. I switched to F-C for the web filtering. Also, the ads and bulk of 360 got to me after 5 years. It felt light to work with and well engineered, although it does use 300 MB or so of RAM if I recall. Doesn't feel like wasted use of RAM, though. I miss the sandbox...
Quick comment on Comodo plus OSArmor. For me this is a very good combination, especially with HIPs disabled. OSArmor is like having good auto-block/alert HIPs rules basically. Amazing how few interruptions it creates.
- Dec 23, 2014
- 8,491
If something malicious can run PowerShell, then it can run sponsors without using PowerShell.
So, you will not have any child processes spawned by PowerShell.
I see your point, the intent of the ASR rule would be to stop other sponsors (script engines) from both executing something they downloaded.
Assumption is we’re discussing the use case of clicking a link file and not having link coverage in SRP - otherwise if we assume that already arbitrary code can be run, then the computer is already compromised, while it’s entire fair to see how to contain the damage , the question I’m trying to address is what is the minimal set of native mechanisms that prevents a compromise
After a minimal set has been determined one can add more layers and see how to mitigate a compromise
- Aug 22, 2014
- 286
These types of attacks by email are common in my country (Brazil) usually comes in bank slip with fake url
- Dec 23, 2014
- 8,491
I answered your question in the H_C thread. It is slightly off topic here.
I guess this is what Tavis Ormandy from Google's project zero has been talking about for some time now, malware taking advantage of vulnerabilities in AV's. It makes total sense and would be very lucrative for hackers as AV's have very deep hooks into the OS, so they are prime for exploitation. I wonder if the AV was sandboxed if the malware could still get though? Be interesting to see if the like of WD being sandboxed would have mitigated this? I'm curious to see if other AV's will start sandboxing their programs to help prevent their products from being exploited due to un-patched vulnerabilities.
Not to goo too far off topic, but I was listening to a Security Now podcast a while ago when MS announced that they were sandboxing WD and Steve Gibson mentioned that only MS would ever be able to successfully implement a sandbox for the AV, i guess due to the way the OS works. Is this the case that no other company can successfully do this as well, or does it mean that they have to some how take advantage of appcontainer to sandbox their product like the browsers due?
Not to goo too far off topic, but I was listening to a Security Now podcast a while ago when MS announced that they were sandboxing WD and Steve Gibson mentioned that only MS would ever be able to successfully implement a sandbox for the AV, i guess due to the way the OS works. Is this the case that no other company can successfully do this as well, or does it mean that they have to some how take advantage of appcontainer to sandbox their product like the browsers due?
- Jul 3, 2015
- 8,153
As @Andy Ful explained so well in his post shortly after yours, the problem is that bitsadmin.exe doesn't download under its own name. So AFAIK this will be sufficient to confuse any firewall.
- Aug 15, 2018
- 634
A very good point raised. I would also love to see how WD Sandboxed reacts to this malware.
- Aug 15, 2018
- 634
Can this be considered as a truly fileless malware? The malware downloads files with .jpg, .png or extensionless file but if an antivirus is configured to scan all file types MAYBE the malware will get detected upon launch provided the AV has a signature for it.
- Aug 15, 2018
- 634
Deny all applications from launching wscript and cscript.
Deny all applications from launching powershell(since I don't use it).
Block execution of WMIC and BitsAdmin.
Ask before launching cmd and mmc.
Block Excel, Word, Powerpoint, Access, SumatraPDF and Chrome from starting, modifying or intercepting svchost.exe.(Experimental)
Deny access to the Hosts file.
I just wish the HIPS could be configured to protect the MBR and the DNS Settings but for now, ESET HIPS do not cover these two aspects.
- Jul 22, 2014
- 2,525
New Astaroth Trojan Variant Exploits Anti-Malware Software to Steal Info
A new Astaroth Trojan campaign targeting Brazil and European countries is currently exploiting the Avast antivirus and security software developed by GAS Tecnologia to steal information and load malicious modules.
...
Update February 13 2019 20:00 EST:Article updated post-publication with additional comments from Avast:
We learned today about this particular Astaroth trojan variant analyzed in Cybereason’s report. Since this is not an exploit, there is no obligation for them to provide formal or advance communication. The authors misuse a trusted binary to run the malware, in this case they used an Avast process, probably due to the size of our user base in the target country of Brazil. One important thing to consider is that this is neither an injection nor a privilege escalation. Installed Avast binaries have self-protection mechanisms in place to avoid injections. In this instance, they are using an Avast file to run a binary in a similar way that a DLL using Windows’ rundll32.exe can run. We had previously issued a detection for the malware so all Avast users are protected from this variant. Additionally, we will be implementing changes to our environment to ensure the same process cannot be misused in this way the future.
- Jul 3, 2015
- 8,153
Finally, they cut to the point, after all the baloney.
- Dec 23, 2014
- 8,491
Nothing will change in the WD Sandbox. That malware does not touch WD processes and executables.
- Nov 7, 2016
- 468
- Jul 3, 2015
- 8,153
The problem with Windows Defender is that it is easy to turn off, not that it is easy to abuse. I would rather have an AV that is turned off than an AV that is being used as a weapon against me.
Similar threads
