- Apr 13, 2013
Good to know since much of this discussion is above my pay grade & I use CF
Yeah, CF pretty much will just blow stuff like this away on initial run, no matter what the initial vector (it can be something like an exploit from a website, an actual malware payload, or (my Favorite) coding the malware into a legitimate application (not that I would know anything about this, being Kind and Gentle)).
However, if one installs CF on a compromised system, one MUST initially place the firewall in "Custom Ruleset" mode. This will block the OutBound transmission constantly.
(The above is when you install CF on an infected system. Think Windows Firewall would have given you a peep?) The cool thing about this sort of malware is that one can time the activation: you can specify that it runs once a month, once a week, or, as in the malware that I used for the above screenshot, re-coded to Activate every 15 seconds. The Monthly activation is a real Pain for analysis, as one sees many times that an actual infected file is marked as clean due to the Sleep function.
Anyway, malware like this has been out for a number of years (initially coded by our Friends living in the Steppes of Central Asia) and is problematic for many reasons. The way to stop this crap is actually quite intuitive: either stop the initial vector (not likely for a true zero-day), stop the OutBound transmission, or look into the place where the persistence mechanism (ie, starting with each System start) was put in place (normally WMI Root).
This is actually an issue for a number of Security Applications: of the major Second Opinion Scanners (MB, HMP, EEK, Norton PE) only HMP detects and stops the Persistence (Fun Fact: many seem to feel that if a 2nd opinion scanner finds no malware extant, the system is clean. Actually a "Clean" report just means that it has not found all of the things it was programmed to find, and God alone knows about anything else). Of the major AVs, things like Avira, Avast/AVG/FortiClient are Oblivious to it. Kaspersky will detect it, but that may be because (LIBEL ALERT!!!!!) they initially coded it.
Andy, I don't know if I would steer anyone trying to learn to go to Wilders. They seem to have preconceived notions and cannot be dissuaded from them. They will discuss whether the latest portable build of CCleaner is legit until the Cows come Home, but when confronted by information that things like MB, HMP, EAM (their favs) are totally ineffective for worms: not a peep...
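The persistence location the post points at, permanent WMI event subscriptions under the root/subscription namespace, can be reviewed by hand with the PowerShell below. This is an added example, not code from the post or from any product it mentions; it assumes an elevated Windows PowerShell session on the machine being checked, reads the three subscription classes with Get-CimInstance, and flags any binding whose consumer executes a script or command line (the stock "SCM Event Log" filter/consumer pair that Windows ships with is expected and is left unflagged). Nothing is deleted; it only reports.

```powershell
# Added example (not from the post): list permanent WMI event subscriptions so
# that anything beyond the built-in SCM Event Log pair stands out for review.
# Assumes an elevated Windows PowerShell prompt; read-only.

function Get-WmiSubscriptionReport {
    $ns = 'root/subscription'

    # __EventFilter: the WQL query that decides WHEN the consumer fires.
    # Timer-style queries (__InstanceModificationEvent on Win32_LocalTime or
    # Win32_PerfFormattedData_PerfOS_System) are how periodic activation is done.
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    # __EventConsumer is the base class; querying it returns every subclass
    # instance (ActiveScriptEventConsumer, CommandLineEventConsumer, ...).
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
    # __FilterToConsumerBinding ties a filter to a consumer; only bound pairs run.
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    # Consumer classes that execute arbitrary code when triggered.
    $codeRunners = @('ActiveScriptEventConsumer', 'CommandLineEventConsumer')
    $stockNames  = @('SCM Event Log Filter', 'SCM Event Log Consumer')

    foreach ($b in $bindings) {
        # With the CIM cmdlets the Filter/Consumer reference properties are
        # materialised as CimInstance objects, so their fields can be read directly.
        $f = $b.Filter
        $c = $b.Consumer
        $consumerClass = $c.CimClass.CimClassName

        # Pull whatever payload field the consumer type carries (null if absent).
        $payload = $null
        if ($consumerClass -eq 'CommandLineEventConsumer') { $payload = $c.CommandLineTemplate }
        if ($consumerClass -eq 'ActiveScriptEventConsumer') { $payload = $c.ScriptText }

        $isStock  = ($f.Name -in $stockNames) -and ($c.Name -in $stockNames)
        $runsCode = $consumerClass -in $codeRunners

        [pscustomobject]@{
            FilterName    = $f.Name
            FilterQuery   = $f.Query
            ConsumerName  = $c.Name
            ConsumerClass = $consumerClass
            Payload       = $payload
            ReviewFlag    = if ($runsCode -and -not $isStock) { 'REVIEW' } else { '' }
        }
    }

    # Orphaned filters or consumers (no binding) are not active but still worth noting.
    $boundFilters   = $bindings | ForEach-Object { $_.Filter.Name }
    $boundConsumers = $bindings | ForEach-Object { $_.Consumer.Name }
    foreach ($f in $filters | Where-Object { $_.Name -notin $boundFilters }) {
        [pscustomobject]@{ FilterName = $f.Name; FilterQuery = $f.Query; ConsumerName = $null
                           ConsumerClass = $null; Payload = $null; ReviewFlag = 'UNBOUND FILTER' }
    }
    foreach ($c in $consumers | Where-Object { $_.Name -notin $boundConsumers }) {
        [pscustomobject]@{ FilterName = $null; FilterQuery = $null; ConsumerName = $c.Name
                           ConsumerClass = $c.CimClass.CimClassName; Payload = $null; ReviewFlag = 'UNBOUND CONSUMER' }
    }
}

# Usage: print the report; rows marked REVIEW are the ones to look at first.
Get-WmiSubscriptionReport | Format-List
```

Anything with a REVIEW flag should be traced back to the software that installed it before it is removed; some management and backup tools create legitimate CommandLineEventConsumer entries, so the flag is a prompt for investigation, not a verdict.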