itman

Most Valued Members
  • Content Count: 6,181
  • Joined
  • Last visited
  • Days Won: 173

Kudos

  1. Upvote
    itman received kudos from NewbyUser in "pyrate", Behavior Blocker Bypass POC   
    Nothing.
    To begin, most Python ransomware attacks are targeted ones. So unless you're a corp., your chances of being targeted are about zip. Bundled Python runtime component attacks are very "noisy" and usually leave a lot of residual artifacts on the device. As such, they aren't suitable for RaaS concerns that are selling their ransomware to the hacker masses.
    I don't have Python installed and have no intention of doing so. I am not a gamer that might be using software containing bundled Python runtime components. Neither am I part of the scientific or research community that might be sharing Python software so bundled. What I am doing will unconditionally block any Python script from running, legit or malicious.
  2. Upvote
    itman received kudos from mallard65 in "pyrate", Behavior Blocker Bypass POC   
    It's been a slow forum posting weekend and it appears this thread has run its course. We have all had the opportunity to "rant and rave" about Eset Home version protection features we all wished we had and in reality, probably never will have. So it is time to expose this Python POC for what it is - fake ransomware. Err ..... what, you say? The POC encrypted files. Well, so does a lot of legit encryption and other apps, including user-created ones. So let's get into this.
    A few years back, the NextGen security software vendors were trying "to get traction" against the established AV vendors with their supposed superior behavior detection methods. Corresponding to this was the appearance of a proliferation of ransomware "simulators" with which one was encouraged to test their existing AV solution. The most infamous of these was RanSim produced by KnowBe4: https://www.knowbe4.com/ransomware-simulator . I wrote a thread about the methodology used by this product and similar ones here: https://forum.eset.com/topic/10792-ransomware-simulators-a-detailed-analysis/ . Eset subsequently commented upon RanSim tactics in their own published article on Eset ransomware protection:
    https://cdn1.esetstatic.com/ESET/INT/Docs/Others/eset-vs-crypto-ransomware.PDF
    So let's get into some details on the POC. First, note this from the POC's author posting about it at malwaretips.com:
    Next is why no vendor on Virus Total detected the POC initially and I believe presently. That one is pretty straightforward. The ransomware portion of the POC never ran. The POC pauses program execution waiting for user input to continue. VT's automated sandbox analysis timed out waiting for input it does not respond to.
    In summary, I am not 100% ruling out that techniques used in the POC could bypass existing Eset ransomware detection methods. However, a POC must be developed deploying real world ransomware deployment and execution methods with the most important being the program runs uninterrupted and encryption activities performed against all existing files in C:\Users\xxxx\Documents\*, etc. directories.
     
  3. Upvote
    itman received kudos from mallard65 in "pyrate", Behavior Blocker Bypass POC   
    Assumed here is the POC .exe at startup or upon user consent of the displayed prompt creates the My Documents\test directory. The program then copies all or part of existing My Documents files into the My Documents\test directory. The program code then proceeds to encrypt whatever files exist in the My Documents\test directory. Again, Eset will not detect this as ransomware.
    Tell the POC author to first manually create the My Documents\test directory and copy whatever files he wants to it. Remove the corresponding program code that does this. Now run the POC directly executing the encryption commands against all files in the My Documents\test directory.
  4. Upvote
    itman received kudos from mallard65 in "pyrate", Behavior Blocker Bypass POC   
    This is a ludicrous statement. Yes, python.exe is a trusted .exe. So no alerting will be done on the .exe. But its scripts certainly are not trusted. I find it a far stretch that no one is scanning Python scripts; especially un-obfuscated ones.
  5. Upvote
    itman received kudos from SeriousHoax in "pyrate", Behavior Blocker Bypass POC   
  6. Upvote
    itman received kudos from peteyt in "pyrate", Behavior Blocker Bypass POC   
  7. Upvote
    itman received kudos from NewbyUser in "pyrate", Behavior Blocker Bypass POC   
  8. Upvote
    itman received kudos from RoboMan in "pyrate", Behavior Blocker Bypass POC   
    Looks like someone just made things a lot easier for Python based ransomware: https://github.com/sithis993/Crypter#builder
  9. Upvote
    itman received kudos from RoboMan in "pyrate", Behavior Blocker Bypass POC   
    Here's a book, 'Creating a Ransomware With Python', in .pdf format for those wanting to get into the "nitty gritty":
    https://hakin9.org/product/creating-a-ransomware-with-python/
     
  10. Upvote
    itman received kudos from RoboMan in "pyrate", Behavior Blocker Bypass POC   
    It should also be noted that Python scripts can be run from PowerShell. In the PyLocky incident linked above, it used a legit installer to install Python.
    Ref.: https://ridicurious.com/2018/03/30/powershell-scripting-guide-to-python-part1/
  11. Upvote
    itman received kudos from NewbyUser in HIPS Alert for Host process   
    At this point, you will have to track down what service is causing this and find out if it's legit.
  12. Upvote
    itman received kudos from RoboMan in "pyrate", Behavior Blocker Bypass POC   
    Actually, I have brought up this issue previously. That is, the Python runtime can be bundled with a malicious script into an .exe. My statement at the time was that the Python runtime bundled in such a way should at least be flagged as suspicious activity. I didn't get any Eset response at that time and doubt you will get one now.
  13. Upvote
    itman gave kudos to Nightowl in vrius txt et qewe   
    Most usually, people who pay their ransom get the decryption key back without any problem, but whatever, if you try to decrypt with a decryptor that isn't supported, data could get damaged as far as I know.
  14. Upvote
    itman received kudos from Super_Spartan in Dell Security Advisory Update?   
    Actually, this sort of thing applies to any recovery image regardless of how it was created. If the image creation precedes the Win 10 patch of the vulnerability, restoring that image recreates the vulnerability.
    Neat how Dell appears to have the capability to patch their built-in recovery partition image backup.
     
  15. Upvote
    itman received kudos from Super_Spartan in Latest CCleaner False Positive   
    The suspicious object detection would indicate it was an advanced machine learning detection.
    When Eset scans an archive, the files within don't yet physically exist on the disk. As such, Eset can't scan the files using advanced heuristics, including advanced machine learning. Now, when the files are actually extracted from the archive, Eset will employ advanced heuristics/AML upon attempted file creation, as indicated by your posted Detection log entries in regards to WinRAR.
  16. Upvote
    itman received kudos from fabioquadros_ in This guys test a few days ago with Eset   
    Let's talk about malware delivery since I am really tired of this ad hoc amateur testing baloney.
    90%+ of malware including ransomware arrives on a device via e-mail. That is, the malware dropper is the e-mail itself. If you're going to test a product's anti-malware capability, you need to duplicate how the malware was delivered. This means your malware sample needs to be the source e-mail. Additionally, the e-mail must be delivered through normal e-mail methods; not downloaded as a password-protected archive malware sample. If downloaded as an archive, extract the e-mail malware sample and e-mail it to yourself.
    What is going on with these ad hoc tests is the samples being used are malware components embedded in the e-mail; scripts or whatever. Running these outside the context of how they were actually deployed is not only irresponsible, it is ridiculous. The common perception being perpetuated is that the malware payload; i.e. sample, is effective regardless of how it is deployed. That is a flat-out misconception.
    Finally, ponder a bit on what is the basic element of malware behavior testing. That element is duplicating the behavior on how the malware was delivered originally.
  17. Upvote
    itman received kudos from fabioquadros_ in This guys test a few days ago with Eset   
    Another "absurd" test from the PC Security Channel.
    To begin, the author is an Emsisoft employee that "supposedly" runs this web site independently. If you believe that, I assume you also still believe in the tooth fairy.
    The reason why he disabled real-time scanning is his supposed objective is to test Eset's behavior detection. He repeatedly refers to Eset's HIPS indicating the fool has no idea how Eset's protection mechanisms work. By disabling real-time protection, he disabled the most important new Eset protection; Augur's advanced machine learning.
    This type of "garbage" testing is what you would expect from the amateur ad hoc malware test sites. These also espouse disabling a security solution's real-time protection to supposedly test a product's behavior detection capability. However, the PC Security Channel author purports that he is a skilled "security professional."
    Finally, and most important, and highlighted previously by @Marcos, is this. Malware doesn't just "magically" arrive on your PC. All this crap-like testing assumes just that, since the amateurs just run their previously downloaded password-protected archived samples one after another. The whole objective of modern security software is to prevent those downloads from happening. If this can be achieved, anything after that point is irrelevant.
  18. Upvote
    itman received kudos from fabioquadros_ in Steam game Medal of Honor being flagged as PUA   
    All I can say is you appear to be the first one to ever get an Eset deep behavior detection. I for one have never seen anything showing a BH/........... detection.
  19. Upvote
    itman received kudos from 0xDEADBEEF in game driver FP   
    Appears Eset is not alone here. At least one other AV is also flagging the driver: https://www.reddit.com/r/HonkaiImpact3rd/comments/f26zrh/vmprotect_suddenly_being_blocked_by_antivirus_is/
    And it appears Eset is detecting Winnti's malware fingerprints here: https://github.com/eset/malware-ioc/tree/master/winnti_group#samples-1
  20. Upvote
    itman received kudos from Nightowl in iPhone - iPad | NIGERIA IP ATTACK?   
    Huawei routers and overall all products associated with the company have numerous security issues and vulnerabilities. Their routers have been banned from sale in a number of countries: https://www.theverge.com/2019/4/30/18523701/huawei-vodafone-italy-security-backdoors-vulnerabilities-routers-core-network-wide-area-local . Since 2007, there are 536 recorded vulnerabilities with their products: https://www.cvedetails.com/vendor/5979/Huawei.html .
  21. Upvote
    itman received kudos from Sammo in Broken Cryptography   
    As long as you have the patch, you can't at least be exploited by this SHA1 vulnerability.
  22. Upvote
    itman received kudos from Sammo in Broken Cryptography   
    This has nothing to do with Eset.
    As the above posted description text clearly shows, it is a browser issue. Namely, the browser is allowing SHA1 connections. This can be corrected by removing the ciphers associated with SHA1-intermediate which involves a registry modification.
  23. Upvote
    itman received kudos from Kaan in Eset Too Many Files That Couldn't Be Opened   
    This is normal and expected behavior when the Eset default SmartScan profile is used. These files are locked by the OS and Eset cannot scan them.
    If you wish to minimize this behavior, perform a Custom scan as Administrator. Files will still show as locked, but there will be fewer of them showing this status.
  24. Upvote
    itman received kudos from BeanSlappers in Stop Echos - Pings   
    Specifically, echo reply is only allowed from devices in the Trusted Zone; i.e. local subnet.
    Alternatively, you can manually create an outbound firewall rule to block echo reply from a specific device. Then move that rule prior to any existing default ICMP rules.
  25. Upvote
    itman received kudos from BeanSlappers in Stop Echos - Pings   
    Refer to the below screen shots. Substitute the shown Local 192.168.0.0 address with the DHCP-assigned IP address of the local device for which you wish to block outbound echo reply activity. If you want to be notified about block activity, check mark the "Notify user" setting. Move this rule above any existing Eset default ICMP rules that exist.

