itman

Most Valued Members
  • Posts: 12,102
  • Days Won: 319

Kudos

  1. Upvote
    itman received kudos from peteyt in Stealers not detected
    Today's discussion is: why is initial detection of infostealers, recent malware loaders I have analyzed, etc. so difficult? For starters, they employ both sandbox and behavior evasion tactics.
    My analysis of the above yields the following activities:
    1. Spawning one or more identical child processes of itself.
    2. Malicious code injection into one of the child processes, usually done remotely but not always, and execution of that code.
    Sandbox evasion occurs if the initially run .exe, usually a shell, detects it is being monitored; it simply creates a process that does not perform any of the above activities. Of note, there is nothing malicious about this payload (parent) process.
    Behavior evasion occurs by performing the above 1) and 2) activities. How?
    It deals with how most AVs do behavior monitoring. If the AV detects anything suspicious with the payload (parent) process, it will set a hook, usually a .dll, into that process to monitor activities. If the parent process spawns a child process or processes that are copies of itself, no monitoring hook is set in those processes.
    Since the child process is now running in an un-monitored AV state, malicious code injection into it can occur unimpeded.
    Next is many legit processes spawn copies of themselves; most notably browsers.
    There is a Sigma rule that detects parent-child process cloning. Once triggered, process reputation evaluation needs to be performed.
    If the process reputation status is unknown or low, the parent process needs to be flagged as suspicious and blocked from executing. Alternatively, the AV needs to set its behavior monitoring hook into any spawned child process. The issue here is it appears these child processes are being created from the dropper shell and not the parent process. Therefore, shell processes need to be monitored for like behavior.
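As an added illustration of the detection flow described in the post above (example code written for this page, not code from the post, from ESET or from the Sigma project): a Python sketch that flags parent/child cloning over constructed Sysmon-style process-creation records, also covers the post's second case of a dropper shell launching the same image repeatedly, and gates the verdict on process reputation. The event records, the reputation table and the shell list are all constructed assumptions standing in for real telemetry and a real reputation lookup.

```python
"""Flag parent/child process cloning and gate the verdict on reputation."""
from collections import Counter

# Constructed Sysmon-style process-creation records (not real telemetry).
EVENTS = [
    {"pid": 4000, "ppid": 3000, "parent": r"C:\Program Files\Brave\brave.exe",
     "image": r"C:\Program Files\Brave\brave.exe"},            # legit browser clone
    {"pid": 5010, "ppid": 5000, "parent": r"C:\Users\u\AppData\Local\Temp\loader.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\loader.exe"},    # payload clones itself
    {"pid": 6010, "ppid": 6000, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\stage.exe"},     # dropper shell spawns
    {"pid": 6011, "ppid": 6000, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\stage.exe"},     # the same image twice
]
# Constructed stand-in for a cloud/file-reputation lookup; anything absent is "unknown".
REPUTATION = {r"C:\Program Files\Brave\brave.exe": "high"}
# Scripting/command shells whose children also need watching (assumed list).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def clone_alerts(events):
    """Return (image, reason) pairs that trigger a reputation check."""
    hits = []
    for e in events:  # pattern 1: a process spawning a copy of itself
        if e["image"].lower() == e["parent"].lower():
            hits.append((e["image"], "self-clone"))
    # pattern 2: a shell (not the payload) launching the same image repeatedly
    per_shell = Counter((e["ppid"], e["image"]) for e in events
                        if basename(e["parent"]) in SHELLS)
    for (_ppid, image), count in per_shell.items():
        if count >= 2:
            hits.append((image, "shell-spawned copies"))
    return hits

def verdicts(events):
    """Block unknown/low-reputation cloners; allow known-good ones (e.g. browsers)."""
    out = {}
    for image, reason in clone_alerts(events):
        rep = REPUTATION.get(image, "unknown")
        action = "block" if rep in ("unknown", "low") else "allow"
        out[image] = (reason, rep, action)
    return out

if __name__ == "__main__":
    for image, (reason, rep, action) in verdicts(EVENTS).items():
        print(f"{action:5} {rep:8} {reason:20} {image}")
```

The reputation gate is what keeps the browser's legitimate self-clone from being blocked while the unknown loader and the shell-spawned copies are.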
  2. Upvote
    itman gave kudos to peteyt in Will the ESET icon spinning issue **EVER** get fixed?
    Might be worth backing up any custom settings, etc. and using the ESET uninstaller in safe mode: https://support.eset.com/en/kb2289-uninstall-eset-manually-using-the-eset-uninstaller-tool
    Then install the pre-release version from scratch. This will rule out this being caused by leftover files from a previous version.

  3. Upvote
    itman received kudos from vml in doc/fraud.aaw trojan and get another email   
    If it was a legit hack, the attacker would have shown proof in the e-mail of one or more passwords he was able to acquire. Were those passwords shown in the e-mail? If your e-mail password is disclosed in the scam email, change it ASAP.
  4. Upvote
    itman received kudos from vml in doc/fraud.aaw trojan and get another email   
    Some security advice.
    If you keep sensitive data on your PC, make sure it's encrypted. Better yet, only store that data on external media not permanently attached to your PC, also encrypted. If an attacker was able to upload this encrypted data, it is worthless to him.
  5. Upvote
    itman received kudos from Super_Spartan in How is ESET doing it so fast????   
    Here's my opinion.
    Whereas deleting and quarantining a malware file can occur quickly, removing registry or WMI references to it takes some time.
    The forum is full of postings about Eset detecting malware, deleting it, and quarantining it only to have the same malware keep reappearing later. This indicates Eset's malware cleaning capability is not as effective as exists in some other AV solutions.
  6. Upvote
    itman received kudos from Nightowl in doc/fraud.aaw trojan and get another email   
    Some security advice.
    If you keep sensitive data on your PC, make sure it's encrypted. Better yet, only store that data on external media not permanently attached to your PC, also encrypted. If an attacker was able to upload this encrypted data, it is worthless to him.
  7. Upvote
    itman received kudos from John Dow in Strange file in operating memory of the computer   
    Eset does not and cannot scan the pagefile.sys, hiberfil.sys and swapfile.sys files. As your screen shot and my below screen shot show, zero files were scanned:

    If you are worried about malware in the pagefile, it can be cleared at system shutdown by setting the appropriate registry key to do so. Or via a similar Group Policy setting if you are running a Win Pro+ version.
    Likewise, the hiberfil.sys and swapfile.sys files can be deleted by running the appropriate command line option to disable Hibernation, rebooting, and then re-enabling Hibernation. The same also can be done via a Group Policy option.
  8. Upvote
    itman received kudos from LesRMed in Eset VS Miner   
    I believe the truism "Common sense is not that common" is applicable here.
    You download a cracked game installer from a torrent web site. What else would you expect than to get nailed by nasty malware?
  9. Upvote
    itman received kudos from LesRMed in Eset VS Miner   
    Another example of malware distributed via cracked game installers a while back that trashed a bunch of AV solutions is Crackonosh: https://www.tomsguide.com/news/cracked-games-hacked-pcs .
    I have no sympathy whatsoever for people using cracked software who get infected as a result of such use.
  10. Upvote
    itman gave kudos to safety in Eset VS Miner   
    In general, the topic of this miner ("REALTEKD / TASKHOSTW") on technical forums in Russia and apparently in Ukraine over the past few years can, in popularity, only be compared with the Stop Djvu encryptor (but there at least the file extension changes consistently, whereas here practically nothing changes).
    Many antiviruses are taken out and blocked, not only ESET. In both cases, the infection occurs as a result of the use of hacked programs. The installer with this miner, as a rule, is several GB, and there is no way to check it for viruses.
    In addition to blocking the launch of installers and utilities, and blocking standard installation paths for anti-virus programs, access to the sites of technical forums and anti-virus companies is also blocked.

  11. Upvote
    itman received kudos from micasayyo in Banking Ridirection Not Working   
    Problem persists in this version.
    "My gut is telling me" it's going to take Eset a while to fix this redirection problem.
  12. Upvote
    itman received kudos from micasayyo in Banking Ridirection Not Working   
    No problem with redirection to protected B&PP defined web sites using Edge.
  13. Upvote
    itman received kudos from TTOZ in Terminator malware can disable Eset?   
    PC Security Channel reviews often don't fully disclose all protection details. In this review, he mentions the low detection rate of the Zemana driver at VT. Assume that rate applies to when the driver was previously installed. As I posted, Eset will detect it on download. It will also detect it as a result of an Eset on-demand scan as it did for a vulnerable Process Explorer driver I had installed.
  14. Upvote
    itman gave kudos to stackz in PowerShell/TrojanDownloader.Agent.ETC on virustotal link   
    I can reproduce this. When you go to the VT page you are actually landing on the behavior page and ESET is picking up on some of the displayed PowerShell script parts. See example pics below. So essentially there's no live malware to get infected from.
    At VT:
    In cache:
  15. Upvote
    itman received kudos from Super_Spartan in Is adding too many exclusions a bad thing?   
    Per Eset on-line product help:
    https://help.eset.com/essp/16.1/en-US/idh_exclude.html
  16. Upvote
    itman received kudos from safety in Detecting of malicious scripts *.py in the .unitypackage files   
    Blocking execution of Python scripts via a HIPS is somewhat "an effort in futility" given the multiple ways the scripts can be run: https://realpython.com/run-python-scripts/ .
    Now if the Eset HIPS had the capability to block read access of a file plus global file wildcard use capability, then a HIPS rule could be created to block/ask for *.py and *.pyw file access.
    Finally, .py scripts can be converted to a .exe just like .bat, etc. scripts can be.
    The main danger of Python scripts is they are not parsed by the Win AMSI interface. On the other hand, AMSI is being bypassed so much by malware these days, it's probably a moot point.
  17. Upvote
    itman received kudos from safety in Detecting of malicious scripts *.py in the .unitypackage files   
    Based on what I read here: https://github.com/Hawkish-Team/Hawkish-Grabber , I would say detection likelihood would be low.
  18. Upvote
    itman received kudos from king99 in Malware undetected for 5 years   
    My best guess is that the VirtualBox 2018 download will not install currently on Win 10/11. Assumed is that the cert. for the download is SHA-1 signed. Microsoft disallowed SHA-1 certs. in 2019: https://support.microsoft.com/en-us/topic/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus-64d1c82d-31ee-c273-3930-69a4cde8e64f .
    I just downloaded VB ver. 7.0.8 from here: https://www.virtualbox.org/wiki/Downloads. The download is validly signed with a SHA-2 cert. Of note is the old SHA-1 cert. dating to 2014 is still shown. It is also shown as invalid due to not being validly countersigned.
    My best guess at this point is your VirtualBox 2018 download is showing as invalidly signed for the above reasons. At this point, it is impossible to determine how you downloaded a malicious version of VB.
    I suspect that Oracle cert. is for manually signing VB Win kernel modules to remove conflict w/Win 10/11 Secure Boot processing as noted here: https://gist.github.com/reillysiemens/ac6bea1e6c7684d62f544bd79b2182a4
  19. Upvote
    itman received kudos from king99 in Malware undetected for 5 years   
    A few other comments about "Dirty Moe" malware.
    It is deployed via exploiting:
    https://decoded.avast.io/martinchlumecky/dirtymoe-1/
    The VirtualBox sample referenced at VT dates to 2018. There was a vulnerability in VB at that time that was being ignored by Oracle. A researcher was so frustrated with Oracle for ignoring the vulnerability, he created his own POC exploit code and released it publicly: https://www.bleepingcomputer.com/news/security/virtualbox-zero-day-vulnerability-details-and-exploit-are-publicly-available/ .
    Putting it all together, it appears this VB sample was altered to include either the exploit code and possibly the Dirty Moe malware code, or dropper code to download it from the attacker's C&C server.
    -EDIT- Forgot this "tidbit" which is why Dirty Moe is referenced as undetectable:
    https://securityintelligence.com/news/dirtymoe-botnet-returns-undetectable-threat-profile/
  20. Upvote
    itman received kudos from king99 in Malware undetected for 5 years   
    Looks like the detection was an Avast behavior based one. One possibility is this download was tampered with as indicated by the invalid signature. Also, this "Dirty Moe" malware does install a signed kernel mode mini-port driver.
  21. Upvote
    itman received kudos from peteyt in ESET and malwarebazaar (abuse.ch)   
    Quite a few are fixated with VirusTotal as the "Holy Grail" reference when it comes to security software detection capability. It is very far from that status as noted in this article: https://www.virusbulletin.com/virusbulletin/2018/01/vb2017-paper-virustotal-tips-tricks-and-myths/
    Of note:
  22. Upvote
    itman received kudos from peteyt in ESET and malwarebazaar (abuse.ch)   
    You really can't count on Eset detection on VT for new malware.
    The first thing Eset will do for new malware is create a LiveGrid blacklist detection for it while it analyzes the malware further. Those LiveGrid blacklist detections do not show in VT results.
    Remember that not all Eset detection and/or protection mechanisms are deployed on the copy deployed at VT.
  23. Upvote
    itman received kudos from miki1980 in js/chromex.agent.bz help   
    The first question that needs to be answered is what this C:\Windows\SystemTemp directory is about. Checking my Win 10 22H2 installation, I also have the sub-directory and it appears to have been created on 6/4/2023. No Win Update of any type ran on that date or the prior date. The directory is totally locked down; not even read access is allowed. As such, I am surprised Eset could detect anything resident in that directory.
    This GitHub article: https://github.com/golang/go/issues/56899 states the C:\Windows\SystemTemp directory was created as a Windows security hardening feature for Win 11. Looks like Microsoft also added the directory to Win 10 but possibly not used there?
    In any case, I can't see how a Chrome extension could be created in C:\Windows\SystemTemp unless something changed its Win access permissions to do so, then reestablished the original permissions. In any case, Eset can't delete the malicious extension from C:\Windows\SystemTemp because it doesn't have the permissions to do so, it appears. Hence, the constant Eset notification when the malicious Chrome extension attempts to load into Brave.
  24. Upvote
    itman received kudos from miki1980 in js/chromex.agent.bz help   
    You removed the screen shot that originally was shown in your posting.
    The screen shot showed that the JavaScript Eset is detecting originates from a C:\Windows\????Temp\ sub-directory. The process that accesses the script in this directory appears to be one that unzips extensions prior to loading\running it in the Brave browser. You need to identify what is creating this extension and stop it from doing so.
  25. Upvote
    itman received kudos from miki1980 in js/chromex.agent.bz help   
    Assuming you have set up syncing from your smartphone to the Brave browser, the malware Eset is detecting originates from your smartphone. It is being transferred to your Brave browser whenever the sync processing runs.
    You will have to remove the malware from the smartphone. Until that is done, your only alternative is to disable syncing of your smartphone to the Brave browser.
    Ref.: https://support.brave.com/hc/en-us/articles/360021218111-How-do-I-set-up-Sync-