itman, posted November 10, 2016

Ref.: https://avlab.pl/sites/default/files/68files/ENG_2016_ransomware.pdf

For testing, we used 28 malicious software files of crypto ransomware. Among others there were: Cerber, CryptXXX, DetoxCrypto, Hitler Ransomware, HolyCrypt, Locky, Numecod, Petya, Jigsaw, Vipasana, Stampado and many others. The study included the total amount of 28 samples collected in a collaboration with independent researchers.

Test Results
Smart Security ver. 9 - 25/28
Smart Security ver. 10 beta - 27/28

Summary
Upgrade to ver. 10 ASAP. Perhaps Eset could have them retest w/final of ver. 10?
itman, posted November 11, 2016 (edited)

Also noteworthy is that the vast majority of ransomware is delivered via e-mail, primarily in attachments. The overwhelming majority of ransomware delivered this way is Locky, as noted below. It would be illuminating to see a test of Eset's Internet/Smart Security client e-mail protection against Locky.

According to the 2016 Verizon DBIR, email is the #1 delivery channel for malware. And what percentage of that malware delivered over email is ransomware? According to Proofpoint, over 96 percent.

Ref: https://blog.barkly.com/ransomware-attacks-bypassing-antivirus#0

Edited November 11, 2016 by itman
itman, posted November 12, 2016

In regards to Locky ransomware, there are variants of it that begin their infection process using .bat scripts. I would like to know if Eset's ver. 10 script protection includes monitoring of cmd.exe (which can run hidden) and conhost.exe.
Marcos (Administrator), posted November 13, 2016

I don't recall seeing Locky started by batch files. It's mainly js or vbs files that are spread by spammed email and, when run, they download Locky's binary and execute it.
itman, posted November 13, 2016 (edited)

FYI. After some additional deobfuscation of the VBA macro, I combined the 3 parts to reveal the full script and the actions performed.

1. VBA macro creates file %temp%\arra.bat
2. Decodes and writes the values of textbox1 and textbox2 to arra.bat
3. Executes %temp%\arra.bat
3.1. Arra.bat in turn creates %tmp%\dasdee.vbs
3.2. Echoes the script contents to the dasdee.vbs script
3.3. Executes dasdee.vbs using cscript
3.3.1. dasdee.vbs performs a GET request to the http address passed in parameter %0% and saves the response to the location in parameter %1%
3.4. The bat file then executes the file saved by the vbs script, deletes the vbs script and deletes itself.

Ref.: https://www.sternsecurity.com/blog/locky-ransomware-analysis

Edited November 13, 2016 by itman
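The chain above (Office document -> cmd.exe running a %temp% .bat -> cscript.exe running a %temp% .vbs) is exactly the kind of parent/child process pattern a defender can alert on. The following is an added example, not code from the thread or from the Stern Security write-up: a small detector run over constructed Sysmon-style process-creation records (the pids, paths and the hxxp://example.invalid URL are invented placeholders).

```python
# Added example: detect the Office -> cmd.exe (%temp%\*.bat) -> cscript.exe (%temp%\*.vbs)
# chain described in the Locky analysis, over constructed process-creation records.
# Record layout mimics Sysmon Event ID 1 fields; all values are invented for the demo.
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events: (pid, ppid, image path, command line)
EVENTS = [
    (100, 50, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", '"WINWORD.EXE" invoice.docm'),
    (300, 200, r"C:\Windows\System32\cmd.exe", r"cmd /c C:\Users\u\AppData\Local\Temp\arra.bat"),
    (400, 300, r"C:\Windows\System32\cscript.exe",
     r"cscript //nologo C:\Users\u\AppData\Local\Temp\dasdee.vbs hxxp://example.invalid/x C:\Users\u\AppData\Local\Temp\out.exe"),
    # Benign: a logon script started from cmd under explorer, not under an Office process
    (500, 100, r"C:\Windows\System32\cmd.exe", r"cmd /c C:\scripts\logon.bat"),
    (600, 500, r"C:\Windows\System32\cscript.exe", r"cscript C:\scripts\inventory.vbs"),
]

# A .bat or .vbs living directly under a directory named Temp/tmp (what %temp% expands to)
TEMP_SCRIPT = re.compile(r"\\(?:Temp|tmp)\\[^\\\s\"]+\.(?:bat|vbs)\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_office_script_chains(events):
    """Return (office_pid, cmd_pid, cscript_pid) for every chain matching
    Office app -> cmd.exe running a %temp% .bat -> cscript.exe running a %temp% .vbs."""
    by_pid = {pid: (ppid, basename(img), cmd) for pid, ppid, img, cmd in events}
    hits = []
    for pid, (ppid, name, cmd) in by_pid.items():
        if name != "cscript.exe" or not TEMP_SCRIPT.search(cmd):
            continue
        parent = by_pid.get(ppid)
        if not parent or parent[1] != "cmd.exe" or not TEMP_SCRIPT.search(parent[2]):
            continue
        grandparent = by_pid.get(parent[0])
        if grandparent and grandparent[1] in OFFICE:
            hits.append((parent[0], ppid, pid))
    return hits


if __name__ == "__main__":
    for office_pid, cmd_pid, cscript_pid in find_office_script_chains(EVENTS):
        print(f"suspicious chain: office pid {office_pid} -> cmd {cmd_pid} -> cscript {cscript_pid}")
```

On the constructed data only the WINWORD.EXE-rooted chain is reported; the logon-script chain under explorer.exe is ignored because it is neither Office-spawned nor in %temp%.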
itman, posted November 15, 2016

Noteworthy is that Microsoft has "beefed up" macro protection in Office 2016 and recently 2013. So cmd.exe protection is not that critical in those versions. However, there are still enterprises and individuals using pre-2013 Pro. or non-Pro. versions of Office.
itman, posted December 9, 2016

A-V Comparatives did a recent commissioned comparative test for PC Matic. They used 1000 ransomware samples. Eset Smart Security ver. 9 scored a 100% detection rate!

hxxp://www.av-comparatives.org/wp-content/uploads/2016/11/avc_sp_pcpitstop_2016_en.pdf
Marcos (Administrator), posted December 9, 2016

The latest TorrentLocker:

Baidu - Win32.Trojan.WisdomEyes.16070401.9500.9928
ESET-NOD32 - a variant of Win32/Injector.DIOL
CrowdStrike - malicious_confidence_89% (D)

3/56 on 2016-12-09 09:41:16
itman, posted December 25, 2016

Here's one for Eset to research: https://malwaretips.com/threads/self-made-ransomware-vs-antivirus-products.66903/

Basically a 0-day that remained so for quite a while. Introduced into the wild on 12/12. Nine days later, only 12 vendors on VirusTotal had a signature for it and Eset was not one of them. As noted in the tester's comments on Malwaretips, Eset Smart Security failed to detect it.
itman, posted February 20, 2017

Latest AV Lab report where Eset gets 100% in ransomware protection; also 100% in financial malware protection: https://www.mrg-effitas.com/wp-content/uploads/2017/02/MRG-Effitas-360-Assessment-Q4-2016.pdf