Jump to content

Archived

This topic is now archived and is closed to further replies.

0xDEADBEEF

Another ransomware that escapes from ESET's detection

Recommended Posts

Well, another of real-life experience with ransomware bypassing ESET protection layers. It is still "at large" even for now with ver15819 definition and has 3 days of reputation history... Other vendors have successfully block the encryption through their behavioral detection layer, how about ESET? The SHA256 is a3d939adaa73dc95cc29a43889b2f7b64ecceecd70ed490d6621656a3712f372

behavior.jpg.45fe55056f65c6e27d229ca60331bf38.jpg

Share this post


Link to post
Share on other sites

1 day 16 hours and counting does seem a long time with no protection on defs 15821 :blink:

Share this post


Link to post
Share on other sites

How are you testing? For me that sample is detected as:

Python/Filecoder.AM trojan

 

Share this post


Link to post
Share on other sites

It's already detected as Python/Filecoder.AM. It's a Chinese ranomware written in Python with Chinese instructions. It's been seen on less than 10 machines in total.

Share this post


Link to post
Share on other sites

Payload, a5d6b262473a60eedd295eca16e3969ef8554da8.exe, was dropped in C:\.

One reason I am now running VoodooShield in whitelisting mode.

Share this post


Link to post
Share on other sites

Submitting the samples to ESET would probably be a better idea , rather than willingly downloading something you know is loaded to prove a point. That way others would be protected when the modules are updated.

:rolleyes:
 

Share this post


Link to post
Share on other sites
2 hours ago, cyberhash said:

Submitting the samples to ESET would probably be a better idea , rather than willingly downloading something you know is loaded to prove a point. That way others would be protected when the modules are updated.

:rolleyes:
 

Of course I submitted :rolleyes:. I just didn't put the link here because it is not appropriate. Even I didn't, LiveGrid should have collected the sample if it worked as claimed. Or it will be captured by VT sample sharing which already has 30 vendors reporting that sample as malicious at the time I spotted it.

The point is: who protects me in such scenario?

Share this post


Link to post
Share on other sites

@0xDEADBEEF

I think its great that you submitted the sample :wub:. Likewise when i went and checked out the hash of the file, there was already another 12 or so other hashes of the same threat showing.

You and @itman must visit some dangerous corners of the web as it was just not ESET that was not detecting the file. To find something that @Marcos said was seen on less than 10 pc's worldwide. Finding a needle in a haystack does not even come close :ph34r:

Share this post


Link to post
Share on other sites
14 minutes ago, cyberhash said:

@0xDEADBEEF

I think its great that you submitted the sample :wub:. Likewise when i went and checked out the hash of the file, there was already another 12 or so other hashes of the same threat showing.

You and @itman must visit some dangerous corners of the web as it was just not ESET that was not detecting the file. To find something that @Marcos said was seen on less than 10 pc's worldwide. Finding a needle in a haystack does not even come close :ph34r:

It is less than 10 PC's worldwide with ESET sensors, but it doesn't necessarily mean the prevalence of the sample is indeed that low. I don't know how large the user base of ESET is in China, but this might not be a good news to Chinese users I assume? 

Of course, it is unrealistic to hope that antivirus software can always block "rare" malware. But I cannot help wondering if there are some effective ways to help mitigate these corner cases. Paranoid users like me will use sandboxes or some other auto-processing pipelines to evaluate the sample before running, even when the antivirus flag it as benign (this is still very limited if the execution is triggered through exploit or reside purely in memory). Normal users trust what antivirus says instead. The paradox is that, when I see something marked as benign by ESET, how do I know if it is really benign, or it is actually because it has not been fully analyzed by their intelligent system? When I see the reputation is unknown, do I wait for days until the reputation becomes "safe"? It is not the first time I encounter this situation, and I really hope that ESET can strengthen its anti ransomware protection through some way. A false positive might be disastrous, encountering a ransomware like this is equally bad.

Share this post


Link to post
Share on other sites

As far as behavior detection of this puppy, let's discuss this.

VT has a brief behavior analysis on it here: https://www.virustotal.com/en/file/a3d939adaa73dc95cc29a43889b2f7b64ecceecd70ed490d6621656a3712f372/analysis/ . Besides the .pyd files used which are the Python equivalent of Windows .dll files, a number of .manifest files were also used. This indicates to me that the "on the fly" version of Python was used; it is downloaded and run on the target machine.

Next is the performance of AI/Next Gen/Machine Learning whatever as noted on VT. Only three products detected this bugger prior to 7/27:

  • Sophos ML - on 6/7 - by heuristics.
  • ClouldStrike Falcon -  on 7/10 - appears to be the only one to detect via AI algorithms.
  • Sentinel One - on 7/18 - static machine learning.

Cylance detected on 7/28 indicating that product is all "smoke and mirrors." And finally, Endgame didn't detect it at all.

Overall, this ransomware is one sophisticated malware; possibility in the advanced persistent threat category as also supported by its low in-the-wild frequency.

As far as the multiple of third party anti-ransomware product detection, the verdict is still out. But I strongly suspect they will also fail against it.

Bottom line - if you want 0-day protection against malware like this, use anti-exec whitelisting.

Share this post


Link to post
Share on other sites
26 minutes ago, itman said:

This indicates to me that the "on the fly" version of Python was used; it is downloaded and run on the target machine.

Lol yes. It is a complex one although its behaviors also touch multiple red lines compare to some more stealth ones. It took my poor sandbox over 5 minutes to process a 60sec running trace. Hmm, is ESET'S DBT useful when dealing with this kind of malware?

Share this post


Link to post
Share on other sites
3 minutes ago, 0xDEADBEEF said:

Lol yes. It is a complex one although its behaviors also touch multiple red lines compare to some more stealth ones. It took my poor sandbox over 5 minutes to process a 60sec running trace. Hmm, is ESET'S DBT useful when dealing with this kind of malware?

You try this one: https://malwr.com/ .

Share this post


Link to post
Share on other sites


The only real way of doing such a thing is by black/white listing, and quite the opposite as to what an antivirus does by default. It's been discussed on other threads on these forums where even windows updates or driver updates are that low a reputation where black/white listing could do potentially as much damage to a machine as malware itself could if it's left to user choice. Likewise if ESET were to block a new Nvidia driver that's only been released 4 minutes ago and is only installed on 12 pc's worldwide (Inspected via Livegrid) could also be problematic, or an update to Ms Office with low rep. Imagine a scenario with no "Outlook" because it's low rep and ESET blocked it, or a borked system because ESET blocked a driver update halfway through because of it's low rep. The effects of such a mistake would be felt by xxxxx thousands of angry users.

I love my security as much as you do, but i equally think that these kind of measures are above and beyond what your average home user even knows about, let alone have to deal with or make choices.

A true whitelist app is the only way to go, and equally one that is 100% reliant on the user making the choices as when it goes wrong then you can only blame yourself. But i feel that this is something that only a small percentage of the users of home antivirus products would ever want to use/apply. Even using a browser plugin like noscript is beyond a large proportion of users and apps for whitelisting system files are further up the ladder than noscript.

Sophos for example used reputation based cloud technology, but never managed to protect The NHS in the UK from Wannacry.

Netiquette/Knowledge is always as important as the software and equally both can fail, and risk reduction always plays a big part. Staying away from the dark areas of the web is always a good idea and if you are using the web for day to day tasks then by the time that things become a widespread threat most if not all vendors will be capable of detecting and blocking them. As the users on the bad sites have became infected and theoretically virus beta testers ^_^

Like yourself i also have no idea of ESET's market share in asia and have no idea as to the reach of Livegrid's capability there, but i did see that vendors like Tencent did detect the hash of the file you gave and they probably have a larger share of the home market and more capable of detecting malware written in their own native language in a shorter period of time.



 

Share this post


Link to post
Share on other sites
15 minutes ago, cyberhash said:

A true whitelist app is the only way to go, and equally one that is 100% reliant on the user making the choices as when it goes wrong then you can only blame yourself. But i feel that this is something that only a small percentage of the users of home antivirus products would ever want to use/apply.

Agreed. Should only be used by people with the technical skills to differentiate between "good and bad" .exe's.

Share this post


Link to post
Share on other sites
17 hours ago, cyberhash said:

Like yourself i also have no idea of ESET's market share in asia and have no idea as to the reach of Livegrid's capability there, but i did see that vendors like Tencent did detect the hash of the file you gave and they probably have a larger share of the home market and more capable of detecting malware written in their own native language in a shorter period of time

I do not understand why "exposure" is so important , as long as ESET v10 has  DEDICATED ANTIRANSOMWARE module.

If ESET still bases its detection on a signature update and waits for the "sample" to be submitted, what's the point of the dedicated antiransomware module?????

Share this post


Link to post
Share on other sites
5 hours ago, MSE said:

I do not understand why "exposure" is so important , as long as ESET v10 has  DEDICATED ANTIRANSOMWARE module.

If ESET still bases its detection on a signature update and waits for the "sample" to be submitted, what's the point of the dedicated antiransomware module?????

Based on the original posting by @0xDEADBEEF, the ransomware deployed its own python based encryption routines versus using the Windows based crypto based API's. Eset's ransomware protection, I assume, is geared to detecting the Windows based crypto API's.

The only way this kind of custom crypto ransomware can be detected is if the anti-ransomware solution provides some type of file auto backup capability whenever a file is modified. It then monitors for excessive file modification activity from a process against files located in the logged on user directories targeted by ransomware. If such activity is detected, it terminates the offending process and restores all affected files up to the point of ransomware process termination.

For what is worth, this particular ransomware employed a lot of custom coding which is rare; and also expensive. The bulk of ransomware is originated from the ransomware-as-a-service(RaaS) providers and does not employ the "exotic" features shown in this ransomware sample.

Share this post


Link to post
Share on other sites
5 hours ago, itman said:

The only way this kind of custom crypto ransomware can be detected is if the anti-ransomware solution provides some type of file auto backup capability whenever a file is modified

Detection ratio for this particular ransomware was 35/63.

Hard to believe that 35 antivirus solutions have auto backup capabilities.

ESET (paid) performed the same as  Avast! (free), MSE (free), Kingsoft (free), AVG (free), ....

Share this post


Link to post
Share on other sites
16 minutes ago, MSE said:

Detection ratio for this particular ransomware was 35/63.

Hard to believe that 35 antivirus solutions have auto backup capabilities.

VT doesn't test anti-ransomware solutions; the only ones that have the auto backup feature that I am aware of.

As previously posted, a few of Next Gen/AI vendors detected it using extended sandboxed behavior analysis. A few of same did not. Everyone else detected the ransomware via signature detection - the same as Eset - with most creating the signature after Eset did.

Share this post


Link to post
Share on other sites
On 28/07/2017 at 9:57 PM, cyberhash said:


The only real way of doing such a thing is by black/white listing, and quite the opposite as to what an antivirus does by default. It's been discussed on other threads on these forums where even windows updates or driver updates are that low a reputation where black/white listing could do potentially as much damage to a machine as malware itself could if it's left to user choice. Likewise if ESET were to block a new Nvidia driver that's only been released 4 minutes ago and is only installed on 12 pc's worldwide (Inspected via Livegrid) could also be problematic, or an update to Ms Office with low rep. Imagine a scenario with no "Outlook" because it's low rep and ESET blocked it, or a borked system because ESET blocked a driver update halfway through because of it's low rep. The effects of such a mistake would be felt by xxxxx thousands of angry users.

I love my security as much as you do, but i equally think that these kind of measures are above and beyond what your average home user even knows about, let alone have to deal with or make choices.

A true whitelist app is the only way to go, and equally one that is 100% reliant on the user making the choices as when it goes wrong then you can only blame yourself. But i feel that this is something that only a small percentage of the users of home antivirus products would ever want to use/apply. Even using a browser plugin like noscript is beyond a large proportion of users and apps for whitelisting system files are further up the ladder than noscript.

Sophos for example used reputation based cloud technology, but never managed to protect The NHS in the UK from Wannacry.

Netiquette/Knowledge is always as important as the software and equally both can fail, and risk reduction always plays a big part. Staying away from the dark areas of the web is always a good idea and if you are using the web for day to day tasks then by the time that things become a widespread threat most if not all vendors will be capable of detecting and blocking them. As the users on the bad sites have became infected and theoretically virus beta testers ^_^

Like yourself i also have no idea of ESET's market share in asia and have no idea as to the reach of Livegrid's capability there, but i did see that vendors like Tencent did detect the hash of the file you gave and they probably have a larger share of the home market and more capable of detecting malware written in their own native language in a shorter period of time.



 

Isn't there a risk that if a whitelisted app gets compromised whitelisting software might not realise and simply allow the app as it is whitelisted and so persumed safe?

Share this post


Link to post
Share on other sites
15 minutes ago, peteyt said:

Isn't there a risk that if a whitelisted app gets compromised whitelisting software might not realise and simply allow the app as it is whitelisted and so persumed safe?

Whitelisting for a home user would be a nightmare as the amount of things that are installed/removed/updated , would involve a lot of user intervention. Plus for it to be effective would need to be in a full manual mode, and the amount of rules you would need to create would be enormous. Even allowing system files like Svchost on a global allow rule would leave your system vulnerable if you made a mistake and allowed any single bad process to use it to infect a machine.

Likewise blocking a wrong instance of "Svchost for example" by mistake could render your machine unusable.

To be honest, in my opinion this type of security is way over the top for your average home users needs or capability.

HIPS that's already in ESS is essentially the same thing and if you were to run that in fully interactive mode you would see the amount of user intervention that's continually needed, one wrong choice and your system could be broken.
 

@0xDEADBEEF and @itman obviously love playing with fire and testing things and need something more hardcore in the way of protection. Anything they play with and find then submit can only be a good thing for the rest of us :)

Share this post


Link to post
Share on other sites

@0xDEADBEEF, did you run this ransomware on Win 10? Did you have native SmartScreen enabled? If the .exe ran from any shell, native SS wouldn't have detected it:lol:. However if it was directly executed, native SS should have flagged the .exe as unknown.

Share this post


Link to post
Share on other sites
2 hours ago, peteyt said:

Isn't there a risk that if a whitelisted app gets compromised whitelisting software might not realise and simply allow the app as it is whitelisted and so persumed safe?

Yes.

And I couldn't think of a better example than VoodooShield whose self-protection mechanisms are non-existent. I "beefed up" same using appropriate Eset HIPS rules; process termination and modification plus registry file execute options, etc.. Same rules in fact I used to "beef up" Eset's GUI process that runs in unprotected user mode.

Share this post


Link to post
Share on other sites
2 hours ago, itman said:

Yes.

And I couldn't think of a better example than VoodooShield whose self-protection mechanisms are non-existent. I "beefed up" same using appropriate Eset HIPS rules; process termination and modification plus registry file execute options, etc.. Same rules in fact I used to "beef up" Eset's GUI process that runs in unprotected user mode.

I mean you only have to look at notpetya which used a well known legitimate program - compromised it and basically sent everyone an infected update

Share this post


Link to post
Share on other sites
14 hours ago, itman said:

with most creating the signature after Eset did.

I very much doubt this, as ESET was among a few not detecting this, at that specific time.

I am still eager to see a ransomware detected by the dedicated ransomware module  from v10.

Share this post


Link to post
Share on other sites
15 hours ago, itman said:

@0xDEADBEEF, did you run this ransomware on Win 10? Did you have native SmartScreen enabled? If the .exe ran from any shell, native SS wouldn't have detected it:lol:. However if it was directly executed, native SS should have flagged the .exe as unknown.

My sandbox is based on win7 x64. I personally don't consider SS as an effective advisory against malware because it simply generates too many FPs on legitimate programs. With such high FP rate, SS can be easily bypassed with a bit of social engineering. This sample is just one example which pretends to be an unpopular VPN client.

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...