
Terminator malware can disable Eset?



  • Administrators

As far as I know, they misused a vulnerable Zemana anti-logger driver to disable AVs from kernel mode. The driver has been detected by ESET for some time already as a potentially unsafe application, like any other vulnerable legitimate driver, and users with detection of potentially unsafe applications enabled were fully protected.

The article reads "Only Elastic detects the file as malicious whereas the file is undetected by 70 other vendors according to VirusTotal", which gives a false impression that no AV could protect against driver exploitation. Scan results at VT are one thing and actual protection by security solutions another.


  • Most Valued Members
24 minutes ago, MartinPe said:

You are not alone in this; does that mean the malware is Windows' fault?

CrowdStrike details Spyboy Terminator said to kill Microsoft Defender, Avast, and more EDRs - Neowin

Hope you will be able to detect this.


Interesting comment from VT



  • 1 month later...
On 6/1/2023 at 11:23 PM, Marcos said:

As far as I know, they misused a vulnerable Zemana anti-logger driver to disable AVs from kernel mode. The driver has been detected by ESET for some time already as a potentially unsafe application, like any other vulnerable legitimate driver, and users with detection of potentially unsafe applications enabled were fully protected.

The article reads "Only Elastic detects the file as malicious whereas the file is undetected by 70 other vendors according to VirusTotal", which gives a false impression that no AV could protect against driver exploitation. Scan results at VT are one thing and actual protection by security solutions another.

This is huge.

You are therefore one of the first and one of the very few that were clever enough to at least recognize it as potentially unsafe, and I would not have allowed it had I seen a warning, as it would be something unknown to me.

There is a video today of the latest Kaspersky, and double-clicking the Terminator instantly eliminates all Kaspersky processes.

That really put me off them.

I had a really big problem with ESET last year where it corrupted my boot sector and irrecoverably hosed my entire installation; it was after a (successful) system restore.

I got a refund and to be honest I was so stressed out that I just didn't want to deal with it and I shut down and disappeared from here after the refund, but if you were in my shoes I would think you would understand. Especially since it happened within the first 30 days of using the product for the first time ever in my life.

The thing is, now, with ESET being one of the very few clever enough to deal with Terminator (and many AVs don't, still to this very day)! I really am considering it all over again, as I got a brand new computer a few days ago. I have done the clean Windows 11 install and now it's time to find an AV suite for it.

Should I start another topic about that do you think? To see if they ever worked out what happened and whether I would not be at risk of it happening a second time?

I know this post is on a tangent, but it's purely my hours of research today to study which AVs were the quickest in dealing with such a clever piece of malware that brought me here.

THIS is the stuff that matters. Real-world protection from unexpected surprises. Something I always thought Bitdefender and Kaspersky also excelled at, but it seems I was wrong, as the latter only finally blocked the driver today, more than a month after the malware was in the wild, and BD still has no protection against it.

So despite everything, ESET is heavily on my radar again. Furthermore, as far as actual usage goes, I liked it the most out of all. It was so lightweight and a complete package, and it never affected my browsing speeds in any way.

That's of course if they'll even have me a second time LOL!


Edited by TTOZ
Spelling errors

1 hour ago, TTOZ said:

I had a really big problem with ESET last year where it corrupted my boot sector and irrecoverably hosed my entire installation; it was after a (successful) system restore.

Interesting story.

For what it is worth, I had a very similar incident the first time I installed Eset on Win 7. This was close to 10 years ago. In my case, I restored using an image backup. I posted the event in the forum here and received the response from the moderator that it was not possible for Eset to do something like this, etc.

Being an "adventurous soul," I decided to install Eset a second time and it installed w/o issue. I have been using Eset ever since.

Things like this happen occasionally for reasons unknown. I would go ahead and install Eset on your new PC. It should install w/o issue.

Edited by itman

For those interested, PC Security Channel just published a video on this Terminator malware here: https://www.youtube.com/watch?v=uRB__njsOlk. The best part of the video is how he "rips" Microsoft Defender's self-defense capability.

Also if you are running Win 10/11 Pro+ and have Core Isolation - Memory Integrity enabled, this vulnerable Zemana driver will be blocked by Windows itself via its vulnerable/malicious driver list capability.


4 hours ago, itman said:

For those interested, PC Security Channel just published a video on this Terminator malware here: https://www.youtube.com/watch?v=uRB__njsOlk. The best part of the video is how he "rips" Microsoft Defender's self-defense capability.

Also if you are running Win 10/11 Pro+ and have Core Isolation - Memory Integrity enabled, this vulnerable Zemana driver will be blocked by Windows itself via its vulnerable/malicious driver list capability.

Very interesting about core isolation. It was enabled by default when I did my fresh Win 11 install, but I will have to disable it if I ever want to undervolt. This MSI GT77 is known to be insane when undervolted, but to be completely honest, it's so powerful as it is (I get 32.8K Cinebench R23 and 22.3K Time Spy out of the box with no tweaks) that I think I'd rather just be safe and leave it on.

But do you mean it actually gets blocked, or do you mean UAC prompts you whether to allow it or not? If it gets properly blocked then that's pretty impressive, and also confusing as to why people are saying Defender is the worst against Terminator, when most people are not power users and would just leave core isolation enabled since it's the default (and it still works when other AVs are installed anyway).


4 hours ago, itman said:

Interesting story.

For what it is worth, I had a very similar incident the first time I installed Eset on Win 7. This was close to 10 years ago. In my case, I restored using an image backup. I posted the event in the forum here and received the response from the moderator that it was not possible for Eset to do something like this, etc.

Being an "adventurous soul," I decided to install Eset a second time and it installed w/o issue. I have been using Eset ever since.

Things like this happen occasionally for reasons unknown. I would go ahead and install Eset on your new PC. It should install w/o issue.

What happened was, I disabled ESET self-protection per forum instructions so system restore could finish successfully, and it did, and then 2 minutes after the system loaded I opened ESET to make sure it was back on, and before I even got there it just hard crashed and that was it. I had to hold the power button to shut down; when I powered back on I could not even get into the safe mode MENU at boot, it wouldn't proceed past the BIOS screen. Malwarebytes staff explained to me that, with the way AVs insert low-level code throughout the system, it's entirely possible even their software could do that if really unlucky, so that's honest, but a few months before that I had a previous laptop hosed by Bitdefender, which got stuck in a false detection loop and kept finding "infected" files and deleting them. I force shut down in that case too, as it kept bringing up prompts about the next "infection", and when I rebooted, of course I ran 5 different offline tools and BD itself and there wasn't a single infected file. It just went crazy as I was changing folder view settings in Windows 11, not opening or downloading any files at the time. Each reply back from them took SEVEN days, even after they'd apologise and promise faster responses, and this for a system with critical files corrupted and deleted all over the place LOL.

And then ESET were amazing with support, SO fast, but then that happened. A new, different machine hosed. So you can imagine how I felt. I went to MWB and there's been zero issue on the same machine, but I SO miss an all-in-one suite with a 2-way firewall. So BD, NO WAY. Never again in my lifetime. ESET, yeah, GREAT people, I'd love to give it a second chance.

I am demoing Kaspersky now and it's OK, but nowhere near as fast as NOD was. I made a system restore point BEFORE I installed Kaspersky, so now I can uninstall it, reboot, then run SR and it should mean zero traces.

I was going to try AVG using this method as well, but I really, really like and miss ESET.

But I am scared. I am not trolling in any way; as much as I like them, there's that fear in the back of my mind.

I don't tend to back up my OS drive. I have multiple backups of all my other drives and everything is set up so I just reinstall the OS if needed and the rest is all on the other drives, including Steam games.

I suppose it's something I could look into. I'd need to buy an extra drive again to do it, and right now I am strapped because the GT77 purchase ate through my savings.


Cheers and thanks for the reply; sorry something similar happened to you too.


9 minutes ago, rotaru said:

I thought we were not supposed to believe whatever is posted on YouTube...

Leo is a legit guy who helps us on his channel, and he properly tests security software and updates us on situations like with Terminator. PC Security Channel is a fantastic channel.


1 hour ago, TTOZ said:

But do you mean it actually gets blocked, or do you mean UAC prompts you whether to allow it or not? I

Eset detects the Zemana driver on download as a PUA and quarantines it.

As far as Windows native protection on Win Pro+ versions with memory integrity enabled goes, it won't allow the Zemana driver to load at boot time if it was previously installed somehow.


1 hour ago, rotaru said:

I thought we were not supposed to believe whatever is posted on YouTube...

PC Security Channel reviews often don't fully disclose all protection details. In this review, he mentions the low detection rate of the Zemana driver at VT. Assume that rate applies if the driver was previously installed. As I posted, Eset will detect it on download. It will also detect it as a result of an Eset on-demand scan, as it did for a vulnerable Process Explorer driver I had installed.


I will start a topic, it seems, then, to see if ESET have improved compatibility with system restore. It is more than twice the price of Kaspersky for 2 years for 3 machines right now, so I still have to think about it, but I'll see what the staff say. I am really impressed how quickly they were able to protect against such a unique threat, and that has gone a long way to me wanting to use them again. Cheers all.


14 hours ago, itman said:

PC Security Channel reviews often don't fully disclose all protection details. In this review, he mentions the low detection rate of the Zemana driver at VT. Assume that rate applies if the driver was previously installed. As I posted, Eset will detect it on download. It will also detect it as a result of an Eset on-demand scan, as it did for a vulnerable Process Explorer driver I had installed.

Also, some products won't detect the driver itself but will stop any attempt to exploit it. For example, this is what Kaspersky told me: "Our products detect the attempts to exploit CVE-2021-31728. It is enough." A similar thing was said by Bitdefender as well. But I do like ESET's approach of adding the driver to their PUA detection, and I think they have also taken measures to stop the exploit via HIPS or another internal method.


Let's get into the "nitty gritty" of the vulnerability:

Quote

Description

Incorrect access control in zam64.sys, zam32.sys in MalwareFox AntiMalware 2.74.0.150 allows a non-privileged process to open a handle to \\.\ZemanaAntiMalware, register itself with the driver by sending IOCTL 0x80002010, allocate executable memory using a flaw in IOCTL 0x80002040, install a hook with IOCTL 0x80002044 and execute the executable memory using this hook with IOCTL 0x80002014 or 0x80002018, this exposes ring 0 code execution in the context of the driver allowing the non-privileged process to elevate privileges.

Technical Details

IOCTL 0x80002040 exposes kernel memory allocation in the NonPagedPool where a user-mode string is copied into the target buffer, this buffer can be used for shellcode by forcing the input data to be larger than 0x1000 bytes, a buffer larger than 0x834 will cause a STATUS_ACCESS_VIOLATION and so you must trick the IOCTL into failing and forgetting to free the buffer, you can then search SystemBigPoolInformation for the newly allocated buffer with the shellcode. IOCTL 0x80002018 instructs the driver to setup a hook function which contains fixed prologue code (passed from a user-mode buffer and copied until the first jmp instruction) for a miniport driver's IRP_MJ_SCSI_HANDLER, this hook is installed and used when either IOCTL 0x80002014 or 0x80002018 are sent, these IOCTL's send SCSI requests to a driver specified by the user input, but also install the hook function before-hand and remove it after. This can be leveraged by:

opening a handle to \\.\ZemanaAntiMalware

registering with the driver by sending IOCTL 0x80002010

allocating kernel memory in the NonPagedPool by abusing a flaw in IOCTL 0x80002040

searching for this kernel memory by enumerating SystemBigPoolInformation

installing a miniport driver hook prologue fix using IOCTL 0x80002044

executing the miniport driver hook with IOCTL 0x80002014 or IOCTL 0x80002018

A proof of concept is available at https://github.com/irql0/CVE-2021-31728/blob/master/kernel_exec/main.c

https://github.com/irql0/CVE-2021-31728/blob/master/CVE-2021-31728.md

One should always be suspicious of mini-port filter device drivers with regard to whether they are properly coded. For the most part, they are not used today, in favor of direct interfacing with the Windows Filtering Platform.

Edited by itman

Finally, this Zemana driver just didn't "mysteriously" install itself. Referring to the original Neowin article:

Quote

Harris says that the tool works in a way similar to how Bring Your Own Vulnerable Driver (BYOVD) disables security components present on the system:

At time of writing, the Terminator software requires administrative privileges and User Account Controls (UAC) acceptance to properly function. Once executed with the proper level of privilege, the binary will write a legitimate, signed driver file — Zemana Anti-Malware — to the C:\Windows\System32\drivers\ folder. The driver file is given a random name between 4 and 10 characters.

This technique is similar to other Bring Your Own Driver (BYOD) campaigns observed being used by threat actors over the past several years.

Under normal circumstances, the driver would be named zamguard64.sys or zam64.sys. The driver is signed by “Zemana Ltd.” and has the following thumbprint: 96A7749D856CB49DE32005BCDD8621F38E2B4C05.

Once written to disk, the software loads the driver and has been observed terminating the user-mode processes of AV and EDR software.

One is strongly advised to set UAC to the maximum level, which makes a UAC bypass (which doesn't appear to be deployed here) much more difficult to perform.

Edited by itman
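A defender-side check for the indicators quoted above, added here as an example and not code from the thread, ESET or any other vendor: it looks for the Zemana driver under any file name (since Terminator drops it under a random 4-10 character name) by Authenticode signer thumbprint or subject, reports whether a matching copy is currently loaded, and reports whether Core Isolation's Memory Integrity (HVCI) is running. The function names are my own; it assumes the thumbprint quoted in the article is that of the leaf signing certificate.

```powershell
# Added example, not from the thread: hunt for the Zemana driver by signer, not by file name.
$ZemanaThumbprint = '96A7749D856CB49DE32005BCDD8621F38E2B4C05'   # thumbprint quoted in the Neowin article
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Returns one object per .sys file in $Path whose signer matches Zemana (thumbprint or subject).
function Find-ZemanaDriverCopies {
    param([string]$Path = $DriverDir)
    # File names of drivers the Service Control Manager currently reports as running
    $running = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object { [System.IO.Path]::GetFileName($_.PathName.Trim('"')) }

    Get-ChildItem -Path $Path -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if ($null -eq $cert) { return }   # unsigned file: not the BYOVD driver discussed here
            $byThumbprint = $cert.Thumbprint -eq $ZemanaThumbprint   # assumed to be the leaf cert
            $bySubject    = $cert.Subject -match 'Zemana'
            if ($byThumbprint -or $bySubject) {
                [pscustomobject]@{
                    File       = $_.FullName
                    Signer     = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    SigStatus  = $sig.Status        # 'Valid' is expected: the abused driver is genuinely signed
                    Loaded     = $running -contains $_.Name
                }
            }
        }
}

# True when hypervisor-enforced code integrity (Core Isolation > Memory Integrity) is running,
# the setting the thread says stops the Zemana driver from loading.
function Test-MemoryIntegrityRunning {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    return [bool]($dg -and $dg.SecurityServicesRunning -contains 2)   # 2 = HVCI
}

$hits = @(Find-ZemanaDriverCopies)
if ($hits.Count -eq 0) { 'No Zemana-signed driver found in {0}' -f $DriverDir }
else { $hits | Format-Table -AutoSize }
'Memory Integrity running: {0}' -f (Test-MemoryIntegrityRunning)
```

Run from an elevated PowerShell; a hit with Loaded = True is the case the thread describes, where detection on download is too late and a blocklist or exploit-attempt detection has to take over.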

  • 3 weeks later...

I decided on AVG. I tried the ESET demo and the software is so complicated I thought I'd try something simpler, and I fell in love with AVG IS. I have never used any IS or AV that is so simple to operate, especially adding scanning exceptions and controlling the outbound firewall, and like ESET there is no forced VPN installed, thankfully, either (I use Nord).

I gave ESET a good go and was reminded of this topic because I just got an email to say my ESET trial expires in 15 days. But when I get a bargain (10 PCs or phones/3 years, 139 AUD total cost) like I got, I just couldn't say no.

ESET is great software, and I would like to point out that it always made me feel safe and has very few false positives, and on that note it is superior to what I went with, and ESET also performs slightly better overall, but it really is for power users. It took me 20 minutes to find the update settings and webcam settings, as well as trying to find application control. Those who are tech heads, I would recommend ESET over AVG for sure. For those who are old like me and need something simple, well, the choice was more difficult, but I made it and I am genuinely happy so far.

Also, for those who appreciate good support, Eset is the best I have encountered from all AV developers to this date, with only the Malwarebytes team equaling ESET's incredibly quick and thorough replies. The rest, including AVG, do not even come close in that department.

I did want to use the ESET free scan tool as a second-opinion scanner, but it crashes every time I launch it; apparently that's a known thing, so I gave up trying and went to MWB instead for that.


Cheers all
