Notice where its exe is run from: https://blog.malwarebytes.org/wp-content/uploads/2015/11/warning31.png So your cryptolocker rules (assuming you have those) will alert you to a program startup in %AppData% directories. What is a bit unclear is how the bugger can access the Windows root CA to copy it to the untrusted cert area.
It's probably a registry key that should be protected, but apparently not a lot of HIPS monitor this.
I figured it out. The blacklisted certificates are from Avast Software, AVG Technologies, Avira, Baidu, Bitdefender, ESET, ESS Distribution, Lavasoft, Malwarebytes, McAfee, Panda Security, Trend Micro and ThreatTrack Security. The malware author is using the code signing certs the above vendors used to sign their software. I don't believe HIPS monitors these cert registry keys by default. I have moved a root cert to the untrusted area using certmgr.msc and never received a HIPS alert from Eset. Of course there is a UAC bypass modification component to this, since those cert storage keys require full admin/system privileges.
They are stored under this key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\AuthRoot\Certificates. However, I also have a ton of certs installed under this Eset-generated key and at this point don't know why Eset does this: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Services\S-1-5-18\SystemCertificates\ESET_EndCertStore\Certificates. It appears they do some type of cert pinning when SSL protocol scanning is enabled. I believe all Zemana does is verify that the certs are valid and chain backwards to the issuing CA.
Thanks, and check out this post about Zemana: https://www.wilderssecurity.com/thre...-while-im-browsing.372415/page-2#post-2449810
Yeah, I missed this one: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates. Also, this adware doesn't bypass UAC but rather changes the type of alert you receive from UAC. However, if the file is signed with a certificate that was blacklisted, UAC will simply block the file from running and a red warning will be displayed. The only way around this would be to temporarily disable UAC and then install the vendor's software, or delete the bogus untrusted publisher certs. The adware also only affects installs of security software from the mentioned vendors. It has no impact on existing installed software. It appears the primary purpose of the certificate manipulation is to block vendors' special removal software for adware of this type.
Zemana SSL Intrusion Prevention: "Protects SSL (https) data pre-encryption. Prevents Man-in-the-Browser (MitB) and HTML injection attacks. Monitors the Trusted Root CA Store for fake root certificate installations." Note there is no MITM protection. Yes, it monitors the Trusted Root CA Store, i.e. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, but this adware isn't modifying that. It is installing the vendors' code signing certs into the Untrusted cert store, i.e. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates. Zemana only protects unencrypted data. So if malware is received via an encrypted web site, you've had it. Finally, I think we have previously resolved that Zemana AKL doesn't protect against browser memory based injection.
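A defender-side check for the behaviour described in the posts above, added here as an example and not taken from the thread or from any vendor's tooling: it enumerates the LocalMachine Untrusted (Disallowed) store, flags code-signing certificates whose subject names one of the vendors listed earlier, and reports the registry entry each one lives under. The vendor name list and the -Remove switch are assumptions of this example.

```powershell
# Added example (not from the thread): audit the Untrusted (Disallowed) store
# for code-signing certificates belonging to the security vendors named above.
# Assumed: the vendor name list below; run elevated only if you intend to remove entries.
$VendorNames = @('Avast', 'AVG', 'Avira', 'Baidu', 'Bitdefender', 'ESET',
                 'ESS Distribution', 'Lavasoft', 'Malwarebytes', 'McAfee',
                 'Panda Security', 'Trend Micro', 'ThreatTrack')
$StorePath      = 'Cert:\LocalMachine\Disallowed'
$RegPath        = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates'
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning EKU

function Find-BlacklistedVendorCerts {
    param(
        [string[]]$Vendors = $VendorNames,
        [switch]$Remove   # assumed switch: delete hits (needs admin); default is report only
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # Only code-signing certs matter here; revoked/fraudulent CA certs in Disallowed are normal.
        $isCodeSigning = $cert.EnhancedKeyUsageList |
            Where-Object { $_.ObjectId -eq $CodeSigningOid }
        if (-not $isCodeSigning) { return }
        $hit = $Vendors | Where-Object { $cert.Subject -like "*$_*" }
        if (-not $hit) { return }
        $regKey = Join-Path $RegPath $cert.Thumbprint
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            MatchedVendor = ($hit -join ', ')
            RegistryKey   = $regKey
            KeyPresent    = Test-Path $regKey
        }
        if ($Remove) {
            # Dropping the entry from Disallowed lets the vendor's signed installers run again.
            Remove-Item -Path (Join-Path $StorePath $cert.Thumbprint) -Force
        }
    }
}

# Report only; add -Remove from an elevated prompt to clean the store.
Find-BlacklistedVendorCerts | Format-Table -AutoSize
```

Review each hit before removing it: the Disallowed store legitimately holds certificates Microsoft has blacklisted, and the name match alone is not proof of tampering.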
Yes good point, this malware is modifying another reg key that is not related to what Zemana is monitoring. But can you elaborate on these 3 points? I didn't understand it.
MITM

Two types: local and external. Local MITM malware will establish a local host proxy server, i.e. 127.0.0.x based, to capture outbound encrypted SSL traffic and decrypt it using a root CA cert it installed or a compromised existing root CA cert, e.g. the recent Dell debacle. From what I can determine, all ZAL prevents is the installation of the malware root CA cert. External MITM is almost impossible to prevent. SSL traffic is captured by an external rogue server connection. The only software that I know of that can prevent this is software that is installed both locally and at the receiving bank server to create a secure VPN tunnel between each. I believe Trusteer Rapport is the only software that does this.

Zemana Only Protects Unencrypted Traffic

ZAL doesn't scan encrypted traffic for malware. To do so, it would have to install its own root CA cert. An HTTPS website downloads encrypted malware to establish a backdoor on your PC.

Zemana AKL doesn't protect against browser memory based injection

Discussed in the "Fileless Malware" thread. From what has been discussed to date, ZAL only prevents disk based .dll injection into a protected process.
OK, I see, that stuff is indeed out of ZA's scope. It's designed to block banking trojans that inject code into the browser. Same goes for SpyShelter. You're basically talking about exploits; it won't stop that, and it's also not an AV.