Petya Ransomware infects MBR

Discussion in 'malware problems & news' started by stapp, Mar 26, 2016.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    HIPS should protect against process hollowing and low-level disk access. I assume that Comodo does this in paranoid mode; what type of alerts do you get to see?
     
  2. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Yes, it does on Paranoid Mode.

    I can't remember most of the alerts, but some were related to cmd.exe, svchost, Bootsec.exe, and so on. Really freaky :doubt:
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Reportedly, Petya is still distributed via email. Victims would receive an email tailored to look and read like a business-related missive from an “applicant” seeking a position in a company. It would present users with a hyperlink to a Dropbox storage location, which supposedly would let the user download said applicant’s curriculum vitae (CV).

    In one of the samples we analyzed, the Dropbox folder the link points to contains two files: a self-extracting executable file, which purports to be the CV, and the applicant’s photo. Further digging revealed that the photo is a stock image that is most likely used without permission from the photographer.

    http://blog.trendmicro.com/trendlabs-security-intelligence/files/2016/03/petya_archive.jpg

    Figure 2. Contents of the Dropbox folder

    Of course, the file downloaded isn’t actually a resume at all, but rather a self-extracting executable file which would then unleash a Trojan onto the system. The Trojan then blinds any antivirus programs installed before downloading (and executing) the Petya ransomware.

    Ref.: http://blog.trendmicro.com/trendlab...nsomware-overwrites-mbr-lock-users-computers/
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Cruelsister published a YouTube video where he tested HMPA, MBAR, and WAR. Only WAR was able to stop Petya, whereas most conventional security solutions would have detected the dropper by reputation upon execution, even before the signatures that now exist for the dropper would have detected it.

    Petya's weakness is that there is nothing especially stealthy about the dropper download.
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
  6. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Itman- The file that I tested against was the dropped file. It is stealthy in that numerous variants have made their appearance over the past few days tinkered with slightly to make them zero-day, so they have (and will) bypass traditional AV solutions.

    As I was wondering about a topic for this week's video, perhaps AVAST will go up against one of the newer Petya files (and if I can't find one, it's fairly simple to make one). But please don't diminish the nastiness of this ransomware; despite what some will have you believe, post-infection remediation is not a trivial matter at all.
     
  7. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    833
    Well stated cruelsister
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Test Eset and Emsisoft against Petya. Both have rep scanners that should stop the .exe dropper from running. Of course you would have to find a variant for which they don't already have a sig. But I believe the rep scanning would be done before the AV sig check.
     
  9. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    I don't want to run ESET again as I just did so about 10 days ago with Winlocky. And it's not so much an issue of finding a new variant, as one can be produced in less than a minute.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  12. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    I use Ubuntu 14.04.4 AMD64 on my SSD as OS drive; use a 750GB HDD encrypted with Linux LUKS EXT4 as data drive. Guess no ransomware will work on my setup, lol
     
  13. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Not this one but there is Linux ransomware.

    https://en.wikipedia.org/wiki/Linux.Encoder.1

    There are also other forms of malware that can affect Linux. It is less common than on Windows, but it does happen. Linux is huge in the back end of the web and the Internet of Things, and there are many desirable targets for cyber criminals and malware. A quick Google search will give you lots of examples.
     
  14. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Thank you. However, it's really minor compared to Windows ransomware. Only about 2000 computers were infected, and the fix was issued in April 2015. So if people keep their Linux systems up to date, then no worries. Plus, my actual data HDD is full-disk encrypted, so it should be safer.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Isn't that a no brainer? Without admin rights you can't modify the MBR. :D
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    If the dropper can't run, no other elements of the malware can be installed. Once the dropper runs, it will then proceed to overwrite the MBR and force a blue screen. Upon the OS restart is when the encryption occurs.

    As I stated previously, any AV that does reputation scanning should have also caught the dropper at startup time and alerted. It would have most likely quarantined the dropper at that time without further user interaction. I assume the same result would have occurred for anyone using anti-exec software.

    What has yet to be fully explained is where the dropper was downloaded to. I am assuming the usual place where ransomware downloads to, e.g. the %AppData% directories.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It was a joke itman, I mean you were clearly stating the obvious. Of course when you don't allow it to execute via either UAC or anti-exe, it won't work.
     
  18. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    The dropper would be stopped by ACLs set to only allow execution in the Windows and Program Files directories, or by SRP or AppLocker set to the same, without any 3rd-party software. That assumes that the email attachment was actually downloaded and run. The best defense of all, once again, is common sense. This one is actually pretty lame. The only place where it is clever is in obfuscating the dropper code; otherwise it is easily foiled, and even a fully infected system can have its data recovered with common data recovery tools, although it is a pain to spend hours scanning a disk for files.
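    The path-rule idea in the post above (execution permitted only under the Windows and Program Files trees, so a dropper landing in %AppData% never runs) can be modelled in a few lines. The example below is added here and is not code from the forum, SRP or AppLocker; the allowed roots and the environment mapping are constructed so it runs outside Windows, and the real policy engines evaluate rules in the OS, not with this function. It normalizes the candidate path first, which is the part that matters: "C:\Program Files\..\Users\bob\cv.exe" must be judged by where it actually resolves, and "C:\Windows2\" must not match a rule for "C:\Windows".

```python
import ntpath

# Constructed stand-in for SRP/AppLocker "default rules": execution allowed
# only from the Windows and Program Files trees.
ALLOWED_ROOTS = [
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
]

# Constructed environment so the example runs on any platform; on a real
# host these would come from the process environment.
SAMPLE_ENV = {
    "SYSTEMROOT": r"C:\Windows",
    "PROGRAMFILES": r"C:\Program Files",
    "APPDATA": r"C:\Users\bob\AppData\Roaming",
    "TEMP": r"C:\Users\bob\AppData\Local\Temp",
}


def expand_env(path, env):
    """Expand %VAR% references using the given mapping (names are case-insensitive).
    Unknown or unterminated references are left as-is."""
    out = []
    i = 0
    while i < len(path):
        if path[i] == "%":
            j = path.find("%", i + 1)
            if j > i:
                name = path[i + 1:j].upper()
                if name in env:
                    out.append(env[name])
                    i = j + 1
                    continue
        out.append(path[i])
        i += 1
    return "".join(out)


def normalize(path, env=SAMPLE_ENV):
    """Canonical form: env vars expanded, '.' and '..' collapsed,
    forward slashes turned into backslashes, case folded."""
    expanded = expand_env(path, env)
    return ntpath.normcase(ntpath.normpath(expanded))


def is_execution_allowed(path, allowed_roots=ALLOWED_ROOTS, env=SAMPLE_ENV):
    """True if the normalized path lies inside one of the allowed roots.

    The comparison is made on a directory boundary (root + separator) so
    that a rule for C:\\Windows does not also admit C:\\Windows2.
    """
    target = normalize(path, env)
    for root in allowed_roots:
        root_n = normalize(root, env).rstrip("\\")
        if target == root_n or target.startswith(root_n + "\\"):
            return True
    return False


if __name__ == "__main__":
    # Constructed candidates: a system binary, a program, and a dropper in %AppData%.
    for candidate in [r"C:\Windows\System32\cmd.exe",
                      r"c:/program files/App/app.exe",
                      r"%AppData%\cv.exe",
                      r"C:\Program Files\..\Users\bob\cv.exe"]:
        print("%-45s allowed=%s" % (candidate, is_execution_allowed(candidate)))
```

The boundary check and the normalization are where a hand-rolled allowlist usually goes wrong; the real SRP and AppLocker engines also resolve the path before matching. When deploying the default rules, review the Windows tree for subdirectories that standard users can write to and add deny rules for them, since a plain allow on the whole tree covers those too.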
     
  19. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I moved to GPT last month, and I'm not looking forward to going back to MBR. I thought it would be hard to make the move, but Arch Linux and cryptsetup didn't complain at all.

    Too bad Windows users still don't have a good encryption option if they use GPT, because TrueCrypt and VeraCrypt don't support it AFAIK.
     
  20. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    MBR infections are pretty old school anyway and easily removed even if you use MBR systems. There is not much the 512-byte MBR does except jump to the boot sector of the boot partition, and there isn't much an infected MBR can do other than jump to more code.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yes, but this malware isn't about the MBR. After overwriting the MBR, the system is rebooted, and then the MBR code encrypts the MFT. That's its killer. In fact, unless you have a full image to restore, fixing the MBR will ruin any chance of fixing the ransomware damage.
     
  22. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Petya is unsigned.
    The ransomware is stopped by the change to the registry key:

    a) "Validate Admin Code signatures" set to 1.

    It is also good to use the prevention tip:

    b) Turn off automatic restart after a system failure.
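    The two settings above correspond to real registry values: "Validate Admin Code signatures" is ValidateAdminCodeSignatures under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (Windows default 0, i.e. off), and "automatic restart after a system failure" is AutoReboot under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl (Windows default 1, i.e. on). The audit script below is an added example, not code from the forum or from Microsoft; it reads the live values when run as administrator on Windows and otherwise audits a constructed sample, and treats an absent value as the Windows default, which is the case that a naive "value == 1" check misses.

```python
import sys

# The two settings from the post, with their real registry locations and
# the default Windows applies when the value does not exist.
CHECKS = [
    {
        "name": "ValidateAdminCodeSignatures",
        "key": r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
        "default": 0,
        "secure": 1,
        "why": "UAC elevates only executables that are signed and validated",
    },
    {
        "name": "AutoReboot",
        "key": r"SYSTEM\CurrentControlSet\Control\CrashControl",
        "default": 1,
        "secure": 0,
        "why": "stay on the crash screen instead of restarting automatically",
    },
]


def audit(settings):
    """Compare observed values against the hardened ones.

    settings maps value name -> integer, or None when the value is absent;
    an absent value is interpreted as the Windows default.
    Returns (name, effective_value, secure_value) for every weak setting.
    """
    findings = []
    for check in CHECKS:
        observed = settings.get(check["name"])
        effective = check["default"] if observed is None else observed
        if effective != check["secure"]:
            findings.append((check["name"], effective, check["secure"]))
    return findings


def remediation_commands(findings):
    """Build the reg.exe commands that set each weak value to its hardened value."""
    by_name = {c["name"]: c for c in CHECKS}
    cmds = []
    for name, _current, secure in findings:
        key = r"HKLM\%s" % by_name[name]["key"]
        cmds.append('reg add "%s" /v %s /t REG_DWORD /d %d /f' % (key, name, secure))
    return cmds


def read_settings():
    """Read the live values on Windows; a missing key or value yields None."""
    if sys.platform != "win32":
        raise RuntimeError("live registry reads require Windows")
    import winreg
    result = {}
    for check in CHECKS:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, check["key"]) as key:
                value, _kind = winreg.QueryValueEx(key, check["name"])
                result[check["name"]] = int(value)
        except OSError:
            result[check["name"]] = None
    return result


if __name__ == "__main__":
    try:
        current = read_settings()
    except RuntimeError:
        # Constructed sample standing in for a default Windows install.
        current = {"ValidateAdminCodeSignatures": None, "AutoReboot": None}
    findings = audit(current)
    for name, have, want in findings:
        print("%s = %s (hardened value: %s)" % (name, have, want))
    for cmd in remediation_commands(findings):
        print(cmd)
```

ValidateAdminCodeSignatures only has an effect while UAC is enabled and only at the moment a process asks to elevate, so it also blocks legitimate unsigned administrative tools; AutoReboot=0 leaves the machine sitting on the blue screen, which gives an operator the chance to image the disk before the post-restart stage that the thread describes runs.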
     
  23. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Which is a terrible thing, as @Peter2150 pointed out :p
     
  24. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    One could easily image the MBR of the infected system. In fact, what I would do with such a system is to image the whole disk and then try to recover files. Nothing personal to me either, that is just standard data recovery procedure. That way, if you make a mistake, you just start over with a clean image.

    As I said, this one is pretty lame as ransomware goes. It does something that is really fast, encrypting the MFT, but that still leaves the file system in a recoverable state. I find ransomware that can run from a standard account without activating any UAC prompts and completely encrypt that user's files to be something a bit more to worry about.
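    Post 20 describes the 512-byte MBR as little more than a jump into the boot sector, and post 24 suggests imaging it as the first step of recovery. The parser below is an added example, not code from either poster; it splits sector 0 into its fields (boot code, the 4-byte disk signature at offset 440, the four partition entries at offset 446, the 0x55AA boot signature) and compares a live read against a saved baseline image, so a changed boot loader shows up even when the partition table has been left intact, which is exactly how a bootkit-style overwrite keeps the machine booting into its own code. The sample sectors are constructed; reading a real device needs root or administrator rights.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440      # boot loader code occupies bytes 0..439
DISK_SIG_OFFSET = 440    # 4-byte Windows disk signature, then 2 reserved bytes
TABLE_OFFSET = 446       # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(data):
    """Split a raw 512-byte sector into its fields; raises on a wrong-sized buffer."""
    if len(data) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(data)))
    partitions = []
    for i in range(4):
        entry = data[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]          # CHS fields at 1..3 and 5..7 ignored
        lba_start, num_sectors = struct.unpack("<II", entry[8:16])
        if ptype == 0 and num_sectors == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "num_sectors": num_sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack("<I", data[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4])[0],
        "partitions": partitions,
        "signature_ok": data[510:512] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline, current):
    """Report which parts of the sector differ from a known-good image."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    return {
        "boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
        "partition_table_changed": a["partitions"] != b["partitions"],
        "disk_signature_changed": a["disk_signature"] != b["disk_signature"],
        "signature_ok": b["signature_ok"],
    }


def read_sector0(device_path):
    """Read the first sector of a block device or of a saved image file.
    Linux: '/dev/sda'; Windows: r'\\\\.\\PhysicalDrive0' (administrator).
    Writing the returned bytes to a file gives the baseline for later checks."""
    with open(device_path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(boot_code_marker, lba_start=2048, num_sectors=204800):
    """Constructed sector for testing: marker bytes padded as 'boot code',
    a fixed disk signature, one bootable NTFS (type 0x07) partition, three
    empty slots, then the 0x55AA boot signature."""
    boot_code = boot_code_marker.ljust(BOOT_CODE_END, b"\x00")
    disk_sig = struct.pack("<I", 0xDEADBEEF)
    reserved = b"\x00\x00"
    entry = (bytes([0x80]) + b"\x00\x00\x00" + bytes([0x07]) + b"\x00\x00\x00"
             + struct.pack("<II", lba_start, num_sectors))
    table = entry + b"\x00" * 48
    return boot_code + disk_sig + reserved + table + BOOT_SIGNATURE


if __name__ == "__main__":
    # Constructed baseline and a sector whose boot code was replaced but whose
    # partition table was left alone.
    baseline = build_sample_mbr(b"CLEAN-BOOT-CODE")
    replaced = build_sample_mbr(b"SOMETHING-ELSE")
    for field, value in compare_mbr(baseline, replaced).items():
        print("%-24s %s" % (field, value))
```

Take the baseline from a known-clean state and keep it off the machine. On a system that shows the symptoms in this thread, compare first and restore nothing: as post 21 notes, rewriting the MBR on its own does not undo whatever the replaced boot code did after the restart, so the full-disk image that post 24 recommends is the thing to take before any repair.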
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Oh, nasty, just plain nasty.

    @Peter2150 Overtures of the ole notorious and dreaded KillDisk? Remember?
     