In memory fileless malwar edetection ..... any antimalware software?

Another point people may not be aware of is that you cannot run a standalone .ps1 script. I has to be run as an object to the Powershell executable. Microsoft set the default file association for .ps1 to notepad.exe for security reasons.

 

I always disable SRP when updating or installing software or OS. No updates are set to automatic, all is done manually.

 

Most of the crypto malware arrives as a .zip e-mail attachment.

Now I am going to tell a story about how someone who knows better can do stupid things. I use Thunderbird as my e-mail client. My daughter often e-mails me pics of her and my grand daughter. I got tired of always having to manually open the attachments, so in a total brain cramp moment I decided to change TBird's attachment setting to always open attachments in line. Very bad move as follows.

It wasn't that long after, I received a strange pop up while in TBird about an update having been rejected because it was invalid. Spoke to the Mozilla TBird forum mods about it and they were clueless; basically stating that they had never seen anything like this. I also later noticed the default storage directory for TBird attachments had been mysteriously changed to User\AppData\Temp. Best I can determine is an e-mail I had opened must have had a .zip attachment from one of the ransomware bad guys, it auto opened when reading the e-mail, and it proceeded to attempt to download crypto malware to my PC in the disguise of a Tbird update. I was very lucky in this instance due to TBird having a self-checking mechanism for valid updates. The blocking of that update saved my butt from being nailed with having all my files encrypted. Although I have HIPS rules for protecting the AppData directories and the Program Data directory, I did not have one for the Program Files x86 directory.

Bottom line - never ever open either manually or automatically by some e-mail setting any .zip attachment unless you can 100% trust the origin of the e-mail.

-EDIT- Forgot to mention that I receive my e-mail encrypted via IMAPS. I had Eset's SSL protocol scanning enabled, TLS encryption, and scanning my e-mail upon receipt. Real time scanning was set to the maximum setting. And this bugger slipped by it; no alerts, no log entries, nada.

 

Interesting, so the only reason it automatically ran was because of your Thunderbird's settings? Or is there something more to that?

 

It was Thunderbird's settings. I like the product but you definitely have to research what its settings do prior to activating an option.

-EDIT-
Actually there is another issue with Thunderbird in my opinion:

As far as Thunderbird goes, I now realize that using Mozilla's Maintenance service and allowing silent updating is a big security risk. In this mode, all UAC elevated prompting is bypassed. I have changed the update option in Thunderbird to "notify about updates." This method allows for updating via the thunderbird.exe process with elevated UAC prompt and the Mozilla Maintenance service is never started or used.​

Further risks associated with using Mozilla Maintenance service noted here: https://wizzley.com/...security-issue/ . Note that according to this article you have to either disable the service or uninstall it to actually prevent update downloads from the service.
​

Since I did receive a bogus update, I attribute that most likely to the above. Also since this incident, I have enabled outbound firewall monitoring in Eset. It has a feature that will alert me if any network aware app such as thunderbird.exe is has been modified.

 

Since you're into SRP, came across a pretty good guide by Webroot: https://community.webroot.com/t5/We...securing-your-environment-against/ta-p/191172

They go as far as recommending disabling Windows script host.

 

In memory malware might evolve more. Imagine it injecting your browser and grabbing all passowrd etc. Nothing seems to detect this type of malawre ATM in real time, even classical HIPS.

 

Thanks for link. They are using less secure blacklisting approach (prevent execution from known locations that malware is usually using). I use whitelist approach - prevent anything that is not whitelisted.
WIndows script host - I already have it disabled.

 

Outpost anti-leak will detect process memory injection.

 

No, not this one.

 

Example of what you're referring to?

If your referring to this: http://gizmodo.com/new-russian-atm-malware-can-steal-allc-your-banking-det-1731296403 , it applies to stand alone ATM machines.

 

Equivalent in a HIPS would be policy based mode; with no rule, the process is automatically blocked.

 

I have already mentioned this here but my work place was hit by Powerliks. The company hired to take care of our computers came and attempted to fix them.
When I noticed they couldn't get rid of it, I ran a scan with Symantec endpoint as well and nothing, Ran Malwarebytes and nothing. Although Symantec kept giving a warning it could not clean it at that time. I also noticed the IT people tried running things like Spybot Rkill ect all the normal adviced cleaning programs. I took things into my own hands on my work computer and downloaded Eset's cleaning file for just the version of Powerliks I had. It cleaned it. My manager on the other hand just kept getting infected and fired the company that was suppose to fix it. He hired another and am not sure how that turned out.
The older version spread through out the company via lan because I knew I had not opened any attachments, unless it was from the manager. During that escapade I read about Powerliks and how it was creating a hidden Reg key to start from. It didn't always start with each reboot but would later on. I always knew when it had started because of some task manager entries. There were multiplies of them which I knew was wrong. dllhost.exe

 

Why didn't you inform them on how you got your PC cleaned? Or you did and they kept getting infected?

 

I think the new IT people took care of it. We were told not to waste time trying to fix our own computers or co workers. I took it on anyway thinking I was going to retire soon and didn't care. Was going to retire last Dec but decided to stay another year.

 

If the browser or other exploited app is running restricted (by sandbox or HIPS), it will indeed get harder for in-memory malware to do any damage.

That doesn't block in-mem exploits, you need anti-exploit for that.

 

In-memory ransomware and banking trojans would be scary, but I wonder why it's still not seen ITW, there must be a reason. Perhaps it's too difficult for hackers to succesfully attack systems with in-mem malware?

 

Next time, go first to bleepingcomputer.com to see if they have a removal guide. They have one for Poweliks that also lists all the stand-alone removal tools: http://www.bleepingcomputer.com/virus-removal/remove-poweliks-trojan#accordion-2 . They also offer free malware removal assistance.

Best way to prevent Poweliks infections is a HIPS rule to monitor Powershell execution. That might take a bit of work in a corp. environment if the tech support staff created a bunch of Powershell scripts. Also a HIPS rule should have been in place to monitor Windows startup areas and registry keys.

-EDIT-
There is also an exploit component to Powerliks;

The Trojan uses the Microsoft Windows CVE-2015-0016 Remote Privilege Escalation Vulnerability to escalate privileges on the compromised computer.
ref.: http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-080408-5614-99
​

So just keeping your computer updated with the latest OS patches will go along way to prevent an infection.

 

Most of fileless malware load a dll into browser while in memory and this is not intercepted by HIPS. I have personally tested this injection with Defence Plus and no pop up alerts from Comodo even in paranoid mode with max security.

 

I am using Eset HIPS and it stopped both regular and reflective dll (memory based) injection. You can read my testing results here: https://www.wilderssecurity.com/threads/mrg-effitas-online-banking-browser-security-q2-2015.378862/ . Note that you do have to create rules for your browsers and other Internet facing apps to accomplish this. By default, Eset HIPS does not prevent this.

Additionally, Emsisoft EAM/EIS behavior blocker will by default detect the memory injection attempt from any unknown and unsigned process and issue an alert. Again this result is noted in the above link.

I also strongly suspect Comodo's Defense+ will stop memory injection attempts but again I believe you have to create specific rules for your Internet facing apps to accomplish this.

Sandboxie will prevent memory injection of a protected process but only if the malware was present within the sandbox. It will not prevent memory injection from any malware running outside of the sandbox.

Finally, HitmanPro Alert and supposedly the to be released ver 1.8 of MBAE will prevent all defined apps from memory injection. EMET is only effective against simple memory injection attempts since it uses limited predefined address space.

 

I have RPC, SMB, and access to $ADMIN all disabled in Eset's IPS.

 

$ADMIN itman are you cheating by using a Linux system?