This puppy uses Windows directory:

Files associated with the Radamant Ransomware Kit:
%Desktop%\YOUR_FILES.url
C:\Windows\directx.exe

Registry entries associated with the Radamant Ransomware Kit:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost C:\Windows\directx.exe
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost C:\Windows\directx.exe

Ref.: http://www.bleepingcomputer.com/new...re-kit-adds-rdm-extension-to-encrypted-files/
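A read-only triage script built from the indicators in the post above (added here as an example; it is not from the thread, from BleepingComputer, or from any vendor). It looks for the two Run values named svchost, the dropped C:\Windows\directx.exe, and the desktop ransom note, and for any file it finds it reports the SHA1 and who actually signed it. The only assumptions are the paths and value names quoted in the post; it deletes nothing.

```powershell
# Added example: check one host for the Radamant persistence artefacts listed above.
# Paths and value names are taken from the post; everything else is plain reporting.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$valueName = 'svchost'
$payload   = Join-Path $env:windir 'directx.exe'
$marker    = Join-Path ([Environment]::GetFolderPath('Desktop')) 'YOUR_FILES.url'

$findings = @()

# 1. Run-key persistence. The genuine service host never registers itself here,
#    so any Run value called "svchost" deserves a look whatever it points to.
foreach ($key in $runKeys) {
    $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($item) {
        $findings += [pscustomobject]@{
            Type   = 'RunKey'
            Where  = "$key\$valueName"
            Detail = $item.$valueName
        }
    }
}

# 2. Dropped files. Hash them so the result can be compared with a vendor write-up,
#    and show the signer of the executable: a "Valid" signature only tells you the
#    file was signed by *someone*, not that it belongs to Windows.
foreach ($file in $payload, $marker) {
    if (Test-Path -LiteralPath $file) {
        $detail = 'SHA1=' + (Get-FileHash -LiteralPath $file -Algorithm SHA1).Hash
        if ($file -like '*.exe') {
            $sig = Get-AuthenticodeSignature -FilePath $file
            $detail += "; Signature=$($sig.Status); Signer=$($sig.SignerCertificate.Subject)"
        }
        $findings += [pscustomobject]@{ Type = 'File'; Where = $file; Detail = $detail }
    }
}

if ($findings.Count -eq 0) {
    'No Radamant artefacts found on this host for the current user.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

HKCU is the hive of whoever runs the script, so on a shared machine repeat the check per user (or load the other users' NTUSER.DAT hives). Run it elevated so the HKLM key and the Windows directory are readable.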
I was thinking, normally HIPS will trust apps inside C:\Windows\, but only if they're "Microsoft signed". And EXE Radar will also block applications from running if it's not a system file.
Yes it will. Moreover, I decided to not "Allow all software from Program Files folder" on ERP. At first it was a nightmare of pop-ups in a row, but I made use of "Learning Mode" by opening all my stuff (spent 30 minutes doing so), and now the "kid" is quiet.
Notepad, explorer, and write are few .exe's in C:\Windows that are unsigned. So, not sure about the signed apps check. Also, depends on the HIPS options in this area.
I still have this option enabled, it's a risk in theory, but if the exploit can't run, it's not a big deal. Yes correct, but according to Andreas (developer of ERP), Windows has got a certain API that can tell you if some app belongs to the Windows OS or not. So even if they don't have a signature, security tools can still decide if the app is legit or not.
Interesting. Appears there already is an existing Trojan named directx.exe: http://www.bleepingcomputer.com/startups/DirectX_Service-14356.html . Suspect the malware author just modified it to run in Windows versus the Windows\System32 directory. Don't know why the malware author would create a svchost sub-key. Perhaps some AV software ignores entries created as such? Or Bleeping hasn't fully identified it. My bet is that is the case and the bugger is indeed installed as a service, just like the prior Trojan version was. Best way to block it is HIPS rules to prevent mods to the registry keys it uses. Also, if infected, don't reboot your PC until all traces are removed. The encryption of files will occur at reboot.
Symantec already has a signature for this: http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-122110-0855-99 . Hopefully, the other AVs do also.
I run ERP telling it to ignore signed apps. Also I don't automatically allow Windows or Program Files stuff. I whitelisted what's there, but if a new kid shows up, it needs permission. Also AppGuard blocks writing to any system folders and can block access of guarded apps to data areas.
I understand everything you've said, Peter, except the part "I don't automatically allow windows...". Do you mean you've unchecked the "Allow Microsoft Windows system protected processes" box?
I also have this feature enabled. Like I said, if some app manages to write to the system folders, ERP will still block it, because Windows lets ERP know if it's a system file or not, with or without a signature.
Yes I know, I just wanted to post some general info. But it's likely that Peter2150 has indeed disabled this feature. But for convenience it's better to leave it enabled, IMO.
If this is a resurrection of the old Trojan, it can install anywhere and can run under any name: http://www.threatexpert.com/files/DirectX.exe.html . Best way to protect against this is AV signature or HIPS registry key blocks.

-EDIT- Emsisoft has a sig for it so that is all I care about: http://www.isthisfilesafe.com/sha1/31FFA977ABC99EBCC17C64AF5C87982B7E37F6FE_details.aspx

Also directx.exe is a signed file, by guess whose cert.?
Certificate Status: Valid
Company: IT AUDIT AND COMPLIANCE SERVICES LLC
Start: November 10, 2015
End: November 10, 2016
Serial: 00BB3CCAF99CC223A1AD34177B638A3BC8
Authority: COMODO RSA Code Signing CA

Only 10 AVs so far detect it at VirusTotal. Eset is also one of them. Interestingly, the Symantec version VT uses doesn't. Perhaps a difference in Endpoint versus Norton sigs.?
MisterX, I do indeed uncheck that option, as it would allow anything there to run. Rasheed, where did you get that information?
That's my opinion too now that I was re-studying my security apps and their config and potential breaches or flaws by default. Good to know I can tighten security even more with ERP.
Andreas has told me that it won't allow anything to run, if that setting is enabled. It will still block apps that are not related to the Windows OS.
When you think about it, leaving this feature enabled has a big advantage, because if ERP blocks something from inside the system folders, you will already know that something fishy is going on.
Ask Andreas what Win API he is using that will determine if a file is a system file. The only thing I know that will do so is System File Checker, i.e. SFC.

Starting with Win 7, Windows processes run in Session 0. Session 0 is reserved exclusively for services and other non-interactive user applications. Users who are logged on to Windows and their user applications must run in Session 1 or higher. However, session level can be overridden using software such as PSEXEC as noted below:

To launch cmd.exe in session 0, use psexec from Sysinternals.
psexec.exe -s 0 cmd.exe
Now you have a console running in session 0. You can also start cmd.exe in session 0 and display GUI:
psexec.exe -s -i 0 cmd.exe
That way when you switch to session 0, the cmd.exe will be waiting for you there. You have as many rights as you can get in Windows 7 using PSEXEC.
Ref. http://superuser.com/questions/426868/interactive-session-0-in-windows-7

-EDIT- The version of PSEXEC the hackers use is PS2EXEC. You can read about it here: https://www.wilderssecurity.com/thre...powershell-malware.380590/page-3#post-2549580
Decryptor now available for this: http://www.bleepingcomputer.com/new...s-decrypter-for-the-randamant-ransomware-kit/ Can't beat the fact that Emsisoft aka Fabian is right on top of these new ransomware variants.
All that is doing is validating if a file is signed. Many files in %Windows% are not signed. Files in %Windows%\System32 or SysWow6432 should be signed, but not all are MS signed, e.g. graphics card driver files. Malware can also be signed.
Exactly, and this poses a huge problem. Sufficient reason for me to not allow Program Files folders and Windows system protected processes in ERP.
Here is some more info. I think that with these APIs, security tools can figure out if it's a "Windows Protected File" or not. I'm not sure if you can classify these files as "Microsoft signed", but I believe SpyShelter also uses this method to figure out if a .exe file is legit or not.
https://msdn.microsoft.com/en-us/library/windows/desktop/aa382536(v=vs.85).aspx
https://technet.microsoft.com/it-it/sysinternals/jj919409#

Wrong, at least when it comes to the Windows system folder, I already explained, see above.
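The disagreement in the last few posts comes from three questions being run together: is the file signed at all (and where the signature lives), is the signer Microsoft, and does Windows itself treat the file as a protected system file. The script below is an added example, not from the thread, ERP, SpyShelter or Microsoft, that answers each question separately for a list of files. It assumes the API behind the first MSDN link is SfcIsFileProtected from sfc.dll (an assumption; the post does not name the function), and that Get-AuthenticodeSignature exposes SignatureType, which needs Windows 8 / PowerShell 3 or later.

```powershell
# Added example: separate "signed", "signed by Microsoft" and "Windows protected file".
# Assumption: SfcIsFileProtected (sfc.dll) is the Windows File Protection / WRP check
# the post refers to; RpcHandle must be NULL according to its documented contract.

Add-Type -Namespace Win32 -Name Sfc -MemberDefinition @'
[DllImport("sfc.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool SfcIsFileProtected(IntPtr RpcHandle, string ProtFileName);
'@

function Get-WindowsFileTrust {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }

        # Get-AuthenticodeSignature also resolves catalog signatures (.cat files under
        # System32\CatRoot), which is why notepad.exe shows up as signed here even
        # though the PE itself carries no embedded certificate.
        $sig     = Get-AuthenticodeSignature -FilePath $p
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            File         = $p
            SigStatus    = $sig.Status          # Valid / NotSigned / HashMismatch / ...
            SigType      = $sig.SignatureType   # Embedded / Catalog / None
            # "Valid" means the chain builds to a trusted root; the subject match then
            # narrows it to Microsoft's own code-signing identity.
            MicrosoftSig = ($sig.Status -eq 'Valid' -and $subject -match 'O=Microsoft Corporation')
            WfpProtected = [Win32.Sfc]::SfcIsFileProtected([IntPtr]::Zero, $p)
            Signer       = $subject
        }
    }
}

# Sample run: a catalog-signed Windows binary, a core system binary, and a name a
# dropper might use in %windir% (reported as NotSigned / not protected if present).
Get-WindowsFileTrust -Path (Join-Path $env:windir 'notepad.exe'),
                           (Join-Path $env:windir 'System32\svchost.exe'),
                           (Join-Path $env:windir 'directx.exe') |
    Format-Table -AutoSize
```

The point the table makes is that the three columns are independent: a third-party driver in System32 can be Valid but not Microsoft-signed, a catalog-signed Windows file looks "unsigned" to a tool that only reads the PE, and a file that simply sits in C:\Windows gets neither a Microsoft signature nor WfpProtected. A stricter Microsoft check would pin the root certificate thumbprint rather than match on the subject string, since the subject alone is attacker-controlled in a self-signed certificate and only the Valid status ties it to a trusted chain.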