Windows 10 Ransomware Protection Bypassed Using DLL Injection

Discussion in 'other security issues & news' started by guest, Oct 9, 2018.

  1. guest

    guest Guest

    Windows 10 Ransomware Protection Bypassed Using DLL Injection
    October 9, 2018
    https://www.bleepingcomputer.com/ne...ware-protection-bypassed-using-dll-injection/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    So, what's new?
    And most predictably and to be expected:
    https://www.bleepingcomputer.com/ne...led-folder-access-anti-ransomware-protection/
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Yeah, I said this would happen when they released this feature. This is why I did not enable it on ANY of the PCs I manage.
     
  4. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Not sure exactly how this particular exploit works, but Windows Defender with ASR can block reflective DLL loading.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This is no surprise at all, but apparently most ransomware doesn't use code injection? I do know they sometimes use process hollowing and from what I understood the "protected folders" feature did protect against this surprisingly. Actually, I don't know if Cruelsister did test this.
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    This technique will bypass the protected folders feature of all AVs. This kind of feature will always be defeatable.
    However, the newly improved Windows Defender ASR rules on Windows Pro 1809 with updates will defeat this technique. The ASR rules are not enabled by default, but they are there.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Doesn't this exploit still have to typically start out with the victim opening a malicious attachment or email link?
     
  8. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    8,625
    Location:
    USA
    Most ransomware likely doesn't use code injection. That said, there are other things that do. I guess this is a ransomware discussion but it is far from my only concern.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Easiest way to prevent this bypass is to prevent explorer.exe from being terminated. Also this technique, explorer termination and restarting, has been used in the past by malware.

    -EDIT- Scratch the above since it really isn't the problem. What the bypass is:
    requires monitoring of what is created in this registry key, HKCU\Software\Classes\CLSID\*. Appears that is feasible since all I have present in that key in Win 10 1803 are references to .dlls and .exe's loading from C:\Users\xxxxx\AppData\Local\Microsoft\OneDrive\18.131.0701.0007\amd64\ which does make one wonder since I have uninstalled OneDrive.

    Also since this bypass requires registry modification, mitigations for that such as reg command usage and the like are also effective.

    This bypass does have all the benefits that can be achieved via process hollowing without having to go through the effort to do so.
     
    Last edited: Oct 15, 2018
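    An added audit script (not written by anyone in this thread, nor by BleepingComputer) that does the monitoring itman describes above: it enumerates HKCU\Software\Classes\CLSID and reports every per-user COM server whose InprocServer32 DLL lives outside Windows or Program Files. Which roots count as "trusted" is an assumption for illustration; adjust the list to your environment.

    ```powershell
    # Audit per-user COM registrations under HKCU\Software\Classes\CLSID.
    # Per-user CLSID entries take precedence over the HKLM ones, so a DLL
    # registered there gets loaded by any process that instantiates that CLSID.
    # Added example for this thread; not code from any poster or vendor.

    # Assumption: anything outside these roots is worth a second look.
    $trustedRoots = @(
        $env:SystemRoot,
        ${env:ProgramFiles},
        ${env:ProgramFiles(x86)}
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

    function Get-SuspiciousUserClsid {
        $base = 'HKCU:\Software\Classes\CLSID'
        if (-not (Test-Path -Path $base)) { return @() }

        Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
            $server = Join-Path -Path $_.PSPath -ChildPath 'InprocServer32'
            if (-not (Test-Path -Path $server)) { return }

            # The key's default value holds the DLL path; it may be quoted
            # or contain environment variables, so normalise before comparing.
            $raw = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            if (-not $raw) { return }
            $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')).ToLowerInvariant()

            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($dll.StartsWith($root + '\')) { $inTrusted = $true; break }
            }
            if ($inTrusted) { return }

            [PSCustomObject]@{
                Clsid     = $_.PSChildName
                Dll       = $raw
                DllExists = Test-Path -LiteralPath $dll
            }
        }
    }

    # Run the audit and show the results as a table.
    Get-SuspiciousUserClsid | Format-Table -AutoSize
    ```

    Expect legitimate per-user entries such as the OneDrive paths itman saw under AppData\Local, so baseline a clean machine first and alert only on new CLSIDs or on a DLL path that changes.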
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    They probably don't use standard code injection because this can be spotted by HIPS. But this particular method makes use of modifying a registry key; it's really ridiculous that this is possible in the Windows OS.

    Yes that's obvious, but ransomware could incorporate this technique, that is what's worrying.
     