Techniques for the manipulation of malicious payloads to improve evasion

Discussion in 'malware problems & news' started by Minimalist, Jan 24, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Another misunderstanding of SmartScreen, in my opinion. Most revealing was WD's total failure against Metasploit.
     
  3. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @itman :

    Apparently you have misunderstood the report.
    Please reread the 26 pages in the report carefully.

    Windows Defender blocked ALL the Metasploit tests.

    SmartScreen blocked ALL the Veil Framework tests.

    SmartScreen blocked ALL the TheFatRat tests.

    Windows Defender and SmartScreen complemented each other perfectly.

    NONE of the three test stages in the report was capable of bypassing the combined native security in Windows 8.1 and Windows 10 when threats were introduced to the system from the internet.
     
    Last edited: Jan 25, 2017
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yep - tricky wording. "Yes" means bypassed in the table.

    For each of the used tools, the following table shows the best results obtained by malicious payload creation. Remember that to obtain a good result means being able to bypass Windows security systems (denoted as "Yes" or "No" in the table) and some online scanners (denoted in the table by the number of antivirus solutions which recognize the malicious payload out of the total number of antivirus solutions run).

    https://i0.wp.com/securityaffairs.co/wordpress/wp-content/uploads/2017/01/malicious-payloads.png?zoom=1.5625&resize=612%2C160

    (* – Windows SmartScreen can block a malicious payload if it is downloaded from the Internet; otherwise, Windows SmartScreen does not consider it malicious)
     
    Last edited: Jan 26, 2017
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    The other tricky wording: "when introduced from the Internet". So if I get an email that wants me to open a zip file and run the contents, is that introduced from the internet?
     
  6. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @itman :

    Yes, tricky wording in the report, and therefore one needs to read the fine print, or else one might think the report says the opposite of what it actually says.

    But nice test.

    Anything SmartScreen didn't block was blocked by Windows Defender.

    And anything not blocked by Windows Defender was blocked by SmartScreen.

    Another test proving what so many have been saying for so long.
    Windows Defender and SmartScreen are supposed to complement each other and be used in tandem.

    Any test that disables any of them, does not show the correct picture of what protection the OS actually provides when used in the real world.
     
  7. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Peter2150 :

    Mark of the Web / Zone Identifier has been part of Windows since Windows XP SP2 at least.

    A Zip arriving from the web through a browser, mail or elsewhere will be marked.

    When you unzip it, the contents of the zip file inherit the mark.

    Quote from this link : https://support.microsoft.com/en-us...t-the-attachment-manager-in-microsoft-windows

     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, I was under the impression that applied only to IE, am I wrong?
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Also notable in the Conclusion section of this report is the danger of a .NET executable. I assume the TheFatRat-created payload is using PowerShell APIs, thereby bypassing any direct use of the scripting engine.

    In this case study different tools and methodologies have been shown to create shellcode and Windows executables trying to evade some security systems such as antivirus systems and preinstalled Windows systems.

    Making an overall analysis of the results obtained, we note that TheFatRat gives the best results, creating a fully undetectable payload (exe file with C# and PowerShell) that is recognized only by Kaspersky antivirus.

    So, in a possible attack scenario such as social engineering, this payload would easily bypass all the security systems installed on a victim machine. If that payload is directly downloaded from the Internet and if it is executed through clicking on it, only Windows SmartScreen can recognize it as a virus and bypassing this defense can be seen as a future development.
    I believe SmartScreen will classify the payload as unknown and not as malicious if the payload had not been previously scanned and a reputation determination made.

     
    Last edited: Jan 26, 2017
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This study ignored SmartScreen's browser's protections.
     
  11. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Peter2150 :
    Mark of the Web / Zone Identifier in no way depends on the use of IE.

    A file arriving from the web will be marked by the OS as such.
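    As an added illustration (not part of Martin_C's posts or of the report), the following PowerShell shows where the Mark of the Web actually lives and how to check for it: it is the Zone.Identifier alternate data stream that NTFS keeps next to the file. The script creates a constructed test file, shows it carries no mark, writes a ZoneId=3 (Internet zone) mark the way a browser or mail client would, reads it back, and finally clears it with Unblock-File. The file name and contents are invented for the demo; the stream name, the cmdlets and the zone numbering are standard Windows.

```powershell
# Added example (not from the thread or the report): inspect and set the
# Mark of the Web on a constructed test file. Needs an NTFS volume, because
# the mark is stored in the Zone.Identifier alternate data stream (ADS).

$testFile = Join-Path $env:TEMP 'motw-demo.txt'   # constructed sample file
Set-Content -Path $testFile -Value 'demo content'

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Item -Stream enumerates alternate data streams; Zone.Identifier is the MotW.
    $ads = Get-Item -Path $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }
    $text = Get-Content -Path $Path -Stream 'Zone.Identifier' -Raw
    # The stream body is an INI-style block; ZoneId 3 = Internet, 4 = Restricted sites.
    if ($text -match 'ZoneId\s*=\s*(\d+)') { return [int]$Matches[1] }
    return $null
}

# 1. A file created locally carries no mark at all.
"Before: ZoneId = $(Get-MarkOfTheWeb $testFile)"

# 2. Simulate what a browser or mail client does for an Internet download.
#    (Real downloads may also record ReferrerUrl/HostUrl lines; ZoneId is the
#    field SmartScreen and Attachment Manager act on.)
Set-Content -Path $testFile -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
"Marked: ZoneId = $(Get-MarkOfTheWeb $testFile)"

# 3. Unblock-File is the supported way to drop the mark once a file is trusted.
Unblock-File -Path $testFile
"After Unblock-File: ZoneId = $(Get-MarkOfTheWeb $testFile)"

Remove-Item -Path $testFile
```

    Running Get-MarkOfTheWeb over files you extracted from a downloaded zip with Explorer lets you confirm the inheritance described above. Two caveats worth knowing as a defender: a file with no Zone.Identifier stream is treated as local, so the SmartScreen and Attachment Manager checks that depend on the mark never fire for it; and because the mark is an NTFS stream, copying the file to FAT32/exFAT media (a USB stick, for example) silently discards it.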
     
  12. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @itman :

    I know that it is considered important by certain members here on this forum to try and cause confusion and to try and lure readers into believing that third party security holds some kind of magic as rare as unicorns.

    It's ridiculous.

    This test had ONE purpose - to test what reactions the OS gave when introducing a further and further obfuscated malicious file to the system.
    Would it be possible to obfuscate it so much that it would bypass the security in the OS ?

    That is exactly the purpose of Veil Framework and TheFatRat - it obfuscates the file to the extreme.

    Did it bypass the native security in Windows 8.1 and Windows 10 ?

    No, it did not. All attempts in the test were blocked by the native security already implemented in the OS.

    One of the MANY features of SmartScreen is that it will block unknown files.

    Furthermore, Windows Defender has, since Windows 10 1607, shipped with Block at First Sight activated by default. But from reading the report it sounds as if they either used a pre-1607 edition of Windows 10 or had Block at First Sight disabled.
    So today on the latest Windows 10 builds you will actually have two features that block unknowns.

    Still the OS managed to block all bypass attempts in the test.

    So I see no reason for you to underline the part about Kaspersky that you quoted from the report.

    The OS blocked all attempts at bypassing the built-in native security.
    No third-party security needed.
    Well done. :thumb:
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Below is a screen shot from a ransomware on Win 10 x64 that did a bypass of the SmartScreen add-on used in Outlook 32-bit.

    SmartScreen_WOW6432.png
     
    Last edited: Jan 26, 2017
  14. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @itman :

    I understand that it's painful for you to see the native security in Windows do so well.

    You pretty much always show up and try to downplay the success reports about and tests of the native security in Windows.

    The report discussed in this thread shows the native security succeeding in blocking all their bypass attempts.

    Your screenshot shows absolutely nothing about entry route, system settings or enabled security.
    Knowing what third-party product you always praise and therefore probably had running at the time of the screenshot, then all your screenshot shows is that your third-party product failed.

    Now, I could go down your chosen path and post links to the billions of times people have posted about being infected while having all kinds of third-party security installed, but:
    A - I would have to post links to half of the internet, since that happens constantly according to so many forums.
    And B - I have no problem focusing on the topic of this thread, which is a test report showing the OS succeeding perfectly in protecting itself.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    As far as Windows Defender protection against ransomware, here is an AV lab test of it: https://avlab.pl/sites/default/files/68files/ENG_2016_ransomware.pdf . Pitiful.
     
  16. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @itman :

    I hope you understand that your constant juvenile attempts at making the native security in Windows look bad, are only proving what I said earlier in this thread.

    The topic of this thread is a test report that shows the OS perfectly protected itself with the built-in security.

    As for your link - the test you link to is the test where the "testing institution" disabled both UAC and SmartScreen in order to get any of their samples to run.
    It has been discussed long ago on this forum as well as several others.
    So you actually just proved that the native security works as intended WHEN ENABLED ! :D

    But hey, I got links too :

    Latest test of Windows Defender :

    November-December 2016 - Windows 10 with Windows Defender 4.10 :
    https://www.av-test.org/en/antiviru...ystem-center-endpoint-protection-4.10-164974/

    Microsoft are doing great :thumb:

    Now, do you think it would be possible for you not to derail this thread any further ?
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  18. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    For your information - yes, I can read :thumb:
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    If you read the Methodology section of the report, and to set the record straight, AVLab did neither. All they did do was to answer "Yes" to the UAC prompt to allow the ransomware sample to run. This is acceptable since the ransomware dropper would have already elevated privileges if required. In reality, ransomware works just fine using the existing logon privileges. If a standard user, it will encrypt all his files. If a limited admin, it will encrypt all his files.

    If UAC was an effective mitigation, we wouldn't have to worry about ransomware would we?
     
  20. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @itman :

    All the testing institutions disable SmartScreen, since they can't get their samples to run otherwise.
    And since they don't want the Windows webfilter to be active during testing.

    This has been up repeatedly.

    And yes, that "testing institution" you linked to granted Admin privileges to everything in order to get things running.

    So you shot yourself in the foot and proved that the native security works as intended.

    Now I know this is all very painful to you, but I will ask you a second time since you ignored me the last time I asked and instead you continued rambling on - do you think it would be humanly possible for you NOT to derail this thread any further ??
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Ok. I'm bowing out. No reason to continue this discussion.
     
  22. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Anyone else reading along, and with focus back on the test report that is actually the subject of this thread, I would like to point out that this report is finally testing the OS as it is intended to run - with all native security enabled.

    Lots of people including myself have for years been saying that it is wrong when testing institutions always disable SmartScreen during their tests, because the block score they then show does not show what the OS's native security is actually capable of in real world use.

    And as can be seen in this report, Windows Defender and SmartScreen complement each other perfectly, when they BOTH are allowed to be fully functional during use and during testing.

    Nothing unknown was allowed through and nothing unknown was allowed to run.

    Hopefully the other usual testing institutions will soon change their methods and start having all native security enabled during their tests, so their tests reflect how the system actually runs when in the hands of a real world user.

    If anyone wants to further lock down their SmartScreen, then I can recommend enabling these two settings :

    - Prevent bypassing SmartScreen prompts for files in Edge.

    - Prevent bypassing SmartScreen prompts for sites in Edge.

    More info :
    https://technet.microsoft.com/en-us/itpro/microsoft-edge/available-policies

    With SmartScreen enabled and those two settings enabled, you protect yourself even further against human error.
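    As an added example (not from the thread or from the linked policy page), the following PowerShell audits, and optionally applies, the two settings recommended above on a local machine. The registry location and value names are the ones the EdgeHTML-based Edge reads for these group policies (HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter, with PreventOverride for sites and PreventOverrideAppRepUnknown for files); treat that mapping as an assumption to confirm against the policy reference, since the Chromium-based Edge that replaced it uses a different policy set.

```powershell
# Added example (not from the thread): audit, and optionally enforce, the two
# "Prevent bypassing SmartScreen prompts" policies for the EdgeHTML-based Edge.
# Assumption: the registry key and value names below are the ones that Edge
# reads for those policies; confirm against the policy reference before use.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'

# Desired state: 1 = the user cannot click past the SmartScreen warning.
$desired = @{
    'PreventOverride'              = 1   # sites: no "Continue to this website" link
    'PreventOverrideAppRepUnknown' = 1   # files: no "Run anyway" for unknown downloads
}

function Test-EdgeSmartScreenPolicy {
    param([switch]$Apply)   # without -Apply the function only reports
    foreach ($name in $desired.Keys) {
        # Missing key or value reads back as $null, which is reported as non-compliant.
        $current = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
        $compliant = ($current -eq $desired[$name])
        if ($Apply -and -not $compliant) {
            # Writing HKLM policies requires an elevated prompt.
            if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
            New-ItemProperty -Path $policyKey -Name $name -Value $desired[$name] `
                -PropertyType DWord -Force | Out-Null
            $current = $desired[$name]
            $compliant = $true
        }
        [pscustomobject]@{
            Policy    = $name
            Current   = $current
            Desired   = $desired[$name]
            Compliant = $compliant
        }
    }
}

# Audit only; reading HKLM policy values needs no admin rights.
Test-EdgeSmartScreenPolicy | Format-Table -AutoSize

# Enforce from an elevated prompt; Edge picks the change up after a restart.
# Test-EdgeSmartScreenPolicy -Apply
```

    The audit-only call is the one worth running on a fleet: a machine that reports Compliant = False for either value still shows the warning, but lets the user click through it, which is exactly the human-error path the two settings are meant to close.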
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, I keep reading about Win Defender giving bad results, they can't be all wrong.

    What I don't understand is, if Win Defender is so good, then why is SmartScreen needed? I also wonder how many users are saved by it in real life. Personally I totally forgot I disabled it, it's just as annoying as UAC.
     
  24. guest

    guest Guest

    little explanation:

    SmartScreen: alerts about unknown files (i.e. not in the MS whitelist); it doesn't mean the said files are malicious, just unknown.
    Win Def: alerts on and blocks malicious files it knows.

    So basically, I download an app, SmartScreen alerts me it is unknown, I ignore it believing it is legit and safe, I click run; then Win Defender alerts me; at this point (unless being totally ignorant or dumb), I should think something is wrong.

    Can't tell for the rest of the world, but all the customers I had were saved at least once, after I explained to them why they get those "so-called annoying" prompts.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    OK, I see. So SS is basically a white-list. I believe some AVs are now also using both a blacklist and white-list approach.

    Would be cool if we had some more statistics. I also had great results securing noobs with tools like sandboxing, AV and AE. And by telling them to use their common sense. But it also depends on the type of users.
     