HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Very cool!

    Tuned I'll stay. :)
     
  2. lyzanxia

    lyzanxia Registered Member

    Joined:
    Jun 12, 2016
    Posts:
    5
    Location:
    Belgium
Manual computer scan not possible; it displays "failed".

     
  3. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The attack consists of two components:

    1. The WannaCry Ransomware
    2. The ETERNALBLUE exploit leaked from the NSA by the ShadowBrokers

    When one machine in a network is infected (patient zero) the attack worms itself across the network via the ETERNALBLUE exploit. This exploit abuses a SMBv1 vulnerability, patched in MS17-010.

According to our Dutch colleagues at Fox-IT, an organisation got infected with WannaCry via "e-mail containing a link or a PDF file with a similar link [which] retrieves an .hta file. The .hta file retrieves a payload, which will retrieve or install the malware".

    Once the malware becomes active, the worming across the network starts and ransomware pops up on infected machines.

    HitmanPro.Alert 2.6.5 (from April 2014) blocks the WannaCry ransomware.
    HitmanPro.Alert does not prevent the worming ETERNALBLUE kernel exploit.

My guess is that many more attacks like this will take place. The SMBv1 vulnerability is extremely easy to exploit. And as we have witnessed, many businesses have not rolled out the patch from Microsoft. So if you haven't patched, patch now!

    Edit: Microsoft just released patches for EOL Windows XP & Server 2003:
    https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

    Technical nose dive: https://www.bleepingcomputer.com/news/security/wana-decryptor-wanacrypt0r-technical-nose-dive/
    Background: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
     
    Last edited: May 13, 2017
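As an added example (not from Erik's post and not HitmanPro or Sophos code), the following PowerShell script checks a single Windows host for the two conditions the post describes: whether an MS17-010 update is present and whether the SMBv1 server is still listening, and offers a function to turn SMBv1 off. The KB list is my own assumption drawn from the MS17-010 bulletin and the May 2017 out-of-band release for XP/2003; on Windows 10 and Server 2016 later cumulative updates supersede those KBs, so "none found" there is a prompt to check Windows Update, not proof of exposure. Run it from an elevated prompt on the host you want to check.

```powershell
# Added example, not from the thread or from HitmanPro/Sophos: local check for
# the two conditions in Erik's post, a missing MS17-010 update and SMBv1 still on.
# Assumption (labelled): $Ms17010Kbs is the original March 2017 MS17-010 KB set
# plus KB4012598, the May 2017 release for XP/2003/Vista/2008/8. Windows 10 and
# Server 2016 cumulative updates supersede these, so on those builds "no match"
# is a hint to check Windows Update, not proof that the host is unpatched.
$Ms17010Kbs = @(
    'KB4012598',                            # XP SP3, Server 2003, Vista, 2008, Windows 8
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Installed {
    # Returns the MS17-010 KB IDs present in the installed hotfix list (empty = none).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    @($Ms17010Kbs | Where-Object { $installed -contains $_ })
}

function Test-Smb1ServerEnabled {
    # Prefer the SMB cmdlets (Windows 8 / Server 2012 and later); otherwise read the
    # LanmanServer registry value older builds honour. A missing value means SMB1 is on.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Disable-Smb1Server {
    # Run elevated. Turns off the server-side SMBv1 listener that ETERNALBLUE targets.
    # This is a mitigation, not a substitute for installing MS17-010.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Windows 8.1 / 10: also remove the optional component (a reboot completes the removal).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Report for this host
$kbs  = Test-Ms17010Installed
$smb1 = Test-Smb1ServerEnabled
"OS build     : $([Environment]::OSVersion.Version)"
"MS17-010 KBs : $(if ($kbs) { $kbs -join ', ' } else { 'none found (check cumulative updates on Win10/2016)' })"
"SMBv1 server : $(if ($smb1) { 'ENABLED, reachable by ETERNALBLUE if unpatched' } else { 'disabled' })"
if ($smb1) { 'Run Disable-Smb1Server from an elevated prompt to turn off the SMBv1 listener.' }
```

Note that disabling SMBv1 on the server side stops the worm from reaching this host over port 445, but it does nothing for the initial e-mail/.hta infection vector described above; the patch is what actually closes the vulnerability, and HitmanPro.Alert's CryptoGuard covers the ransomware stage only, as Erik says.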
  4. Paul R

    Paul R Registered Member

    Joined:
    Aug 5, 2014
    Posts:
    59
    Location:
    Bury, Lancashire
    Open to new requests?
     
  5. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Yes. But wait until CTP2 arrives.
     
  6. guest

    guest Guest

    EMET is detecting it too, so the Lockdown Mitigation from HMP.A doesn't seem to be unexpected :cautious:
    And don't forget to enable the Lockdown Mitigations after you have finished reading your emails ;)
    ("she can't access her ISP email page from Internet Explorer unless she disables Lockdown Mitigations first.")
    A relaunch should solve it but If you still see a high memory-usage after relaunching it, a reboot is needed.
     
  7. test

    test Registered Member

    Joined:
    Feb 15, 2010
    Posts:
    499
    Location:
    italy
Hi Erik :), I've just got an FP:
    CryptoGuard triggered while upgrading Gimp (a protected app...) to the latest version*
    (Thumbprint ff824515a0d0b40d0d0b22a5ab5c3a98614db94d2a72b6ef6bf8acf5efd4fd3a) (OS: 10x64 Creator Update)

    Mitigation CryptoGuard

    Platform 10.0.15063/x64 v592 06_3c
    PID 416
    Application C:\Users\***\AppData\Local\Temp\is-UUC3M.tmp\gimp-2.8.22-setup.tmp
    Description Setup/Uninstall

    Filename C:\Users\***\AppData\Local\Temp\is-UUC3M.tmp\gimp-2.8.22-setup.tmp

    C:\Program Files\GIMP 2\lib\gimp\2.0\plug-ins\foggify.py
    C:\Program Files\GIMP 2\lib\gimp\2.0\plug-ins\file-openraster.py
    C:\Program Files\GIMP 2\lib\gimp\2.0\plug-ins\colorxhtml.py
    C:\Program Files\GIMP 2\lib\gimp\2.0\plug-ins\twain.exe

    Process Trace
    1 C:\Users\***\AppData\Local\Temp\is-UUC3M.tmp\gimp-2.8.22-setup.tmp [416]
    "C:\Users\***\AppData\Local\Temp\is-UUC3M.tmp\gimp-2.8.22-setup.tmp" /SL5="$100302,88805222,121344,C:\Users\***\Desktop\gimp-2.8.22-setup.exe" /SPAWNWND=$80310 /NOTIFYWND=$13058C
    2 C:\Users\***\Desktop\gimp-2.8.22-setup.exe [7292]
    "C:\Users\***\Desktop\gimp-2.8.22-setup.exe" /SPAWNWND=$80310 /NOTIFYWND=$13058C
    3 C:\Users\***\AppData\Local\Temp\is-O8967.tmp\gimp-2.8.22-setup.tmp [3580]
    "C:\Users\***\AppData\Local\Temp\is-O8967.tmp\gimp-2.8.22-setup.tmp" /SL5="$13058C,88805222,121344,C:\Users\***\Desktop\gimp-2.8.22-setup.exe"
    4 C:\Users\***\Desktop\gimp-2.8.22-setup.exe [3944]
    5 C:\Windows\explorer.exe [4352]
    6 C:\Windows\System32\userinit.exe [4180]
    7 C:\Windows\System32\winlogon.exe [824]
    winlogon.exe

    Thumbprint
    ff824515a0d0b40d0d0b22a5ab5c3a98614db94d2a72b6ef6bf8acf5efd4fd3a

    The following process is trying to attack your personal files:
    PID: 416
    Application: C:\Users\***\AppData\Local\Temp\is-UUC3M.tmp\gimp-2.8.22-setup.tmp

    List of files:
    C:\Program Files\GIMP 2\lib\gimp\2.0\plug-ins\foggify.py
    C:\Program Files\GIMP 2\lib\gimp\2.0\plug-ins\file-openraster.py
    C:\Program Files\GIMP 2\lib\gimp\2.0\plug-ins\colorxhtml.py
    C:\Program Files\GIMP 2\lib\gimp\2.0\plug-ins\twain.exe


    HitmanPro.Alert has intercepted and blocked this attack.
    You are strongly advised to immediately scan this computer with HitmanPro and remove the detected threats.


* I've solved this issue simply by provisionally disabling the CryptoGuard module.
     
    Last edited: May 13, 2017
  8. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,674
    Location:
    South Wales, UK
    Yes, very, very cool...am staying tuned...too! :)
     
  9. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    Thanks. :thumb: Killing and then relaunching HMP.A did solve the memory issue, although after closing the UI only the "SYSTEM" process (the top one seen in my screenshot) remained in Task Manager. (During normal operation, two HMP.A processes are listed in Task Manager.)
     
    Last edited: May 13, 2017
  10. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    Thanks for that info!

    I still have one copy of XP running as a VM. Just patched it.

    It may require some patience to connect to that MS catalog server. It took many attempts to get through. Appears to be rather busy today! :D
     
  11. ohgood

    ohgood Registered Member

    Joined:
    Apr 3, 2015
    Posts:
    39
    Location:
    cold upper midwest
    Erik,

    Thank you very much for taking time to post about WannaCry Ransomware - and I think you are correct about future attacks. We sure do live in "very interesting times" ....
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Seems like a great opportunity to promote Sophos and HMPA, good to know it would have stopped this attack. :thumb:
     
  13. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Sent a PM to erik. Would like to be included in beta testing when it opens up again. Thank you.
     
  14. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I wonder if the mainstream AV's have signatures for this particular HTML Application File (.hta) file? https://en.wikipedia.org/wiki/HTML_Application

    Or is this method undetectable until the malware payload is actually received? Like does it look like a normal request to access a web domain, that may be newly registered, and not on any blacklists yet?
     
  15. guest

    guest Guest

    Ok, then it seems to be better to reboot if the memory issue appears again :cautious:
     
  16. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    Yup, I'm with you.

    It could be a pain in the neck, though, if you have a lot of applications open when this happens and you're in the middle of heavy-duty Web research: you have to either close down everything to reboot, or proceed unprotected by HMP.A. Let's hope that the HMP.A team finds a solution to this issue.
     
  17. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
Do you happen to have Norton installed? I had issues with HMP.A high RAM usage whenever Norton updated SONAR.

    Edited because I hadn't had my first cup of coffee yet.
     
    Last edited: May 13, 2017
  18. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Do you use both Norton and HMP.A Krusty?
     
  19. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Yeah, on two machines. I have Avast on my other.
     
  20. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
Wow, so you can run NIS and HMP.A with no issues?
     
  21. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    I do have Norton installed. Huh -- could SONAR updating be the cause of this high RAM usage? :cautious:

    In fact I have the Norton/HMP.A combo on two machines, a Vista and a Windows 7. But only the Vista machine gets this RAM issue. In the Windows 7 box, HMP.A has a knack for crashing twice in quick succession, but I don't know if that has anything to do with Norton.

    How'd you figure out that HMP.A high RAM usage and SONAR updating were related?
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    I had the same high RAM usage and between @erikloman and myself we worked out that as soon as SONAR updated HMP.A would use heaps of RAM.

    If you open Norton > Settings > Antivirus > Scans and Risks tab > scroll down to Items to Exclude from Auto-Protect, SONAR and Download Intelligence Detection > Configure > Add Files > navigate to hmpalert.exe > Apply, this should stop.

    A possible downside to this is - #782 but I cannot confirm that this is the cause.

    Yeah, except the above.
     
  23. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    574
    That's a great idea, I'll try it and see what happens -- thanks! :thumb:

    How strange. I'll keep an eye out for that after making the above change.
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    FYI, I have notified Symantec and they are looking into it... If they can reproduce it that is.
     
  25. Phil_S

    Phil_S Registered Member

    Joined:
    Nov 13, 2003
    Posts:
    155
    Location:
    UK
    I've been trying to update from 588 for the last 2 days, but test.hitmanpro.com appears unreachable. Can anyone else confirm?
     