A Specific Example Of How You Can Get Ransomware Just Surfing The Web

Discussion in 'malware problems & news' started by itman, May 10, 2016.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    This morning I was surfing a well known security based web site I frequent almost on a daily basis. It is also a site where I would never have thought I could be subjected to ransomware.

    How the ransomware got into the forum section I was browsing in is unknown. It could have inadvertently been linked into the posting I was accessing or purposely and maliciously placed there. The effect was the same, with the ransomware downloaded to my browser's temporary internet file directory.

    Of note is the fact the ransomware was hidden in a .htm file. Eset's realtime scanner caught it by signature detection the moment my browser attempted to access the file.

    5/10/2016 11:07:48 AM Real-time file system protection

    file C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1ARTGYTD\
    cerber-ransomware-support-and-help-topic-decrypt-my-files-htmltxtvbs[1].htm

    Win32/Filecoder.Cerber trojan cleaned by deleting xxx-PC\xxx

    Event occurred during an attempt to access the file by the application:
    C:\Program Files\Internet Explorer\iexplore.exe (E55B59E3E9530C5E6947C46F937F6BA88DD2EB19).

    38986DCBD14EF6F7D9859270223AC4FB950208E2 <- hash value
     
  2. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Looks like you were reading a forum thread about Cerber ransomware at the time. Makes one wonder if the detection could have been a false positive, triggered by a thread participant posting the wrong strings so to speak. If it were a genuine threat, others would be bleeping mad.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Did you check the html file using a text editor? Html itself shouldn't be problematic, but a link in the file could point to malware or a site delivering malware.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    A false positive is possible, but I have never received that kind of alert from Eset before. Eset has one of the best FP rates among AV vendors. It was nice to see that all browser temp files are scanned by Eset - note I do have strict cleaning applied with all file extensions being scanned.

    I did inform the web site about the issue immediately and I assume they fixed the issue if there was indeed a problem.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    File is gone. Eset deleted it immediately.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    If you use default settings it should be stored in quarantine and it could be restored.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    See my reply #4. I have all Eset settings set to max. protection including realtime scan options. I previously checked quarantine, nothing there.

    Interestingly, I just looked at Eset statistics and it stated realtime protection found 2 threats w/1 cleaned. So I am presently running an in-depth scan just to make sure nothing is still hanging around. I believe that the [1] in the log file entry indicates it found the same malware twice.
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    Yes sorry, I missed that post.
     
  9. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    Ahhh one of the beauties of having Temp and Temporary Internet Files on a non-system partition wrapped in Shadow Mode, along with Temp directory in Easy File Locker with browser not listed as an exception application ... reboot, game over. Phew!
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Checking this incident out a bit more, it appears someone posted the .vbs script code Cerber uses on the web site. This is what Eset detected on the web page, and it deleted the .htm download that contained the code.

    Still nice to know Eset is scanning code in the temp download folder even if it is a bit aggressive in its detection.
     
  11. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    I was thinking about this subject over the weekend...
    • Some AVs may utilize URL checking but [not yet] know that a given document and/or its embedded content (which might not even be accessible from the public internet) contain a threat. URL checking doesn't seem like it would live up to common expectations/assumptions.
    • Some AVs may not be able or allowed to examine things via browser extension and/or MITM proxy. So these approaches won't always be an available option.
    • Browsers can explicitly invoke AV scanning (Windows Antivirus API, Antimalware Scan Interface, whatever) but:
      • I don't know which browsers, these days, actually do this. Particularly for ordinary web content (html documents, javascript files, etc) that is not explicitly downloaded as a file.
      • This is platform dependent and not all platforms may support it.
    • Browsers could trigger AV scanning by making content hit the filesystem. For example, when caching. However:
      • In order for AV software to be able to properly scan such files, the files would have to be in a transparent/usable format. If a browser uses a custom caching mechanism that stores content in an unusual/altered way, it could interfere with AV recognition.
      • Browsers may not be built/configured to cache HTTPS delivered content due to security/privacy concerns.
    For such reasons I think it would be good to have a HTTP/HTTPS test site for challenging AV web content scanning. Yet, I don't recall ever seeing such a site and a few searches turned up nothing that looked sufficient. Perhaps even a website that serves EICAR strings for test html, js, jpg, swf, etc files might suffice for primitive testing.

    Has anyone come across a useful tool for testing AV web content scanning?
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Actually, the AMTSO web site: http://www.amtso.org/feature-settings-check-for-desktop-solutions/ has two tests for this. Specifically, the cloudcar test and the drive by download test. Not all vendors are participants in these tests. Only those that employ active web filters are listed.

    Tests are all HTTP based. Don't know of anyone that supports HTTPS tests since scanning of SSL traffic is not formally endorsed by any oversight organizations that I am aware of.
    Only Win 10 has actual interface capability. And agreed, vendor info as to those actually using it is not widely known.

    Almost all other vendors that scan incoming web traffic do so through the use of a NDIS miniport network adapter filter. I believe MS has provided this interface since Win 7 and it might possibly exist in Vista. Scanning capability varies by vendor with many just using their realtime scan engines, i.e. signatures and blacklists, to scan the incoming web traffic.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    Interesting testing against the AMTSO site. NoScript actually blocked two of them, but even though not listed, EIS passed all the tests. Also, surfing in Sandboxie made the tests irrelevant.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    The two tests I referenced are supposed to be detected prior to physical creation of the file on the HDD.
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,041
    I am still in the browser. I looked at the sandboxed download folder, and there are only 3 files there out of all the tests. And since they are in the sandboxed folder, a) the system is still safe and b) when I close the browser they will be gone.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    The tests are to determine if the web filter capability of your security solution is functional and conforms to AMTSO guidelines. That is all they are designed for.

    So if the security solution does not employ a web filter, the tests are not applicable. AMTSO guidelines are that security solutions should provide protection covered by two tests prior to any physical file creation. If people don't agree with that, they should contact AMTSO directly about it.
     
  17. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    Thanks, want to look at that some more.
    There was/is IAttachmentExecute, which could be utilized (and was utilized by Firefox and Chrome/Chromium I believe) to indirectly invoke an AV scan. At least under some circumstances. I think it may have utilized IOfficeAntiVirus to trigger an AV scan. I don't recall/know much more than that at the moment, I'm sad to say.

    I don't know if Windows 10 supports either of those for legacy apps, but it appears to bring the Antimalware Scan Interface. Which looks more sophisticated/appropriate, at first glance anyway.

    FWIW, what caused me to think about this: I was going over my Firefox autoconfig and saw an old "open" comment about browser.download.manager.scanWhenDone being removed. A few searches suggested that Firefox's ability to explicitly invoke an AV scan may have been removed some time ago. I had recently looked at some cached content files and noticed they aren't just normal files, so I started to wonder if cache filesystem activity alone would be enough to allow AV a bite. On top of that I began to wonder how downloaded file processing may differ from "normal" content file processing. IOW, I'm all hazy at the moment but have a gut feeling that there could be issues. I need some cliff notes. Remember those old farts?
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Perhaps you are referring to, for example, the webcachexx.dat files IE uses? Doubt anything scans those since they are locked by the OS by virtue of always being in use. You have to shut down taskhost.exe to get access to those files. Believe all they contain is your surfing history so the police/gov can do forensic analysis on them.
     
  19. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,084
    No, I was talking about Firefox cache2 entries. The few files I looked at appeared to contain the original content plus response header information appended to that. Which might (?) not be enough to foil AV inspection, but it was enough to provoke questioning.
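    As an added example (not from the thread or any of its participants), this Python sketch builds EICAR test content in the wrappers discussed in posts 11 and 19: plain, HTML, JavaScript, and a constructed approximation of a Firefox cache2 entry with response headers appended; the cache2 layout and the example.test URL are assumptions. It shows that a content-agnostic substring signature still finds the string after wrapping, while a detector applying the strict EICAR file rule misses every wrapped form, so EICAR-in-HTML is a primitive probe at best.

```python
"""Added example: EICAR probes for checking AV visibility into wrapped web content."""
import struct

# The 68-byte EICAR test string, assembled from two halves so that this source
# file is not itself a byte-identical EICAR sample.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def wrap_html(payload: bytes) -> bytes:
    """Embed the test string in a minimal HTML document."""
    return b"<html><body><pre>" + payload + b"</pre></body></html>\n"

def wrap_js(payload: bytes) -> bytes:
    """Embed the test string in a JavaScript string literal."""
    return b"var probe = '" + payload + b"';\n"

def wrap_cache2(body: bytes, url: bytes) -> bytes:
    """Constructed approximation (an assumption, not Mozilla's code) of a Firefox
    cache2 entry: response body first, then metadata (cache key and response
    headers as NUL-separated strings), then a big-endian uint32 metadata offset."""
    metadata = (b":" + url + b"\x00"
                + b"response-head\x00HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\x00")
    return body + metadata + struct.pack(">I", len(body))

def cache2_body(entry: bytes) -> bytes:
    """Recover the original response body from a cache2-style entry."""
    (meta_offset,) = struct.unpack(">I", entry[-4:])
    return entry[:meta_offset]

def substring_hit(blob: bytes) -> bool:
    """Content-agnostic signature match: the string appears anywhere in the blob."""
    return EICAR in blob

def strict_eicar_hit(blob: bytes) -> bool:
    """Official EICAR rule: string at offset 0, at most 128 bytes, only whitespace after."""
    return blob.startswith(EICAR) and len(blob) <= 128 and blob[68:].strip() == b""

def probe_results() -> dict:
    """Map each wrapper to (substring match, strict EICAR match)."""
    probes = {
        "plain": EICAR,
        "html": wrap_html(EICAR),
        "js": wrap_js(EICAR),
        "cache2": wrap_cache2(wrap_html(EICAR), b"http://example.test/probe.html"),
    }
    return {name: (substring_hit(blob), strict_eicar_hit(blob)) for name, blob in probes.items()}
```

Run it against your own AV by writing each probe to the browser's cache or temp directory and watching which ones are flagged; the `plain` probe is the only one a product following the EICAR rule is obliged to detect.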
     