HitmanPro.ALERT Support and Discussion Thread

Discussion in 'other anti-malware software' started by erikloman, May 25, 2012.

  1. hjlbx

    hjlbx Guest

    Appears to me to be a PE. Installer to be more precise.

    The ransomware is "bound" to the uTorrent installer.

    The ransom screen states all files have been encrypted, but encrypted files are not shown in the video.

    At first I thought it was a screenlock ransomware...
     
    Last edited by a moderator: Mar 12, 2016
  2. hmpa111

    hmpa111 Registered Member

    Joined:
    Mar 11, 2016
    Posts:
    11
    I have never installed/run the HMP, only HMP.A.
     
  3. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,125
    Not that I want the link to be removed in any way. But I have a question: why wasn't the link posted by @hjlbx removed, since it linked to a YouTube test video? And the rules apparently state that such things aren't allowed on this site.
     
  4. hjlbx

    hjlbx Guest

    It doesn't matter to me, but this is an official HMP.A support forum - and I would think that the developers - @erikloman and @markloman - would want to see the video.
     
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,996
    Location:
    USA
    You could PM Erik about a trial.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,904
    Location:
    U.S.A.
    Once a victim enables the macros, the macros will download an executable from a remote server and execute it.

    http://www.bleepstatic.com/images/news/ransomware/locky/word-macro.png

    Malicious Macro

    The file that is downloaded by the macro will be stored in the %Temp% folder and executed. This executable is the Locky ransomware that when started will begin to encrypt the files on your computer.

    Ref.: http://www.bleepingcomputer.com/new...ypts-local-files-and-unmapped-network-shares/
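
A detection check for the behaviour quoted in the post above, as an added example that is not part of the original post or the referenced article. It flags executables started from a per-user Temp directory whose process ancestry contains an Office application; the field names follow Sysmon Event ID 1, and the records, process list and path pattern are constructed assumptions.

```python
import ntpath
import re

# Office hosts that can run macros (assumed list for this example).
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Where %Temp% normally expands for a user; the user segment may be an 8.3 short name.
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)

# Constructed process-creation records, not taken from a real incident.
EVENTS = [
    {"ProcessId": 100, "ParentProcessId": 4,
     "Image": r"C:\Windows\explorer.exe"},
    {"ProcessId": 200, "ParentProcessId": 100,
     "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE"},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 400, "ParentProcessId": 300,
     "Image": r"C:\Users\ALICE~1\AppData\Local\Temp\sample_payload.exe"},
    {"ProcessId": 500, "ParentProcessId": 100,
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup_7z.exe"},
]

def office_ancestor(pid, by_pid):
    """Walk up the parent chain; return the PID of the first Office host found."""
    seen = set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against PID loops
        seen.add(pid)
        if ntpath.basename(by_pid[pid]["Image"]).lower() in OFFICE:
            return pid
        pid = by_pid[pid]["ParentProcessId"]
    return None

def office_spawned_from_temp(events):
    """Return (child_pid, office_pid) for Temp executables descended from Office."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        if TEMP_RE.match(e["Image"]):
            host = office_ancestor(e["ParentProcessId"], by_pid)
            if host is not None:
                hits.append((e["ProcessId"], host))
    return hits

if __name__ == "__main__":
    print(office_spawned_from_temp(EVENTS))
```

Walking the ancestry rather than checking only the direct parent catches the case where the macro launches the file through an intermediate process such as cmd.exe, while the installer started from Explorer is left alone.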
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    So of course the wisest course would be to turn on Macros.:argh:
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,491
    Location:
    The Netherlands
    OK thanks, that's what I thought. The point is that it doesn't matter which type of code injection method is used, HMPA should always alert about API hooking. And I assume HMPA always tries to figure out which process is responsible for the hooks, if it's not signed or white-listed, it will be blocked.

    About the other link, certain members claim that a new tool called "MemProtect" will protect against exploits, apparently it protects processes with the "protected services" feature in Win 8, do you know anything about this? Can this be used to block exploits?

    https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx
     
  9. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,427
    Location:
    Paris
    This isn't Locky. This one has no need to connect out, it has nothing to do with macros, and doesn't drop an autorun entry into the registry (a Service is instead created). Group Policy does seem to protect Documents.
     
  10. I don't get why the fanboys of HMPA are so obsessed with sophisticated features. It does not matter whether someone removes the sparks, the distributor cap, the battery or the starter, in all cases your car won't start. With ransomware and exploits you also need to block only one of the gates malware has to pass to succeed in the intrusion.

    Cruel sister's video clearly shows that HMPA fails miserably. So my suggestion is to ask Cruel Sister for the sample and develop a counter measure to deliver the promised immediate protection.

     
    Last edited by a moderator: Mar 13, 2016
  11. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    This was indeed no Locky.

    This one most likely doesn't overwrite the existing file but creates a new one and deletes the original. This means that you can get most files back via undelete.

    Prevalent ransomware overwrites the existing file (= not deleting original). So there is no way to get files back.

    Can you post the hash of the sample used in the video?
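
The distinction drawn in the post above, worked through as an added example that is not part of the original post or of HitmanPro.ALERT. Given a file-system trace and the PID of the suspect process, it sorts each pre-existing file into "overwritten in place" or "new file written, original deleted", which is what decides whether undelete is worth trying; the trace, operation names and paths are constructed assumptions.

```python
import ntpath

# Constructed file-system trace: (pid, operation, path[, new_path]).
DOCS = r"C:\Users\alice\Documents"
EVENTS = [
    (4120, "read",   DOCS + r"\report.docx"),
    (4120, "create", DOCS + r"\report.docx.locked"),
    (4120, "write",  DOCS + r"\report.docx.locked"),
    (4120, "delete", DOCS + r"\report.docx"),
    (4120, "read",   DOCS + r"\budget.xlsx"),
    (4120, "write",  DOCS + r"\budget.xlsx"),
    (4120, "rename", DOCS + r"\budget.xlsx", DOCS + r"\budget.xlsx.locked"),
    (4120, "read",   DOCS + r"\notes.txt"),
    (9001, "write",  DOCS + r"\todo.txt"),   # unrelated process
]

def triage(events, suspect_pid):
    """Map each pre-existing file the suspect modified to a recovery outlook."""
    made_by_suspect = set()   # paths the suspect created or renamed into
    new_dirs = set()          # directories where it created new files
    ops = {}                  # original path -> operations seen on it
    for pid, op, path, *extra in events:
        if pid != suspect_pid:
            continue
        if op == "create":
            made_by_suspect.add(path.lower())
            new_dirs.add(ntpath.dirname(path).lower())
            continue
        if op == "rename":
            made_by_suspect.add(extra[0].lower())
        if path.lower() not in made_by_suspect:
            ops.setdefault(path, set()).add(op)
    outlook = {}
    for path, seen in ops.items():
        if "write" in seen:
            outlook[path] = "overwritten-in-place"   # original data replaced
        elif "delete" in seen and ntpath.dirname(path).lower() in new_dirs:
            outlook[path] = "undelete-candidate"     # original only unlinked
    return outlook

if __name__ == "__main__":
    for path, verdict in triage(EVENTS, 4120).items():
        print(verdict, path)
```

Files that were only read, such as notes.txt in the trace, are left out of the result because nothing happened to their contents.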
     
  12. The world's most comprehensive real-time signature-less security software?
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,491
    Location:
    The Netherlands
    To be honest, I don't get why you're so obsessed with Windows Internal Security, to be fair. :D

    Also, HMPA and MBARW are monitoring specific file system operations, and clearly this isn't always foolproof. I wonder what makes WinAntiRansom so special, what does it detect, suspicious file system operations or something else?
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We need the hash so that we can get the sample! o_O
     
    Last edited: Mar 13, 2016
  15. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,427
    Location:
    Paris
    As I didn't code this one myself I'll be more than happy to share. Erik- as soon as I get back to my hotel tonight I'll shoot you an email with a link (that is, as long as you give me an address).
     
  16. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    We never claim 100% protection.
    We do mention that we have the most anti-exploit features, including hardware assistance. All in a 5MB footprint. We try hard with just a handful of developers to provide what others don't.

    Home users, businesses, hospitals and police become ransomware victims on a daily basis. Spam filters, web filters and AV solutions aren't enough. The headlines mentioning hospitals and police paying the ransom are proof of that.

    You can't fight modern attacks using signatures. That is why we focus on the sparks, distributor cap and starter. It's all about a multi-layer approach. Features!

    But everybody has a right to his/her opinion.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Well, I for one as a user am mighty glad for what you do.
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    7,514
    Location:
    Among the gum trees
    Me too! Keep up the great work guys.
     
  19. LOL :argh: You earned more than a handful with 31.8 million cash acquisition by Sophos. WinAntiRansomPlus is developed by a smaller team and with less features it does provide effective protection.

    I am not arguing against a multi layer approach, I am disagreeing with your claim that the number of features matters: the effectiveness of the package is what really matters.
     
    Last edited by a moderator: Mar 13, 2016
  20. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    You're right, a typewriter is a more secure solution.
     
  21. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    887
    Location:
    Baden Germany
    Is cruelsister's trojan really a file cryptor, or just a screen locker?
     
  22. So you are labeling WinAntiRansom plus a typewriter :eek: just because it has less features :confused: also a HMPA fanboy I suppose
     
    Last edited by a moderator: Mar 13, 2016
  23. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Despite being acquired by Sophos, isn't it possible that a "handful of developers" only work on the product? Small teams have been known to work on particular software in other large companies so I suspect it is no different here. They just have more money for research and development.
     
  24. Yes you are quite right, only the text "We try hard with just a handful of developers to provide what others don't", sounds like they are the last warriors protecting the world. With 31.8 million to spare you could afford a larger development team.

    WinAntiRansomWare has a much smaller development team (as far as I know) and they were able to protect against the ransomware sample, so "what others don't" sounds silly when you just failed to provide protection.

    "We try hard ... to provide what others don't" also implies that other security vendors are not trying hard to provide protection against ransomware, exploits and keyloggers. Really
     
    Last edited by a moderator: Mar 13, 2016
  25. Buddel

    Buddel Registered Member

    Joined:
    Apr 28, 2015
    Posts:
    1,128
    So am I. Keep up the good job.:thumb:
     