In memory fileless malware detection ..... any antimalware software?

Discussion in 'malware problems & news' started by aigle, Sep 10, 2015.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    Another point people may not be aware of is that you cannot run a standalone .ps1 script. It has to be run as an object to the Powershell executable. Microsoft set the default file association for .ps1 to notepad.exe for security reasons.
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,504
    Location:
    Slovenia
    I always disable SRP when updating or installing software or OS. No updates are set to automatic, all is done manually.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    Most of the crypto malware arrives as a .zip e-mail attachment.

    Now I am going to tell a story about how someone who knows better can do stupid things. I use Thunderbird as my e-mail client. My daughter often e-mails me pics of her and my granddaughter. I got tired of always having to manually open the attachments, so in a total brain cramp moment I decided to change TBird's attachment setting to always open attachments in line. Very bad move as follows.

    It wasn't that long after that I received a strange pop up while in TBird about an update having been rejected because it was invalid. Spoke to the Mozilla TBird forum mods about it and they were clueless; basically stating that they had never seen anything like this. I also later noticed the default storage directory for TBird attachments had been mysteriously changed to User\AppData\Temp. Best I can determine is an e-mail I had opened must have had a .zip attachment from one of the ransomware bad guys, it auto opened when reading the e-mail, and it proceeded to attempt to download crypto malware to my PC in the disguise of a TBird update. I was very lucky in this instance due to TBird having a self-checking mechanism for valid updates. The blocking of that update saved my butt from being nailed with having all my files encrypted. Although I have HIPS rules for protecting the AppData directories and the Program Data directory, I did not have one for the Program Files x86 directory.

    Bottom line - never ever open either manually or automatically by some e-mail setting any .zip attachment unless you can 100% trust the origin of the e-mail.

    -EDIT- Forgot to mention that I receive my e-mail encrypted via IMAPS. I had Eset's SSL protocol scanning enabled, TLS encryption, and scanning my e-mail upon receipt. Real time scanning was set to the maximum setting. And this bugger slipped by it; no alerts, no log entries, nada.
     
    Last edited: Sep 17, 2015
  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi itman

    1. Sandboxie would have kept you safe from that one.

    2. Don't feel bad. One night, also tired, I got an email saying my Paypal acct needed attn. I filled out the form, basically giving away the farm on my bank account. As I clicked send, I suddenly had this sinking feeling. Quick call to Paypal confirmed. Another quick call to my bank stopped any potential loss. But the clean up was a good lesson. So I know the feeling of doing stupid things when you know better.
     
  5. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Interesting, so the only reason it automatically ran was because of your Thunderbird's settings? Or is there something more to that?
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    It was Thunderbird's settings. I like the product but you definitely have to research what its settings do prior to activating an option.

    -EDIT-
    Actually there is another issue with Thunderbird in my opinion:

    As far as Thunderbird goes, I now realize that using Mozilla's Maintenance service and allowing silent updating is a big security risk. In this mode, all UAC elevated prompting is bypassed. I have changed the update option in Thunderbird to "notify about updates." This method allows for updating via the thunderbird.exe process with elevated UAC prompt and the Mozilla Maintenance service is never started or used.

    Further risks associated with using Mozilla Maintenance service noted here: https://wizzley.com/...security-issue/ . Note that according to this article you have to either disable the service or uninstall it to actually prevent update downloads from the service.
    Since I did receive a bogus update, I attribute that most likely to the above. Also since this incident, I have enabled outbound firewall monitoring in Eset. It has a feature that will alert me if any network aware app such as thunderbird.exe has been modified.
     
    Last edited: Sep 18, 2015
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    In memory malware might evolve more. Imagine it injecting your browser and grabbing all passwords etc. Nothing seems to detect this type of malware ATM in real time, even classical HIPS.
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,504
    Location:
    Slovenia
    Thanks for the link. They are using less secure blacklisting approach (prevent execution from known locations that malware is usually using). I use whitelist approach - prevent anything that is not whitelisted.
    Windows script host - I already have it disabled.
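
Added example (my own Python, not anything from the post or from an SRP product) contrasting the two approaches just described: a denylist of known drop locations versus an allowlist of approved program directories. The directory sets and the launch paths are constructed; the point is which attempts slip through a denylist that an allowlist still stops, and why the path must be normalised before the comparison.

```python
import ntpath

# Constructed path rules standing in for SRP entries (assumptions, not anyone's real policy).
DENY_DIRS = [
    r"C:\Users\alice\AppData\Local\Temp",
    r"C:\Users\alice\AppData\Roaming",
]
ALLOW_DIRS = [
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
]


def _under(path, directory):
    """True if path lies inside directory after normalisation (case-insensitive, '..' collapsed).
    The trailing separator check keeps 'C:\\Program Files (x86)' from matching 'C:\\Program Files'."""
    p = ntpath.normpath(path).lower()
    d = ntpath.normpath(directory).lower()
    return p == d or p.startswith(d + "\\")


def denylist_verdict(path):
    """Blacklist style: run unless the path is in a known malware drop location."""
    return "block" if any(_under(path, d) for d in DENY_DIRS) else "run"


def allowlist_verdict(path):
    """Whitelist style: block unless the path is in an approved program directory."""
    return "run" if any(_under(path, d) for d in ALLOW_DIRS) else "block"


def compare(paths):
    """Map each path to (denylist verdict, allowlist verdict)."""
    return {p: (denylist_verdict(p), allowlist_verdict(p)) for p in paths}


# Constructed sample of launch attempts.
SAMPLE_PATHS = [
    r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",   # legitimate app
    r"C:\Users\alice\AppData\Local\Temp\invoice.exe",           # classic drop location
    r"C:\Users\alice\Downloads\invoice.pdf.exe",                # not on the denylist
    r"C:\Program Files\..\Users\alice\Downloads\evil.exe",      # traversal trick
    r"C:\PROGRAM FILES (X86)\Vendor\tool.exe",                  # case difference only
]

if __name__ == "__main__":
    for path, (deny, allow) in compare(SAMPLE_PATHS).items():
        print(f"{path}\n    denylist: {deny:5}  allowlist: {allow}")
```

The Downloads and traversal cases are the ones that separate the two styles: neither lives in a denylisted directory, so the denylist runs them, while the allowlist blocks anything that does not resolve into an approved directory.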
     
  10. Kobayashi maru

    Kobayashi maru Registered Member

    Joined:
    Nov 7, 2009
    Posts:
    124
    Location:
    Drivin' all night my hands wet on the wheel....
    Outpost anti-leak will detect process memory injection.
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    No, not this one.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    Last edited: Sep 19, 2015
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    Equivalent in a HIPS would be policy based mode; with no rule, the process is automatically blocked.
     
  14. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I have already mentioned this here but my work place was hit by Poweliks. The company hired to take care of our computers came and attempted to fix them.
    When I noticed they couldn't get rid of it, I ran a scan with Symantec Endpoint as well and nothing; ran Malwarebytes and nothing. Although Symantec kept giving a warning it could not clean it at that time. I also noticed the IT people tried running things like Spybot, Rkill etc., all the normal advised cleaning programs. I took things into my own hands on my work computer and downloaded Eset's cleaning file for just the version of Poweliks I had. It cleaned it. My manager on the other hand just kept getting infected and fired the company that was supposed to fix it. He hired another and I am not sure how that turned out.
    The older version spread throughout the company via LAN because I knew I had not opened any attachments, unless it was from the manager. During that escapade I read about Poweliks and how it was creating a hidden Reg key to start from. It didn't always start with each reboot but would later on. I always knew when it had started because of some task manager entries. There were multiples of them (dllhost.exe), which I knew was wrong.
     
    Last edited: Sep 19, 2015
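
Added example (my own Python, not from boredog's post or from any vendor's cleaner) that turns the two symptoms described above into checks: an autorun value whose name regedit cannot render and whose data starts a script host rather than an executable file, and a crowd of dllhost.exe processes. The registry values and process list are constructed; the "/Processid:" heuristic and the baseline count of two are assumptions.

```python
import re

# Value names regedit cannot display: empty, or containing control / non-ASCII characters.
NONPRINTABLE = re.compile(r"[^\x20-\x7e]")
# Launchers that let a registry value execute script with no file on disk.
SCRIPT_LAUNCHER = re.compile(
    r"rundll32(?:\.exe)?\s+javascript:|mshta(?:\.exe)?\s|powershell(?:\.exe)?.*\s-e(?:c|nc\w*)?\b",
    re.IGNORECASE,
)


def suspicious_run_values(values):
    """values: {value_name: value_data} read from an autorun key. Returns [(name, [reasons])]."""
    findings = []
    for name, data in values.items():
        reasons = []
        if name == "" or NONPRINTABLE.search(name):
            reasons.append("value name is empty or contains non-printable characters")
        if SCRIPT_LAUNCHER.search(data):
            reasons.append("value data launches a script host instead of an executable file")
        if reasons:
            findings.append((name, reasons))
    return findings


def dllhost_anomalies(processes, max_expected=2):
    """processes: [{'pid', 'image', 'cmdline'}]. Flags dllhost.exe instances that lack the
    '/Processid:{...}' argument a COM surrogate normally carries (assumed baseline), and
    reports whether the total exceeds what this host usually shows."""
    hosts = [p for p in processes if p["image"].lower() == "dllhost.exe"]
    odd = [p["pid"] for p in hosts if "/processid:" not in p["cmdline"].lower()]
    return {"count": len(hosts), "no_processid": odd, "exceeds_baseline": len(hosts) > max_expected}


# Constructed sample data; the placeholder payload and the GUID are not real.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "\x00\x01": 'rundll32.exe javascript:"<constructed placeholder, payload omitted>"',
    "VendorTray": r'"C:\Program Files\Vendor\tray.exe" /silent',
}
SAMPLE_PROCESSES = [
    {"pid": 812, "image": "svchost.exe", "cmdline": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch"},
    {"pid": 1200, "image": "dllhost.exe",
     "cmdline": "C:\\Windows\\system32\\DllHost.exe /Processid:{11111111-2222-3333-4444-555555555555}"},
    {"pid": 2308, "image": "dllhost.exe", "cmdline": "C:\\Windows\\system32\\dllhost.exe"},
    {"pid": 2316, "image": "dllhost.exe", "cmdline": "C:\\Windows\\system32\\dllhost.exe"},
    {"pid": 2324, "image": "dllhost.exe", "cmdline": ""},
    {"pid": 2340, "image": "dllhost.exe", "cmdline": ""},
    {"pid": 3004, "image": "firefox.exe", "cmdline": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
]

if __name__ == "__main__":
    for name, reasons in suspicious_run_values(SAMPLE_RUN_VALUES):
        print(repr(name), "->", "; ".join(reasons))
    print(dllhost_anomalies(SAMPLE_PROCESSES))
```

On a live host the registry dictionary would come from the Run keys under HKCU and HKLM and the process list from Task Manager or a process snapshot; the value-name check is what catches an entry that a registry viewer silently refuses to show.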
  15. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,059
    Why didn't you inform them on how you got your PC cleaned? Or you did and they kept getting infected?
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I think the new IT people took care of it. We were told not to waste time trying to fix our own computers or co-workers'. I took it on anyway thinking I was going to retire soon and didn't care. Was going to retire last Dec but decided to stay another year.
     
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    If the browser or other exploited app is running restricted (by sandbox or HIPS), it will indeed get harder for in-memory malware to do any damage.

    That doesn't block in-mem exploits, you need anti-exploit for that.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    In-memory ransomware and banking trojans would be scary, but I wonder why it's still not seen ITW, there must be a reason. Perhaps it's too difficult for hackers to successfully attack systems with in-mem malware?
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    Next time, go first to bleepingcomputer.com to see if they have a removal guide. They have one for Poweliks that also lists all the stand-alone removal tools: http://www.bleepingcomputer.com/virus-removal/remove-poweliks-trojan#accordion-2 . They also offer free malware removal assistance.

    Best way to prevent Poweliks infections is a HIPS rule to monitor Powershell execution. That might take a bit of work in a corp. environment if the tech support staff created a bunch of Powershell scripts. Also a HIPS rule should have been in place to monitor Windows startup areas and registry keys.

    -EDIT-
    There is also an exploit component to Poweliks;

    The Trojan uses the Microsoft Windows CVE-2015-0016 Remote Privilege Escalation Vulnerability to escalate privileges on the compromised computer.
    ref.: http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-080408-5614-99
    So just keeping your computer updated with the latest OS patches will go a long way to prevent an infection.
     
    Last edited: Sep 19, 2015
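
Added example (my own Python, not from itman's posts or from any HIPS product) for the two points made in this thread about PowerShell: a .ps1 never runs on its own, it is always a powershell.exe process with the script as an argument, so the process-creation event for powershell.exe is the chokepoint a HIPS rule watches; and in a shop with legitimate admin scripts the rule needs an approved-directory list rather than a blanket block. The event line format, the approved directory and the sample events are constructed; the traits flagged are ones a hand-written admin script rarely needs.

```python
import ntpath
import re

# Constructed: directory from which the admin team's scripts are allowed to run.
APPROVED_SCRIPT_DIRS = [r"C:\IT\Scripts"]

# Command-line traits that a hand-written admin script rarely needs.
TRAITS = [
    (re.compile(r"\s-e(?:c|nc\w*)?\b", re.I), "encoded command"),
    (re.compile(r"\s-e[px]\w*\s+bypass\b", re.I), "execution policy bypass"),
    (re.compile(r"\s-w\w*\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"downloadstring|downloadfile|invoke-expression|\biex\b", re.I), "download / eval cradle"),
]
MAIL_AND_OFFICE = ("thunderbird.exe", "outlook.exe", "winword.exe", "excel.exe")


def _under(path, directory):
    """True if path lies inside directory after normalisation."""
    p = ntpath.normpath(path).lower()
    d = ntpath.normpath(directory).lower()
    return p == d or p.startswith(d + "\\")


def parse_event(line):
    """Parse a constructed key=value process-creation line; quoted values may contain spaces."""
    return {k: q or u for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}


def assess(event):
    """Return the list of reasons a PowerShell start merits an alert (empty = fine or not PowerShell)."""
    image = event.get("image", "").lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe", "\\powershell_ise.exe")):
        return []
    cmd = event.get("cmdline", "")
    reasons = [label for rx, label in TRAITS if rx.search(cmd)]
    m = re.search(r'\s-f(?:ile)?\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    if m:
        script = m.group(1) or m.group(2)
        if not any(_under(script, d) for d in APPROVED_SCRIPT_DIRS):
            reasons.append(f"script outside approved directories: {script}")
    parent = event.get("parent", "").lower()
    if parent.endswith(MAIL_AND_OFFICE):
        reasons.append(f"launched by mail/office client: {ntpath.basename(parent)}")
    return reasons


def scan(lines):
    """Return {timestamp: reasons} for every event that merits an alert."""
    out = {}
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        if reasons:
            out[ev["ts"]] = reasons
    return out


# Constructed sample events; the base64 blob is just "IEX" in UTF-16LE, not a real payload.
SAMPLE_EVENTS = [
    r'ts=2015-09-19T08:01:02 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\explorer.exe" cmdline="powershell.exe -File C:\IT\Scripts\inventory.ps1"',
    r'ts=2015-09-19T08:14:37 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Program Files\Mozilla Thunderbird\thunderbird.exe" cmdline="powershell.exe -NoP -W Hidden -Exec Bypass -enc SQBFAFgA"',
    r'ts=2015-09-19T09:02:11 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\System32\cmd.exe" cmdline="powershell.exe -File C:\Users\alice\AppData\Local\Temp\update.ps1"',
    r'ts=2015-09-19T09:30:00 image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe" cmdline="notepad.exe C:\Users\alice\Downloads\readme.ps1"',
]

if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_EVENTS).items():
        print(ts, "->", "; ".join(reasons))
```

The fourth event is the default file association at work: a double-clicked .ps1 opens in notepad.exe and never reaches the interpreter, so it is not a PowerShell start and is ignored. The first event is an approved script run from explorer and also stays quiet; the other two are the ones a rule would raise.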
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Most fileless malware loads a dll into the browser while in memory and this is not intercepted by HIPS. I have personally tested this injection with Defence Plus and no pop up alerts from Comodo even in paranoid mode with max security.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    I am using Eset HIPS and it stopped both regular and reflective dll (memory based) injection. You can read my testing results here: https://www.wilderssecurity.com/threads/mrg-effitas-online-banking-browser-security-q2-2015.378862/ . Note that you do have to create rules for your browsers and other Internet facing apps to accomplish this. By default, Eset HIPS does not prevent this.

    Additionally, Emsisoft EAM/EIS behavior blocker will by default detect the memory injection attempt from any unknown and unsigned process and issue an alert. Again this result is noted in the above link.

    I also strongly suspect Comodo's Defense+ will stop memory injection attempts but again I believe you have to create specific rules for your Internet facing apps to accomplish this.

    Sandboxie will prevent memory injection of a protected process but only if the malware was present within the sandbox. It will not prevent memory injection from any malware running outside of the sandbox.

    Finally, HitmanPro Alert and supposedly the to-be-released ver 1.8 of MBAE will prevent all defined apps from memory injection. EMET is only effective against simple memory injection attempts since it uses limited predefined address space.
     
    Last edited: Sep 20, 2015
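
Added example (my own Python, not ESET's, Emsisoft's, Comodo's or Sandboxie's logic) of the two policy shapes the post above contrasts, run over constructed "process A wrote into process B" events of the kind a HIPS or behaviour blocker sees for both classic and reflective DLL injection: a reputation-based default that alerts only on unknown, unsigned sources, and a per-application rule that blocks any write into a protected browser or mail client unless the source is allowlisted. Field names, the protected-app set and the allowlist are assumptions.

```python
# Constructed policy inputs (assumptions for this example).
PROTECTED_TARGETS = {"firefox.exe", "chrome.exe", "iexplore.exe", "thunderbird.exe"}
ALLOWED_SOURCES = {r"c:\program files\eset\eset security\ekrn.exe"}  # e.g. the AV engine itself


def default_policy(ev):
    """Reputation-based default: alert only when the source is both unknown and unsigned."""
    return "alert" if (not ev["signed"] and not ev["known"]) else "allow"


def per_app_policy(ev):
    """Target-based rule: any write into a protected app is blocked unless the source is allowlisted."""
    target = ev["target"].lower()
    source = ev["source"].lower()
    if target in PROTECTED_TARGETS and source not in ALLOWED_SOURCES:
        return "block"
    return "allow"


def evaluate(events):
    """Return [(event id, default verdict, per-app verdict)] for every injection event."""
    return [(ev["id"], default_policy(ev), per_app_policy(ev)) for ev in events]


# Constructed injection events; 'method' is informational only, both policies treat
# classic and reflective injection alike because both appear as a cross-process write.
SAMPLE_EVENTS = [
    {"id": 1, "source": r"C:\Program Files\ESET\ESET Security\ekrn.exe", "signed": True, "known": True,
     "target": "firefox.exe", "method": "CreateRemoteThread"},
    {"id": 2, "source": r"C:\Users\alice\AppData\Local\Temp\x.exe", "signed": False, "known": False,
     "target": "firefox.exe", "method": "reflective"},
    {"id": 3, "source": r"C:\Program Files\SomeVendor\helper.exe", "signed": True, "known": False,
     "target": "chrome.exe", "method": "CreateRemoteThread"},
    {"id": 4, "source": r"C:\Users\alice\AppData\Local\Temp\y.exe", "signed": False, "known": False,
     "target": "notepad.exe", "method": "reflective"},
]

if __name__ == "__main__":
    for event_id, default, per_app in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: default={default:5} per-app rule={per_app}")
```

Events 3 and 4 are the gaps each policy leaves on its own: a signed but unrecognised source writing into a browser passes the reputation default and only the per-app rule stops it, while an unsigned source writing into an unprotected process trips the default and not the per-app rule. That is the reason the post stresses creating rules for every Internet-facing app rather than relying on the default alone.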
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yeah, but most of those defenses don't stop memory read/write. Good test is with Process Explorer. Put up the columns that give details about each process in terms of company etc. These don't normally display. The details will be there. Then in Appguard, add Process Explorer to the Guarded Apps list and have another look at Process Explorer. All that info is empty because PE can't read it from the other process memory. Same is true of the write function although tougher to test.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,411
    Location:
    U.S.A.
    I have RPC, SMB, and access to $ADMIN all disabled in Eset's IPS.
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    $ADMIN itman are you cheating by using a Linux system? :)
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No doubt doable, but Appguard makes it so much simpler
     