Innovative Bots Spell Ruin for Malware Analysis

Locking Botnet Agents to Thwart Malware Analysis

 

Thanks nice article

Except there is/are ! AntiExecution software like ProcessGuard for eg. would prevent them. As would Sandboxes and Returnil, DeepFreeze etc type Apps

The AV peeps though admittedly would be more busy than they already are I'm sure they would try and find some way of countering these events. How long it might take them, or how they do it ? No doubt they should be aware of this technique by now, hope so anyway, and be Actively working on ways to combat it, before any serious onslaught emerges

 

No expert here, so I’m just going to attempt to determine to the best of my ability how this exploit might fair on my Win 7 Ultimate setup:

Okay, fair enough, this could happen.

This could also happen, but not if the browser’s fully patched and has no current vulnerabilities?

With my Applocker rules in place and running in a limited account, I don’t see this happening. Exploit should be stopped dead in its tracks by now.

Win 7’s two way firewall setup with default deny on both inbound and outbound connections. No downloading is going to happen the way I see it. Once again, because of Applocker and the limited account, how, again, is the file going to execute? I see no point with further analysis. The exploit, the way I see it, has already been rendered a non-factor.

This goes without even mentioning the relatively simple methods of denying the automatic launching of Java scripts and such in the browser as mentioned by member Rmus time and time again as he keeps proving to be such a highly effective defense against so many of these exploits.

 

Locked to a given computer? What if I want to move malware on an infected computer to a new computer?

Anyway, thank you for the post Searching .

 

Already seen in Rustock.C sample

 

Once again....if it can't execute it can't infect.

 

True, but misleading That's not the point of the whole topic. It means that the malware is starting to be more targetted than ever.

For instance: I got my pc infected with a malware which runs only on my PC, and anywhere else. This doesn't help us analyzing the threat because if you send our laboratories such sample, we probably could see little to nothing because maybe the sample is heavily crypted and it's "impossible"to get it decrypted

 

I get your point Eraser...and you do have your work cut out for you to stay ahead of this one.

The point I was making is that if the malware doesn't get a chance to download or execute on your system in the first place that there is no threat. As more and more malware will adopt this new system of avoiding detection by blacklisting scanners more and more people will be getting infected. Simple education and a few safety measures will greatly reduce the risk of getting hit in the first place. More and more the emphases will have to be on prevention.

 

Now I get your point

 

I should have elaborated more on my first post. Sorry about that.

 

By the way, I just read your latest blog. I agree 100% with it.

http://www.prevx.com/blog.asp