NanoCore Trojan is protected in memory from being killed off

Discussion in 'malware problems & news' started by mood, Jan 16, 2019.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    10,313
    NanoCore Trojan is protected in memory from being killed off
    If you are infected with this malware, you might find it is more difficult to eradicate than standard Trojans
    January 16, 2019

    https://www.zdnet.com/article/nanocore-trojan-stops-you-killing-its-process/
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,227
    Location:
    The Netherlands
This is some sneaky stuff, so even AVs would not be able to kill it? If you ask me, this is a design fault in the Windows OS.
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,113
    Location:
    U.S.A.
    The macro VBA code, hash = FFEE1A33C084360B24C5B987B80887A2D77248224DBD6A0B6574FF9CEF74BDD6, is detected by 35/58 on VT. WD is not one of them.

    The .exe, hash = 32BB5F767FE7788BCA4DD07F89F145D70EC3F58E2581CAB9CA6182D3FCE9BC86, is detected by 54/70 on VT.

    So if you're using a major third party AV solution, I wouldn't worry about this one.
     
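An added example, not part of itman's post or of the linked ZDNet article: a small Python sweep that hashes every file under a directory and matches the two SHA-256 values quoted above, which is the practical use of file hashes once a sample is publicly known. The two IOC hashes are the ones from the post; everything else (the directory walk, the constructed sample files, and the extra hypothetical indicator that demo() adds so the sweep produces a hit offline) is an assumption made for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values quoted in the post above (the macro VBA document and the .exe).
NANOCORE_IOCS = {
    "ffee1a33c084360b24c5b987b80887a2d77248224dbd6a0b6574ff9cef74bdd6": "NanoCore macro VBA document",
    "32bb5f767fe7788bca4dd07f89f145d70ec3f58e2581cab9ca6182d3fce9bc86": "NanoCore executable",
}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, iocs):
    """Walk root recursively and return {path: description} for every file whose
    SHA-256 appears in iocs. Comparison is case-insensitive on the hex digest;
    files that cannot be read (locked, permission denied) are skipped rather than
    aborting the whole sweep."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            label = iocs.get(digest.lower())
            if label:
                hits[path] = label
    return hits


def demo():
    """Self-contained run on constructed files (not real samples): one benign text
    file and one stand-in 'invoice.exe' whose hash is added to the IOC set as a
    hypothetical third indicator, so the sweep yields exactly one hit offline."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"quarterly report draft\n")  # constructed, benign
        downloads = Path(tmp) / "Downloads"
        downloads.mkdir()
        suspect = downloads / "invoice.exe"
        # Constructed stand-in with a PE-like 'MZ' prefix; it is not malware.
        suspect.write_bytes(b"MZ" + b"\x00" * 62 + b"constructed stand-in, not malware")

        iocs = dict(NANOCORE_IOCS)
        iocs[sha256_file(suspect)] = "constructed test indicator"  # hypothetical IOC

        hits = scan_directory(tmp, iocs)
        # Report paths relative to the scanned root so the output is stable.
        return {os.path.relpath(p, tmp): label for p, label in hits.items()}


if __name__ == "__main__":
    for path, label in demo().items():
        print(f"HIT {label}: {path}")
```

Point scan_directory() at a user profile or download folder with NANOCORE_IOCS to sweep for the two published samples; a hash sweep only finds byte-identical files, so it complements rather than replaces the AV detections itman cites.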
  4. drhu22

    drhu22 Registered Member

    Joined:
    Aug 21, 2010
    Posts:
    377
But can it be killed... isn't that the point?
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,113
    Location:
    U.S.A.
    If it can't execute, you don't have to worry about killing it. Although the technique used could be deployed in another 0-day malware.
     
  6. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,523
    Exactly, prevention is the key, but layering your defenses is best.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,227
    Location:
    The Netherlands
This is a no-brainer, but to me it's more about the techniques being used and if HIPS will be able to block them. IMO, it should not have been possible to use this technique without using a driver for example, but apparently Windows does give malware the opportunity. So yes, it's a design fault if you ask me.
     
  8. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,904
    Location:
    Europe, UE citizen
Is it a trojan or a rootkit?
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,113
    Location:
    U.S.A.
It's a trojan and fairly easy to remove if you know where to look:
Its main danger is if allowed to execute it can't be terminated other than by system shutdown.

    Also I just ran across a ransomware sample exhibiting the same behavior - it couldn't be terminated. So I would say this malware's main danger is the non-termination technique it introduced.
     