Discussion in 'other anti-malware software' started by co22, Mar 28, 2017.
That would be great. Thanks Moose!
We'll send you a PM to work out details.
We've tested that sample against a wide range of products and all fail except for RansomOff. Obviously, there will be those that will claim because it's our sample that RO is tuned to detect it. It's fair criticism and if it wasn't for the legal liability of releasing a ransomware sample, we would share it. But the truth is that RO has a fundamentally different way of detecting ransomware behavior than generic behavior blockers and our sample triggers it just like any other ransomware.
Part of the problem is most behavior blockers are modeled on known samples to derive the behaviors to watch. However, attackers are always evolving and finding new ways to do things so if you are just looking based on past threat tactics, anything new will get by. The sample shown in the video does things differently than other ransomware and those differences are enough to get past behavior monitoring. Nothing in that sample is revolutionary either. Just some simple obfuscations that any competent developer would be able to do.
Can someone please explain what a "leak test" is by the way? We aren't familiar with that term and it really doesn't seem relevant anyway. If all files on a system get encrypted, leak test or not, that's still fundamental ransomware behavior that should be alerted to.
Leak test is a term that was coined by test applications that demonstrated ways to get around application based firewalls. It has since been used as a term to refer to synthetic and artificial test tools that aim to demonstrate "weaknesses" in all kinds of security software. The problem of leak tests is, that they usually aren't actual malware, because the idea is for users to run them, so they can't actually do anything malicious. They just take one technique, test it in complete isolation and then spit out a verdict. This may help to assess simple tools, that are strictly rule based, like HIPS or firewalls, but fails miserably to assess anything that takes a bit of a more holistic approach.
Your test tool is as much ransomware as a password protected ZIP folder is. Encryption is tied to a lot of user interaction. The closest your leak test comes to ransomware is it being similar to tools used in RDP attacks like LeChifre or Al-Namrood. Those attacks can't be mitigated. Even your tool doesn't. After all, once you have an RDP connection, nothing stops the attacker from just clicking allow or just turning off or uninstalling your software.
Limiting the focus on detecting file encryption only is risky for other reasons as well. Take Harasom for example, a ransomware family that caused major mayhem in South America a few years ago. It does encrypt files, but embeds them inside HTML documents. So if a tool was to look for just files being encrypted without context, it would totally miss it. Judging by your comments and the insights into how you test and benchmark your own product, I wouldn't be surprised at all if it would go by completely unnoticed. You can try it out:
The latter link lets you download the sample after a free registration. Just in case you don't have VTi access. I could obviously make a YouTube video to see if my hunch is correct while proclaiming I don't want to knock your product, but that would be a bit too "scheinheilig" for my taste.
Excellent point. The two most widely used like suites, Comodo and Matousec, were designed exactly for that purpose. That is to ensure that firewalls and the corresponding integrated HIPS in security suites were configured as tightly as possible to prevent common and known malware attack vectors. Most of the HIPS tests were to prevent malware from modifying critical system files and registry keys. Some additional tests were to detect .dll injection and the like into critical processes i.e. API use monitoring.
Interesting discussion here lately!
As for Harasom, it would be indeed interesting to see how RO reacts on that threat.
Fabian, in case you can still access the sample, might I ask you to please reupload that sample to Hybrid (or even Malwr), as the Malwr link is dead, and I've no idea how to access VT files (I'm pretty sure only researchers can). A quick search gave me only the link you already shared.
Thank you in advance!
There you go: https://www.hybrid-analysis.com/sam...b2233d71efa3ae064a073a771f5?environmentId=100
I would like to see some tests for Locky, Spora, and the latest Cerber v6 variant.
Thank you for the very fast reply!
I finally got my hands on the sample, injects into / triggers msiexec.exe. This process runs twice in memory, but both have the status "suspended" as soon as the malware is run. Nothing changes even after minutes of letting them run. Could be that RansomOff is freezing it? As the ShadowDefender conflict in RansomOff (freezing ransomware, but not showing alerts) is still current (me waiting for a new release, checking daily), I cannot tell whether RO does alert or not. There is no ransom screen / notice. SysInternals AutoRuns does not show entries with a VT rating greater than 0.
No 2nd-opinion scanner used is able to track down traces of the malware infection.
No VM here and won't run any sample in a live system.
@HeiDef what about checking out the sample, maybe a vid on it?
Side note: The sample seems to trigger something AVG IDP is aware of - obviously only when network connection is established.
For this test, I shut down AVG completely before running the malware.
OK, so why did RO manage to spot this behavior? My general impression is that most tools that are truly behavioral monitoring based all watch for rapid file modification. I'm speaking of tools like AppCheck, RansomFree, HMPA and of course RansomOff.
But as long as these simulators perform actual malicious behavior like rapid file encryption for example, then a tool that is designed to spot this should alert about this, no? But if I understood correctly, this simulator didn't behave like "real" ransomware and that's why EIS didn't alert about it.
OK so RO did manage to block the encryption? And cool to know that AVG alerted about it.
Don't forget KAR - it too blocks ransomware by default when it's run. That and the tools you mentioned are a combo behavior blocker/cloud AV intelligence scanner. Understandable in view of the fact ransomware is evolving rapidly and definition-based AVs can't always stop them, especially when no definition for them exists. Zero day malware must be addressed with different technology.
We are getting ready to release a new build. This will have a number of features requested by various users to include process hollowing detection, import/export of settings and better persistence of protection settings across reboots along with a smattering of minor bug fixes. While we didn't yet find the cause of the BSOD reported by Baldrick, we did make some changes that will hopefully prevent the WU issues that paulderdash reported.
We are finishing up our testing so hope to push it out later tonight or early tomorrow. Once we release it, we'll do a video on harasom and the samples itman requested.
It's definitely possible that RO is doing something to it that makes it freeze. We have seen other cases where RO does kind of "sit on it" for a while so we'll have to look into that. We haven't played with this specific sample yet though to know for sure. We actually found it at http://www.kernelmode.info/forum/vi...9046c1ec74fb2233d71efa3ae064a073a771f5#p20052 As an aside, kernelmode.info generally does have a lot of samples for download.
But once we get the next build out the door we'll dig into this.
No idea, maybe something made the sample not be working as expected. With the current ShadowDefender issue, I could not test ransomware yet. Someone with a VM should confirm.
Or just wait for the vid @HeiDef promised above.
Great news, can't wait to get my hands on it
Great I took the one from Hybrid Analysis, kindly reuploaded by @Fabian Wosar.
It's a good place to get fresh samples (the sample I requested above did not find its way to there earlier unfortunately).
The sample did nothing for more than half an hour but running in mem. According to Hybrid, it should have changed my wallpaper / lock my screen (and touch my files).
Since DreamsandVisions doesn't have a VM: This is the result on a Windows 7 32bit VM:
Detects the autorun entry being created.
System is fully encrypted and the ransomware lock screen is being displayed as I would have expected. I should play the lottery with those kinds of hunches. Almost as if I know my way around ransomware. Let's hope it gets fixed in the next version (maybe even today).
Thanks for pointing out a deficiency. We'll have it fixed next build.
Have managed to get hold of a minidump re. the BSOD I am getting when running RansomOff.5.2017.144.10111.BETA.x64. In the hope that it will be of use to you I can provide this. Please advise as to how best to get it to you.
Awesome! Just sent you a PM.
We'll delay the next release to make sure we can incorporate whatever we can get from this.
Fabian is right - when it doesn't halt ransomware from running, it's already failed. Tests like this aren't scientific but help to point out the deficiency in security software. At the end of the day though, everyone will agree it's the human element that counts - don't download or run anything you're not sure is safe. In the end, that is your best protection against malware.
Absolutely. And we never claim to be 100% effective. Nothing ever will be. But concur on the human element. It's always the weakest link.
In this case, after playing with the harasom sample, we recognized that we gave too much leeway to legit Windows executables (in this case msiexec). So we will tighten up the heuristics to make sure that won't be an issue. And again, always appreciative of good feedback.
Received and mini dump despatched, HeiDef
Yes, with these kinds of tools you can't expect 100% security. BTW, cool that you added protection against process hollowing.
I get an alert every time a scheduled Macrium backup runs:
Alert Start: Signal
Alert Level: Detect
Alert DTG: 2017-06-01 23:17:41 UTC
The following process was detected modifying a common Windows registry start up location. Please verify that this is a legitimate modification.
File Path: 'c:\program files\macrium\reflect\reflectbin.exe'
New Start Up: 'c:\program files\macrium\reflect\reflect.exe -q'
Registry Path: '\registry\machine\software\microsoft\windows\currentversion\runonce\macriumrunonce'
I set an exemption for it, so it doesn't pop up on the screen, but it shows up in the alert log. Since I run a backup several times per day, the alerts are piling up. Is there any way to stop this? I'm running the latest beta of RO under Windows 10 Home. Thanks.
Hey @Kid Shamrock
Right now there is no way to stop the alert from piling up in the alert window. The exemption just stops the popup but we can extend the exemption to prevent the alert as well or at the least stop the alert indicator from incrementing every time for an exempted process.
We are actually in the process of redesigning the way alerts work a bit. It won't be our next release but hope to have some changes in the near future.
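An added example in Python, not RansomOff's code and not posted by anyone in this thread: a small parser for alert log entries shaped like the Macrium alert quoted above, with an exemption list applied so that exempted processes no longer count toward the alert indicator, which is what the last two posts discuss. It also flags whether the touched registry path is one of the standard Run/RunOnce autostart keys. The second log entry, its file paths and its registry value name are constructed placeholders; the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample alert log. The first entry reproduces the shape of the
# RansomOff alert quoted in the thread; the second is made up (placeholder
# paths and value name) to show a non-exempted process writing a Run key.
SAMPLE_LOG = r"""
Alert Start: Signal
Alert Level: Detect
Alert DTG: 2017-06-01 23:17:41 UTC
The following process was detected modifying a common Windows registry start up location. Please verify that this is a legitimate modification.
File Path: 'c:\program files\macrium\reflect\reflectbin.exe'
New Start Up: 'c:\program files\macrium\reflect\reflect.exe -q'
Registry Path: '\registry\machine\software\microsoft\windows\currentversion\runonce\macriumrunonce'

Alert Start: Signal
Alert Level: Detect
Alert DTG: 2017-06-02 08:05:12 UTC
The following process was detected modifying a common Windows registry start up location. Please verify that this is a legitimate modification.
File Path: 'c:\users\example\appdata\local\temp\placeholder-installer.exe'
New Start Up: 'c:\users\example\appdata\local\temp\placeholder-installer.exe /s'
Registry Path: '\registry\machine\software\microsoft\windows\currentversion\run\placeholdervalue'
"""


@dataclass
class Alert:
    level: str
    dtg: str
    message: str
    file_path: str
    new_startup: str
    registry_path: str

    @property
    def is_autostart_key(self) -> bool:
        # Run and RunOnce under ...\CurrentVersion are the classic
        # autostart keys; these are the locations such an alert is about.
        p = self.registry_path.lower()
        return "\\currentversion\\run\\" in p or "\\currentversion\\runonce\\" in p


# "Key: value" lines; the descriptive sentence has no ": " and is kept as the message.
_FIELD = re.compile(r"^([A-Za-z ]+): (.*)$")


def parse_alert_log(text: str) -> list:
    """Split the log on blank lines and turn each block into an Alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        message_lines = []
        for line in block.splitlines():
            m = _FIELD.match(line)
            if m:
                # Values are quoted with single quotes in the log; strip them.
                fields[m.group(1).strip().lower()] = m.group(2).strip().strip("'")
            else:
                message_lines.append(line.strip())
        alerts.append(Alert(
            level=fields.get("alert level", ""),
            dtg=fields.get("alert dtg", ""),
            message=" ".join(message_lines),
            file_path=fields.get("file path", ""),
            new_startup=fields.get("new start up", ""),
            registry_path=fields.get("registry path", ""),
        ))
    return alerts


def filter_exempted(alerts, exempt_paths) -> list:
    """Drop alerts whose originating process path is on the exemption list."""
    exempt = {p.lower() for p in exempt_paths}
    return [a for a in alerts if a.file_path.lower() not in exempt]


def alert_indicator_count(log_text: str, exempt_paths) -> int:
    """What the alert indicator should show once exemptions are honoured."""
    return len(filter_exempted(parse_alert_log(log_text), exempt_paths))


if __name__ == "__main__":
    exempt = [r"c:\program files\macrium\reflect\reflectbin.exe"]
    for a in filter_exempted(parse_alert_log(SAMPLE_LOG), exempt):
        print(a.dtg, a.file_path, "autostart key" if a.is_autostart_key else "")
    print("indicator:", alert_indicator_count(SAMPLE_LOG, exempt))
```

Matching the exemption on the full lowercase process path rather than the bare file name keeps a process dropped into a temp folder with a familiar name from inheriting an exemption granted to the real backup binary.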
Yes, I think there should be an option to stop an alert completely, if desired. Thanks for the fast response!