Ransomware and poor protection by HIPS

Discussion in 'other anti-malware software' started by aigle, Jul 10, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Inspired by the discussion about GPcode.exe in this thread

    https://www.wilderssecurity.com/showthread.php?t=214166

    I did some testing with another ransomware Trojan, Arhiveus.

    http://www.secureworks.com/research/threats/arhiveus/

    When I ran it on my system, it ate up ALL files in My Documents and put them in a single file with a password.

    GesWall passed as expected. :thumb:
    CFP Defence Plus failed (execution of trojan allowed)
    ThreatFire failed
    Neoava Guard failed (execution allowed) - no alerts, unlike the case with the GPcode trojan, where it was at least able to give some alerts.

    I don't find any classical HIPS/behaviour blocker able to counteract such malware. :'(

    (Four screenshots attached: 07-10_0028.jpg, 07-10_0029.jpg, 07-10_0030.jpg, 07-10_0031.jpg)
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Here is the GW log.

    SBIE, DW and SafeSpace etc. are expected to have the same level of protection.
     


  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    :thumb: You should get paid for all this malware testing ;)
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm not surprised that ThreatFire doesn't stop ransomware, it doesn't stop keyloggers either. ThreatFire doesn't seem to recognize all suspicious behavior and ransomware and keyloggers are suspicious. That's what you get when you have to depend on security with artificial intelligence.
     
  5. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    aigle, a tiny comment if I may. "Classical HIPS" need configuring. So, let's say you have important documents in a folder. Protect that folder, allow only the necessary programs.
    Did you try it like this, or only with default rules?
     
  6. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    I totally agree with this. When I see keyloggers running happily and malware like GPcode and this one trashing my files with no reaction at all from programs like Mamutu and TF, I have to question their worth.
     
  7. hammerman

    hammerman Registered Member

    Joined:
    Jul 14, 2007
    Posts:
    283
    Location:
    UK
    Aigle

    Nice find. ~removed off topic comment concerning publically trading malware....Bubba~
     
    Last edited by a moderator: Jul 10, 2008
  8. Someone

    Someone Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    1,106
    Hi

    But wouldn't behavioural blockers still be much better than nothing?

    Thanks
     
  9. dmenace

    dmenace Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    275
    What about Drive Sentry?
     
  10. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I'll give SBIE a try later and report.
    Must backup my data first :p
     
  11. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I will second that, kudos to aigle
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks for the replies, especially Kees and djohn.

    It's not at all professional testing. But really, it's an interesting type of malware. I would like to play with them more.

    I am tired of ordinary malware that just tries to create exe and dll files here and there and tries to load drivers, which is stopped brutally by the classical HIPS.
     
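    Pedro's suggestion (a protected folder with a per-program allow-list) and aigle's observation (default rules only care about dropped executables and driver loads) can both be shown on a small replay. The block below is an added example, not code from any product named in this thread: a toy HIPS policy engine fed a constructed file-event trace shaped like the Arhiveus behaviour described above (read every document, write one container, delete the originals). The process name, folder path, extension list, allow-list and the threshold are all assumptions chosen for the illustration; the container names demo.als and EncryptedFiles.als are taken from HURST's Sandboxie report later in the thread.

```python
"""
Toy HIPS policy engine replayed over a constructed, Arhiveus-style file-event trace.
Added example for this thread; not code from any HIPS or sandbox discussed here.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    process: str  # image name of the process performing the operation
    op: str       # "read", "create", "delete" or "load_driver"
    path: str     # file path ("" for load_driver)


# Assumed values (hypothetical, chosen for the example).
PROTECTED_DIR = "C:\\Documents and Settings\\user\\My Documents\\"
USER_DOC_EXTS = (".doc", ".txt", ".jpg", ".xls", ".pdf")
ALLOWED_IN_PROTECTED = {"explorer.exe", "winword.exe", "notepad.exe"}
MASS_DELETE_MIN = 10  # user-document deletions before a process is flagged

# Constructed victim file set: 6 text notes and 6 screenshots under My Documents.
USER_FILES = [PROTECTED_DIR + f"notes{i}.txt" for i in range(6)] + \
             [PROTECTED_DIR + f"my images\\shot{i}.jpg" for i in range(6)]


def classical_rule(ev: Event) -> str:
    """Default-style rule: block driver loads and drops of executable code, nothing else."""
    if ev.op == "load_driver":
        return "block"
    if ev.op == "create" and ev.path.lower().endswith((".exe", ".dll", ".sys")):
        return "block"
    return "allow"


def protected_folder_rule(ev: Event) -> str:
    """Pedro's rule: only allow-listed programs may create or delete inside the folder."""
    if ev.op in ("create", "delete") and ev.path.lower().startswith(PROTECTED_DIR.lower()):
        return "allow" if ev.process.lower() in ALLOWED_IN_PROTECTED else "block"
    return "allow"


def replay(events, rules, initial_files):
    """Run every event through the rules; a blocked operation has no effect on disk.
    Returns how many events were blocked and which user documents survived."""
    on_disk = set(initial_files)
    blocked = 0
    for ev in events:
        if any(rule(ev) == "block" for rule in rules):
            blocked += 1
            continue
        if ev.op == "create":
            on_disk.add(ev.path)
        elif ev.op == "delete":
            on_disk.discard(ev.path)
    remaining = {p for p in on_disk if p.lower().endswith(USER_DOC_EXTS)}
    return {"blocked": blocked, "remaining_docs": remaining}


def mass_deletion_verdict(events):
    """Behavioural heuristic: a process that deletes many user documents while creating
    only a handful of files looks like an archiving/encrypting ransomware."""
    deleted, created = Counter(), Counter()
    for ev in events:
        if ev.op == "delete" and ev.path.lower().endswith(USER_DOC_EXTS):
            deleted[ev.process] += 1
        elif ev.op == "create":
            created[ev.process] += 1
    return {p for p, n in deleted.items() if n >= MASS_DELETE_MIN and n > 3 * created[p]}


def arhiveus_like_trace():
    """Constructed trace: read every document, write two .als containers, delete originals.
    No exe/dll is dropped and no driver is loaded, so classical rules see nothing."""
    p = "arhiveus.exe"  # assumed process name
    trace = [Event(p, "read", f) for f in USER_FILES]
    trace += [Event(p, "create", PROTECTED_DIR + "demo.als"),
              Event(p, "create", PROTECTED_DIR + "EncryptedFiles.als")]
    trace += [Event(p, "delete", f) for f in USER_FILES]
    return trace


def classic_dropper_trace():
    """Constructed trace of the 'ordinary' malware a classical HIPS does stop."""
    return [Event("dropper.exe", "create", "C:\\WINDOWS\\system32\\evil.dll"),
            Event("dropper.exe", "load_driver", "")]


if __name__ == "__main__":
    trace = arhiveus_like_trace()
    print("classical rule only :", replay(trace, [classical_rule], USER_FILES))
    print("plus folder rule    :", replay(trace, [classical_rule, protected_folder_rule], USER_FILES))
    print("behaviour verdict   :", mass_deletion_verdict(trace))
    print("dropper, classical  :", replay(classic_dropper_trace(), [classical_rule], []))
```

    With the classical rule alone the replay blocks nothing and every document is gone; adding the protected-folder rule blocks all 14 writes and deletes and leaves the 12 documents in place, while a benign single deletion by winword.exe still goes through. The mass-deletion heuristic flags arhiveus.exe only after the deletions have already been attempted, which is why a blocking folder rule and a backup are worth more than a behaviour score for this class of malware.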
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I totally agree with you. But my problem is that I take notes from here and there and usually keep them anywhere on my three non-OS partitions, here and there. I take screenshots so often and put them here and there in the same way. It's not really private data or personal info, so I don't bother to put them in a specific folder. If I have personal/private data I will do that. But still these text and image files are important to me and I would not like a malware to steal them in such a way, bypassing my HIPS software.

    IMO such a feature is needed in classical HIPS. I wrote this at the Comodo forums.
     
  14. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    You are welcome. The fact is your testing has more worth, at least to me, than some Joe Schmoe from blank magazine that may be just a biased review anyway. I would like to see some others here join in the testing as well. I would love to be testing if (A) I had a test machine, (B) I had samples, (C) I had more knowledge.
     
  15. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    For those who are interested,

    I tested Arhiveus against both DefenseWall and Primary Response SafeConnect. The former successfully blocked and contained it with or without putting my "document" folder under the protection of "Secured Files". Unfortunately, the latter did not react to it.


    Peace & Gratitude,

    CogitoErgoSum
     
  16. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    I applaud all of your efforts to date in testing a good variety of malware samples against various sandboxes and HIPS. FYI, I have gotten some new ideas as to malware samples that I have either overlooked or not yet tested from reading through all of your threads. Keep up the good work.:thumb:


    Peace & Gratitude,

    CogitoErgoSum
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks. And I am also thankful for your tests and for sharing the results with us, especially about DW and PRSC.
     
  18. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Tested Arhiveus.A against Sandboxie 3.28

    First test, sandbox with my own settings:
    Trojan crashed, as the data partition is totally blocked with Sandboxie.

    Second test, sandbox with default settings:
    Created 2 files, which launched the Immediate Recovery window. I didn't recover in either case.
    Inside the sandbox, 2 files were created: "demo.als" and "EncryptedFiles.als"; and a folder: "my images". In that folder, only ONE picture was "stolen", but it wasn't encrypted. By the way, the original picture is still in its original folder.
     
  19. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
    Hello aigle,

    You are very welcome. Thanks for the compliment.


    Peace & Gratitude,

    CogitoErgoSum
     
  20. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    It sounds to me like *SBIE passed the test* or... am I mis-interpreting?
     
  21. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Yes bellgamin, you are right, SBIE passed.
     
  22. simmikie

    simmikie Registered Member

    Joined:
    Nov 11, 2006
    Posts:
    321
    before completely writing off behaviour blockers, would someone test against the most effective of them all, Prevx2?


    Mike
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I tried SafeSpace against both these trojans, GPcoder and Arhiveus.

    SafeSpace stopped them, no data was lost. No pop-ups. :thumb:

    I miss SafeSpace. It had a lot of potential but alas it died too prematurely. :'(
     
  24. GES/POR

    GES/POR Registered Member

    Joined:
    Nov 26, 2006
    Posts:
    1,490
    Location:
    Armacham
    I really would like to believe that, but do you have some proof? :)
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Shoot fellows, look behind before looking ahead. Like others, TF has turned into a discussion of complaints for quite a few customers. It didn't fare any better with my set up, so I just reached back in time and pulled up an old version of CyberHawk = (3) drivers, and I couldn't be happier with the way it complements my HIPS, EQSecure. Let a dll injection try to insert itself and CyberHawk will TERMINATE it in a flash, issue over. Even a HIPS requires the user to terminate running processes.

    This was exactly what I had been looking for, and I was blinded like everyone else that new is always better, and to that I say pfffft!

    WATCH SECURITY DEVELOPERS add more and more to their products in the times to come and have fun with issues and incompatibilities. For me, I'm staying put in the happy medium of the before times, because security apps are laying it on pretty thick all the time, and IMO, that is simply not necessary.

    EASTER
     