Techniques for the manipulation of malicious payloads to improve evasion

Discussion in 'malware problems & news' started by Minimalist, Jan 24, 2017.

  1. guest

    guest Guest

    Yep, since ages. Not sure if you know it already; anyway, I will explain:

    Modern scanners obviously don't scan the file or malware's code (it would take too long); they collect its hash (aka the file/malware's unique DNA), and the said hash is compared to those collected by the security vendor. Any difference from the legit hash will trigger an alert, or a quarantine if malicious.

    Simplified example: VLC.exe's legit hash is 123456 (the vendor got it from the VLC team). If during a scan of your system your VLC.exe hash is 123678, an alert will be triggered.
    This mechanism is often used in cloud scans: they don't upload the full file, just its hash, then compare it to their database (of hashes). If a scanner has no clue about the hash (for example a new version of a legit file), it can trigger an upload (like HMP does).

    Yes, the user type is key; if he is dumb or careless, nothing will work.
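The hash-lookup model described in this post, as an added example (not code from the post or from any vendor): a constructed "vendor database" keyed by SHA-256, a classifier that returns known-good, malicious or unknown, and a helper that flips one byte of a sample to show why an exact-hash lookup cannot recognise a modified payload and has to fall back to "unknown" (the case where a cloud scanner would request an upload). The sample "files" and the database entries are constructed for the example.

```python
import hashlib
from typing import Iterable, Dict

# Constructed stand-ins for file contents; not real binaries.
LEGIT_VLC = b"MZ\x90\x00 stand-in for a legitimate vlc.exe image (constructed)"
KNOWN_DROPPER = b"MZ\x90\x00 stand-in for a known malicious dropper (constructed)"


def sha256_hex(data: bytes) -> str:
    """The file's 'unique DNA' in the post's words: its SHA-256 digest."""
    return hashlib.sha256(data).hexdigest()


# Toy vendor databases (constructed). Real vendors hold far larger sets,
# but the lookup is the same: an exact match on the digest.
KNOWN_GOOD: Dict[str, str] = {sha256_hex(LEGIT_VLC): "vlc.exe (vendor-supplied hash)"}
KNOWN_BAD: Dict[str, str] = {sha256_hex(KNOWN_DROPPER): "Example.Dropper (constructed name)"}


def classify(data: bytes) -> str:
    """Return 'malicious', 'known-good' or 'unknown' for one file's bytes."""
    digest = sha256_hex(data)
    if digest in KNOWN_BAD:
        return "malicious"          # alert / quarantine
    if digest in KNOWN_GOOD:
        return "known-good"
    return "unknown"                # the cloud-scanner case: request an upload


def flip_one_byte(data: bytes, offset: int) -> bytes:
    """Change a single byte; the digest changes completely."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def scan(samples: Iterable[bytes]) -> Dict[str, int]:
    """Count verdicts over a batch of file contents."""
    counts = {"malicious": 0, "known-good": 0, "unknown": 0}
    for sample in samples:
        counts[classify(sample)] += 1
    return counts


if __name__ == "__main__":
    batch = [LEGIT_VLC, KNOWN_DROPPER, flip_one_byte(KNOWN_DROPPER, 10)]
    for sample in batch:
        print(sha256_hex(sample)[:16], classify(sample))
    print(scan(batch))
```

The third sample in `batch` is the known dropper with one byte flipped; it lands in `unknown`, which is exactly why a scanner that only matches hashes needs a second mechanism (upload and analysis, signatures, behaviour) for files it has not seen before.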
     
  2. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Rasheed187 :

    As you may have noticed, the topic of this thread is a report that researched whether it would be possible to bypass the native security with obfuscated samples.

    As the report shows, the combination of Windows Defender + SmartScreen blocked 100%.

    If it's SmartScreen alone you wonder about, then take a look at this recent test of SmartScreen in Edge that NSS Labs did :
    http://www.securityweek.com/microsoft-edge-tops-browser-protection-tests
     
  3. guest

    guest Guest

    @Martin_C good link. As I keep saying, the Win 10 built-in security ecosystem is really efficient; careful users will have few chances to be infected, however if the user is an idiot...


    Code:
    The number of virtual machines installed are 4, on which the latest two Windows versions
    (Windows 8.1 and Windows 10) are installed, with both 32 and 64 bit architecture. No component
    or service or tool that could contaminate results has been installed. 
    In the report they don't specify whether they were run on an SUA or an Admin account. I guess an Admin account with UAC set to default.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Isn't there a difference between IE/Edge's SmartScreen and the Win Explorer SmartScreen? Because I'm all for auto-blocking of malware and phishing, that's why I always turn on "Safe Browsing" in FF, especially when it comes to securing noobs. But the SmartScreen that's built into Windows leaves the end decision up to the user.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Go here: http://demo.smartscreen.msft.net/ . These are tests for SmartScreen functionality.

    All tests listed under URL Rep Demos are browser based protections.

    All tests listed under App Rep Demos are protections provided by the stand-alone ver. of SmartScreen in Win 10. These protections are also incorporated into the browser based SmartScreen so non-Win 10 users are covered when using IE11 and Edge.

    Also, SmartScreen can now be used in Chrome and Firefox. Not sure how that is done since I don't use either browser; perhaps by plug-in.

    I have seen no evidence that SmartScreen can block/monitor anything other than browser-based, user-initiated file downloads, and only to the designated download folder, e.g. the Downloads folder. In other words, if malware drops a malware payload in the User Temp folder, SmartScreen will not scan it.
     
    Last edited: Jan 30, 2017
  6. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @guest : Thank you.

    Yes, I agree. The native security in Windows 10 is extremely efficient.

    Out of the box the user will have Windows Defender enabled with both Cloud-based Protection and Automatic sample submission enabled, meaning Block at First Sight is also enabled.
    SmartScreen is enabled system-wide, in the browser and in all UWP apps.
    Windows Firewall active.

    That will keep every average user safe.

    With 5 minutes work on top of that, a user can further improve their security through enabling PUA detection in Windows Defender, set UAC to max, password on Admin account, activate a Standard User Account and use that exclusively.

    That will keep the extraordinarily curious users safe.

    And with an additional 20 minutes on top of that, the remaining settings in Windows that matter for those of us that prefer Fort Knox style are also adjusted.

    With Windows 10 it has never been easier to stay safe.
    Absolutely no third-party security needed. :thumb:

    In the report, everything is default. So they tested from an Admin account and UAC at default.
    Only one thing can't have been default.
    They seem to have turned off the Automatic sample submission in Windows Defender. Or used a pre-1607 edition of Windows 10.
    Because Block at First Sight would have caused Windows Defender to react further in the cases where SmartScreen now took over.
    I assume they disabled Automatic sample submission in order to be able to use exact same samples on all four test systems.

    But nevertheless - the combined native security blocked 100% of their attempts. :thumb:
     
  7. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    More ridiculous nonsense from @itman.

    SmartScreen has been system-wide since Windows 8.x.
    It doesn't matter where the file is on your system.
    If it has the Mark of the Web, then SmartScreen will monitor it and block it if malicious, low rep or unknown.
     
  8. guest

    guest Guest

    lol @itman seriously!!! You didn't know
    that SmartScreen was system-wide?! Come on...
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    What I stated was that I have seen no evidence that SmartScreen App Rep protection is monitoring all downloaded files, i.e. outside the browser. If someone could produce such evidence, I will retract my statement.
     
  10. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    To end this ridiculous mission that @itman constantly attempts, with his posts designed to lure readers into having doubts, being confused and thereby induce fear.

    As has been mentioned before in this thread and similar threads, SmartScreen has been OS system-wide since Windows 8.0.

    Official information on Windows 8.0 : https://technet.microsoft.com/en-us/library/dn283963(v=ws.11).aspx

    Scroll down and read that SmartScreen is implemented in the core and functioning system-wide. In browsers AND on the desktop.

    Official information on Windows 8.1 : https://technet.microsoft.com/en-us/windows/jj983723.aspx

    Scroll down and read about SmartScreen being systemwide.

    Official information on Windows 10 : https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide

    Scroll down and read about SmartScreen being systemwide.

    Official video demonstration of the difference between Windows 7 SmartScreen and the SmartScreen present in Windows 8.0, Windows 8.1 and Windows 10 : https://technet.microsoft.com/en-us...-insights-module-7-smartscreen-filtering.aspx

    Play and watch SmartScreen being system-wide in all Windows editions since Windows 8.0.

    SmartScreen is extremely efficient.

    Anyone reading along can see the proof by simply downloading the report that is the topic of this thread.

    You will find it here : http://www.iswatlab.eu/wp-content/uploads/2017/01/Technical_Report_Evasion.pdf

    As anyone can read in the report and as already explained on page 1 in this thread, the combination of Windows Defender + SmartScreen blocked 100% of all attempts at bypassing the native security.

    For a test of SmartScreen alone, the already mentioned link to this test : http://www.securityweek.com/microsoft-edge-tops-browser-protection-tests

    SmartScreen did excellently.

    SmartScreen is proving itself to be extremely efficient, system-wide as well as in the browser. :thumb:
     
  11. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
  12. guest

    guest Guest

    To explain very, very simply:

    SmartScreen checks the whitelist (via hash & certificate), Win Defender checks the blacklist (via signatures) and UAC doesn't care and blocks any elevation (when set to max) :D
    If you add an SUA, which virtualizes the registry and folders, I think you have quite a good security net.
     
  13. guest

    guest Guest

    I can tell you it works well. I don't remember which executable, but when I was offline (connection issues) SmartScreen alerted during its execution; I was surprised because I hadn't got any alert from it before. Then, when back online, the execution didn't generate an alert. So I can conclude that a reputation check was made and the said executable was flagged as legit and safe.
     
    Last edited by a moderator: Jan 31, 2017
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Will check it out, and will turn on SS on Win 8 for testing.

    When you think about it, you might as well only use white-listing: if it's not on the list, it can't run. Doesn't that make more sense? I believe that's how smartphone security basically works. I mean, if the AV says the file is clean, then why bother users with SmartScreen and UAC? You know that noobs will allow the app to run anyway.
     
  15. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Opening this up to everyone as I think this needs clarifying. I'm getting the impression from reading all the various links posted so far that SmartScreen is system-wide within Windows 10 and works primarily with IE/Edge. The only way I can see it working with Chrome/Firefox is after the file is downloaded within either of those browsers and then run. Is this right?
     
  16. guest

    guest Guest

    Yes, you can, but don't forget non-executable-based malware and other PUPs.

    SmartScreen is another layer, and if my memory is good, it works ahead of Win Def.

    All built-in security features of Windows are made to give efficient security without adding 3rd-party apps; if the user decides to use other apps, then it is another story.

    Yes, as they will do with whatever apps you give them; then that is the user's fault, not a feature weakness. I saw some guys un-quarantine and then whitelist a keygen, only to be infected by it...
     
  17. guest

    guest Guest

  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    I went over to malwaretips.com looking for posts regarding actual malware tests against SmartScreen, in regard to what I posted previously, namely:

    malware drops malware payload in User Temp folder, SmartScreen will not scan it
    Couldn't find any. I would greatly appreciate it if you posted the links to same or PM'd me with them, since this is what I am interested in.

    I did find this posting however:

    REMARKS

    The SmartScreen Filter in Windows 8+ allows some vectors of infection listed below:

    A) You have got the executable file (BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, PIF, SCR and VBE) using:

    * the downloader or torrent application (EagleGet, utorrent etc.);
    * container format file (zip, 7z, arj, rar, etc.);
    * CD/DVD/Blu-ray disc;
    * CD/DVD/Blu-ray disc image (iso, bin, etc.);
    * non NTFS USB storage device (FAT32 pendrive, FAT32 usb disk);
    * Memory Card;

    so the file does not have the proper Alternate Data Stream attached ('Mark of the Web').


    Ref.: https://malwaretips.com/threads/run-by-smartscreen-utility.65145/

     
  19. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @TonyW :

    On Windows 8.0, Windows 8.1 and Windows 10, SmartScreen is active both system-wide as well as in IE/Edge and all UWP apps.

    Anything that arrives on the system will be marked with the Mark of the Web, no matter if it arrives through browser, mail or anything else.

    And anything marked with Mark of the Web will be monitored by SmartScreen and blocked if malicious, low rep or unknown.

    That is the system-wide implementation of SmartScreen that protects no matter what browser, mail application or whatever a user uses.

    I have posted a link to a Microsoft video a little further up in the thread that explains the difference between Win7's browser-only SmartScreen and Windows 8.x and Windows 10 with system-wide SmartScreen.

    The browser-implemented SmartScreen is an additional layer that is active in IE/Edge.
    It's easier to picture if you look at it as an advanced additional layer with a mean attitude that blocks web threats before they land on the system.

    Whereas the system-wide SmartScreen will block web threats before they can get a chance to execute.

    More about the browser SmartScreen evolution here :

    https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/

    https://blogs.technet.microsoft.com...engineering-techniques-using-pdf-attachments/
     
  20. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Just a little information so nobody gets worried.

    @itman : You have either misunderstood what Andy Ful writes or are trying to twist parts of his words into something he never meant.

    All the executables you list will be marked with the Mark of the Web and monitored by SmartScreen IF THEY ARRIVE FROM THE INTERNET !!!!

    That is what SmartScreen does - monitor anything introduced from the Web.

    If, on the other hand, all the listed executables arrive from CD, DVD or USB stick, then they will be picked up by Windows Defender, which with Windows 10 1607 (Anniversary Update) is now ALSO blocking unknown files, as already explained earlier in this thread about Windows Defender's Block at First Sight feature.

    So everything you list will still be blocked if Windows Defender and SmartScreen are used in combination.
    Which is exactly what the topic of this thread is about.

    Furthermore, Andy Ful made an error in his listing.
    Anything arriving in archive/container format from the web will be marked with the Mark of the Web, and when unpacked, everything within the archive will inherit the Mark of the Web.
    Andy Ful corrects this mistake later in his posting.

    And also, I have already explained this in this post on page 1 of this thread : https://www.wilderssecurity.com/thr...loads-to-improve-evasion.391559/#post-2648044

    Finally I would like to add that I was already very well aware of Andy Ful's project since it has been on Github for quite some time.

    The reason Andy Ful began his Run by SmartScreen project is NOT due to any shortcomings in SmartScreen, as you apparently think.

    The reason Andy Ful began his Run by SmartScreen project is due to the fact that SmartScreen is absolutely amazing at catching zero-days.

    And he therefore wanted a way to add the Mark of the Web to executables that didn't enter the system through the web.

    So Andy Ful's project is yet more proof that SmartScreen works very, very well. :thumb:
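The Mark of the Web that posts 18 to 20 argue about is, concretely, an NTFS alternate data stream named `Zone.Identifier` attached to the downloaded file. The following is an added example, not code from the thread or from Andy Ful's Run by SmartScreen project: a parser for the stream's INI-style contents (the `[ZoneTransfer]` section with `ZoneId`, and the `ReferrerUrl`/`HostUrl` fields that newer browsers add), a helper that reads the stream on Windows via the `path:Zone.Identifier` syntax, and constructed sample streams standing in for a browser download versus an intranet copy. The zone numbers follow the URL security zones (0 local machine through 4 restricted sites); treating zones 3 and 4 as "came from the web" is this example's assumption about what a system-wide check would key on.

```python
import os
from dataclasses import dataclass
from typing import Optional

# URL security zone ids as recorded in the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")

    @property
    def from_web(self) -> bool:
        # Assumption for this example: Internet (3) and Restricted (4) count as web origin.
        return self.zone_id in (3, 4)


def parse_zone_identifier(text: str) -> Optional[MarkOfTheWeb]:
    """Parse the contents of a Zone.Identifier stream.

    Returns None when the text carries no usable [ZoneTransfer] ZoneId,
    which is how a file with no Mark of the Web (CD, FAT32 stick, etc.) looks.
    """
    in_section = False
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    try:
        zone_id = int(fields["zoneid"])
    except (KeyError, ValueError):
        return None
    return MarkOfTheWeb(zone_id, fields.get("referrerurl"), fields.get("hosturl"))


def read_motw(path: str) -> Optional[MarkOfTheWeb]:
    """Read a file's Zone.Identifier stream (NTFS on Windows only)."""
    if os.name != "nt":
        raise OSError("alternate data streams are only available on NTFS under Windows")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except FileNotFoundError:      # no stream at all: file never got the mark
        return None


# Constructed sample streams (placeholder URLs, not real downloads).
BROWSER_DOWNLOAD = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads\r\n"
    "HostUrl=https://cdn.example.invalid/setup.exe\r\n"
)
INTRANET_COPY = "[ZoneTransfer]\r\nZoneId=1\r\n"
NO_MARK = ""                       # what a file copied from FAT32 or a CD would yield


if __name__ == "__main__":
    for label, stream in (("browser", BROWSER_DOWNLOAD), ("intranet", INTRANET_COPY), ("none", NO_MARK)):
        motw = parse_zone_identifier(stream)
        print(label, "->", "no mark" if motw is None else f"{motw.zone_name}, web={motw.from_web}")
```

`read_motw` is the only Windows-specific part; on a Windows box it can be pointed at a freshly downloaded file and will return the same `MarkOfTheWeb` the parser produces from `BROWSER_DOWNLOAD`, whereas a copy made from a FAT32 stick returns `None`, matching the list of "no Mark of the Web" vectors quoted in post 18.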
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    I fully understood what he wrote. I repeat:

    You have got the executable file (BAT, CMD, COM, CPL, DLL, EXE, JSE, MSI, OCX, PIF, SCR and VBE) using:

    * the downloader or torrent application (EagleGet, utorrent etc.);
    * container format file (zip, 7z, arj, rar, etc.);
     
  22. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Apparently not.
    Please try and read what I wrote once more.
    The post is not that long.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    @Martin_C throws around Mark-Of-The-Web as if everyone knows what that is. I found an excellent article that explains it in layman's terms without having to resort to Microsoft techno-babble: https://textslashplain.com/2016/04/04/downloads-and-the-mark-of-the-web/

    Do note this section on bypasses of Mark-Of-The-Web:

    What Could Go Wrong?

    With such a simple scheme, what could go wrong? Unfortunately, quite a lot.

     
    Last edited: Jan 31, 2017
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    One final comment that I have purposely saved to the end.

    It doesn't matter how good a security solution's protections are if it can be easily bypassed. Bypassed in this context means: can malware easily suspend, terminate, or modify the software? This has been said by me in other postings, but it seems the message is not getting across here on Wilders. Let's see how Win 10's native SmartScreen fares in this regard.

    Perform the following:

    1. Start Process Explorer. Note: No need to run it as admin for this test. We are simulating malware running under the limited admin account which most users log on as.
    2. Suspend Smartscreen.exe.

    SmartScreen is suspended as shown in the below screenshot. How is that possible? Native Win 10 SmartScreen runs as a medium integrity process! When I saw that after upgrading to Win 10, I burst out laughing.

    In marked contrast, one of those "unneeded" third-party security products, Eset ver. 10, has its main kernel process running as a protected process in Level 0, the same level and protection given to the Win 10 OS kernel process.

    So please do continue to use Win 10 native protections, this is exactly what the malware developers want.

    SmartScreen_Bypass.png
     
    Last edited: Jan 31, 2017
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,823
    Location:
    .
    Strange. I'm running Windows 8.1 x64 and procexp (no admin.) and it shows in the User Name column as <access denied>, is this normal?

    procexp_low.png
     