Techniques for the manipulation of malicious payloads to improve evasion

Discussion in 'malware problems & news' started by Minimalist, Jan 24, 2017.

  1. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @itman : more rambling and more desperate attempts to lure readers into fear. Sigh.

    You try to portray Mark of the Web as something mysterious "techno-babble" as you call it.
    Seriously??
    You have got to be kidding.

    Mark of the Web has been a key element of Windows since Windows XP SP2. That was in 2004 - 13 years ago!

    That you don't know about it is hardly Windows', mine or anybody else's problem.
    Every single developer in IT security knows about this.
    It affects every aspect of Windows.

    As for your "oh, my god - I suspended a process" post.

    There are several kinds of SmartScreen processes started with various integrity levels according to what SmartScreen is monitoring and doing.
    That you claim you have disabled SmartScreen due to having suspended a single medium integrity smartscreen.exe process, only proves that you have no clue what you are doing or talking about.
    How embarrassing.

    Anyone reading along - do not forget that this thread holds two tests.
    A test of SmartScreen's browser implementation alone that showed that when bombarded with 220918 malicious samples, SmartScreen blocked 99% and never allowed any of those to enter the system.
    The other test showing that Windows Defender + SmartScreen systemwide implementation blocked 100% of the obfuscated samples when attempting to execute on the local system.

    So real world testing proves that the native security works. :thumb:
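The Mark of the Web that the post above refers to is what SmartScreen consults when a downloaded file is launched. The following PowerShell is an added example, not code from the thread or from any poster; it assumes that the mark is stored in the NTFS alternate data stream named `Zone.Identifier` as an INI-style `[ZoneTransfer]` section with a `ZoneId` value (3 = Internet), and the file and folder paths in it are placeholders. It reads the mark from one file and lists files in a folder that carry no mark at all, which is the case a defender most wants to spot, since an unmarked executable gets no SmartScreen reputation check on launch.

```powershell
# Added example (not from the thread): read the Mark of the Web (MotW) that
# SmartScreen consults before deciding whether to warn about a downloaded file.
# Assumption: MotW lives in the NTFS alternate data stream "Zone.Identifier",
# an INI-style text with a [ZoneTransfer] section and a ZoneId value.

# URLZONE values as written into Zone.Identifier (0-4 are the standard zones).
$ZoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-MarkOfTheWeb {
    <#
    .SYNOPSIS
      Returns the MotW details for one file, or $null when the file carries no mark.
    #>
    param([Parameter(Mandatory)][string]$Path)

    # Get-Item -Stream errors when the stream is absent, so probe quietly first.
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }

    $raw = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw
    $fields = @{}
    foreach ($line in ($raw -split "`r?`n")) {
        # Keep key=value lines; ignore the [ZoneTransfer] header and blank lines.
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }

    $zoneId = -1
    if ($fields.ContainsKey('ZoneId')) { $zoneId = [int]$fields['ZoneId'] }
    $zoneName = 'Unknown'
    if ($ZoneNames.ContainsKey($zoneId)) { $zoneName = $ZoneNames[$zoneId] }

    [pscustomobject]@{
        Path        = $Path
        ZoneId      = $zoneId
        Zone        = $zoneName
        ReferrerUrl = $fields['ReferrerUrl']   # written by newer Windows 10 builds
        HostUrl     = $fields['HostUrl']       # written by newer Windows 10 builds
    }
}

function Get-UnmarkedDownloads {
    <#
    .SYNOPSIS
      Lists downloaded files of risky types that carry no MotW. Such files skip the
      SmartScreen reputation check on launch, so they are worth a second look.
    #>
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))   # assumed default folder

    Get-ChildItem -LiteralPath $Folder -File -Recurse -Include *.exe, *.msi, *.ps1, *.js, *.vbs, *.zip |
        Where-Object { -not (Get-MarkOfTheWeb -Path $_.FullName) } |
        Select-Object FullName, Length, LastWriteTime
}

# Usage (paths are placeholders, not files from the thread):
# Get-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-List
# Get-UnmarkedDownloads | Format-Table -AutoSize
```

A file that reaches the disk through a channel that does not write the stream (some archivers, some non-NTFS media, or a script that strips it) will show up in the second list; that is the gap a layered setup, with Windows Defender still scanning on execution, is meant to cover.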
     
  2. guest

    guest Guest


    The tester (Lucent Warrior) was the mod of the malware hub; he (as I did) quit the staff of MT, and he removed most of those videos. It was a test about VS. The thread is still there.

    https://malwaretips.com/threads/voodooshield-beta-3-35-auto-pilot-mode.63092/

    With little mention of SmartScreen.


    Yes, I read that before, but I never tried this tool. Those vectors are covered by Win Defender (and you don't blindly run an executable from torrents or unknown removable devices :D).
    That's why I keep saying the built-in security features of Windows are complementary, and not supposed to be used separately (or disabled).

    Careless users will be infected whatever security software you give them; aware ones won't, even with just the built-in security of Win10. After all, malware devs profit from the careless and unsafe habits of users. Some I knew often wrapped their RAT in porn media, or in cracks/keygens of the most sought-after recently released games/software, because they know the people downloading them will run them at all costs. In fact, few make their malware specifically bypass the OS security; they want the user to bypass it.

    A long, long time ago I used a tool that checked my wrapped malware against all the engines on the market (without submitting it) to see if it was detected; if so, I had to obfuscate it better using other tools. Once it passed the test, I hoped the victim would run it and ignore the UAC/SmartScreen alerts; I wouldn't waste my time trying to bypass those features.

    Security forums' members are extremely paranoid and well aware of attack vectors, and they are a niche; malware writers focus on innocent people, mostly via social engineering; they are the targets.
     
    Last edited by a moderator: Jan 31, 2017
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Yes, this is normal. You have to run it as admin to obtain that data.
     
  4. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Friends don't let friends get infected. :)

    If people helped their loved ones with enabling the two policies I mentioned on page 1, then not even reckless users would end up in tears: https://www.wilderssecurity.com/thr...loads-to-improve-evasion.391559/#post-2648267
     
  5. guest

    guest Guest

    @Martin_C Exactly. When I visit my friends, I can't resist checking their computers; if they have Win10, I don't even bother installing security apps. :p

    What is funny is that after I set up their computer and wrote a small how-to list for surfing, downloading and executing unknown software, I never get their panicked calls about infections anymore ^^
     
  6. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @guest : Exactly. :)

    When using all the native security in Windows 10, the risk of becoming infected is smaller than the chance of winning the national lottery while simultaneously traveling across the country on a unicorn.

    It's great that Windows has evolved like this.
    Everybody wants to be productive when at work and have fun after work.
    Nobody wants to constantly fight their PC like in the past.
     
  7. guest

    guest Guest

    @Martin_C Exactly, you are right, but you know, security forums are filled with people like us, who like to be over-protected. We are kind of Don Quixotes fighting things that will surely never threaten us :D
    I don't deny that the native security in Windows 10 can be enhanced by 3rd party tools, but that doesn't mean they are useless or ineffective.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Exactly my point. I don't even care about UAC being bypassed by malware, because there is an easier way to bypass it, namely the user who knows it's perfectly normal to click on "yes", otherwise they can't run or install apps. Same goes for SmartScreen, but at least it's giving the user a hint that a certain app might be malicious.

    What the hell, I remember this from Win XP, it was so freaking annoying, I had to disable it with a registry tweak LOL. So basically it was the predecessor for SmartScreen. Like I said, I don't see the logic behind it. So first SS warns that some app is not in the white-list, after that Win Defender says the file is clean, and then you get presented with a UAC pop-up. No way, not on my machine.
     
  9. guest

    guest Guest

    @Rasheed187 Who cares what happens on your machine? Seriously, in a security forum we talk about the general use of software and features, not what is specific to one user (except for some diagnosis of an issue).
    If you want to brag about your uber-setup then open a blog, instead of bashing and misleading people about native security features which are efficient enough and easy to use for everyone willing to research a bit how they function.

    You don't understand UAC, so whatever...
     
    Last edited by a moderator: Feb 2, 2017
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Well apparently you care. I'm not saying that people shouldn't use native security features, it's up to them; however it's a lot smarter to use top quality security tools, that's what I'm saying. And a lot of people agree with me, even back in 2006 when Win Vista was launched LOL. Also, Win Defender is getting better, but is still outperformed by other AVs. But apparently you can't accept this.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    More like Chicken Little telling Turkey Lurky and Ducky Wucky that the sky is falling in.

    Pertaining to Microsoft, it has been and is the use of newspeak as noted in '1984.'

    My bad, I said I wasn't going to comment anymore ........
     
  12. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Can we please stop this silly back and forth argument? It serves no purpose and must be confusing for those that are new to internet security and are trying to learn something.

    The reason some views are given is due to one's own experiences. It doesn't mean you're right and the other person is wrong. If your system is set up the way it is and works for you, so be it. Yes, we can all learn from others' experiences, but it doesn't help when opinions are shot down.

    Many home users don't know much about the kind of security we talk about let alone read forums like this. For that group of people we can only advise them based on our experiences and their own computing habits.

    Regarding anti-malware product tests, I think we must remember they are all done under certain conditions in a laboratory and don't reflect every scenario and system configuration possible. As has been said, some settings are even disabled during tests when, in fact, using complementary protections works best for an overall result. Isn't this what we term a layered approach to computer security? If certain protections are turned off, surely there's no overall benefit.

    The other thing to consider is that there are users who admit to not using any real-time anti-malware product at all and yet they remain uninfected by malware. That may be due to how they go about their day-to-day activities online, but it speaks volumes. On the other side of the coin, you have users who add so many security apps it's hard to see the wood for the trees.

    I hope to see in threads like this a fairer, more constructive and meaningful discussion about how things work and why certain things are done the way they are, such as in the tests that we routinely talk about.
     
    Last edited: Feb 2, 2017
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes correct, that's exactly what I'm doing, my posts are based on my own experiences, but certain people can't accept certain facts. Take guest, he refuses to accept the fact that it's quite easy to stay safe without stuff like Windows SmartScreen and UAC. If people like to use these tools, then who cares? But if people are annoyed with it, turn the thing off, and rely on third party security tools. And again, in my own experience it's best to secure "average users" with tools that make the decisions for them. With that I mean that malware should be auto-blocked.
     
  14. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    There was really no need to call him out on this as it's just prolonging the argument. You should also be able to accept the other scenario that it is possible to stay safe with Windows Defender, SmartScreen and UAC. Many do but it isn't for everyone.

    Both points of view are valid based on each of your experiences. The more tactful way would be to agree to disagree, and move on.
     
  15. guest

    guest Guest

    It is all I meant, thx.

    I always agreed that you can be safe with 3rd party apps, I never denied it; however I disagreed that native security features are useless because you have 3rd party apps. This is misleading and dangerous to say in a forum frequented by beginners looking for information. I always talked about general usage, not specific usage on a specific system.

    Anyway I won't continue this discussion with him.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes I agree, I accept this scenario, you can even stay safe without any security tools, that isn't the point.

    I already explained that on my system they are useless because of my third party security tools. Also, just because I say UAC is crap (on a single user machine) and some security tool sucks, doesn't mean people will all of a sudden decide not to use them, let's cut with this "misleading and dangerous to say" stuff. I even explained why I don't believe that Win SmartScreen and UAC are good enough to secure people, it's because they don't auto-block apps/malware.
     
  17. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    Please accept that other members on this forum are allowed to discuss Windows mechanisms without seeing the threads derailed.
    No members or outside users passing through benefit from calm threads about Windows internals repeatedly being filled with arguing between one person who finds their interest annoying and everyone else in the thread having to defend their interest.
    A forum filled with threads that hold 20 useful on-topic posts hidden among 20 pages of off-topic arguing, and a final post from a moderator that yet another thread is closed, is not helping anyone seeking answers.

    Let's keep the thread on topic. :)
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes I agree with this. But anyway, what do you think about my idea to switch to a white-listing system? With that I mean, if Win SmartScreen (Win SS) says the file is "unrecognized" it can't be run at all? When you think about it, you wouldn't even need an AV anymore. Is that perhaps the future of Windows? To clarify, I'm not saying I would approve of this idea.
     
  19. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Actually I think that is a great idea. Application whitelisting is crucial these days and having a large reputation system such as Microsoft's userbase would be greatly beneficial. However, I don't think your idea should necessarily be default for all setups. I think it would be a great option to enable for large organizations wanting to lock down their systems but also power users as well. So an option to enable via group policy and/or registry would be awesome.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Yes correct, because I think a lot of people would complain about not being able to install software that's not listed in a central "Windows Store". But it would help to secure "average users", because currently Win SmartScreen is basically telling people that some app "might not be safe", and Win Defender doesn't offer important features like behavioral monitoring that can tackle exploits and popular malware like banking trojans and ransomware, so it's not good enough.
     