The rise of .NET and Powershell malware

Discussion in 'malware problems & news' started by Dermot7, Oct 12, 2015.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Seriously, sometimes I think that Windows is actually designed specifically for malware, there are so many attack vectors. And you can't expect a HIPS to lock everything down, because you want to have a balance between security and usability. Perhaps there should be a Windows Lite version, where certain attacks are simply not possible.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Sounds to me it operates a lot like Comodo's Defense+. Sandboxing is also incorporated into behavior blockers and advanced heuristics scanning.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I believe the Comodo sandbox is a bit more advanced. Like I said, SS will strip admin rights even from apps running in high integrity, and will block write access to most folders. I believe it will also auto block most behaviors. But I rather run apps virtualized.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Here is an example of the power of .Net apps.

    A program commonly used by Wilders members is PrivaZer. It uses .Net, ver. 2 nonetheless? Anyone familiar with this program knows it can access and delete files and registry areas at will. Also, I never once received any HIPS alert about its activities until I started monitoring .Net executables, csc.exe and mscorsvw.exe.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Sounds ridiculous to me. To be honest, I don't have any illusions about HIPS being able to protect my system when faced with advanced malware. Most likely HIPS will fail, but they will hopefully be able to at least partially protect the system.
     
  6. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    766
    I used to get triggers from SpyShelter whenever PrivaZer ran a full clean and scan. I also had constructed a list of NVT-ERP command lines to whitelist during a PrivaZer scan/clean. It's been about a month since I uninstalled PrivaZer; not sure if I want to ditch CCleaner...
     
  7. Just block that dll with EMET's ASR protection to protect your Office applications (word, powerpoint, excel and outlook).
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Don't follow you on this one. The .dll could be created in and executed from any directory. It does not have to reside in %AppData%/Temp or %Windows%/Temp.

    Also, the malware is a C# program using Win APIs to access PowerShell assemblies to run a PowerShell .dll, or C# APIs to access .Net to run a .Net .dll. This has nothing to do with any Office app?
     
    Last edited: Jan 3, 2016
  9. Just add those DLLs in ASR protection of EMET with any rich content application. EMET will block the loading of that DLL, no matter where it is located.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    The issue is not blocking the execution of System.Management.Automation.dll from legit apps. The issue is blocking its execution from an unknown malware C# app that might land on your PC.

    In EMET, you have to define an app to have it protected. This type of malware does not have to be injected into explorer.exe, browsers, or other processes. It can run as a stand-alone process. Additionally, the PowerShell .dll could be statically linked into the C# binary so there is no dynamic linking to detect. If the malware was delivered via exploit and memory injected into another process, EMET probably wouldn't detect even that.
     
    Last edited: Jan 4, 2016
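    An added example, not posted by anyone in this thread: a PowerShell hunting script for the case itman describes, a stand-alone process that is not powershell.exe but has the PowerShell engine DLL (System.Management.Automation.dll or its NGEN image) loaded. The $KnownHosts list and the output column names are my own assumptions; run it from an elevated prompt, since module lists of other users' or protected processes cannot be read otherwise.

```powershell
# Added example (not from the thread): list processes that host the
# PowerShell engine and flag those that are not a known PowerShell host.
# Processes whose module list cannot be read (protected, other session,
# not elevated) are skipped rather than reported.

# Assumed list of hosts that legitimately load the engine; extend for your site.
$KnownHosts = @('powershell', 'powershell_ise', 'pwsh', 'wsmprovhost', 'sdiagnhost')

function Get-PowerShellEngineHost {
    [CmdletBinding()]
    param()
    foreach ($proc in Get-Process) {
        try {
            # Reading .Modules throws for processes we lack rights to inspect
            $mods = $proc.Modules
        } catch {
            continue
        }
        # Matches System.Management.Automation.dll and the NGEN'd
        # System.Management.Automation.ni.dll
        $engine = $mods | Where-Object {
            $_.ModuleName -like 'System.Management.Automation*.dll'
        } | Select-Object -First 1
        if (-not $engine) { continue }

        [pscustomobject]@{
            ProcessName = $proc.ProcessName
            PID         = $proc.Id
            Path        = $proc.Path
            EnginePath  = $engine.FileName
            Suspicious  = ($KnownHosts -notcontains $proc.ProcessName.ToLower())
        }
    }
}

# Show the unexpected hosts first, then everything else
Get-PowerShellEngineHost | Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize
```

    A binary with the engine statically merged, as itman notes, shows no separate module and will not appear here; that case needs script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational) or process-creation telemetry instead.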
  11. @itman

    I know, the stupid thing about C# DLLs is that they are not blocked by SRP etc., because they only require read access. Based on the quote and link provided by Rmus in post #5, I suggested blocking the DLL you mentioned in rich content programs, assuming that execution of a stand-alone executable using this DLL outside UAC-protected folders is blocked by a deny-execute policy/anti-executable countermeasure.


     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Interesting bypass of McAfee Application Control whitelisting POC here: ~Link removed~

    Note that multiple methods are given in this POC.
     
    Last edited by a moderator: Jan 4, 2016
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,876
    Location:
    Texas
    Members, do not post links to possible bypasses of security software and links to possible malware.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    This "tidbit" below galls me to no end. Microsoft knows they have a problem with Powershell. They addressed it in WIN 10 with Device Guard which is only available for the Enterprise version. Note the text in bold:

    Device Guard introduces signing of Windows Script Host scripts, as well as PowerShell, to prevent malicious use. Unsigned PowerShell scripts are blocked and PowerShell itself is run in "constrained mode" which prevents it from executing arbitrary code via .NET scripting, COM interface, WinAPI, etc.

    Ref.: http://www.malwaretech.com/2015/09/device-guard-beginning-of-end-for.html
    So as usual, Microsoft left their retail customers "to blow in the malware wind!" And "hell will freeze over" before Microsoft addresses the same issue in WIN 7 & 8.
     
    Last edited: Jan 5, 2016
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.