Very interesting fileless malware testing

Discussion in 'other anti-malware software' started by aigle, Dec 24, 2014.

  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    This is the second part of some very interesting testing of mine with fileless malware.

    https://www.wilderssecurity.com/threads/fileless-malware-detection.370944/

    I made a new thread as this malware, though fileless, is a bit different and deserves a separate thread.

    Poweliks is a very interesting fileless malware. It comes via exploits. I will say it is semi-fileless
    as contrary to real fileless malware it does write to the disk but only in the registry.
    It is body-less. It hides itself as a dll in the registry and adds an auto-start reg
    entry as well.

    http://blog.trendmicro.com/trendlab...e/poweliks-malware-hides-in-windows-registry/

    http://blog.trendmicro.com/trendlab...eliks-levels-up-with-new-autostart-mechanism/

    https://twitter.com/kafeine/status/515527952059351040/photo/1

    http://kb.eset.com/esetkb/index?page=content&id=SOLN3587
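    A defender-side check in the spirit of this post, added here as an example and not code from the thread or from any of the vendors named in it: it walks the usual Run/RunOnce autostart keys and flags entries whose command does not resolve to a file on disk (the body-less case), whose value name contains control characters, or whose command hands execution to a trusted Windows host binary. The key list, the host-binary list and the heuristics are my assumptions, not anything the thread states.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell / PowerShell 7 on Windows;
# the key list, the host-binary list and the heuristics below are assumptions.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Trusted Windows binaries that a registry-resident payload can be handed to (assumed list).
$hostLaunchers = 'rundll32|regsvr32|mshta|wscript|cscript|powershell'
function Test-OnDisk {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    if (Test-Path -LiteralPath $Path) { return $true }
    # Bare names such as rundll32.exe resolve through PATH.
    return [bool](Get-Command -Name $Path -CommandType Application -ErrorAction SilentlyContinue)
}
function Get-CommandPath {
    # Pull the program path out of an autostart command line.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    # Unquoted paths may contain spaces: keep the longest space-delimited prefix that exists.
    $tokens = $cmd -split ' '
    for ($i = $tokens.Count; $i -ge 1; $i--) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-OnDisk $candidate) { return $candidate }
    }
    return $tokens[0]
}
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($data)) { continue }
        $reasons = @()
        if ($name -match '[\x00-\x1F]') { $reasons += 'control characters in value name' }
        $exe = Get-CommandPath $data
        if (-not (Test-OnDisk $exe)) { $reasons += "no file on disk: $exe" }
        if ($data -match "(?i)\b($hostLaunchers)(\.exe)?\b") { $reasons += 'runs a trusted host binary' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Key = $key; Name = $name; Data = $data; Reasons = ($reasons -join '; ') }
        }
    }
}
```

    Each flagged entry is emitted as an object, so the output can be piped to Format-Table or exported for comparison against a known-good baseline.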
     
  2. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan

    Attached Files: 0.jpg, est.jpg
    Last edited: Dec 24, 2014
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    MBAE- passed as it stops the exploit that is the entry gate for the malware.
     

  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    EMET 4.1 - passed as it stops the exploit that is the entry gate for the malware
     

    Last edited: Dec 24, 2014
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    GesWall- passed. Malware was contained and system was clean.
     

  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Comodo Sandbox- Passed. Malware was contained and system was clean.
     

  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    SBIE- Passed. Malware could not be started and system was clean.
     

  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Comodo Defence Plus- Safe mode- failed. No pop up alerts, as the malware is loaded by safe applications. Comodo people at least should remove internet facing applications from the trusted list or make it optional.

    Comodo Defence Plus- Paranoid mode- passed as it will detect reg changes by trusted processes, but it is very difficult for a user to guess if these alerts are malicious or benign. Moreover Defence Plus is almost unusable in paranoid mode.

    Comodo cloud and viruscope- no alerts.
     

  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I also ran some scanners on the infected system.

    Comodo Cleaning Essentials- no detection
    Emsisoft Emergency Files- no detection
    MBAM-No detection
    Hitman Pro- Detected the malware.
     

    Last edited: Dec 24, 2014
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    PS: please don't ask me to test any special software as I will not be able to do so. I am really sorry for that but I will be too busy for a couple of months. Just remember, most HIPS without registry protection will fail. HIPS with reg protection might pass but it is user dependent. Anti-exploits will mostly pass. Sandboxes will mostly pass as well.

    Finally, about scanners, I don't trust signature based scanners.
     
    Last edited: Dec 24, 2014
  11. DX2

    DX2 Guest

    Very good reports, thanks for the info.
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,089
    Thank you for testing and sharing results.
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    OK so sandboxing and anti-exploit both stopped it, no surprise here. Thanks for the test.
     
  14. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Pardon me for nitpicking, but as Poweliks is not directly related to what exploit was used, it is not guaranteed anti-exploit can always stop this. However in this particular case, every AV with strong NIPS will also block this.

    BTW, for me anti-exploit is not fundamentally different from a signature-based approach (kind of behavior sigs on memory space). IMO, the only 2 really proactive approaches would be HIPS and reputation-based detection (aka Content Agnostic Malware Protection), though it doesn't mean they can't be bypassed nor that they don't need updates. Well, I suppose DEP & ASLR could be called proactive as nearly all exploits have to bypass them, while most other anti-exploit mitigations focus on a specific technique which might not be used in future exploits.
    Other approaches are more or less reactive, but the key is they are generic. In this regard, it's a matter of quantity rather than quality. The meaning of signature changed long ago and now the main role is in generic sigs, IPS sigs, and behavior sigs that are more or less generic and actually stop most of the threats common users come across.
     
  15. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe
    Nice to see that the discontinued GesWall (a good program!) works again.
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It was the lightest yet very strong sandbox. Really sad to see it dead just because the company died itself. It must have been easy to modify to make it work on Win 8 and 10.
     
  17. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Thanks for testing SBIE, aigle:cool:.

    Bo
     
  18. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It was sure due. The only living, prospering and breathing sandbox so far. I am afraid to see it dying one day too.
     
  19. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    I am really happy with what I have seen from Invincea. I am glad Tzuk sold Sandboxie to them and not to someone else.:)

    Bo
     
  20. guest

    guest Guest

    I don't quite agree with you.
    Yes, any exploit mitigation tool checks for certain conditions to determine whether an application is being exploited, but afaik this does not happen based on a giant list of signatures.

    Let me write down an example to clarify that certain techniques will still be used in the future: In almost all the exploits targeting heap/integer overflows and use-after-free vulns the attacker has control over data on the heap. In order to execute a ROP chain and a piece of shellcode an attacker has to replace ESP/RSP with a location that he is able to control (stack pivoting). This will be noticed by EMET/HMPA/MBAE due to the fact that certain critical functions will eventually be called while the value of ESP is not within the stack boundaries defined in the TEB.
     
  21. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I think you misunderstand me. Firstly I didn't mean malware signatures, but behavior signatures. A behavior signature just describes a certain pattern of action, thus can't be a giant list and doesn't need frequent updates, as malware's behavior doesn't change quickly while the malware itself does. Also note I said "fundamentally".

    I also think some mitigations will still make sense against future exploits, however, e.g. there're some ways to bypass DEP w/out ROP or alike. Stack pivoting is not always needed or available, and though it is on Linux, the so called Return-to-vuln (repeatedly abuse the same vuln) attack can be used instead of stack pivoting when LEAVE is not in the executable. And as you know, some ROP alike attacks don't care about caller checks. A proactive solution can be bypassed, but should be one that nearly all exploits have to bypass to succeed regardless of what technique is used. But to be honest, I'm not so sure about my def of the word proactive.

    Well, I have to add sandbox to proactive protection too. HIPS and sandbox are proactive because they don't care whether an action pattern is good or bad, or whether it matches a signature. CAMP is proactive because it doesn't care if a file is similar to malware or not, or if it shows suspicious behavior.
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi aigle,

    Nice testing (as usual!).

    It reminds me of some years ago when you tested 8 products against the old MS06-014 (MDAC) exploit.

    ----
    rich
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks.
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    avast sandbox passed.
     

  25. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have requested more malware traffic files from kafeine at kernelmodoinfo. If I get these, I might test more of the fileless malware. So far I am just waiting.
     