hjlbx

Possible Malware Use of Behavior Blocker "Allowed" App - Question

Hello,

This is a question I've been meaning to ask, but I have not been sure how to ask it.

If I don't know, I just don't know... and the only way I'm going to learn is by asking for help.

I have a very limited understanding of how malware works. I do know that there are many types of "infection" mechanisms. I also know that malware can only use those processes that are capable of performing its intended malicious handiwork. For example, a malicious program cannot make a text file download from the internet but, as I understand it, it can use the host application that created that text file to perform various actions within the limits of its functionality. If this is all wrong, then please point out my misunderstanding(s).

OK, so here we go.

My question relates to applications that have been assigned an "Allowed all" Behavior Blocker rule set.

Is there any possibility that malware can "hijack" an application that is allowed all behaviors by the Behavior Blocker, thereby forcing the trusted/safe application to perform malicious actions?

Is it not more secure to assign Custom monitoring in the Behavior Blocker rules and then allow only those behaviors that are absolutely critical for the normal function of safe/trusted applications? (Same concept as Limited User Access/Drop My Rights.)

I am only looking for a general answer... so as to use the most secure method of assigning Behavior Blocker monitoring rules.

Thanks,

hjlbx

 

 


Yes, from what I know malware can hijack a program. This is mostly related to exploits and other forms of program leaks, in which they will try to use the application to perform its malicious behavior to avoid detection, and this method does prove to be efficient. But the best way to avoid this problem is just to keep your system up to date, as well as other programs like Java and Flash Player, and to have a good AV and firewall solution that can help block these threats as well. But mostly we as the end-user have to apply common sense when browsing online; if there's one thing an AV can't fix, it's the end-user. We are the ones who make that click online.

In regards to your next question, it really depends on the level of expertise you have in technologies like HIPS and Behavior Blocking. If you're an amateur I would recommend keeping the default rules, as these are set by experts and work pretty efficiently to detect zero-day malware. And from my experience with Emsisoft, it has one of the best Behavior Blockers I've seen, as well as their combination with their anti-malware network, which helps draw decisions on a suspicious file. However, if you are an expert and know how to create rules for the Behavior Blocker, it's up to you if you want to make the changes, if you feel they are better than the current rules that they have set.

Best Regards,

JulioM7


In theory malware can use trusted applications to do things it wouldn't be able to under normal circumstances. There are two possibilities of how this can happen:

  • Windows actually allows processes to interact with each other. These interactions do include sending keyboard strokes to them or even injecting code into them. All these techniques are covered by the behavior blocker already. So they are fully mitigated.
  • The other possibility is that the trusted application is somehow vulnerable. It may blindly load code from untrusted locations or it may contain a bug that can be exploited in a way that leads to code execution. This isn't mitigated at the moment and we are working on various improvements to help mitigate these attacks in the future.

Whether or not it is worth fine-tuning rules is debatable. An argument could be made that just allowing one action but not others is enough to eventually fully compromise the system, so it boils down to whether or not the extra time spent on maintaining the rules is worth slowing a potential attacker down a bit.


Hello Fabian,

1. Covered by Behavior Blocker

2. Keep software up-to-date

Simple.

Thank You,

hjlbx

PS - The Behavior Blocker does virtually all of the work when you set the monitoring to "Custom," depending upon how I respond to the alerts.

However, that brings up another situation. Setting rules to Custom monitoring would result in many alerts. Correct?


Hello Fabian,

If I apply a BB Allow rule set, plus "Continue to monitor...", under what circumstances would the BB alert?

Thanks,

hjlbx


Maybe I misunderstand the original question, but:

  For example, a malicious program cannot make a text file download from the internet but, as I understand it,
  it can use the host application that created that text file to perform various actions within the limits of its functionality.

a) a malicious program (just like a non-malicious program) surely CAN download any file from elsewhere.

b) text files can be created by many applications; any program written in pretty much any programming language can create text files. No malware programme would need to use "the host application that created that text file" to do things to that text file.


a) a malicious program (just like a non-malicious program) surely CAN download any file from elsewhere

Sure it can, but it will draw suspicion to itself, which is why malware nowadays tries to inject its code into other processes so they don't show up in your firewall protocols or the task manager, which is what this entire thread was about.


Sure it can, but it will draw suspicion to itself, which is why malware nowadays tries to inject its code into other processes so they don't show up in your firewall protocols or the task manager, which is what this entire thread was about.

Talking about injections: a long time ago I got infected by a Wapomi variant. Making a quick analysis, I found that it uses the svchost process (runs inside it), which is used by other applications, so the question is...

For you to understand me, let's talk about an already infected system or a non-detected sample. Let's say that an update includes the detection... so will EAM detect the infected file if it is running inside another process like svchost??


For you to understand me, let's talk about an already infected system or a non-detected sample. Let's say that an update includes the detection... so will EAM detect the infected file if it is running inside another process like svchost??

No, because after the injection is done and the malware process has terminated, there is no link between the injected code within svchost and the process that originally injected it. Meaning if the infected file is truly undetected, you will have to find and remove the malware file manually.


No, because after the injection is done and the malware process has terminated, there is no link between the injected code within svchost and the process that originally injected it. Meaning if the infected file is truly undetected, you will have to find and remove the malware file manually.

Umm, I did a quick view of the processes that were running under svchost with the command tasklist /svc and the malicious file was listed. I don't really know how the svchost process works, and I understand that Wapomi is an ancient virus... I was testing ESET's capabilities at that time... I infected the system and then turned on all guards. ESET started to disinfect the exe files and detected that a program was doing something via svchost. It was like "operating memory>>svchost>>wapomi.exe" but it was not able to delete or block it. So my question is that one... in the same scenario will EAM detect that? Sorry if you feel I am asking the same thing.

And due to the fact that svchost.exe is a Windows file (and shall be trusted, I think), will the BB alert if something weird happens?


If you are referring to a specific infection, can you please share the sample? Makes it a lot easier to talk about specifics.

Ummm, that was ages ago (that machine is now destroyed) xD. I was just asking... that being said, in that scenario how will Emsi react??? I have Wapomi samples but due to the variants... I can not really tell if those samples will behave the same way as I mentioned above.


Ummm, that was ages ago (that machine is now destroyed) xD. I was just asking... that being said, in that scenario how will Emsi react??? I have Wapomi samples but due to the variants... I can not really tell if those samples will behave the same way as I mentioned above.

We don't even know what the scenario is, because we don't have a sample. In general from what you told me no actual injection was taking place. Instead the malware just created a shared process service. In that case, we would have detected it just fine. But again, that's just speculation without the sample.

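Fabian's distinction above (a service registered to run inside a shared svchost.exe host, as opposed to code injected into a running svchost) is something a defender can audit directly. The following PowerShell is an added example, not from this thread or from Emsisoft: it lists every service whose host is svchost.exe, resolves the ServiceDll each one loads from the registry, and flags DLLs that live outside the Windows directory or lack a valid Authenticode/catalog signature. The function name Get-SvchostServiceAudit is the example's own.

```powershell
# Added example (not from the thread or from Emsisoft): audit every service that is
# registered to run inside a shared svchost.exe host, the "shared process service"
# case mentioned in the thread, as opposed to code injected into a running svchost.
# Run from an elevated PowerShell prompt.
function Get-SvchostServiceAudit {
    $winDir = [System.Environment]::GetFolderPath('Windows')

    # Services whose ImagePath is svchost.exe run as a DLL inside a host process
    # selected by the "-k <group>" argument on the service command line.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match '\\svchost\.exe' } |
        ForEach-Object {
            $svc = $_
            # The DLL the Service Control Manager loads for this service is recorded
            # under the service's Parameters\ServiceDll registry value.
            $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if (-not $dll) { $dll = '<no ServiceDll>' }
            $dllPath = [System.Environment]::ExpandEnvironmentVariables($dll)

            $inWindows = $dllPath.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)
            $sigStatus = 'NotFound'
            if (Test-Path -LiteralPath $dllPath) {
                # Covers both embedded Authenticode and catalog-signed Windows files.
                $sigStatus = (Get-AuthenticodeSignature -FilePath $dllPath).Status
            }

            # "Suspicious" is a heuristic triage flag, not a verdict: legitimate
            # third-party services can live outside the Windows directory too.
            [PSCustomObject]@{
                Service    = $svc.Name
                ProcessId  = $svc.ProcessId
                State      = $svc.State
                ServiceDll = $dllPath
                Signature  = $sigStatus
                Suspicious = (-not $inWindows) -or ("$sigStatus" -ne 'Valid')
            }
        }
}

# Suspicious entries first; review those by hand, or share the file with the vendor.
Get-SvchostServiceAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Compare the ProcessId column against `tasklist /svc` to see which services share a host; a flagged DLL in a host that also runs built-in Windows services is the case worth investigating first.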

In theory malware can use trusted applications to do things it wouldn't be able to under normal circumstances. There are two possibilities of how this can happen:

  • Windows actually allows processes to interact with each other. These interactions do include sending keyboard strokes to them or even injecting code into them. All these techniques are covered by the behavior blocker already. So they are fully mitigated.
  • The other possibility is that the trusted application is somehow vulnerable. It may blindly load code from untrusted locations or it may contain a bug that can be exploited in a way that leads to code execution. This isn't mitigated at the moment and we are working on various improvements to help mitigate these attacks in the future.

Whether or not it is worth fine-tuning rules is debatable. An argument could be made that just allowing one action but not others is enough to eventually fully compromise the system, so it boils down to whether or not the extra time spent on maintaining the rules is worth slowing a potential attacker down a bit.

Hi all,

Was point 2 improved/covered in the new Emsi 10? If not, any idea when?

What changed or will change?

I just saw this "short test"; is this something related to point 1 or 2 above?

http://malwaretips.com/threads/emsisoft-anti-malware-10-vs-zero-day-scriptor.46540/

Thank you


Cruelsister1 never shared her POC with us. So your guess is as good as mine of what it does. Other than that we will announce changes when we think they are ready.
