pallino, posted December 11, 2017: Hello Emsisoft Team, what do you think of the "Process Doppelgänging" attack? Does Emsisoft's behavior blocker protect from this or, if not, will it soon? https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf Thank you
GT500, posted December 12, 2017: 22 hours ago, pallino said: what do you think of the "Process Doppelgänging" Attack? The kind of people making malware don't have the knowledge of the undocumented internal workings of Windows to be able to pull it off. At least not without someone making them a working example that they can repurpose (sort of like criminals repurposed the NSA's code for exploiting EternalBlue so that they could spread malware with it). So far what I've seen is the presentation you linked to, where there are some very basic code examples that analysts and researchers would understand, but not enough that someone could make a working example without knowing what they are doing and putting some real effort into it. 22 hours ago, pallino said: Does Emsisoft's behavior blocker protect from this or, if not, will it soon? I'm not aware of any working code examples that we could actually test this with. Our Behavior Blocker does have support for detecting and blocking fileless malware; however, for pretty much everyone but the team who discovered and documented it, this really only exists in theory (and will almost certainly stay that way).
pallino (thread author), posted December 12, 2017: More info should be available at https://blog.ensilo.com/webinar-process-doppelganging-blocked-by-ensilo Arthur, I think you are right, but I also believe that expert malware writers, e.g. APT groups/nation-sponsored groups, will "soon" understand this attack and use it. I hope Emsi will be ready for this and that nobody will make malware writers' work easier by releasing a POC! Can Emsi scan a file while it's in transaction? Thank you
GT500, posted December 12, 2017: 2 hours ago, pallino said: ... also believe that expert malware writer,e.g. APT groups/Nation sponsored groups, will "soon" understand this attack and use it. That depends on how feasible such an attack is. Even someone who knows what they are doing is going to stick to things that are easier to pull off, simply because it means they can do it faster. 2 hours ago, pallino said: Can Emsi scan a file while it's in transaction? I assume you mean while it's in the process of being downloaded? If so, the answer is "no". The scanner can't make a determination as to what the file is until it has the entire file to scan.