pallino 4 Report post Posted December 11, 2017 Hello Emsisoft Team, what do you think of the "Process Doppelgänging" Attack? Does Emsisoft's behavior blocker protect from this or, if not, will it soon? https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf thank you Quote Share this post Link to post Share on other sites
GT500 823 Report post Posted December 12, 2017 22 hours ago, pallino said: what do you think of the "Process Doppelgänging" Attack? The kind of people making malware don't have the knowledge of the undocumented internal workings of Windows to be able to pull it off. At least not without someone making them a working example that they can repurpose (sort of like criminals repurposed the NSA's code for exploiting EternalBlue so that they could spread malware with it). So far what I've seen is the presentation you linked to where there are some very basic code examples that analysts and researchers would understand, but not enough that someone could make a working example without know what they are doing and putting some real effort into it. 22 hours ago, pallino said: Does Emsisoft's behavior blocker protect from this or, if not, will it soon? I'm not aware of any working code examples that we could actually test this with. Our Behavior Blocker does have support for detecting and blocking fileless malware, however for pretty much everyone but the team who discovered and documented it this really only exists in theory (and will almost certainly stay that way). Quote Share this post Link to post Share on other sites
pallino 4 Report post Posted December 12, 2017 More Infos should be available at https://blog.ensilo.com/webinar-process-doppelganging-blocked-by-ensilo Arthur, I think you are right but also believe that expert malware writer,e.g. APT groups/Nation sponsored groups, will "soon" understand this attack and use it. I hope Emsi will be ready for this and that nobody will make malware writer's work easier by releasing a POC! Can Emsi scan a file while it's in transaction? Thank you Quote Share this post Link to post Share on other sites
GT500 823 Report post Posted December 12, 2017 2 hours ago, pallino said: ... also believe that expert malware writer,e.g. APT groups/Nation sponsored groups, will "soon" understand this attack and use it. That depends on how feasible such an attack is. Even someone who knows what they are doing is going to stick to things that are easier to pull off, simply because it means they can do it faster. 2 hours ago, pallino said: Can Emsi scan a file while it's in transaction? I assume you mean while it's in the process of being downloaded? If so, the answer is "no". The scanner can't make a determination as to what the file is until it has the entire file to scan. Quote Share this post Link to post Share on other sites
