SANS Internet Storm Center

Is "2 out of 3" good enough for Anti-Malware?
One of my morning rituals is to take the last few malware samples I received in any of my inboxes and run them in a virtual machine to see if there is anything new. To be honest: There isn't much new that we haven't already written about. The sample is usually a zipped VBScript file that will download and run ransomware. But that isn't the only constant. The other constant is the inability of anti-malware to protect your system from these consistent attacks. The virtual machine runs a fully patched Windows 10 install, and home-user grade anti-malware. I would consider it a "well configured" average home user system. This morning, for example, I tried these three samples: 924936fb9f562dc08556bf0677a5d15c813eebde SCAN_20160915_241418570.zip c29dd0d1fe36b3891d685171683635c442d84c8d SCAN_20160915_3640961765775.zip 6213e371567b4620064933efa43e5ffdba455c65 SCAN_20160915_894622558880029.zip They all arrived in similar emails with a subject of "SCAN" . If you are paying attention of malware, you probably have seen e-mails like this for years with various attachments. Two of these samples were nicely detected by my anti-malware solution, and I wasn't even able to copy them to my virtual machine. But the third one, which isn't substantially different, made it past whatever signature was used to detect these generic JavaScript downloaders. Virustotal shows that some name-brand anti-malware solutions do not detect this particular sample: https://www.virustotal.com/en/file/8acb71453b9759a64eea060949ad87bae3d6f070b04daf2f70ed124b1a905399/analysis/ https://www.virustotal.com/en/file/f732887b200563bfdd89f516fc30139ea21e8adbd3280df3436c289bc154383a/analysis/ https://www.virustotal.com/en/file/a9b4a38e515ee10e1dc8eda13ac9abd8c11c0eece4ac1cb1c746015d17ff5a0c/analysis/ It also shows that all of these samples were rather "fresh" in that Virustotal had received them about 30 minutes ago, so around the time I had received them. Even if your anti-malware solution doesn't detect the downloader, there is still a chance that it will detect the malware that is downloaded by the JavaScript. This often leads to a false sense of security in that you will see, often multiple times, popups that your anti-malware solution did remove malicious code from your system. But these downloaders can be rather persistent. One sample I looked at yesterday took about 15 minutes, and about a dozen of "malware found" popups, until it finally downloaded a version of Locky that was not detected, and I ended up with another encrypted system. So what can you do? The less malware reaches the user, the better. Filter as much on mail servers and proxies as you can using generic filters ("zipped VBscripts" and the list. We talked about this before). Once you notice a possible infection, NEVER trust anti-malware to clean your system. It is probably best to shut down the system as soon as you notice "malware found" popups. This way, you MAY prevent the final successful install, and you may be able to save some of your files from being encrypted. Just like you should not rely on anti-malware: Blocklists of bad URLs and the like are just as bad (ours included). They will help you in hindsight to figure out who got infected yesterday (or an hour ago if they are good), but they will not consistently prevent exploitation. For example, here are the URLs that I think where used in the undetected sample (I didn't do a full analysis): (spaces added to protect readers.) bigfishcasting .com/ afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO delicefilm .com /afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO (this one has some reasonable recognition as a bad URL) keratin .sk/ afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO The issue with anti-malware missing the downloader, and then hoping that the downloaded malware will be detected, isn't new, and going back at least to the famous "WMF" incident more than 10 years ago, when anti-virus was suggested as a mitigation for the vulnerability, even though it didn't detect actual exploitation of the vulnerability but instead only the additional malware downloaded via the exploit. 10+ years later... not much changed. We are still making it too easy for the bad guys. --- Johannes B. Ullrich, Ph.D. STI\|Twitter\|LinkedIn I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022	Johannes 4347 Posts ISC Handler Sep 15th 2016
Thread locked Subscribe	Sep 15th 2016 5 years ago
Quote:The other constant is the inability of anti-malware to protect your system from these consistent attacks. AMEN! Despite this well-known inability, clowns^Wvendors like Microsoft still fail to give proper advice to their customers for the protection of their systems. See for example the current blog post https://blogs.technet.microsoft.com/mmpc/2016/09/13/msrt-september-2016-release-feature-prifou/	Anonymous
Quote	Sep 15th 2016 5 years ago
In order to be somewhat proactive, we track malicious e-mails that get marked as spam BUT that don't get stripped of their attachments because of the lack of signature. We execute the attachment within Cuckoo and blacklist any of the observed web behavior on the firewall and proxy. Not full-proof but helpful. Even though email gets marked as spam doesn't mean a user won't click on it.	Anonymous
Quote	Sep 15th 2016 5 years ago
correct. Users clicking on spam has caused some of the large high profile breaches.	Johannes 4347 Posts ISC Handler
Quote	Sep 15th 2016 5 years ago
Quote:The other constant is the inability of anti-malware to protect your system from these consistent attacks. This is an issue that our team struggles with when talking about endpoint protection strategy. Even if we change our EP solution, we're just trading one set of insecurities for another. The new gen of protection technologies like Cylance that claim to protect via pre-execution analysis, i.e not reactive and signature-based like most current products...Dr. J, are these any better as far as keeping malware off our systems?	Clifford 1 Posts
Quote	Sep 15th 2016 5 years ago
I personally think App/Process Whitelisting (not applocker, which MS has said is not intended for security use) along with traditional AV is one of the better ways to go for EP. Especially if you have the power to say "hey Word is deff needed in our Org but powershell executing from Word deff is not something legitimate".	Anonymous
Quote	Sep 15th 2016 5 years ago
"not applocker, which MS has said is not intended for security use" Do you have reference for that? We've been considering using applocker for whitelisting. John	John 88 Posts
Quote	Sep 16th 2016 5 years ago
Sadly no. It was at a conference with one of the Microsoft guys. Was brought up during a QA as well so I know it wasn't me hearing him incorrectly. It has been shown frequently that it is quite easy to bypass AppLocker. I suggest you follow Casey Smith on twitter (@subTee) if you don't already. Check-out something like Carbon Black Protection, which is bit9 re-branded, if you have the budget. Not saying AppLocker is useless but if you can afford Carbon Black I would go with that instead, easier administrative wise as well.	Anonymous
Quote	Sep 17th 2016 5 years ago
Quoting John:"not applocker, which MS has said is not intended for security use" Do you have reference for that? We've been considering using applocker for whitelisting. Go for it! While AppLocker or the older Software Restriction Policies constitute (like the braindead UAC) NO security boundaries, they rise the bar high enough to defend almost all malware. Don't forget to read Will Dormann's advice https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html as well as Stefan Kanthak's http://home.arcor.de/skanthak/SAFER.html	Anonymous
Quote	Sep 18th 2016 5 years ago

One of my morning rituals is to take the last few malware samples I received in any of my inboxes and run them in a virtual machine to see if there is anything new. To be honest: There isn't much new that we haven't already written about. The sample is usually a zipped VBScript file that will download and run ransomware. But that isn't the only constant. The other constant is the inability of anti-malware to protect your system from these consistent attacks.

The virtual machine runs a fully patched Windows 10 install, and home-user grade anti-malware. I would consider it a "well configured" average home user system.

This morning, for example, I tried these three samples:

924936fb9f562dc08556bf0677a5d15c813eebde SCAN_20160915_241418570.zip
c29dd0d1fe36b3891d685171683635c442d84c8d SCAN_20160915_3640961765775.zip
6213e371567b4620064933efa43e5ffdba455c65 SCAN_20160915_894622558880029.zip

They all arrived in similar emails with a subject of "SCAN" .

If you are paying attention of malware, you probably have seen e-mails like this for years with various attachments.

Two of these samples were nicely detected by my anti-malware solution, and I wasn't even able to copy them to my virtual machine. But the third one, which isn't substantially different, made it past whatever signature was used to detect these generic JavaScript downloaders.

Virustotal shows that some name-brand anti-malware solutions do not detect this particular sample:

https://www.virustotal.com/en/file/8acb71453b9759a64eea060949ad87bae3d6f070b04daf2f70ed124b1a905399/analysis/
https://www.virustotal.com/en/file/f732887b200563bfdd89f516fc30139ea21e8adbd3280df3436c289bc154383a/analysis/
https://www.virustotal.com/en/file/a9b4a38e515ee10e1dc8eda13ac9abd8c11c0eece4ac1cb1c746015d17ff5a0c/analysis/

It also shows that all of these samples were rather "fresh" in that Virustotal had received them about 30 minutes ago, so around the time I had received them.

Even if your anti-malware solution doesn't detect the downloader, there is still a chance that it will detect the malware that is downloaded by the JavaScript. This often leads to a false sense of security in that you will see, often multiple times, popups that your anti-malware solution did remove malicious code from your system. But these downloaders can be rather persistent. One sample I looked at yesterday took about 15 minutes, and about a dozen of "malware found" popups, until it finally downloaded a version of Locky that was not detected, and I ended up with another encrypted system.

So what can you do?

The less malware reaches the user, the better. Filter as much on mail servers and proxies as you can using generic filters ("zipped VBscripts" and the list. We talked about this before).
Once you notice a possible infection, NEVER trust anti-malware to clean your system. It is probably best to shut down the system as soon as you notice "malware found" popups. This way, you MAY prevent the final successful install, and you may be able to save some of your files from being encrypted.
Just like you should not rely on anti-malware: Blocklists of bad URLs and the like are just as bad (ours included). They will help you in hindsight to figure out who got infected yesterday (or an hour ago if they are good), but they will not consistently prevent exploitation.

For example, here are the URLs that I think where used in the undetected sample (I didn't do a full analysis):

(spaces added to protect readers.)

bigfishcasting .com/ afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO
delicefilm .com /afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO (this one has some reasonable recognition as a bad URL)
keratin .sk/ afdIJGY8766gyu?YJRTHAigKa=sLUfGQkQRhO

The issue with anti-malware missing the downloader, and then hoping that the downloaded malware will be detected, isn't new, and going back at least to the famous "WMF" incident more than 10 years ago, when anti-virus was suggested as a mitigation for the vulnerability, even though it didn't detect actual exploitation of the vulnerability but instead only the additional malware downloaded via the exploit. 10+ years later... not much changed. We are still making it too easy for the bad guys.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Intrusion Detection In-Depth - SANS Doha March 2022

Johannes

4347 Posts
ISC Handler

Sep 15th 2016

Quote:The other constant is the inability of anti-malware to protect your system from these consistent attacks.

AMEN!
Despite this well-known inability, clowns^Wvendors like Microsoft still fail to give proper advice to their customers for the protection of their systems.
See for example the current blog post https://blogs.technet.microsoft.com/mmpc/2016/09/13/msrt-september-2016-release-feature-prifou/

Anonymous

In order to be somewhat proactive, we track malicious e-mails that get marked as spam BUT that don't get stripped of their attachments because of the lack of signature. We execute the attachment within Cuckoo and blacklist any of the observed web behavior on the firewall and proxy. Not full-proof but helpful. Even though email gets marked as spam doesn't mean a user won't click on it.

Anonymous

correct. Users clicking on spam has caused some of the large high profile breaches.

Johannes

4347 Posts
ISC Handler

Quote:The other constant is the inability of anti-malware to protect your system from these consistent attacks.

This is an issue that our team struggles with when talking about endpoint protection strategy. Even if we change our EP solution, we're just trading one set of insecurities for another. The new gen of protection technologies like Cylance that claim to protect via pre-execution analysis, i.e not reactive and signature-based like most current products...Dr. J, are these any better as far as keeping malware off our systems?

Clifford

1 Posts

I personally think App/Process Whitelisting (not applocker, which MS has said is not intended for security use) along with traditional AV is one of the better ways to go for EP. Especially if you have the power to say "hey Word is deff needed in our Org but powershell executing from Word deff is not something legitimate".

Anonymous

"not applocker, which MS has said is not intended for security use"

Do you have reference for that? We've been considering using applocker for whitelisting.

John

John

88 Posts

Sadly no. It was at a conference with one of the Microsoft guys. Was brought up during a QA as well so I know it wasn't me hearing him incorrectly. It has been shown frequently that it is quite easy to bypass AppLocker. I suggest you follow Casey Smith on twitter (@subTee) if you don't already. Check-out something like Carbon Black Protection, which is bit9 re-branded, if you have the budget. Not saying AppLocker is useless but if you can afford Carbon Black I would go with that instead, easier administrative wise as well.

Anonymous

Quoting John:"not applocker, which MS has said is not intended for security use"

Do you have reference for that? We've been considering using applocker for whitelisting.

Go for it!
While AppLocker or the older Software Restriction Policies constitute (like the braindead UAC) NO security boundaries, they rise the bar high enough to defend almost all malware.
Don't forget to read Will Dormann's advice https://insights.sei.cmu.edu/cert/2016/06/bypassing-application-whitelisting.html
as well as Stefan Kanthak's http://home.arcor.de/skanthak/SAFER.html

Anonymous