Every time one of you opens the Internet Explorer browser, you panic about catching yet another virus ... But is this really so? Are we all defenseless against such things?
Everything mentioned in this article applies to Windows-based systems.
Instead of an intro
It so happened that other members of my family use the computer besides me. One morning I turned it on and a WinLocker greeted me from the monitor ... well, how could this happen, I thought: I had an antivirus with the latest databases, and it missed this thing ... and whoever was sitting there may also have launched something themselves. And yes, the browser was IE9.
I dealt with the WinLocker, and even wondered how many antiviruses were detecting it at that moment (only 1).
There is no blue pill that would simply protect you from an exploit. If there is one, then in 70% of cases it was very carefully thought out (hello, Metasploit and others like it) and, alas, the operating system and the antivirus (if there is one at all) are defenseless ...
But what about the remaining 30%, cobbled together in haste? Is it possible to protect yourself from such novelties as obfuscated WinLockers and other malware?
Closer to the point
Up to this point, I knew several ways to prevent infection:
- Use a HIDS (usually used as proactive defense: your antivirus / firewall monitors the system and reports that such-and-such a file wants to do something)
- Use a more reliable browser (Chrome?)
- A sandbox (or is that already out of date?)
- Corporate clients can, of course, use something else, like a honeypot, to catch new unknown malware while analyzing traffic
- A toolkit from Microsoft, EMET (thanks, Speedimon), a program that prevents the exploitation of software vulnerabilities
- Of course, another IPS system can also be bolted on
I decided against the methods described above (in particular, HIDS).
Group Policies
After all, there is another interesting trick (certainly not a panacea) ... which is available in Windows itself.
Analyzing the WinLocker made it clearly visible that it was automatically downloaded to the %Temp% folder (Win7 -> %appdata%\..\Local\Temp), from which it was started via an autorun registry entry.
The answer lay on the surface: we prohibit launching files from the TEMP folder!
Four simple steps:
- Open the Local Group Policy Editor (gpedit.msc)
- Computer Configuration - Security Settings - Software Restriction Policies
- Create an additional rule for a path
- Enter the path we need, choose the security level Disallowed - and voilà! Now no program will ever start from this path.
Read and write access will remain, but there will be no execute access, even though you are running with administrator rights; I verified this personally when checking the autorun of that same WinLocker from the Temp folder.
If you need to run something from there, you can always change the security level of this policy.
I hope this additional method will help someone ... Besides, looking through the Windows Application log for the SoftwareRestrictionPolicies source (event ID 866), I can clearly see that this was not in vain on my PC, because the inexperienced users behind it use IE9 and IE10.
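As an added example (not from the original article), here is a PowerShell script that verifies the policy above from the defender's side: it lists the machine-wide SRP path rules from the registry and pulls the recent event ID 866 entries the author mentions, so you can see which files were actually stopped. It assumes the SRP registry layout under Safer\CodeIdentifiers (numeric subkey = security level: 0 Disallowed, 131072 Basic User, 262144 Unrestricted), the provider name Microsoft-Windows-SoftwareRestrictionPolicies, and the order of the event's message parameters (blocked file, rule id, rule path); confirm these on your build.

```powershell
# Audit SRP path rules and list recent "blocked by path rule" events (ID 866).
# Registry layout and event parameter order are assumptions; verify locally.
$srpRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRules {
    # One object per machine-wide path rule: level, path pattern, description
    if (-not (Test-Path $srpRoot)) { return @() }
    foreach ($levelKey in Get-ChildItem $srpRoot) {
        $level    = [int]$levelKey.PSChildName
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            $p = Get-ItemProperty $rule.PSPath
            [pscustomobject]@{
                Level       = $levelNames[$level]
                Path        = $p.ItemData        # REG_EXPAND_SZ, e.g. %Temp%
                Description = $p.Description
            }
        }
    }
}

function Get-SrpBlockEvents {
    param([int]$Days = 30)
    # Event 866 = execution denied by a path rule (Application log)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 866
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Blocked = $_.Properties[0].Value   # file that was stopped (assumed index)
                Rule    = $_.Properties[2].Value   # path pattern of the matching rule
            }
        }
}

# Is there actually a Disallowed rule covering a Temp folder, as the article sets up?
$tempRule = Get-SrpPathRules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -match 'Temp' }
if (-not $tempRule) { Write-Warning 'No Disallowed SRP path rule for a Temp folder was found.' }
Get-SrpPathRules | Format-Table -AutoSize
Get-SrpBlockEvents | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; the Application log is readable without elevation, but the policy keys under HKLM may not be.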
UPD: Thanks for the criticism and the comments. Interestingly, even after this article was written, still only 22 out of 46 antivirus companies detect the malware.
UPD2: Thanks to shanker and ApeCoder for commenting on the dubious nature of this exploit.
This WinLocker got into the system by exploiting the vulnerability CVE-2012-4969. Its analysis from Lavasoft can be found here.