Are new exploits so scary if the antivirus does not see them?

Every time you open an Internet Explorer window, some of you are terrified of catching yet another virus ... But is it really that bad? Are we all defenseless against such things?

Everything described in the article applies to Windows-based systems.

In place of an introduction

It so happened historically that other members of my family sit at the computer besides me. Once, turning it on in the morning, I was greeted by a WinLocker on my monitor ... well, how could this happen, I thought, since I had an antivirus with the very latest databases, which missed this crap ... and someone else who had been sitting there might have launched it. And yes, the browser was IE9.
I dealt with the WinLocker, and even checked how many antiviruses were detecting it at that moment (only 1).

There is no blue pill that would simply protect you from an exploit. If one exists, then in 70% of cases it was very carefully thought out (hello, metasploit and its relatives) and, alas, the operating system and antivirus (if any) are defenseless ...

But what about the remaining 30%, hastily cobbled together? Is it possible to protect yourself from novelties such as obfuscated WinLockers and other malware?

Getting to the point

Up to this point, I knew several ways to prevent infection:
  • use a HIDS (usually this means proactive protection: your antivirus / firewall monitors the system and reports that such-and-such a file wants to do something)
  • use a more reliable browser (Chrome?)
  • a sandbox (or is that already deprecated?)
  • corporate customers, of course, can use something else, such as honeypots, to catch new, unknown malware during traffic analysis
  • the Microsoft toolkit EMET (thanks, Speedimon), a program that prevents exploitation of software vulnerabilities
  • of course, an IPS system can also be tied in


I refused to use the methods described above (in particular, HIDS).

Group Policy

After all, there is one more interesting trick (not a panacea, of course) that is available on Windows.
When analyzing the WinLocker, it was clearly visible that it was automatically downloaded into the %Temp% folder (on my Win7 machine, %appdata%\..\Local\Temp), from where it was launched via an autorun registry entry.
The answer lay on the surface: prohibit launching files from the TEMP folder!

We take 4 simple steps:

  1. Open the Local Group Policy Editor (gpedit.msc)
  2. Computer Configuration - Security Settings - Software Restriction Policies
  3. Create a new path rule
  4. Enter the path we need, select the security level Disallowed, and voila! Now no program will ever start from this path


Read and write access will remain, but execution will be denied, even if you are running with administrator rights; I personally verified this by trying to launch the same WinLocker from the Temp folder.

If you need to run something, you can always change the security level for this policy.

I hope this additional method helps someone ... Besides, looking at the Windows Application log for events from the SoftwareRestrictionPolicies source (event ID 866), I can clearly see that it was not in vain on my PC, because inexperienced users on IE9 and IE10 are sitting behind it.
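A way to verify the rule is in effect and to see what it has blocked, as an added PowerShell example that is not part of the original post; the Safer registry location, its level key names and event ID 866 are assumed from how SRP stores and reports path rules.

```powershell
# Added example (not from the original post): list the SRP path rules that
# are actually in effect on this machine and show the launches they blocked.
# Assumes the rule was created as in the four steps above, so it lands under
# the "0" (Disallowed) level key of the Safer registry hive.

$saferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

if (-not (Test-Path $saferRoot)) {
    Write-Warning 'No Software Restriction Policies are defined on this machine.'
    return
}

$defaultLevel = (Get-ItemProperty $saferRoot).DefaultLevel
'Default security level: {0}' -f $levelNames[[int]$defaultLevel]

# Walk every level key (0, 131072, 262144) and print the path rules under it.
Get-ChildItem $saferRoot | ForEach-Object {
    $level    = $levelNames[[int]$_.PSChildName]
    $pathsKey = Join-Path $_.PSPath 'Paths'
    if (Test-Path $pathsKey) {
        Get-ChildItem $pathsKey | ForEach-Object {
            $rule = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Level       = $level
                Path        = $rule.ItemData      # e.g. %appdata%\..\Local\Temp
                Description = $rule.Description
            }
        }
    }
} | Format-Table -AutoSize

# Event ID 866 in the Application log means "blocked by a path rule"; each
# entry names the file that tried to run, which is how the post's author saw
# that the Temp rule was earning its keep.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'SoftwareRestrictionPolicies'
    Id           = 866
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

Run it from an elevated PowerShell prompt; reading the Safer hive and the Application log does not require it on most systems, but the rule listing is only complete for the machine-wide policy when run as administrator.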

UPD:
Thanks for the criticism and comments. It is interesting that even after the article was written, only 22 out of 46 antivirus companies detect this malware.

UPD2:
Thanks to shanker and ApeCoder for their comments questioning whether this is really an exploit.
This Winlocker got into the system by exploiting the vulnerability CVE-2012-4969.
Its analysis from lavasoft can be found here.
