Author Topic: comodo against ChineseRarypt  (Read 5249 times)

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 26525
Re: comodo against ChineseRarypt
« Reply #15 on: August 09, 2019, 11:27:00 AM »
Indeed. The bypass was not reproduced on both 6870 and 6882 by futuretech with default settings. There is no need to enable HIPS.
« Last Edit: August 09, 2019, 11:41:26 AM by EricJH »

Offline NDABBRU

  • Comodo's Hero
  • *****
  • Posts: 504
Re: comodo against ChineseRarypt
« Reply #16 on: August 09, 2019, 11:34:04 AM »
Indeed. The bypass was not reproduced on both 6870 and 6882 by futuretech with default settings. There is no need to enable HIPS.

I mentioned that.

Great! Thank you! ;) :-TU
Nunzio

Offline Nilhar

  • Comodo Family Member
  • ***
  • Posts: 86
Re: comodo against ChineseRarypt
« Reply #17 on: August 09, 2019, 01:17:24 PM »
Good to know guys!

So, as I suspected, this video test is not clear/good, and it seems that it has been done for an unknown purpose.

@futuretech and @EricJH, thank you for your tests and explanation!

Offline B-boy/StyLe/

  • Comodo Family Member
  • ***
  • Posts: 61
Re: comodo against ChineseRarypt
« Reply #18 on: August 11, 2019, 05:06:37 AM »
Whatever version of CIS was used, it is clear it was not using default settings. I also tried with 6780, and I still didn't see files on the desktop get deleted, nor did I see the dropped text file get added either. So I have come to the conclusion that default settings were not used; in particular, the 'Do not virtualize access to the specified files/folders' setting was modified to include the Desktop folder. So regardless of the CIS version used, CIS will protect against this even under default settings.

I found it strange that only files located on the desktop were being modified and the ransom note was successfully being saved to the desktop, but all other files were protected. So it is either an intentional change to the do not virtualize containment setting, or an incompatibility with another security software that was installed alongside CIS during the test.

To answer the question of using protected data folders, HIPS does not need to be enabled for protected data folders to work. Also resetting the sandbox wouldn't do anything to bring back files that were modified or deleted that were being excluded from virtualization.

So you tested with the sample from the video? Maybe this one?

https://www.virustotal.com/gui/file/58b009308c929c7d16ca44e08d83040526f8d41c656bfadde3de80e81937198f/detection

Offline futuretech

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5127
Re: comodo against ChineseRarypt
« Reply #19 on: August 11, 2019, 02:52:05 PM »
So you tested with the sample from the video? Maybe this one?

https://www.virustotal.com/gui/file/58b009308c929c7d16ca44e08d83040526f8d41c656bfadde3de80e81937198f/detection

Yes. Also note that you need to have WinRAR installed, specifically the 64-bit version of WinRAR if you are using a 64-bit Windows version.

Offline Matt Liam

  • Newbie
  • *
  • Posts: 4
Re: comodo against ChineseRarypt
« Reply #20 on: August 11, 2019, 08:56:40 PM »
The video description says the test was done using the latest CIS version of 12.0.0.6882, but in the video you can see the VirusScope recognizer is 12.0.0.6780, so it is kinda misleading. I have the sample used and I tested against 12.0.0.6882, and I didn't see any files get deleted like in the video, and the "how to decrypt your files" txt document was not saved to the real desktop. So maybe the issue did affect 6870 but is now fixed in 6882, which might mean the sample used the vulnerabilities that were disclosed that affected 6870 to bypass the sandbox.

Hey, could you tell me where I can download the sample and run the test, please?

Offline cruelsister

  • Comodo Loves me
  • ****
  • Posts: 121
Re: comodo against ChineseRarypt
« Reply #21 on: August 14, 2019, 08:43:56 PM »
It's odd that this malware is presented as ransomware. Yes, it does drop ransom notes in a few places, but otherwise it is a scriptor that deletes personal files (jpg's, doc's, etc). Recovery is quite easy using a search-and-undelete application like EaseUS.

A much more elegant ransomware that actually does plop files into password-protected archives is something like https://www.virustotal.com/gui/file/c285e376201e2941154ec1a9acd8658cd5e0ea975c694a3fe3e9a9897efc2680/detection

Odd also is that a specific build of CIS would allow anything to be deleted, as previous builds never did and the current application also protects. The initial malware file is sandboxed, as is the resultant spawn (rar.exe, taskkill, certutil, at, dllhost, etc.).

Finally it is a good idea to let the firewall show popups (unlike in the video) for stuff that should not be connecting out. certutil.exe attempting a connection to somewhere in China (Hangzhou?) is never a good thing.
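A defender-side way to surface the process pattern cruelsister describes (an untrusted parent spawning several of rar.exe, taskkill, certutil, at and dllhost, plus certutil opening an outbound connection), as an added example that is not from this thread or from Comodo: a small Python correlator run over constructed Sysmon-style records. The record format, paths, the 203.0.113.7 address and the threshold are assumptions, not values from the video or the sample.

```python
from collections import defaultdict

# Child images the post names as spawned by the sandboxed sample. Any one of
# them is routine admin activity; one parent launching several in quick
# succession is what we want to surface.
SUSPICIOUS_CHILDREN = {"rar.exe", "taskkill.exe", "certutil.exe", "at.exe", "dllhost.exe"}
# Tools that have no reason to open outbound connections on their own.
NO_NETWORK_EXPECTED = {"certutil.exe"}
MIN_DISTINCT_CHILDREN = 2  # assumption: tune to your environment's noise level

# Constructed, Sysmon-like records (not real telemetry), one per line:
#   PROC|pid|ppid|image|parent_image     -> process creation
#   NET|pid|image|dest_ip:port           -> outbound connection
SAMPLE_LOG = """\
PROC|500|300|C:\\Users\\lab\\Downloads\\invoice.exe|C:\\Windows\\explorer.exe
PROC|501|500|C:\\Program Files\\WinRAR\\rar.exe|C:\\Users\\lab\\Downloads\\invoice.exe
PROC|502|500|C:\\Windows\\System32\\taskkill.exe|C:\\Users\\lab\\Downloads\\invoice.exe
PROC|503|500|C:\\Windows\\System32\\certutil.exe|C:\\Users\\lab\\Downloads\\invoice.exe
NET|503|C:\\Windows\\System32\\certutil.exe|203.0.113.7:80
PROC|600|310|C:\\Windows\\System32\\taskkill.exe|C:\\Windows\\System32\\cmd.exe
"""

def basename(path):
    """Case-insensitive file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def analyze(log):
    """Return a list of (rule, detail) findings for the given log text."""
    children = defaultdict(set)   # parent image -> set of suspicious child names
    findings = []
    for line in log.splitlines():
        fields = line.split("|")
        if fields[0] == "PROC":
            _, _pid, _ppid, image, parent = fields
            name = basename(image)
            if name in SUSPICIOUS_CHILDREN:
                children[parent].add(name)
        elif fields[0] == "NET":
            _, _pid, image, dest = fields
            if basename(image) in NO_NETWORK_EXPECTED:
                findings.append(("lolbin_network", f"{basename(image)} -> {dest}"))
    for parent, names in children.items():
        if len(names) >= MIN_DISTINCT_CHILDREN:
            findings.append(("spawn_cluster", f"{parent} spawned {sorted(names)}"))
    return findings

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_LOG):
        print(rule, detail)
```

The lone taskkill launched from cmd.exe is deliberately left unflagged; only the parent that clusters several of these children, and the certutil network connection, produce findings.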

Offline DrAlrek

  • Comodo Loves me
  • ****
  • Posts: 125
Re: comodo against ChineseRarypt
« Reply #22 on: April 25, 2020, 03:38:43 PM »
Thanks for the analysis of this test in the video of Juan Diaz.
Obviously assuming that this is a true ransomware ... so in conclusion, even without enabling HIPS protection and with CIS or CAV default settings, can you be calm?

I have HIPS enabled with the option "do not show popup alerts" set to "block requests", no issues.
ProactiveSecurity
AV: Heur to medium, auto-quarantine, Lite database
HIPS/FW: SafeMode AutoBlock on.
Container: autoblock, but sandbox Chrome&Firefox
Cloud lookup: off, removed unused entries from vendor list
VirusScope: monitor all, auto-quarantine
