Odd type of malware

Is CIS able to prevent this if D+ and AutoSandbox are enabled?

Anyone…? :frowning:

I’ve requested a sample, if they share it then I can test it and give you an answer.

Until then my guess would be: HIPS would alert that cmd.exe is trying to execute the .pdf and would also alert for everything the .pdf does; Autosandbox/BB would sandbox the .pdf as cmd.exe tries to execute it. Do note that it’s just my guess; given the sample, I could test my theory.
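The HIPS alert anticipated above (cmd.exe trying to execute the .pdf) is also the kind of event a host process log can surface. As an added example that is not from this thread or from Comodo, the Python below checks constructed Sysmon-style process-creation records for a .pdf run directly as a process image, or handed to cmd.exe via /c or /k; the field names and sample paths are assumptions.

```python
import re
# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # renamed executable launched directly: the process image is the ".pdf"
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\alice\Downloads\invoice.pdf",
     "CommandLine": r'"C:\Users\alice\Downloads\invoice.pdf"'},
    # the launch attempt itself: cmd.exe told to run the .pdf path
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\Downloads\invoice.pdf"'},
    # benign: a reader opens a .pdf as data, the image is the reader
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\Reader\Reader.exe",
     "CommandLine": r'"C:\Program Files\Reader\Reader.exe" "C:\docs\report.pdf"'},
    # benign: cmd.exe running an ordinary batch file
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\tools\backup.bat"'},
]

CMD_EXE = re.compile(r"(^|\\)cmd\.exe$", re.IGNORECASE)
DOC_EXT = re.compile(r"\.pdf$", re.IGNORECASE)

def image_is_document(event):
    """Process image carries a .pdf extension: a renamed PE executed as code."""
    return bool(DOC_EXT.search(event["Image"]))

def cmd_invokes_document(event):
    """A cmd.exe process whose /c or /k command is a .pdf path; the attempt is
    recorded even if HIPS or the sandbox stopped the child process."""
    if not CMD_EXE.search(event["Image"]):
        return False
    # split the command line into tokens, honouring double quotes
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', event["CommandLine"])]
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("/c", "/k"):
            return bool(DOC_EXT.search(tokens[i + 1]))
    return False

def scan(events):
    """Return (index, reason) for every event matching either rule."""
    hits = []
    for i, ev in enumerate(events):
        if image_is_document(ev):
            hits.append((i, "pdf-named file executed as a process image"))
        elif cmd_invokes_document(ev):
            hits.append((i, "cmd.exe invoked a .pdf path as a command"))
    return hits
```

Running `scan(SAMPLE_EVENTS)` flags only the first two constructed events; the reader opening a .pdf as data and the batch-file run pass unflagged.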

I guess you’re right, Sanya, but only if one hasn’t incidentally set cmd.exe to be remembered as “allowed”. :azn:

Kind regards, REBOL. :slight_smile:

The “Allowed” preset should still alert about running executables (at least in Proactive configuration) and even then HIPS would give alerts about what the .pdf file is trying to do.

Maybe it “should”, “should’ve done” or even is / was “supposed to do” that, but at certain (seldom) moments in time (been using Comodo Firewall since 2006 or so, call me an unknowing veteran now ;)) it’s left me alone because of some “hacking person >:-D” being somewhat “wiser” than me, maybe. :embarassed:

Kind regards, REBOL.

I have received a sample of the malware and I’ll test my theories, I’ll also make a video of my testing and upload it when I’m done.

Edit: Here’s the video: Desktop 05 21 2014 20 45 41 01 - YouTube

I’m no malware analyst, so I can’t really tell you what the malware is doing,** but what I can tell you is that HIPS is active for it and BB is active for it, so this is by no means bypassing CIS; besides that, it is also detected by CIS, so I had to exclude it to do the tests.

**However more information about it can be found here: https://malwr.com/analysis/ZTUxMTk4ZTIwZGNhNDFkZjg3NmRiNjQ0NDQ0YmUyNmQ/#