About a ransomware

a256886572008 · September 7, 2013, 2:37am

This one. ;D

https://forums.comodo.com/news-announcements-feedback-cis/about-a-ransomware-t96429.0.html

kjdemuth · September 7, 2013, 1:21pm

Here is another break down from CWsandbox. https://mwanalysis.org/?site=1&page=details&id=1012118&password=ggokihwnvc

Citizen_K · September 7, 2013, 11:42pm

Thx. Is the malware from cruelsister the same one as yours? The passwords are different. If so I will merge this topic with yours.

I looked up the malware on VT by its hash. It gets detected by Comodo as a trojan.

It is not clear by your description what happens when the malware gets run with CIS running and with what setting(s) it gets past CIS.

Please be more descriptive and start a separate topic with a proper topic start. That way this topic will not go astray and your topic will get proper exposure.

cruelsister · September 9, 2013, 12:25am

Eric- You can merge the topics if you wish- I was unaware of the previous thread. My sample is different only to the extent that I wrote the script and backdoored it to a valid installer; done more as a proof of concept (that any malware of this type is FUD) than to present a different malware class. But note that this is not the same malware that KJ has presented above.

But as I wasn’t initially clear about what exactly occurs, I’ll do so now. My sample is a simple script (can be done either as a batch file or a vbs script) that is backdoored to a legitimate installer. When the installer exe is run it will trigger the script. The script will wait until either the legitimate application is installed or until the user exits the install routine prior to its completion. With a little more effort the malicious commands can be incorporated into a valid application’s Restart routine. A colleague of mine has done just this with the Symantec Endpoint Protection installer.

The script does 2 things- it will change the User, Admin Windows logon password to whatever is specified in the script, then call up shutdown.exe to shut the computer down. When the computer is restarted one is presented with the logon screen. It makes no system changes other than what is stated (no registry changes, no dll or dat files dropped). CIS at default will fail. CIS at default with auto-sandbox at the Full V setting Fails. CIS at default with either Limited, Restricted or Untrusted auto-sandbox settings will stop it,

Citizen_K · September 11, 2013, 12:29am

Merged as per request.

cruelsister · September 27, 2013, 12:18pm

Sadly the 6.3 version is still susceptible to this trojan. Under Full V and Partially Limited Sandbox levels with HIPS at Safe Mode the malicious changes go undetected.

Solarlynx · September 27, 2013, 2:30pm

Is it still undetected if in HIPS settings “Set popup alerts to verbose mode” is checked?

Chiron494 · September 27, 2013, 3:56pm

Please create a bug report for this so I can bring it to the devs attention as quickly as possible.

thug4real · September 29, 2013, 9:52am

This really help against rasomware?

Solarlynx · September 29, 2013, 2:32pm

I wish I knew.

B-boy_StyLe · September 29, 2013, 9:28pm

It look like this one:
https://forums.comodo.com/news-announcements-feedback-cis/comodo-v5-v6-users-count-poll-t93703.0.html;msg675618#msg675618

Chiron494 · March 7, 2014, 12:51am

If this is still not fixed with CIS version 7.0.313494.4115 please create a bug report for it.

Thanks.