Malware Sample Bypasses Auto-Sandbox + Disables HIPS
SHA256: 277c5d85c9b002be4b541a4c518ee3ef83877e77d113b3ea82f4c3be31b36d2e
File name: PO859585958595.exe (executes .bat file)
SHA256: eab54269e37992b78173956fe8c67dab7bbcb935852875b95b9bbc80d399b508
File name: ivepa.exe (dropped file - Users\xyz\AppData\Roaming - random_name.exe - different name every install)
NOTE: Installer is detected by signature at this time, but the dropped file is not.
NOTE: Malware sample was tested with AV turned off to observe auto-sandbox, HIPS and configuration’s ability to protect system.
Can you reproduce the problem & if so how reliably?:
Every time - at will
If you can, exact steps to reproduce. If not, exactly what you did & what happened:
** Disable AV Module **
1: Run sample.
2: Sample will not be auto-sandboxed.
3: Sample will disable HIPS.
4: Sample will disable anti-executable\default-deny configuration; any installer\application can be run and cannot be blocked.
5: User cannot block dropped file by changing file rating to “Malicious” after it is executed.
6: Dropped file can extract license keys.
Once malware is run it permanently disables the user’s ability to enforce CIS antiexecutable\default-deny configuration.
NOTE: This sample disables Windows firewall, UAC - as well as causes other brands of security software to malfunction.
One or two sentences explaining what actually happened:
Executed Bladabindi\ZBot variant. Sample was not auto-sandboxed. HIPS was disabled. Sample could run despite user changing file rating to “Malicious” in local database. Anti-executable\default-deny configuration was disabled; any installer\app could run instead of being blocked by CIS.
One or two sentences explaining what you expected to happen:
I expected CIS modules to be immune to attack, disabling and\or other tampering by malware sample. In short, I expected CIS to protect the system.
If a software compatibility problem, have you tried the advice to make programs work with CIS?:
Not Applicable.
Any software except CIS/OS involved? If so - name, & exact version:
Yes. Malware sample attached.
Any other information, eg your guess at the cause, how you tried to fix it etc:
Well-crafted piece of malware.
B. YOUR SETUP
Exact CIS version & configuration:
8.2.0.4508 - Proactive Security with Enhanced Protection Mode enabled.
Modules enabled & level. D+/HIPS, Autosandbox/BBlocker, Firewall, & AV:
All.
Have you made any other changes to the default config? (egs here.):
Yes. Configuration file attached.
Have you updated (without uninstall) from CIS 5, 6 or 7?:
No.
If so, have you tried a clean reinstall - if not please do?:
Current installation is clean.
Have you imported a config from a previous version of CIS:
No.
If so, have you tried a standard config - if not please do:
Malware's ability to impair CIS is configuration independent; various configurations\settings tested against sample.
Malware's ability to impair CIS is system independent; tested on Intel\AMD, i3, i5, A8, A10, desktop, laptop.
OS version, SP, 32/64 bit, UAC setting, account type, V.Machine used:
Windows 8.1 x86-64 OEM (Toshiba), “Always Notify,” Administrator, No VM used.
Other security/s’box software a) currently installed b) installed since OS, including initial trial security software included with system:
a=None. b=None.
C. ATTACH REQUIRED FILES
- Configuration file
- Anti-Virus Log
- Defense+ Log
- Malware Sample (zipped\password “infected”)
- Configuration Changes Log (changed file rating to “Malicious” - CIS did\could not block)
[attachment deleted by admin]
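Added example, not part of the original report and not code from Comodo or from the sample: a PowerShell triage script that checks a test machine for the tampering the report describes (UAC turned off, Windows Firewall profiles disabled, a freshly written executable under Users\<user>\AppData\Roaming) and compares any such file against the dropped-file SHA256 given above. The 24-hour window and the Run/RunOnce persistence check are assumptions for illustration; the report does not state how the dropped file persists.

```powershell
# Added example (not from the original report). Run in an elevated PowerShell
# session on the test machine. Get-NetFirewallProfile needs Windows 8 / Server 2012+.

# SHA256 of the dropped file as given in the report (file name varies per install).
$KnownDroppedSha256 = 'EAB54269E37992B78173956FE8C67DAB7BBCB935852875B95B9BBC80D399B508'

function Get-TamperingIndicators {
    param(
        # Assumption: only executables written in the last 24 hours are of interest.
        [int]$LookbackHours = 24
    )
    $findings = @()

    # 1. UAC. EnableLUA=0 means UAC is off; ConsentPromptBehaviorAdmin=0 means silent
    #    elevation. The report's baseline was "Always Notify" (value 2).
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($uac.EnableLUA -ne 1) {
        $findings += "UAC disabled (EnableLUA=$($uac.EnableLUA))"
    }
    if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'UAC elevates without prompting (ConsentPromptBehaviorAdmin=0)'
    }

    # 2. Windows Firewall: flag any profile whose Enabled state is not True.
    Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' } | ForEach-Object {
        $findings += "Windows Firewall profile '$($_.Name)' is disabled"
    }

    # 3. Recently written executables directly in %APPDATA% (the report's drop location),
    #    hashed and compared to the known dropped file.
    $cutoff = (Get-Date).AddHours(-$LookbackHours)
    Get-ChildItem -Path $env:APPDATA -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            $tag = if ($hash -eq $KnownDroppedSha256) { ' [MATCHES dropped sample from report]' } else { '' }
            $findings += "New executable $($_.FullName) SHA256=$hash$tag"
        }

    # 4. Assumption: Run/RunOnce entries pointing into AppData\Roaming would be how the
    #    dropped file survives a reboot; the report does not state its persistence method.
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($key in 'Run', 'RunOnce') {
            $path = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$key"
            if (-not (Test-Path $path)) { continue }
            (Get-ItemProperty -Path $path).PSObject.Properties |
                Where-Object { "$($_.Value)" -like '*AppData\Roaming*' } |
                ForEach-Object {
                    $findings += "Autorun $hive\$key\$($_.Name) -> $($_.Value)"
                }
        }
    }

    return $findings
}

$result = Get-TamperingIndicators
if ($result.Count -eq 0) { 'No tampering indicators found.' } else { $result }
```

Run it once on the clean baseline (it should print only the "no indicators" line with UAC at Always Notify and all three firewall profiles enabled) and again after detonating the sample; the difference is the evidence for items 1, 3 and the firewall/UAC note in the report. It does not inspect CIS's own state, since the report gives no documented interface for that.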