Interesting idea.. Hide your virus from the scanners by running it inside a VM that is being run by a legit process..
Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems
With antivirus tools increasingly wise to common infection tricks, one group of extortionists has taken the unusual step of stashing their ransomware inside its own virtual machine. According to Vikas Singh, Gabor Szappanos, and Mark Loman at Sophos, criminals have slotted the file-scrambling Ragnar Locker nasty into a virtual …
COMMENTS
Saturday 23rd May 2020 02:05 GMT ThatOne
Still, installing a 70 MB program plus a 200+MB virtual machine to hide a 50KB virus is slightly overkill IMHO...
Also, normal users might wonder what the heck is VirtualBox doing on their computer all of a sudden. Hardly a stealthy approach. Which means that, even if the virus itself is hard to detect, the infection is pretty easy to spot, not to mention it might be possible for company administrators to simply block any new/additional installation of any hypervisor on company computers, thus blocking not only this, but any similar future virus.
Saturday 23rd May 2020 11:47 GMT ThatOne
> Are you not overrating "normal users" ???
You have a point there... :-D
But then again the "normal" normal users don't have anything worth blackmailing them about (holiday pictures?), so I guess the target of this system would be companies, which would (might (should)) keep a distracted eye on what's going on on their computer park.
I'm definitely not convinced that smuggling stuff using a carnival float is the optimal method. Somebody might notice it, and wonder what it is doing there, at this time of year.
Friday 22nd May 2020 18:06 GMT amanfromMars 1
Re: Turning the tables
Using a VM to isolate and study viruses is an old trick. Looks like the young dogs are learning old tricks ..... don't you hate it when you lose your account.
Using a VM to manufacture and manipulate a virus is novel though, don't you hate it when you lose your account.
That's surely a new trick for young dogs and old lags alike to go rabid over?
Saturday 23rd May 2020 07:40 GMT amanfromMars 1
Re: Turning the tables
They're all understandable, DJV, although not necessarily to everybody. And whenever some matters are dangerous to know and quite rightly intelligently made available for only a few made of sterner sterling stuff able to successfully handle and exploit the info and intel, is the pool of enlightenment relatively small and massively terrifying to those and/or that excluded.
Monday 25th May 2020 13:58 GMT amanfromMars 1
Re: Just what is needed?
I've just been on these fora too long. Oddly, much of what aMfM posts is comprehensible to me. Weird, off the wall, disturbing even, but comprehensible. Alistair
A Slick Fit, Alistair, for Stealthy Intelligence Service Providers Enamoured of Exercise with the likes of these thoughts? :-) .......
We need some true wild cards, artists, people who never went to university and fought their way out of an appalling hell hole, weirdos from William Gibson novels like that girl hired by Bigend as a brand ‘diviner’ who feels sick at the sight of Tommy Hilfiger or that Chinese-Cuban free runner from a crime family hired by the KGB. If you want to figure out what characters around Putin might do, or how international criminal gangs might exploit holes in our border security, you don’t want more Oxbridge English graduates who chat about Lacan at dinner parties with TV producers and spread fake news about fake news. ..... The Circus with Many Rings is Hiring
And the following is sweet and sour heavy rock music to the ears of many nowadays in the Almighty Age of 0days, I'd bet ...
We’re particularly interested in deep experts on TV and digital. We also are interested in people who have worked in movies or on advertising campaigns. There are some very interesting possibilities in the intersection of technology and story telling — if you’ve done something weird, this may be the place for you.
And no ..... as far as I know, none of the above has been BasicAlly AI Machine generated courtesy of a full-sized GPT-2 model, called 1558M? although one would never ever know whenever it be the case.
Would human controllers seek then to present that practical transformation and virtual transubstantiation as a problem for creation of totally unnecessary self-destructive conflicts in which they themselves are neither able nor able to be enabled with others to defend and reign over everything victorious? Would they be so retarded and clueless?
Do you fear and despair the honest answer is a resounding and unambiguous Yes? :-)
Friday 22nd May 2020 19:30 GMT bombastic bob
Use of SMBv1 for XP compat may be at the core
Since the VM is (apparently) running a version of Windows XP, I have to wonder whether or not the BLOCKING of SMBv1 would stop it dead in its tracks?
SMBv1 is known to have serious vulnerabilities due to weak encryption. In every version of windows since Vista it should be possible to turn SMBv1 compatibility OFF [and this includes any Samba servers or NAS drives]. Unless you need to run XP machines on your network with file sharing enabled, it's probably a good idea to do this anyway.
I would be interested, though, in knowing whether "disable SMBv1" is a possible mitigation for this ransomware.
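The Windows-side half of the question above (is SMBv1 still on, who is still using it, and how to turn it off) can be answered from an elevated PowerShell prompt. The script below is an added example, not code from any commenter or from the Sophos write-up; it assumes only the SmbShare and DISM cmdlets that ship with Windows 8.1 / Server 2012 R2 and later, and the audit step relies on the SMB1 access audit log Microsoft added in Windows 10 / Server 2016.

```powershell
# Added example: audit, then disable, SMBv1 on a Windows host.
# Run elevated. Older builds without the SMB1Protocol optional feature
# still honour the Set-SmbServerConfiguration switch.

function Get-Smb1Status {
    # Server-side protocol switch (what remote clients can negotiate)
    $srv = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol
    # Optional-feature state; absent on builds that predate the feature
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerEnableSMB1 = $srv
        FeatureState     = if ($feat) { $feat.State } else { 'n/a' }
    }
}

function Enable-Smb1Audit {
    # Log every SMBv1 connection before switching it off, so "do we still
    # have XP-era clients?" is answered with evidence rather than guesses.
    # Events go to Microsoft-Windows-SMBServer/Audit, event ID 3000.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-SMBServer/Audit'
        Id        = 3000
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Message } |
        Sort-Object -Unique
}

function Disable-Smb1 {
    # Turn the server side off first (takes effect without a reboot),
    # then remove the feature itself (needs a reboot to fully apply).
    # On Server SKUs the equivalent of the second step is
    # Remove-WindowsFeature FS-SMB1.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

# Typical sequence:
Get-Smb1Status
# Enable-Smb1Audit      # then wait a week or so
# Get-Smb1Clients       # anything listed here needs fixing or replacing first
# Disable-Smb1
```

For the Samba servers and NAS boxes mentioned in the post, the equivalent is `server min protocol = SMB2` in the `[global]` section of smb.conf, followed by a restart of smbd. Whether blocking SMBv1 would actually stop this particular ransomware depends on how it reaches the file shares, which the thread does not establish; the audit step is what tells you whether anything on your network still needs the protocol at all.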
Monday 25th May 2020 13:54 GMT Joe Montana
Re: Use of SMBv1 for XP compat may be at the core
Encryption is not the reason to deprecate SMBv1... SMBv2 doesn't implement encryption either, and it's optional for newer versions of SMBv3.
The problem is the inherent complexity and age of the protocol, with SMBv2/v3 being much cleaner and simpler.
However, they are also not without problems: on Windows the protocol is deeply embedded into the OS and runs with a high privilege level, the protocol allows a lot more than just file sharing, and there are still weaknesses with the authentication system - especially NTLM.
Friday 22nd May 2020 20:47 GMT Anonymous Coward
Good idea
I like this method, I think we could improve it by switching it to a tightly compiled Linux distro.
A smaller footprint should help make it more difficult to detect running in the background.
You could build a tiny distro specifically for the VM, including only the modules absolutely necessary to operate, nothing more, nothing less. Heavily reducing the RAM and storage footprint, thus less obvious.
Because we're stimulating hardware in a VM, that should be dead simple. Stick the ability to mount NTFS and FAT32 in there, and we're good to go.
Although, it may be worth seeing if we can use an existing hypervisor on the system, dumping a new one just for the ransomware seems pointless when one already exists.
A hidden VM configuration on an existing hypervisor would work a treat, and would probably remain unnoticed while it performs its task, or longer if we also siphoned some user data for ourselves.
Ofc, if not available dump our own legit-looking hypervisor instead.
The advantage is, if it was done so that the virus code and os are linux based, it would be more difficult for your average Windows AV to pickup.
That said, viruses and ransomware are bad. Don't do it. I'm not endorsing this behaviour in any way. Simply some random ideas.
Saturday 23rd May 2020 07:42 GMT Pier Reviewer
If you don’t care about security, the bad guys care about you
Internet facing RDP... Jesus. I love it when you find it on jobs. It’s an easy win. It’s insane that people don’t put it behind a VPN (that requires MFA).
Ofc that alone isn’t a fix for ransomware. There is no single fix, which is why companies keep getting reamed. They’d evidently rather risk paying millions than definitely spend money avoiding the risk, even if it basically guarantees they won’t be badly affected. It’s 100% the board’s fault. They could force a change, but costs reduce their dividends. Better to risk it and make secret payments to the criminals if you get hit rather than reduce your take home pay innit?
The fix? Nothing new or exciting. Regular, tested off-site backups, maintain a register of installed software and audit it regularly, patch regularly, MFA for all sensitive services and accounts etc.
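Two of the defensive suggestions in this thread, ThatOne's point that a hypervisor suddenly appearing on a workstation is itself the tell, and the "maintain a register of installed software and audit it regularly" item just above, can be turned into a small scheduled check. The script below is an added example and not code from any commenter; it uses only built-in cmdlets, the baseline path is an assumed location to replace with your own, and the hypervisor name patterns are a constructed starting list rather than anything the article or thread provides.

```powershell
# Added example: software register with baseline diff, flagging new hypervisors.
$BaselinePath = 'C:\ProgramData\SoftwareAudit\baseline.json'   # assumed location
$HypervisorPattern = 'VirtualBox|VMware|QEMU|Hyper-V|Parallels'  # constructed list

function Get-InstalledSoftware {
    # The Uninstall keys are what "Programs and Features" reads; they cover
    # per-user installs too, unlike Win32_Product, and are far faster to query.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate
                Scope       = if ($_.PSPath -match 'HKEY_CURRENT_USER') { 'User' } else { 'Machine' }
            }
        }
}

function Save-SoftwareBaseline {
    # Run once on a machine you trust; this is the register you audit against.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    Get-InstalledSoftware | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
}

function Compare-SoftwareBaseline {
    # Returns entries present now but not in the baseline; hypervisors are flagged.
    if (-not (Test-Path $BaselinePath)) {
        throw "No baseline at $BaselinePath; run Save-SoftwareBaseline first"
    }
    $baseline = @(Get-Content $BaselinePath -Raw | ConvertFrom-Json)
    $current  = @(Get-InstalledSoftware)
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name, Version -PassThru |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                Version   = $_.Version
                Publisher = $_.Publisher
                Scope     = $_.Scope
                Flag      = if ($_.Name -match $HypervisorPattern) { 'HYPERVISOR' } else { '' }
            }
        }
}

function Get-RunningHypervisors {
    # A hypervisor that was copied in rather than installed leaves no Uninstall
    # entry, but it still has to run: check processes and loaded kernel drivers.
    $procs = Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match 'VBox|VirtualBox|vmware|qemu' } |
        Select-Object Id, ProcessName, Path
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -match 'VBoxDrv|VBoxSup|vmx86|vmnet' -and $_.State -eq 'Running' } |
        Select-Object Name, PathName, State
    [pscustomobject]@{ Processes = @($procs); Drivers = @($drivers) }
}

# First run on a clean build:   Save-SoftwareBaseline
# Scheduled afterwards:         Compare-SoftwareBaseline | Where-Object Flag -eq 'HYPERVISOR'
#                               Get-RunningHypervisors
```

Feed the output into whatever alerting you already have; the point is that an unexpected hypervisor package or `VBoxDrv`-style driver on an ordinary workstation is a cheap, high-signal indicator, which is exactly the weakness ThatOne describes in the 280 MB approach.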
Tuesday 26th May 2020 07:24 GMT Sanguma
well, well, well
three holes in the ground. With water at the bottom and rain coming down.
I'm thinking that it should be possible to roll this back the way that enterprising developer did with that phone call scammer chappie. Now they've been so kind as to give us some hints as to where their whereabouts are, or at least their hardware assets are, shurly one could track it down and - turnabout is fair play.
What do people think? Is it possible to infect the ransomware chappies with ransomware?
Tuesday 26th May 2020 09:06 GMT Julian 8
Wonder if it would work on an existing vbox installation ?
Stopping apps from running from %appdata% may be useful in this respect, though that on its own is a nightmare (being the family IT guy and trying to convince them all not to be admins and then stopping crap apps from installing and running from %appdata% anyway - even MS kills me on this and a non-domain setup does not make this easy to work).
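The "%appdata% block" above is usually done with AppLocker, and the safe way to start is in audit mode so the "crap apps that install there anyway" show up in the event log before anything is actually blocked. The policy and helper below are an added example, not from the commenter or from Microsoft's default rule set; they assume an edition with AppLocker (Enterprise/Education or Server) and a local, non-domain machine, and the rule GUIDs are generated on the spot rather than taken from any real deployment.

```powershell
# Added example: AppLocker policy denying EXEs launched from per-user AppData,
# deployed in AuditOnly mode first. Requires the Application Identity service.

$PolicyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows" Description="Baseline allow" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description="Baseline allow" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Administrators" Description="Admins keep working" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Deny AppData" Description="No executables from user profiles' AppData" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

function Save-AppDataPolicy {
    # Writes the policy XML to a temp file and returns its path.
    $path = Join-Path $env:TEMP 'appdata-deny-policy.xml'
    Set-Content -Path $path -Value $PolicyXml -Encoding UTF8
    $path
}

function Test-AppDataPolicy {
    # Dry run: what would the policy decide for EXEs already sitting in AppData?
    $policy = Save-AppDataPolicy
    Get-ChildItem -Path $env:LOCALAPPDATA, $env:APPDATA -Recurse -Include *.exe -ErrorAction SilentlyContinue |
        Select-Object -First 50 -ExpandProperty FullName |
        Test-AppLockerPolicy -XmlPolicy $policy -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Install-AppDataPolicy {
    # Apply locally (no -Ldap means the local GPO) and make sure AppIDSvc runs;
    # sc.exe is used because the service is protected against Set-Service on newer builds.
    $policy = Save-AppDataPolicy
    Set-AppLockerPolicy -XmlPolicy $policy -Merge
    & sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
}

function Get-AppDataAuditHits {
    # After a week in AuditOnly: everything that would have been blocked.
    Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited |
        Select-Object -ExpandProperty Path -Unique
}

# Test-AppDataPolicy        # review decisions before touching the machine
# Install-AppDataPolicy     # audit mode only, nothing is blocked yet
# Get-AppDataAuditHits      # then add allow rules (publisher rules, ideally) for what must stay
# Finally change EnforcementMode="AuditOnly" to "Enabled" and reinstall.
```

Once a collection has any rules, AppLocker blocks everything that is not explicitly allowed, which is why the baseline allow rules are in there; an explicit Deny always wins over an Allow, so the AppData rule still catches anything a legitimate-looking installer drops into a user profile. On Home/Pro editions without AppLocker the same path pattern can be used in a Software Restriction Policy, which is cruder but gets you the same audit-then-block cycle.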
Wednesday 27th May 2020 15:02 GMT Scalefusion MDM
Cyber threats and security risks have evolved to another level and this is increasing as a grave concern to businesses. Enterprise mobility is one more important factor, that is very much adding up the risks for businesses, as because with enterprises deploying thousands of mobile device fleets to workforces, the devices become as vulnerable points for increasing security threats for businesses. A mobile threat defence mechanism is essential to mitigate such risks.