Hopefully, Ransomware will reach everyone
It’s Good Friday, it’s been raining all day long, I’m a bit dizzy and certainly pissed off by this Windows thing.
This laptop is overly modest with regards to the CPU, and this bloody Windows 10 seems to have been designed for SSD, not for HDD. As a result, I just don’t want a security solution that would add to the burden of the OS. With 20 tabs open in either of Firefox or Chrome, and a few more things, gone are almost 3 GB of RAM, and playing a video–not in Flash!–can occasionally kill the CPU too. I never tried the NoScript extension, but I imagine most websites would simply show almost nothing–go figure, nowadays CSS is not enough, they need JS to “skin” the contents.
Frankly, Windows Defender in Windows 10 includes MSE, and it’s reasonably good once again. After it has been considered by various “malware specialists” as only catching about 78% of the prevalent malware, it got noticeably better lately. Well, even if it had 88% or 94%, is this enough?
My problem is not with classical malware–viruses, trojans, adware, whatnot. I know not to click blindly on links or files, and with an allegedly patched system, the risk of a side-download that would execute by itself, or of a crafted SWF, PDF, etc. that would exploit a vulnerability is, well, minimal.
What I fear is ransomware, such as the CryptoLocker family. You see, I’ve never really been infected by anything, but should I catch a ransomware… kaboom! All the documents encrypted and unusable. Moreover, some of the people who got that unlucky managed to screw at the same time their Cloud-saved copies of the local files–OneDrive, GDrive, the like. So the idea of a backup in the Cloud is not necessarily fail-safe if the sync is permanently enabled.
Ransomware has been lately spreading through Microsoft Office macros, usually Word macros–but I expect PowerPoint and Excel to be equally vulnerable. Who was that moron who decided, decades ago, that a document must be able to have executable parts in it? Not only that guy has screwed the planet forever, but he also created the huge mass of captive users who need to use Microsoft Office for its macros (that can’t run in LibreOffice and the like).
A problem with obfuscated macros in Office documents is that many AV products (let’s call them this way) can’t be bothered to detect them. The same products also couldn’t care less of another plague invented by some mentally retarded from Microsoft: VBS (Windows Script Host scripts), which can also be obfuscated, and Microsoft even created an obfuscation tool (“to help protect intellectual property”), but not an unobfuscation counterpart. Third-party unobfuscation tools exist, but the unobfuscation is only partial: just like with obfuscated JS, some of the code is actually created upon execution, to make a code analysis unpractical. Occasionally, a few products manage to detect some variants of the trojans that spread through obfuscated VBS, but the detection is unreliable.
Banning all Office macros and all VBS scripts would be the only sensible thing to do. (That, and declaring Adobe Flash as a major vulnerability…)
Before getting to AV product names, let’s mention a few other strengthening methods.
I can’t use Microsoft’s mitigation toolkit, called EMET, because I have a number of apps that crash because of it, and I don’t have the motivation to fiddle with it until everything’s right.
AppLocker is a killer, which means I couldn’t waste my time to configure each and every program I want to allow. That’s for corporate environments, where most PCs are likely to have a very few authorized programs–mostly Office and browsers, plus some in-house tools, if any.
Software Restriction Policies are a great idea… except that they’re a PITA to create and, being about Local Computer Policies, not Group Policies, the Local Group Policy Editor (gpedit.msc) doesn’t let you export or import them. This being said, I’m not entirely sure that using the Group Policy Management Console (gpmc.msc) is much more practical than editing local policies. Microsoft’s administrative tools are a collection of crap meant to create a market for the expensive and useless certifications where people learn to create a rule in 200 clicks, because there’s no way to just write a few lines of text for that. So a home computer, not being part of an Active Directory, is more prone to malware attacks because it’s more difficult to edit its security policies!
And still, SRS are an important tool in fighting ransomware and some of the zero-day malware. Take a look at this article on Cryptolocker virus protection (also here). It lists a basic number of folders where normally there shouldn’t be any legitimate binary, yet ransomware just loves to get there–because it’s within the rights of a regular user account–and to run from there while encrypting a user’s documents!
The list is very far from being comprehensive. Similar lists have been posted in other places, e.g. by Bitdefender here and here, especially as the Cryptowall vaccine has been discontinued. Those lists are pathetically unstructured and even full of errors. Either way, when you read such lists, make sure you remember that system paths can be written in more than one way: %userprofile% is the same as C:\Users\%username%\; %AppData% means C:\Users\%username%\Appdata\Roaming\; %LocalAppData% equals C:\Users\%username%\Appdata\Local\; and don’t forget that %LocalAppData%\*\*.exe also includes %temp%\*.exe.
I once tried to create my own set of SRS rules by hand, but it’s difficult to create them in the Local Group Policy Editor. I gave up after creating a dozen: I hate to click, and click, and click… I examined Stefan Kanthak’s NT6_SAFER.INF as a way to insert SRS rules into the Registry: ugly, unpractical to edit.
There is a free fix to that, albeit I kind of hate it: CryptoPrevent, by Foolish IT. The free edition is quite enough, there is no need to pay to get automatic updates–it’s not an antivirus, dammit! The rules change only once in a while.
What does CryptoPrevent do? It writes 350+ group policy object rules into the registry in order to prevent executables in specific locations from running. It also blocks some double-extension binaries.
The problem with CryptoPrevent is that it doesn’t fully and properly implement these Software Restrictions Policies. It artificially implants them in a single place in Registry (under HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths), which makes them run, but without showing up in the Local Group Policy Editor! Extremely inconvenient (to show up, they should have been inserted in a few other places too). One cannot disable them selectively, but only through CryptoPrevent’s GUI, in a non-transparent way.
In my case, I got about 380 rules of a few kinds:
- ca 200 rules to block double extensions such as *.docx*.cmd, *.bmp*.js, *.mp3*.pif, etc.
- ca 150 rules to block *.bat, *.cmd, *.com, *.exe, *.js, *.jse, *.pif, *.scr files from running in folders and subfolders of %AppData%, %LocalAppData%, %userprofile%, %programdata%, %allusersprofile% and the like, plus the Recycle Bin, the Start Menu, C:\Users\.
- a few dozens of rules to block the execution of the genuine vssadmin.exe and of whatever calls itself by any of the names of svchost.exe, bcdedit.exe, cipher.exe, lsassvrtdbks.exe, lsassw86s.exe, scsvserv.exe, syskey.exe (genuine or fake).
A bit of overkill, right? Still, a mostly complete solution, as it has two other important features: an option to automatically create rules to authorize any legitimate program that already exists in such locations (so I don’t need to manually whitelist e.g. %LocalAppData%\RadioSure\RadioSure.exe, %LocalAppData%\atom\*.exe, %LocalAppData%\atom\*\atom.exe and %LocalAppData%\Sublime Text 3\Update\*.exe); and a long list of hashes of binaries that are to be authorized regardless of their location.
I’ll think again about using this tool. I don’t like so many rules… aren’t they slowing down my modestly-specced system?
Going to more elaborate anti-ransomware tools, I would advise you against Malwarebytes Anti-Ransomware. Beta or not, it’s more than pathetic! Its heuristic and/or HIPS rules are so dumb that it flagged perfectly fine software as ransomware and it deleted it without asking and without quarantining! Such a piece of crap…
A good one is however HitmanPro.Alert “with Cryptoguard”–it’s effective, but it costs $24.95/year. Too much.
As I’m monitoring some malware forums and sites, I noticed however that some AV products seem to be quite responsive when a brand-new ransomware hits the fan. Sometimes, the Cloud component of products like Avira (free) or Kapsersky (paid) manage to block zero-day malware of the crypto-ransom-shit kind. Most AV solutions are usually rather slow to react, and they need something like 12+ hours to get signatures of the new ransomware.
Speaking of “classical” AV products, I long stopped believing in “the three A”: Avira, AVG, Avast. Let’s say that, should I need to use one of them, I’d still choose Avira for it’s still the lightest of all three, and with good detection rates, but none of the three is to be trusted (and I’m not even mentioning the scandal with AVG admitting to pass user data to third parties); also, the GUI is horrendously unpractical in all of them.
A few things I hate with most AV solutions:
- When they give the same generic names to both über-dangerous ransomware and keygens or other false positives: how can one know it’s about tough malware when the detection says Win32:Malware-gen (Avast), Generic Suspicious or Trj/CI.A (Panda), Trojan.Generic.15195360 or Trojan.GenericKD.3087083 (Bitdefender)? For the very same pieces of malware, other products are giving really relevant names!
- When an AV, upon detecting of a malware that has just been downloaded or extracted from an archive, instead of just deleting it on the spot, plays one of the following games: (a) it wants to delete the file after a reboot; (b) it deletes the file, but then it performs a “quick scan” that can’t be stopped; (c) it deletes the file, but then it needs anything from 10 seconds to 2 minutes to “search the system for possible traces”; (d) it “analyzes the system” for possible damage BEFORE deleting the infected files, so that they are still available for 10 seconds or more! Any such case is making me crazy. I understand that for some malware there are patterns to look for in the Registry or on the disk but, for goodness’ sake, what’s so bloody difficult to delete the identified malware file FIRST? If the file cannot be deleted, then yes, a reboot is necessary. If other traces have been found, other actions might be required. Such products however don’t even try to delete the respective files prior to applying the other “recipes” they know about! Many products play the (a) game, including Windows Defender, Avira, Avast, COMODO, Webroot, etc. Game (b) is played by Avira, Webroot and others. Game (c) is played by any product that takes too much time to delete a few files, but Windows Defender, Avast, AVG and Kaspersky are among them. And (d) is something I encountered e.g. with Kaspersky and with 360 Total Security.
- When an AV that has been instructed to ask before taking any action, still quarantines or deletes some detected files, even when they’re false positives. (Panda, anyone?)
- When an AV that has been instructed to ask before taking any action doesn’t have an easy way to add an ignored detection to the list of exclusions. Products that make adding exceptions easy right when a FP has been detected include Kaspersky, Emsisoft, 360 TS/TSE, and to some extent Avira and AVG.
- When an AV that has been instructed not to perform any scan when the computer seems idle, still does it when it feels like.
- When an AV (or IS, whatever) blocks a URL simply because it’s listed in an (often outdated) directory of “rotten URLs” instead of blocking it because it has scanned the contents of the page and it has found actual malware!
Getting over the last-resort solution that is Avira Free (which, by the way, should be downloaded from here, so that to avoid downloading the useless Avira Launcher–use the last link; and change the language in the URL if needed: “de” and “fr” can replace “en”), what’s reasonably good out there?
On the commercial side, the last months made me appreciate Kaspersky–too bad it’s a little too heavy for this hardware. For the price of a single-DVD CHIP edition (5.40 €) I got a 12-month (6+6, as it needs a reactivation) license of Kaspersky Total Security 2015 (labeled “CHIP Edition”). It’s a good one, however KIS and KTS have y design the annoying feature of announcing you each and every time they classify a program as trustworthy.
I’d rather recommend the simpler Kaspersky Anti-Virus: it’s less annoying, and it still filters your Web traffic and your e-mails! I was impressed by KAV 2016, and the French edition has a 3-month trial period! Kaspersky tends to flag all Office documents with obfuscated macros; it also dislikes obfuscated JS when referenced in Web pages. Pretty solid. Note that filtering Firefox is a bit lighter than the filtering of Chrome, for which KAV inserts in each received HTML page a JS that contacts Kaspersky’s servers.
The HIPS or behavioral features of Kaspersky are quite solid too. I don’t know how they compare to Emsisoft’s, or whether whether they include the equivalent of some Software Restriction Policies, but they’re not bad.
I’ve also tried KAV 126.96.36.199 Technical Preview (3-month trial too) and found no visible bugs, so the 2017 edition should be equally good. Still, a bit heavy for this system.
On the free side, I’m struggling with, and torn between Qihoo’s 360 TS and 360 TSE. This deserves a longer discussion.
As much as I don’t trust the Chinese, 360 has a few advantages: it’s light, it includes HIPS (something that Avira lacks), it has pretty good detection rates with its own engines (360 QVMII AI Engine and 360 Cloud Scan Engine), and it can also use signatures from Avira and Bitdefender. Note that Avira’s Cloud detections and some of Bitdefender’s technologies are not licensed–only the signatures.
There are a few problems though. At first, 360 TSE didn’t let me use Avira and/or Bitdefender for the active protection, but only for the on-demand scan. The current version seems to perform just like the “full” 360 TS, namely third-party engines can also be used for the on-access protection. This seemed to be good news, because I simply hate the TS and its unrequired abilities to clean and speed up the system, etc. I just want an AV with HIPS and sandbox (just in case), something that TSE just has.
360 TSE version 188.8.131.521 has a peculiar bug though, something not present in the full 360 TS version 184.108.40.2060: either its Cloud engine doesn’t work at all, or it chooses to skip some types of files, namely the obfuscated VBS (virus.vbs.runner.i) and the Office documents with obfuscated macros (virus.office.obfuscated.1). For instance, I had to uninstall TSE and reinstall TS to get this detection:
Unless they fix the smaller TSE, I’m stuck with the full TS if I need full detection of everything.
A second note: when enabling any of Avira or Bitdefender (or both) for the active protection, 360 gets fat (e.g. from 18 MB of RAM to almost 300 MB!) and slower. So when I’m considering 360 TS/TSE, it’s for the Chinese engines, not for the extra ones!
Either way, it’s important to know that 360 TS/TSE first uses 360 QVMII and 360 Cloud Scan and refers to Avira and Bitdefender if and only if its own engines don’t trigger any detection! Once a malware is detected “the Chinese way,” it’s labeled accordingly, even if this means HEUR/QVM05.1.Malware.Gen, HEUR/QVM19.1.Malware.Gen or HEUR/QVM41.2.Malware.Gen, and even if Avira could have had a more relevant name!
Fortunately enough, and against my expectations, the number of FP is minimal–some people might not encounter a single FP! Yes, it’s what I hate the most–generic detection names–but it’s pretty reliable. If 360 QVMII and 360 Cloud Scan detected everything I’ve thrown at, why bother with adding Avira and Bitdefender? (Oh, for the last-minute ransomware that Avira’s and Bitdefender’s signatures might also miss, unless used in a genuine Avira product that includes a further Cloud detection, or a genuine Bitdefender product that includes specific HIPS rules and further protection rules?) Not to mention that using 3 engines only increases the number of false positives…
Let’s say I choose the lightweight and free side–360 TS/TSE, with or without CryptoPrevent added. What is it that I’d still miss in terms of protection?
As I have determined at some point in the past, there is no reliable protection against keyloggers and loggers of any other type–spyware that captures the webcam, the microphone, the clipboard, or that takes screenshots. Don’t believe the claims made by the security vendors: they cannot reliable protect against *loggers, especially not on 64-bit Windows 10, and especially as the stupid Microsoft made API hijacking so easy by design! Just test for yourself and see your security solution fail.
Zemana AntiLogger Free is the only free solution effective against keyloggers–but nothing more. Premium is $29.99 a year–wow. The other working product is SpyShelter Premium (23.95 €)–the free edition only works on 32-bit systems, where it only protects against keyloggers anyway. Too much to pay for security, eh? How many products from different vendors should one use?
What did I fail to consider? As products, Panda and COMODO should be avoided: they don’t protect you much. Nano Antivirus Free [EDIT: link removed] is a bit heavy and lacks HIPS, without offering much more than Microsoft’s built-in WD. Sandboxie? No, thanks, my browsers tend to crash even without running in a sandbox!
I also gave up using famous tools such as AdwCleaner, RogueKiller and JRT. They flag and delete startup entries and browser extensions that are 100% legitimate. Just because their developers never heard of a particular commercial software doesn’t make it malware.
I’m a more than exasperated by the crappiness of everything in the Windows security department. And not only Windows…
Should you want to scan Android APKs on Windows, most AV solutions are mediocre: they either miss a lot of adware, or they raise an unacceptable number of FP. What’s worse, the way a vendor’s AV performs under Windows is not an indication of how its Android product performs–and vice versa.
As always, and despite VT’s insistence that it’s not a comparative AV tool, uploading files to VirusTotal is the right thing to do when in doubt. There one can compare the detection names, which sometimes can make the whole difference. Or maybe to Jotti (it’s easier using JottiQ), but Jotti doesn’t reanalyze a file when it’s reuploaded, so you’re stuck with obsolete detections.
I’m so very much sick of this. A correct security model would probably use containers and isolate storage–the way they’re implemented in iOS and Windows Phone. Once an app cannot access another’s app data or system areas, there’s little harm to be done. Still, the necessity to access shared documents is a liability and should be carefully designed. iOS seems to have blocked since 8.3 even the access to “sandboxed” (read-only) data belonging to other apps, so that only File Sharing-enabled apps can export data to other apps. Note that a document should belong to an app, not to a user account!
But iOS is out of question for me. I don’t own any kind of tablet and I make a clear distinction between what I do on a smartphone (that would be Android for various reasons, despite the lame security record) and what I do on a laptop. So here I am with this bloody Windows 10.
What prevents me from going full-speed into the Linux realm (Manjaro Cinnamon? Ubuntu MATE?) is the dependence upon a few apps that are Windows-only or whose Windows versions are better. When a piece of software has its own bugs on its native platform, why would you run it under WINE? To make it crash? To make it show even more bugs? To make it run much slower? By the way, not every Windows program can run under WINE…
Dammit, I’m going to do something more meaningful–I’m going to create a Goodreads account. This way, I’ll have a chance to remember what I’ve read in the last couple of years. Have you noticed how reading e-books makes it much easier to completely forgot what you’ve read than reading on paper?
As I wrote in the title, hopefully ransomware will reach everyone. Should this happen, people will realize there’s much more life outside this horrendous web of computers…
OK, let’s forget about HitmanPro.Alert and Malwarebytes Anti-Ransomware. Learn about a new kind of ransomware, Petya, that also encrypts your Master Boot Record:
And here’s how the aforementioned anti-ransomware solutions fail lamentably, while WinAntiRansom blocks it:
WinAntiRansom ($29.95 lifetime license, coupons: bobsfriends for 50% off, Take20Now for 20% off; VAT to be added in the EU) is by the guys behind WinPatrol:
Oh, the funny thing is that Petya seems to be aiming at the HR departments of German companies:
WinAntiRansom is however not such a convenient solution: it works by forbidding everything, unless you specifically allow each and every program you trust. However, unlike e.g. VoodooShield, WinAntiRansom allows A MORE granular editing of permissions–what kind of resources can a binary access.
On the other hand, I suppose VoodooShield can be defeated if a previously authorized binary suffers from a code injection or is compromised in a way that doesn’t trigger a new analysis.
I won’t be using any such program. They’re ugly and impractical. And there is no such thing as security in the IT world anyway.
Hi, you beat me to mentioning WinAntiRansom.
But, you are incorrect in stating that it blocks everything unless you specifically allow each and every program you trust. Their site talks about an artificial intelligence engine that that watches programs, I think allowing programs just gets them left alone.
I am running it and do not have all programs allowed and so far so good. When I installed it, it found over 300 programs on my computer and automatically set them to allowed, so it was pretty easy use right from the start. Best thing is, I can’t even tell it is running other than when it blocks something.
Well, you’re right–in the meantime, I’ve tried WinAntiRansom myself, but I didn’t like it.
They’re still very misleading. When they criticize CryptoPrevent for using “old-fashioned hash detections,” they fail to mention what is WinAntiRansom using in order to whitelist the programs that are already installed on a system!
Either way, as it happens to me each and every time I evaluate security products in the attempt to enhance the safety of my Windows and to mitigate the risks, I got pissed off by each and every “add-on,” so I’m now only using a “plain anti-virus.”
What’s worse is that Qihoo’s bugs also annoyed me to the point that I uninstalled their Total Security. At times, while creating an empty file (e.g. right-click, New, Text Document), 360 TS was delaying it by 2-3 seconds right after I pressed ENTER to acknowledge the file name; disabling and re-enabling the active protection usually fixed this… for a while.
I’m back to the French edition of KAV 2016. To my surprise, instead of counting down the trial days from where the previous installation was left, the new install gave me 91 days anew. OK, I’ve previously cleaned all traces of Kaspersky (disk, Registry) and I’m not using an account with them, but I wonder why aren’t they storing on their servers some kind of a signature of this computer…
I guess I’ll stick to a “decent protection” instead of a “super-secure configuration” that includes several security products.