The End of My Search for What Can’t Be Found
More than once a year I end up changing my antivirus-cum-antimalware solution. This is because all of them suck, yet I need protection. With the ransomware epidemic of 2015-2016, this need is even more obvious.
Truth be told, I never really got infected, but should a ransomware infection happen, it might prove catastrophic, given that sometimes it takes me months before I make backup copies of everything that’s valuable. Most malware infections can be mitigated, but ransomware is a different kind of beast.
And the way Microsoft has designed its fucked-up operating system, ransomware is merely a disaster waiting to happen:
- Windows is designed to allow the execution of binaries from paths such as %temp%, %AppData%, %LocalAppData%, %userprofile%, %programdata%, %allusersprofile%, and everywhere else.
- Windows is designed to execute stupid Office macros that can “do things” not to the document itself, but to the system.
This being said, signature-based malware detection is futile. There are days when I receive e-mails with zipped 0-day ransomware scripts more than once a day–but there are also days of total silence.
The funny thing is that both Kaspersky and ESET (with any of their security solutions, even the “simple” antivirus product) would block such a zipped script, but not because they recognize its malevolence: it’s just a general policy of not allowing such attachments. Should I unblock the attachment and unzip the script, in most cases I’d notice that the respective ransomware variant is not yet recognized, but it would become so within the next 48 h. So 0-day protection can only be obtained by blocking everything?!
The Chinese Qihoo 360 Total Security has been criticized in the past because the heuristic of its own QVM II engine had the tendency to block almost all obfuscated scripts and macros. In my view, all obfuscated scripts should be blocked by all the major security vendors until a reliable way of signing such scripts is developed. But nobody asked me.
In fact, I disabled Windows Script Host on my laptop, and so far I haven’t needed to re-enable it for a legitimate script to run. For disabling and re-enabling WSH I have two tiny .reg files. The first one disables WSH:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"="0"

The second one re-enables it:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"="1"
At the same time, this is not much: I can still get ransomware, I guess.
After some time with Kaspersky Total Security 15, Kaspersky Anti-Virus 16, ESET Smart Security 9, ESET NOD32 Anti-Virus 10 Beta, and Kaspersky Anti-Virus 17 (I managed to get 3-month French trials of KAV), I got sick of them. Why is that?
Because I get really pissed off when such a security product–quite reliable otherwise–blocks a file not because it has scanned it, but because it sits on a website that happens to be blacklisted, especially as such a site is only one of so many sites that might host malicious files, while most of the files it hosts are not malicious. Also, because I don’t want to let anyone interfere with my browser’s traffic–nowadays a browser tends to crash anyway when too many tabs are open and some JS manages to screw it up, so I don’t need to make my browser even more unstable than it already is.
More than one month ago, I made an experiment. I got an e-mail containing a ZIP that included an obfuscated JS which downloads a version of Locky. It doesn’t matter that the EXE to be downloaded can’t be downloaded anymore; what matters is that the JS is rotten and it tries to do things it shouldn’t be allowed to do, such as using hundreds of lines to obfuscate some URLs and various operations, and also this kind of stuff:
var SomeStupidName = new ActiveXObject("Scripting.FileSystemObject");
var SomeOtherStupidName = new ActiveXObject("WScript.Shell");
I uploaded the JS to VirusTotal. Initially, 3 obscure antiviruses flagged it as suspicious. Some 20 hours later, 25 products flagged it, including Kaspersky, Bitdefender and ESET. One more day later, 30 products were flagging it, this time even Microsoft and Qihoo-360’s own engine (not Bitdefender/Avira) knowing of it.
Then I edited the file, renamed the variables and re-uploaded the JS to see how smart those security products’ signatures are. Upfront, only 18 products flagged it! The useless security solutions that failed to recognize the JS after the variable names were changed included AVG, Avast, Avira, ESET, Microsoft, Qihoo 360 (own signatures only), Sophos and more.
I repeated the experiment with several other ransomware downloaders over a couple of weeks. What I noticed–to my surprise!–is that the only security solution that learned to adapt to new malware strains was… Qihoo 360! Without going back to its old habit of blocking everything, it adapted its obfuscated-scripts heuristic to cover minor changes, so that sometimes it offered 0-day protection while others didn’t! In the case of the tested files, the improved detections of virus.vbs.runner.i and virus.office.obfuscated.1 were made in the cloud, not locally, so maybe they were still signature-based, but I also noticed some fine-tuning in their HEUR-something detections.
Then, of course, there’s the behavior-based protection–let’s call it HIPS for simplicity. Fighting ransomware can’t be done with “standard” behavior-based protection, unless you can afford a limited number of encrypted files that can’t be recovered. Qihoo’s HIPS covers code injection and several other mechanisms quite well, and once those are blocked, a ransomware is incapacitated.
I simply hate the Chinese antivirus Android apps, but on Windows I often come back to Qihoo 360 TS or TSE (usually with added Bitdefender signatures), precisely for its HIPS capabilities in a free and lightweight product.
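Why a plain variable rename knocked 12 products off the detection list, and what a heuristic that survives such a rename looks like, as an added Python example (mine, not the post’s and not any vendor’s engine; the two scripts are constructed to mimic only the shape of the downloader, with no payload, and the indicator weights are hypothetical): the raw hash changes with every rename, while a canonical form with identifiers collapsed, and a score based on the objects the script instantiates, do not.

```python
import hashlib
import re

# Constructed samples (not the real Locky downloader): they reproduce only the
# shape the post describes, i.e. ActiveX object creation plus string splicing.
SAMPLE_ORIGINAL = '''
var SomeStupidName = new ActiveXObject("Scripting.FileSystemObject");
var SomeOtherStupidName = new ActiveXObject("WScript.Shell");
var Cmd = "W" + "Scr" + "ipt";
SomeOtherStupidName.Echo(Cmd);
'''
# The same script after the post's second step: only variable names changed.
SAMPLE_RENAMED = '''
var a1 = new ActiveXObject("Scripting.FileSystemObject");
var b2 = new ActiveXObject("WScript.Shell");
var c3 = "W" + "Scr" + "ipt";
b2.Echo(c3);
'''
# Identifiers kept verbatim; every other identifier collapses to a placeholder,
# so renaming variables or functions cannot change the canonical form.
KEEP = {"var", "new", "function", "return", "if", "else", "for", "while",
        "this", "true", "false", "null", "ActiveXObject", "eval", "WScript"}
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[A-Za-z_$][\w$]*|\S')
# Weighted indicators of what the script can do (hypothetical weights).
INDICATORS = {
    r'ActiveXObject\(\s*"WScript\.Shell"\s*\)': 3,
    r'ActiveXObject\(\s*"Scripting\.FileSystemObject"\s*\)': 2,
    r'\beval\s*\(': 2,
}
SUSPICIOUS_AT = 5

def raw_signature(src: str) -> str:
    """Naive signature: hash of the bytes as received. Any rename breaks it."""
    return hashlib.sha256(src.encode()).hexdigest()

def canonical_signature(src: str) -> str:
    """Hash of the script with user-chosen identifiers collapsed to ID."""
    toks = [t if (t in KEEP or not re.match(r'[A-Za-z_$]', t)) else "ID"
            for t in TOKEN.findall(src)]
    return hashlib.sha256(" ".join(toks).encode()).hexdigest()

def heuristic_score(src: str) -> int:
    """Score from dangerous objects plus string splicing ("a" + "b")."""
    score = sum(w for pat, w in INDICATORS.items() if re.search(pat, src))
    splices = len(re.findall(r'"\s*\+\s*"', src))
    return score + min(splices, 5)

def is_suspicious(src: str) -> bool:
    return heuristic_score(src) >= SUSPICIOUS_AT
```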
What about the various anti-ransomware software solutions, one might ask. Well, let’s count some:
- HitmanPro.Alert is commercial, and it’s not as invincible as it claims to be.
- Malwarebytes Anti-Ransomware is a piece of shit that blocked and deleted legitimate software on my laptop.
- Bitdefender Anti-Ransomware is useless; it mostly works by blocking execution from some locations.
- RansomFree by Cybereason is a new piece of useless crap that starts from the assumption that the writers of ransomware are a bunch of morons: “RansomFree starts by creating randomly-named folders on the infected system, which will act as honeypots. These folders are named with characters including ~ and !, as they are low on the ASCII table, and will be the first ones to be encrypted by the ransomware.” No, it doesn’t necessarily work this way.
- Kaspersky Anti-Ransomware Tool for Business is free and I tended to trust it, but it’s actually a sort of fraud.
Here are some videos I want you to watch. They all belong to a chick from NYC who goes by the handle cruelsister on MalwareTips, the same cruelsister on WildersSecurity, and cruelsister1 on YouTube. They’re all about testing against 0-day ransomware:
- Malwarebytes Anti Ransomware
- ESET SmartSecurity
- Kaspersky AntiRansomware for Business beta Part 1 and Kaspersky AntiRansomware for Business beta Part 2
- RansomFree by Cybereason and RansomFree An addendum
- BitDefender Internet Security, BitDefender AV Plus, and BitDefender Free
- Avira Internet Security and Avira Free
- Avast Free and Avast CyberCapture
- Qihoo Total Security- An initial test and Qihoo Total Security- a Mechanistic Protection Test
Let me give you a quick summary of the 15 videos above: everyone failed–but Qihoo!
Now, how did Qihoo manage to protect against ransomware that passed signature-based detection? Elementary, dear Watson: it detected the attempts to perform code injection or to obtain specific kinds of unrestricted access! (By “mechanistic,” she means behavior-based or HIPS.)
Is Qihoo 360 Total Security or Total Security Essential the one fix to them all, the true panacea? Hell, no!
Because there’s also this video to watch: RanSim Ransomware Simulator. This is about a tool meant to simulate the actions of several kinds of ransomware (there are 10 tests in all), and Qihoo fails all ten tests! The only solution that detects RanSim’s attempts to “start doing things” is Comodo Firewall 10. Cruelsister’s preferred security setup is Qihoo 360 TS plus Comodo Firewall.
There are a few more things to be added. Firstly, RanSim doesn’t try to inject code; it just creates some files, encrypts them, and notices if anyone is preventing it from doing so. I’m not sure in which way it employs 10 different mechanisms specific to different ransomware types; it’s just not detected by Qihoo. Secondly, Comodo Firewall is meant to block (and ask about) everything unknown to it and, like all Comodo products, includes HIPS capabilities that are normally part of an antivirus, not of a firewall. Thirdly, everything Comodo is a pain in the ass to configure, and I gave up after a while–too many exceptions to add, too many things to unblock, even files to remove from the quarantine (WTF is this, Bitdefender?).
So in the end, unlike Cruelsister, I didn’t choose to use Comodo’s HIPS-enhanced firewall, but only Qihoo’s TS/TSE (I’m currently bothered that TSE is still at version 18.104.22.1680, while TS is at 22.214.171.1245).
As I said, I never got infected, so using such a protection is only for my peace of mind.
But indeed, Qihoo 360 is such an ugly thing!
HINT: Should you want to test RanSim, make sure the program itself isn’t blocked (this is the case, e.g., with Kaspersky). Add RanSim’s launcher.exe to the trusted files, so that you’ll be able to test your vulnerability to the supplementary binaries and scripts that RanSim creates and launches once it’s allowed to run.