Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HitmanPro.Alert CryptoGuard prevents files from being taken hostage


  • Please log in to reply
216 replies to this topic

#1 erikloman

erikloman

    Authorized SurfRight Rep


  • Members
  • 65 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:17 PM

Posted 06 November 2013 - 04:34 AM

Yesterday we released a new build of HitmanPro.Alert (free tool) which includes a universal solution against crypto ransomware like CryptoLocker, Dorifel (aka XDocCrypt) and others.
 
This new feature, called CryptoGuard, monitors the file system for suspicious file operations (CryptoGuard is a driver, installed by HitmanPro.Alert). When suspicious behavior is detected, the malicious code is blocked (write, delete, rename is revoked) and an Alert is presented to the user. So even while ransomware is active, it can't harm your files.
 
CryptoLocker-Alert.png
 
CryptoGuard works silently in the background at the file system level, keeping track of processes modifying your personal files. CryptoGuard works autonomously, so no user interaction is required.
 
Compared to CryptoPrevent
We've received several questions regarding how CryptoGuard compares to CryptoPrevent. In short, they are totally different. In fact, they can be used to complement each other.
 
CryptoPrevent is a tool that writes 200+ group policy object rules into the registry in order to prevent executables in specific locations from running. Typical locations set by CryptoPrevent are %appdata% and %localappdata%.
 
But malware is not restricted to the above locations. Malware runs as an exploit in your web browser, it can inject itself into running processes (e.g. explorer.exe, svchost.exe, etc.). Malware can copy itself to the desktop or startup folder on your start menu. And so on ...
 
This is where CryptoGuard differs from CryptoPrevent.
 
CryptoGuard doesn't look at where the ransomware is running, it looks at what it is doing to the file system.
 
More information
We've put up a page with more information on our new CryptoGuard feature in HitmanPro.Alert.
Note that HitmanPro.Alert is a separate tool. It is different from the HitmanPro anti-malware application.
http://www.hitmanpro.com/cryptoguard
 
Demonstration video

Lastly, a video says more than a thousand words:


BC AdBot (Login to Remove)

 


#2 ratbuddy

ratbuddy

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 06 November 2013 - 08:11 AM

Wondered when someone would get round to detecting this type of behavior. How much write overhead does the driver introduce?



#3 Joe_BubbA

Joe_BubbA

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 06 November 2013 - 08:54 AM

^^^ Ditto...



#4 lorisarvendu

lorisarvendu

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:09:17 PM

Posted 06 November 2013 - 08:58 AM

Up until now I've only heard of infection on a PC that is already part of a botnet, or from a compromised email.  Am I right that in this video the payload is delivered from a web page?



#5 itsMeRandy

itsMeRandy

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 06 November 2013 - 09:15 AM

let me know how "user" friendly it is. 



#6 SleepyDude

SleepyDude

  • Malware Response Team
  • 3,083 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portugal
  • Local time:09:17 PM

Posted 06 November 2013 - 09:16 AM

Up until now I've only heard of infection on a PC that is already part of a botnet, or from a compromised email.  Am I right that in this video the payload is delivered from a web page?

 

Well you can get infected by Zbot on pages with exploit kits for Java and/or Flash player and Zbot can download and install CryptoLocker.


• Please do not PM me asking for support. Post on the forums instead it will increases the chances of getting help for your problem by one of us.
• Posts in the Malware section that are not replied to within 4 days will be closed. PM me or a moderator to reactivate.
• Please post your final results, good or bad. We like to know! Thank you!

 
Proud graduate of GeekU and member of UNITE
___
Rui

 
 


#7 Joe_BubbA

Joe_BubbA

  • Members
  • 102 posts
  • OFFLINE
  •  
  • Local time:02:17 PM

Posted 06 November 2013 - 09:19 AM

Up until now I've only heard of infection on a PC that is already part of a botnet, or from a compromised email.  Am I right that in this video the payload is delivered from a web page?

Certainly appears that way... and it would seem to back up Ratbuddy's claims.  IIRC, he also visited a TV show download website when he got infected....

 

 

 

let me know how "user" friendly it is.

Seems to be running fine so far on my desktop and laptop....(FF).  Got a weird "1053 error" on my laptop, but after reboot all seems to be fine.  Am also running CryptoPrevent 4.0 (autoupdates) on both computers.


Edited by Joe_BubbA, 06 November 2013 - 09:22 AM.


#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,769 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:17 PM

Posted 06 November 2013 - 09:44 AM

Wondered when someone would get round to detecting this type of behavior.

Actually Emsisoft Anti-Malware has been detecting this behavior for a while now.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#9 Dusterman

Dusterman

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Denver, CO USA
  • Local time:01:17 PM

Posted 06 November 2013 - 10:08 AM

Please let me [ us ] know more about "your" program.
.
As it stands now ...... when I click your posted link it attempts to take me to another website.
.
So until I can find the time to research your info,

 

I will watch your progress from here.

. :thumbup2:



#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,769 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:17 PM

Posted 06 November 2013 - 10:25 AM

@ erikloman

I have moved this topic to a more appropriate area.

Also please read this: Announcement: Product Topics and how to create them
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#11 ratbuddy

ratbuddy

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:03:17 PM

Posted 06 November 2013 - 01:12 PM

 

Up until now I've only heard of infection on a PC that is already part of a botnet, or from a compromised email.  Am I right that in this video the payload is delivered from a web page?

Certainly appears that way... and it would seem to back up Ratbuddy's claims.  IIRC, he also visited a TV show download website when he got infected....

 

 

 

 

Nope, I didn't get infected. My mom's computer did, and I'm not sure where it came from. Well, I'm sure it came from her having Java 1.6 patch 11 or so installed, but I don't know what site infected the computer. She helpfully decided to clear the browser history and temporary files two days before the Cryptolocker message came up. She didn't have any email attachments, and she uses Gmail anyway, which I think blocks executable files.



#12 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:17 PM

Posted 06 November 2013 - 04:55 PM

Erik can you tell me more about Hitman.Alert and how CryptoGuard is part of it? Are they the same thing or is CryptoGuard a program under the Hitman.Alert umbrella?

#13 erikloman

erikloman

    Authorized SurfRight Rep

  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:17 PM

Posted 06 November 2013 - 05:21 PM

Erik can you tell me more about Hitman.Alert and how CryptoGuard is part of it? Are they the same thing or is CryptoGuard a program under the Hitman.Alert umbrella?

 

HitmanPro.Alert is our free tool (1.8MB) that alerts the user when banking malware has compromised their web browser.

 

We've added CryptoGuard as a feature to this tool/platform since Alert already provides an alerting mechanism to the end user. Technically, CryptoGuard is a filter driver that is installed by HitmanPro.Alert. For reference, Process Monitor (Sysinternals) also uses a filter driver to monitor file system events.

 

Past months we received an increasing number of reports of computers being infected with crypto ransomware while there was no real solution other than keeping your AVs up-to-date. We all know how good they work against zero-day attacks: it varies a lot.

 

We decided to take a different approach (blocking the right binaries is really hard) and came up with CryptoGuard. Instead of looking at the binary, look at what it is doing.

 

So yes, CryptoGuard is a feature under the HitmanPro.Alert umbrella.


Edited by erikloman, 06 November 2013 - 05:22 PM.


#14 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,640 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:17 PM

Posted 06 November 2013 - 05:59 PM

OK thanks. So if they install this software they not only gain the benefit of the cryptoguard but of the banking malware alerts?

#15 erikloman

erikloman

    Authorized SurfRight Rep

  • Topic Starter

  • Members
  • 65 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:17 PM

Posted 06 November 2013 - 06:09 PM

OK thanks. So if they install this software they not only gain the benefit of the cryptoguard but of the banking malware alerts?

 

Yes. Alert will warn immediately when it sees that critical web browser APIs (like cryptography and network APIs) have been compromised by banking malware like Zeus, SpyEye, Sinowal (aka Mebroot and Torpig), Citadel, Cridex, Carberp, Shylock, Tinba, etc.

 

In addition Alert vaccinates the computer by setting a few markers that some malware families look for when infecting a computer. With these markers the computer looks like a research computer and some malware families won't deploy. See also this article: https://community.rapid7.com/community/infosec/blog/2013/05/13/vaccinating-systems-against-vm-aware-malware

 

See this Alert settings dialog for a brief overview:

 

alert25-settings.png
 
More information on the browser Intruder detection can be found here:

Edited by erikloman, 06 November 2013 - 06:11 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users