DeppGaurd weakness!!

aamiraamir Posts: 11
in F-Secure SAFE

Hi

i agree that DeepGaurd is one of the best Behavior Blocker out there but,

it is so weak against scripts whose payloads are not a PE/exe file, in this cases DeepGuard can't stop the script

Specially against powershell, .vbs, Javascripts and etc (it fails against some .exe too)

If you don't plan to make it stronger, it can do nothing against new threats

in a test, a .vbs RANSOMWARE encrypted all the files and DeepGaurd did nothing

I can send you screenshots if you want

 

Like

Comments

  • aamiraamir Posts: 11

    DeepGaurd can be Bypassed this way easily!

    (test done by my friend in Malwaretips forum)

     

    one weakness I've found in F-Secure and other Behavior Blockers is that the most common way to escape the behavior blocker is by using a trusted (but not super well known) process to do your dirty work.

    If you use something too popular like Powershell or cmd.exe, behavior blockers are smart, especially thanks to AMSI. However, if you use something just mildly popular like a Node.JS runtime, a copy of Cygwin/MinGW, or in this case, 7-Zip, it seems to be blanket whitelisted by behavior blockers.

    This piece of fake "malware", which I'm calling TrojanZipperPOC, does this:

    1. Find a copy of 7-zip. It prefers "C:\Program Files\7-Zip\7z.exe", as long as you have installed a native copy of 7-zip (e.g. 64-bit on 64-bit Windows). Otherwise it uses a 7z.exe in your current folder, which I've bundled as simply a copy of my 7-zip folder on my development machine. Both copies of 7-zip are official shipping versions which means they're both signed as well as considered high-reputation by cloud lookup.
    2. Looks for "My Documents\test" (to restrict it from being ACTUAL ransomware), loops through every file in there.
    3. Runs "7z.exe a -tzip -pransom -sdel FOO.encrypted FOO" for each file you have. This puts it in a zip file with password "ransom" and instructs 7zip to delete the original file.

    All the files got encrypted even when Ransomware protection is enabled

    Conclusions:

    This is a really really trivial way of commandeering a known process to do your dirty work. It's not hard to trace the fact that 7z.exe was launched directly by an untrusted process, so I consider this to be a solvable vulnerability.

    It wouldn't be impossible to distance the untrusted process further from 7z.exe. For example, scheduled tasks or startup items, or using a process to launch a process, etc etc etc. So consider this a dumb "5 minute" approach (that's literally how long it took for me to write this) to replicate a in-the-wild ransomware strategy.
     
    Make DeepGaurd stronger...
    waiting for a response.
    Like
  • New_Kid_2020New_Kid_2020 Posts: 5

    I don't care how technical one wants to get, the fact remains that certain Ransomeware cannot be stopped. Yesterday one actually infiltrated a Kaspersky users system and locked in. The latest I read was it is unlikely to be decrypted because of its unique flavor.

     

    I keep all important files backed up and let nature take it's course. Then it's not so end of the world. 

    Jaims
    1Like
  • JaimsJaims Posts: 441 Moderator

    Hi @aamir

     

    Thank you for sharing your suggestions!
     
    From your very first post, our lab team opened an investigate on the 3 techniques that you have described and we are also looking at the known VBS Ransomware, evaluating our existing detections for it and improving on areas that we are still lacking on.
     
    However, please note that our product does not depend on Deepguard alone. No single solution is sufficient to block real-world threats. That is why we have multiple layers of protection - from checking the network, to file until behavior using local engines and cloud technologies.
     
    Thanks also for your valuable inputs with the 7-zip example. Those techniques are always considered in our detection iterations. However, we need to take into cognizance the legitimate use cases for this application. Aggressively blocking software with ransomware-like behavior without other checks will cause lots of false positives which will significantly impact the usability of our products. In addition, there are traces of the password used to archive the files which may be easily recovered by looking into event logs or reversing the malware itself.
     
    Provided below are our whitepapers about Deepguard and how it works with our other layers:
    https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163346/F-Secure_DeepGuard.pdf
    UkkoLakshaamirNew_Kid_2020
    4Like
  • aamiraamir Posts: 11
    Thank you James
    I understand that F-secure dosen't just rely on DeepGaurd and just wanted to inform you that DeepGaurd can be bypassed this way
    After all, I really appreciate that you didn't deny it (like other companies) and are working on improving DeepGaurd and other parts
    Like
This discussion has been closed.