Without going into the details
Wednesday, October 7, 2020
We never get tired of repeating the fact that all of an anti-virus’s components are important for system security. But users are confident that it’s enough to just have an anti-virus that scans files when they are being launched or downloaded. It supposedly scans everything worth checking. Unfortunately, hackers also know about this opinion and make sure that their bogus files contain no malicious code when they are being downloaded. The code is planted into them later. Sounds like magic? No, it's a payload construction technique. Here is an example.
Menlo Security published a review describing the HTML smuggling technique being used by attackers to bypass security solutions (including sandboxes).
First, let's explain this phenomenon in technical terms. Attackers use a binary JavaScript blob to bypass security solutions (they deliver the file to the endpoint via the browser). Once the user clicks on the link, there are multiple levels of redirection before the user lands on an HTML page. The landing page invokes a JavaScript onload handler that initializes the data for a blob object from a base64-encoded variable. The archive is transmitted as a data stream and therefore evades security checks. A ZIP file is dynamically constructed from the blob object with the MIME type “octet/stream”.
When invoked (a user visits the webpage), the JSCRIPT file performs the following actions:
- Downloads a ZIP file. The file has the extension .jpg, but it is a ZIP archive. The ZIP file is downloaded to the Public Documents folder, and two files are extracted from it: Avira.exe and rundll.exe. The Avira.exe file is renamed using a random name. The rundll.exe file is also renamed using a random name, and its filename extension is changed to .bmp.
The extracted Avira.exe file was digitally signed, and its size was 500MB.
And now, let's render this description in simpler words. A bitstream, rather than a file, is transmitted to the user's end. Actually, any file being downloaded is transmitted as a sequence of bytes. However, in this case security software can be circumvented because the file is smuggled in the guise of a data stream forwarded by a script. Once all the data has been transmitted, it is then converted into an archive from which the files are extracted.
Because of this, should one choose to examine the JavaScript file with a multi-engine scanner, they'll most probably end up with a reply stating that the file is malware-free. The malicious payload is only extracted during execution, and no multi-engine scanner ever launches the files they check (for more on the subject, we highly recommend that users also read this issue). As for this specific file, no user will even be able to upload it to a multi-engine website—because of its bloated 500 MB size, which matches the multi-engine scanners' file size limit.
Is it possible to expose such a trojan? Yes. Actually, it can be done while the data is being downloaded—if the anti-virus you're using can parse bitstreams and assemble them into files. But there's no guarantee of success: a ZIP archive can be password-protected, and no anti-virus will be able to extract data from it. However, anti-virus features that monitor running processes and applications can still save the day. For example, if an encryption ransomware trojan starts in a system, Dr.Web preventive protection will most probably detect it.
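To show what "assembling the bitstream into a file" means for the smuggling technique described above, here is an added example (not code from the article or from Menlo Security): it decodes every long base64 literal in an HTML page, checks whether the result is a ZIP archive or a PE file, and lists the archive entries, flagging password-protected ones whose contents cannot be inspected. The sample page and file names inside it are constructed for the demonstration.

```python
import base64
import io
import re
import zipfile

# Magic bytes of the containers a smuggled blob is likely to carry:
# a ZIP archive (as in the article) or a PE executable.
ZIP_MAGIC = b"PK\x03\x04"
MZ_MAGIC = b"MZ"

# Quoted base64 string literals of at least 64 characters inside script source.
BASE64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{64,}={0,2})['"]""")


def extract_smuggled_blobs(html):
    """Decode long base64 literals and report those that decode to a ZIP or
    a PE file, the way a scanner that reassembles the stream would."""
    findings = []
    for m in BASE64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue  # not real base64, skip it
        if data.startswith(ZIP_MAGIC):
            names, encrypted = [], False
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    names.append(info.filename)
                    # bit 0 of flag_bits marks a password-protected entry: its name
                    # is still visible, but its content cannot be extracted.
                    encrypted |= bool(info.flag_bits & 0x1)
            findings.append({"kind": "zip", "size": len(data),
                             "entries": names, "encrypted": encrypted})
        elif data.startswith(MZ_MAGIC):
            findings.append({"kind": "pe", "size": len(data)})
    return findings


def build_sample_page():
    """Constructed sample: a page holding a ZIP in a base64 variable, as the
    article describes. The entry names mirror the article; contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Avira.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("rundll.exe", b"MZ" + b"\x00" * 62)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return '<html><script>var payload = "' + b64 + '";</script></html>'


if __name__ == "__main__":
    for finding in extract_smuggled_blobs(build_sample_page()):
        print(finding)
```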
The Anti-virus Times recommends
Don't forget the simple truth: there are no useless components in an anti-virus. Each of them is responsible for maintaining its own line of defence, and they are all important.
Comments
Niuxin
22:45:26 2020-10-13
Philip
03:07:04 2020-10-08
Most people say do not buy a "Security Suite" because it locks you into the company that supplies you with that "Security Suite" = antivirus + password manager + firewall. The antivirus anti-malware firewall is the important part. A two-way firewall can be annoying at first because you have to teach it what programs you want to allow to make Internet connections without asking you.
For example Adobe Photoshop Elements, makes an Internet connection and sends a log file and a small data file to show them your use of that program what you are doing with it. With a two-way firewall you simply block Adobe from making an Internet connection until you decide you want it to make that connection.
Some people say they have nothing to hide, but they have curtains on their front room window and they lock away their private documents or hide them away. Those who really have nothing to "hide" = protect have nothing.
An antivirus plus two-way firewall is the important part of any security product.
There is not a lot you can do about government departments' constant hunger to monitor every part of your life. You know the saying "you are free to do as they say." Government spying usually comes directly from your Internet provider or from a program that performs a function you need but makes an Internet connection to download other functions to control your computer and monitor your every activity.
A two-way firewall and antivirus anti-malware product is the first defence. The next problem you have is whether you trust the antivirus product and its firewall not to allow government snooping on your every activity.
Regardless of what country in the world you live in the saying is still true "you are free to do as they say." And God forbid you do not do as they say!
Put the cat among the pigeons.
Неуёмный Обыватель
01:48:21 2020-10-08
Lia00
00:32:12 2020-10-08
Hacen Debbab
00:31:05 2020-10-08
Masha
21:27:02 2020-10-07
Татьяна
17:23:46 2020-10-07
GREEN
12:34:26 2020-10-07
And this is good news, at least when it comes to Dr.Web.
Only one thing is alarming:
"... if an encryption Trojan is launched on the system, Dr.Web Preventive Protection will most likely detect it"
But so far this antivirus has never failed!
And this pleases even more ...
Пaвeл
07:40:10 2020-10-07