
Unexpected guests


Preventative means effective!


Wednesday, October 11, 2017

WikiLeaks published another batch of information about some CIA tools (i.e., malware) used to harvest data on machines running Windows XP and 7. A couple of these “helpers” look quite interesting.

The component BadMFS is a covert file system that stores other malware components in an encrypted and obfuscated format.

Windows Transitory File System is the fifth component. According to WikiLeaks, it was designed as an alternative to BadMFS. The component used temporary files and didn't rely on the local file system.

http://www.securitylab.ru/news/488176.php

Some may wonder why malicious programs would need a file system of their own when they can always write data into an ordinary file or transmit it over the Internet.

It's because of the preventive protection component: even if a malicious program manages to launch (e.g., because a user added an entire disk drive or all the traffic of certain applications to the list of scanning exceptions), its process will still be scrutinized by this anti-virus component. The new program's activity will most certainly be monitored by the preventive protection. And the CIA found a way around that.

They created a single file that contains a file system of its own. Under Linux, the standard disk utilities can format the disk space inside one file as a file system. Creating a virtual disk under Windows is more difficult, but utilities exist to do that.

As a result, preventive protection routines won't detect anything suspicious, because most actions will be performed inside that file and will look like ordinary file operations.

Storages of this kind can conceal malware components and stolen data.

Carberp’s successor, Trojan.Bolik.1, uses a similar virtual file system that is stored in a special file. The Trojan saves the file to one of the system directories or to the user folder. This file system allows the malware to covertly store the information it needs to operate on the infected machine.

http://news.drweb.com/show/?c=5&i=9999&lng=ru

Furthermore, attackers can encrypt the file system so that any attempt to extract information from its storage will be in vain. The malware program Regin, which creates its own encrypted virtual file system (EVFS), does the same thing. To encrypt the EVFS, the malware uses the RC5 block cipher. Alternatively, malware can place its storage outside the file system by moving a disk partition's boundary. For example, the TDL3/4 rootkits created their TDLFS file system in sectors at the end of the disk.
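As an added example, not part of the original article or of any Dr.Web product, the following Python script sweeps a directory for files that fit the profile described above: large, no recognised file-format header, and near-random content. It assumes that an encrypted container stored as one file looks exactly like that (the property the article attributes to the Bolik and Regin storages); the sample files and the thresholds are constructed, and any hit is only a candidate for closer review, not a verdict.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Headers of formats that are compressed/encrypted by design, so a random-looking
# body is expected; anything else with near-random content is worth a look.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip/office", b"\x1f\x8b": "gzip", b"7z\xbc\xaf'\x1c": "7z",
    b"Rar!\x1a\x07": "rar", b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png", b"MZ": "pe",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def known_format(header: bytes):
    """Name of a recognised container format, or None for an unknown header."""
    return next((name for magic, name in KNOWN_MAGIC.items() if header.startswith(magic)), None)

def find_opaque_blobs(root, min_size=1 << 20, sample=64 * 1024, threshold=7.9):
    """(path, entropy) pairs for files >= min_size whose first `sample` bytes have
    no recognised header and look random: the profile of an encrypted VFS file."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file() or path.stat().st_size < min_size:
                continue
            with path.open("rb") as f:
                head = f.read(sample)
        except OSError:  # unreadable or vanished: skip it, do not abort the sweep
            continue
        if known_format(head[:8]):
            continue
        ent = shannon_entropy(head)
        if ent >= threshold:
            hits.append((str(path), round(ent, 3)))
    return sorted(hits)

def demo():
    """Run the sweep over constructed sample files (no real malware involved)."""
    root = Path(tempfile.mkdtemp())
    (root / "container.dat").write_bytes(os.urandom(2 << 20))              # headerless, random
    (root / "backup.zip").write_bytes(b"PK\x03\x04" + os.urandom(2 << 20))  # random, known format
    (root / "notes.txt").write_bytes(b"status: ok, nothing to report\n" * 70000)  # low entropy
    return [Path(p).name for p, _ in find_opaque_blobs(root)]
```

Point `find_opaque_blobs` at the system directories and the user profile the article names as the usual hiding places; legitimate encrypted volumes and database files will also show up, so treat the output as a triage list.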

#Windows #malware #Trojan #preventive_protection

The Anti-virus Times recommends

Cybercriminals and their “creations” have many ways of evading an anti-virus. However, such malicious programs can still be exposed and disarmed.

  1. No malicious file can launch without first appearing in a system—miracles do not happen. So install security updates as well as updates for the anti-virus components responsible for scanning inbound data. In the case of Dr.Web, these components are Dr.Web SpIDer Gate and Dr.Web SpIDer Mail.
  2. No matter how good a malicious program is at hiding, its activity will be detected. So using preventive protection is also vital. The Dr.Web anti-viruses for Windows that incorporate this feature include Dr.Web Security Space, Dr.Web Anti-virus and Dr.Web KATANA.
