Other issues in this category (34)
Without going into the details
Wednesday, October 7, 2020
We never get tired of repeating the fact that all of an anti-virus’s components are important for system security. But users are confident that it’s enough to just have an anti-virus that scans files when they are being launched or downloaded. It supposedly scans everything worth checking. Unfortunately, hackers also know about this opinion and make sure that their bogus files contain no malicious code when they are being downloaded. The code is planted into them later. Sounds like magic? No, it's a payload construction technique. Here is an example.
Menlo Security published a review describing the HTML smuggling technique being used by attackers to bypass security solutions (including sandboxes).
When invoked (a user visits the webpage), the JSCRIPT file performs the following actions:
- Downloads a ZIP file. And the file has the extension .jpg, but it's a ZIP file. The ZIP file is downloaded to the Public Documents folder, and two files are extracted from the ZIP archive: Avira.exe and rundll.exe. The Avira.exe file is renamed using a random name. The rundll.exe file is also renamed using a random name, and its filename extension changes to .bmp.
The extracted Avira.exe file was digitally signed, and its size was 500MB.
And now, let's render this description in simpler words. A bitstream, rather than a file, is transmitted to the user's end. Actually, any file being downloaded is transmitted as a sequence of bytes. However, in this case security software can be circumvented because the file is smuggled in the guise of a data stream forwarded by a script. Once all the data has been transmitted, it is then converted into an archive from which the files are extracted.
Is it possible to expose such a trojan? Yes. Actually, it can be done while the data is being downloaded—if the anti-virus you're using can parse bitstreams and assemble them into files. But there's no guarantee of success: a zip-archive can be password-protected, and no anti-virus will be able to extract data from it. However, anti-virus features that monitor running processes and applications can still save the day. For example, if an encryption ransomware trojan starts in a system, Dr.Web preventive protection will most probably detect it.
The Anti-virus Times recommends
Don't forget the simple truth: there are no useless components in an anti-virus. Each of them is responsible for maintain their defence line, and they are all important.