Discussion in 'Application Software' started by harkaz, Sep 9, 2016.
You need to login to view this posts content.
This type of video always possess the same defect. Video was not made to display text. Text we show off video. Video shown actions, we shown what in text it is difficult or slow to be said.
After the aesthetic discussion of media, thank you so much for sharing this technique.
How is it possible to defend this kind of threat? Is there any way of mitigation? There are some new practice that we have to avoid this kind of problem? Assuming that the system is already compromised.
Thank you very much, cheers
I'm not certain what the best defense approach would be. Creating a driver/service that would monitor the attempted modifications to that registry key and immediately revert them would be sufficient. Probably we will see this functionality integrated in antimalware software.
Assuming the system is compromised, there is always the option of shutting down abruptly and booting into recovery environment, then load the offline registry and scan for the exploit in the certificate stores. Then use an offline virus scanner to eradicate the virus, if that's possible.
Maybe I'll have to create some tools to help people eradicating this threat.
If it requires administrative privileges then it's not a security issue and don't expect a "patch" this decade.
You can achieve the exact same thing by deleting the CryptSvc registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc
Since you have administrative privileges you could also just delete your boot loader, patch system files, hijack SSL connections, encrypt your entire hard-drive etc...
No, this is not the same. It stops secure communication and integrity monitoring (returns a system-level error code) but will not hang the caller application, be it UAC/Applocker/AV software - which is the most important aspect of this attack. Yes, an administrator can do many things. But they are easily detected by the sophisticated protection systems present in mission-critical systems. Let's say I try to intercept a system call via hooking. Sooner or later, heuristics will detect me and throw me out of control, even if I'm admin, unless I have taken action to prevent the security system from functioning. Ransomware can be easily detected (including zero-day ones) by the latest artificial-intelligence antimalware software. With this attack I can easily and persistently paralyze the AV system. There is no need to create a new virus, that could potentially give more information about me as an attacker - I can use well-known malware to do the trick. The major challenge is getting admin access. I believe that stolen digital certificates or insiders will do the trick in many cases; no need for pricey and potentially unreliable memory corruption exploits...
Delete the bootloader / Patch system files.. Most critical systems do not reboot often, so there would be no instant impact. Plus, this is easily detectable and fixed, if OS structures are used. Unless in ring 0 or beyond, it's very difficult to increase stealth (and effectiveness) of your rootkit.
This zero-day technique, unless patched, could substantially increase the stealth of a user-mode rootkit.