Login to account Create an account  


Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Things that go 'weird' in a computer
#1
I'm pretty old.  I've been around since the Imsai 8080 was the "big" thing featured in the movie "Wargames."  For me, the dream of building my own computer was seen as a "What the hell?" kind of interest.  My first machine ran on a 6502, and I was personally affronted when a certain machine code was 'sold' to a startup called Microsoft for something called 'Windows.'

Since then things have come a long way, ever complicated by commerce, and now we all operate with the need for overlapping security against exploitation of the code we run on the systems we use.  So I get a little paranoid now and again.

When my computer seems to be 'extra' active while idling, or unusual communication ports are opening up and closing, when graphics seem glitched for no reason... I worry.

Now it is clear that there are as many ways to exploit a computer as one could imagine, I found this:

From ArsTechnica: Researchers spot cryptojacking attack that disables endpoint protections
Subtitled: A key component: Installing known vulnerable drivers from Avast and IOBit.
 

Malware recently spotted in the wild uses sophisticated measures to disable antivirus protections, destroy evidence of infection, and permanently infect machines with cryptocurrency-mining software, researchers said Tuesday.

Key to making the unusually complex system of malware operate is a function in the main payload, named GhostEngine, that disables Microsoft Defender or any other antivirus or endpoint-protection software that may be running on the targeted computer. It also hides any evidence of compromise. “The first objective of the GhostEngine malware is to incapacitate endpoint security solutions and disable specific Windows event logs, such as Security and System logs, which record process creation and service registration,” said researchers from Elastic Security Labs, who discovered the attacks.

When it first executes, GhostEngine scans machines for any EDR, or endpoint protection and response, software that may be running. If it finds any, it loads drivers known to contain vulnerabilities that allow attackers to gain access to the kernel, the core of all operating systems that’s heavily restricted to prevent tampering. One of the vulnerable drivers is an anti-rootkit file from Avast named aswArPots.sys. GhostEngine uses it to terminate the EDR security agent. A malicious file named smartscreen.exe then uses a driver from IObit named iobitunlockers.sys to delete the security agent binary.

“Once the vulnerable drivers are loaded, detection opportunities decrease significantly, and organizations must find compromised endpoints that stop transmitting logs to their SIEM,” the researchers wrote, using the abbreviation for security information and event management. Their research overlaps with recent findings from Antiy.



As it turns out the vulnerability is exploited by shoehorning in code via an antiviral software dll.  Suddenly your machine is crypto mining for someone else.  Makes sense, right?  Your hardware, your electricity expense, your time... usurped so someone else can make money for free... 

Yeah... welcome to the machine.
Reply
#2
I turn off my pc when not actively using it. 

I reinstall os regularly.
Reply
#3
if you think thats scary I can make fileless malware that runs in your registry and injects into memory to bypass edr. Almost all malware now are two stage malware, it started with macros in word and has progressed since then, technically it started in pdf but not two stage. That was in 2011 or so when we were encoding files using shikataganai to obfuscate it. Back then the only thing that caught it was trend micro, but if you change the signature you change the malware. Antivirus can only protect against known signatures. Other methods are watching behaviors like powershell. Windows defender now a days is starting to block powershell scripts about damn time but years too damn late. The truth is nothing's ever safe, nothing ever will be, and i'm fairly positive holes are put into software on purpose for government use. What was the Internet after all before it was released to the public?

"I thought what I'd do was, I'd pretend I was one of those deaf-mutes."
Reply



Forum Jump: