captain_to_fire

Windows 10 (Build 16232) will try to combat ransomware by locking up your data


22 minutes ago, vorticalbox said:

so how does this exactly protect my files? Do i have to allow programs i install to be allowed to write to the folders? 

 

 

 

From my understanding yes, you have to whitelist the programs that can access specified folders. In theory an encryption virus/malware would have to find a way to whitelist itself through Defender. While that is not impossible, it does mean malware has to find/use two exploits, one into the OS and the other into Defender.

 

I'm hoping this works across networks too, so I can share folders and make backups of networked PCs without having to carry around a portable HDD.


QuicK and DirtY. Read the CoC it's like a guide on how not to be moron.  Also I don't have an issue with the VS series.
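The whitelist model mr moose describes above, as an added example that is not from this thread: the Windows Defender PowerShell cmdlets for Controlled Folder Access (Set-MpPreference, Add-MpPreference, Get-MpPreference), which exist in the released feature but are not shown anywhere on this page. The folder and program paths are placeholders, and event IDs 1123/1124 are Defender's own "blocked" and "audited" Controlled Folder Access events.

```powershell
# Added example (not from the thread): managing Controlled Folder Access with
# the Defender PowerShell cmdlets. Run from an elevated PowerShell session.
# Every path below is a placeholder; replace it with your own.

# 1. Start in audit mode: nothing is blocked yet, but every write that *would*
#    be blocked is logged, so the allow list can be built before enforcing.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect an extra folder, e.g. the local folder you share to other PCs
#    for backups (the default user libraries are protected already).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shares\Backups'

# 3. Allow the one backup program that legitimately writes there.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleBackup\backup.exe'

# 4. Review what audit mode recorded. Event 1124 = audited (would have been
#    blocked); 1123 = actually blocked once enforcement is on.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# 5. Confirm the resulting configuration, then switch to enforcement.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Audit mode is the useful part for a small office: anything that shows up as event 1124 is a program you either add to the allow list or treat as suspect, and only after that list is clean do you flip to Enabled. Whether writes arriving over a network share are mediated the same way is not something this thread settles, so that case in particular is worth running in audit mode first.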

6 hours ago, hey_yo_ said:

I was hoping you can shed some light into this @GoodBytes. I tried to enable that developer setting which restricts Windows 10 to Store apps only. I enabled that and even rebooted my PC.

 

But even with that feature enabled, I was still able to run an .exe file. It only triggered a UAC prompt but other than that, it was still able to execute. I was hoping I'll get a prompt that will tell me apps outside the Windows store would be blocked but I didn't. 

 

Unless Blizzard is now releasing their games on the Windows Store, I think Microsoft implemented a broken security feature.

Wrong setting. On the main screen of the Settings panel, go under Apps > Apps & Features; at the top, under "Installing apps", there is a drop-down box.

 

[screenshot: Image1.png]

 

No restart needed, it applies instantly.

As you ran StarCraft already, that is too late for it, it will always run. Try an executable you never executed before.

 

2 hours ago, mr moose said:

 

From my understanding yes, you have to whitelist the programs that can access specified folders. In theory an encryption virus/malware would have to find a way to whitelist itself through Defender. While that is not impossible, it does mean malware has to find/use two exploits, one into the OS and the other into Defender.

 

I'm hoping this works across networks too, so I can share folders and make backups of networked PCs without having to carry around a portable HDD.

wouldn't it be easier to mimic an allowed application? 

 

 

 


                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´

17 minutes ago, vorticalbox said:

wouldn't it be easier to mimic an allowed application? 

 

 

 

Depends on how defender determines the application is legit.  I have no idea about the technical side of it though. 

 

I would assume there are plenty of ways to make it hard for that to happen.   I can't see any reason why it would be inherently easy to bypass.


24 minutes ago, mr moose said:

Depends on how defender determines the application is legit.  I have no idea about the technical side of it though. 

 

I would assume there are plenty of ways to make it hard for that to happen.   I can't see any reason why it would be inherently easy to bypass.

I hope that's the case, i would assume check sums to happen for applications. 


21 minutes ago, vorticalbox said:

I hope that's the case, i would assume check sums to happen for applications. 

Seeing how the feature that blocks any further exes from running when you lock the system to Store apps works, I would think they use the same system.

In a test, I had 2 exes in the same folder. One I ran for the first time ever at that point, and the other never before. I locked my system to Store apps only. I tested to see if it worked. The first exe ran, the other was blocked. Normal. Now, I copied the name of the exe I could run, deleted the file, and renamed the other exe with the same name as the first. I wanted to see if it just goes by file name, or file name and path, but nope, it still didn't run. Windows clearly keeps track of exes it has run and seems to do something more involved (maybe a checksum or something) to identify an executable.

 

In this experiment, both exes were different versions of the FileZilla setup. One I acquired before and the other I just acquired from their site. They both have the same digital signature linked in the exe.
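To see what the rename experiment above actually distinguishes, here is an added example (not GoodBytes's code, and not how Defender identifies executables, which the thread does not establish): a toy allow list keyed once by file name and once by SHA-256 content hash, run over two constructed sample files. Get-FileHash is the real cmdlet; the file names and the Test-Allowed function are made up for the illustration.

```powershell
# Added example (not from the thread): a model allow list, keyed by name and
# by content hash, to show why the rename test matters. This is an
# illustration, not Defender's actual mechanism.

$work = Join-Path $env:TEMP 'allowlist-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Two different "programs" (constructed sample files) in the same folder,
# standing in for the two FileZilla installer versions.
$first  = Join-Path $work 'setup-old.exe'
$second = Join-Path $work 'setup-new.exe'
Set-Content -Path $first  -Value 'build 1' -NoNewline
Set-Content -Path $second -Value 'build 2' -NoNewline

# Record the first one as allowed, both by name and by content hash.
$allowed = @{
    Name = (Split-Path $first -Leaf)
    Hash = (Get-FileHash -Path $first -Algorithm SHA256).Hash
}

function Test-Allowed {
    param(
        [string]$Path,
        [ValidateSet('Name', 'Hash')][string]$By
    )
    switch ($By) {
        'Name' { return (Split-Path $Path -Leaf) -eq $allowed.Name }
        'Hash' { return (Get-FileHash -Path $Path -Algorithm SHA256).Hash -eq $allowed.Hash }
    }
}

# Repeat the experiment: delete the allowed file, give the other one its name.
Remove-Item $first
Rename-Item -Path $second -NewName (Split-Path $first -Leaf)

# The same path now holds different bytes; ask each identity scheme about it.
"By name: $(Test-Allowed -Path $first -By Name)"
"By hash: $(Test-Allowed -Path $first -By Hash)"

Remove-Item $work -Recurse -Force
```

The name check passes after the rename, the hash check does not, which is the behaviour GoodBytes observed. Note that a check on the Authenticode signer (Get-AuthenticodeSignature on a real binary) would sit in between: it would treat both FileZilla installers as the same publisher, so a scheme that only went by signature could not have blocked the second one either.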

Posted · Original PosterOP
2 hours ago, GoodBytes said:

No restart needed, it applies instantly.

As you ran StarCraft already, that is too late for it, it will always run. Try an executable you never executed before.

I'll try that. Thanks. 

55 minutes ago, vorticalbox said:

wouldn't it be easier to mimic an allowed application? 

While I think it's premature to judge it at this point and I'm hoping that it will be as good as what Microsoft claims, what you posted is actually one of my concerns. What if a malware author was able to impersonate a digital signature, or what if a ransomware was able to find a vector through a vulnerability in a legit application like Microsoft Word? I'm sure Word is whitelisted to allow changes in .docx files, but what if someone crafted a malicious VBA or worse a macro, and a naive user in an office of networked computers opened an email spoofed as legit and also opened a malicious Word file? Since Microsoft Word is whitelisted, it will execute the ransomware and encrypt all Word files. Then that small office with 10 employees is pretty much screwed, since the ransomware can also encrypt network attached storage and file servers.

 

But again, this is just me speculating and I hope Microsoft considered such possibility. 


There is more that meets the eye
I see the soul that is inside

28 minutes ago, hey_yo_ said:

While I think it's premature to judge it at this point and I'm hoping that it will be as good as what Microsoft claims, what you posted is actually one of my concerns. What if a malware author was able to impersonate a digital signature, or what if a ransomware was able to find a vector through a vulnerability in a legit application like Microsoft Word? I'm sure Word is whitelisted to allow changes in .docx files, but what if someone crafted a malicious VBA or worse a macro, and a naive user in an office of networked computers opened an email spoofed as legit and also opened a malicious Word file? Since Microsoft Word is whitelisted, it will execute the ransomware and encrypt all Word files. Then that small office with 10 employees is pretty much screwed, since the ransomware can also encrypt network attached storage and file servers.

I don't know how it will work either, but my biggest worry would be the malware just hooking into explorer.exe. That will most likely have far fewer restrictions than any other program on the system.

48 minutes ago, LAwLz said:

I don't know how it will work either, but my biggest worry would be the malware just hooking into explorer.exe. That will most likely have far fewer restrictions than any other program on the system.

this is my worry too, just zip everything in a password zip and then delete everything. 


On 02/07/2017 at 4:19 PM, vorticalbox said:

this is my worry too, just zip everything in a password zip and then delete everything. 

which then begs the question why people aren't doing this as a form of malware at this time, because this is command line - no admin privileges needed. add password randomly generated and upload password to server via SFTP - delete original password file - reboot machine and run a code that looks like checkdisk but wipes the drive of "free space"  making recovery of deleted files impossible but from a backup, and this would include the deleted password.

run from a batch script with the silent / yes to all / never notify switches and bobs your uncle.  then before shut down new Text File is created on the desktop - reading the ransom...

This wouldn't get picked up by an antivirus at all...  and all this from file explorer and command line...

Yeah @vorticalbox That is a worry.


EDIT: Perhaps someone at Linus Media Group could check this out and make a video on its possibility in Windows 10 as a project?

 


Hold my beer while I conjure up a way to circumvent this.

 

In all seriousness, this is cool, but I'm afraid many users won't know what it does, how to use it or that it even exists =\


Remember kids, the only difference between screwing around and science is writing it down. - Adam Savage

 

PHOΞNIX Ryzen 5 1600 @ 3.75GHz | Corsair LPX 16Gb DDR4 @ 2933 | MSI B350 Tomahawk | Sapphire RX 480 Nitro+ 8Gb | Intel 535 120Gb | Western Digital WD5000AAKS x2 | Cooler Master HAF XB Evo | Corsair H80 + Corsair SP120 | Cooler Master 120mm AF | Corsair SP120 | Icy Box IB-172SK-B | OCZ CX500W | Acer GF246 24" + AOC <some model> 21.5" | Steelseries Apex 350 | Steelseries Diablo 3 | Steelseries Syberia RAW Prism | Corsair HS-1 | Akai AM-A1

D.VA coming soon™ xoxo

Sapphire Acer Aspire 1410 Celeron 743 | 3Gb DDR2-667 | 120Gb HDD | Windows 10 Home x32

Vault Tec Celeron 420 | 2Gb DDR2-667 | Storage pending | Open Media Vault

gh0st Asus K50IJ T3100 | 2Gb DDR2-667 | 40Gb HDD | Ubuntu 17.04

Diskord Apple MacBook A1181 Mid-2007 Core2Duo T7400 @2.16GHz | 4Gb DDR2-667 | 120Gb HDD | Windows 10 Pro x32

Firebird//Phoeniix FX-4320 | Gigabyte 990X-Gaming SLI | Asus GTS 450 | 16Gb DDR3-1600 | 2x Intel 535 250Gb | 4x 10Tb Western Digital Red | 600W Segotep custom refurb unit | Windows 10 Pro x64 // offisite backup and dad's PC

 

Saint Olms Apple iPhone 6 16Gb Gold

Archon Microsoft Lumia 640 LTE

Gulliver Nokia Lumia 1320

Werkfern Nokia Lumia 520

Hydromancer Acer Liquid Z220

Posted · Original PosterOP
46 minutes ago, revsilverspine said:

Hold my beer while I conjure up a way to circumvent this.

 

In all seriousness, this is cool, but I'm afraid many users won't know what it does, how to use it or that it even exists =\

It will probably be enabled by default


34 minutes ago, hey_yo_ said:

It will probably be enabled by default

I'd assume if it were enabled by default it would cover at least Documents, Pictures, Music and whatever other default libraries Windows has.

I wonder if it would cover OneDrive, since I have it set up to save files directly there (I go through a shitload of storage just for my Documents folder)


1 hour ago, Metal_Kitty said:

which then begs the question why people aren't doing this as a form of malware at this time, because this is command line - no admin privileges needed. add password randomly generated and upload password to server via SFTP - delete original password file - reboot machine and run a code that looks like checkdisk but wipes the drive of "free space"  making recovery of deleted files impossible but from a backup, and this would include the deleted password.

run from a batch script with the silent / yes to all / never notify switches and bobs your uncle.  then before shut down new Text File is created on the desktop - reading the ransom...

This wouldn't get picked up by an antivirus at all...  and all this from file explorer and command line...

Yeah @vorticalbox That is a worry.


EDIT: Perhaps someone at Linus Media Group could check this out and make a video on its possibility in Windows 10 as a project?

 

I assume things like Explorer and cmd/PowerShell would be allowed by default; this is how I would make ransomware. It's slightly better for the user, you could maybe brute force a zip file, would take a while lol

 

its probably because they want more than the ransom, a bot net, which they can do much more with. The ransom is purely a distraction for something much bigger. 

 

Spoiler

dear NSA, purely hypothetical. 

 


2 hours ago, Metal_Kitty said:

because this is command line - no admin privileges needed.

cmd still needs admin privileges for a lot of things, including making changes to files on C: (outside of a few specific folders).

 

2 hours ago, Metal_Kitty said:

This wouldn't get picked up by an antivirus at all...  and all this from file explorer and command line...

Modern AVs check for that too.

5 minutes ago, LAwLz said:

cmd still needs admin privileges for a lot of things, including making changes to files on C: (outside of a few specific folders).

not for documents which is what these target. 


9 minutes ago, vorticalbox said:

not for documents which is what these target. 

Anything in the main "c:\Users\USERNAME\" folder that isn't a system service, so user-created files in Desktop, Documents, Downloads, Pictures, and Videos (possibly OneDrive, if sync is enabled and the OneDrive folder is on the C:\ partition!),

because of the nature of the way it works, it may even be possible to do the same on other partitions as well.


*************
EDIT :   Onedrive Sync!

if this was able to do this with the OneDrive folder that is located on C:\, would this then reference the deletion of the files and zip archive online, or the other way round? Would OneDrive resync what's on the cloud back to the desktop?

36 minutes ago, Metal_Kitty said:

Something else that I think ought to be put to the test, I am sure a number of modern AV's might over look it!

I seriously doubt there are any AVs which will not check a cmd window accessing all your files at the same time.

 

Anyway, things don't work the way you think they do. There are far better ways of doing things.


They will check a cmd window, yes, but ESET for example will only take notice of it if a Win32 system file is edited; if user files are edited, then it's going to ignore it, especially if all it's doing is zipping the files up.
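What LAwLz and Metal_Kitty are really arguing about is what a scanner should notice: not the content of any one file, but one process touching many user files at once. As an added example (not from the thread and not any AV product's logic), here is a small PowerShell burst detector run over a constructed file-activity log of the kind a Sysmon or EDR feed would supply. The log format, process names, paths and thresholds are all assumptions made for the illustration.

```powershell
# Added example (not from the thread): flag any process that deletes or
# overwrites many files under the user profile within a short window. Both
# encrypting ransomware and the "archive then delete" variant discussed above
# leave this trace, whatever the individual files look like afterwards.

# Constructed sample log: time, process, operation, path (CSV, no header).
$log = @'
2017-07-04T16:20:01,winword.exe,Write,C:\Users\alice\Documents\report.docx
2017-07-04T16:20:03,explorer.exe,Delete,C:\Users\alice\Downloads\old.iso
2017-07-04T16:20:05,cmd.exe,Create,C:\Users\alice\Documents\files.zip
2017-07-04T16:20:06,cmd.exe,Delete,C:\Users\alice\Documents\report.docx
2017-07-04T16:20:06,cmd.exe,Delete,C:\Users\alice\Documents\budget.xlsx
2017-07-04T16:20:07,cmd.exe,Delete,C:\Users\alice\Documents\notes.txt
2017-07-04T16:20:07,cmd.exe,Delete,C:\Users\alice\Pictures\holiday.jpg
2017-07-04T16:20:08,cmd.exe,Delete,C:\Users\alice\Desktop\todo.txt
2017-07-04T16:20:09,cmd.exe,Delete,C:\Users\alice\Documents\thesis.docx
2017-07-04T16:25:00,svchost.exe,Delete,C:\Windows\Temp\tmp1234.tmp
'@

$events = $log | ConvertFrom-Csv -Header Time, Process, Op, Path |
    ForEach-Object { $_.Time = [datetime]$_.Time; $_ }

function Find-DeletionBursts {
    param(
        [object[]]$Events,
        [int]$Threshold     = 5,          # assumed: this many destructive ops...
        [int]$WindowSeconds = 30,         # ...within this many seconds trips the rule
        [string]$ProfileRoot = 'C:\Users\'
    )
    # Keep only destructive operations on user-profile paths, grouped by process.
    $byProcess = $Events |
        Where-Object { ($_.Op -in 'Delete', 'Overwrite') -and ($_.Path -like "$ProfileRoot*") } |
        Group-Object Process

    foreach ($group in $byProcess) {
        $sorted = @($group.Group | Sort-Object Time)
        # Slide a window of $Threshold events and report the first one that fits.
        for ($i = 0; $i + $Threshold - 1 -lt $sorted.Count; $i++) {
            $span = ($sorted[$i + $Threshold - 1].Time - $sorted[$i].Time).TotalSeconds
            if ($span -le $WindowSeconds) {
                [pscustomobject]@{
                    Process     = $group.Name
                    Deletions   = $sorted.Count
                    WindowStart = $sorted[$i].Time
                    SpanSeconds = $span
                }
                break
            }
        }
    }
}

Find-DeletionBursts -Events $events | Format-Table -AutoSize
```

On the sample log only cmd.exe trips the rule: six deletions under the profile in a few seconds. The single delete by explorer.exe and the one outside C:\Users\ are ignored. The rule is deliberately blind to what the files contain, which is the point against the "it only zipped them" argument: the thing to alert on is the rate of destructive operations, not whether a system file was touched.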

 

 

4 hours ago, Metal_Kitty said:

Anything in the main "c:\Users\USERNAME\" folder that isn't a system service, so user-created files in Desktop, Documents, Downloads, Pictures, and Videos (possibly OneDrive, if sync is enabled and the OneDrive folder is on the C:\ partition!),

because of the nature of the way it works, it may even be possible to do the same on other partitions as well.


*************
EDIT :   Onedrive Sync!

if this was able to do this with the OneDrive folder that is located on C:\, would this then reference the deletion of the files and zip archive online, or the other way round? Would OneDrive resync what's on the cloud back to the desktop?

the pc is the main folder, what's deleted there is deleted online. 


1 hour ago, Metal_Kitty said:

Ouch... (Thank god for offline Backups :D )

 

yeah I'm currently working on setting up ZFS on my Ubuntu install, which will then back up to my NAS, and by currently I mean I've backed up all my data, just need to find time to install Mint because I fancy a change lol

 

 


Posted · Original PosterOP
13 hours ago, revsilverspine said:

I'd assume if it were enabled by default it would cover at least Documents, Pictures, Music and whatever other default libraries Windows has.

I wonder if it would cover OneDrive, since I have it set up to save files directly there (I go through a shitload of storage just for my Documents folder)

From Microsoft's website

Quote

For Microsoft Office files stored, synced, or backed up to OneDrive

Here's another

Quote

There are several ways we try to help keep your files safe in OneDrive. Your files aren’t shared with other people unless you save them in the Public folder or choose to share them. To help protect your OneDrive files from hardware failure, we save multiple copies of each file on different drives and servers.

 


Posted · Original PosterOP
On 7/4/2017 at 5:19 PM, vorticalbox said:

dear NSA, purely hypothetical. 

I'm pretty sure the NSA is working on something similar to bypass this protection. They have access to the Windows source code and will once again keep the CVE to themselves instead of publicly reporting it so that Microsoft can create security patches.


