Windows 10 (Build 16232) will try to combat ransomware by locking up your data

[mr moose]

22 minutes ago, vorticalbox said:

so how does this exactly protect my files? Do i have to allow programs i install to be allowed to write to the folders? 

 

 

 

From my understanding yes, you have to white list the programs that can access specified folders.  In theory an encryption virus/malware would have to find a way to white list itself through defender.  While that is not impossible,  it does mean malware has to find/use two exploits, one into the OS and the other into defender. 

 

I'm, hoping this works across networks too, so I can share folders and make backups of networked PC's without having to carry around a portable HDD.

[GoodBytes]

6 hours ago, hey_yo_ said:

I was hoping you can shed some light into this @GoodBytes. I tried to enable that developer setting which restricts Windows 10 to Store apps only. I enabled that and even rebooted my PC.

 

But even with that feature enabled, I was still able to run an .exe file. It only triggered a UAC prompt but other than that, it was still able to execute. I was hoping I'll get a prompt that will tell me apps outside the Windows store would be blocked but I didn't. 

 

Unless Blizzard is now releasing their games on the Windows Store, I think Microsoft implemented a broken security feature.

Wrong setting. On the main screen screen of the Settings panel, go under Apps > Apps & Feature, at the top, under "Installing Apps", there is a drop down box.

 

 

No restart needed, it applies instantly.

As you ran StarCraft already, that is too late for it, it will always run. Try an executable you never executed before.

 

[vorticalbox]

2 hours ago, mr moose said:

 

From my understanding yes, you have to white list the programs that can access specified folders.  In theory an encryption virus/malware would have to find a way to white list itself through defender.  While that is not impossible,  it does mean malware has to find/use two exploits, one into the OS and the other into defender. 

 

I'm, hoping this works across networks too, so I can share folders and make backups of networked PC's without having to carry around a portable HDD.

wouldn't it be easier to mimic an allowed application? 

 

 

 

[mr moose]

17 minutes ago, vorticalbox said:

wouldn't it be easier to mimic an allowed application? 

 

 

 

Depends on how defender determines the application is legit.  I have no idea about the technical side of it though. 

 

I would assume there are plenty of ways to make it hard for that to happen.   I can't see any reason why it would be inherently easy to bypass.

[vorticalbox]

24 minutes ago, mr moose said:

Depends on how defender determines the application is legit.  I have no idea about the technical side of it though. 

 

I would assume there are plenty of ways to make it hard for that to happen.   I can't see any reason why it would be inherently easy to bypass.

I hope that's the case, i would assume check sums to happen for applications. 

[GoodBytes]

21 minutes ago, vorticalbox said:

I hope that's the case, i would assume check sums to happen for applications. 

Seeing on how the feature to block any further exe's from running when you lock the system to Store works, I would think they use the same system.

In a test, I have 2 exe in the same folder. One I ran for the first time ever at that point, and the other never before. I locked my system to Store app only. I tested to see if it worked. The first exe ran, the other is blocked. Normal. Now, I copied the name of the exe I could run, delete the file, and rename the other exe with the same name as the first. I wanted to see if it just goes by file name, or file name path, but nope it still didn't ran. Windows clearly keeps track of exe's ran seem to do something more involved (maybe a checksum or something) to identify an executable.

 

In this experiment, both exe's were different version of FileZilla setup. One, I adjured before and the other I just acquired from their site. They both have the same digital signature linked in the exe.

[captain_to_fire]

2 hours ago, GoodBytes said:

No restart needed, it applies instantly.

As you ran StarCraft already, that is too late for it, it will always run. Try an executable you never executed before.

I'll try that. Thanks. 

55 minutes ago, vorticalbox said:

wouldn't it be easier to mimic an allowed application? 

While I think it's premature to judge it at this point and I'm hoping that it will be as good as what Microsoft claims, what you posted is actually one of my concerns. What if a malware author was able to impersonate a digital signature or what if a ransomware was able to find a vector through a vulnerability in a legit application like Microsoft Word? I'm sure Word is whitelisted to allow changes in .docx files but what if someone crafted a malicious VBA or worse a macro and a naive user in an office of networked computers opened an email spoofed as legit and also opened a malicious word file? Since Microsoft Word is whitelisted, it will execute the ransomware and encrypts all Word files. Then that small office with 10 employees are pretty much screwed since it the ransomware can also encrypt network attached storage and file servers. 

 

But again, this is just me speculating and I hope Microsoft considered such possibility. 

[LAwLz]

28 minutes ago, hey_yo_ said:

While I think it's premature to judge it at this point and I'm hoping that it will be as good as what Microsoft claims, what you posted is actually one of my concerns. What if a malware author was able to impersonate a digital signature or what if a ransomware was able to find a vector through a vulnerability in a legit application like Microsoft Word? I'm sure Word is whitelisted to allow changes in .docx files but what if someone crafted a malicious VBA or worse a macro and a naive user in an office of networked computers opened an email spoofed as legit and also opened a malicious word file? Since Microsoft Word is whitelisted, it will execute the ransomware and encrypts all Word files. Then that small office with 10 employees are pretty much screwed since it the ransomware can also encrypt network attached storage and file servers. 

I don't know how it will work either, but my biggest worry would be the malware just hooking into explorer.exe. That will most likely have far fewer restrictions than any other program on the system.

[vorticalbox]

48 minutes ago, LAwLz said:

I don't know how it will work either, but my biggest worry would be the malware just hooking into explorer.exe. That will most likely have far fewer restrictions than any other program on the system.

this is my worry too, just zip everything in a password zip and then delete everything. 

[Metal_Kitty]

On 02/07/2017 at 4:19 PM, vorticalbox said:

this is my worry too, just zip everything in a password zip and then delete everything. 

which then begs the question why people aren't doing this as a form of malware at this time, because this is command line - no admin privileges needed. add password randomly generated and upload password to server via SFTP - delete original password file - reboot machine and run a code that looks like checkdisk but wipes the drive of "free space"  making recovery of deleted files impossible but from a backup, and this would include the deleted password.

run from a batch script with the silent / yes to all / never notify switches and bobs your uncle.  then before shut down new Text File is created on the desktop - reading the ransom...

This wouldn't get picked up by an antivirus at all...  and all this from file explorer and command line...

Yeah @vorticalbox That is a worry.


EDIT: Perhaps someone at Linus media group could check this out and make a video on it's possibility in windows 10 as a project?

 

[You_are_a_cunt]

Hold my beer while I conjure up a way to circumvent this.

 

In all seriousness, this is cool, but I'm afraid many users won't know what it does, how to use it or that it even exists =\

[captain_to_fire]

46 minutes ago, revsilverspine said:

Hold my beer while I conjure up a way to circumvent this.

 

In all seriousness, this is cool, but I'm afraid many users won't know what it does, how to use it or that it even exists =\

It will probably be enabled by default

[You_are_a_cunt]

34 minutes ago, hey_yo_ said:

It will probably be enabled by default

I'd assume if it were enabled by default it would cover at least Documents, Pictures, Music and whatever other default libraries Windows has.

I wonder if it would cover OneDrive, since I have it set up to save files directly there (I go through a shitload of storage just for my Documents folder)

[vorticalbox]

1 hour ago, Metal_Kitty said:

which then begs the question why people aren't doing this as a form of malware at this time, because this is command line - no admin privileges needed. add password randomly generated and upload password to server via SFTP - delete original password file - reboot machine and run a code that looks like checkdisk but wipes the drive of "free space"  making recovery of deleted files impossible but from a backup, and this would include the deleted password.

run from a batch script with the silent / yes to all / never notify switches and bobs your uncle.  then before shut down new Text File is created on the desktop - reading the ransom...

This wouldn't get picked up by an antivirus at all...  and all this from file explorer and command line...

Yeah @vorticalbox That is a worry.


EDIT: Perhaps someone at Linus media group could check this out and make a video on it's possibility in windows 10 as a project?

 

i assume things like explore and cmd/powershell would be allowed by default, this is how i would make ransomware. It's slightly better for the user you could maybe brute force a zip file would take a while lol

 

its probably because they want more than the ransom, a bot net, which they can do much more with. The ransom is purely a distraction for something much bigger. 

 

Spoiler

dear NSA, purely hypothetical. 

 

[LAwLz]

2 hours ago, Metal_Kitty said:

because this is command line - no admin privileges needed.

cmd still need admin privileges for a lot of things. Including making chances to files on C: (outside of a few specific folders).

 

2 hours ago, Metal_Kitty said:

This wouldn't get picked up by an antivirus at all...  and all this from file explorer and command line...

Modern AVs checks for that too.

[Metal_Kitty]

3 minutes ago, LAwLz said:

Modern AVs checks for that too.

Something else that I think ought to be put to the test, I am sure a number of modern AV's might over look it!

[vorticalbox]

5 minutes ago, LAwLz said:

cmd still need admin privileges for a lot of things. Including making chances to files on C: (outside of a few specific folders).

not for documents which is what these target. 

[Metal_Kitty]

9 minutes ago, vorticalbox said:

not for documents which is what these target. 

Anything in the main "c:\Users\USERNAME\"   Folder that isn't a system service, so User created files in Desktop, Documents, Downloads, (Possibly Onedrive - if Sync is enabled and Onedrive share is on the C:\ Partition!) Pictures, and Videos,

because of the nature of the way it works, it may even be possible to do the same on other partitions as well.


*************
EDIT :   Onedrive Sync!

if this was able to do this with the onedrive folder that is located on C:\ Would this then reference the deletion of the files and zip archive online - or the other way round? would Onedrive resync whats on the Cloud back to the Desktop?

[LAwLz]

36 minutes ago, Metal_Kitty said:

Something else that I think ought to be put to the test, I am sure a number of modern AV's might over look it!

I seriously doubt there are any AVs which will not check a cmd window accessing all your files at the same time.

 

Anyway, things doesn't work the way you think they do. There are far better ways of doing things.

[Metal_Kitty]

They will check a cmd window yes, but ESET for example - will only take notice of it if a win32 system file is edited, - if User files are edited, then it's going to ignore. especially if all it's doing is zipping the files up

 

 

[vorticalbox]

4 hours ago, Metal_Kitty said:

Anything in the main "c:\Users\USERNAME\"   Folder that isn't a system service, so User created files in Desktop, Documents, Downloads, (Possibly Onedrive - if Sync is enabled and Onedrive share is on the C:\ Partition!) Pictures, and Videos,

because of the nature of the way it works, it may even be possible to do the same on other partitions as well.


*************
EDIT :   Onedrive Sync!

if this was able to do this with the onedrive folder that is located on C:\ Would this then reference the deletion of the files and zip archive online - or the other way round? would Onedrive resync whats on the Cloud back to the Desktop?

the pc is the main folder, what's deleted there is deleted online. 

[Metal_Kitty]

7 minutes ago, vorticalbox said:

the pc is the main folder, what's deleted there is deleted online. 

Ouch... (Thank god for offline Backups )

 

[vorticalbox]

1 hour ago, Metal_Kitty said:

Ouch... (Thank god for offline Backups )

 

yeah I'm currently working on setting up zfs on my ubuntu install which will then back up to my nas and by currently i mean I've backed up all my data just need to find time to install mint because i fancy a change lol

 

 

[captain_to_fire]

13 hours ago, revsilverspine said:

I'd assume if it were enabled by default it would cover at least Documents, Pictures, Music and whatever other default libraries Windows has.

I wonder if it would cover OneDrive, since I have it set up to save files directly there (I go through a shitload of storage just for my Documents folder)

From Microsoft's website: 

Quote

For Microsoft Office files stored, synced, or backed up to OneDrive

• OneDrive creates a version of Microsoft Office files when you save or change the file as part of its security features. 

Here's another: 

Quote

There are several ways we try to help keep your files safe in OneDrive. Your files aren’t shared with other people unless you save them in the Public folder or choose to share them. To help protect your OneDrive files from hardware failure, we save multiple copies of each file on different drives and servers.

 

[captain_to_fire]

On 7/4/2017 at 5:19 PM, vorticalbox said:

dear NSA, purely hypothetical. 

I'm pretty sure the NSA is working something similar to bypass this protection. They have access to the Windows source code and will once again keep the CVE to themselves instead of publicly reporting it so that Microsoft can create security patches.