Hypothetical Chameleon extension: Protecting against fire with fire

I had an interesting idea: What about protecting Malwarebytes components, through an experimental extension to the Chameleon system, using all of the same tricks that Malware itself often uses for self-defense, plus a few more I thought of myself? Packers, multiple forms of obfuscation, dummy processes and registry keys, code virtualization (using a Cryptographically-secure Pseudo-RNG), dynamic recompilation, active boobytraps, maze-like FileSystem/Registry setup, modular/cross-OS component installation, Isolated/Encrypted "Mini-Pagefiles", the works. You could also go a step further in reliability by using the .NET Core runtimes instead of the traditional .NET framework, in order to prevent damaged or out-of-date .NET framework components on your system from being an obstacle to the program functioning correctly, and you could probably also use cloud-accelerated machine learning to perform extensive low-level optimizations of the compiled code.

Maybe peer-to-peer cloud integrations should be implemented too (as an in-house, online-backed equivalent to Windows Resource Protection), as well as a secure and low-profile means for all of these protection systems, decoy processes, and such to communicate with each other without revealing their identities to outside programs (hard-coded asymmetric encryption, for example); that way they will know what to do whenever it's time to update, uninstall, perform a repair, change settings (as requested by the user), and so forth. And then of course, there's the idea of a built-in (and heavily encrypted) counterpart to the HOSTS file for reaching official Malwarebytes servers/services, along with internally enforcing the use of IPv6, DNSSEC, HTTP/3, and/or a combination VPN/Proxy on any connections directly between the Malwarebytes servers and MBAM components.

When taken all together, this could mitigate tampering, reverse-engineering, targeted attacks, and so on. And who knows? Maybe this could even prevent a second coming of the IOBit incident...

Any thoughts on this? If so, then please share them below. 🦊

P.S.: If you want more details on what I mean by a maze-like setup with the FileSystem and Registry, then just send me a private message. My precise concept is still extremely work-in-progress, and highly confidential, but it does involve mixing back-up components with decoy files, along with some additional boobytraps of my own design.


While I could certainly see the benefits to some of these ideas, it would also be really risky to do most of them as they would be very likely to trigger false positives in other security applications.  What Malwarebytes already has with the self-protection driver is really quite robust, and while the Developers are aware of a few ways around it, they all require administrative or SYSTEM level/root access/privileges/permissions, and once a threat has gotten that level of access to a system it's pretty much game over anyway and it means that Malwarebytes didn't even detect the threat (otherwise it wouldn't have even been able to enter memory, much less gain admin or better permissions already) and they need not concern themselves with Malwarebytes' presence at that point as they can pretty much do what they want, which is why prevention is so much more important.

As for anything resembling Windows Resource Protection, this is something we've discussed on multiple occasions, but to my knowledge the idea was dropped due to the limitations imposed by Microsoft's EULAs and IP/copyright laws (we cannot host any MS files for distribution without their express permission, which they would never provide, even if they were just backups of a user's own copies from their own system).

Honestly, if things are to the point that you're thinking about replacing system files and jumping through all those hoops just to keep your security software in memory and operational, it's probably time to throw in the towel and just pave the drive and reinstall Windows because any threat that nasty could have easily opened any number of backdoors into the system and done who knows what to the system to compromise its security and stability, so backing up essential data and going back to square one with a fresh install of the OS would probably be a more practical option than attempting to reverse whatever they might have done to the system (especially if you don't have anything monitoring for all changes to the filesystem and registry, which while possible, is quite computationally expensive, not to mention disk space consuming and could just as easily be accomplished via System Restore or any number of third party backup solutions like Macrium or Ghost etc.).


Oh, we already have that, though honestly most of the malware that targets us would prevent our processes from entering memory in the first place so we wouldn't have the opportunity to replace/restore our files anyway.  That's why the self-protection driver is so focused on preventing access to our files, processes, folders and registry keys, because as soon as they are able to break the program and get it out of memory, the fight is lost and you have to either go outside Windows, log into a second account (if the malware doesn't run system-wide, as some don't), or log into Safe Mode assuming the malware doesn't run there either.

These days though, most such threats just passively block Malwarebytes rather than trying to defeat it if protection is active because of how difficult it is to defeat the self-protection (not to mention how good our detection is, which stops most such threats before they even get as far as executing anyway, much less actually running and trying to shut us down). Most of the time when we see infected users having trouble running Malwarebytes, they got infected first and then tried installing Malwarebytes to remove the threat, or they only have the free version without any protection (which explains how they got infected in the first place). Malwarebytes actually makes a LOT of sales that way: users get infected, use Malwarebytes to clean up the system (sometimes with assistance from Support or one of the helpers here on the forums), and then decide to purchase it because of its utility in detecting and removing the threats that got past their existing protection. This is why Malwarebytes is so widely known for excellent remediation capabilities, because its removal tech is pretty much second to none.


Well, hypothetical scenario: if Malware specifically targeting MBAM prevented an MBAM process from entering memory... that's where some of these "sleeper agent" type processes would activate... because they'd be unrecognizable to anything except each other and to Malwarebytes itself (since they'd have multiple channels of secure communication amongst themselves and with the parent MBAM processes), and they'd go on high alert when Malwarebytes suddenly stopped responding to their semi-irregular status queries and whatnot. And these processes would also be unrecognizable to the Malware because they'd be heavily obfuscated in all the same ways as the Malware itself. Sure, there would be false positives from other Anti-Malware solutions that detect them, but I'm certain that there would eventually even be ways around that as well.

Simply put, the term I used at the beginning of this post, "sleeper agent", is quite accurate here. As far as other Malware is concerned, it's essentially fellow Malware modified to fight for the good guys, and would thus be hiding in plain sight, completely undetectable to the Malware that wasn't designed to look for it... and like the Malware it's fighting, this stuff would keep changing form to avoid detection, while still securely announcing its presence and identity to legitimate Malwarebytes processes and fellow sleeper agent processes.


That's just a lot of hoops to jump through when I know for a fact that much simpler solutions are just as effective (or even more so) at getting programs to run in hostile environments.  Trying to hide like malware wouldn't work against the threats that lock a system down to the point that only essential Windows core processes are allowed to run (a common method to prevent security apps from launching), however these are easily evaded by using system file names to get into memory; names like explorer.exe and winlogon.exe among others (I was the creator of the batch file/techniques that were eventually adapted into what became Malwarebytes Chameleon back in the Malwarebytes 1.x days and worked directly with the Developers who created Chameleon in designing how it would work, and to this day I know of virtually no threats that are able to stop Malwarebytes from launching on a system when that Chameleon technology is used, however there hasn't been much need for it in recent years so it has yet to be adapted to Malwarebytes 3.x save for the core self-protection driver in the Premium version).


The fact that the full Chameleon system hasn't been updated to 3.x actually concerns me a little bit, even if the need for it is seemingly absent. The fact it's out of date can still potentially cause trouble when it actually matters. I still feel like there could be a lot of room for improvement though... there are always ways you can make your defense systems more robust, sneakier, and smarter, and on the other side of the coin, there's always an unknown threat that's gonna try to outsmart you in some fashion.

At the bare minimum, it would be interesting if you had managed to capture samples of Malware and developed Chameleon processes that spoofed their process names and the like, or even spoofed process names of things that would likely be monitored by spyware such as Steam, Discord, Chrome, etc... And I think using packers, encryption and other forms of obfuscation on Chameleon processes would be another helpful layer of security.

So, I hope that you guys at least consider my input here. Chameleon should at the very least be maintained more regularly.


Again, if they did that our files would get flagged by AVs and other security programs that use aggressive heuristics (even Malwarebytes sometimes uses such methods to detect threats which is one of the reasons it's so effective).  It would also be a bad idea because, believe it or not, the bad guys have been known to download and run some AV/AM scanners (ones that obviously don't detect the threat attacking the system) to remove any "competing" malware from the system to ensure they get complete control (especially important for botnets to ensure that the infected systems become part of their own botnet, not someone else's so that they reap the profits/benefits).

I'm certain that if the need arises they'll update Chameleon and integrate it into Malwarebytes again, however for the moment it would be a waste of resources because it is not needed currently, so the product and the users are better served by devoting their time and efforts to more relevant pursuits like improving detections and enhancing Malwarebytes' protection and remediation capabilities (not to mention bugfixes and UI enhancements for improved usability and UX).

I too was concerned when I discovered they hadn't brought Chameleon forward with version 3.0, however it's been more than 2 years now and there still hasn't been a single threat that I'm aware of which required it in order to get Malwarebytes installed and running on an infected system.  The bad guys have moved on to other things, and the days of the AV blocking rogues and Trojans are in the past.  Now their focus is primarily on exploits, ransomware, tech support scams, PUPs, and the occasional password stealer and that's about it.  Every day fewer threats target PCs as mobile devices and IoT platforms become more common and the bad guys are now targeting easy income via massive scam call centers rather than constantly trying to outwit AV/AM developers with new clever tactics that consistently have a short shelf-life due to the good guys adapting to their tactics as soon as they capture samples (which makes sense since they likely spent days, weeks, or even months working on them just to have them defeated within a short period of time as soon as the good guys see what they're doing and develop effective countermeasures).  It just makes sense from a financial perspective not to pour so many resources into technological tactics that they know won't generate as much income as a simple, semi-random rotating URL/spam & SEO campaign for a fake tech support service, IRS scam, credit card scam or server data breach to collect peoples' info, either to use for credit fraud, cold calls, spam emails, or even just to sell on the dark web, none of which require advanced AV/AM killing tech to accomplish and profit from on a massive scale.

I'm sure that some of the bad guys think a new vulnerability is great, and represents a golden opportunity to get paid by exploiting it, but the more time that passes as they see the holes get plugged up by software and hardware vendors and as the security vendors figure out how to protect better against 0-day exploits, the more likely they are to throw in the towel on such endeavors and just move on to basic scams which can be just as profitable if not more so without devoting all that time, brain power and energy into some nifty new malware tech that will only be defeated in a matter of weeks, days or even hours.

You must remember that malware and scams are big business these days, netting millions and even billions of dollars every year, and the organizations behind these threats and attacks run their operations based on ROI the same as legit software and security vendors do, and just like pretty much any successful business does, by assessing the profit potential vs. cost/effort for a given attack/scam etc., and whatever proves the least costly, requires the least amount of effort and returns the greatest profit wins, and that's why things have changed so much in recent times, especially since it's no longer just a Windows world out there and the effort required to infect multiple platforms with a single infection increases the difficulty and complexity by several orders of magnitude, so it just makes sense that they wouldn't tend to devote many resources to it.

Are there still threats targeting PCs?  Of course, but these days the numbers and types of threats are very few compared to what they once were, and the bad guys aren't interested in wasting their resources by going to war with AV/AM vendors any more, especially when Windows PCs are only a fraction of the potential victim/target devices/platforms out there on the web (and the numbers are dwindling more and more every year as more people move exclusively/almost exclusively to mobile platforms which are also increasing in power and capabilities with each new device released).

TL;DR version: Windows PCs are no longer the only/primary target of the bad guys so devoting so many resources to fight the AV/AM vendors by targeting them isn't nearly as profitable/worthwhile as it used to be in years past and if the need for Chameleon or technology like it does arise again, Malwarebytes will resurrect it for Malwarebytes 3 or develop something to fill the need, but until then their main focus is on dealing with the threats/types of threats that are actually out there like exploits, tech support scams, phishing, PUPs and other prominent/relevant threats today.

Edited by exile360