
Google Search


LeGamerInfini


Hello Miss/Mister and thank you very much,


‼️ I HAVE TO WARN CYBERSECURITY OF SOMETHING IMPORTANT THAT I NOTICED: WHEN YOU DO ANY GOOGLE SEARCH THERE ARE VERY, VERY OFTEN DANGEROUS SITES IN THE LAST PAGES OF THE SEARCH. FOR EXAMPLE:

https://www.google.be/search?q=porn+tube&sxsrf=AJOqlzV78SO-DI7EXyUBaJ5R0QOdn-xDwQ:1673927521693&ei=YRvGY4fuKZ2s5NoPnoO_yAs&start=100&sa=N&ved=2ahUKEwjHor362c38AhUdFlkFHZ7BD7kQ8tMDegQIBxAG&biw=1398&bih=817&dpr=1 



This is not a malicious URL that can be added to a Malwarebytes product so I moved this thread to General Chat which is open to discussions.

Some notes ...

  1. There are various techniques that actors may use to raise a malicious or nefarious URL to a higher search rank.
  2. Sex sells. Sex in its many forms and representations is one of the oldest ploys for advertising and malvertising. Sex is used very often in Social Engineering and it is very effective.
  3. Researchers are well aware that they can data-mine Google Searches for malicious and nefarious content, as this is a well discussed subject matter and many blogs and articles document numerous schemes, events and campaigns.
  4. Many forms of malicious and nefarious intent target sex:
    • To sell you a product.
    • To goad one into a money scam.
    • To make you a victim to pay for your sins.
    • To infect you with malware.


Edited by David H. Lipman

Hello David and any other Experts in this subject.

Are you able (at this time) to tell me if MBAM scans deep enough to find these hidden "end of code" add-ons?

I do a deep scan with ESET Online every month just to cover these types of programs, but that takes up to 1 hour depending on current circumstances.

MBAM still scans in 5 minutes at the most. Is this enough?

Thank You


I have both AdBlock and Malwarebytes Browser Guard extensions in my Firefox - and so I don't see any of those Google ads, fake ones or not.
OK they might show for half a second before being hidden by the adblockers.

I'm slightly surprised that that 'experienced' blogger who supposedly got infected and all his data and cryptocurrency stolen wasn't using any adblocker?
I'd be more inclined to believe that he deliberately went looking for malware thinking he could cope with it, and messed up.
(Or that he hasn't lost anything, and it's all a story/exaggeration to make a point?)

TBH even on a machine without any adblocking installed I wouldn't click on one of the Google ads, just scroll down and find the software developers own site for whatever I'm looking to download.


The term " 'experienced' blogger" means little. All it means is that they write to a portal a lot. It doesn't mean that they are compu-literate and have Situational Awareness to use the software described to limit their exposure.

I'm not surprised at all, as people run the gamut of experiences and knowledge. Just like so many think all malware are "viruses". They just don't know.

Edited by David H. Lipman

OK David

The video (I believe one of the above) where you show that the end script is 'padding' for a longer script with many 00000000 lines after the main code.

You are led to believe it is a larger file, and when you click Properties it shows what is in the thumbnail attached. This is why I say I Deep Scan at times with ESET.



Got it. Deliberately bloating an EXE, aka padding. Yes, this is an issue. We see files like that all the time, where they are bloated to thwart engine signature detection.

Often you can take a 700MB bloated EXE file and place it in a ZIP archive and achieve 99% compression. You can see such a file below...


Unfortunately such a file is too big for MBAM and wouldn't be detected by signature.  However the paid-for version of MBAM employs its Anti Exploitation module on the malicious activity such a file may pose.  Therefore the paid-for version of MBAM wouldn't default to a static detection only.  Thus Right-Click Malwarebytes scan a file or folder or normal scan would not detect the file.  If the file is accidentally or deliberately launched then the dynamic activity would be examined and malicious activity thwarted.

Bottom line, a scan in the paid-for or free version will not detect the file but the paid-for version would protect the user if the Anti Exploitation module is Enabled.

NOTE: The above file shown in the WinZIP graphic is even too big for Virus Total. To get the below Report, it had to be submitted in the ZIP file.
https://www.virustotal.com/gui/file/1b9467efa1ed6fc01bb75220b4fd46b3f5446d8bebddc1ad88466861081d0cde/detection

The characteristic of file bloating is in itself a heuristic of a malicious file.

EDIT:

Below shows the examination of the ~780MB file, BrowserNew.exe, in the ZIP file. This file was analyzed and it is another RedLine Stealer, like what was mentioned in the YouTube video.


Edited by David H. Lipman
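As an added illustration of the bloat heuristic David describes above (this is example code, not from the thread, from Malwarebytes or from VirusTotal), the following Python computes the cheap static features a triage script could check before deciding whether a file deserves a full scan: the fraction of 0x00 bytes, the length of the trailing zero run, and the deflate compression ratio. The thresholds and the sample inputs are constructed for the example.

```python
import random
import zlib

# Thresholds are assumptions for illustration, not Malwarebytes or VirusTotal settings.
MIN_SIZE_TO_CONSIDER = 64 * 1024   # ignore small files; padding only matters when it inflates size
ZERO_FRACTION_LIMIT = 0.90         # flag when 90% or more of the bytes are 0x00
COMPRESSION_RATIO_LIMIT = 0.05     # flag when deflate shrinks the file to 5% or less (95%+ compression)


def trailing_zero_run(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the very end of the file (the appended padding)."""
    return len(data) - len(data.rstrip(b"\x00"))


def bloat_metrics(data: bytes) -> dict:
    """Cheap static features: size, fraction of zero bytes, trailing pad length, deflate ratio."""
    size = len(data)
    if size == 0:
        return {"size": 0, "zero_fraction": 0.0, "trailing_zeros": 0, "compression_ratio": 1.0}
    compressed_size = len(zlib.compress(data, 6))
    return {
        "size": size,
        "zero_fraction": data.count(0) / size,
        "trailing_zeros": trailing_zero_run(data),
        "compression_ratio": compressed_size / size,
    }


def is_suspiciously_bloated(data: bytes) -> bool:
    """True when the file is large, almost entirely zeros and near-perfectly compressible."""
    m = bloat_metrics(data)
    return (m["size"] >= MIN_SIZE_TO_CONSIDER
            and m["zero_fraction"] >= ZERO_FRACTION_LIMIT
            and m["compression_ratio"] <= COMPRESSION_RATIO_LIMIT)


def build_samples() -> dict:
    """Constructed inputs, not real files: pseudo-random bytes stand in for compiled code."""
    rng = random.Random(2023)
    small_code = rng.randbytes(16 * 1024)               # 16 KiB, below the size threshold
    large_code = rng.randbytes(256 * 1024)              # 256 KiB of incompressible data, no padding
    padded = small_code + b"\x00" * (2 * 1024 * 1024)   # 16 KiB of "code" plus 2 MiB of zeros
    return {"small_code": small_code, "large_code": large_code, "padded": padded}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        m = bloat_metrics(blob)
        print(f"{name:10s} size={m['size']:>8d} zeros={m['zero_fraction']:.3f} "
              f"pad={m['trailing_zeros']:>8d} ratio={m['compression_ratio']:.4f} "
              f"bloated={is_suspiciously_bloated(blob)}")
```

As a later reply in the thread points out, padding made of random data rather than zeros defeats both the zero-count and the compression checks, so these features are a cheap first filter, not a verdict.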

Hello @David H. Lipman:

It appears as if the “powers that be” need to increase the maximum working filesize of their products and services to accommodate this bloating/padding technique.

In the meantime, isn't VirusTotal still mostly neutered by our uploading .zip and .rar containers?

Thank you.


I can not speak for Malwarebytes, but it is my "understanding" it is under discussion and consideration.

Submitting archive files to Virus Total skews the results, and the data generated is based upon the file(s) within the archive container and not the malware or suspect files themselves. There are heuristic detections that are based solely on the types of files in an archive. There are many types of archive files, ZIP and RAR being the most common, and the standard ZIP file remains the PKzip format. Thus these two types of archives are generally commonly covered by anti virus/anti malware (AV/AM) engines in general and those implemented on Virus Total specifically. However, when one deviates from ZIP and RAR archives there is less adoption by Virus Total specific AV/AM engines, which can further hinder results. We see that in malicious emails where the less common formats are used as email attachments that contain malicious files. This thwarts AV/AM detections on many email systems. Often we'll see such email attachments sent to Virus Total Report, such as an ISO file. It will show a low detection rate. When the malware is extracted from the lesser used archive format and submitted, there will generally be a much higher detection rate. This can also be true for some types of archive file formats that have many versions or variations, such as CAB (CABinet) files.

In summation, it is always best to submit files in their native format and not within an archive file format to Virus Total.  However when a file is bloated beyond Virus Total's maximum submission file size, there is no choice but to submit the suspect file in a compressed file format archive with ZIP being the primary choice and RAR secondary.  It should also be done with a singular file in the archive and not multiple files.  Having multiple files in the archive also skews the results.


Edited by David H. Lipman

On 1/25/2023 at 12:14 PM, David H. Lipman said:

In summation, it is always best to submit files in their native format and not within an archive file format to Virus Total.

What about opening the malware in a hex editor and deleting the zeros before submitting it?

Does this skew the results or is there another problem with this approach that I am not aware of?


1 hour ago, sp123 said:

What about opening the malware in a hex editor and deleting the zeros before submitting it?

Does this skew the results or is there another problem with this approach that I am not aware of?


Good question.

Yes. It could also disable the malware, as the code can be set to skip or jump from the header area to the address of the active code. By removing the junk space the jump-to address could be outside the bounds of the code length or simply point to a bad entry point. Another example would be to use UPX and recreate a compressed version executable (assuming it would work; it doesn't, as the samples I have tested either error-out or are just too large).

The point would be futile, as the resultant PE file would not be what is seen in-the-wild and signatures for an altered version would not work on the original at-large version. This is why some known, and well detected, malware is run through some kind of well known or exotic software packer. The PE file has changed without altering its inherent functionality, causing the previous high detection rate to drop significantly or not be detected at all. If that newly packed PE file is released into the wild, AV/AM vendors would need to create all new signatures.


Reference:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/basic-packers-easy-as-pie/

https://www.mandiant.com/resources/blog/increased-use-of-delphi-packer-to-evade-malware-classification


Edited by David H. Lipman

On 1/31/2023 at 4:58 AM, sp123 said:

What about opening the malware in a hex editor and deleting the zeros before submitting it?

The more intelligent bad actors would soon know that real “zero-padding” will need to be 'enhanced' with random data/files, another executable, text, etc.

