Malware can use this trick to Bypass Ransomware Defense in Anti-virus Solutions.
The ransomware first runs on the victim's system and reads the protected files (it cannot write to them, only read). It then encrypts the entire content and copies it to the clipboard. Next it launches Notepad and issues a paste command, placing the encrypted content of the protected file into Notepad. Finally it tells Notepad to save the file, overwriting the existing one; because Notepad is allowed to write to the protected file, it overwrites your file with the encrypted content.
Antivirus software providers are an essential part of cyberthreat defense, offering high-level security against cybercriminals.
Researchers at the University of Luxembourg, in collaboration with Royal Holloway, University of London, have found a security weakness in popular antivirus applications. The flaw would have impacted the world's largest antivirus software systems and their customers.
An antivirus's full-time protection task is like a game in which malware (spyware, DoS attacks with malformed packets, and many other malicious attacks) tries to circumvent the antivirus's protection. The antivirus reacts by complementing signature-based protection with behavioral analysis; malware then comes up with other techniques to hide, and so on. This becomes a cut-and-mouse game, the researchers' play on "cat and mouse".
The first one consists of simulating mouse events to control AVs, namely, to send them mouse “clicks” to deactivate their protection. We prove that many AVs can be disabled in this way, and we call this class of attacks Ghost Control. The second one consists of controlling whitelisted applications, such as Notepad, by sending them keyboard events (such as “copy-and-paste”) to perform malicious operations on behalf of the malware.
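The detection angle on the cut-and-mouse sequence described above, as an added example that is not part of the original article or of the researchers' work: a small Python heuristic that correlates constructed process-creation and file-write telemetry and flags a whitelisted editor that was started by something other than the interactive shell and then overwrote a file in a protected folder, with a Shannon-entropy check on the written bytes to spot ciphertext. The folder paths, the process names (`untrusted.exe`), the `TRUSTED_PARENTS` set and the 7.0 bits/byte threshold are assumptions chosen for illustration.

```python
"""Detection heuristic for the cut-and-mouse pattern.

Added example (not from the article or the research paper). It correlates two
constructed telemetry streams, process-creation events and file-write events,
and flags writes to a protected folder made by a whitelisted editor that was
NOT started by the interactive shell, noting when the written bytes look
encrypted (high Shannon entropy). Folder names, process names and the
threshold are assumptions chosen for illustration.
"""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Assumed policy: folders under ransomware protection, editors the AV whitelists,
# and the parent process a user-launched editor is expected to have.
PROTECTED_FOLDERS = (r"C:\Users\alice\Documents",)
WHITELISTED_EDITORS = {"notepad.exe", "wordpad.exe"}
TRUSTED_PARENTS = {"explorer.exe"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; plain text is usually well below this


@dataclass
class ProcessEvent:
    pid: int
    image: str          # executable name of the new process
    parent_image: str   # executable name of the process that started it


@dataclass
class FileWriteEvent:
    pid: int
    path: str
    data: bytes         # content written, as a filter driver would capture it


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_protected(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(folder.lower()) for folder in PROTECTED_FOLDERS)


def analyze(processes: List[ProcessEvent], writes: List[FileWriteEvent]) -> List[Dict]:
    """Return one alert per protected-file write made by a whitelisted editor
    that was launched by an untrusted parent (a program, not a person, is
    driving the editor)."""
    by_pid = {p.pid: p for p in processes}
    alerts = []
    for w in writes:
        proc = by_pid.get(w.pid)
        if proc is None or not is_protected(w.path):
            continue
        if proc.image.lower() not in WHITELISTED_EDITORS:
            continue  # non-whitelisted writers are already blocked by the folder policy
        if proc.parent_image.lower() in TRUSTED_PARENTS:
            continue  # user opened the editor from the shell: expected behaviour
        entropy = shannon_entropy(w.data)
        reason = (f"{proc.image} (pid {w.pid}) spawned by {proc.parent_image} "
                  f"overwrote protected file")
        if entropy >= ENTROPY_THRESHOLD:
            reason += f"; high-entropy content ({entropy:.2f} bits/byte) looks encrypted"
        alerts.append({"pid": w.pid, "path": w.path, "entropy": entropy, "reason": reason})
    return alerts


# Constructed sample telemetry: a user editing notes, and an editor driven by
# an unknown process writing ciphertext-like bytes over a document.
SAMPLE_PROCESSES = [
    ProcessEvent(pid=100, image="notepad.exe", parent_image="explorer.exe"),
    ProcessEvent(pid=200, image="notepad.exe", parent_image="untrusted.exe"),
]
SAMPLE_WRITES = [
    FileWriteEvent(100, r"C:\Users\alice\Documents\notes.txt",
                   b"Meeting at 10am.\nBring the slides.\n"),
    FileWriteEvent(200, r"C:\Users\alice\Documents\report.docx",
                   bytes(range(256)) * 4),  # constructed stand-in for encrypted output
    FileWriteEvent(200, r"C:\Temp\scratch.txt", b"not a protected location"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_PROCESSES, SAMPLE_WRITES):
        print(alert["reason"], "->", alert["path"])
```

The parent-process signal is deliberately combined with the write target and the entropy of the written bytes: on its own, an editor launched by a non-shell parent is common (installers, scripts, file associations), and on its own a high-entropy write is common too (archives, images), but a whitelisted editor that was started programmatically and is saving ciphertext-shaped bytes over a protected document is exactly the sequence the researchers describe. In a real deployment the two event streams would come from process-creation auditing (Sysmon or ETW) and a file-system minifilter rather than from the constructed lists here.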
Ghost Control attacks could lead to many malicious activities, including turning off real-time protection, and could perform any activity a legitimate user is allowed to do. Of the 29 antivirus products tested, 14 were found vulnerable to Ghost Control attacks, and all 29 were found to be at risk of cut-and-mouse attacks. Of the 14 vendors contacted, some immediately released a fix to mitigate the vulnerability, while others acknowledged the issue and promised to remove the root cause of the weakness.
The findings show that security solutions aimed at protecting against the weaknesses of other software may themselves suffer from weaknesses. This is why it is important that researchers take nothing for granted. This research makes it clear that approaching cybersecurity from a holistic perspective is valuable. In addition, the disclosure to and engagement with the impacted companies demonstrate how scientists can tackle these topics with the highest ethical standards.


Great work. Nice explanation.

Thank you.