Colin Mc Hugo
Security Engineer Manager & CEO at Quantum Infinite Solutions Group Ltd.

Malware Can Use This Trick to Bypass Ransomware Defense in Antivirus Solutions

June 1, 2021

Researchers have disclosed significant security weaknesses in popular antivirus software that could be abused to deactivate its protections and to take control of allow-listed applications, which then perform destructive operations on behalf of the malware and defeat anti-ransomware defenses.

The twin attacks, detailed by academics from the University of Luxembourg and the University of London, are aimed at circumventing the protected folder feature offered by antivirus programs in order to encrypt files (aka "Cut-and-Mouse") and at disabling their real-time protection by simulating mouse "click" events on the antivirus user interface (aka "Ghost Control").

"Antivirus software providers always offer high levels of security, and they are an essential element in the everyday fight against criminals," said Prof. Gabriele Lenzini, chief scientist at the Interdisciplinary Center for Security, Reliability, and Trust at the University of Luxembourg. "But they are competing with criminals which now have more and more resources, power, and dedication."


Put differently, the shortcomings are twofold. Weaknesses in the malware-mitigation software itself could let unauthorized code turn off its protection features, and design flaws in the Protected Folders feature provided by antivirus vendors could be abused by, say, ransomware to change the contents of files through an application that has been granted write access to the folder and thereby encrypt user data, or by wiper malware to irrevocably destroy the victim's personal files.

Protected Folders let users designate folders that receive an additional layer of protection against destructive software: any write access to those folders by an application that is not on the allow list is blocked.

"A small set of whitelisted applications is granted privileges to write to protected folders," the researchers said. "However, whitelisted applications themselves are not protected from being misused by other applications. This trust is therefore unjustified, since a malware can perform operations on protected folders by using whitelisted applications as intermediaries."


In an attack scenario devised by the researchers, malicious code drives a trusted application such as Notepad to perform the write operations that encrypt the victim's files stored in the protected folders. To this end, the ransomware reads the files in the folders, encrypts them in memory, and copies the ciphertext to the system clipboard; it then launches Notepad, pastes the clipboard contents and saves, overwriting the folder contents. Because the write is performed by Notepad, an allow-listed process, the protected-folder check lets it through: the malware never touches the folder itself, it only acts through a trusted intermediary (a classic confused-deputy pattern).

Worse, by leveraging Paint as the trusted application, the researchers found that the same attack sequence could be used to overwrite the user's files with a randomly generated image, destroying them permanently.

The Ghost Control attack, on the other hand, could have serious consequences of its own: turning off real-time malware protection by simulating legitimate user actions on the antivirus solution's user interface could allow an adversary to drop and execute any rogue program fetched from a remote server under their control.
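The common thread in both attacks is that the antivirus trusts the identity of a process (its image on the allow list, or a click that arrives at its own settings window) without asking where that action came from. The following is an added detection example, written for this page and not part of the article or of the researchers' work, that applies that lesson to endpoint telemetry. It flags a Cut-and-Mouse style write (an allow-listed application writing into a protected folder while one of its ancestors is an untrusted process) and a Ghost Control style toggle (real-time protection switched off shortly after mouse clicks that the OS marked as injected). The event schema, field names, file paths, the `TRUSTED_PARENTS` set, the two-second window and the sample events are all constructed assumptions for this example; real EDR or Sysmon schemas differ, and a production detector would also have to handle processes that started before logging began.

```python
"""Added example (not from the article or the researchers): a small detector
for the two confused-deputy patterns described above, run over constructed
endpoint events. Event format and field names are assumptions."""

# Constructed policy data (assumptions for the example, not any vendor's config).
PROTECTED_DIRS = (r"C:\Users\alice\Documents",)
ALLOWLIST = {r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\mspaint.exe"}
# Parents a hardened policy would accept as launchers of an allow-listed app.
TRUSTED_PARENTS = {r"C:\Windows\explorer.exe"}


def build_process_table(events):
    """Map pid -> proc_start event so the ancestry of any pid can be walked."""
    return {e["pid"]: e for e in events if e["type"] == "proc_start"}


def ancestors(pid, procs):
    """Yield the process itself, then its parent, grandparent, ... until unknown."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield procs[pid]
        pid = procs[pid]["ppid"]


def is_protected(path):
    return any(path.lower().startswith(d.lower() + "\\") for d in PROTECTED_DIRS)


def naive_policy(write, procs):
    """Models the weak check the paper attacks: allowed if the writer's image is listed."""
    proc = procs.get(write["pid"])
    return proc is not None and proc["image"] in ALLOWLIST


def provenance_policy(write, procs):
    """Hardened check (our own design): the writer must be allow-listed AND every
    known ancestor must be either allow-listed or a trusted launcher."""
    chain = list(ancestors(write["pid"], procs))
    if not chain or chain[0]["image"] not in ALLOWLIST:
        return False
    return all(p["image"] in ALLOWLIST or p["image"] in TRUSTED_PARENTS for p in chain[1:])


def find_confused_deputy_writes(events):
    """Cut-and-Mouse pattern: the naive policy would allow the write, provenance would not."""
    procs = build_process_table(events)
    alerts = []
    for e in events:
        if e["type"] != "file_write" or not is_protected(e["path"]):
            continue
        if naive_policy(e, procs) and not provenance_policy(e, procs):
            chain = [p["image"] for p in ancestors(e["pid"], procs)]
            alerts.append({"ts": e["ts"], "path": e["path"], "chain": chain})
    return alerts


def find_ghost_control(events, window_s=2.0):
    """Ghost Control pattern: real-time protection turned off within window_s of
    clicks on the AV UI process that were all flagged as injected (synthetic input,
    e.g. what a low-level mouse hook on Windows sees as LLMHF_INJECTED)."""
    clicks = [e for e in events if e["type"] == "click"]
    alerts = []
    for e in events:
        if e["type"] != "setting_change" or e["setting"] != "realtime_protection":
            continue
        if e["value"] != "off":
            continue
        recent = [c for c in clicks if c["pid"] == e["pid"] and 0 <= e["ts"] - c["ts"] <= window_s]
        if recent and all(c["injected"] for c in recent):
            alerts.append({"ts": e["ts"], "pid": e["pid"], "injected_clicks": len(recent)})
    return alerts


# Constructed sample telemetry: a legitimate Notepad save, a direct write by a
# downloaded executable (the AV blocks that one itself), Notepad launched by that
# executable to overwrite a protected file, and an automated toggle of the AV UI.
SAMPLE_EVENTS = [
    {"ts": 0.0, "type": "proc_start", "pid": 100, "ppid": 0, "image": r"C:\Windows\explorer.exe"},
    {"ts": 1.0, "type": "proc_start", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": 1.5, "type": "file_write", "pid": 200, "path": r"C:\Users\alice\Documents\notes.txt"},
    {"ts": 5.0, "type": "proc_start", "pid": 300, "ppid": 100, "image": r"C:\Users\alice\Downloads\invoice.exe"},
    {"ts": 5.1, "type": "file_write", "pid": 300, "path": r"C:\Users\alice\Documents\report.docx"},
    {"ts": 5.2, "type": "proc_start", "pid": 301, "ppid": 300, "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": 5.4, "type": "file_write", "pid": 301, "path": r"C:\Users\alice\Documents\report.docx"},
    {"ts": 9.0, "type": "proc_start", "pid": 400, "ppid": 100, "image": r"C:\Program Files\ExampleAV\ui.exe"},
    {"ts": 9.5, "type": "click", "pid": 400, "injected": True},
    {"ts": 9.7, "type": "click", "pid": 400, "injected": True},
    {"ts": 10.0, "type": "setting_change", "pid": 400, "setting": "realtime_protection", "value": "off"},
]


if __name__ == "__main__":
    for a in find_confused_deputy_writes(SAMPLE_EVENTS):
        print("confused-deputy write:", a["path"], "via", " <- ".join(a["chain"]))
    for a in find_ghost_control(SAMPLE_EVENTS):
        print("injected clicks disabled protection in pid", a["pid"], "at", a["ts"])
```

The write at 5.1 by invoice.exe is not reported because the naive policy already denies it; the detector only reports the gap between the two policies, which is exactly the surface the researchers describe. The legitimate Notepad save at 1.5 passes the provenance check because its only ancestor is the trusted shell.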

Of the 29 antivirus solutions evaluated in the study, 14 were found vulnerable to the Ghost Control attack, while all 29 were found to be at risk from the Cut-and-Mouse attack. The researchers did not name the affected vendors.


If anything, the findings are a reminder that even security solutions explicitly designed to safeguard digital assets from malware can suffer from weaknesses themselves, defeating their very purpose. Even as antivirus vendors continue to step up their defenses, malware authors have slipped past such barriers through evasion and obfuscation tactics, and have bypassed behavioral detection with adversarial inputs and poisoning attacks.

"Secure composability is a well-known problem in security engineering," the researchers said. "Components that, when taken in isolation, offer a certain known attack surface do generate a wider surface when integrated into a system. Components interact with one another and with other parts of the system and create a dynamic with which an attacker can interact too, and in ways that were not foreseen by the designer."
