Malware beats Windows Defender: How you get hacked
HTML-код
- Опубликовано: 15 янв 2024
- Password stealer malware has been on the rise since last year, and these infostealers are consistently good at bypassing or beating Windows Defender. In this video I demonstrate one I received via email vs Windows Defender and talk about how your stolen data is used on the dark web.
Search the dark web to see what hackers know about you with today's sponsor: hi.flare.io/pcsecuritychannel...
Buy the best antivirus: thepcsecuritychannel.com/best...
Join the discussion on Discord: discord.tpsc.tech/
Get your business endpoints tested by us: tpsc.tech/
Contact us for business: thepcsecuritychannel.com/contact 
Наука
I could have sworn I've seen something like this before, but instead of a sponsorship, it was for discord game testing scams. Insane how widespread it's getting.
Honestly, fell for one of those "Discord Game Testing" scams. Tried running the so-called "game," got hit with an error. Took me two days to realize it, checked all my accounts-no login, no spammy ads or malware. Lucky break, but still had to force logout and change all passwords. Lesson learned: steer clear of these scams, folks. A momentary lapse can lead to a world of trouble.
Discord game sponsorships are different, they wanted you to run an actual exe which predictably gives you malware
So I shouldn't advertise my game on discord?
@@fireninja8250 perhaps you still can, just don't ask them to run an exe file right away, or at least tell them to do the testings in a virtual machine.
what is insane that people will trust some random emails, not catch up on the weird email addresses, then download zip files, unzip them, and run additional programs requiring passwords - THAT is amazing, I mean - this isn't rm -rf and enter, there are red flags all through out that whole email convo, and still people fall for that crap
Listen guys, never ever run or open any files that are password protected. There is almost no reason to encrypt stuff like that other than malware or personal data.
Except if its expected to trigger antiviruses, like pirated software would
@@liforra Unless you antivirus triggers at hacktools, or keygens, it's probably for a good reason.
@@liforra pirated software does not mean you should interact with it. Pirated content is infected more often than not
@@fraznofire2508 honestly that is incorrect, i do actuallx pirate software and honestly, as long as youre a bit careful its really not that bad, but dont open isos those are suspicious because thexre usually not used as archive
As a experienced hacker, I must say that never ever open any file without checking with a reliable AV(not including Windows Defender).Even if it looks a like a legit Microsoft Windows file, still check it.We learnt that lesson with NoEscape.exe, which looks like Windows Defender itself.
"My operating system is TempleOS"
Can't hack the oracle
GEOS 2.0
linux is more than enough
@@n0tjak I would argue that you haven't really understood the video. It is very likely that they also have a payload for Linux, which would be pretty easy to generate since the user is effectively executing it, Linux trusts the user (mostly) and there are less defense mechanisms on Linux against this type of attack (since it was increadibly rare in the past)
@@wernerviehhauser94 true
this is a very effective way to get around not only Defender but also all the other sandbox-based solutions because what it effectively does is use the password you type in as the decryption key. Many sandboxes will try to interact with UI elements so a simple message box is not enough but asking for user input is because no sandbox out there will know the password. And the reason why it doesn't trip afterward is that defender does the bulk of its scanning before the file is run with only minimal heuristics at runtime.
But if you open this file in a sandbox, won't that still protect your system? Isn't that the purpose of a sandbox?
@@wannabedal-adx458 I'm not talking about the sandboxes that a user might use (like sandboxie), I'm talking about the automated malware analysts sandboxes that run the sample in a clean VM each time and record everything the sample is doing (like cape sandbox).
This is why we should always right click on a downloaded file and see properties to confirm that a file is what it claims to be (e.g. a PDF shouldn't be identified as an executable program)
Show file extensions should be on by default.
And don't enter a "password" to "unlock" a file.
@@raylopez99 password protect files are actually quite common. You just REALLY need to know where it's coming from, and best case scenario is you can open and edit it in a secure virtual environment.
@@youdontneedmyrealname Yeah I've played around with type 2 virtual environments but I've never had a legitimate password protected file sent to me for business, and I've worked in Silicon Valley on multi-billion dollar deals back in the days (90s and 00s). Maybe it's different now, I dunno I'm retired.
@@raylopez99 I work with medical records in my industry so encryption is a requirement for HIPAA compliance.
this stuff really scares me cuz of how many older folks fall for this
That’s why I installed Kaspersky on the pc from my grandmother
So do kids
older? I know people from almost every age group that have a high chance of falling for this and a lot of other seemingly easy to spot scams and malware. Not everyone is chronically online.
@@nezu_cc true, only being chronically online can you spot malware hehe
@@nezu_cc obviously dr obvious but older folks fall for way more often than anybody else
It seems pretty crazy that a recently downloaded application doing a specific action like, grab session tokens, wouldn't alert ~something~. I understand(glad even) them not scanning a file with a password but I can't think of many things that would do that specific action.
There's legit reasons for this, like if you're changing browsers and use its "import browser data" functionality. Although I do agree that there should be more in place to prevent these, it is a very fine line with high stakes, that must be tread carefully.
Indeed. I wonder why windows didn't say anything at all about running the unknown .exe?
@@theoldtruth1196 because it's not using administrator rights thus not requiring an Okay by the user and also not a certificate to show it's from a reputable source.
@@niccis1982They're talking about SmartScreen, not UAC.
don't the passwords are stored incrypted by some form? i understand cookies being not, but hmm?
I had such e-mails with the fake sponsorship. And I always wondered how it even works.
Thanks for showing me that.
Oh man how much i laugh when you said that the criminals are discussing about win11 being spyware and don't like competition 🤣🤣🤣 that's absolutely hilarious
Good, clear information. Very helpful. Glad you stressed that Defender will not protect you completely (in fact no software will) and that you need 'situational awareness'.
Thank you so much for your unbiased content. Please keep up the good work.
First red flag was the Email it was set from.
Some e-mail clients, particularly those made for mobile OSes (like iOS and Android) hide the sender e-mail address in order to provide what their UI/UX designers would see as a clean UI. However, many people who aren't tech-savvy, like my parents, wouldn't notice that it's possible to tap a not-so-obvious down arrow or the round profile picture to reveal the full e-mail address.
I've seen a few RUclips channels that have been hacked with this method. I guess the best way of protecting against this is to never log in to RUclips studio in the same computer that one uses to read the emails. Maybe a simple VM is enough, but definitely we need to be aware of these attacks.
Appreciate the info I’m just curious will you be making an updated video of the best antivirus that you can get or has that not been changed since 2023 because I’m kind of curious to get an unbiased rating again instead of just going to some other places that they might be biasedespecially with free antivirus would be awesome too
A lot of password protected files are common, and legit. For example, you want to buy the electronic forms of journal article, textbook or novel. So the PDF or whatever might be zipped and password protected. If you want to earn some money as a writer, it does not make sense to give full free access to all. Not everyone is honest enough to donate towards costs, etc.
I wonder, did other AVs caught it? I mean, Bitdefender/Kaspersky/ESET and such, using their behavioral model and other real time protection modules?
Intune Windows Defender will block it with ASR Attack Surface Reduction.
But who wouldn't get seriously alarmed by a password protected file AND the password in the SAME attachment? That defeats the purpose of pw protection unless you want to bypass security.
You would be surprised...
@@3polygons you're probably right and I shouldn't be surprised, knowing the average pc user.... but still
Often video games have this, but still a video game should be much larger
@@yspegel Have you ever worked in IT tech support? You would be surprised at the amount of people using computers who understand next to nothing about computers nor have any computer security training or knowledge. I work in school IT as an IT tech. We run several phishing campaigns per year and its astonishing how many people, even "higher ups" who fall for them. We've had several people flat out enter their email and password into one of our phishing campaigns because according to the email, they're supposed to "validate their account information".
if someone solely uses windows defender i always tell them to use configuredefender/group policy editor to increase the protection level to high plus or zero tolerance and the cloud check time to 60sec. defender’s actual behavioral capabilities have always been really weak
linux is better
Instead of doing that I would recommend using defenderUI to lock it down
Its just easier
@@enderagent every time, you're a self perpetuating meme.
@@archduke0000 I'm confused on what you are saying, I believe this is the first time we have encountered, unless you remember me from somewhere else? Do elaborate ❤
@@enderagent no, you're a waste of time. Copy paste troll spam somewhere else.
Ways to prevent getting hacked
Step 1: Don't Open Emails lul
when you tell the sender what kind of Operating System you have, like you might say Windows 11, you move to another Operating system, like Linux but in dual boot mode. And then open the Emails from there.
@@niezzayt3809use some locked down system like ios to open mails
It can also with other files and with BROWSER EXTENSIONS.
Use a whitelist, anything not on it is quarantined in a folder that only reads text/headers.
Relying an security software to protect you is like relying on a gun safety to protect you from an armed robber.
And it slows the fsck out of your computer, wasting resources and power.
@@cpufrost using "Whitelist" is still equal to "relying on" certain algorithm-which you might see it as software.
Whenever dealing with Emails, it's not only about security. It's about Social Engineering. How you manipulate your recipient is more important than the contents of the Email itself.
By pretending to lowering your guard can reveal the other party's true intentions.
Therefore, if a malware was designed to attack certain OS, it is way simpler to just open it in another OS where the malware is completely useless.
Great, _great_ video, Leo! 😊 Which (single) anti-malware anti-virus app would you recommend for use with Windows Defender?
@XenoD2 Indeed, it does !
@@XenoD2to my knowledge win defender will turn off win you install MB
Does Kaspersky’s heuristics detect it?
I'm actually curious to see if it gets detected by the modern antiviruses (Kaspersky, Malwarebytes, BitDefender etc).
Boosting this, would like to know as well
Thanks for the concise but insightful video!
Would it be possible to do an analysis of how this same scenario would play when passwords are behind browser's protections (Edge's Windows Hello or Firefox's Master Password) or when using Passkeys? Thanks!
edge has windows hello?
you mean to say microsoft edge wallet?
windows hello is a windows feature not a microsoft edge feature
@@anywaytechreview they mean that edge asks you to login using windows hello to reveal passwords
I once log in my school's computer (dumb move), after 15mn my account was logged in another country, that's how fast viruses steal the cookies and transform accounts into spammers. After that day, I never log on other people's computer even families.
I'm guessing the school you attended used Windows but didn't use Active Directory with policies set to not allow users to run their own software. Also, it could've been possible that you attended that school at a time when they were still using Windows XP, because I know that one of the school PCs did get infected with malware that spread via USB flash drives and ran using an Autorun exploit that I think was patched out in Windows Vista or 7, and I only noticed the malware due to bad coding that saw it open another Windows Explorer (File Explorer) window with the folder pane open.
I also did get my Facebook account hacked once (back before they added 2FA support), particularly with it sending and accepting friend requests with people I don't know in real life, but it turned out that some bullies looked at me typing my password, and I only found out that it was done by bullies when a classmate tipped me off in person. I then changed my password and remotely logged them out. I can only imagine where those bullies are now.
This video makes it seem like you're discrediting Windows Defender, but you didn't really show whether other antiviruses can catch this thing. Code obfuscation techniques can disguise malware signatures, allowing them to evade some antivirus detection. You showed Norton giving a generic warning, but that's not the same as detecting the actual threat. It'd be good to see how some other antivirus programs handle this - does it sneak past them too? Maybe it's an issue for more than just Windows Defender. No antivirus is perfect, so comparing a few could give people a better idea of how hard this kind of attack is to catch.
basically this
Finally, someone with critical thinking
Thank you! He also spotted the email header was not genuine and at 1:30 you can see so many grammar mistakes in the email - "All right, let's get to jobs" - JOBS? / "read WITH the Magix contract" - WITH? (common when it's scammers, not the case when its from a legit company like Magix). Those should have been enough signs to stop in his tracks without pursuing this anything further.
And where is the VirusTotal scan of the exe file? That way we can see how the other antiviruses works against this threat.
I have seen this password protected attacks in the past . At some point in the process people need to realize ,, " Wait a Minute ! " . I delete all these things without delay . I do not collaborate with any message that involves many steps or has links to the " Best new video " or " The great new shampoo " etc etc. I do not need an email to find out these things when there are hundreds of other avenues to use. :O) thanks for the share . ( The brain is meant to be used )
But the passwords only leaked if you saved them on the browser? Or are they being able to hit bitwarden and getting from the add-on??
Good question
what sandbox product do you use to run the malware tests ? do you use VirtualBox with a host adapter?
I love how Outlook already suggests responses before i even opened my mails...
I don't know about the recent OS implementation. I guess that decryption and code execution are separate processes so anti-malware can intercept execution of the decrypted code. Is it right? If I remember correctly, code pages are RO (read-only) so, self-modified code became unusable at the some point of OS development (table jump style coding was also affected for a while).
Great video. You just made me like relying on windows defender a bit more. 2 minutes in, and i have seen more flags thrown than a football game.
That's why I'd recommend a proper firewall (there are free ones) that catches every unusual outgoing connection and asks you if you want to allow it or not, because the most dangerous connections are not incoming but outgoing.
Hello there, I just watched the video and you said there's no reputation check in Windows Defender. However, there is a feature called Smart App Control which does rely on reputation. This could be avoided by having this feature enabled, right?
Does Kaspersky flag anything from that type of attack?
PC security channel, do you recommend adding another antivirus software to wins antivirus system like $Norton or kapersky free edition?? Thanks for this info, look forward to your future videos! Now subscribed 👍🏼 Thanks again 💯
Thanks, Leo, for this 2024 update on this sneaky tactics. Poor WD 😅 and if WD starts to include Rep based, it can be chaotic for many!!🎉
Great video as usual
To a wary user it doesn't look like big threat - there are multiple red flags.
But many dumb office workers would potentially eat the bait.
i tried to make an account via my hotmail & gmail accounts and the site said they dont accept addresses from them . what should I do?
Thanks! And how about Portmaster firewall? Does it protect better?
How exactly does the file work? What does it do? Is there any way to detect it? Is it a PDF, or does it have multiple extensions? I typically ignore attachments, unless I absolutely know who sent the attachment and why. However, if I happen to have any weird PDF's on my system, I'd like to know about them. I don't have any password protected ones. I'm pretty sure about that.
NO. That's not a PDF. That's an executable (application).exe The icon is a pdf. But the file extension is .EXE !!! 2:08
Did you even watch the whole thing, it's literally written there by him.
@@FrostlifeV That's not what he said at 2:08
@@FrostlifeVOP is right
Yes, I thought I was losing it, video should be corrected. He makes it seem like a PDF will execute if you put the password in and steal your cookies. I literally had to freeze it a few times to make sure it was an EXE and not a PDF when it's listed in the zip folder as an application and Leo said it was a PDF. I was like what exploit is this in PDF I have to look out for now? Also wish he stressed how every time you use windows to make sure file extensions are not hidden. It happens, still love the Channel.
@@jaydoubleyou780 exactly this. the filename is shown by norton and has exe extension. if It's a PDF exploiting software than it can be mitigated .. Anybody knowledgeable about computers should know never to run stray executable from random person. micrsoft makes it too easy for malicious to prey on the unsuspecting because they hide the file extension by default and again by not flagging an executable that grabs browser data as unexpected and possible harmful behavior. MS hates nirsoft tools but a random executable has free reign to do basically the same thing so it seems.
Leo how this work in Emsisoft Antimalware >>?? Do you think Emsisoft go take with Behavior blocker?
THANKS A LOT, GREAT CHANNEL
I was consider trying out flare, but I can’t find any pricing… Like, do they actually provide prices anywhere? Because I sure as hell can’t find it, yet in their FAQ they state they have a "transparent pricing model". Cool cool, maybe add a link on that FAQ to prices?
Makes it look sketchy as hell, so I’m out.
serious question, is it going to make a difference if we're not connected to the internet when we open this malware? and how about after we click it, we do an offline scan? would it be detected as malware?
You are awesome Thank you!! 💯
Watching the video, I had a question. I use Bitwarden for password security in the browser. Is it possible for a virus to steal my passwords in this case?
How good is this with Malwarebytes..
Does not accept email addresses from Rogers, Live, Yahoo. What good is it?
I am working on my Secruity+ and the hacks nowadays are getting so good especially with AI this going be hard af job.
Brilliant! Encrypt the payload and have the user enter the encryption key. AV wouldn't detect anything but the decoder stub and seemingly random data even with sandboxing.
Is it also possible to pull data from the Bitwarsen plug-in, for example. Or is something like that rarely the target of attack?
And if I log out, it doesn't matter because the token will then be deleted and even if the password is known, 2fa is still active, right?
no 2fa and a strong password is not te solution because the steal the whole session So the get a file (cookie) who say ur loged in. The onli thing is logout everytime. Thats why FB and google wont do anything because then the can not track you anymore. Good luck. I was hacked bu a bad extension. If the stole the bitwarden extension login pass i dont know. Good question.
the moment i log out their session is over right. Because it's the same login token ? But they still keep the Passwort ?@@Alextelefoon
If you use the extension in a browser you are at risk. Always run the program and cut and paste in to sites.
@@OH2023-cj9if even if log out automatically every time I close the browser?
Leo you mentiones that this info stealer steals username & pass form the browser ....iven i you have independant password manager like lastpass?....can you simulate this malware with bitdefender, kaspersky, sophos home..can you do a video if these cybersecurity products can block or top the intrusion of sending and receving traffic.... i hiley presciate if you can make a vid as mentioned..thanks for the awareness Leo!!
Could you do a browser security tier list?
How does this work with Defender Security Baseline being pushed by InTune to prevent process spawning?
It'll be fun to reverse engineer the payload, any chance there will be a video about that?
You can see where your emails are coming from when you hover your mouse in Windows 11 with Xfinity and google email but not on the phone. Is there a way on Android to see what the sender id is? My relatives that use their phones a lot have run into trouble with email before on their phones.
Assuming you mean the official Gmail app, then that, the official Outlook app, and Apple 'Mail' (iOS) hide the e-mail address and only show the sender name. The user is expected to tap on the round profile picture to the left or a not-so-obvious down arrow to reveal the full address.
Not sure if anyone mentioned, but it say Application under the Type when looking in the file Explorer
nowadays brower protection and antivirus sepcific to avoid these malwares but even it in place they malwares get inside in enterprise but still siem tools might detect these hardware even in firewall dose these even those there will be detections or leftover might present , any way a great vidoe
So, what other anti-malware tool(s) could have protected against this kind of threat, if any? Thanks for posting!!!
Kaspersky and most likely Bitdefender
@@draculemihawk10i think you are talking about the premium plan of kaspersky, but what about the free plan?
Well it's obviously not a pdf, it's an executable application, so don't open it
those do not scan password protected files either do they?@@draculemihawk10
make sure to check every file you download to make sure its actually what you think it is.
dont run unknown filetypes, and REALLY dont run unknown exe files
Thanks a lot, I'm been reciving mount of this type of email.
What about Kaspersky? Curious if AVs like those do catch it
“farbar recovery scan tool English”, hello I just got downlod this file automatic and don’t know why, I got Malwarebytes and avg install together i also got Hitmanpro but I just got this file installed automatically and also when I just checked with virustotal I just detected the file as a malware. What should I do? Does the file is a third party extention for hitmanpro? Or what I’m not sure because this has not happend to me before so I do not know what to do
Does applying more strict options for security (such as what DefenderUI more easily exposes) in defender result in catching this?
I supposed a larger question is, why can anything else read the browser's data, without requiring a privileged escalation prompt or outright browser/system exploit? Shouldn't this be exactly the sort of thing which is only readable by the program it belongs to by default?
I have a dedicated folder for downloading any suspicious emails, and NTFS permissions are set to deny execute (ALL) in that folder. It's not much, but it's one extra onion layer.
How come the actual password stealing payload didn't trigger the AV once it was decrypted and running?
I believe it's because the malware exploits Windows Defender only scanning the file before running and initially running. The fake password prompt tricks the user into triggering the malware infection on command after Windows Defender had finished scanning.
@@kbhasi Ah, that makes sense yeah.
How it elevate permissions? Did not see any prompt.
all i need to do is read the third line of the email and i know, ''What is MAGIX? Is the easiest way to create music on a computer'' broken english is a immediate red flag, even without that thou i wouldn't open a link from an email i didn't know, especially if its just a bunch of random letters and numbers
Will configure defender or asr rules help in this matter? BTW, i only see your testimonial in flare.
Yes, ASR will prevent it..
Could you please test that malware on kaspersky and bitdefender ?
What kind of website is app flare? I was about to register but it doesn't even accept gmail address lol
some time ago I click on the pdf attachment of a scam email, I had avast av back then, It said it was pishing virus, but when I clicked on the pdf It automatically open on microsoft edge. after some time I reseted the pc and changed all my passwords, Am I safe? sorry for bad english
So how do they do it , what's the catch ?
can you be a little bit more technical, is the password protected pdf launching an encrypted LaZagne? Is it using Powershell at any point? Im surprised they need to ask the OS, seems a bit dumb
this would explain why im getting so many scam emails
How many years later and Email is still a way that people get hacked? Education must never stop.
Ooh, I love Magix Music Maker for PS2! "I'm 'bout to break in!"
Does it work against the "new outlook" app?
Bro really uses malware fake sponsors give him to test and make videos on. This is how you fight back.
How do they get in to your accounts without the actual passwords?
Maybe talk to your sponsor and tell them to be a bit more clear on the pricing, god forbid let ppl know what it costs before registering.
Can u test the malwarebytes Google extension please?
Hmm...how can I try Flare if it doesn't accept Gmail email addresses?
Well the Flare trial didn't go so well it refuses any gmail email address. Or hotmail, or Outlook, or Proton brb buying a server, installing Linux, and creating my own email server....
with every day pass ,the chance of your pc infected in increasing , now it all need to open password protected zip file to get hacked 😫
Believe 2FAs should block access to accounts?
I have a blank grabber on my PC that I'm testing on myself, and oddly enough, I could not extract the exe file from a password protected zip file. But that could be due to having a shitty script
I have a question, how to safely run no escape malware on virtualbox?, thanks a lot
Q: if one Windows PC on a home wifi network is compromised by someone opening one of these PDF attachments, are other Windows PCs on the same wifi network at risk of infection?
hey , can you please have a video of this malware gets detected by other anti virus ? thinking about buying anti virus
Paid versions often try to justify their cost by adding on features that aren't often all that useful. Try some of the free versions of antivirus solutions. In testing they are just as good as the paid versions often, just with less stuff added.
It also means that you'll have at least some idea of how resource intensive an antivirus product is, or if you find it irritating, for example if there are a lot of false positives.
Damn, I did this attack over 15 years ago with a zip of "private images" of a popular guy in school. Every girl fell for it.
but why the antivirus don't scan the code while its being executed instead?
How does it execute even though it is password protected? I'm not too familiar with Windows executable files but I think its because the PDF contains a payload or its just a password protected exe disguised as a PDF.
An actual pdf would be password protected and the reader would ask for it. In this case it's probably password protected to run the actual payload, and not to "unprotect" the document.
I'm not an expert in cybersecurity by any means, but I have a theory that the actual payload to "hack" your device is encrypted, and so it's unintelligible so the antivirus can't tell what it does (because to it, it seems like a bunch of garbage data). And when you enter the password, it tries to decrypt the payload using that password, and after verification, the decrypted payload is executed.
@@VoAviation Would a PDF viewer voluntarily execute an encrypted "so called PDF" file?
@@chiroyce A PDF viewer would do nothing (or throw an error) because this is an EXE file disguised as a PDF. It does not actually have any PDF inside that the reader can read.
As far as I'm aware that's all correct. It's just an exe with a pdf icon (not actually a pdf that any pdf reader can recognise). And all that exe does is open another exe that is encrypted/password-protected which is how it can avoid detections.
I have Defender already disabled, so I guess I'll take that as win!
can you make an updated 2024 version of "Free Security Tools Everyone Should Use" , and also test MiTeC Task Manager DeLuxe free?
Completely innocuous ...
How naive someone has to be to be hit by this?
Can you do Kaspersky Plus vs WannaCry please?
from now ,i will never open password protected zip files
What if all apps use One Time Password that changes every time and sent to your mobile as text message .. unless they hack your phone which is bit difficult, the computer info will be useless ..
most malware creators have put windows defender bypasses built-in, since it is enabled by default.