Message 1 of 13
Exploit attempt during installation of LAN driver

2016-01-16, 21:32

Hello!  I was attempting to get a LAN driver via Lenovo's System Update utility, version 5.7.0.19 when I got smacked with something nasty.  I don't see where to attach a screenshot of my shield's report but it's an "Anti-VM mitigation" with the Lenovo product named as the application.  Ironically, right before I initiated this, I read an article on Lenovo's having revamped its Solution Center software due to remote code execution vulnerabilities.  I thought this software wouldn't be affected but I was mistaken.  This is a K450e desktop running Windows 10, if it's relevant.

 

1.  Is the above version the most current one?  If not, what is the latest version?

2.  Does anyone have a more detailed explanation about this exploit?  I also had a stack/pivot exploit mitigated about four weeks ago during a routine reinstall of Windows 8.1 :smileymad: and I'm not too sure what that is either.

 

Hopefully, Lenovo sees that probably all its software programs are potentially exploitable, based on this one incident.

 

I really appreciate any information.  No malware downloaded, by the way.

 

Edit:  This occurred during installation of a deferred download, not during the download itself.  I apologize.

 

tNtftb

  • Message 2 of 13

Re: Exploit attempt during installation of LAN driver

2016-01-17, 15:31

Hello,

 

What is the security product that your "shield" is a component of?

 

"Hopefully, Lenovo sees that probably all its software programs are potentially exploitable, based on this one incident."

 

Have you tried downloading the LAN driver without using LSC? I run a lot of security, but I manually download from Lenovo's Support page. I have not had a problem.






Microsoft MVP Consumer Security 2006-2016 / Windows Insider MVP 2016-Present
I am not employed by Microsoft or Lenovo.

Using Browser Search to Find Your Answers In Lenovo and Moto Community
  • Message 3 of 13

Re: Exploit attempt during installation of LAN driver

2016-01-17, 15:51

Ah, thank you for responding. I have HitmanPro Alert and this is very effective alongside my firewall suite.  Because it's part of the operating system, the block was recorded in Event Viewer and I don't know how to extract that report or load a screenshot of this serious finding.

 

Where on the Support Page do you find the drivers and other things, because Windows 10 sure wasn't fully operational for me; you have to scrounge around for the finishing touches, it seems.   I'm also looking to uninstall most if not all of the Lenovo software; however, when I go to uninstall the Lenovo Optimizer, it tells me the exe is running and to close that first.  I don't know how to disable that exe, maybe someone on these forums knows that?

 

Maybe I'll reinstall some of Lenovo's software at some later point, but it seems a little hairy to use any of them right now.

 

Does anyone know what an "Anti-VM" exploit is?  Would really appreciate some info, thanks.

 

tNtftb

 

  • Message 4 of 13

Re: Exploit attempt during installation of LAN driver

2016-01-17, 17:06

Scratch the request for help with uninstallations, that's done with. I'll rummage around on the Support Pages and see what I can accomplish with getting that driver.  Would like further info/help with the following:

 

1.  The stack/pivot exploit (blocked) contained ransomware :smileymad:, according to Event Viewer, namely red errors with all the typically targeted areas like Media Player and Volume Shadow Copy Service.  I can't find much of anything about this Anti-VM.  What is this?

 

2.  Should the One Key Recovery be kept?  I read some conflicting ideas about this, some find it useful, others don't.

 

 

Thank you!

 

tNtftb


Re: Exploit attempt during installation of LAN driver

2016-01-17, 17:46


Virtual Machines (VMs) are used by analysts to infect their test computers. By doing that, they can do reverse engineering and contain the malware in a closed or VM environment. Anti-VM techniques are what malware uses to detect whether a system is running a Sandbox/Virtual Machine/VM environment. If no VM is detected, the malware installs on the system.

 

HitmanPro and HitmanPro.Alert are good products. Its Virtual Machine Simulation "Vaccination" is designed to make VM-aware malware believe it is attacking a sandbox/VM. That would cause the malware to self-terminate. In the last year or so this detection has been added to security products because of ransomware. I doubt that the products you mention are ransomware. I'm not sure whether HitmanPro was flagging LSC or the file that it was attempting to download. You may want to ask at HitmanPro's forum. They have one at Wilders Security.

Depending on whether your K450e has been tested by Lenovo, yes, there may be a few needed tweaks. 

I don't know why you wouldn't want to keep OKR. Someone else may want to comment on that.






Microsoft MVP Consumer Security 2006-2016 / Windows Insider MVP 2016-Present
I am not employed by Microsoft or Lenovo.

Using Browser Search to Find Your Answers In Lenovo and Moto Community
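The VM-detection-then-vaccination idea described in the post above, as an added example that is not HitmanPro code or anything from the original thread. It simulates both sides over a constructed host snapshot: the artifact checks commodity VM-aware malware commonly performs (guest-tools process names, guest-tools registry keys, the VMware and VirtualBox MAC OUIs, and the CPUID "hypervisor present" bit), and a vaccinate step that plants decoy artifacts so the same checks report a VM and the malware's own install-only-on-real-hardware logic refuses to run. The artifact names are the publicly documented ones; the snapshot contents, the HostSnapshot type and the way decoys are represented are assumptions made for the example.

```python
from dataclasses import dataclass

# Artifacts commodity VM-aware malware commonly checks for. Process and registry
# names are the stock VMware Tools / VirtualBox Guest Additions names; the MAC
# OUIs are the well-known VMware (00:05:69, 00:0C:29, 00:50:56) and VirtualBox
# (08:00:27) prefixes.
VM_PROCESS_NAMES = {"vmtoolsd.exe", "vmwaretray.exe", "vboxservice.exe", "vboxtray.exe"}
VM_REGISTRY_KEYS = {
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
}
VM_MAC_OUIS = {"00:05:69", "00:0c:29", "00:50:56", "08:00:27"}


@dataclass(frozen=True)
class HostSnapshot:
    """What the detection code can observe. Constructed for this example."""
    processes: frozenset        # running image names, lower-case
    registry_keys: frozenset    # registry keys that exist
    mac_addresses: tuple        # "aa:bb:cc:dd:ee:ff" strings
    hypervisor_bit: bool        # CPUID leaf 1, ECX bit 31 ("hypervisor present")


def vm_indicators(snap: HostSnapshot) -> list:
    """Return the reasons this host looks like a VM/sandbox (empty list if none)."""
    hits = []
    hits += [f"process:{p}" for p in sorted(snap.processes & VM_PROCESS_NAMES)]
    hits += [f"registry:{k}" for k in sorted(snap.registry_keys & VM_REGISTRY_KEYS)]
    hits += [f"mac:{m}" for m in snap.mac_addresses if m.lower()[:8] in VM_MAC_OUIS]
    if snap.hypervisor_bit:
        hits.append("cpuid:hypervisor-bit")
    return hits


def malware_would_install(snap: HostSnapshot) -> bool:
    """The decision logic the post describes: install only when no VM is detected."""
    return not vm_indicators(snap)


def vaccinate(snap: HostSnapshot) -> HostSnapshot:
    """Plant decoy artifacts (the 'vaccination' idea) so VM-aware malware believes
    it is inside a sandbox. Here that means fake guest-tools process names and
    registry keys; the hypervisor bit and the MAC OUIs are left alone because
    they are CPU/hardware facts a user-mode decoy cannot change."""
    return HostSnapshot(
        processes=snap.processes | {"vmtoolsd.exe", "vboxservice.exe"},
        registry_keys=snap.registry_keys | VM_REGISTRY_KEYS,
        mac_addresses=snap.mac_addresses,
        hypervisor_bit=snap.hypervisor_bit,
    )


# Constructed snapshots: a bare-metal desktop and a VMware guest.
PHYSICAL_HOST = HostSnapshot(
    processes=frozenset({"explorer.exe", "svchost.exe", "setup.exe"}),
    registry_keys=frozenset({r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"}),
    mac_addresses=("00:e0:4c:68:12:ab",),   # Realtek OUI, i.e. a real NIC
    hypervisor_bit=False,
)
VMWARE_GUEST = HostSnapshot(
    processes=frozenset({"explorer.exe", "vmtoolsd.exe"}),
    registry_keys=frozenset({r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"}),
    mac_addresses=("00:0C:29:3A:7F:01",),
    hypervisor_bit=True,
)


if __name__ == "__main__":
    for name, snap in [("physical", PHYSICAL_HOST),
                       ("vmware guest", VMWARE_GUEST),
                       ("physical, vaccinated", vaccinate(PHYSICAL_HOST))]:
        print(f"{name:22} installs={malware_would_install(snap)} "
              f"indicators={vm_indicators(snap)}")
```

Two things worth keeping in mind when reading an "Anti-VM" alert from a behavioural product. First, what the monitor observes is the lookup of these artifacts, not who is making it: an installer that legitimately checks whether it is running in a VM before touching hardware issues the same process, registry and CPUID queries a VM-aware dropper does, so the alert on its own does not establish malicious intent, which is consistent with the false-positive possibility raised later in this thread. Second, decoys only cover artifacts the malware reads from user-visible state; a sample that keys on the hypervisor bit or on timing behaviour is not fooled by vaccination, which is why the example leaves those fields untouched.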

  • Message 6 of 13

Re: Exploit attempt during installation of LAN driver

2016-01-17, 18:22

Ah, got it!  Really interesting, so helpful to me.  OK, I'm going to post this in the Wilders Security forum, it's worth pursuing to me. No, I didn't think the Anti-VM contained any encrypting malware, as there were no errors associated with that in Event Viewer.  With the stack/pivot, however, there was a line of red all the way down the page, horrible.  Yet no malware ever made it onto my machine, "just" some damage to my 8.1 operating system.  Hence, the Windows 10.  I see now why no malware got on here this time from your explanation. When I post this on the Wilders forum, I will load the report and one can then determine what exactly the vector was in the attack:  the driver file, Lenovo software, whatever.

 

HitmanPro Alert + Emsisoft Internet Security= great security and light on my machine

 

Plus, having some on-demand scanners like ESET doesn't hurt either.

 

OK, well, I guess the OneKey Recovery stays for now. 

 

Your input is great!  Really appreciate this, thank you.

 

tNtftb

 

 

 

 

  • Message 7 of 13

Re: Exploit attempt during installation of LAN driver

2016-01-17, 20:42

You're welcome. Thank you for the feedback. Posting on the HitmanPro forum sounds like a good plan. Their staff can be more specific than I as far as that particular alert.






Microsoft MVP Consumer Security 2006-2016 / Windows Insider MVP 2016-Present
I am not employed by Microsoft or Lenovo.

Using Browser Search to Find Your Answers In Lenovo and Moto Community
  • Message 8 of 13

Re: Exploit attempt during installation of LAN driver

2016-01-19, 16:56

OK, as stated, the issue is posted in Wilders Security forum, subforum "Other Anti-Malware" then HitmanPro discussion.  My post starts on page 335 and there's a lot of cross-talk.  Basically, there's a possibility this Anti-VM detection is a false positive but I'm still pushing for further attention to this issue.  Let HitmanPro research it then, and make the appropriate adjustments; it's not like only one or two people are using Lenovo software like the hardware scan, and consequences can be grave if any of the software is still vulnerable and you're not adequately protected.

 

Have a look!

 

tNtftb

  • Message 9 of 13

Re: Exploit attempt during installation of LAN driver

2016-01-19, 18:48


I'm glad that you posted over there. We do not know yet if this is a false positive. Here is the LINK to the HitmanPro.Alert discussion - just in case other Lenovo Community Members want to follow the topic.






Microsoft MVP Consumer Security 2006-2016 / Windows Insider MVP 2016-Present
I am not employed by Microsoft or Lenovo.

Using Browser Search to Find Your Answers In Lenovo and Moto Community
  • Message 10 of 13

Re: Exploit attempt during installation of LAN driver

2016-01-21, 02:09


You are right about Lenovo apps being useful to some users depending on needs. The moderator at Wilders offered to share his security setup. I did not want to take the discussion off topic, but I will be glad to suggest a security setup as well, so let us know in this Lenovo forum if you have any questions about that. It seems as though you are already quite knowledgeable. As far as another comment in that discussion, you can no longer do Windows Updates "selectively" if you are running Windows 10 Home. Pro is slightly better because WU can be deferred for a while, but it's not like Windows 8.1.






Microsoft MVP Consumer Security 2006-2016 / Windows Insider MVP 2016-Present
I am not employed by Microsoft or Lenovo.

Using Browser Search to Find Your Answers In Lenovo and Moto Community