Terminator Malware

10 May 2024
93,641 views

Terminator malware disables CrowdStrike and Sophos, and claims to kill any antivirus, using a maliciously modified Zemana driver in System32.

Comments
  • So shocking that there's groups of people who are highly intelligent, but instead of using that for humanity, they decide to do this.

    @ncg8224, 10 months ago
    • These people do end up forcing "improvements" typically

      @KeenLaF, 10 months ago
    • Some people just want to watch the world burn

      @moogleking, 10 months ago
    • They’re not even highly intelligent. Anyone with an internet connection can learn to write a kernel driver, map it to a vulnerable signed driver, and build a robust root kit. The reason it’s “news” is because most of them are too incompetent to actually do this

      @fbiofusa3986, 10 months ago
    • It may be that society, their school, or their parents failed to give them the proper guidance or should have appreciated them without comparing them to others.

      @iamakash_, 10 months ago
    • It makes beyond a shit ton of money

      @Entropy67, 10 months ago
  • I remember in old, good days on my WIN98 I had a security program that was blocking every executable file. Only after explicit permission (one time or always) they were executable. Even secondary files sometimes required permission. Well, it made the PC secure but difficult to use.

    @andyspark5192, 10 months ago
    • That sounds like Vista's UAC

      @Dumb_Killjoy, 10 months ago
    • It might not be as accessible as what you describe but MS reactivated the Applocker feature in Windows again, at least for version starting with Professional upwards. So you can, if you know, which applications should run on your system, set up Local Security Policies that define what application can run and which cannot. Might be a starting point…

      @nonlinearsound-001, 10 months ago
    • Norton was like that... was picky but yeah safer i would say... but if you do the same as that antivirus do, you are the antivirus and its all good

      @MsTatakai, 10 months ago
    • Was it TeaTimer?

      @mrrobotvpn5012, 10 months ago
    • @mrrobotvpn5012 It was over 15 years ago. I don't remember it anymore.

      @andyspark5192, 10 months ago
  • Had it on my system. Emsisoft originally flagged the 2 .sys drivers, but after I sent them samples they dropped the malware designation. Subsequent scans with Emsisoft, HMPro, NPE and Kaspersky VRT were all negative. There were no running processes and since I used Zemana portable a few years ago I didn't think much of it until this video. I subsequently scanned it with MBAM and quarantined them. Thanks Leo.

    @gordg3, 10 months ago
  • this is absolutely fantastic to know. I'm still learning a lot of what feels like basics in tech safety. and I always feel like I'm learning something new from you :)

    @prairie_court, 10 months ago
  • I find it frightening that someone might combine AI with viruses to create intelligent malware that can adapt to changes and exploit people's weaknesses.

    @feynstein1004, 10 months ago
    • It's not a might it's when.

      @ShawnStrickland, 10 months ago
    • @ShawnStrickland Pretty much 😕

      @feynstein1004, 10 months ago
    • That's a common misconception that AI exists in the first place. Some might wrongly assume viruses are already doing that when in reality they are only doing what they are told to do. Same for any "AI" up there. True AI does not exist.

      @andrzejandrzejski229, 10 months ago
    • But you could also use AI to detect and prevent exploits; I still believe malware will always be 1 step ahead though

      @jett4603, 9 months ago
    • @jett4603 Fun Fact or not so fun. We are never ahead of malware! A firewall only stops something it knows that is a virus. Meaning if a new malware is uploaded to the market your Firewall probably will not be able to detect it until it is too late (like your immune system). However there are bait PCs that record this and give the Info on the malware to big Firewall distributors (IP Fire or smth). (At least that is what I still remember from half a year ago when I had a module on firewalls.)

      @byF4b1, 9 months ago
  • I use AV all the time, I have heard many people say that it is a waste of time, but I disagree, The AV may not be perfect but it at least adds some form of protection against Malware. Having a small AV is still going to be better than having none at all. Think of an AV like a Car Seat-Belt, it may not save your life in a car crash but it will for sure help in doing so, and hopefully it will save your life (Hence why you should ALWAYS wear your seat-belt). And as for people who say "use your common sense", everyone can fall for these Malware/Virus attacks, even Linus as you probably know got his channel hijacked proving my point. Common sense is not perfect at all, the best thing you can do is be vigilant and cautious with what you are doing.

    @thephoenixking1086, 10 months ago
    • It makes sense if you know how security works on a PC ie: you are a security specialist. Otherwise any website can be infected with malware without Google actually mentioning it. It makes no sense to disable your AV if you are a regular user.

      @Puda, 10 months ago
    • I would still use an AV on my PC even if I was the most knowledgeable Malware Specialist on the planet, a bit of extra protection is better than none at all. But yeah, I agree with the rest, It is scary that Google themselves are spreading Malware by promoting fake websites (such as the OBS clone that steals your info). You really can't trust anything these days unless you already know what you are doing, this is why when my friends/family ever need help with software, I will do it for them since I know what to look out for.

      @thephoenixking1086, 10 months ago
    • Linux Defender

      @capulini, 10 months ago
    • diligent is another word you could use, but you are definitely right, it is safe to use antivirus even if you may not need it

      @RjKumar111GunnerRj, 10 months ago
    • Great comment!

      @mr.chinmayajoshi2688, 10 months ago
  • This only works if you disable UAC. Backup offline and often in case of disaster.

    @gtech66, 10 months ago
    • u sure?

      @cutiepie5884, 10 months ago
    • most people are not stupid enough to disable UAC.

      @neilwilson5785, 10 months ago
    • @neilwilson5785 Most people are too stupid to find UAC.

      @iburuma3621, 10 months ago
    • I had done this when I thought I knew better, but then after learning a bunch more, I understand it’s better to at least get notified if something is requesting admin privileges. I have it in the lowest setting, so it doesn’t break my workflow, but it’s abrupt enough that I don’t mindlessly accept it.

      @Skiman__, 10 months ago
    • @neilwilson5785 haha hahhahaha hahaa

      @griffin1366, 10 months ago
  • Seriously I find it odd that people disable UAC, Smart Screen & then complain when shit goes wrong. Seriously though, there is another example of a company that needs to pay for abusing driver level files & doing so poorly so that it gets used.

    @DePhoegonIsle, 10 months ago
    • It's easier to fool people than to make them understand they are stupid

      @mixit247, 10 months ago
    • The situation we're in right now is far better than what it was. It was the fact that Windows usually got bad rep when it comes to security instead of the oh-so-useless Security Center, then starting from 8 they beefed up by having Windows Defender be the default, and further in 10 they update the thing even adding layers like Smartscreen.

      @user-zezezozodarkdomains, 10 months ago
    • smart screen pretty much never works. It alerts you about 90% of files because it thinks they are suspicious. So you soon start to allow everything without thinking. Not to mention that this is sending all your files names into cloud. UAC is also annoying because many software and games require admin to work properly so advanced user trying to use basic account would have to enter password 20+ times per day.

      @artorias550, 9 months ago
    • @artorias550 "that this is sending all your files names into cloud" The same as how every executable got digitally signed and certified, and outside of Windows, basically how every app being marked as "safe for public deployment" including and especially mobile apps. UAC is and you're living in 2007-2008, since 2009 very few if any apps require true admin access and those that did has only Yes/No answers, which brings the risk to the users alone.

      @user-zezezozodarkdomains, 9 months ago
    • @artorias550 I think Windows need to add some sort of setting for UAC that enables like a 5-10 second delay before you can press yes, on any user so you have to sit there and stare at the prompt to make sure you actually read what you're accepting.

      @SunnyWu, 8 months ago
  • You know what would be even scarier? ...if Terminator created an impostor process with the same name, icon, and memory usage as each antivirus process it terminated, so you couldn't notice their absence from a glance at the task manager. It might be way easier than the previous steps, it would not involve tampering with antivirus files. Although it might involve writing a new application to disk and launching it, which sounds like the hardest thing to get away with if even one thing like windows defender is still functioning. I imagine any new thing the virus does has a risk of detection, so if its goal is anything other than to lie in wait like a keylogger, it should sprint to the goal.

    @teslainvestah5003, 10 months ago
    • Process ID and launch time could still be used to identify that something nefarious happened.

      @stevebabiak6997, 10 months ago
    • That was as old as XP itself, it was infamous around 2010s as an impostor service control host

      @user-zezezozodarkdomains, 10 months ago
  • for anyone wondering how the driver was abused at all: it was simply a driver that you can consider 'vulnerable' there are hundreds, maybe thousands of these drivers laying around in the wild, and it is simply due to them having some exposed way to access the driver. this eventually leads to them being able to directly invoke kernel functions from usermode or perform r/w operations as if they were kernel, this is dangerous. this has been used multiple times in what people call 'kernel driver manual mappers' or used in game cheating to bypass usermode restrictions of kernelmode anti-cheats like Easy Anti-Cheat or Battleye. microsoft themselves and anti-viruses like Avast have tried themselves to purposely catch these vulnerable drivers being loaded, and they have added MANY vulnerable drivers, just the developer of this malware simply found one that was not blacklisted by AVs yet, and used it. definitely interesting it being used in malware since i've only seen it be truly used in game cheats.

    @mulct4727, 10 months ago
  • They did what I needed back when sophos was causing me issues and it wouldn't uninstall 🤣

    @DJAlexParker, 10 months ago
  • Hey bro u should do a video of a Expired Kaspersky License vs Malwares! It would be a very interesting video cause my subscription ended like a month ago and I would like to know if it’s protecting my PC since there’s no other video like that in KZhead rn. Thank you and keep the content! It’s awesome and entertaining to watch

    @octavio4167, 10 months ago
    • From my experience, you can always trust Kaspersky. Their product is superior, just my opinion🙂

      @LakadMatatag2702, 10 months ago
  • Well, if you have admin you can do what you like anyway, so getting the User to run it is going to be their trick for sure.

    @cpuuk, 10 months ago
    • This is pretty new because it bypasses AV self protection modules.

      @MaksKCS, 10 months ago
    • Good video Sophos now encouraged users / admins like they always did btw to install the client as a user not under an administrator account also for sophos home premium plus if you would have a windows login or pin you would need to know this before you are even able to turn self defences off on the machine and as you also said keep them out anyways but true it’s kind of new that it is possible this way and also they will never know the password to my admin dashboard with 2fa

      @joepjoep9531, 10 months ago
    • I don't think so. Getting a user to run something with their own (probably Admin) permissions is not very difficult at all. There are many different techniques that disguise executables as other types of files, and someone not paying attention could casually grant administrative privileges. It's actually not uncommon, and now your antivirus is essentially useless with this because it can kill it once you're compromised. Your antivirus can't do shit. Basically it proves that antivirus above the grade of what comes integrated with Microsoft are nearly a waste of time, because they can be directly killed the moment a mistake is made. You need to be even MORE careful about what types of files you run and exactly why there is an admin request popup on your screens. Never trust an outside file. Run everything through virustotal.

      @Entropy67, 10 months ago
  • Thanks for the great effort

    @shilorigo6359, 10 months ago
  • Covered on Malwarebytes June 6, on Trendmicro May 2, and Bleeping Computer on May 31. Lots of people posting questions about why their antivirus is blocking this “driver” after these publications. Apparently using Google is too hard for some people.

    @trivalentclan-mizar9591, 10 months ago
  • Wow, just found it on my system..I don't know if this is a remnant file from when I installed Zemana years ago, as the file date is from 2018, and I don't know if it's just been sitting there or not, but yeah.. I don't remember my AV shutting off though, so I guess there's that.

    @Shuubox, 10 months ago
  • this is why you never ever use an admin account for day-to-day use

    @ezruy, 10 months ago
    • I use nothing else. But common sense is still required as you normally don't run every exe as admin after downloading, especially if you didn't download it intentionally. The admin account still asks you to run your exe's as admin if it requires some admin access and you still need to set the checkmark to "run as admin" to do so. We even had a game/program that wouldn't run on a normal account (don't remember the name), even when "run as admin" was checked. It really required an admin account for some reason.

      @powerpc6037, 10 months ago
    • @powerpc6037 there are ways to bypass UAC and run as admin using certain API calls. The user will get absolutely zero indications that this has happened unless they are specifically monitoring the related processes. The only way to prevent this is to use a non admin account.

      @ezruy, 10 months ago
    • Yup this is the Way...

      @christopherleubner6633, 10 months ago
  • Yet another reason to never use an interactive logon session where the owning identity holds local admin rights.

    @50PullUps, 10 months ago
  • I love how of ALL AV, McAfee actually detects it 😂😂🤦‍♂🤦‍♂

    @HazyJ28, 10 months ago
    • Other AVs may also be able to detect it. As vt analysis may not be the exact way of telling whether an AV is detecting it or not. It's been detected by Eset as well.

      @Tomb_Raider123, 10 months ago
  • I have a question if you install an software and ends being a is malware software right. And supposed it sends all chrome history of the session to the hacker does that count like a cookie? like he can do stuff on their computer or not. Like my already logged on session mess with or the to login etc. maybe im not making sense. I’ll appreciate it :)

    @Bryxint, 10 months ago
  • This is relatively simple to make - for a specific vendor - even without reverse engineering the AV/EDR itself. Just there are many vendors. But for someone selling this that would not be a problem. The issue is it will get detected after it's found in the wild, and then standard cat n mouse game. Most of the self-protection I've seen so far in commercial AV was laughable. At least as long as you don't just lock down all administrative access - which is not viable.

    @JohnDoe-ln8jp, 10 months ago
    • Interesting, why do you think it is laughable? I thought MS made some progress with the whole AMSI/ELAM process allowing AV drivers to load before everything else and protecting malware from replacing it etc.

      @pcsecuritychannel, 10 months ago
    • For enterprise locking down administrative access is the default, if you need admin credentials you ask someone to do it for you with justification.

      @TheFPSPower, 10 months ago
    • @pcsecuritychannel that would be ELAM, AMSI is something that allows scanning scripts (like powershell) before executing them (and often causes more problems than solves). yeah, entering kernel space might be an issue, but most of those detections, incl proper hooking, are not implemented in the driver, instead they control the driver. ELAM is more of a way for early protection before the system services can do their job as they're not running yet. if you have admin privileges you can mess up those services, incl sending shutdown/pause command to any ongoing monitoring inside the driver - for most products. though I don't know how that works in enterprise grade EDRs, I've only ever used one, and didn't try to do anything untoward to it at the time :)

      @JohnDoe-ln8jp, 10 months ago
    • @TheFPSPower true, but then again the malware in the vid wouldn't work then either. unless it only needs admin priv to drop the zemana driver, then it would work if you already had it

      @JohnDoe-ln8jp, 10 months ago
    • @pcsecuritychannel all you have to do is get kernel access. All this does is manually map its code to a vulnerable kernel driver. Windows defender doesn’t even hook the most basic Win32 API calls, so I find it hard to believe they’re able to actively hunt down day one malware that’s running in root 0

      @fbiofusa3986, 10 months ago
  • An interesting EDR/AV bypass technique that is being used by ransomware operators currently is using legitimate antirootkit tools, like TDSSKiller, PowerTool, GMER, etc. As EDR/AV is effectively a rootkit, this approach can work well. I wonder if this Zemana AntiMalware driver technique is similar. One of my tasks when I start work tomorrow will be hunting for this Zemana driver, and adding custom detections to our EDR should it appear... and yes, we use one of the EDR's this thing terminates!!

    @richardh9071, 10 months ago
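
One way to express the custom detection this commenter plans, as an added example that is not from the video or from any commenter: it triages driver-load events for the two .sys file names mentioned in this thread and separates an old leftover on a host that runs Zemana from a freshly dropped or renamed copy. The event fields, the signer string, the host names and the thresholds are assumptions.

```python
"""Triage driver-load telemetry for the Zemana driver discussed in this thread.

Added example. The event layout, signer string, host names and thresholds are
assumptions; only the two .sys file names come from comments on this page.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

NAMES_FROM_PAGE = {"zamguard64.sys", "terminator.sys"}  # named by commenters
SIGNER_HINT = "zemana"   # assumption: substring of the sensor's signer field
FRESH_SECONDS = 3600     # assumption: "written just before load" window


@dataclass(frozen=True)
class DriverLoad:
    host: str
    image: str          # full path of the loaded driver
    signer: str         # signer name as reported by the sensor
    file_created: int   # epoch seconds when the .sys file was written
    loaded_at: int      # epoch seconds when the kernel loaded it


def triage(event, hosts_with_zemana):
    """Return (verdict, reasons) for one driver-load event."""
    name = PureWindowsPath(event.image).name.lower()
    by_name = name in NAMES_FROM_PAGE
    by_signer = SIGNER_HINT in event.signer.lower()
    if not (by_name or by_signer):
        return "ignore", []

    reasons = []
    if by_signer and not by_name:
        reasons.append("Zemana-signed driver under an unexpected file name")
    if by_name and not by_signer:
        reasons.append("known file name but signer is not Zemana")
    if event.host not in hosts_with_zemana:
        reasons.append("no Zemana product inventoried on this host")
    if 0 <= event.loaded_at - event.file_created <= FRESH_SECONDS:
        reasons.append("driver file written shortly before it was loaded")

    # An old file on a host that runs the product is the leftover case several
    # commenters describe; two or more reasons together get escalated.
    if not reasons:
        return "expected", reasons
    return ("alert" if len(reasons) >= 2 else "review"), reasons


def hunt(events, hosts_with_zemana):
    """Map host -> verdict, keeping the most severe verdict seen per host."""
    rank = {"ignore": 0, "expected": 1, "review": 2, "alert": 3}
    worst = {}
    for ev in events:
        verdict, _ = triage(ev, hosts_with_zemana)
        if rank[verdict] > rank.get(worst.get(ev.host), -1):
            worst[ev.host] = verdict
    return worst


NOW = 1_690_000_000  # constructed reference time
DRIVERS = "C:\\Windows\\System32\\drivers\\"
SAMPLE_EVENTS = [  # constructed telemetry, not taken from any real host
    DriverLoad("WS-01", DRIVERS + "zamguard64.sys", "Zemana Ltd.",
               NOW - 5 * 365 * 86400, NOW),
    DriverLoad("WS-02", DRIVERS + "qxkzt.sys", "Zemana Ltd.", NOW - 20, NOW),
    DriverLoad("WS-03", DRIVERS + "Terminator.sys", "Zemana Ltd.",
               NOW - 90 * 86400, NOW),
    DriverLoad("WS-04", DRIVERS + "ndis.sys", "Microsoft Windows",
               NOW - 400 * 86400, NOW),
]
HOSTS_WITH_ZEMANA = {"WS-01"}  # constructed software inventory

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reasons = triage(ev, HOSTS_WITH_ZEMANA)
        print(ev.host, verdict, "; ".join(reasons))
```
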
  • I wonder if core isolation can detect this driver as an issue

    @pivangaming8578, 10 months ago
  • Can you make a separate video on crowdsec for personal windows user or Linux user

    @1DAREDEVIL, 10 months ago
  • Surprised this is possible. I always assumed that if a process is run as protected (which antiviruses run at) then it required the process itself to terminate it (which had to be signed by the same certificate as the antivirus itself) precisely for this reason?

    @davidfishwick5573, 10 months ago
    • All you need is to find a vulnerable driver and exploit it. If you put together a small group of really smart and malicious losers with too much free time and alcohol, they can find one in less than one month.

      @PunakiviAddikti, 10 months ago
  • OK ,so what's your advice then ? If something which has established superb performance over the years (like Sophos has done) ,can be bypassed and shutdown ... well ... what end-users can do to protect themselves then? --I really considered Sophos as the "pinnacle" of protection all these years , when i see something like Sophos being shutdown (0:40) it's like i'm witnessing a *security-nightmare* !!

    @Sitharii, 10 months ago
  • I wonder if it works better than Sophos own SophosZap to kill broken installs ;D

    @7rich79, 10 months ago
  • Can You test ClamAV and compare it with Avast, Comodo... other free AVs?

    @user-tk5ru4hi9g, 10 months ago
  • How is the driver loaded at runtime? I know there are ways to do it, but most of them require vulnerable drivers to be loaded, so this should be detectable, anticheats in videogames also detect it. I also started only downloading from trusted sources.

    @ardwetha, 10 months ago
  • Hello, I have a process in the task manager that is called "Book vopeme" and it runs a service called "Gnomebeatmapme" I believe it is malware I tried killing it before using the process explorer, I tried deleting the files, I tried deleting the registry keys but I can't access them and tried cleanbooting the laptop but I couldn't even disable the service and it shows up as unknown in virus total what should I do?

    @yamenaly3219, 8 months ago
  • Thanks for this video

    @timetorelaxfocus9642, 10 months ago
  • Can you please compare free antivirus to the premium basic offerings? like avast free vs bitdefender free and against bitdefender antivirus plus

    @GalaxyXYZ888, 10 months ago
  • I mean trying to shut down comodo firewall as admin is impossible you can shut down the GUI but the kernel process still runs obeying its rules. You have to uninstall it even then you need a tool to get rid of it all. But imagine when they have malware that uninstalls your AV/FW turns off UAC in the background with no GUI windows now that will be something.

    @HonchHeado, 10 months ago
  • the registry exclusions thing is a thing I discovered 2 years ago but never said XD and I put malware and stuff

    @heart755, 10 months ago
  • Unless I missed it, or did not understand it, I did not see what it is that a victim would have done to get infected.

    @NoEgg4u, 10 months ago
    • You have to click yes to a pop up in order to get infected, but if you don’t notice any suspicious drivers in your system32 folder and your AV is still up and running, you’re not compromised

      @domdomdomme1203, 10 months ago
    • Since it is just an .exe there are a variety of ways to deliver a payload to a victim. It could easily be disguised into something like a game crack or cd key generator, in a classic way. Or you could use one of those fancy new pdf urls to trick people into running an exe. Lots of ways, unfortunately.

      @felicityc, 10 months ago
    • @felicityc True. But we have an entire video warning about the dangers of this malware, and they gave no warning on how someone becomes a victim of this malware. For those that are not computer savvy, they are left worried about this malware, without a clue on how to avoid being a victim of this malware.

      @NoEgg4u, 10 months ago
  • Also, would Comodo sandbox thwart this from destroying system?

    @teddym2808, 10 months ago
  • This won’t work with WDAC and running as a standard user, which most corps are now doing.

    @joshuakerekes6457, 10 months ago
  • I received 3 days ago a random email with a .ics file (iCalendar) and I didn't open it, just flagged it as spam. I did some research and I found out that a .ics file could have a URL from a website/server which is running viruses to install. Please make a video or remind people to not open random unknown emails with attachments. Usually, unknown random emails contain lots of numbers and letters in the message. The message is harmless but the attachment is the bomb.

    @cris33311, 10 months ago
  • Does this still turn off let's say ESET when you have a password you have to put in to make any changes or uninstall it in the AV itself?

    @skippystyles, 10 months ago
  • I’m basically a noob when it comes to such things, but why for the love of god does it take the AV vendors so damn long to just blacklist this? I mean at this point it’s out for over a month and still only at 8 detections according to Virus Total

    @domdomdomme1203, 10 months ago
    • since it requires the checkmark "run as admin", I guess most AV depend on your common sense to not run unknown exe's, especially with that checkmark enabled after some download is complete, and won't bother to implement actions to blacklist it

      @powerpc6037, 10 months ago
    • @powerpc6037 I set UAC to the highest level possible now just to be safe

      @domdomdomme1203, 10 months ago
  • can it run on winehq linux 😮

    @hiru92, 10 months ago
  • Kudos for being a Rossmann fan

    @Stadtionalist, 10 months ago
  • So... It needs to ask you run as admin.. then it can do anything... Just like any other program that runs as admin. What's surprising?

    @DominicFlynn, 10 months ago
  • When are you going to test antimalware software again ?

    @Theloverboy2987, 10 months ago
  • What about COMODO?

    @alessandro3950, 10 months ago
  • I heard that the creator of this later was arrested?

    @AdventuresInDolphintown, 7 months ago
  • It's sad people focus on attacking a lot more than defending.😒

    @wildstorm74, 10 months ago
  • What happens when a version like this virus disables UAC and survives an OS reinstall, lives in the motherboard's bios, etc.

    @JamesSmith-sw3nk, 10 months ago
    • How much memory in the BIOS?

      @markae0, 10 months ago
    • Is that even a thing these days? I thought it wasn’t possible anymore.

      @Puda, 10 months ago
    • how much memory is ur bios ? 100mb? xD well if they can make small enough to fit in ur bios memory

      @arc8218, 10 months ago
    • Wow good idea😊

      @turkiyett0928, 10 months ago
  • I think I have this how do i get rid of it im so scared Edit: i factory resetted, it seems to be gone

    @PicaroPlus, 9 months ago
  • Damn I need this just to uninstall Norton

    @phartmandius, 10 months ago
    • I once tried to uninstall my Libre Office. It keeps saying that the msi file doesn't exist anymore and won't continue the uninstall. I gave up for a long time and then when I come back to this stubborn program, I just downloaded an arbitrary msi and put it in the right folder, renamed it to the required name and then Boom, the uninstall process suddenly went smoothly LOL.

      @LakadMatatag2702, 10 months ago
  • Can you record content of *Pegasus Spyware* ?

    @Last_Dragon_Warrior, 10 months ago
    • I talked about it in the antivirus for your phone video.

      @pcsecuritychannel, 10 months ago
  • now the things are going dangerous, i was thinking as long as you have any premium antivirus running ,you are safe 😢😢😢 now that time is not far enough when people says " if you want to stay safe ,dont use internet""😤😤😤

    @mkumar04, 10 months ago
    • Anti-virus doesn't block 100%. It will always be a cat and mouse game. Funny you say, don't use internet. When I was a kid, I actually wrote a small malicious script (it would eject your disk drive at random intervals, yeah I was bit of a rascal back then). You can spread stuff like that offline too you know through social engineering. If I remember correctly, on Windows XP, I was actually able to inject it into the Windows startup too. A couple friends got somewhat mad at me. lol

      @SunnyWu, 8 months ago
    • @SunnyWu you are saying, you are not safe in any way? be it online or offline??

      @mkumar04, 8 months ago
  • Round 2 I will see them both my audio wasn’t bad the first time but nice quick fix for those who had problems with the audio

    @joepjoep9531, 10 months ago
  • Why does no one mention comodo firewall its defense function scans these files in the cloud they picked this up ages ago.

    @HonchHeado, 10 months ago
    • The company hasn't updated since 2021.

      @SunnyWu, 8 months ago
    • @SunnyWu Actually it has and still works good. Say hello to Winny the poo for me Mr CCP LOL

      @HonchHeado, 8 months ago
  • I have an old laptop around 10 years so it saw some action. The windows defender flagged zamguard64.sys in system32 today as a serious threat detecting the trojan:Win64/Spyboy!MSR is this a potential threat or does it mean that I got infected with that virus already? No folders were encrypted or anything. And besides starting with only ms services and running a full scan what should I do?

    @pm29c, 9 months ago
  • P.S. Please don't use it to make malware))) Respect the three ).

    @jGRite, 10 months ago
    • You think bad actors are gonna listen?

      @casualamber, 10 months ago
    • You only say that if you are one of 3 mindsets. 1. A complete & utter fool 2. Covering your ass legally because you know what it can do 3. Covering your ass legally, while winking at the true purpose.

      @DePhoegonIsle, 10 months ago
    • It's like those people who post copyrighted content on KZhead and say "copyright infringement not intended" or people who put "for educational purposes" on a dangerous video. lol

      @SunnyWu, 8 months ago
  • Terminator.sys won't load with secureboot and tpm 2.0

    @pat93ziger, 6 months ago
  • I wonder if Kaspersky free can stop the terminator Malware. I use both Kaspersky free and Malwarebytes free. Kaspersky has kept my system clean. Malwarebytes confirms no malware on my system. Kaspersky will want you to remove Malwarebytes, but they both work fine on my system.

    @TomokoAbe_, 10 months ago
  • Let's say i got the malware and i dont want my data i just want to remove the virus and make my computer run again with no problems what should I do?

    @Igloomemes, 10 months ago
    • Then reset it. If you want some data, you can copy it into a USB and scan the USB with an antivirus without admin rights

      @1p2k-223, 10 months ago
    • You could reinstall the OS or start from an USB drive with an antivirus and try to clean your system.

      @igorthelight, 10 months ago
  • so how to avoid getting infected?

    @postedinthecut1565, 10 months ago
    • just dont disable UAC

      @arc8218, 10 months ago
    • Use a condom.

      @SunnyWu, 8 months ago
  • The best method is don't download anything you do not already know what it is and where its coming from. I've been online since 1992 and had a virus 1 time ever and it was in the very beginning of computers. Ever since then I am exceptionally careful of what I click on and what I download.

    @realWorsin, 10 months ago
    • Or rather find a reliable source to download from. I am from Vietnam and I once downloaded Grammarly premium from an unknown source and my laptop was infected. But I also downloaded a lot of cracked software from Vietnamese sites and they never scam me, the cracked software always works. So you know my moral story, only trust my Vietnamese site when it comes to cracked software (I heard that these sites got the software from the Russian sites and then upload it to their page, but whatever).

      @LakadMatatag2702, 10 months ago
  • Bitdefender Total Security Vs Kaspersky total security Vs Terminator Malware

    @WololoWololo2, 10 months ago
  • What about McAfee?

    @johnsmith1953x, 10 months ago
    • ask the guy from @Terminator-le1ye , he showed that Kaspersky gets disabled 

      @andyspark5192, 10 months ago
    • ​@@andyspark5192 link please

      @mkumar04, 10 months ago
    • As you can see in the video McAfee is able to detect this threat.

      @Tomb_Raider123, 10 months ago
  • So now we should start protecting the Antivirus from virus? 🥺

    @edwinpj7637, 10 months ago
  • The terminator terminates

    @moogleking, 10 months ago
  • Well, of course. If you have admin privileges you can do anything. That's why you should do all of your normal activities as a user.

    @terry5008, 10 months ago
  • 6:45 ...got "Distracted"

    @dipoharryo6419, 6 months ago
  • LOL i actually called my PC The Terminator

    @NightOwlGames, 10 months ago
  • McAfee: HA! You can't kill me, if I trash the OS first

    @NotXiAnzheng, 10 months ago
  • So the "meme" McAfee is one of very few who was updated quickly to detect this. And Malwarebytes. Hmmm. BD and Kaspersky as of the time of this comment still just let it fly on through.

    @teddym2808, 10 months ago
  • Kills Defender? Sounds great, where can I download it?

    @MadMaxRoadFury, 10 months ago
  • You should never trust anything that takes admin privileges anyways

    @andyvitz, 10 months ago
  • 2nd time asking to make a video on djvu/stop ransomware and .ooza extension ransomware

    @4k.69, 7 months ago
  • It won’t work with Deep Instinct. Lol! Technology has moved on.

    @user-vu2ou5wj9k, 8 months ago
  • Simple fix Delete task manager

    @ColdestSiren, 10 months ago
  • I don't understand why literally every program needs admin rights

    @drinkintea1572, 10 months ago
    • It's to prevent attackers running malicious programs, collecting your data, corrupting your files, executing programs in your task manager, changing your computer's settings without your notice. If you have an AV, it will detect most of these threats.

      @philr.2661, 10 months ago
  • I back up my entire computer system every 2 weeks. In the event malware or ransomware infects my computer, I can just wipe out my hard drive and restore it. Simple fix!

    @TomokoAbe_, 10 months ago
    • @@yougoonie3338 That already happens to those using -Amazon- *Scamazon* devices, at least it happened to one guy. Source: "Amazon accuses customer of racism & shuts down their smart home - ENOUGH CLOUD JUNK!" video by Louis Rossmann

      @ruben_balea, 10 months ago
  • That's so inconvenient for Microsoft and the NSA. Now they have to close the security hole and create another one. You evil security researchers... shame on you.

    @zzador, 10 months ago
  • Hmmm . . .let's see what we've got here . . . $ cd "C:\Windows\System32" -bash: cd: C:\Windows\System32: No such file or directory

    @DaveAdams222, 10 months ago
  • Dear TPSC, I hope this letter finds you well. I'm writing to express my excitement about your upcoming video on creating a custom Windows 10 and Windows 11 Lite ISO file for low-spec laptops. Your expertise will undoubtedly empower countless individuals to optimize their computing experiences. Thank you for your dedication and contribution to the technology community. Best regards, Rasal Kumar Shaw

    @rasalkumarshaw3565, 10 months ago
  • First one yo thanks for the good content

    @ChethanYadav, 10 months ago
  • 👍

    @guilherme5094, 10 months ago
  • It's horrible wow

    @PanteraPanther, 12 days ago
  • This only works if UAC is disabled. Don't get fooled

    @ThatYahoo, 10 months ago
  • I don't wanna see these videos fofff

    @Vy-ud1by, 8 months ago
  • You deserved to be hacked if you are using Sophos.

    @marlin5898, 10 months ago
  • SHOULDN'T SOMETHING AS CRITICAL AS TASK MANAGER BE PASSWORD PROTECTED, AT LEAST AS AN OPTION???

    @jbodden6977, 10 months ago
    • There is a GPO to disable task manager available. However this doesn't prevent users from using commands such as Taskkill to achieve the same.

      @davidfishwick5573, 8 months ago
  • The only AI we can trust.

    @MikaelKKarlsson, 10 months ago
  • The only bad thing about something like this is someone taking that code and improving it. It happens all the time, the whole black hat market is full of people that will backstab you. Thus stuff like this is more likely to fall apart since nobody helps anybody.

    @lordfatcock, 10 months ago
  • "Russian hackers". Oh dear...

    @edcollante, 10 months ago
  • Early nice

    @andrive, 10 months ago
  • Antivirus that can be turned off or doesn't stop every virus is worthless and a class action lawsuit should be brought against every last manufacturer of the software. What is the point in buying antivirus software?

    @CarbonGlassMan, 10 months ago
  • millionth :)

    @KoKoTAdamzzz, 10 months ago
  • Not first :)

    @agnieszkagensieniec2609, 10 months ago
  • So the best antivirus is your common sense

    @LightADSLG, 6 months ago
  • first :)

    @h7df, 10 months ago
  • dislike works yeah

    @Cobra17790, 3 months ago
  • First If you’re a real one then you know it’s a reupload.

    @DeDroplet, 10 months ago
    • It seems you're last.

      @johnsmith1953x, 10 months ago
  • First!.exe

    @renewagain6956, 10 months ago
  • First

    @sturmalpha7288, 10 months ago
    • How did you comment 6 minutes ahead of the video's upload time?

      @officalcassiopeia, 10 months ago
    • @@officalcassiopeia I'm a malware

      @sturmalpha7288, 10 months ago