Can Malwarebytes protect from malicious Batch programs?

[Bun]

I opened a Batch program and it started deleting files on :C. The batch was obfuscated, so I wasn't able to decode or read what it does. I found it when it started deleting my files when it had some access denied errors.  It did deleted a good amount of my files that made the programs on my desktop unavailable (missing) . On start up, it made another batch that shuts down my PC on boot up. Although my PC is still functioning, I do not want this to happen again. I have Malwarebytes Premium on Windows 10. Is there an option or program that can warn me when a program is trying to delete my files before it happens?

Thanks.

[AdvancedSetup]

No, we don't parse batch files. When you say it was obfuscated that doesn't seem to make sense. Batch files need to run the exact specified commands known to the system. If it was an EXE that then decompressed or was a VBScript file, those support obfuscation. Do you have more details or a copy of the file?

We do detect certain batch files known to be part of an attack threat but that is so low key and rarely used we don't see it much.

 

 

[Bun]

Sorry for the late reply :(. I finally recovered my old hard drive after that pesky batch destroyed it. I think I do have a copy of the bat file, should I upload it here?

[AdvancedSetup]

Yes, please zip it up or rename the extension to .txt first.

Thanks

 

[Bun]

Okay, another .bat program like this happened to my friend last week that made me remembered this back. This is 4mb, pretty big, idk if it can be deobfuscated.

hxxps://drive.google.com/open?id=0Bxptc4WBfjERbXVEcTlVZ0NDUUU

Thanks.

Oh, I forgot to say, if I remember when I opened the batch file, it asked for an ip of the website and username. I think I was trying to get myself unban from a website. I plug those in and pressed ENTER. I had Malwarebytes 2 premium at that time.

Edited January 31, 2017 by AdvancedSetup
removed live link to potentially dangerous file

[AdvancedSetup]

An interesting huge mess of a batch file. I'll point our Research Team here but not sure there is that much we can do about it. It's running valid batch commands.

Thank you

 

[shadowwar]

Where did this come from and where was it located on your pc?

I removed all the garbage from the file and was left with 45 lines.

This removes the .minecraft directories and c drive root directory with the RD command.

All the mojang stuff it says is just distraction for it to delete the files. It never contacts out of the pc.

Rule of thumb if something promises to unban you, its Malware. Its simply almost impossible from the pc end.

 

 

 

[Amaroq_Starwind]

If malicious Batch Files and/or Power Shell scripts haven't already been addressed globally, I think a quick and dirty solution would be to try actively sanitizing such scripts if they contain suspicious commands, like for example, rd c:\*\. This is just one of many instances where Data Sanitation would be very important...

[exile360]

Malwarebytes already protects against malicious scripting through exploits (which is the prominent way such tools are executed, including batch files, VBS files and others).  A case like this is an extreme edge case, and especially these days most users know better than to download and run unknown batch files from the internet.  At one time we did consider disabling batch files and other script file types as a system hardening security precaution, however we decided against this since again, these cases where no exploit or Trojan is used to download/execute the script are extremely rare and because these days most users know better than to run such files from untrusted sources (if at all) due to the potential for harm (there are literally internet memes that have existed for years about tricking users into executing batch scripts containing commands like "format C:" etc., and countless media outlets, both technical and mainstream have warned against downloading/executing such files for years).

Sanitization wouldn't do anything in this case since there is technically nothing overtly malicious about removing a directory via a standard Windows command, even if it is attempting to remove everything in the root of C:\ (which is bad scripting anyway, so whoever wrote it wasn't very smart as they should have used something more universal for scenarios where Windows is installed on a drive other than C:\ such as %SYSTEMDRIVE%).  If anyone tried to write a sanitation algorithm to detect malicious scripts of this type, it would take countless years and would never be complete given the sheer diversity of methods and targets that could be used to badly cripple a system and/or annoy someone (for instance, consuming all system resources just by launching an unlimited number of completely harmless threads/tasks to consume all CPU and RAM in order to bring the system to a halt; you could accomplish this with nothing more than notepad, calculator, or even just Explorer windows/instances).  There was a time when such "attacks" were quite common, however those days are long past now that the primary motivation for threats is financial gain.  Back when it was just hackers and college kids playing pranks and trying to see what they could do with cleverly written scripts this type of lame attack was quite common, but today threats are virtually never so transparent or destructive without some kind of incentive for profit (hence the demise of file infectors and the like and the rise and dominance of ransomware and similar threats).

Edited December 6, 2018 by exile360