
Let's say a malicious actor publishes a piece of software that calls a screenshot function (e.g. Graphics.CopyFromScreen() or the UIAutomation Framework in .NET) every so often, but doesn't notify the user of that. I download and install that software.

Assuming that the software is signed with a valid publisher certificate, I have a few questions around that:

  • Would that screengrabbing behaviour be detected by an(y) antivirus solution?
  • If yes, do legitimate screengrabbing programs need exceptions in an antivirus program to allow that behaviour?
  • If no, will at least the exfiltration of the data be detected by the antivirus software? (I guess the exfiltration can happen in so many different ways that it's a bit of an arms race to see that bytes are being sent that encapsulate/encode the screengrab and not some form of telemetry, for example.)

I've been googling for a while but can't seem to find anything on the topic.

marvelade

2 Answers


Screengrabs are not malicious in and of themselves. So, there is no need for anti-virus or anti-malware to be suspicious of that behaviour. Every OS has some sort of screenshot program. But unusual screengrabbing can increase the "score" for suspicion.

What anti-virus or anti-malware will do is look at the behaviour in context and in comparison to all the other behaviour it has, or, if it is a known bad binary, it will detect it.

I used to run a commercial, non-malicious PC spying package that took a screenshot every time someone hit the enter key or clicked the mouse. (This was a very specific use case for a specific threat on a single machine, and the machine had a poster informing users of this). I needed to whitelist the package's processes in the anti-malware software we used because it was the combination of behaviours (screengrab hooked in the background to the keyboard and mouse actions in all processes and not just the screengrab program) that was suspicious.

schroeder

Your questions, point by point:

  1. There are many ways to grab the screen, and screen capture as such is not considered a malicious activity. So even if your executable is not signed, most AVs should not complain at all.

  2. If, theoretically, your AV is blocking the screengrab operation only, you need to understand what exactly triggered your AV. E.g. AVs could raise an alert if the Graphics.CopyFromScreen() API is flagged as a malicious API. If you still want to allow your app to run, your valid publisher certificate can be provided to the AV vendor so that API calls originating from your signed process will not be treated as malicious.

  3. Detecting data exfiltration is not easy at all. Only if your data is being sent to a domain that is already a known suspicious URL, or is present in the list of blocked URLs, will the AV alert on or block such exfiltration attempts.

Ashutosh Raina