VoodooShield/Cyberlock

Does VS use dot net, or are you just typing random things??

 

https://www.wilderssecurity.com/threads/voodooshield.313706/page-286#post-2496593

 

hehehe, VS uses a total of 4-7 languages(I would have to count to be sure), but mostly .net since it is native to windows.

Off the top of my head, VS uses VB.net, C#.net, C++, and even pascal for the installer, but I am sure I am forgetting a few languages that VS uses.

I think I am getting close to figuring out the freeze bug... it turns out that after increasing the number of concurrent threads, there were some issues in the VoodooShieldService.

It normally would not take this much time to isolate a bug, but as you guys have seen, it usually takes 2 or so days for VS to freeze, so that makes it quite difficult to reproduce the issue, especially when there is no logging to go by.

I have not heard back from Vlad yet, but I suspect that he would have to look at the code to be able to give me an idea of what might be causing the issue. I am just going to keep adding log entries until we figure out where the bug is... that is really about all we can do in this situation. I bet it will be something very simple in the end. In a way it is good because this "thorough ddebugging" has uncovered a few other bugs... so soon we will be in great shape.

BTW, has anyone tried the stand alone version of VoodooAi? If so, what do you think? From what I have seen, I think it is just about right. Thank you!

 

Where can I download it (may be add to your signature?)

 

#10513
www.voodooshield.com/Download/InstallVoodooAiPortable90.exe

 

Thank you Kees and Mood... I will add it to my signature right now!

 

Just a quick note that VS BETA v3.26 seems to run just fine on my system (Win10 x64 w/ WSA, MBAM, MCShield). I have not run Chrome since installing this version but will test and report back.

 

Cool, thank you for letting me know! I am patiently waiting for VS to freeze again so I can hopefully trap the error this time! Once we can isolate the bug, I am certain it will be super easy to fix.

 

@mood: Thanks for the link.

@VoodooShield: First impressions

1. I assumed it needed outbound connection. Info on what protocol and port to allow in firewall would be nice
2. Tried three programs a Microsoft signed and two unsigned. I got confused on the rating and the slider position.
3. An hourglass or moving progress bar with the tekst "rating uploaded programs" would be helpfull

Picture explains it all I hope

 

Cool, thank you Kees... I will check out what ports are required.

The results (actual numbers) appear to be correct, but I think the "," is messing everything up... everything is set to use a "." . What are your Region Settings in the Windows Control Panel set to on your computer? I can set mine to that and fix this bug. Cool, thank you, I can add a progress bar as well. Thank you!

 

I just scanned 403 installers with VoodooAi, using the default balanced sensitivity. There was no malware amongst the installers, but there were some PUPs and no doubt some would have used OpenCandy or something similar to install unwanted extras.

Out of all the installers, 75 were detected. Some of these could be classed as unwanted software, but some had no reason to be detected (even the installer for VoodooShield 3.0.4.0 was detected), and as mentioned previously there was no malware.

 

Cool, thank you for testing Roger! I will get the blacklist scan results and compare all of the files and post a spreadsheet with all of the results. Yeah, I noticed that the old VS installers tested really high... the reason is because they are being detected as having an invalid digital signature... which is something, as the VoodooShield developer, that I need to fix on my end in VoodooShield.

 

BTW, do I have your permission to post the file names of the installers? If not, I can just post the numbers... I do not want to post anything that might be considered private. The data is being scanned right now with the blacklist... it will take a little while. Then I will go through and sort all of the data and see what we find!

 

I will say that this test will be interesting because there is a lot of greyware in these samples... but I have faith in VoodooAi, I have tested the heck out of it, so I know what it is capable of. Then again, if the results turn out bad, we can always tweak VoodooAi and make it better . Either way, this will be one heck of a test... it is a phenomenal / tough sample set to kinda put VoodooAi through a stress test . We might even want to compare the old algorithms to the new ones that Roger uses... just to see how much it has improved (or if it even did improve), if Roger would be willing to upload these 403 samples using the old version of VoodooAi. Just a thought!

 

Yes, that's fine Dan.

 

Cool, thank you!

OMG, there was a lot of greyware in that sample set... it was a great test for VoodooAi, since greyware is always by far the most difficult type of file to analyze. Like, if a file is a Microsoft Windows OS file, that is obviously a safe file. Also, it is easy to determine that a really bad ransomware file is malware. But with greyware, sometimes you simply never know... even if you scan with VT, VoodooAi and run it in Cuckoo sandbox... although whenever there is a file there the blacklist scan and VoodooAi do not agree, I analyze it with Cuckoo and basically 2 out of 3 wins (for the most part) .

Anyway, here are the results... I could only identify 3 samples where VoodooAi clearly missed the mark... but I think given the sample set, 99.25% is very, very good for VoodooAi. There are a few other samples where one could make a compelling case that VoodooAi missed, but we would have to run them through cuckoo to find out for sure, and honestly it probably is not worth either of our time.

In the end, there were not 75 detections... there were 14 unsafe detections... keep in mind suspicious does not mean unsafe. And of those 14 unsafe detections, 8 of them had invalid digital signatures... I am not saying that they did not have digital signatures, I am saying that they had digital signatures, but they were invalid for one reason or another, which is a major signature of malware. The VoodooShield installer has always tested safe, but recently something weird happened with our old digital signature, and now it is being called invalid... I will have to figure that out. Also, looking at the raw VoodooAi data, I can easily see why VoodooAi would think that these files were unsafe... Developers have a duty to help the security community by following certain coding practices, so that the security community can more easily distinguish malware from benign software, but unfortunately, they do not always fulfill their responsibilities.

Here are the results, please let me know what you think! And consider renaming the folder with all of the installers to "Greyware"! Just kidding .

www.voodooshield.com/artwork/RogerTest.xlsx

 

I guess what I am saying is that if a file has 10+ or so hits on the blacklist scan OR VoodooAi is above .9000... then SOMETHING is wrong with that file. Well, actually, if the VoodooAi scored probability is above 0.5000, then something is wrong with that file most likely. Anyway, that is why you need both the blacklist scan and VoodooAi... they make a phenomenal combo. I would LOVE to see someone who could find something that could slip through both.

 

Dan, I've just had a quick look at the spreadsheet.

The file uploader_setup.exe whic is detected as unsafe is NoVirusThanks Uploader.

There are a items listed as suspicious which ideally should be listed as safe. However, I do realise that the label "suspicious" does not necessarily imply that a file is bad.

 

Hmmm, that is odd because most of the time NoVirusThanks software tests very, very clean with VoodooAi since they are great coders and write great software. I downloaded the portable version, thinking it would test lower, but it tested even higher . The reason I wanted to try the portable version is because most software installers have DEP and ASLR disabled (I am not sure why all of the major installer software does this... there must be a reason), and so this is already 2 strikes against the file, as far as the 30-50 features VoodooAi uses.

Basically what I am saying is that VoodooAi will always have a more difficult time with installers as opposed to standard portable executables, especially if they are not signed, which is the case with uploader_setup.exe along with the portable version. But given the fact that most malware are not installers (yeah, I have seen some that are), but most are not, this actually works out pretty well for VoodooAi because it is more adept at analyzing standard portable executables then it is analyzing installers.

Another major factor that can cause VoodooAi to be higher than usual is if the file is overly obfuscated... it is okay to use reasonable obfuscation, but a lot of malware is obfuscated into oblivion, so VoodooAi sees this as a strong indicator of malware.

VoodooAi certainly is not perfect, but it is extremely adept in catching zero days and unknown malware... and that is the whole purpose. Plus, I think it is a good thing to let the user know that if a file is super clean, or is suspicious. The more informed they are, the greater the chance they will make the correct decision on whether to allow a file or not. Thank you!

 

The file path is generated during automatic maintenance during system idle. The numerical string is randomly generated during maintenance - either manual or automatic.

The file path must be whitelisted -- I suppose using a wildcard * or ??............. - etc in place of the numeric string.

 

I have one CCleaner packed with CTB Locker and AI show it is clean file (Download fake CCleaner):

 

Is CCSetup506_Slim.exe an offline installer or does it download the ransomware executable ?

Could also be the way it is packed...

 

I put together ccleaner and CTB Locker with IExpress (i think, it was 1 year ago).

 

I've never messed with IExpress, but my guess would be that the self-extracting file is digitally signed with the Piriform cert ?

I don't know... just a guess. Perhaps there are other file attributes assigned to the setup file during creation with IExpress so that it flies under AI's radar.

Perhaps all file attributes are completely stripped away when creating a setup file using IExpress ?

If you run the self-extracting setup, then the ransomware should be detected upon execution.

 

It's now a old ransomware and mighty not even work but in picture below you can see Virus total score and sign (Malwr.com analysis).