VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Yeah, Dan was going to deal with dismhost.exe in the cloud, but perhaps that is a way for him to handle it. Dan?
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I need to get to bed, but I wanted to reply to this real quick ;).

    Are you sure the file will execute? According to malwr, it is not a valid executable file... "Error: Analysis failed: The package "modules.packages.exe" start function raised an error: Unable to execute the initial process, analysis aborted."

    If it will not execute, VoodooAi will consider it safe, here is why.... I mentioned this a while back on this thread when I was testing Cylance, and I noticed that they skipped A LOT of files in my malware packs... like 20-30% or so... so basically they were calling these files safe, even though the VT hits were high. I was scratching my head trying to figure out why, then I discovered that the files would not execute. So the more I thought about it, I finally figured out that they probably skip these files since they are not going to execute anyway, and it is a great way to reduce the number of false positives. So that is what I did with the new algorithms / models. I only used files that were valid PE files, that would actually execute in the training data sets.

    That being said... this could be a really cool test! If you could figure out a way to pack some ransomware into a legit file, and make it executable, you might be able to trick VoodooAi. If so, I should be able to tweak it a little to counteract this. But, keep in mind, if you do figure out a way to pack a file and make it executable, you will basically be monkeying around with the PE header, and I suspect VoodooAi will detect this immediately... that is what it does, it looks for indications that the file has been monkeyed with, and all of the little tricks that malware authors use to pack and obfuscate their malware, so that it can bypass traditional security software. But try it and see... that would be really cool! Thank you!
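The "valid PE file that would actually execute" filter described above, as an added example in Python (not VoodooShield's or VoodooAi's code): a header sanity check that rejects images whose DOS/PE signatures, executable flag, section table or entry point are inconsistent. The sample image is constructed inline and is not a real program.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # COFF Characteristics bit the linker sets on runnable images
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def pe_sanity_check(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means every header check passed."""
    problems = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["missing MZ DOS header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["e_lfanew does not point at a PE signature"]
    coff = e_lfanew + 4
    (_machine, nsections, _stamp, _symptr, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        problems.append("IMAGE_FILE_EXECUTABLE_IMAGE flag not set")
    opt = coff + 20
    if opt_size < 24 or opt + opt_size > len(data):
        return problems + ["optional header truncated"]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        problems.append(f"unknown optional header magic 0x{magic:x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sect_table = opt + opt_size
    if nsections == 0 or sect_table + 40 * nsections > len(data):
        return problems + ["section table missing or truncated"]
    entry_in_section = False
    for i in range(nsections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sect_table + 40 * i + 8)
        if raw_ptr + raw_size > len(data):
            problems.append(f"section {i} raw data runs past end of file")
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            entry_in_section = True
    if not entry_in_section:
        problems.append(f"entry point RVA 0x{entry_rva:x} lies outside every section")
    return problems

def build_sample(entry_rva: int, characteristics: int = 0x0102) -> bytes:
    """Constructed minimal PE32 image (not a real program): one .text section holding a RET."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, characteristics)
    opt = struct.pack("<H", PE32_MAGIC) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 76
    text = b".text\0\0\0" + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + b"PE\0\0" + coff + opt + text
    return headers.ljust(0x200, b"\0") + b"\xC3".ljust(0x200, b"\0")
```

A file that fails any of these checks is exactly the kind of sample a training set restricted to executable PE files would leave out.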
     
  3. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    That file was working OK when I made it and you are right, now it does not work any more.
    I will try to make a new one and do the test.
    Tnx
     
  4. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I remember now....you have to run that file as Administrator :shifty:
     
  5. Region: Dutch, Netherlands
     
  6. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I record quick video with VoodooShield BETA v.326 and this new fake Skype (packed with Ransomware) that I made.
    It is just for fun and maybe can help with something.
    !IT'S NOT REAL TEST!

    LINK:

    https://youtu.be/dIdjBZ5R7is
     
  7. @Djigi and @VoodooShield

    Nice demo, which raises some questions about the analysis logic. Also the advice to the user could be more explicit, with more automated result handling to minimize user error.

    Research at a university showed (I don't have the link anymore) that a VT detection of 4 and higher already provided a 96% guarantee of being true malware (so 4% FP chance), with 5 detections this was nearly 98%. When they stripped out the results of 5 bad performing engines (alas I don't recall which ones), then the prediction precision increased to over 99%: when five AV engines classified it as malware, it was indeed malware.

    That research also manipulated the top 20 used attack vectors of exploit kits (they claimed to cover over 95% of the number of intrusions). Running those samples through VT only resulted in 70 to 90 percent detection of the (adopted) malware. The less a malware family was seen in the wild, the lower the detection rate. The more a malware was seen in the wild, the better AVs were capable of determining new variants with their generic fingerprints, heuristics and behavior analysis.

    Question: Is VS always doing a blacklist check at VT?
     
  8. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,626
    I've just scanned another 600+ installers. Once again there was a lot of greyware and no actual threats. There were 49 unsafe files identified out of 612.
     
  9. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,675
    Location:
    South Wales, UK
    Hi Dan

    Just running VSAIPortable with VS 2.6 generated the following 'warning' from VS:

    [screenshot attachment]

    Now I know what it means but I suspect that a number may be concerned that VS is not reporting this as Safe (as in all the way to the left of the 'spectrum') if you see what I mean?

    Just thought I would point this out.

    Regards, Baldrick
     
  10. Gillor

    Gillor Registered Member

    Joined:
    Jul 12, 2013
    Posts:
    88
    Location:
    UK
    Hi Dan,

    I don’t know if this is of any help or not but I just ran 160 malware samples past VoodooAi. All were live with no false positives.

    I know it’s only a small sample but VoodooAi classified all but one as suspicious, equivalent to a success rate of 99.994%.

    I am not quite sure why VoodooAi failed to identify the so-called “safe” file as malicious as VS/VT flagged it up as 39/56.
     
  11. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    AppTimer from Passmark, right?

    On Balanced 100 I get VAi Unsafe 0.9160 & Slider on Unsafe.

    Note - I think the Sensitivity slider doesn't work correctly, or it's a bug, or I don't know?
    I find that currently the correct way to test standalone VAi is to set the Sensitivity slider and then browse files, i.e. if you tested a file on Balanced & want to test the same file on Reckless/Paranoid, you cannot simply move the Sensitivity to Reckless/Paranoid, you will see wrong results, i.e. if you change the Sensitivity level you have to browse the file again to see correct results.
     
  12. :):thumb: correct
     
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for the help hjlbx! Yeah, dismhost is extremely difficult for VS to deal with, but once I add all of the variants to the VoodooAi cloud, it will automatically be allowed. One of the issues is that some of the variants of the file are not even signed by Microsoft. If they were all signed, it would be a lot easier to deal with because we could perform a few checks on the file, like check to see if it is signed by Microsoft, and then auto allow it. But it is kind of the perfect storm for false positives since the path and hash both change, and some of the dismhost files are not signed.
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I think the only way to really fix the dismhost issue is to add all of the variants to the VoodooAi cloud, thank you!
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I tried that, but the payload doesn't execute because it needs admin rights as well. VoodooAi did detect the payload properly ;). Thank you!
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you... I will fix this bug asap ;).
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for testing! I really want you guys to test the heck out of VS and VoodooAi before we submit it to the various AV testing labs, just in case I missed something (which I probably did ;)). I watched the video, and from what I can tell, VS / VoodooAi performed as expected... is that your understanding as well? Although, we need to make sure that the payload is scanned by the blacklist and VoodooAi before it is auto allowed by the Parent Process feature, just in case the initial file is detected as clean by the blacklist and VoodooAi... you can never be too safe ;).
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that is what I meant to say ;). I will make sure that the child processes / payloads are scanned by the blacklist and VoodooAi before they are automatically allowed by the Parent Process feature. I tested both payloads from the CCleaner and Skype packed installers, and they both were detected as Unsafe by VoodooAi. Thank you!
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you for the info Kees... I have always wondered about this, so it is great to know. VS's false positive detection uses 5 as the "magic number", but that was just a guess on my part, but now that I know for sure, it looks like 5 is the number we should probably be using. Thanks again, this really helps a lot!
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you Roger! It sounds like this batch was kind of similar to the initial batch... if that is the case, then there is really no reason for me to look closer at the data. But if you think I should, please let me know! Like if you think VoodooAi might have not performed properly, please let me know and I will review the data.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you Baldrick! Yeah, that is mainly because the stand alone version of VoodooAi is a quick and dirty POC, so it does not yet quite follow all of the proper coding standards. If it turns into more of an app that will be widely used, I will tie up all of the loose ends and do everything right.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you Gillor for testing! When you say "suspicious"... were most of the files detected as "unsafe" or "suspicious"? Also, please keep in mind that a file packed with simple adware should probably not test as high as a really bad ransomware file, so it all depends on how bad the malware is that you are testing.

    As far as the miss goes... yeah, VoodooAi is not perfect, it was a clear miss! Then again, that is why we use the computer lock, blacklist scan and VoodooAi all together... it is a great combo ;). Thank you!
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, there is a small bug in the stand alone version of VoodooAi, with the Sensitivity control... it has to do with Regional Settings, I will fix it soon, thank you!
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Man, I am disappointed in Passmark... they know better than to not sign their files ;).
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you, I will check it out. I took a brief look at it a few days ago, but that code has not changed since Vlad worked on VS. But that should actually work... that is a great idea, I had no idea that is how he was handling the dismhost issue. I do remember that on 1-2 occasions, we thought the dismhost issue was fixed using this method (as I mentioned I had no idea what the method was), but for some reason it broke again. But I will take a look at it and see if we can get it to work using this method.
     
    Last edited: Jun 12, 2016