VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Ummmmm, I better not at this point :blink:
It is making me nauseous seeing this re-hashed like this, can I go to the park too? ~Comment removed.~
     
    Last edited by a moderator: Jun 3, 2017
  2. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

This!... I enter this thread to follow posts about VS, not other products.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I totally agree you guys, this is really starting to get old ;).
     
  4. guest

    guest Guest

Yes, for me that is what DP is. Once you are hit by a bullet, it doesn't matter if you stop the bleeding or not, you were hit. Just avoid being hit :D

    seems the case.

    i guess ;)


    Just a difference of perspective, nothing dramatic between Dan and me ;)
    Anyway i just wanted to clarify the exploit chain, not to prove that a product was able to protect the system or not. It really doesn't matter much now, since patches make it obsolete.
    Not saying it only worked on win7 lol
     
    Last edited by a moderator: Jun 3, 2017
  5. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    Guys, where does a VS noob begin his adventure? Thanks.

    Feel free to PM.
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    Install and enjoy!

    You could put VS in Autopilot Mode for a week to 'train' VS if you wish. Or just leave it in Autopilot Mode.
     
  7. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    You don't mean it, lets do this again, from the top boys :p rofl
Dan, you have the patience of a Saint and I respect that in you. I think in real life I would be honored to call you friend, so I could pull a Gibbs and do the "back of the head" thing :p (I sure hope you're familiar with the show NCIS, or that's gonna come off as a weird reference.) lol
     
    Last edited: Jun 4, 2017
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I agree, we are all friends here… the question is, who can party the hardest? ;) I highly doubt that it is me, but hopefully we will find out soon.

The funny thing is, a few months ago I was a little frustrated with a "special project" I was working on, and guest said to me in a private conversation, something like "this is your life's work". All of the passion that I had lost came back immediately, so it was really cool… I just feel bad that might come back to haunt him ;).

    I think we are getting to the end of the first part of our journey, and I am excited for what’s to come.

    Thank you guys ;).
     
  9. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    No problem my brother from another mother ;)
    On the partying thing, you have seen a pic of me, I am a fun loving party till ya drop kind of guy.
    I am also a father so I have changed a lot over the years, but that party gene is still in my blood, I am just more selective of "who" I party with these days. There is nothing like a good party, in the company of "good" people, those are some of the best times and make for the best memories.
     
  10. guest

    guest Guest

    Yes, it is what I said :)
    Dan and I have a "history" together since the birth of VS. Now I like the direction he took for VS, and I hope he will succeed.
    So whatever other people say about me, I won't care, because Dan knows me better than any of them; and I will keep saying what I think is the best for VS, then Dan will decide.
    If I believe Dan is wrong or mistaken/misunderstood about something, I will say it loud.
    And as people say, "we punish hard the people we like, we ignore those we don't care about" ;)
     
  11. TheMalwareMaster

    TheMalwareMaster Registered Member

    Joined:
    Jan 11, 2017
    Posts:
    25
    Location:
    Italy
Good evening @vodooshield, why don't you translate your software into other languages?
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I have done a lot of reading trying to connect all the pieces of the puzzle, and believe it or not, I'm still not sure who is right and wrong. What is most likely is that when EB exploits the system via the SMB driver, DP will get loaded as a malicious thread inside the lsass.exe process. But DP is only a malware loader, it needs to load the actual payload/malware, like a RAT or ransomware.

    So via DP (malicious thread) you can make lsass.exe run a child process which is the payload. In this case it was the WannaCry ransomware. I believe in the video that Dan made, VS and ERP probably blocked the Meterpreter payload, but in this specific attack it would have blocked the WannaCry payload. So if this all is correct, VS did not block DP itself.
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You know I think this has been beaten to death in this forum. If someone doesn't yet know, go to the Heimdalsecurity Blog and start reading.
     
  14. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    +10 :thumb:
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    @Rasheed187

    You posted this 39 minutes ago: OK thanks for clearing things up. I guess it was indeed outside of AG's scope, on the other hand, other tools did manage to at least block the payload when the EternalBlue exploit managed to load the DoublePulsar backdoor.

    https://www.wilderssecurity.com/threads/appguard-4-x-32-64-bit.355206/page-300#post-2682165

    Then you posted this 20 minutes later (59 minutes ago): I have done a lot of reading trying to connect all the pieces of the puzzle, and believe it or not, I'm still not sure who is right and wrong. What is most likely is that when EB exploits the system via the SMB driver, DP will get loaded as a malicious thread inside the lsass.exe process. But DP is only a malware loader, it needs to load the actual payload/malware, like a RAT or ransomware.

    So via DP (malicious thread) you can make lsass.exe run a child process which is the payload. In this case it was the WannaCry ransomware. I believe in the video that Dan made, VS and ERP probably blocked the Meterpreter payload, but in this specific attack it would have blocked the WannaCry payload. So if this all is correct, VS did not block DP itself.

    https://www.wilderssecurity.com/threads/voodooshield.313706/page-665#post-2682158

Most people would LOVE to end this discussion, and your above posts are igniting the fires.

    The issue is clearly defined in the MRG Article:

    https://www.mrg-effitas.com/eternalblue-vs-internet-security-suites-and-nextgen-protections/

    "It is nice that all the AV vendors claim to protect against the ransomware payload, but in case there is a backdoor running on your machine in the kernel level, things are not that great.


    Please note the ETERNALBLUE exploit was published basically 2 months before Wannacry and this blog post.


    If anyone creates an in-memory ransomware which can work with the ETERNALBLUE exploit, the number of ransomwared systems would skyrocket. ETERNALBLUE can be linked with Meterpreter easily, and we have an in-memory Meterpreter ransomware extension. We are sure we are not the only ones having this capability … If there will be an in-memory Meterpreter ransomware in-the-wild soon, we reserve the right to remove this section from the blogpost, and pretend we never wrote this"

    What they are saying (and what I have been saying) is this... (copied from one of my MT's posts)

    DP is the fileless / in-memory payload that they are referring to. What they are saying is that if a blackhat enhances and adapts DP to run ransomware code, then it is game over.

    It really is as simple as that.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, it would be nice to end the discussion, but things are still not completely clear. From a technical point of view it would be interesting to understand all of the details. So I'm not igniting anything, and don't get me wrong I thought it was impressive to see that VS could block the payload. But it's not clear which payload it blocked.

    But my question to you is, if DP is a file-less or in-memory backdoor, why would you need rundll32.exe to load it? Like I said, I've read that WannaCry was basically directly executed via the exploited lsass.exe process, without the usage of rundll32.exe, cmd.exe or any other system process. This would mean that DP is already running inside lsass.exe, as a malicious thread. So I assume that if DP is blocked from running, then lsass.exe should never spawn any child process, do you understand what I mean?
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Fair enough ;). When you see rundll32.exe fully spawn (not simply suspended) as a child process of lsass.exe (and see that a session has been created), you know that DP has succeeded. If rundll32.exe is blocked as a child process of lsass.exe, then the attack was NOT successful, so EB failed as well.

    The concern is that if an attack like this is able to install a kernel level malicious payload like DP, DP can be modified to do other things, and this is why MRG is concerned. Please read the MRG conclusion one more time, and hopefully you will see what I mean. If it is still not clear, please email me at support at voodooshield.com and I will answer any question you have.

    To be clear, I am not suggesting that any of the 4 products in the initial test would have allowed WannaCry to be installed... that is not the concern, and the main reason I did not include WannaCry in the initial test (besides the fact that it would have created a lot of unnecessary work).

    The concern is that malicious payloads (DP) of exploits (EB) were not blocked in A LOT of the tests performed by MRG and myself. Knowing this... again, please read MRG's conclusion.
     
    Last edited: Jun 5, 2017
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
And to be even more clear... VS did not handle this attack absolutely perfectly either. Sure, it blocked DP (the malicious backdoor), but there are a couple of things that it can certainly do better (in case the next attack is even worse), and they are easy fixes. I am just trying to figure out the absolute best way to handle one of the issues, without affecting the user experience, since there are several different ways to fix them. I would go into more detail about these issues, but I have spent enough time on this issue, and they are difficult for me to explain.
     
    Last edited: Jun 5, 2017
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
Dan, happy to see Xvirus now has VoodooAI. Only problem is Windows Defender flags the new download as a severe Trojan, and WD does not allow you to unquarantine it. He said he would submit it to MS.
     
    Last edited: Jun 5, 2017
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, you already mentioned this many times before. BTW, I did edit my post, perhaps you missed it, see quote. But my other question is, what is the purpose of rundll32.exe, to do what exactly? Is it to load DP as a malicious thread running inside the lsass.exe process? Or is it to load the Meterpreter payload?

In the video you can clearly see that once VS blocks rundll32.exe from running, it states: "EternalBlue success!" + "exploit completed, but no session created". Isn't it likely that this means that DP couldn't run the Meterpreter payload? If so, this means that VS is capable of blocking payloads delivered via DP, not DP itself. Does this make sense?
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, I am excited to try it! Dani pm'ed me a brief description of his implementation, and it sounded like it is going to be really cool! It looks like it might turn out to be an amazing combo!

    I downloaded it earlier, then I was sidetracked... I am so far behind on a lot of stuff, it is not even funny ;).
     
  22. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Then stop trying to explain WannaCry to the few ;) just say no.
    I can't install it till I turn off WD real-time. I was testing some malware the other day in VB with VS, WD, Vipre, Malwarebytes 3.0. I got this nasty Ransom.Virlock aka Trojan.Virlock. It kept replicating so fast in the Windows temp folder that WD and Malwarebytes never stopped. Malwarebytes just kept scanning and detecting the same thing.
    I had to kill that snapshot and start over. Never saw that before. It didn't seem to be doing anything other than mass replication.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I have read many different articles on this, and I am not sure what is correct and what is not. What I do know is that the main DP payload is Doublepulsar-1.3.1.exe. Since there was not a command line that was thrown, I imagine that rundll32.exe was not called from a command line. But somehow they spawn rundll32.exe, and the hash of the blocked rundll32.exe matches the hash of the real rundll32.exe, so I am not exactly sure what happens. I initially thought that the rundll32.exe that we see was simply a renamed version of Doublepulsar-1.3.1.exe... but this turned out to not be the case since the hash matches.

    I was hoping that this would be explained in the Sophos video, but from what I remember, it is not.

    https://www.youtube.com/watch?v=agFgibQydzg

In the end, all that matters is that all of the malicious payloads that were spawned by lsass were blocked.
     
    Last edited: Jun 5, 2017
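The exchange above (posts 16, 17, 20 and 23) turns on two observations: the indicator of a successful DP stage is lsass.exe spawning a child such as rundll32.exe, and the spawned rundll32.exe is the genuine binary with a matching hash, so a hash-based allowlist alone cannot tell it apart from a legitimate launch. The following is an added example, not VoodooShield's or any vendor's code, showing a parent/child triage rule run over a few constructed process-creation records. The pipe-delimited field layout, the hash values and the sample lines are all invented for this example (a real deployment would feed it Sysmon Event ID 1 or 4688 data and a known-good hash baseline).

```python
"""
Process-creation triage for the lsass.exe -> child-process indicator.

Added example, not code from the page or from VoodooShield. Input records
are constructed here and use an assumed field layout:
    UtcTime|Image|ParentImage|CommandLine|Hashes
"""
import ntpath
from dataclasses import dataclass

# Constructed sample records (not captured from a real host). The second and
# fourth lines model lsass.exe spawning children, as described in the thread.
SAMPLE_LOG = """\
2017-06-05 01:02:03|C:\\Windows\\System32\\lsass.exe|C:\\Windows\\System32\\wininit.exe|C:\\Windows\\system32\\lsass.exe|SHA256=AAAA
2017-06-05 01:02:10|C:\\Windows\\System32\\rundll32.exe|C:\\Windows\\System32\\lsass.exe||SHA256=BBBB
2017-06-05 01:02:11|C:\\Windows\\System32\\rundll32.exe|C:\\Windows\\explorer.exe|rundll32.exe shell32.dll,Control_RunDLL|SHA256=BBBB
2017-06-05 01:02:12|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\lsass.exe|cmd.exe /c whoami|SHA256=CCCC
"""

# Placeholder known-good hashes (assumption: taken from a trusted baseline in
# practice). Every binary in the sample is a genuine Windows executable, which
# is exactly the case the thread discusses: the hash of the spawned
# rundll32.exe matches the real one.
KNOWN_GOOD = {"lsass.exe": "AAAA", "rundll32.exe": "BBBB", "cmd.exe": "CCCC"}

# Parents that should never create child processes on a healthy host.
NO_CHILD_PARENTS = {"lsass.exe"}


@dataclass
class ProcEvent:
    utc_time: str
    image: str
    parent_image: str
    command_line: str
    sha256: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def parse_events(text: str) -> list:
    """Parse the assumed pipe-delimited layout into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        utc, image, parent, cmdline, hashes = line.split("|", 4)
        sha = ""
        for part in hashes.split(","):
            if part.startswith("SHA256="):
                sha = part[len("SHA256="):]
        events.append(ProcEvent(utc, image, parent, cmdline, sha))
    return events


def hash_allowlist_verdict(ev: ProcEvent) -> str:
    """A hash-only policy: allow if the image is a known-good binary."""
    return "allow" if KNOWN_GOOD.get(basename(ev.image)) == ev.sha256 else "block"


def parent_rule_verdict(ev: ProcEvent) -> str:
    """Parent/child policy: block any child of a parent that never spawns."""
    return "block" if basename(ev.parent_image) in NO_CHILD_PARENTS else "allow"


def triage(text: str) -> list:
    """Return both verdicts per event so the two policies can be compared."""
    return [
        {
            "time": ev.utc_time,
            "child": basename(ev.image),
            "parent": basename(ev.parent_image),
            "command_line": ev.command_line,
            "hash_only": hash_allowlist_verdict(ev),
            "parent_rule": parent_rule_verdict(ev),
        }
        for ev in parse_events(text)
    ]


def lsass_children(text: str) -> list:
    """(time, child) for every process created by lsass.exe: the DP signal."""
    return [(f["time"], f["child"]) for f in triage(text) if f["parent_rule"] == "block"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print("lsass children:", lsass_children(SAMPLE_LOG))
```

Over the constructed input the hash-only policy allows all four events, because every image really is the genuine binary; only the parent rule blocks the rundll32.exe and cmd.exe that lsass.exe created. The empty command line on the rundll32.exe record mirrors the observation in post 23 that no command line was seen, which is why the rule keys on the parent and not on the command line or hash.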
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Interesting... you should send that sample to CS and see if she wants to test it.
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
I would have to go back and find it since the sample was on VirtualBox. I can try. It was a recent download from testmy av but I can not remember the date. It was so annoying I could not use my computer because of the popups.
     