WannaCry Exploit Could Infect Windows 10

Discussion in 'malware problems & news' started by itman, Jun 6, 2017.

  1. guest

    guest Guest

    The rumor is that the attacker just wanted to raise the price of bitcoins; he didn't expect to be paid. More systems encrypted = more people will buy bitcoins.

    Like increasing the demand for goods to sell them at higher prices.
     
  2. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I can just imagine the conversation in a covert operations meeting at corporate HQ.
    Surely the public will realize it was us.
    Of course they won't, the masses are entirely stupid; they will believe what we tell them to believe. It was random criminals and anyone who thinks otherwise can't prove it.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    I doubt that this was about the money. What were the attackers' motives? Who knows.
    I also don't think that it was a "sophisticated" attack. It was just using some exploits (which the attackers did not develop on their own) which allowed it to spread like a worm. Besides that wormability, I don't find it very sophisticated. Though, it might have been released to the public too soon, as some are suggesting, and might still have been a work-in-progress when released.
     
  4. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    There is an obvious motive. If this was any other kind of crime the cops would be all over it. If you have a motive you're a suspect.
    Who would have a motive in attacking outdated Windows operating systems without actually damaging data on them? Just enough to show how vulnerable they are while the latest OS just sails on through.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    If you do not even know the difference between an exploit and a payload, then I just wasted a bunch of time trying to explain this to you.

    VS does not block exploits (EB)... it blocks the payloads (DP) that the exploits execute.
     
  6. guest

    guest Guest

    Thank you, I know...
    So VS can prevent an in-memory kernel payload from being installed? Really? Because that is what you have been saying since the beginning...
    Just say yes or no, that is the main point of my debate with you about VS.
     
    Last edited by a moderator: Jun 18, 2017
  7. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    ....and then they can step up to be the hero and release patches to unlock the affected systems and save the world from the big bad hackers. Beautiful, deserves an Oscar.
     
  8. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    If you all would realize what I'm saying is how it is, you would also realize there are no software solutions to prevent the next player from doing what they do. You have to implement entirely different measures. One of them being never use a conventional drive to host the OS on machines that have network access. Use a CD/DVD-ROM OS and never connect a drive that has private data to it. Use a separate machine with no network interfaces to work with private data. That is the only way. All other bases are owned.
     
  9. guest

    guest Guest

    You have Linux live CDs for that purpose :)
     
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    That question is extremely deceptive and you know it.

    In the EB / DP attack, yes, VS blocked the kernel level payload DP. I have said that from the very beginning, and my argument has not changed one bit since the beginning.

    Now, is it possible that someone can develop an exploit that does not require a payload, and as a result, VS will not block it? Maybe, but it is highly unlikely... mainly because exploits are extremely limited on the amount of memory that is allocated to them. Basically, in order to do something interesting (malicious), the exploit is required to execute a payload... and when it does, VS will block it.

    But who knows what the blackhats will come up with next.

    If you have other questions, there are other people you can ask.
     
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Absolutely. I believe there is a way to make a Windows one too, but it is more difficult.
     
  12. guest

    guest Guest

    I don't say "block", I asked if VS can prevent a payload from being installed? Answer properly please...

    1- So VS can prevent in-memory kernel payloads from being installed and run at NT AUTHORITY\SYSTEM level, yes or no?
    2- So in the DP case, because of VS, DP can't be installed and thus can't inject anything into lsass.exe, yes or no?
     
    Last edited by a moderator: Jun 18, 2017
  13. guest

    guest Guest

    There is one with WinXP/7, but it was illegal.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    LOL, Dan and guest you are killing me. You're basically repeating the same discussion from the VS thread. :D

    That's why I said let's drop the discussion, because the problem is that we visualize things in a different way. But that's why it would be interesting to see if VS can also block Peddlecheap. Because that would make things more clear. So Dan, it's probably best to test it ASAP.

    Another interesting thing is this article about in-memory ransomware that never drops to disk. I highly doubt that an anti-executable can block this, perhaps MRG can do some testing.

    http://blog.secdo.com/multiple-groups-exploiting-eternalblue-weeks-before-wannacry
     
  15. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    502
    Location:
    UK
    This reminds me of that wedding dress that caused so many arguments a while back... some people saw it as gold and others as white... and yet they were all looking at the exact same thing.

    How the human brain/mind is able to process a shifted perception of the same data is very interesting.

    This is a function of the various levels of consciousness that can have a possible 24 different ways to see the same thing, but most of us at this point in time of the evolutionary cycle only experience a much smaller number of these perception anomalies.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes I did read the article, but now I'm still confused. I thought PeddleCheap and DoublePulsar were two different payloads. PC is a trojan, while DP is a malware loader. So I don't see why they make the comparison. BTW, this is another interesting article:

    https://blog.ensilo.com/nsa-tools-vs-ensilo

    Yes exactly. Especially with these kinds of complex attacks, it's not always easy to process everything in the correct way.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    They are. And I went to lengths to explain the difference between the two. @VoodooShield is testing with PeddleCheap. It appears VoodooShield can block PeddleCheap. I see no proof that it can stop DoublePulsar.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Another point about DoublePulsar. The only activity that it is performing in user mode is the memory-based reflective loading of a non-reflective .dll into the parent process. All of its other activities are performed in kernel mode.

    Note what is important. The injection of the .dll into the child process is done in kernel mode. The only way to detect memory-based reflective .dll malicious activity is when the .dll is injected into the child process. That can only be done if the attacker process is running in user mode. Again, DoublePulsar is running in kernel mode when the injection into the child process is performed.

    The test utility does all its processing in user mode. Therefore, it would be possible to detect when the .dll is injected into the child process if a security solution was monitoring every process for such activity.

    As far as I am aware, no conventional security solution is going to flag as malicious activity any activity done by a parent process against its created child process, including the loading of a .dll from it. A "next gen" solution might detect this activity as "abnormal" if it had previously monitored the parent process as to what .dlls it normally loads. And I believe that activity is done at process startup and is not continuously monitored thereafter.

    -EDIT-

    Also, the below excerpt from the previously posted github.com article readme file noting that the APC calls to load the .dll are done by DoublePulsar in kernel mode, making that activity undetectable by any security solution:
     
    Last edited: Jun 18, 2017
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, I know... I truly have repeated myself 30 times.

    He either does not want to understand the attack, is not capable of understanding the attack, or is wasting my time.

    I actually have a better idea... instead of me testing everything, why don't you guys run a test or two? Instead of arguing about it, run the test... then you will see exactly what is what, and it will all make sense to you.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, the ironic thing is that the exact opposite of what you said is true. There is PLENTY of evidence that VS blocks DoublePulsar... simply because it is unable to create the session and the tools are unavailable after VS blocks it. Whereas there is no direct evidence whether VS can block PeddleCheap.

    Why don't you guys just test for yourself so that you can truly understand how these types of attacks work?
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, I see what you are saying, but there is truly nothing to debate... there is nothing subjective in the tests or the attack. For example, an exploit is an exploit and a payload is a payload... one cannot effectively argue that a payload is an exploit.

    We would not have this issue if they ran the tests for themselves.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    1- Absolutely... as long as the attack is within the scope of application control.
    2- Absolutely... as long as the attack is within the scope of application control.

    ALL application control utilities should block such attacks... that is the "one job" that they are supposed to perform. If they do not, then they have failed.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Well then, I guess someone needs to test this out.

    Load an unpatched version of Win 7 x64 on your test rig. Then run the actual Shadow Brokers' EternalBlue/DoublePulsar exploit with VoodooShield installed and post your results.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I already tested with the Metasploit port, and VS blocked DP, as clearly demonstrated in my videos.

    Are you suggesting that someone also test the Fuzzbunch+Eternalblue+Doublepulsar+Peddlecheap port? If so, I am in the process of setting up that test, but I ran into a roadblock, so I am waiting to see if better documentation becomes available in the next couple of days.

    In the end, it really does not matter, because the attack is either within the scope of application control, or it is not. If it is within the scope of application control, then VS should block it. If it is not within the scope of application control, then no application control utility will block it... the only things that might block it would be an anti-exploit product or a Windows patch.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Non-applicable since the Metasploit version does not use the actual reflective .dll technique used by the "real" DoublePulsar exploit. Most security solutions can detect the "misbehaving" rundll32.exe activity done in the Metasploit version.

    BTW - you stated previously that VoodooShield would not detect PeddleCheap, which by the way does do reflective .dll injection but with a far less sophisticated method than DoublePulsar. Even if with some "finagling" you got VoodooShield to detect PeddleCheap activity, that would not prove that it could detect the DoublePulsar reflective .dll loading.

    Suggest you contact AV-C which did test AV solutions against WannaCry ransomware activity. You will have to verify with AV-C that the sample they used for testing employed DoublePulsar since all attacks didn't. What we need verified is that VS can detect EternalBlue/DoublePulsar activity.

    BTW - vendor testing against their own products as a POC is a no-no for obvious reasons.
     