VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Here is a beta version of the stand-alone portable version of VoodooAi. It really is not an installer… what it does is copy a portable version of VoodooAi to your desktop (or wherever you choose).

There are 2 versions of VoodooAi included in this “installer”, one for Windows 7 and below, and one for Windows 8 and above, that way .NET is not needed for Windows 7 and above. Windows XP and Vista will require .NET 3.5, which it will install during the “installation”.

    Since VoodooAi is only one portable file, there is no uninstaller (so it will not be listed in Programs and Features), and there is no desktop shortcut. Basically, it just copies the portable version to your desktop so you can drag and drop a file to it without it being opened first. Then of course once it is open, you can drag and drop up to 10 files at a time for analysis.

    VoodooAi is not perfect (Machine Learning and Ai never will be), but I think you guys will be impressed with its abilities, and as we add more random training data over the next few months, it will continue to increase in accuracy and precision. Also, it is not intended to replace the 57 engine blacklist scan (since a full malware analysis with 57 different engines will always be more accurate), but it will be valuable for new and unknown files.

    Since the training data had massive amounts of malicious files, VoodooAi does a remarkable job at detecting “really bad” malware samples, but we still need more clean files for it to do as well with safe files, although it is doing pretty well with safe files as it is. I tested 1000 random really bad malware samples and all but 5 were correctly detected.

    So basically, if VoodooAi detects a file as Safe, it is most likely safe.

    If the file is detected as Unsafe, it is most likely unsafe.

If the file is detected as Suspicious, it is probably greyware, or the developer of that software either obfuscated the code with tools that a lot of hackers use, or did not implement all of the standard coding practices. For example, if DEP or ASLR were not implemented, then that moves the needle toward Unsafe.

Ultimately, it will be extremely helpful in VoodooShield to help the user decide on whether to block or allow a new or unknown file. The 57 blacklist scan should override VoodooAi if the results do not match, but if we did that at this point, that would kind of be considered “cheating”. At some point, though, it would be nice to have the option to automatically override VoodooAi with the 57 blacklist scan so that the user is not confused when there are conflicting results… kind of like an automatic decision. Thank you!

    www.voodooshield.com/artwork/InstallVoodooAiPortable.exe
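The post above names DEP and ASLR as static features that push a file toward Unsafe. As an added illustration (not VoodooShield's code, and VoodooAi's real feature set is not described on this page), here is how those opt-in bits are read straight from a PE header, including the caveat that a DYNAMIC_BASE flag on an image with its relocations stripped cannot actually be randomised. The `build_header_only_pe` helper constructs header-only test images; it is a fixture, not a loadable binary.

```python
"""Read the DEP / ASLR / CFG opt-in bits from a PE header (added example)."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040     # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100        # image is DEP-compatible
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high-entropy addresses
GUARD_CF = 0x4000         # Control Flow Guard instrumented
# IMAGE_FILE_RELOCS_STRIPPED in the COFF Characteristics field
RELOCS_STRIPPED = 0x0001


def mitigation_flags(image: bytes) -> dict:
    """Return which exploit mitigations a PE opted in to, from headers alone."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # SizeOfOptionalHeader is at COFF offset 16, Characteristics at 18
    size_of_optional, characteristics = struct.unpack_from("<HH", image, coff + 16)
    opt = coff + 20
    if size_of_optional < 72 or len(image) < opt + 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]
    wants_aslr = bool(dll_chars & DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & RELOCS_STRIPPED)
    return {
        "pe32plus": magic == 0x20B,
        "dep": bool(dll_chars & NX_COMPAT),
        # The flag alone is not enough: with no relocation data the loader cannot rebase
        "aslr": wants_aslr and not relocs_stripped,
        "aslr_flag_without_relocs": wants_aslr and relocs_stripped,
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "cfg": bool(dll_chars & GUARD_CF),
    }


def missing_mitigations(image: bytes) -> list:
    """Names of the mitigations the image did not opt in to (the 'needle' inputs)."""
    flags = mitigation_flags(image)
    return [name for name in ("dep", "aslr", "cfg") if not flags[name]]


def build_header_only_pe(dll_chars: int, characteristics: int = 0x0102,
                         pe32plus: bool = False) -> bytes:
    """Constructed test fixture: MZ stub + PE header with no sections (not loadable)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> PE header right after the stub
    machine, magic, opt_size = (0x8664, 0x20B, 240) if pe32plus else (0x14C, 0x10B, 224)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, img in (("hardened", build_header_only_pe(NX_COMPAT | DYNAMIC_BASE | GUARD_CF)),
                       ("bare", build_header_only_pe(0))):
        print(label, mitigation_flags(img), "missing:", missing_mitigations(img))
```

To run it on a real file, pass `open(path, "rb").read()` to `mitigation_flags`; only the first few hundred bytes are inspected, so a partial read is enough.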
     
  2. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Here are the initial results from the samples you guys have submitted the last few hours, and the results are extremely promising, although, it is way too early to draw conclusions. But it is nice to see the results of truly random samples turn out so well.

    VoodooAi matched 100% with VT (after automatically adjusting with VoodooShield's false positive detection), with the exception of 1 file (SandboxieInstall64-509-1.exe)... it was a very close call though because it was almost detected as safe, it was detected as suspicious just by a touch.

    www.voodooshield.com/artwork/InitialResults.PNG

    Thanks again for all of your guys help! When you get a chance, please throw more samples at it... I am anxiously waiting to see the results!
     
  3. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,677
    Location:
    South Wales, UK
    Cool...will give this version a good going over.

    Baldrick
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you Baldrick!

    BTW, something weird just happened with a batch of 7 files that were uploaded (file_system_protector_setup.exe was one of the files)... the probabilities were HUGE, so something went wrong. Each of the 3 algorithm probabilities should range between 0.0000 and 1.0000... but each of the probabilities in each of these 7 samples were like 521825396825397.06, so something went wrong... I am guessing it might be a Non-English version of windows or something that is causing the issue.

    Anyway, if anyone notices something like this, please let me know... the probabilities should look like this...

    http://www.voodooshield.com/artwork/CorrectResults.PNG

    (Not massive numbers like this: 521825396825397.06).
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,277
    Location:
    Among the gum trees
    Next beta soon, Dan? :)
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Hehehe, apparently ;). I really thought all of the bugs were worked out... that is why I spent so much time going over and over it to make sure ;). But no matter how careful you are, something ALWAYS comes up ;). It is working for most samples, so that is good... although I see a lot of plain 0's and 1's. Time will tell though, it should be an easy fix.

    I am thinking it is a Non-English version of Windows that is causing the problem... I guess we will find out soon enough.

    Is there a chance that a firewall might obfuscate or encrypt the metadata that is sent to Azure? I am not that familiar with firewalls at all, but that might be a possibility as well.
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,338
    I just ran this in one of my snapshots that doesn't have VS installed. I guess that is OK. ;)

[Attachment: ScreenShot_VS_AI Portable_install_08.gif]
     
  8. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,277
    Location:
    Among the gum trees
    Dan, it seems quite a lot of files I scanned with VoodooAi are unsafe. Most are programs I have installed on both my machines. :(

False Positives, methinks. ;)
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, exactly, thank you!
     
  10. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,338
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Hmmm, I am hardly seeing any unsafe results in general in the last couple of hours, except there was another batch of 5 that had the crazy high probabilities like I posted earlier... the first file that was analyzed in that batch was "libjpeg-turbo-1.4.2-vc64.exe", was that yours?
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, there are not that many portable apps in the training data set, so I am happy that it did well ;). There are also not a lot of drivers at all, so there will be some false positives on driver installers until we can add a lot of these to the training data.
     
  13. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,277
    Location:
    Among the gum trees
    Not that one. I had only just scanned some files before posting, say about 20 minutes ago.
     
  14. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,338
    Dan,

    I am in a snapshot running VS 2.86....I suppose I have to run AI separately for the moment?
     
  15. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,338
    Glad to help. :)
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Here are most of the submitted samples in the last couple of hours. The 0's at the top are all Microsoft Windows files, so they are mostly 0. The next batch is what I cannot figure out... these crazy high numbers. I have been working on VoodooAi for 5-6 months, and I have never seen numbers like this before... I am sure there is a simple explanation. Below the batch of crazy high numbers are most of the results from the last couple of hours... as you can see, there are a few that are high, but most are quite low.

    http://www.voodooshield.com/artwork/Odd.PNG
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I hope to have it up and running in 2.0 for XP soon!!! I think Vlad has already finished the VS 3.0 integration!
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,277
    Location:
    Among the gum trees
The scan results of mine weren't anywhere near that high either, so some of the 0.9's and 0.8's may have been mine. I only scanned half a dozen or so.
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, do you remember which files you scanned? If not, can you try again with different files, if you get unusually high results, please let me know what the file names are?

    One thing to keep in mind... I was soooo frustrated for a few days that this one file (some kind of USB installer) kept being detected as unsafe... it was driving me crazy. Then I scanned it with VirusTotal, and sure enough, 20 hits ;).

    Also, a while back, CET sent me some files from www.matousec.com... they were the Security Software Testing Suite 64 (SSTS64). I added them to the training data as unsafe files, only to find out months later that they all have 0 hits on VT ;).

So long story short... if VoodooAi is detecting something as suspicious (and ESPECIALLY unsafe), and that is unexpected to you, then you might want to scan it with VT just to make sure ;). It has happened to me SEVERAL times the last couple of months.

    Edit: Also, if you have all of your installers and files grouped into folders, like I imagine most computer people do, if there is a batch of files that are testing unusually high, you might try a different batch. For example, if you were to test a big batch of driver installers right now, the results would probably be pretty high. In a real world scenario, this is not an issue though, because they are truly random samples and not in batches. Also, I have a lot of super old .exe files... they test relatively high as well... but I am not about to add them to the training data set because they are not representative of files that VoodooAi will encounter. Once we have several tens of millions of files in the training data, then I can add them without breaking anything ;).
     
    Last edited: Feb 22, 2016
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hmmm, very odd... they did not make it into the database then for some reason (another bug to track down ;)).

    If you do see some strange results, please let me know the file names and I will look into it. Thank you!
     
  21. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,277
    Location:
    Among the gum trees
All the files I scanned with Ai have been scanned safe at VT, Dan.

    Here are some I scanned.

    instspeedfan451.exe

    Repair_Windows.exe

    weather-tracker.exe = mostly safe at VT

    ghostery-ie.exe

    To name a few.
     
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,338
    Thanks. :)

BTW, I just tried to launch AI, and it was blocked several times... [Attachments: ScreenShot_VS_Flashing warning_AI launch_01.gif, ScreenShot_VS_Flashing warning_AI launch_02.gif, ScreenShot_VS_Flashing warning_AI launch_03.gif]
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, thank you for taking the time to do that!

    All 4 files were detected as Suspicious... we might need to tweak it so that the upper limit for Safe files is 0.75. Also, keep in mind, these files might have toolbars or something in the installer (I have not checked).

    But please notice, that the weather-tracker almost reached the 0.95 lower limit for Unsafe files, and it was the only file that had a hit on VT.

    www.voodooshield.com/artwork/Results2.PNG

Like I was saying, VoodooAi seems to excel at detecting the really bad files, like ransomware... but the greyware will always be a little difficult for it, even when we have a massive training data set, that is just the way Machine Learning / Ai is.

    Also, I would rather play it safe and have a few files detected as Suspicious, rather than let some ransomware slip through. I cannot think of a reason when ANYONE absolutely has to run or install a new program. It is better to call the file suspicious so they can investigate it more. Plus, when integrated into VS, the user will have the benefit of the 57 engine blacklist scan as the primary recommendation.

    On the test of 1000 random super bad viruses, VoodooAi only missed 5 of them (99.5% accurate), and to me that is still not good enough. Then again, my 3 favorite blacklist scanners scored 36.2%, 71.6% and 78.4% on the same sample set.

    In short, with so much greyware out there, we NEED to lock our computers ;). Thanks again!
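Two things in this thread fit together into one small decision routine: post #4's observation that each algorithm's probability must lie in 0.0000..1.0000 (the 521825396825397.06 values are a bug, not a score), and this post's thresholds of 0.75 as the Safe ceiling and 0.95 as the Unsafe floor. The example below is added here and is not VoodooAi's code; it assumes the three per-algorithm probabilities are combined by a plain mean (the thread does not say how they are combined) and treats the thresholds as configurable because the post presents 0.75 as a proposal. It fails closed on any value that is not a valid probability and reports the margin to the nearest threshold, which is what "detected as suspicious just by a touch" in post #2 amounts to.

```python
"""Safe / Suspicious / Unsafe verdict from per-algorithm probabilities (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Sequence

# Thresholds named in the thread; the live values are an assumption.
SAFE_UPPER = 0.75     # below this the file is called Safe
UNSAFE_LOWER = 0.95   # at or above this the file is called Unsafe

# Invariant format only: digits, optional '.' and digits. A comma decimal
# separator or digit grouping is reported as malformed, never re-interpreted.
_PROB_RE = re.compile(r"^\d+(\.\d+)?$")


@dataclass(frozen=True)
class Verdict:
    label: str               # "Safe", "Suspicious", "Unsafe" or "Invalid"
    score: Optional[float]   # combined probability, None when invalid
    margin: Optional[float]  # distance to the nearest threshold, None when invalid
    note: str


def parse_probability(text: str) -> float:
    """Parse one algorithm's probability string; reject anything outside [0, 1]."""
    s = text.strip()
    if not _PROB_RE.match(s):
        raise ValueError(f"malformed probability {text!r} (expected 0.0000 form)")
    value = float(s)
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"probability {s} is outside [0, 1]; not a valid score")
    return value


def combine(probs: Sequence[float]) -> float:
    """Assumed combiner: mean of the per-algorithm probabilities."""
    return sum(probs) / len(probs)


def classify(raw: Sequence[str], safe_upper: float = SAFE_UPPER,
             unsafe_lower: float = UNSAFE_LOWER) -> Verdict:
    """Turn the raw probability strings for one file into a verdict."""
    if not raw:
        return Verdict("Invalid", None, None, "no probabilities supplied")
    try:
        probs = [parse_probability(p) for p in raw]
    except ValueError as exc:
        # Fail closed: a broken score is surfaced as an error, not guessed at.
        return Verdict("Invalid", None, None, str(exc))
    score = combine(probs)
    if score >= unsafe_lower:
        label, margin = "Unsafe", score - unsafe_lower
    elif score < safe_upper:
        label, margin = "Safe", safe_upper - score
    else:
        label = "Suspicious"
        margin = min(score - safe_upper, unsafe_lower - score)
    return Verdict(label, score, margin, f"{len(probs)} algorithms, mean={score:.4f}")


if __name__ == "__main__":
    # Constructed inputs; the last one mirrors the broken batch from post #4.
    for sample in (["0.12", "0.05", "0.30"], ["0.76", "0.74", "0.77"],
                   ["0.96", "0.99", "0.97"], ["521825396825397.06", "0.1", "0.2"]):
        print(sample, "->", classify(sample))
```

A small margin on a Suspicious verdict is the signal to send the file to the blacklist scan rather than to argue with the threshold; an Invalid verdict is the signal to look at the client that produced the numbers.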
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, just quickly looking through the data, here is a great example on how VoodooAi will be extremely valuable.

    Someone analyzed "SlimDrivers-setup.exe" with the hash of 9759fa90685d3e0d8e4566e0b90cb92ccb9e0dc896ddd1e88127d34481d63665.

    It must be a new build of SlimDrivers because it was not yet in the VT database, but when I have tested a lot of their products in the past, they usually receive a lot of hits on VT.

    VoodooAi detected it as Unsafe, so that is cool ;).

    Don't get me wrong, I am not doing a victory dance, hehehe, but the results look to be very promising, especially after we tweak it a little more. I do think we might be able to raise the upper limit for safe files to .75 or so, and that will help tremendously with false positives. But we will not know until more data comes in. It will actually be pretty easy to calculate where we should set the upper limit for safe files once we see the data.

Also, keep in mind... tools like ComboFix and ADWCleaner are phenomenal tools, but tools like these that have to "dig deep" into the OS seem to have high VoodooAi results. Maybe that is a good thing, because it is probably better for IT people to run these types of programs, and not the average user.
     
    Last edited: Feb 22, 2016
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States