VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Dan

    I agree....

    1. People need to be careful when they claim something is bypassed, to be sure the software in question is actually bypassed. Sandboxie gets hit with this all the time, because people don't understand what the software does or how it works.

    and

    2. If you really think the software was bypassed, then take it privately to the vendor first as opposed to a public post. If the vendor ignores you then that's different.

    My $.02

    Pete
     
  2. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,979
    YW, DAN :) ..."The lady's not for turning"....but, I am for Turing! ;)

    P.S. I am ready to test the new KMD filter version.
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,979
    It is called Synchronicity, Dan...:)
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    @ VoodooShield

    Like he said, he used Metasploit, and payloads can also be in-memory; they never touch the disk. Anti-exe apps like VS, EXE Radar and AppGuard can't stop those kinds of payloads, you need anti-exploit for that. So yes, VS was bypassed, but it was never designed to block "in-memory" payloads.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Depending on what is going on, Appguards Memory Guard, may block
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Whoever said that this was a memory only payload? I am assuming that it was not, as uncommon as they are. I mean, what hacker in their right mind would waste a perfectly good exploit that they spent several months developing, on some malware that a simple reboot is all that is required for removal (since it didn't touch the disk). Exploits are rare and expensive... They would not waste all that time and money on this.

    But for the sake of argument, let's assume that it was a memory only exploit... It does not matter if it touched the disk or not... All that matters is if a new, non-whitelisted process was allowed to be created or not.

    If you have an example of a memory only exploit, please let me know, I would love to try it out. I have only read about 1, several months ago on the malwarebytes blog. The reality is that hacking and writing viruses is a business, and they want their product to remain on the system after a reboot.

    VS does not stop tracking cookies either, so I am assuming that is a bypass then, right? EMET does not stop a user from clicking on a malicious email attachment, so is that a bypass as well? And obviously, this is MUCH more common.

    That is like buying a pair of sunglasses to protect you from the sun, and then being upset that you got a sunburn.

    Edit: Poweliks... that is the memory only exploit that everyone talks about... the only one apparently.

    Edit 2: And I assure you, if memory only malware becomes a real issue, rather than simply a buzzword used for marketing purposes, VS will implement the necessary protections.
     
    Last edited: Sep 28, 2015
  7. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
  8. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,104
    Location:
    .
    Hi siketa,
    Thanks
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I stand corrected, it was a little over 2 years ago. I apologize, I am too busy trying to get VS 3.0 ready to take the time to look up specific dates for my responses... for questions that I should not even bother answering in the first place.

    Here is what I should have said.

    With the exception of the targeted attack that Fabian designed for the working prototype VS 1.0 version in July of 2013, no one has EVER bypassed VS because of a design flaw. And this design flaw was fixed with the release of VS 2.0. BTW, I need to mention that Fabian designed the targeted attack as a favor to us, and I appreciate his help in doing so.

    Given enough time, ANY software is theoretically susceptible to a targeted attack. And there is a HUGE difference between a targeted attack and the general attacks that we see in the real world everyday.

    My point is this. People either love VS or hate VS, for the most part there is no in between. I have begged everyone, especially our haters to find a way to bypass VS, mainly because it will help us harden it. Don't you think that my haters have tried and tried to bypass VS? I truly would LOVE to see someone bypass it, because there is not a chance that I developed the perfect computer lock pretty much on my own. That, or maybe there is such a thing as luck of the Irish.
     
    Last edited: Sep 29, 2015
  10. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    It was a targeted attack.
     
  11. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,718
    Location:
    Gaia
    No need to apologize, Danny boy!
    Just wanted to correct this info so it could potentially be of use to someone.... :)
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I see, thank you, I appreciate that!

    Vlad is going to be releasing VS 3.0 very, very soon. I am thinking today or tomorrow... then he will probably respond to the posts and I will probably take a break from wilders for a while;). It was fun defending against all of these attacks for a while... I was literally laughing out loud while writing my responses, but now it is kind of boring to be honest (defending against the attacks).
     
    Last edited: Sep 29, 2015
  13. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This is exciting news, Dan. I am incredibly happy for you and for everything that you've accomplished. And without a doubt, everyone here would agree, you need a vacation. Or at least some time away from the things that you normally work very hard with. You need some time to rest up so that you don't stifle any of your future creativity. You've got to give that creative mind a break from time to time. And I am very glad that you've got Vlad on board as well, it sounds as though everything is going phenomenally well there. Keep up the great work (after some well deserved time off)! :thumb:
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, I appreciate that! Yeah, no one is happier that Vlad is on board than I am ;). In a day or so you will see what I mean ;).
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Do you ever have that feeling while you are working on a project or something, and you are like "man, I know I am forgetting something." And it kind of drives you crazy until you figure out what it is that you are forgetting? Or maybe something is at the tip of your tongue, but you cannot quite figure it out? That drives you crazy as well.

    Well, imagine dealing with that for 2-3 years ;). THAT is why I want someone to bypass VS.
     
  16. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,331
    Location:
    USN Retired 1969 ~ 1992
    Yeah Dan I know what you mean. I get that almost every day! I guess for me that's old age. :argh: :argh:
     
  17. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @VoodooShield @ProTruckDriver Thank goodness for Sticky Notes! I don't know what I would do without sticky notes, both physical sticky notes and also digital sticky notes all over my computer. :D
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,929
    Location:
    The Netherlands
    I'm assuming it is, because VS would easily block disk based payloads. If I'm correct, with Metasploit it's possible to use "exotic" exploits which will work in-memory. Like I said, anti-exe won't stop this. I agree with the fact that in real life, you almost never see these kinds of exploits. But to cover all bases I would advise, anti-exe + anti-exploit + HIPS.

    I'm not following you, because in theory, in-memory malware can do damage without actually having to create new processes. But keep in mind that my post was not meant to criticize VS, I just wanted to clarify stuff.

    Yes correct, people that don't understand the difference between in-memory and disk based exploits will see it as a bypass. But you clearly do, so perhaps it's not fair to label it as a "bypass".
     
  19. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,104
    Location:
    .
    Yeah, for sure. It was still an interesting read.
    Great to see you consistently challenging all comers. Admire and Respect to you and VS.
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I read a lot of stuff on poweliks last night, and VS would block on several different levels.

    But to keep it simple... Does poweliks attempt to create a process? If the answer is yes, then VS would block it.

    How can "in-memory malware can do damage without actually having to create new processes" as you suggested? If you have some info on this, please let me know, I would be really curious.
     
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    This person did say he or she would create a bypass for money. Right?
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Yawn. It is so easy to say I could create a bypass if you pay me a million bucks, knowing full well no one will do it. All it proves is they know how to play poker.
     
  23. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,059
    :thumb::thumb: Well said.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am curious if he can write a real world, non-targeted attack that will bypass VS. If that is the case, then VS 2.0 is clearly bypassable by everyone's definition. I guess we will see ;).
     
  25. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, please see the other thread. Hehehe, we should probably just post on this thread or something ;).
     