I don't have any problems with calling VS "anti-exploit", even though it's a payload blocker (disk based) and doesn't stop the actual exploit like MBAE and HMPA do. However, in this case old versions of HMPA would not have blocked the exploit, and that's why anti-executables like EXE Radar and VS might come in handy. What payload did rundll32.exe deliver?
Hey Dan, can we get just an estimate on a release date target for the next version of VoodooShield? Thanks buddy.
In your example I assume you have created P:\ with ImDisk, and V:\ not; is that correct? Because I don't see V:\ in ImDisk Virtual Disk Driver and you have run Cent from V:\. I can see my RAM disk in Explorer the same as in your example; there isn't a C:\Device\.. directory. I tried creating a RAM disk with ImDisk Virtual Disk Driver, ImDisk RAM disk, via cmd and even installing the original ImDisk (non-GUI); nothing has worked. Also, which OS are you using? In Win 7 I have no problem, only with Win 10.
OK so rundll32.exe was used to start the DoublePulsar backdoor. So would AE have blocked this kernel component? And I suppose WannaCry could have been also started directly via lsass.exe, or was DoublePulsar needed for this? I'm sorry but I'm a bit confused.
In fact rundll32.exe isn't exploited, but lsass.exe. After some deeper research, we found out that EB drops a DLL in the root of the system to abuse SMB 1.0/2.0. Via EB, we upload DoublePulsar (the dropper), injecting itself into lsass.exe, which spawns the child rundll32.exe (Dan's video stops here). If we continue, rundll32.exe will load a shell (i.e. cmd.exe) which allows the attacker to have access to the target machine with "System" privilege level. The best explanation of the attack I found is here: https://hackernoon.com/eternalpulsar-a-practical-example-of-a-made-up-name-629737170a9e
Blocking the DLL should normally (if I understand well) forbid the upload of DP and so terminate the attack. I don't have the exploit, but in theory if lsass.exe is blocked from running, the attack should stop here. The problem is that lsass.exe is a crucial process; blocking it may bork the OS at some point.
Yes, it is why those crafty malcoders chose it. BTW, I edited my post above. DoublePulsar is a backdoor and shellscript platform. Without DP, the attack fails. In fact, @mWave was right here: VS & ERP didn't block DP from exploiting the kernel; lsass.exe was already owned. VS/ERP blocked lsass.exe from spawning rundll32.exe.
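The two posts above describe the chain that VS/ERP interrupted: lsass.exe spawning rundll32.exe, which then loads a shell. Since lsass.exe has no legitimate reason to create child processes, a parent check on every process creation is where an anti-executable or a SIEM rule can catch it. The following is an added example, not code from the thread or from any product discussed in it; the records are constructed in the shape of Sysmon Event ID 1 fields and the function name is mine.

```powershell
# Added example: walk process-creation records upward and flag anything whose
# ancestry passes through lsass.exe. Constructed sample events, not real telemetry.
$events = @(
    [pscustomobject]@{ ProcessId=600;  ParentProcessId=500;  Image='C:\Windows\System32\lsass.exe' },
    [pscustomobject]@{ ProcessId=900;  ParentProcessId=700;  Image='C:\Windows\System32\svchost.exe' },
    [pscustomobject]@{ ProcessId=3100; ParentProcessId=600;  Image='C:\Windows\System32\rundll32.exe' },
    [pscustomobject]@{ ProcessId=3200; ParentProcessId=3100; Image='C:\Windows\System32\cmd.exe' },
    [pscustomobject]@{ ProcessId=4000; ParentProcessId=1800; Image='C:\Windows\System32\rundll32.exe' }
)

function Find-LsassSpawnChain {
    param([object[]]$ProcessEvents)
    # Index by ProcessId so the ancestry of any event can be followed upward.
    $byPid = @{}
    foreach ($e in $ProcessEvents) { $byPid[$e.ProcessId] = $e }

    foreach ($e in $ProcessEvents) {
        $chain     = @($e.Image)
        $cur       = $e
        $fromLsass = $false
        # Follow parent links until an lsass.exe ancestor is found or the root is reached.
        while ($cur -and $cur.ParentProcessId -and $byPid.ContainsKey($cur.ParentProcessId)) {
            $cur    = $byPid[$cur.ParentProcessId]
            $chain += $cur.Image
            if ((Split-Path $cur.Image -Leaf) -ieq 'lsass.exe') { $fromLsass = $true; break }
        }
        if ($fromLsass) {
            # A shell at the end of the chain is the stage the thread describes after rundll32.exe.
            $leaf = Split-Path $e.Image -Leaf
            $severity = 'medium'
            if ($leaf -in 'cmd.exe', 'powershell.exe') { $severity = 'high' }
            [pscustomobject]@{
                Severity = $severity
                Chain    = ($chain[($chain.Count - 1)..0] -join ' -> ')
            }
        }
    }
}

Find-LsassSpawnChain -ProcessEvents $events | Format-Table -AutoSize
```

On the sample above only the rundll32.exe and cmd.exe records with lsass.exe in their ancestry are reported; the rundll32.exe started under explorer.exe is not.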
I wasn't thinking about blocking lsass.exe. I was thinking MZWriteScanner would detect the DLL and block it from running.
So, question: with the backdoor created on the system with AppGuard running with default settings, was the system owned too, or is this subject one-sided and not to be discussed here?
That is still a valuable way to mitigate the damage. You can try to stop malware from thousands of different doors they may come through, or monitor the one door in the end that they must all go through. That's more of the method of an AE. Layered Security is the key. It's easier to mitigate the damage in the end than to stop thousands of different attack vectors.
Yes, AG was owned too. In fact none of the products tested in Dan's video were able to block the kernel exploit.
Exactly, and note that kernel exploits are the hardest things to block, especially when delivered via an abused machine in the network (as opposed to a weaponized file). AppGuard LLC recommends using AG alongside an AV and a firewall; AG is one of the possible layers, as well as VS and other anti-exes.
I wish Dan could give us the rundll32 command line that both VS and NVT ERP blocked; it would be very informative.
Correct. V:\ is a persistent RAM disk mounted on boot by SoftPerfect RAM Disk software. I copied the portable version of Cent Browser to V:\ and launched it. VS detected it and it worked fine. The drive P:\ in the screenshot was just a test drive I created. If that path doesn't exist then I'd say it's a problem with VS. On the other hand I've known some security software to create similarly named paths when running items sandboxed. I'm using Windows 7. Take a look at this: Imdisk-create-ramdisk-6gb-windows-10 I don't have a Windows 10 machine that I can test on.
VS COMPLETELY blocked the installation of DP. My extended response is in one of the comments of the original YouTube video. At least now you understand that the products where DP was installed were fully pwned. We are halfway there... now you just have to understand that VS blocked the EB exploit from installing DP... which is clearly demonstrated in my video, and in this link (that guest supplied): https://hackernoon.com/eternalpulsar-a-practical-example-of-a-made-up-name-629737170a9e Then you will understand what really happened. I really, really am tired of this. I am going to take an extended break from VS... I have a lot of business paperwork to work on anyway, which is going to take a lot of time. When I return, if you guys finally figure out that VS blocked EB from installing DP, you do not need to apologize... but hopefully most of us will learn from this experience and grow up a little.
I know about SoftPerfect RAM Disk and there is no problem with VS if I use it, but newer versions are not free and I want to avoid it on Win 10, because I had a few crashes when I was using Insider Preview. The ImDisk driver is quite limited (to support all Windows NT versions) and the main problem is that some queries are not supported: VS expects to get the Win32 path name (P:\) but will get the native path name (\Device\ImDisk0\).
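The post above is about the gap between the NT native path a driver reports (\Device\ImDisk0\...) and the Win32 drive-letter form (P:\...) that an anti-executable expects. One way to close that gap is to read the DOS device table, which maps every drive letter to its device name, and rewrite the prefix. This is an added example, not code from the thread, VS or ImDisk; the function names are mine, the kernel32 QueryDosDevice call is the documented Windows API, and the path and the sample mapping at the end are constructed so the translation can be seen on a host without an ImDisk drive.

```powershell
# Added example: translate an NT native path into its Win32 drive-letter form.
Add-Type -Namespace Win32 -Name DosDevice -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@

function Get-DriveLetterDeviceMap {
    # Returns a hashtable of NT device name -> drive letter, e.g. '\Device\HarddiskVolume2' -> 'C:'.
    $map = @{}
    foreach ($code in 65..90) {
        $drive  = [string][char]$code + ':'
        $target = New-Object System.Text.StringBuilder 1024
        # QueryDosDevice returns 0 for letters that are not currently mapped.
        if ([Win32.DosDevice]::QueryDosDevice($drive, $target, [uint32]$target.Capacity) -gt 0) {
            $map[$target.ToString()] = $drive
        }
    }
    return $map
}

function Convert-NativePathToWin32 {
    param(
        [Parameter(Mandatory)][string]$NativePath,
        [hashtable]$DeviceMap = (Get-DriveLetterDeviceMap)
    )
    # Take the longest matching device prefix so \Device\HarddiskVolume1 is not
    # confused with \Device\HarddiskVolume10; return the input unchanged if nothing matches.
    $best = $DeviceMap.Keys |
        Where-Object { $NativePath.StartsWith($_ + '\', [System.StringComparison]::OrdinalIgnoreCase) } |
        Sort-Object Length -Descending |
        Select-Object -First 1
    if (-not $best) { return $NativePath }
    return $DeviceMap[$best] + $NativePath.Substring($best.Length)
}

# Constructed mapping standing in for a host where ImDisk mounted P:\ and C:\ is the system volume.
$sampleMap = @{ '\Device\ImDisk0' = 'P:'; '\Device\HarddiskVolume2' = 'C:' }
Convert-NativePathToWin32 -NativePath '\Device\ImDisk0\tools\app.exe' -DeviceMap $sampleMap
# Same call against the live device table of the machine this runs on.
Convert-NativePathToWin32 -NativePath '\Device\ImDisk0\tools\app.exe'
```

With the constructed mapping the first call yields the P:\ form of the path; the second only does so on a host where an ImDisk volume is actually assigned a letter.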
It might be a while... although I will probably release a new version soon with the 2 small fixes from the EB/DP test. VS blocked DP, but there are 2 things that I can improve on, and they are super easy fixes to implement... so why not? Thank you!