VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,629
    Location:
    The Netherlands
    I don't have any problems with calling VS "anti-exploit", even though it's a payload blocker (disk based), and doesn't stop the actual exploit like MBAE and HMPA do. However, in this case old versions of HMPA would not have blocked the exploit, and that's why anti-executable like EXE Radar and VS might come in handy.

    What payload did rundll32.exe deliver?
     
  2. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Hey Dan, can we get just a estimate on a release date target for the next version
    of VoodooShield ? Thanks buddy.
     
  3. guest

    guest Guest

    It's DoublePulsar's part; it creates the permanent backdoor.
     
  4. oZone

    oZone Registered Member

    Joined:
    Jan 18, 2017
    Posts:
    33
    Location:
    Earth
    In your example I assume you created P:\ with ImDisk and V:\ not, is that correct? Because I don't see V:\ in ImDisk Virtual Disk Driver.

    And you ran Cent from V:\.

    I can see my ramdisk in Explorer, the same as in your example; there isn't a C:\Device\.. directory.

    I tried creating a ramdisk with ImDisk Virtual Disk Driver, ImDisk RAMdisk, via cmd, and even installing the original ImDisk (non-GUI); nothing has worked.

    Also, which OS are you using? In Win 7 I have no problem, only with Win 10.
     
  5. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    834
    Location:
    Melbourne, Australia
    If you want to run VS alongside CFW does one need to uncheck child processes, or not?
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,629
    Location:
    The Netherlands
    OK, so rundll32.exe was used to start the DoublePulsar backdoor. So would AE have blocked this kernel component? And I suppose WannaCry could also have been started directly via lsass.exe, or was DoublePulsar needed for this? I'm sorry, but I'm a bit confused.
     
  7. guest

    guest Guest

    In fact, rundll32.exe isn't exploited, but lsass.exe is.
    After some deeper research, we found out that EB drops a DLL in the root of the system to abuse SMB 1.0/2.0.
    Via EB, we upload DoublePulsar (the dropper), injecting itself into lsass.exe, which spawns the child rundll32.exe (Dan's video stops here); if we continue, rundll32.exe will load a shell (i.e. cmd.exe) which allows the attacker to access the target machine with "System" privilege level.

    The best explanation of the attack I found is here:
    https://hackernoon.com/eternalpulsar-a-practical-example-of-a-made-up-name-629737170a9e
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    So if you can block the DLL, then it's game over?
     
  9. guest

    guest Guest

    Blocking the DLL should normally (if I understand well) prevent the upload of DP and so terminate the attack.
    I don't have the exploit, but in theory if lsass.exe is blocked from running, the attack should stop there. Problem is that lsass.exe is a crucial process; blocking it may bork the OS at some point.
     
  10. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,649
    Location:
    USA
    If Lsass.exe is blocked from running it will definitely bork the OS.
     
  11. guest

    guest Guest

    Yes, it is why those crafty malcoders chose it.

    BTW, edited my post above.

    DoublePulsar is a backdoor and shellscript platform. Without DP, the attack fails.

    In fact, @mWave was right here: VS & ERP didn't block DP from exploiting the kernel, lsass.exe was already owned; VS/ERP blocked lsass.exe from spawning rundll32.exe.
     
    Last edited by a moderator: May 31, 2017
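    The parent/child relationship described in the two posts above (lsass.exe spawning rundll32.exe, which then loads cmd.exe) is also what a defender can hunt for in process-creation telemetry, since lsass.exe legitimately spawns almost nothing. The following is an added example, not code from this thread or from VoodooShield/ERP; the events, field names (pid, ppid, image, parent_image, cmdline) and values are constructed in a simplified Sysmon Event ID 1 style.

    ```python
    """Flag any process whose parent is lsass.exe and report the chain beneath it."""
    import ntpath
    from collections import defaultdict

    # Living-off-the-land binaries seen in the EB/DP chain; a child of lsass.exe
    # that is one of these is rated higher than an unknown child.
    LOLBIN_CHILDREN = {"rundll32.exe", "cmd.exe", "powershell.exe", "regsvr32.exe"}

    # Constructed sample events (not real telemetry). The chain lsass -> rundll32
    # -> cmd mirrors the thread's description; explorer -> rundll32 is benign noise.
    EVENTS = [
        {"pid": 612, "ppid": 480, "image": r"C:\Windows\System32\lsass.exe",
         "parent_image": r"C:\Windows\System32\wininit.exe", "cmdline": "lsass.exe"},
        {"pid": 3320, "ppid": 612, "image": r"C:\Windows\System32\rundll32.exe",
         "parent_image": r"C:\Windows\System32\lsass.exe", "cmdline": "rundll32.exe"},
        {"pid": 3456, "ppid": 3320, "image": r"C:\Windows\System32\cmd.exe",
         "parent_image": r"C:\Windows\System32\rundll32.exe", "cmdline": "cmd.exe"},
        {"pid": 4100, "ppid": 2200, "image": r"C:\Windows\System32\rundll32.exe",
         "parent_image": r"C:\Windows\explorer.exe",
         "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    ]

    def image_name(path):
        """Lower-cased file name of a Windows path (works off-Windows via ntpath)."""
        return ntpath.basename(path).lower()

    def detect_lsass_children(events):
        """Return one alert per direct child of lsass.exe, with its descendant chain."""
        children = defaultdict(list)
        for e in events:
            children[e["ppid"]].append(e)

        def chain_from(ev):
            # Depth-first walk: this process, then everything it spawned.
            names = [image_name(ev["image"])]
            for child in children[ev["pid"]]:
                names.extend(chain_from(child))
            return names

        alerts = []
        for e in events:
            if image_name(e["parent_image"]) != "lsass.exe":
                continue
            child = image_name(e["image"])
            alerts.append({
                "pid": e["pid"],
                "severity": "high" if child in LOLBIN_CHILDREN else "medium",
                "chain": " > ".join(["lsass.exe"] + chain_from(e)),
                "cmdline": e["cmdline"],
            })
        return alerts
    ```

    On the sample the only hit is pid 3320 with chain lsass.exe > rundll32.exe > cmd.exe; the explorer.exe-launched rundll32.exe is not reported.
    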
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I wasn't thinking about blocking lsass.exe. I was thinking MZwritescanner would detect the DLL and block it from running.
     
  13. Nitty Kutchie

    Nitty Kutchie Registered Member

    Joined:
    Apr 10, 2015
    Posts:
    160
    So question: with the backdoor created on the system with AppGuard running with default settings, was the system owned too, or is this subject one-sided and not
    to be discussed here? :cautious:
     
  14. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,649
    Location:
    USA
    That is still a valuable way to mitigate the damage. You can try to stop malware from thousands of different doors they may come through, or monitor the one door in the end that they must all go through. That's more of the method of an AE. Layered Security is the key. It's easier to mitigate the damage in the end than to stop thousands of different attack vectors.
     
  15. guest

    guest Guest

    Yes, AG was owned too. In fact none of the products tested in Dan's video were able to block the kernel exploit.
     
  16. guest

    guest Guest

    Exactly, and note that kernel exploits are the hardest things to block, especially delivered via an abused machine in the network (as opposed to a weaponized file).
    AppGuard LLC recommends using AG alongside an AV and a firewall; AG is one of the possible layers, as well as VS and other anti-exes.
     
  17. guest

    guest Guest

    Probably, I never used this tool.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No it works, so I assume it would block this attack.
     
  19. guest

    guest Guest

    I wish Dan could give us the rundll32 command line that both VS and NVT ERP blocked; it would be very informative.
     
    Last edited by a moderator: May 31, 2017
  20. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    171
    Location:
    London UK
    Correct. V:\ is a persistent RAMdisk mounted on boot by SoftPerfect RAMdisk software. I copied the portable version of Cent browser to V:\ and launched it. VS detected it and it worked fine. The drive P:\ in the screenshot was just a test drive I created.

    If that path doesn't exist then I'd say it's a problem with VS. On the other hand I've known some security software to create similarly named paths when running items sandboxed.

    I'm using Windows 7. Take a look at this:

    Imdisk-create-ramdisk-6gb-windows-10

    I don't have a Windows 10 machine that I can test.

     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    VS COMPLETELY blocked the installation of DP.

    My extended response is in one of the comments of the original youtube video.

    At least now you understand that the products where DP was installed were fully pwned.

    We are half way there... now you just have to understand that VS blocked the EB exploit from installing DP... which is clearly demonstrated in my video, and in this link (that guest supplied): https://hackernoon.com/eternalpulsar-a-practical-example-of-a-made-up-name-629737170a9e

    Then you will understand what really happened.

    I really, really am tired of this. I am going to take an extended break from VS... I have a lot of business paperwork to work on anyway, that is going to take a lot of time.

    When I return, if you guys finally figure out that VS blocked EB from installing DP, you do not need to apologize... but hopefully most of us will learn from this experience and grow up a little.
     
  22. oZone

    oZone Registered Member

    Joined:
    Jan 18, 2017
    Posts:
    33
    Location:
    Earth
    I know about SoftPerfect RAMdisk and there is no problem with VS if I use it, but newer versions are not free,
    and I want to avoid it on Win 10 because I had a few crashes when I was using the insider preview.

    The ImDisk driver is quite limited (to support all Windows NT versions) and the main problem is that some queries are not supported: VS expects to get a Win32 path name (P:\) but will get a native path name (\Device\ImDisk0\).
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    It might be a while... although I will probably release a new version soon with the 2 small fixes from the EB/DP test. VS blocked DP, but there are 2 things that I can improve on, and they are super easy fixes to implement... so why not? Thank you!
     
  24. pablozi

    pablozi Registered Member

    Joined:
    Oct 24, 2010
    Posts:
    215
    Location:
    nowhere
    Who cares about those whining kiddies? Just do your thing Dan and don't let them bring you down!
     
  25. Gandalf_The_Grey

    Gandalf_The_Grey Registered Member

    Joined:
    Jan 31, 2012
    Posts:
    859
    Location:
    The Netherlands
    +1
     