VoodooShield ?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
Thanks for the link, and yes I know that lsass.exe was exploited, but I was surprised that it needed rundll32.exe to execute the DoublePulsar payload. But perhaps that's not relevant because I suppose any child process that is spawned via lsass.exe would have been blocked with anti-executables like VS and ERP, so this was a nice demonstration of the effectiveness of these kinds of tools.

    Doesn't AG block child processes spawned by system processes like lsass.exe from running?

    Thanks for the info. To clarify, I didn't doubt it, I was just trying to figure things out, so I'm not one of those whining kids. :D
     
  2. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    :thumb::thumb:
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
Thank you, but no one is bringing me down ;). Besides, they are pretty close to understanding what really happened (and I do not mind finishing the job of helping them realize what happened)... hopefully they will test for themselves next time and we can save everyone a lot of time and frustration.

All I can say... Pete and guest are going to owe me A LOT of beers in Vegas. I will pay for their airfare and hotel, and they can buy my drinks. They will be spending more money than me ;).
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, this information is not going to help anyone at all... but since it was requested...

    For the VS DP block, the parent process was c:\windows\system32\lsass.exe
    And the command line was: rundll32.exe

It is a very long story, but this is one of the two things that I have to fix... basically, I never expected the command line to only be rundll32.exe (pretty tricky if you ask me). So I just need to insert a small if-then statement and basically say... if the commandline = "rundll32.exe" then do this...

    Either way DP was blocked, so our "anti-exploit" mechanism is working correctly, but it will take all of 3 minutes to do this right.

    When this is all said and done... we can figure out the name for our "anti-exploit" feature. My opinion? If VS's works for this attack, but specialty products do not, it is probably okay to keep the name as it is. But we can figure that out later. Thank you!
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    It's totally cool, I want the truth to come out ;).
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    LOL, good one. BTW, what I don't understand is that when lsass.exe is exploited, does it always have to spawn a child process in order to run a malicious payload? The reason I ask is because I assumed a payload can also be in-memory, running from inside the exploited process. With that I mean, it can then perform malicious behavior from inside the exploited process with system privileges.
     
  7. VecchioScarpone

    VecchioScarpone Registered Member

    Joined:
    Aug 29, 2015
    Posts:
    332
    Location:
    Down Under the Southern Cross
[QUOTE]All I can say... Pete and guest are going to owe me A LOT of beers in Vegas. I will pay for their airfare and hotel, and they can buy my drinks. They will be spending more money than me ;).[/QUOTE]

    http://www.pic4ever.com/images/funny.gif
     
  8. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Sure thing, Thanks brother. ;)
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    Yes I agree, it's an anti-exploit feature for sure. The way I see it, is that tools like VS and ERP can not block in-memory payloads, but they can block disk based payloads that are triggered by exploits. You need a tool like HMPA to block in-memory payloads, but you rarely see malware that is running completely in-memory. The best thing is probably to combine both anti-executable with anti-exploit.
     
  10. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Crap, you and me both brother. Get some rest :)
     
  11. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This is PURE SPECULATION, and I will not know until I test, but I would suspect that VS would block an in-memory attack, the exact same way it would block something that writes to disk... even for an attack as nasty as this. Basically, just because something is persistent (writes to disk), does not mean that it does not create a new process. Having said that, I am hoping that mWave will test with EB and find something that will get through.

    If anyone else finds such an attack, I would be happy to test and post the results whether VS fails or not.

    5-6 years ago, I would get upset when someone would demonstrate a proper bypass of VS... but now I welcome it, and would be highly thankful that they spent the time to help me make VS better and more secure. The only thing that is annoying to me is when people brag that they can bypass ANY security software, without actually demonstrating a proper bypass. The reason it is annoying is that it can take 10-20 hours of my time... and it is all for nothing.
     
  12. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, I think I will ;).
     
  13. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    775
    Location:
    Melbourne, Australia
    I think there needs to be two threads:

    one for the geeks that know what they are talking about to discuss the intricacies of VS blocking/allowing this, that or t'other (when Mwave, guest and crew get going I sit here bemusing my lack of knowledge);

    another for noobs like me, the existing thread, that post product questions, like the one I posted about CFW. Direct me to video reviews showing what a great job VS did, and other simple stuff. If it's something complicated ask CS to explain it. Seriously, keep it simple.

    Any new, noob customer that had come to this thread over the past day would have gone away clouded in FUD thinking VS is not for me.

    The other thing I suggest, Dan, is that you never again announce you are taking a break from VS because some people ain't getting your point. Not a good signal to your target market: noobs who need their PC locked.
     
  14. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    146
    Location:
    London UK
Okay, back to ImDisk. I just mounted a drive (P:\) and VS detects the path okay. I didn't keep Cent Browser handy, so I used Iron to test as I already had a copy.

    VoodooShield Iron.jpg

    [05-31-2017 22:51:06] [INFO ] - Allowed: ironportable.exe, p:\ironportable\ironportable.exe
    [05-31-2017 22:51:30] [INFO ] - Process allowed by Parent Process: p:\ironportable\iron\chrome.exe
    [05-31-2017 22:51:35] [INFO ] - Process blocked by Custom Folders: p:\ironportable\iron\chrome.exe
    [05-31-2017 22:52:12] [INFO ] - Blocked: p:\ironportable\iron\chrome.exe
    [05-31-2017 22:52:27] [INFO ] - Process allowed by User Clicking Allow or Install: p:\ironportable\iron\chrome.exe
    [05-31-2017 22:52:27] [INFO ] - Allowed: chrome.exe, p:\ironportable\iron\chrome.exe
[05-31-2017 22:52:29] [INFO ] - Process allowed by Current Whitelist Snapshot: p:\ironportable\iron\chrome.exe

To create P:\ I did this:

    Navigated to system32 and opened an admin command prompt (Shift+Right Click menu). Used the following command:

    imdisk -a -s 512M -m P: -p "/fs:ntfs /q /y"

A 512 MB NTFS-formatted drive appears in Explorer with drive letter P:\

    Interesting that VS sees the drive


    VoodooShield ImDisk P.jpg

    but Puran File Recovery does not.

    Computer.jpg



    If you compare the following info for P:\ Imdisk vs V:\ Softperfect RamDisk it does seem to indicate a problem with Imdisk but I can't explain it!

    SIV64X.jpg
     
  15. VecchioScarpone

    VecchioScarpone Registered Member

    Joined:
    Aug 29, 2015
    Posts:
    332
    Location:
    Down Under the Southern Cross
    +1:thumb:
     
  16. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    I think they should remember "Action speaks louder than words"
     
  17. guest

    guest Guest

SRP/anti-exe are post-exploit protections; anti-exe are not anti-exploits like EMET or HMPA... they block what these exploits may do afterwards, like uploading and executing ransomware or keyloggers.
The reason AppGuard did not block the exploit is that AppGuard does not apply a policy to the kernel.

In the screenshots below, that is how DP works.

1- DP's target is lsass.exe (photos 1 & 2), but DP has the "rundll" functions to load additional DLLs or a shell (like cmd.exe) via rundll32.exe (which will be blocked by VS and ERP in Dan's video).
2- The DLL is injected and it succeeded (photo 3).

As you see, rundll32.exe is not used as the primary attack vector; it is lsass.exe, and VS and ERP don't block it from being injected, however they block it from spawning other DLLs via rundll32.exe.
VS is a fine piece of software, for me in the top 3 anti-exe, but surely not a full-fledged anti-exploit; if it were, lsass.exe would not spawn rundll32.exe, the one blocked by VS. We see it in the video.

Now AG, ERP, VS and others can block some exploits loaded via executables (powershell, etc...) but not the kind of kernel exploit like DP. This doesn't mean those products are bad, but they just aren't made for it; if Dan wants to add some EMET-style exploit protection to VS, it will be good for VS' users, but I doubt he will do it.

I'm not whining either, I don't have stock options in those companies, I'm just a beta tester and I just like things to be explained clearly so the average user doesn't get the wrong idea that some products do things they can't or aren't supposed to do.

I will stop here about DP; after all it is the VS thread, not a DP one.
     

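The parent-process check Dan describes in post #4 (a block keyed on lsass.exe as parent and a command line that is only "rundll32.exe") and guest's point in post #17 (anti-exe is a post-exploit control: it acts on what the exploited process spawns, not on the exploit itself) can be made concrete with a small policy run over process-creation events. The block below is an added illustration written for this page; it is not VoodooShield's, ERP's or AppGuard's code. The event fields, the protected-parent set, the allowlist and every sample event are constructed for the example and are assumptions, not captured data.

```python
"""Parent-process / command-line policy in the style of an anti-executable.

Added illustration only: this is not VoodooShield's, ERP's or AppGuard's code.
The event fields, the protected-parent set, the allowlist and the sample events
below are all constructed for the example.
"""
from dataclasses import dataclass
import ntpath

# System processes that should never spawn children in normal operation.
# (Assumed list; lsass.exe is the one the thread is about.)
PROTECTED_PARENTS = {r"c:\windows\system32\lsass.exe"}

# Full-path allowlist, the kind of snapshot an anti-exe takes at install time.
ALLOWLIST = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass
class ProcessCreate:
    """One process-creation event as a driver or ETW consumer would see it."""
    parent_image: str   # full path of the creating process
    image: str          # full path of the new process, as resolved by the OS
    command_line: str   # raw command line, which may omit the path entirely
    user: str = "NT AUTHORITY\\SYSTEM"


def norm(path: str) -> str:
    """Case-fold and normalise a Windows path so set lookups are reliable."""
    return ntpath.normpath(path).lower()


def evaluate(ev: ProcessCreate):
    """Return ("allow" | "block", reason) for one event."""
    parent = norm(ev.parent_image)
    image = norm(ev.image)
    argv = ev.command_line.split()

    # Rule 1: a child of a protected system process is blocked no matter how
    # trusted the child binary is. lsass.exe has no business launching anything.
    if parent in PROTECTED_PARENTS:
        return "block", f"child of protected process {ntpath.basename(parent)}"

    # Rule 2: rundll32.exe needs a DLL (and usually an entry point) to do anything.
    # A command line that is literally just "rundll32.exe" is the corner case
    # described in post #4: matching on the command line alone would miss it,
    # so we key on the OS-resolved image path and look at the argument count.
    if ntpath.basename(image) == "rundll32.exe" and len(argv) < 2:
        return "block", "rundll32.exe launched without a DLL argument"

    # Rule 3: default deny against the full-path allowlist.
    if image in ALLOWLIST:
        return "allow", "image on allowlist"
    return "block", "image not on allowlist"


def evaluate_stream(events):
    """Apply the policy to an ordered list of events; returns (child, decision, reason)."""
    return [(ntpath.basename(norm(ev.image)),) + evaluate(ev) for ev in events]


# --- constructed sample events -------------------------------------------

# The sequence the thread describes: an exploited lsass.exe spawns rundll32.exe
# with a command line of just "rundll32.exe".
BACKDOOR_SPAWNS_RUNDLL32 = [
    ProcessCreate(r"C:\Windows\System32\lsass.exe",
                  r"C:\Windows\System32\rundll32.exe",
                  "rundll32.exe"),
]

# Ordinary activity the policy must let through.
BENIGN = [
    ProcessCreate(r"C:\Windows\explorer.exe",
                  r"C:\Windows\System32\rundll32.exe",
                  r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                  user="HOST\\user"),
    ProcessCreate(r"C:\Windows\System32\services.exe",
                  r"C:\Windows\System32\svchost.exe",
                  "svchost.exe -k netsvcs"),
]

# A payload that stays inside the already-compromised lsass.exe never creates a
# process, so the stream an anti-exe consumes is simply empty for that activity.
IN_MEMORY_ONLY = []


if __name__ == "__main__":
    for name, stream in [("backdoor", BACKDOOR_SPAWNS_RUNDLL32),
                         ("benign", BENIGN), ("in-memory", IN_MEMORY_ONLY)]:
        print(name, evaluate_stream(stream))
```

Two design points worth noticing. The decision is keyed on the image path the kernel resolved, not on the command-line string, which is why a bare "rundll32.exe" with no path still matches the allowlist entry and still trips the argument-count rule. And the empty IN_MEMORY_ONLY stream is the whole of Rasheed's question in post #6: a payload that never leaves the exploited process generates no event for a process-creation policy to act on, which is the gap an exploit mitigation product covers and an anti-executable does not.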

  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Pete and guest, if this turns out to be true (which it looks like it is)... this is exactly why I was concerned about the EB/DP threat. I had a sneaking suspicion that something like this happened, since the attack spread like wildfire, but I did not want to speculate. BTW, from what I could tell... CET was curious like me, and questioned how this attack spread so fast... like "how the heck did it spread so fast?". Now we know.

    https://www.infosecurity-magazine.com/news/wannacry-didnt-start-with-phishing/

    Also, keep in mind, the last year or two, we have been hearing more and more about router vulnerabilities. There was a recent one just a few months ago... a big one.
     
    Last edited: May 31, 2017
  19. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
I am only going to explain this one other way. When you watch my test video, during the VS test you clearly see rundll32.exe being killed, and you ALSO clearly see how the session is not created. Those are two 100% absolute indications that DP failed.

    For the products where the attack succeeded, when I manually exit out of the session, the child process rundll32.exe of lsass.exe closes... it closes DP.

    If you tested this attack, you would understand this immediately. It is not like this is something that is questionable or disputable... in any way.

    For example, when I open firefox on my computer... firefox.exe shows up in the task manager. When I close firefox, it disappears from the task manager.

    This is not an analogy... the evidence is literally that conclusive.
     
    Last edited: May 31, 2017
  20. guest

    guest Guest

DP uses reflective DLL injection, in-memory only, and I highly suspect it doesn't use any vulnerable processes to inject itself into lsass.exe, so that is why it can't be blocked by anti-exe but by anti-exploits. This attack is nasty and simple... we have to worry; worse is coming.

I don't dispute this; what I say is that lsass.exe was already owned. If not, we wouldn't have the rundll32.exe being launched. DP is about lsass.exe being injected and used as a backdoor; rundll32.exe is a "tool" used by the exploited lsass.exe to run a shell or whatever to interact with the attacker.

Check the screenshots above, all is about lsass.exe; rundll is just a function of DP.
     
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Well, if lsass.exe is pwned, then why did VS block DP?

    Please do not get me wrong... I am not saying that VS is perfect, but this is why we need to stay vigilant and adapt. For now, it appears that blocking directly after the first stage is acceptable, but who knows what people will come up with one day. I am rooting for mWave to come up with something... and I am not joking at all about that.

    Hopefully now that you see that this is a true concern, and a BFD, you will also understand that I was not grandstanding or lowering my standards in any way. I knew people's initial reaction would not be great... but I also knew that once they understood how big of a deal this attack was, and how very, very few security products actually defend against this type of attack, that they would understand my real intentions. I knew it was a BFD (especially considering the malwarebytes article above)... and it was worth it to me to get you guys to realize how big of a deal this is, and how much worse it could potentially become (like you were saying). So if people were mad at me for a few days... well everyone will get over it.

    The alternative is that I could have not said anything, and we all bury our heads in the sand.

    Anyway, so now you know. Here is a quick and dirty video that shows the attack in a little more detail (just AG and VS).

    https://youtu.be/9bE_6ny6yVk

    I really am done with this for now... this has been an exhausting 4-5 days.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,536
    Location:
    USA
Dan, I think I have a super easy solution for those who say VS makes false claims with its Anti-Exploit feature. I can't remember the exact name for the feature in the UI since I don't have VS installed right now due to doing some exercises for my Networking and Database courses. I keep having to roll my machine back.

I was thinking you could call VS's Exploit feature "Exploit Mitigation", since mitigation of exploits can be using any effective method to mitigate the threat. If you want to call the feature Anti-Exploit I don't see a problem with it myself (not sure about others) as long as you explain that SRP is being used. I would use this description right next to the feature in the UI (uses SRP to enhance protection against Exploits). Users who don't know what SRP is are not the ones complaining, and those who do have a deeper understanding of security don't really have any basis for an argument because you are being very clear in the method you are using to mitigate exploits.

    I would just give SRP as a description of the feature like I have below so that you don't give out specific information that hackers can use against your product.

    IMO, Whitelisting in combination with SRP is the most effective means for combating any threat, including exploits. SRP when done right is extremely effective in mitigating exploits.

    Well, it's only advice, and you may look at what I have below, and think of something even better. I think the key is a brief explanation that SRP is the mechanism being used. I don't believe it's necessary that you give out the SRP policy being used, that will just be helping out the hackers.

    Exploit Mitigation (Uses SRP to Enhance Protection Against Exploits)
    Anti-Exploit (Uses SRP to Enhance Protection Against Exploits)

    Edited 6/1/17 @ 12:06
     
    Last edited: Jun 1, 2017
  23. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,000
    During the VS section of the video it was stated "Exploit completed, but no session was created"

    Doesn't this confirm what guest was saying?
     
  24. guest

    guest Guest

VS blocked DP from spawning (via rundll32.exe) a shell allowing Kali to interact with the target system, you get it?

Yes, it is acceptable; like AG would block any executable (malicious exe, etc...) uploaded to the target system, VS & ERP (because of their default policy) just do it one step ahead of AG, that is it.
The true goal of AG/VS/ERP isn't to stop the kernel exploit itself but to stop what this exploit may execute subsequently, based on policies.
In the videos lsass.exe is a system process (rundll32 is running as NT AUTHORITY\SYSTEM) and AppGuard Consumer does not protect it (only Business does). All the malicious code is being executed in memory in a nonstandard way. Then the kernel is compromised. AppGuard does not touch the kernel. How can you apply policy to the kernel with PatchGuard? Even VS can't.

I knew from the start bro, but the way your video was made wasn't very fair to all products, because you stopped at the kernel exploit, where AG has nothing to do. If you had gone further, uploading a malicious exe onto the target system and trying to launch it, then it would be fair.
Your video should show the whole attack, not just a part of it, and also mention that the exploit needs specific conditions in place.

Don't stop here after launching the shell (cmd); you had to use it and upload a malicious file and run it, that is the goal of the whole attack, not just creating a shell... it is pointless to do so...
     
    Last edited by a moderator: Jun 1, 2017
  25. guest

    guest Guest

Exactly! The exploit was successful but the further attempt to continue the attack (launching the shell aka cmd.exe) is stopped.

As you can see the interpretation varies from one video to another; the whole picture must be shown, not just a part of it. Doing so is like manipulating the interpretation.
This is the whole point I was trying to demonstrate. I don't care which one is better, I just want things to be made correctly and fairly.

A proper video should go even further, to the point where the attacker via Kali uploads a malicious file (say a ransomware like WannaCry does) via the shell to the target system; then I'm sure any anti-exe/SRP will block the ransomware from executing.
     
    Last edited by a moderator: Jun 1, 2017