VoodooShield?

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    993
    @Rasheed187

    Have you looked at the thread that Dan linked? It's possible your questions have already been answered there. Also considering how this discussion has gotten it might be best for you to post all your questions over at Malwaretips.
     
  2. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    697
    Location:
    Europe
    It's been a long time since I was last here. Is the beta v3.59 coming with all the features, or is it a limited beta version? No key needed?
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    The attack is actually extremely complex (and I do not claim to understand the entire thing ;)), but basically, when you see rundll32.exe spawn as a child process of lsass.exe, then you know DP has succeeded in being installed. Keep in mind, during the VS test, VS suspended the process while the mini user prompt was being displayed... you can tell it is suspended in this case because the memory utilization for rundll32.exe stays at 88 KB. When the memory utilization for rundll32.exe ramps up to 8,000 KB or so, then you know the machine is pwned.

    Yeah, guest said a lot of batty stuff there for a while (hehehe, just kidding guest). mWave's point was that in the test video for VS... the logging shows that EB succeeded. The thing is, it might have succeeded to a certain extent, but it certainly did not succeed enough to do the one thing it was supposed to do, which was to install DP. But mWave does have a point... and that is why I suggested that he use EB as a starting point, and see if he can figure a way to spawn a malicious payload other than DP, since it failed. Maybe using fileless malware or whatever. It might be possible, but I would think it would be extremely difficult since EB and DP were so nasty.

    Azure has a great point (thank you Azure)... there are a lot of answers in the other thread, and it would be kind of silly to repeat the same thing over and over. But if you have any questions that have not been answered by someone, please let me know. Thank you!
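    The indicator the post above describes (rundll32.exe appearing as a child of lsass.exe, and then whatever that rundll32.exe goes on to spawn) is easy to turn into a detection rule. The script below is an added example written for this page; it is not code from the thread or from VoodooShield. It walks constructed, Sysmon-Event-ID-1-like process-creation lines (the key=value format and every PID, path and timestamp are invented for the example), flags any child of lsass.exe, rates rundll32.exe highest, and follows the chain down to descendants such as a spawned cmd.exe.

```python
"""Flag process creations in which lsass.exe acts as a parent.

lsass.exe does not normally create child processes, so a rundll32.exe (or
anything else) whose parent is lsass.exe is the indicator discussed in the
thread for a DoublePulsar launch after EternalBlue exploitation. The log
format below is constructed for this example; it mimics the Image /
ParentImage / CommandLine fields of a Sysmon Event ID 1 but is not real data.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# key=value pairs, values optionally double-quoted (paths contain spaces/backslashes)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: legitimate lsass.exe, a benign user-launched rundll32.exe,
# then a rundll32.exe spawned by lsass.exe that in turn spawns cmd.exe.
SAMPLE_LOG = r"""
ts=2017-06-03T10:00:01 pid=640 image="C:\Windows\System32\lsass.exe" ppid=512 pimage="C:\Windows\System32\wininit.exe" cmd="C:\Windows\system32\lsass.exe"
ts=2017-06-03T10:05:12 pid=3120 image="C:\Windows\System32\rundll32.exe" ppid=2200 pimage="C:\Windows\explorer.exe" cmd="rundll32.exe shell32.dll,Control_RunDLL"
ts=2017-06-03T10:07:44 pid=4012 image="C:\Windows\System32\rundll32.exe" ppid=640 pimage="C:\Windows\System32\lsass.exe" cmd="rundll32.exe"
ts=2017-06-03T10:07:45 pid=4100 image="C:\Windows\System32\cmd.exe" ppid=4012 pimage="C:\Windows\System32\rundll32.exe" cmd="cmd.exe"
"""


@dataclass
class ProcEvent:
    ts: str
    pid: int
    image: str
    parent_pid: int
    parent_image: str
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcEvent:
    kv: Dict[str, str] = {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}
    return ProcEvent(
        ts=kv["ts"],
        pid=int(kv["pid"]),
        image=kv["image"],
        parent_pid=int(kv["ppid"]),
        parent_image=kv["pimage"],
        cmdline=kv.get("cmd", ""),
    )


def parse_log(text: str) -> List[ProcEvent]:
    return [parse_line(ln) for ln in text.strip().splitlines() if ln.strip()]


def flag_lsass_spawn_chain(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (severity, pid, reason) for every child of lsass.exe and for
    everything those children go on to spawn (the cmd.exe shell, for example)."""
    by_parent: Dict[int, List[ProcEvent]] = defaultdict(list)
    for e in events:
        by_parent[e.parent_pid].append(e)

    findings: List[Tuple[str, int, str]] = []
    for root in events:
        if basename(root.parent_image) != "lsass.exe":
            continue
        # rundll32.exe is the specific indicator from the thread; any other
        # child of lsass.exe is still abnormal and worth a look.
        sev = "high" if basename(root.image) == "rundll32.exe" else "medium"
        findings.append((sev, root.pid, f"{basename(root.image)} spawned by lsass.exe"))
        seen = {root.pid}  # guard against PID reuse producing a cycle
        stack = list(by_parent[root.pid])
        while stack:
            child = stack.pop()
            if child.pid in seen:
                continue
            seen.add(child.pid)
            findings.append((sev, child.pid,
                             f"{basename(child.image)} descends from lsass-spawned pid {root.pid}"))
            stack.extend(by_parent[child.pid])
    return findings


if __name__ == "__main__":
    for severity, pid, reason in flag_lsass_spawn_chain(parse_log(SAMPLE_LOG)):
        print(f"[{severity}] pid={pid}: {reason}")
```

    On a real host the same parent/child test can be applied to Sysmon Event ID 1 records (Image and ParentImage), and the benign explorer.exe-launched rundll32.exe in the sample is there to show that the rule keys on the parent, not on rundll32.exe itself.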
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hey Ashanta, how are you? Long time no see! Yeah, you can run VS free if you want, but I would be happy to set you up a license... just email me at support at voodooshield.com and I will set that up for you, thank you!
     
  5. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    @VoodooShield
    Have a good weekend Dan, you deserve it brother.
     
  6. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    12,756
    Location:
    Ontario, Canada
    Amen!
     
  7. guest

    guest Guest

    yep better do it there or via PM. because this thread isn't the place to talk about it despite VS being mentioned.
     
  8. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    Howdy Helix, good to see you brother :)
     
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    But that's the thing. What happens if you do let rundll32.exe run? Is it then loading malware on the system? I think most of the confusion comes from the fact that some, like guest and myself, assumed that because DP is an in-memory payload, it's already active inside lsass.exe; by that I mean, you won't see it as a child process. I wish someone would explain this.

    But you say that in order for DP to become active, EternalBlue should first spawn rundll32.exe; this remains unclear, and we need an exploit expert to clear things up. Also, if VS didn't block DP, it's no surprise, because it's not designed to block in-memory payloads. What is important is whether it can block malware loaded by this in-memory backdoor, and it seems to be capable of doing this.

    LOL, now I understand why Dan says he's tired, I didn't realize it was being discussed over there too. But no, I'm not going to sign up, one security forum is more than enough, I also don't like the look and feel of MalwareTips. Also, it's still not clear if Dan or guest was right.
     
  10. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    390
    Location:
    united kingdom
    Voodooshield blocked Meterpreter from installing the Double-Pulsar backdoor on the exploited PC. That's all I need to know. The rest IMO is just noise.

    PS. Thanks Dan for making VS awesome.
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    That's the thing that isn't clear. You probably need DP to load the Meterpreter backdoor, not the other way around. Just do a bit of reading and you will see what I mean. Also, this isn't about which product is better or not, it's about clearing things up. It's clear that VS would interfere with this type of attack, Dan has proven this, and I have to thank him for testing and making the video. Finally we can see the type of stuff we talk about almost every year (exploits and payloads) in real action. :thumb:
     
  12. askmark

    askmark Registered Member

    Joined:
    Jul 7, 2016
    Posts:
    390
    Location:
    united kingdom
    Yes, I agree, and VS stopped DP from being loaded. Fact.

    It may not be about which product is better, but as a VS user, that's what I'm interested in knowing about. Other products should be discussed in their own thread.

    Agree :thumb:
     
  13. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
    +10 :thumb:
     
  14. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    This article is crystal clear: https://www.mrg-effitas.com/eternalblue-vs-internet-security-suites-and-nextgen-protections/

    "It is nice that all the AV vendors claim to protect against the ransomware payload, but in case there is a backdoor running on your machine in the kernel level, things are not that great."

    askmark said it best (thank you Mark): "Voodooshield blocked Meterpreter from installing the Double-Pulsar backdoor on the exploited PC. That's all I need to know. The rest IMO is just noise."

    I was actually concerned about this being a potential issue on May 15th, but there was simply not enough information at the time (and even today we do not have all of the pieces of the puzzle): https://www.wilderssecurity.com/threads/voodooshield.313706/page-645#post-2675722

    But when I read the MRG article above and realized that they were quite concerned about this issue, that was when I had the horrible sinking feeling in my stomach, and decided to test VS so I would know for sure. Now that malware authors have witnessed firsthand how effective this type of attack can be, there will almost certainly be copycats.

    There is not a single security product on the market that is currently so perfect that it will stop every single attack for the next, say 10 years, and there will almost certainly be attacks that bypass VS. That is why we need to test and patch.

    So it is not a question of whether a security product is bypassed or not, it is a question of whether the product is patched or not.
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you Mark, and everyone else for all of your help!
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I totally agree!
     
  17. guest

    guest Guest

    Just for clarification:
    rundll32.exe is loaded by DP, not the opposite. No Anti-Exe/SRP can stop DP from exploiting lsass.exe, only rundll32.exe is blocked by VS, so it can't connect to the attacker's platform and no shell (cmd.exe) gets created.

    lsass.exe is always exploited (that is the DP exploit part); what can be blocked is what comes after that.
     
  18. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I assume that your "rundll32.exe is loaded by DP" was directed at Rasheed187... you might want to clarify next time.

    guest, there is something inherently flawed and completely wrong in this statement: "No Anti-Exe/SRP can stop DP from exploiting lsass.exe, only rundll32.exe is blocked by VS". It might be helpful for you to figure out what is wrong with that statement, while I go to the park with Molly. Or if anyone else sees what is wrong with that statement, please post. Thank you!
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,522
    Hmm. Unless I am missing something, ERP would alert to just rundll32 if it's in the vulnerable list. It will only not alert on rundll32.exe if the whole command string is whitelisted.
     
  20. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I didn't see anything about ERP in that article, only HitmanPro.Alert
     
  21. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    993
    Okay, I think I got what the issue is.

    I think both Dan(@VoodooShield ) and @guest have a different definition of what an exploit is.

    (Correct me if I'm wrong.)

    For guest, the exploit is simply injecting code into a process. When that happens the exploit is successful for him.

    For Dan, in addition to code injection, the process must then spawn a child process for the exploit to be successful for him.


    If this is the issue, then one of you might want to contact the HitmanPro.Alert developers; I believe they should be able to define what an exploit is.
     
  22. C_64

    C_64 Registered Member

    Joined:
    Jan 6, 2017
    Posts:
    12
    Location:
    Estonia
    Hmm... interesting, yes very interesting indeed. But I just came passing by to say thanks to Dan for his great work! Have an awesome weekend everybody!
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    And what I was saying earlier in post #16592, when I was referring to guest saying "No Anti-Exe/SRP can stop DP from exploiting lsass.exe, only rundll32.exe is blocked by VS"...

    This is how the exploit EB works. You stop the exploit from spawning rundll32 and you stop the attack. In a very clean and effective way.

    guest's argument is centered around the attack vector, and my argument is centered around the actual mechanism.

    I think guest will admit that SRP and AE products should be able to stop an exploit from installing a kernel-level backdoor, regardless of what the attack vector is... simply because this is not the only attack vector.

    Basically, VS is not an anti-exploit product, but it is vital, at a minimum, to have a sound mechanism in place to stop malicious payloads like DP from executing.
     
    Last edited: Jun 3, 2017
  24. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Very cool, thank you C_64, have an awesome weekend too!
     
  25. Ashanta

    Ashanta Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    697
    Location:
    Europe
    I'm fine, thank you. :) I sent you a PM.

     