VoodooShield/Cyberlock

Discussion in 'other anti-malware software' started by CloneRanger, Dec 7, 2011.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    That's what I've been saying all along. Based on what I've read, DP is a malware loader, so if you block payloads/malware that it's trying to load you have already blocked the attack. However, I'm not sure if DP can only deliver disk based payloads. And that's what MRG is worried about, they say it might be possible to develop in-memory ransomware, and I assume this won't spawn any child processes, so then there is nothing to block for anti-executable/white-listing tools.

    And yes, I saw the Sophos video. You can clearly see that lsass.exe is executing WannaCry and I assume this happens via the DP backdoor. But honestly, I still don't understand all of the details. For example, the newest version of HMPA that has added protection against DP, will actually terminate lsass.exe to prevent injection by DP, so I assume preventing the DP injection is not as easy as simply blocking a child process from loading. In the video it seems to be focused on blocking WannaCry from encrypting files via CryptoGuard, so this means they didn't block the exploit itself.
     
  2. plat1098

    plat1098 Guest

    Oy vey...Is it time to take the dog to the park again?
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    I do not believe that Doublepulsar-1.3.1.exe is written to disk in this attack (although I could be wrong about that), so that would probably qualify this attack as a fileless attack.

    If VS blocked the malicious payload in this attack, there is no reason to believe that it will not stop similar attacks, but I am going to test every attack I can, just to make sure.

    Remember, the central issue is whether the malicious payload DP is blocked or not, since it can be modified to be much more malicious. Also remember, EB / DP was designed to be a spy tool, and it was adapted into something even more malicious, in the case of the WannaCry outbreak.

    So I reiterate... the concern is that a lot of security software did not block the malicious payload DP, which can be modified to do extremely malicious things.


    From the MRG article...

    "It is nice that all the AV vendors claim to protect against the ransomware payload, but in case there is a backdoor running on your machine in the kernel level, things are not that great.

    Please note the ETERNALBLUE exploit was published basically 2 months before Wannacry and this blog post.

    If anyone creates an in-memory ransomware which can work with the ETERNALBLUE exploit, the number of ransomwared systems would skyrocket. ETERNALBLUE can be linked with Meterpreter easily, and we have an in-memory Meterpreter ransomware extension. We are sure we are not the only ones having this capability … If there will be an in-memory Meterpreter ransomware in-the-wild soon, we reserve the right to remove this section from the blogpost, and pretend we never wrote this

    We are in the middle of contacting all AV vendors about the issue. Although we guess they already know this, they only forgot to notify the marketing department to check their communication."


    Remember when you said "Finally we can see the type of stuff we are talking about (exploits and payloads) like almost every year, in real action."? This is a great example, and it is great that we finally have a chance to discuss this, using a real world attack scenario.

THIS WILL BE MY LAST RESPONSE ON THIS TOPIC. IF YOU HAVE ANY OTHER QUESTIONS, PLEASE FEEL FREE TO EMAIL ME. EVERYONE IS GETTING TIRED OF THIS TOPIC!!!
     
    Last edited: Jun 5, 2017
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    That sounds like it might take a lot of effort. I guess if it piques her interest enough, she would be willing to trade a file of a different kind for it ;). Sorry CS, I will stop now ;).
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Yep... we are going for a walk right now ;).
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Rasheed. Please let it go. You are starting to make everyone Wannacry. To all. If you are tired of this, just don't respond.
     
  8. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Last edited: Jun 5, 2017
  9. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
WannaCry has been discussed to death, in fact it is dead... Let's wait for the next worldwide attack of a new variant to get excited and expert about.
     
  10. guest

    guest Guest

    I'm happy too :thumb:
     
  11. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
  12. guest

    guest Guest

rundll32.exe is used to create a reverse connection to the attacker framework (in some vids/articles, it is cmd.exe used as shell) so he can deliver other payloads (ransomware, keyloggers, etc...).
    However, the attacker may not need a connection, and instead just load a malware, so rundll32.exe may not be used.

    You are exactly right. It is what I said from the start.

    Code:
    The "no session was created" message occurs if one of the following happens:
    
    1) The exploit you use doesn't work against the target you selected. Could be the exploit is for a different version, there is a problem with the exploit code, or there is a problem with the target configuration.
    2) The exploit you use was configured to use a payload that doesn't create  an interactive session. In this case, the framework has no way of knowing  whether the exploited worked, because it doesn't receive a connection  from the target when its successful (for example, running notepad). 
    https://dev.metasploit.com/pipermail/framework/2007-May/002302.html

VS and ERP (from what I see on the vids) forced point 2 because they blocked rundll32.exe from executing properly.

    Nothing except a pure anti-exploit like HMPA or a product using a similar feature can prevent lsass.exe from being injected. Others (anti-exe/SRP) can't because they aren't designed to stop that.

    I think all is very clear now, nothing much to add on the subject.
     
    Last edited by a moderator: Jun 6, 2017
  13. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, I do not think I am willing to go through that again ;).
     
  14. guest

    guest Guest

You don't need to, all is already explained properly based on facts :)
     
  15. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, I was surprised how blunt the "letter" was. It makes our recent discussion appear as civil as a high school debate.
     
  16. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    So what set you straight... was it my new Avatar on MT? ;). I did that just for you!

    Now we just need to get you to realize that malware testing is usually performed with default settings, and there are other attack vectors than phishing attacks that drop a malicious payload ;).
     
  17. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    BTW, I think most people realize that VS is not an Anti-Exploit product... it is a user-friendly toggling desktop shield gadget, that locks your computer when it is at risk, and it includes file insight to help the user make an informed decision.
     
  18. guest

    guest Guest

Nothing special, my point was verified so I'm good.
    Sure, I believe that a test must at least put in use the mechanism of what the software is supposed to do.

    We all know that :)
    That is why I wondered why you did an anti-exploit test using anti-exe/SRP in the first place... We knew from the start they may all fail... What we could expect, and now know, is that some apps, because of particular features they have, can hamper some follow-on effects.
     
    Last edited by a moderator: Jun 6, 2017
  19. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

And that's what makes it a winner!... I often wonder why users that flood this and other threads with their in-depth knowledge on malware and how it attacks don't put their skills to use and create their own bulletproof software instead of telling those that have how to do it :p


    Kinda reminds me of guys watching a boxing match and yelling at the screen telling a boxer how to fight!
     
  20. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    None of the 4 products tested are specialty Anti-Exploit products, but some have Anti-Exploit features.

    For example, VS's Anti-Exploit feature blocked DP, exactly as it was designed to do:

    Enable VoodooShield anti-exploit protection for all web apps in all file / folder locations: When enabled, this feature automatically blocks all child processes of web app parent processes. In other words, this feature effectively blocks payloads dropped by exploits.

    And here is another that was included in the test: http://www.voodooshield.com/artwork/AGAE.png

    So it probably is not appropriate to suggest that anyone assumed that any of the products would fail... that is why you test.

    Everyone was speculating and was curious what would happen, so I ran the tests... nothing more, nothing less.
     
    Last edited: Jun 6, 2017
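The two mechanisms discussed in this thread (lsass.exe being made to launch a payload after DP injection, and the anti-exploit rule in the post above that blocks every child process of a web-app parent) both reduce to a parent/child process policy evaluated on process-creation events. The following is an added illustration, not VoodooShield's code and not a description of how VS implements its feature: it evaluates constructed, Sysmon-style process-creation records against two assumed rules (lsass.exe must never have children; a configurable set of web-app parents must never spawn children) and returns the verdicts so a defender can see which events such a policy would catch and which it would let through.

```python
"""Parent/child process policy check over constructed process-creation events.

Added example (not VoodooShield's or any vendor's code). Models two rules from
the thread:
  * "lsass-child": lsass.exe normally creates no child processes, so any child
    of lsass.exe is treated as a sign of injection (the WannaCry/DP case).
  * "webapp-child": an anti-exploit rule that blocks every child of a web-app
    parent (browser, mail client, document viewer), i.e. payloads dropped by
    an exploit in that app.
Field names mimic Sysmon Event ID 1 (Image, ParentImage, CommandLine) but
every record below is constructed for illustration, not captured.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed list of web-facing parents a policy would protect; tune per environment.
WEB_APP_PARENTS = {
    "chrome.exe", "firefox.exe", "iexplore.exe",
    "outlook.exe", "winword.exe", "acrord32.exe",
}
# Processes that should never have children under normal operation.
NO_CHILD_PARENTS = {"lsass.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int            # process id of the new child
    image: str          # full path of the child executable
    parent_image: str   # full path of the parent executable
    command_line: str   # child command line (informational only here)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcEvent) -> Optional[str]:
    """Return the name of the rule the event violates, or None if allowed."""
    parent = basename(event.parent_image)
    if parent in NO_CHILD_PARENTS:
        return "lsass-child"
    if parent in WEB_APP_PARENTS:
        return "webapp-child"
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) for every event a blocking policy would stop."""
    findings = []
    for event in events:
        rule = evaluate(event)
        if rule is not None:
            findings.append((event.pid, rule))
    return findings


# Constructed sample events (paths and pids are made up).
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Program Files\Google\Chrome\chrome.exe",
              r"C:\Windows\explorer.exe", "chrome.exe"),
    ProcEvent(2, r"C:\Windows\System32\rundll32.exe",
              r"C:\Program Files\Google\Chrome\chrome.exe",
              "rundll32.exe <constructed-argument>"),
    ProcEvent(3, r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\lsass.exe", "cmd.exe"),
    ProcEvent(4, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
    ProcEvent(5, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Microsoft Office\winword.exe",
              "powershell.exe <constructed-argument>"),
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: blocked by rule {rule}")
```

Events 1 and 4 (explorer.exe launching a browser, services.exe launching svchost.exe) pass, while events 2, 3 and 5 are stopped: event 3 is the lsass.exe-spawns-a-child case from the Sophos video, events 2 and 5 are the web-app-child case the anti-exploit feature targets. Note what the policy cannot see, which is the point several posts make: an in-memory payload that runs entirely inside the injected lsass.exe process never produces a process-creation event, so a rule of this kind has nothing to evaluate.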
  21. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    You know, I often wonder the same thing ;).

    "It's harder than it looks" -- Bon Scott.
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    May he rest in peace.
     
  23. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Hehehe, I actually thought of you when I posted that. G'day mate! Did I do it right? ;).
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    G'day Dan,

    Yeah Mate, you got it right. :)

     
    Last edited: Jun 6, 2017
  25. _CyberGhosT_

    _CyberGhosT_ Registered Member

    Joined:
    Mar 2, 2015
    Posts:
    457
    Location:
    MalwareTips "Your Security Advisor"
Plenty of armchair quarterbacks, or backseat drivers, a dime a dozen.
    You nailed that on the head brother.
    I am grateful for all the devs here that take the time out of their hectic schedules to inform communities like this,
    it makes us all better for it.
     