A VoodooShield issue


TheMalwareMaster

Level 19
Verified
Jan 4, 2016
931
5,417
Operating System
Windows 10
Installed Antivirus
Default-Deny
#1
Good afternoon... I found a probable issue with VoodooShield. Usually, .lnk files are blocked immediately after execution. This one, though, was able to start cmd.exe and powershell.exe. After that, it launched wscript, but that was blocked. What do you think? The sample is "orcamento" in this Malware Vault pack
https://malwaretips.com/threads/11-08-2017-20.74469/
VirusTotal: Antivirus scan for 779f0e75f2136979a0430c1aefbe0e663ef7762ea270b22bcaa2d1d65d9f6655 at 2017-08-17 05:37:52 UTC - VirusTotal
Malware Analysis: Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for 'linkagent.zip'

[Attachments: bypass.PNG, bypass1.PNG, bypass2.PNG]
 

RoboMan

Level 19
Content Creator
AV-Tester
Jun 24, 2016
918
9,318
Operating System
Windows 10
Installed Antivirus
ESET
#4
Nice notice. The question is whether the file could bypass VoodooShield's anti-executable technology or whether it was somehow highlighted as safe due to some system rules.
 
Likes: rockstarrocks

TheMalwareMaster

Level 19
Verified
Jan 4, 2016
931
5,417
Operating System
Windows 10
Installed Antivirus
Default-Deny
#5
With the .lnk sample in this pack https://malwaretips.com/threads/27-7-17-13.73970/
linked to regsvr32.exe, VoodooShield immediately blocks the command line. But it was linked to a different file than the previous one.
In the previous one, the attack is also blocked when attempting to launch a script. I was just wondering why VoodooShield let cmd and powershell run without problems.
[Attachment: sample.PNG]
 

RoboMan

Level 19
Content Creator
AV-Tester
Jun 24, 2016
918
9,318
Operating System
Windows 10
Installed Antivirus
ESET
#6
> With the .lnk sample in this pack https://malwaretips.com/threads/27-7-17-13.73970/
> linked to regsvr32.exe, VoodooShield immediately blocks the command line. But it was linked to a different file than the previous one.
> In the previous one, the attack is also blocked when attempting to launch a script. I was just wondering why VoodooShield let cmd and powershell run without problems.
Well, depending on your settings, CMD and PowerShell may be trusted apps and be allowed to run. The real problem is that VoodooShield let the .lnk file execute and therefore open the mentioned programs.
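The point of the two posts above is that the shortcut itself is the untrusted parent, and it already tells you what it is going to launch before anything runs. As an added example (not code from the thread, from VoodooShield, or from the posted sample), the Python below parses the MS-SHLLINK structure of a .lnk, pulls out the relative path, working directory, command-line arguments, the EnvironmentVariableDataBlock target and the ShowCommand value, and flags shortcuts that chain into cmd, PowerShell or WScript. The watch-list of hosts, the two constructed shortcuts and the `%TEMP%\stage.vbs` command line are assumptions made up for this illustration; the constructed command line only mirrors the cmd -> powershell -> wscript chain described in the first post and is not the "orcamento" sample.

```python
import re
import struct
import uuid

# Constants from MS-SHLLINK (the Shell Link binary file format).
HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                 (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"))
ENV_BLOCK_SIG, ENV_BLOCK_SIZE = 0xA0000001, 0x314   # EnvironmentVariableDataBlock in ExtraData
SW_SHOWMINNOACTIVE = 7                               # ShowCommand: minimised, not activated
# Hypothetical watch-list: script hosts and LOLBins a document-style shortcut has no business invoking.
LOLBIN_RE = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|regsvr32|mshta|rundll32)(\.exe)?\b", re.I)


def _string_data(buf, off, unicode):
    """One StringData field: CountCharacters (uint16) followed by the string, no terminator."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252", errors="replace"), off + count  # system ANSI page assumed


def parse_lnk(buf):
    """Extract the fields that show what a shortcut launches; ValueError if it is not a shell link."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a ShellLinkHeader")
    (show_command,) = struct.unpack_from("<I", buf, 60)
    off = HEADER_SIZE
    if flags & HAS_ID_LIST:                    # LinkTargetIDList: IDListSize (uint16) + IDList
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfo: its first field is the total LinkInfoSize
        off += struct.unpack_from("<I", buf, off)[0]
    fields = {"show_command": show_command, "env_target": ""}
    for flag, name in STRING_FIELDS:           # StringData: fixed order, only flagged fields present
        fields[name] = ""
        if flags & flag:
            fields[name], off = _string_data(buf, off, bool(flags & IS_UNICODE))
    while off + 8 <= len(buf):                 # ExtraData blocks: BlockSize, BlockSignature, payload
        block_size, sig = struct.unpack_from("<II", buf, off)
        if block_size < 8 or off + block_size > len(buf):
            break                              # TERMINAL_BLOCK (size < 4) or truncated data
        if sig == ENV_BLOCK_SIG and block_size == ENV_BLOCK_SIZE:
            unicode_target = buf[off + 8 + 260:off + 8 + 260 + 520]   # after the 260-byte ANSI copy
            fields["env_target"] = unicode_target.decode("utf-16-le").split("\0", 1)[0]
        off += block_size
    return fields


def triage_lnk(buf):
    """Flag a shortcut that chains into a script host or hides its window; findings are for a human."""
    f = parse_lnk(buf)
    launch_text = " ".join((f["relative_path"], f["env_target"], f["working_dir"], f["arguments"]))
    hosts = sorted({m.group(1).lower() for m in LOLBIN_RE.finditer(launch_text)})
    findings = []
    if hosts:
        findings.append("target or arguments invoke " + ", ".join(hosts))
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window opened minimised and inactive (SW_SHOWMINNOACTIVE)")
    if f["arguments"] and not (f["relative_path"] or f["env_target"]):
        findings.append("arguments present but target lives only in the IDList (not parsed here); review manually")
    return {"fields": f, "hosts": hosts, "findings": findings, "suspicious": bool(findings)}


def build_lnk(relative_path="", arguments="", working_dir="", env_target="", show_command=1):
    """Build a minimal Unicode .lnk; used here only to construct the sample inputs below."""
    flags, parts = IS_UNICODE | HAS_ID_LIST, []
    for flag, text in ((HAS_RELATIVE_PATH, relative_path), (HAS_WORKING_DIR, working_dir),
                       (HAS_ARGUMENTS, arguments)):
        if text:
            flags |= flag
            parts.append(struct.pack("<H", len(text)) + text.encode("utf-16-le"))
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID.bytes_le, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\0\0"   # terminal-only IDList, just to exercise the skip
    extra = b""
    if env_target:
        extra = (struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIG)
                 + env_target.encode("cp1252").ljust(260, b"\0")
                 + env_target.encode("utf-16-le").ljust(520, b"\0"))
    return header + id_list + b"".join(parts) + extra + b"\0\0\0\0"   # TERMINAL_BLOCK


# Constructed inputs (not the thread's sample): the cmd -> powershell -> wscript chain the first post
# describes, plus a benign document shortcut for comparison.
SUSPICIOUS_LNK = build_lnk(
    relative_path=r"..\..\..\Windows\System32\cmd.exe",
    env_target=r"%windir%\System32\cmd.exe",
    arguments=r'/c powershell -NoProfile -WindowStyle Hidden -Command "wscript.exe %TEMP%\stage.vbs"',
    show_command=SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk(relative_path=r"..\Documents\report.docx", working_dir=r"C:\Users\user\Documents")

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, "->", triage_lnk(blob)["findings"] or ["no findings"])
```

To triage a real shortcut, pass its bytes: `triage_lnk(open(path, "rb").read())`. Caveat: a shortcut whose only target is encoded in the LinkTargetIDList (no RelativePath and no environment block) comes back with empty path fields here, because full IDList parsing is out of scope for this example; that is why the script reports "review manually" rather than "clean" when arguments are present without a parsed target.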
 

_CyberGhosT_

Level 52
Verified
Aug 2, 2015
4,177
27,272
Operating System
Linux Mint
Installed Antivirus
Default-Deny
#7
> With the .lnk sample in this pack https://malwaretips.com/threads/27-7-17-13.73970/
> linked to regsvr32.exe, VoodooShield immediately blocks the command line. But it was linked to a different file than the previous one.
> In the previous one, the attack is also blocked when attempting to launch a script. I was just wondering why VoodooShield let cmd and powershell run without problems.
Adding a password to VS, brother, requires that when things like CMD, Services, Task Manager, PowerShell etc. are launched,
you enter the password that was set in VS settings. It is a good option; it keeps VS on its toes.
I have had this setting forever, so if I get asked for my VS password to launch something like PowerShell and I did not initiate it,
I for damn sure will not allow it to launch.
Some are not aware that VS does this when you add a PW to it.
 
Feb 14, 2013
111
207
Operating System
Windows 10
Installed Antivirus
ESET
#8
> With the .lnk sample in this pack https://malwaretips.com/threads/27-7-17-13.73970/
> linked to regsvr32.exe, VoodooShield immediately blocks the command line. But it was linked to a different file than the previous one.
> In the previous one, the attack is also blocked when attempting to launch a script. I was just wondering why VoodooShield let cmd and powershell run without problems.
I don't know why a file of unknown or untrusted status would be allowed to launch resources from the System Space. That's not a good policy. I hope this is a bug. Thank you for your testing!
 

danb

From VoodooShield
Developer
May 31, 2017
465
2,102
Operating System
Windows 8.1
#9
Cool, thank you MM! Yeah, VS protected the computer in both cases, but I agree, it would be even better to stop the powershell call, before it even had a chance to run the script.

This will be fixed in VS 4.0, which will be ready asap. The rules wizard is taking A LOT more time than I even thought it would, but I am getting close. Thank you guys!
 
Jul 5, 2016
410
837
Operating System
Windows 10
Installed Antivirus
Malwarebytes
#10
> Adding a password to VS, brother, requires that when things like CMD, Services, Task Manager, PowerShell etc. are launched,
> you enter the password that was set in VS settings. It is a good option; it keeps VS on its toes.
> I have had this setting forever, so if I get asked for my VS password to launch something like PowerShell and I did not initiate it,
> I for damn sure will not allow it to launch.
> Some are not aware that VS does this when you add a PW to it.

Good to know. Although I was hoping Appguard would take care of that one for me.
 

TheMalwareMaster

Level 19
Verified
Jan 4, 2016
931
5,417
Operating System
Windows 10
Installed Antivirus
Default-Deny
#12
> Cool, thank you MM! Yeah, VS protected the computer in both cases, but I agree, it would be even better to stop the powershell call, before it even had a chance to run the script.
>
> This will be fixed in VS 4.0, which will be ready asap. The rules wizard is taking A LOT more time than I even thought it would, but I am getting close. Thank you guys!
If I remember correctly @danb, in the previous versions VoodooShield was blocking cmd.exe, powershell.exe and regedit.exe from launching when it was ON. Now, it's no longer doing that. Why?
 
Likes: frogboy
Jul 5, 2016
410
837
Operating System
Windows 10
Installed Antivirus
Malwarebytes
#13
> If I remember correctly @danb, in the previous versions VoodooShield was blocking cmd.exe, powershell.exe and regedit.exe from launching when it was ON. Now, it's no longer doing that. Why?
It still blocks powershell and regedit but not cmd when it is on or off.
 
Likes: shmu26