A VoodooShield issue

Discussion in 'VoodooShield' started by TheMalwareMaster, Aug 20, 2017.

  1. TheMalwareMaster

    TheMalwareMaster Level 19
    Trusted

    Jan 4, 2016
    931
    5,464
    Europe
    Windows 10
    Default-Deny
    Good afternoon... I found a probable issue with VoodooShield. Usually, .lnk files are blocked immediately after execution. This one, though, was able to start cmd.exe and powershell.exe. After that, it launched wscript, but that was blocked. What do you think? The sample is "orcamento" in this Malware Vault pack:
    https://malwaretips.com/threads/11-08-2017-20.74469/
    VirusTotal: Antivirus scan for 779f0e75f2136979a0430c1aefbe0e663ef7762ea270b22bcaa2d1d65d9f6655 at 2017-08-17 05:37:52 UTC - VirusTotal
    Malware Analysis: Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for 'linkagent.zip'

    Attachments: bypass.PNG, bypass1.PNG, bypass2.PNG
  2. shmu26

    So, what was the conclusion on this one? Bypass or not?
     
  3. TheMalwareMaster

  4. RoboMan

    Nice notice. The question lies in whether the file could bypass VoodooShield's anti-executable technology or it was somehow highlighted as safe due to some system rules.
     
  5. TheMalwareMaster

    With the .lnk sample in this pack https://malwaretips.com/threads/27-7-17-13.73970/
    linked to regsvr32.exe, VoodooShield immediately blocks the command line. But it was linked to a different file than the previous one.
    In the previous one, the attack is also blocked when attempting to launch a script. I was just wondering why VoodooShield let cmd and powershell run without problems.
    Attachment: sample.PNG
  6. RoboMan

    Well, depending on your settings, CMD and PowerShell may be trusted apps and be allowed to run. The real problem is that VoodooShield let the lnk file execute and therefore open the mentioned programs.
     
  7. _CyberGhosT_

    Adding a password to VS, brother, requires that when things like CMD, Services, Task Manager, PowerShell etc. launch, you enter the password that was set in VS settings. It is a good option and keeps VS on its toes.
    I have had this setting forever, so if I get asked for my VS password to launch something like PowerShell and I did not initiate it, I for damn sure will not allow it to launch.
    Some are not aware that VS does this when you add a PW to it.
     
  8. cutting_edgetech

    I don't know why a file of unknown or untrusted status would be allowed to launch resources from the System Space. That's not a good policy. I hope this is a bug. Thank you for your testing!
     
  9. danb

    danb From VoodooShield
    Developer

    Cool, thank you MM! Yeah, VS protected the computer in both cases, but I agree, it would be even better to stop the powershell call, before it even had a chance to run the script.

    This will be fixed in VS 4.0, which will be ready asap. The rules wizard is taking A LOT more time than I even thought it would, but I am getting close. Thank you guys!
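As an added example (not from the thread and not VoodooShield's code), the process chain the first post describes, reconstructed from process-creation events, with a comparison of where a script-host-only gate and an all-interpreter gate would stop it. The event records, process names and gate sets are constructed assumptions.

```python
"""Reconstruct the chain from the first post, explorer.exe -> .lnk -> cmd.exe ->
powershell.exe -> wscript.exe, from process-creation events and compare where two
default-deny gates would stop it. All records below are constructed samples."""
from dataclasses import dataclass
# Which images a gate prompts on. Sets are assumptions for the example, not VS's lists.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
GATED = SHELLS | SCRIPT_HOSTS | {"regsvr32.exe"}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str

# Constructed process-creation records modelled on the thread's description.
EVENTS = [
    ProcEvent(1000, 800, "explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, "cmd.exe", "cmd.exe /c powershell.exe"),         # the .lnk target
    ProcEvent(3000, 2000, "powershell.exe", "powershell.exe -File stage.ps1"),
    ProcEvent(4000, 3000, "wscript.exe", "wscript.exe stage.vbs"),
    ProcEvent(5000, 1000, "notepad.exe", "notepad.exe notes.txt"),         # benign sibling
]

def ancestry(events, pid):
    """Images from the root ancestor down to `pid`, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return list(reversed(chain))

def gated_chains(events, min_run=2):
    """Ancestry of every gated process whose chain ends in >= min_run consecutive gated images."""
    hits = []
    for e in events:
        if e.image not in GATED:
            continue
        chain, run = ancestry(events, e.pid), 0
        for img in chain:
            run = run + 1 if img in GATED else 0   # trailing run of gated images
        if run >= min_run:
            hits.append(chain)
    return hits

def block_point(chain, gate):
    """First image in `chain` that the gate set would prompt on, or None."""
    return next((img for img in chain if img in gate), None)
```

With SCRIPT_HOSTS as the gate the chain is stopped only at wscript.exe, matching what the first post observed; with GATED it is stopped at cmd.exe, the .lnk target itself.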
     
  10. boredog


    Good to know. Although I was hoping Appguard would take care of that one for me.
     
  11. VecchioScarpone

  12. TheMalwareMaster

    If I can remember well @danb , in the previous versions VoodooShield was blocking cmd.exe, powershell.exe, regedit.exe to launch when it was ON. Now, it's no longer doing that. Why?
     
  13. boredog

    It still blocks powershell and regedit but not cmd when it is on or off.
     