A VoodooShield issue

Status
Not open for further replies.
TheMalwareMaster

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
Good afternoon... I found a probable issue of VoodooShield. Usually, .lnk files are blocked immediatly after execution. This one, though, was able to start cmd.exe and powershell.exe. After that, it launched wscript. but that was blocked. What do you think? The sample is "orcamento" in this Malware Vault pack
https://malwaretips.com/threads/11-08-2017-20.74469/
VirusTotal: Antivirus scan for 779f0e75f2136979a0430c1aefbe0e663ef7762ea270b22bcaa2d1d65d9f6655 at 2017-08-17 05:37:52 UTC - VirusTotal
Malware Analysis: Free Automated Malware Analysis Service - powered by VxStream Sandbox - Viewing online file analysis results for 'linkagent.zip'

bypass.PNG bypass1.PNG bypass2.PNG
 
  • Like
Reactions: RoboMan, frogboy, shukla44 and 3 others
RoboMan

RoboMan

Level 36
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,503
Nice notice. The question relies in wether the file could bypass VoodooShield anti-executable technology or it was somehow highlighted as safe due to same system rules.
 
  • Like
Reactions: brambedkar59
TheMalwareMaster

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
With the .lnk sample in this pack https://malwaretips.com/threads/27-7-17-13.73970/
linked to regsvr32.exe, VoodooShield immediatly blocks the command line. But it was linked to a different file than the previous one.
In the previous one, the attack is also blocked when attempting to launch a script. I was just wondering why VoodooShield let cmd and powershell run without problems
sample.PNG
 
  • Like
Reactions: shmu26, _CyberGhosT_ and frogboy
RoboMan

RoboMan

Level 36
Verified
Top Poster
Content Creator
Well-known
Jun 24, 2016
2,503
TheMalwareMaster said:
With the .lnk sample in this pack https://malwaretips.com/threads/27-7-17-13.73970/
linked to regsvr32.exe, VoodooShield immediatly blocks the command line. But it was linked to a different file than the previous one.
In the previous one, the attack is also blocked when attempting to launch a script. I was just wondering why VoodooShield let cmd and powershell run without problems
View attachment 164399
Click to expand...
Well, depending on your settings, CMD and PowerShell may be trusted apps and be allowed to run. The real problem is that VoodooShield let the lnk file execute and therefore open the mentioned programs.
 
_CyberGhosT_

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
TheMalwareMaster said:
With the .lnk sample in this pack https://malwaretips.com/threads/27-7-17-13.73970/
linked to regsvr32.exe, VoodooShield immediatly blocks the command line. But it was linked to a different file than the previous one.
In the previous one, the attack is also blocked when attempting to launch a script. I was just wondering why VoodooShield let cmd and powershell run without problems
View attachment 164399
Click to expand...
Adding a password brother to VS, requires that when things like CMD, Services, Taskmanager, PowerShell ect.
that you enter the password that was set in VS settings, and is a good option, keeps VS on it's toes.
I have had this setting forever so if I get asked from my VS password to launch something like PowerShell and I did not initiate it
I for damn sure will not allow it to launch.
Some are not aware that VS does this when you add a PW to it.
 
  • Like
Reactions: simmerskool, Shadowave, frogboy and 2 others
cutting_edgetech

cutting_edgetech

Level 3
Verified
Feb 14, 2013
113
TheMalwareMaster said:
With the .lnk sample in this pack https://malwaretips.com/threads/27-7-17-13.73970/
linked to regsvr32.exe, VoodooShield immediatly blocks the command line. But it was linked to a different file than the previous one.
In the previous one, the attack is also blocked when attempting to launch a script. I was just wondering why VoodooShield let cmd and powershell run without problems
View attachment 164399
Click to expand...
I don't know why a file of unknown or untrusted status would be allowed to launch resources from the System Space. That's not a good policy. I hope this is a bug. Thank you for your testing!
 
  • Like
Reactions: vtqhtr413 and shmu26
danb

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,852
Cool, thank you MM! Yeah, VS protected the computer in both cases, but I agree, it would be even better to stop the powershell call, before it even had a chance to run the script.

This will be fixed in VS 4.0, which will be ready asap. The rules wizard is taking A LOT more time than I even thought it would, but I am getting close. Thank you guys!
 
  • Like
Reactions: russ0408, Gandalf_The_Grey, brod56 and 11 others
boredog

boredog

Level 9
Verified
Jul 5, 2016
416
_CyberGhosT_ said:
Adding a password brother to VS, requires that when things like CMD, Services, Taskmanager, PowerShell ect.
that you enter the password that was set in VS settings, and is a good option, keeps VS on it's toes.
I have had this setting forever so if I get asked from my VS password to launch something like PowerShell and I did not initiate it
I for damn sure will not allow it to launch.
Some are not aware that VS does this when you add a PW to it.
Click to expand...


Good to know. Although I was hoping Appguard would take care of that one for me.
 
  • Like
Reactions: simmerskool, shmu26 and _CyberGhosT_
TheMalwareMaster

TheMalwareMaster

Level 21
Thread author
Verified
Honorary Member
Top Poster
Well-known
Jan 4, 2016
1,022
danb said:
Cool, thank you MM! Yeah, VS protected the computer in both cases, but I agree, it would be even better to stop the powershell call, before it even had a chance to run the script.

This will be fixed in VS 4.0, which will be ready asap. The rules wizard is taking A LOT more time than I even thought it would, but I am getting close. Thank you guys!
Click to expand...
If I can remember well @danb , in the previous versions VoodooShield was blocking cmd.exe, powershell.exe, regedit.exe to launch when it was ON. Now, it's no longer doing that. Why?
 
  • Like
Reactions: frogboy
Status
Not open for further replies.

Similar threads

Lymphocyte
    • Like
    • +Reputation
Security News ESET repports that OilRig’s persistent attacks using cloud service-powered downloaders
Replies
0
Views
2,748
Security News
Lymphocyte
Lymphocyte
J
  • Locked
I need help with a Malware Spanish logs
Replies
2
Views
3,016
Windows Malware Removal Help & Support
nasdaq
nasdaq
A
  • Locked
I have a personal computer but chrome says "managed by your organisation"
Replies
3
Views
3,136
Windows Malware Removal Help & Support
struppigel
struppigel

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top