EMET 5.5 and Eternal Blue/Double Pulsar

[S3cur1ty 3nthu5145t]

Yeah, I agree, it took forever for EMET to load, sorry about that. Just imagine how long of a wait it was for me while I was testing the first time, since I did not know the outcome of the test .

If you provide me with the settings you recommend, I will test again (if we really feel that we need to). Please keep in mind that it takes a while to run this test because I will need to start with a fresh VM, install .net 4.5, install EMET, configure the settings, then run the test. If you truly believe we can adjust the settings in EMET so that it blocks this attack, I guess I can run one more test... but please understand, this is really getting old.

I am quite certain that no matter what settings we change, EMET will not block it. Hopefully MRG will test EMET... this should have been one of the first tests that I should have performed, but I did not think of doing so until AtlBo recommended it.

Also, please keep in mind, most home users do not run EMET, and if they do, odds are they probably do not configure the settings correctly.

I have installed MANY different AV products the last 18 years for my clients, and not ONCE did I change anything in the settings... pretty much NO ONE does, except for the wilders and MT users.

If you ask me, security software should properly protect the user out of the box, with all default settings. Typically, the reason why security vendors do not make the settings more aggressive out of the box is because then the software is a PITA to use. If you ask me, changing the default settings to a less aggressive posture is the absolute wrong way to fix the issue. To fix this issue properly, they should make the aggressive features more user-friendly.

Sorry for late response, i do not need any settings tested, i do not use Emet any more as im on windows 10 creators, there are many mitigation's in place already and im also running Appguard.

AltBo was the OP that requested information if any had it. I just merely pointed out that in your test, the protections were not enabled and that complete default settings were used. I was able to do so, as i am a former Emet user.

 

[Deleted member 178]

Umbra, you said "yes, it is for me what is DP. Once you are hit by a bullet, doesn't matter if you stop the bleeding or not, you were hit. Just avoid to be hit." here: VoodooShield ?

Great analogy... but VS is the bulletproof vest that stopped the the malicious payload DP dead in its tracks... even if EP was successful. It does not matter how many times you perform the attack... if VS is running DP will be blocked.

That is good for VS users, however i prefer disarm the shooter from his gun, so i won't need the bullet proof vest

I agree that security is all about layers, and it would not hurt to have specialized exploit protection. But either way, it is my opinion that SRP and AE products should block malicious payloads spawned from exploits, at a minimum.

and that is your mistake and wrong understanding of what is SRP. SRP aren't Anti-exe despite looking similar; until you realize the difference , all what you will say about SRP is wrong and confuse people.

- SRP (Software Restriction Policy) just auto-block execution of files based on its policy which must be tailored to the system. They block the executable file loading the payload , not the exploit , nor an exe exploited by the exploit.
SRP is about "software" (aka exe) , not exploits.

Spoiler: Appguard as SRP

In the case of Appguard Consumer, it block the execution of items from User Space (opposed to System Space : Windows, Program Files and some areas in Document & settings) and prevent them to read or modify the memory of other processes.

Spoiler: User-Space Attacks

User Space Attacks
Drive-by Download Attack
Attackers often use the applications you run to 'drop' malicious executables onto your hard drive. They also manipulate Windows settings to automatically launch these 'dropped' executables. This is often referred to as a "Drive-by Download" attack.

Spear Phishing Attack
Spear Phishing is a specially crafted e-mail that appears to be coming from a trusted source such as your Bank, a government organization or a credit company. The email usually contains legitimate looking web links that in reality will download malicious software, a document embedded with malicious code, or could exploit zero day vulnerabilities in your programs to infiltrate your computer.

Watering Hole Attack
"Watering Hole" attacks target reputable web sites browsed by members of targeted groups (employees of a particular company or a particular lobbying group for example). The attacker's goal is to collect proprietary information or to collect information about the group's members. Attackers modify trusted web sites so that when the site is visited your browser is exploited to infiltrate your systems and networks.

AppGuard protects a computer from all of these attacks by either containing or prohibiting programs and script files executing from user space (e.g., My Documents, Desktop, etc.) and non-system volumes (such as D:\, E:\ etc.).



User Space Attack Example:
When visiting a website, a flaw in Internet Explorer is exploited to 'drop' an executable called stealDATA.exe into a directory on your computer. It also changes a setting in Windows to automatically launch stealData.exe whenever you log in. AppGuard will stop this attack in the following ways:

• Because Internet Explorer is a Guarded Application, AppGuard will prevent it from changing any critical Windows settings.
• Depending on the Protection Level, the AppGuard 'user space' protection feature will either prevent the StealData executable from running or it will Guard StealData so that it cannot alter the Windows OS or access Private Folders.

It is not designed to block items in System Space because normally nothing malicious should be in System Space when you install AG. it is why AG is recommended to be installed right away in a clean system.
So unless an idiot allows the initial dropper, it can't run and deliver EB-DP in the machine because it is in the User Space.

- Anti-exe prompt in case any exe (wherever it is) is loaded , some of them have command line parser which allow monitoring of child.

Why EB-DP is successful on the vids , because the videos assume (for obvious reason to be able to demonstrate the attack ) that the dropper successfully compromised the network via another machine and EB-DP is propagating, it is not like that in real world.
You have to enter the network first , find a machine to deliver the dropper, execute the dropper, then EB-DP can propagate.

Now show me that you can penetrate any network from outside, deliver the dropper and execute it to load EB-DP. Just that isn't simple,
Now if in addition you add an anti-exe/SRP/HIPS/BB or even an AV , it is far more complicated.
And if you use Win10 or WIn7 patched , it won't even work.

 

[danb]

That is good for VS users, however i prefer disarm the shooter from his gun, so i won't need the bullet proof vest


and that is your mistake and wrong understanding of what is SRP. SRP aren't Anti-exe despite looking similar; until you realize the difference , all what you will say about SRP is wrong and confuse people.

- SRP (Software Restriction Policy) just auto-block execution of files based on its policy which must be tailored to the system. They block the executable file loading the payload , not the exploit , nor an exe exploited by the exploit.
SRP is about "software" (aka exe) , not exploits.

Spoiler: Appguard as SRP

In the case of Appguard Consumer, it block the execution of items from User Space (opposed to System Space : Windows, Program Files and some areas in Document & settings) and prevent them to read or modify the memory of other processes.

Spoiler: User-Space Attacks

User Space Attacks
Drive-by Download Attack
Attackers often use the applications you run to 'drop' malicious executables onto your hard drive. They also manipulate Windows settings to automatically launch these 'dropped' executables. This is often referred to as a "Drive-by Download" attack.

Spear Phishing Attack
Spear Phishing is a specially crafted e-mail that appears to be coming from a trusted source such as your Bank, a government organization or a credit company. The email usually contains legitimate looking web links that in reality will download malicious software, a document embedded with malicious code, or could exploit zero day vulnerabilities in your programs to infiltrate your computer.

Watering Hole Attack
"Watering Hole" attacks target reputable web sites browsed by members of targeted groups (employees of a particular company or a particular lobbying group for example). The attacker's goal is to collect proprietary information or to collect information about the group's members. Attackers modify trusted web sites so that when the site is visited your browser is exploited to infiltrate your systems and networks.

AppGuard protects a computer from all of these attacks by either containing or prohibiting programs and script files executing from user space (e.g., My Documents, Desktop, etc.) and non-system volumes (such as D:\, E:\ etc.).



User Space Attack Example:
When visiting a website, a flaw in Internet Explorer is exploited to 'drop' an executable called stealDATA.exe into a directory on your computer. It also changes a setting in Windows to automatically launch stealData.exe whenever you log in. AppGuard will stop this attack in the following ways:

• Because Internet Explorer is a Guarded Application, AppGuard will prevent it from changing any critical Windows settings.
• Depending on the Protection Level, the AppGuard 'user space' protection feature will either prevent the StealData executable from running or it will Guard StealData so that it cannot alter the Windows OS or access Private Folders.

It is not designed to block items in System Space because normally nothing malicious should be in System Space when you install AG. it is why AG is recommended to be installed right away in a clean system.
So unless an idiot allows the initial dropper, it can't run and deliver EB-DP in the machine because it is in the User Space.

- Anti-exe prompt in case any exe (wherever it is) is loaded , some of them have command line parser which allow monitoring of child.

Why EB-DP is successful on the vids , because the videos assume (for obvious reason to be able to demonstrate the attack ) that the dropper successfully compromised the network via another machine and EB-DP is propagating, it is not like that in real world.
You have to enter the network first , find a machine to deliver the dropper, execute the dropper, then EB-DP can propagate.

Now show me that you can penetrate any network from outside, deliver the dropper and execute it to load EB-DP. Just that isn't simple,
Now if in addition you add an anti-exe/SRP/HIPS/BB or even an AV , it is far more complicated.
And if you use Windows 10 or Windows 7 patched , it won't even work.

You mentioned on a few occasions that the enterprise version of AG would block the exploit EB from installing the kernel level malware payload DP. If this is the case, they already have a sound mechanism that will block this type of attack that they can add to all of their products, if they so choose.

Wouldn't you prefer that they did so? Instead of arguing about this for a week, why not just fix the issue?

I really am finished discussing this any further.

 

[Deleted member 178]

You mentioned on a few occasions that the enterprise version of AG would block the exploit EB from installing the kernel level malware payload DP. If this is the case, they already have a sound mechanism that will block this type of attack that they can add to all of their products, if they so choose.

Wouldn't you prefer that they did so? Instead of arguing about this for a week, why not just fix the issue?

I really am finished discussing this any further.

no business/enterprise version, (from what i heard) is used to protect servers - and pass-the-hash exploit is always a concern on servers. it will protect lsass.exe , not all the other processes.

if you protect all processes , the system won't boot lol

 

[danb]

no business/enterprise version, (from what i heard) is used to protect servers - and pass-the-hash exploit is always a concern on servers. it will protect lsass.exe , not all the other processes.

if you protect all processes , the system won't boot lol

VS protects all of these processes and it works great, without issues for a year or two.

Just keep in mind, now that the genie is out of the bottle, there will be more of these kinds of attacks. And actually as Windows 10 is hardened, I imagine these kinds of attacks will become quite common. We will see.

 

[S3cur1ty 3nthu5145t]

VS protects all of these processes and it works great, without issues for a year or two.

Just keep in mind, now that the genie is out of the bottle, there will be more of these kinds of attacks. And actually as Windows 10 is hardened, I imagine these kinds of attacks will become quite common. We will see.

No one is stating that VS is not good protection. I'm not sure but it seems you have a personal vendetta against Appguard, and are beating the dead horse beyond recognition.

In your first test, you did just as in this test, you tested a product that you have no experience with, and in doing so, misinformed your viewers. Appguard like Emet, needs to be configured. Never is it OK to test a product without understanding it. It would be like a user testing VS, clicking allow each time and stating the product failed miserably because the tester did not understand that he should be clicking block instead. I'm sure you would not be cool with that.

One thing I do hope you will finally realize, is that all users will be better protected with Appguard, NVT, ERP , or VS, and that yes, we are all on the same side.

 

[danb]

No one is stating that VS is not good protection. I'm not sure but it seems you have a personal vendetta against Appguard, and are beating the dead horse beyond recognition.

In your first test, you did just as in this test, you tested a product that you have no experience with, and in doing so, misinformed your viewers. Appguard like Emet, needs to be configured. Never is it OK to test a product without understanding it. It would be like a user testing VS, clicking allow each time and stating the product failed miserably because the tester did not understand that he should be clicking block instead. I'm sure you would not be cool with that.

One thing I do hope you will finally realize, is that all users will be better protected with Appguard, NVT, ERP , or VS, and that yes, we are all on the same side.

I have tried to end this conversation on several occasions, but every time I do, someone takes one last jab that needs to be addressed. THAT is beating a dead horse.

There are hundreds of security products on the market, and NO ONE knows all of the intricacies of every security product, which is one of the reasons security software should properly protect users "out of the box", in default settings.

What no one knows is that Umbra messaged me privately and told me how to manually configure the settings so that it would block DP from being installed. When I configured the settings as Umbra recommended, DP still was not blocked.

Even if manually adding lsass to the settings blocked DP from being installed, you cannot manually add 10,000 or so Windows processes... which is why they should all be protected with a sound mechanism.

Your example of the user clicking allow applies to every software.

This is not a personal vendetta against anyone, and there should not have been an extended discussion either way. Either 1) Umbra (and others) understood from the beginning that the malicious payload DP was not blocked, and realized that it was an issue, but believed that it would be difficult for me to demonstrate why this is an issue. Or 2) they did not realize that not blocking malicious payloads of exploits was an issue.

Both scenarios are equally disturbing, and there should not have been an extended discussion either way.

 

[whizkidraj]

I have tried to end this conversation on several occasions, but every time I do, someone takes one last jab that needs to be addressed. THAT is beating a dead horse.

There are hundreds of security products on the market, and NO ONE knows all of the intricacies of every security product, which is one of the reasons security software should properly protect users "out of the box", in default settings.

Both scenarios are equally disturbing, and there should not have been an extended discussion either way.

Agree. Now if I give some example relating to how a default setting should be the way to go, for example, I say in Windows OSes, we need to install certain external software or change it's default settings and customize it to make it better, but when it comes to comparison between Windows and Linux and other OSes, people mostly see that Windows is weak coz people see the default thing that Windows OS offers compared to Linux and other OSes.
And also about the never ending discussion too, rightly said, coz suppose I gave this above example and then another Windows user might come and give his example or try to insert his story in mine.

Configured settings too are important but we since we are not judging anything here and are on the same side, then as a user, I, too, would want the default thing to come first, coz softwares are and should be made according to how easy and how secure they feel even from the first use and without having to learn different settings and configurations of different software every time.

 

[Deleted member 178]

This is not a personal vendetta against anyone, and there should not have been an extended discussion either way. Either
1) Umbra (and others) understood from the beginning that the malicious payload DP was not blocked, and realized that it was an issue, but believed that it would be difficult for me to demonstrate why this is an issue. [
] 2) they did not realize that not blocking malicious payloads of exploits was an issue.

why bother blocking the payload when you block the container to deliver the payload...that what SRPs like Appguard excel at.
why bother block the bullet when you disarm the shooter of his gun beforehand...
why bother do an abortion when you just had to wear a condom...

All that came after is just useless debate from a situation that will never happen in real world...

i think i can't make it simpler.

 

[Deleted member 178]

Configured settings too are important but we since we are not judging anything here and are on the same side, then as a user, I, too, would want the default thing to come first, coz softwares are and should be made according to how easy and how secure they feel even from the first use and without having to learn different settings and configurations of different software every time.

No, the user have to adapt to the software he wants to use , if not he must find a more suitable software.
You adapt to drive a sport car , the car doesn't adapt to you...
You adapt to use an specialized OS, the OS doesn't adapt to you...

SRP is a specialized tool , no way it will be an Install & Forget type of softwares, it must be tweaked (based on what it is supposed to do) to deliver its full power.

Don't compare what it isn't comparable.

With all respect due to VS protection, user-friendliness and default efficiency, i will use Appguard 10 times over VS , because i have the power to get the best of it.
I don't care if people can or cannot handle a software out of the box , my only concern is only "can this software give me the granular protection i need?"

From me , there is only 5 apps i deem worth to be installed on my machine :

1- Appguard
2- ReHIPS
3- HMPA
4- Sandboxie
5- NVT ERP
6- VS

AG is on all my machines , The 2,3 and 4 are on my main machine. 4 is only here because it does something 2 can't yet until next build .

 

[AtlBo]

I feel like lost in the discussion is what did block EB/DP. It was basically 2 or 3 applications, ESET and Norton I think and maybe another. Firewall blocks. So, before Microsoft's patch, the only hope for stopping wannacry was either firewall protection of a high enough caliber to block EB/DP or a payload (wannacry) block like Voodoo Shield. In this scenario, VS did its job imo. The rest is up to MS and security suite package creators to work out. MS did their part with a patch, acknowledging that the spread vector should not have been available for attackers. Now, will we see more advanced port scanning from firewalls of security suites? Seems logical that we will, given how fast these malwares can spread. That is something I think we can look forward to in the next several years.

BTW...anyone thinking of installing ESET + Voodoo Shield ? Kind of interesting to think about. I have had some experience working with the ESET firewall via a friend, and there does seem to be a little bit of magic there.

 

[danb]

why bother blocking the payload when you block the container to deliver the payload...that what SRPs like Appguard excel at.
why bother block the bullet when you disarm the shooter of his gun beforehand...
why bother do an abortion when you just had to wear a condom...

All that came after is just useless debate from a situation that will never happen in real world...

i think i can't make it simpler.

MRG explained the issue in an extremely elegant way. Do not take my word for it... email and ask them. Or you can simply read their article... which alerted me to the issue in the first place.

MRG – ETERNALBLUE vs Internet Security Suites and nextgen protections

"It is nice that all the AV vendors claim to protect against the ransomware payload, but in case there is a backdoor running on your machine in the kernel level, things are not that great.


Please note the ETERNALBLUE exploit was published basically 2 months before Wannacry and this blog post.


If anyone creates an in-memory ransomware which can work with the ETERNALBLUE exploit, the number of ransomwared systems would skyrocket. ETERNALBLUE can be linked with Meterpreter easily, and we have an in-memory Meterpreter ransomware extension. We are sure we are not the only ones having this capability … If there will be an in-memory Meterpreter ransomware in-the-wild soon, we reserve the right to remove this section from the blogpost, and pretend we never wrote this."

 

[danb]

What they are saying (and what I have been saying) is this...

DP is the fileless / in-memory payload that they are referring to. What they are saying is that if a blackhat enhances and adapts DP to run ransomware code, then it is game over. I have said this over and over again.

Speaking in general... if a vendor claims to block fileless malware, it is in their best interest, and the user's best interest that it is effectively blocked. Otherwise, it is in the user's best interest to add another layer of protection, that does block fileless malware.

And yes, if the scenario that MRG mentioned happens (which it most likely will), we will need to test VS again, just to make sure that the "Super DP" is blocked. I think it will be, but we need to test to be certain. If VS fails in this test, and if I am unable to patch the mechanism, then we will need to start looking into anti-exploit mechanisms, or recommending a specialized anti-exploit software that is able to effectively block the attack.

All you have to do is read the MRG article, it truly explains everything.

 

[Deleted member 178]

DP is the fileless / in-memory payload that they are referring to. What they are saying is that if a blackhat enhances and adapts DP to run ransomware code, then it is game over. I have said this over and over again.

of course, now tell me how DP can get into your system ? if you can't i will tell you.

Speaking in general... if a vendor claims to block fileless malware, it is in their best interest, and the user's best interest that it is effectively blocked. Otherwise, it is in the user's best interest to add another layer of protection, that does block fileless malware.

Indeed.
what i say is that VS (and ERP) block the execution of rundll32.exe (which will connect to the attacker's framework and is also responsible for the creation of the shell ), both don't prevent the injection of lsass.exe like HMPA did.

note: this article is too simple, it explain the very basics . obviously it is oriented to average users.

 

[AtlBo]

I have a question to put in here. How many vectors for running a malware payload are there, once the payload is on the PC and something like lsass.exe is compromised? Doesn't the malware still then require cmd.exe or PowerShell or wscript or cscript or rundll or one of the other vulnerables? If so, then VS devs don't have to concern themselves with how the script was able to get on the system in order to still block the actual payload. Granted it would be better, but I still think that is a MS/firewall providers thing and not a problem for VS to solve. I mean every system is equipped with a firewall, unmanaged tho it be, and with Defender. As long as that is the case, VS is doing its job imo. MS and IT will have to resolve the network problems...

 

[danb]

of course, now tell me how DP can get into your system ?


Indeed.
what i say is that VS block the execution of rundll32.exe (which connect to the framework and is responsible for the creation of the shell ), it doesn't prevent injection of lsass.exe like HMPA did.

note: this article is too simple, it explain the very basics . obviously it is oriented to average users.

Probably one of the first things the blackhats will do is to adapt this attack into a web exploit... but there are TONS of other attack vectors. How do you think WannaCry spread so quickly? There were not 300,000 people who clicked on a malicious phishing link, right? As I was saying, we will find out more and more about the actual attack vector in the weeks ahead.

True, and this certainly is not a dig at HMPA, but I believe their mechanism is specific to EB. It will probably block other attacks that are similar to EB, but it certainly does not block every single exploit that has been or will be created, right?

What VS does is to block the malicious payload DP, that way (at least in theory), it blocks ALL payloads of exploits. As stated above, if the blackhats find a way around this, and if I am unable to patch our mechanism, then we will need to start looking into anti-exploit mechanisms, or recommending a specialized anti-exploit software that is able to effectively block the attack.

The funny thing? This issue REALLY is that simple, and they explained it perfectly. Now, the intricacies of the attack are quite complex, but ultimately, if EB is able to spawn DP, you are screwed.

 

[S3cur1ty 3nthu5145t]

I have tried to end this conversation on several occasions, but every time I do, someone takes one last jab that needs to be addressed. THAT is beating a dead horse.

The pot calling the kettle black. You are trying to have last words in every discussion, even this thread which is about a product other then yours.

There are hundreds of security products on the market, and NO ONE knows all of the intricacies of every security product, which is one of the reasons security software should properly protect users "out of the box", in default settings.

Not all security is designed the same, something i can not stress enough when users start comparing and testing.

What no one knows is that Umbra messaged me privately and told me how to manually configure the settings so that it would block DP from being installed. When I configured the settings as Umbra recommended, DP still was not blocked.

Why is this a "know one knows" when you had no issue posting the test with no policies at default settings the first time.

Your example of the user clicking allow applies to every software.

My example was to point out that anyone testing should become familiar with the product and understand how it works. As a Developer you should not only know better, you should set the example.

This is not a personal vendetta against anyone

After posting that i viewed you not even having Emets protection enabled and testing it, you immediately posted a link over to Wilders on a conversation of Appguard in a couple threads here. What im viewing is a personal issue with this application or company. Not one person has questioned Voodooshields ability to block anything.

Both scenarios are equally disturbing, and there should not have been an extended discussion either way.

What i find disturbing has been your approach with all of this. While i like your product, i could not support a Developer that carries himself in this manor. In such a hurry to prove something to the world that your product has spoken of by itself, that you tested two applications that you do not even understand, and misinformed the general public here doing so.

I have nothing further to add to any of these conversations now that i have had my say as well, something we are all entitled too.

 

[danb]

The pot calling the kettle black. You are trying to have last words in every discussion, even this thread which is about a product other then yours.


Not all security is designed the same, something i can not stress enough when users start comparing and testing.


Why is this a "know one knows" when you had no issue posting the test with no policies at default settings the first time.


My example was to point out that anyone testing should become familiar with the product and understand how it works. As a Developer you should not only know better, you should set the example.


After posting that i viewed you not even having Emets protection enabled and testing it, you immediately posted a link over to Wilders on a conversation of Appguard in a couple threads here. What im viewing is a personal issue with this application or company. Not one person has questioned Voodooshields ability to block anything.



What i find disturbing has been your approach with all of this. While i like your product, i could not support a Developer that carries himself in this manor. In such a hurry to prove something to the world that your product has spoken of by itself, that you tested two applications that you do not even understand, and misinformed the general public here doing so.

I have nothing further to add to any of these conversations now that i have had my say as well, something we are all entitled too.

I am not sure why Umbra did not release the findings of the second test with adjusted settings. Obviously if I were to do so, it would look like I was attacking a competitor.

 

[AtlBo]

Somewhere in the world out there @cruelsister is laughing at us all saying 'Metasploit is useless against me' lol...

 

[BugCode]

Sorry for interference. I know this will be a ETERNAL exchange of views for few supergeek! Guy like me who barely can power on PC is really enjoyed this "stuff". Just saying, keep up guys your exchange of views, it is some reason little funny to watch without any knowledge here in the backround.

Thank you, i go back to stalking/lurking mode, keep up maintain this exchanges of views. It is eternal that for sure, like this cypersecurity stuff and beyond of that