EMET 5.5 and Eternal Blue/Double Pulsar

Status
Not open for further replies.

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Sorry for the interference. I know this will be an ETERNAL exchange of views for a few supergeeks! :p A guy like me who can barely power on a PC really enjoys this "stuff". Just saying, keep up your exchange of views, guys; for some reason it is a little funny to watch without any knowledge here in the background.

Thank you, I go back to stalking/lurking mode; keep up maintaining these exchanges of views. It is eternal, that's for sure, like this cybersecurity stuff and beyond that ;)
Great point ;). Which is why it is wise to not resort to personal attacks, and hopefully I have done so, and acted in a manner that is appropriate.

I took the time to explain why this attack is an issue that all security vendors should be cognizant of. I was simply reiterating MRG's article... I was not attacking anyone.
 

BugCode

Level 10
Verified
Well-known
Jan 9, 2017
468
Yes, and Dan, you must know: do not try to make your product an all-kinds-of-attack prevention tool. [impossible] I have told you [anonymously] by mail not to even try to make a product that will secure you against every kind of attack tactic. It is impossible and you should know that! When one "superexploit or similar" destroys many businesses' maintenance and so on, and when some product can reveal that attack system and prevent it, THERE WILL ALWAYS BE INCOMING! in the background, it is eternal! ;)
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
Yes, and Dan, you must know: do not try to make your product an all-kinds-of-attack prevention tool. [impossible] I have told you [anonymously] by mail not to even try to make a product that will secure you against every kind of attack tactic. It is impossible and you should know that! When one "superexploit or similar" destroys many businesses' maintenance and so on, and when some product can reveal that attack system and prevent it, THERE WILL ALWAYS BE INCOMING! in the background, it is eternal! ;)
If someone is going to make a "computer lock" and "Lockdown" the system, shouldn't they do their best to make the lock as tight as possible?

What is the downside to making the lock as robust as possible? Assuming that the lock remains user-friendly.

Yeah, I am excited to see what "superexploit or similar" nails VS... something will.

I think what people are forgetting is that A LOT of people were wondering what would happen in this attack with this class of products... hell, there were even dedicated threads on the topic.

But no one got off their ass and actually ran the test. I was curious as well, so I took the time to run the test. Some people do not like the result, so they attack me personally.

Believe me, I would be upset as well if the results were reversed. Then again, if this would have been the case, my focus would have been on patching the mechanism in VS, instead of attacking the person who took time to perform the test on a personal level (even if he is a developer).
 

BugCode

Level 10
Verified
Well-known
Jan 9, 2017
468
I know you are a very wise man! But please do not try to make your product all that [ultimate paranoid - lockdown go outside piece of software!] :D Or if you do it some day... I sure will buy you a beer or a cup of coffee with some donut! I like your product and many other products, and I am not here to say what everyone should use! Because, like you and everyone should know, there will always be many options to choose from and even combine with other products :) It's all just about making the choice of what suits that dude, while others choose a different product and so on. :)

Thank you all!

EDIT: Or of course you should do that; that is every developer's dream!
 

Orion

Level 2
Verified
Apr 8, 2016
83
I think we are constantly beating a dead horse here. The exploits were made to spy by the NSA/CIA, and they are used by malware writers to infect machines from an already infected system across the network.

These tests make a lot of sense for big endpoints and government-based systems, where nation-state attacks involving these types of exploits will be used, and if this is leaked, expect the malware writers to start playing with them too.

At the end, for the normal user it's completely out of the equation, since most AVs will stop the malicious payloads. But what happens when the malware has already settled is the question. It means it's also necessary for most vendors to detect what's underneath.

Malware writers are not bothered spying on regular joes; they will be interested in bigger and better targets.

This is a wake-up call for the agencies to stop and start reporting, or we will eventually have stuff leaked, and even normal malware like win- and screenlockers/Emotet will start using these to propagate on home networks, but again this will not end up in big profits for them, as most people will just format their computers.
 

Deleted member 178

Great point ;). Which is why it is wise to not resort to personal attacks, and hopefully I have done so, by acting in a manner that is appropriate.
You didn't, you posted a video comparing several softs without knowing how some products even work or what they are supposed to do! (and without even consulting beforehand the people that know about them)
You blamed many testers of VS in the past for the same damn thing you just did... like the video of the guy shutting down VS via a script...

You made the videos including a particular soft because one of its users on another forum said something you didn't like, so you made the test to prove him wrong... you admitted it to me in PM.

Believe me, I would be upset as well if the results were reversed. Then again, if this would have been the case, my focus would have been on patching the mechanism in VS, instead of attacking the person who took time to perform the test on a personal level (even if he is a developer).
Problem is that you made a video that doesn't show the main attack vector the said application protects against.
You wrongly assume that the product will block the execution of the exploit itself when it wasn't made for this kind of attack, so your whole demonstration is wrong from the start.
So of course you are attacked...
As if I include VS in a test about network tools/firewalls... do you realize how stupid it is?

We don't attack VS, we attack your demonstration.

I took the time to explain why this attack is an issue that all security vendors should be cognizant of. I was simply reiterating MRG's article... I was not attacking anyone.
They are all aware of it, but some don't need to care because they have nothing to do with that; they just need to keep doing what they do.
You believe one soft must stop everything... can be true for suites, not for specialized tools. Don't ask an anti-ransomware to block exploits.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
You didn't, you posted a video comparing several softs without knowing how some products even work or what they are supposed to do! (and without even consulting beforehand the people that know about them)
You blamed many testers of VS in the past for the same damn thing you just did... like the video of the guy shutting down VS via a script...

You made the videos including a particular soft because one of its users on another forum said something you didn't like, so you made the test to prove him wrong... you admitted it to me in PM.


Problem is that you made a video that doesn't show the main attack vector the said application protects against.
You wrongly assume that the product will block the execution of the exploit itself when it wasn't made for this kind of attack, so your whole demonstration is wrong from the start.
You didn't understand the softs and made a video that shows attacks the softs weren't made to block... so of course you are attacked...
As if I include VS in a test about network/firewalls... do you realize how stupid it is?

We don't attack VS, we attack your demonstration.


They are all aware of it, but some don't need to care because they have nothing to do with that; they just need to keep doing what they do.
You believe one soft must stop everything... can be true for suites, not for specialized tools. Don't ask an anti-ransomware to block exploits.
And some people wonder why I respond to your final jab. Give me a break.

You said "You blamed many testers of VS in the past about the same damn thing you just did". Yeah, but THEY CLICKED THE ALLOW BUTTON!!!

The EB / DP attack required NO USER INTERACTION. How the hell do you not understand that?

The difference is Umbra... you told me how to configure the settings so I could retest "properly", and it still failed.

The more important question is, why did you then tell everyone "all you have to do is add lsass...", when IN FACT YOU KNEW THAT THIS DOES NOT STOP THE MALICIOUS PAYLOAD FROM BEING INSTALLED?

I would prefer to end this conversation, but we can keep going if you like. But if we do, White Cipher is going to take over, and he is not going to be nice ;).
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
BTW, you already know the answer to the attack vector question: AppGuard 4.x 32/64 Bit

The attack vector argument is silly, and you know that. Are you arguing just to argue?
 

Deleted member 178

The EB / DP attack required NO USER INTERACTION. How the hell do you not understand that?
You didn't understand what I meant, learn to read... I talk about the initial dropper...

The difference is Umbra... you told me how to configure the settings so I could retest "properly", and it still failed.
Yes, testing it to verify if the attack uses the conventional methods, then I figured that it doesn't. What is wrong? I didn't say AG blocks that part... you always pick a sentence out of context to fit your argument lol.

The more important question is, why did you then tell everyone "all you have to do is add lsass...", when IN FACT YOU KNEW THAT THIS DOES NOT STOP THE MALICIOUS PAYLOAD FROM BEING INSTALLED?
Tell everyone? I don't remember; told you, yes, to check if AG can block the spawn of rundll32.exe; anyway lsass.exe shouldn't even be added, so who cares now?

The attack vector argument is silly,
Are you serious? It is the most important point in security!
Attack vectors are all that matter; block the vector and you block the attack before it even starts!

But if we do, White Cipher is going to take over, and he is not going to be nice ;).
ROFL! "White Cipher"... as if I care. What are you? A kid in the school playground wearing a cape and a mask trying to show he is a badass? Come on Dan, be serious...
So if you want to end the discussion, stop replying all the time :D
(in fact I have a lot of fun watching you fighting against everything I say :p)
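The disagreement in the post above comes down to whether lsass.exe can be stopped from spawning rundll32.exe. Seen from the detection side rather than the blocking side, that is a parent/child check over process-creation telemetry, and it is worth spelling out because lsass.exe on a healthy Windows host does not create child processes at all. The block below is an added example and is not code from this thread or from any product named in it (AppGuard, VoodooShield); the log record format, every line in SAMPLE_LOG, and the NO_CHILDREN_EXPECTED policy set are assumptions constructed for the example.

```python
# Added example, not code from the thread or from any product discussed in it.
# Flags any process whose parent is one that should never have children
# (lsass.exe is the case argued about above) and pulls in the whole subtree
# spawned under the flagged child. The 'pid=<n> ppid=<n> image=<path>' record
# format and the lines in SAMPLE_LOG are constructed for this example; map
# parse_line() onto your own process-creation telemetry.

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed 'pid=<n> ppid=<n> image=<path>' record."""
    fields = dict(token.split("=", 1) for token in line.split())
    return ProcEvent(int(fields["pid"]), int(fields["ppid"]), fields["image"])


# Constructed process-creation log: a normal boot-time tree, one rundll32.exe
# legitimately under svchost.exe (pid 2200), one child spawned by lsass.exe
# (pid 3120) and a grandchild under that child (pid 4100).
SAMPLE_LOG = r"""
pid=500 ppid=4 image=C:\Windows\System32\wininit.exe
pid=624 ppid=500 image=C:\Windows\System32\lsass.exe
pid=700 ppid=500 image=C:\Windows\System32\services.exe
pid=880 ppid=700 image=C:\Windows\System32\svchost.exe
pid=2200 ppid=880 image=C:\Windows\System32\rundll32.exe
pid=3120 ppid=624 image=C:\Windows\System32\rundll32.exe
pid=4100 ppid=3120 image=C:\Windows\System32\cmd.exe
"""

# Parents that should have no children on a healthy host. Constructed policy
# for this example; extend it with your own baseline.
NO_CHILDREN_EXPECTED = {"lsass.exe"}


def find_suspicious_children(events, forbidden_parents=NO_CHILDREN_EXPECTED):
    """Return (parent_image, child_image, child_pid) for every event whose
    direct parent image is in forbidden_parents. The child image is not
    part of the decision, so a renamed payload is caught just the same."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and basename(parent.image) in forbidden_parents:
            hits.append((basename(parent.image), basename(e.image), e.pid))
    return hits


def descendants_of(events, root_pid):
    """Every pid that descends from root_pid, sorted, so the full subtree
    under a flagged child can be attached to the alert."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        for child in children.get(pid, []):
            out.append(child)
            stack.append(child)
    return sorted(out)


def analyze(log_text: str):
    """Map each suspicious (parent, child, pid) hit to its descendant pids."""
    events = [parse_line(ln) for ln in log_text.strip().splitlines() if ln.strip()]
    return {hit: descendants_of(events, hit[2]) for hit in find_suspicious_children(events)}


if __name__ == "__main__":
    for (parent, child, pid), subtree in analyze(SAMPLE_LOG).items():
        print(f"ALERT: {parent} spawned {child} (pid {pid}); subtree pids={subtree}")
```

Run as a script it reports the one lsass.exe child and the cmd.exe under it, while the rundll32.exe under svchost.exe stays quiet. Keying the rule on the parent rather than on the child image is the deliberate choice: it does not matter what the payload is called, the signal is lsass.exe having a child at all.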
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
You didn't understand what I meant, learn to read... I talk about the initial dropper...


Yes, testing it to verify if the attack uses the conventional methods, then I figured that it doesn't. What is wrong? I didn't say AG blocks that part... you always pick a sentence out of context to fit your argument lol.


Tell everyone? I don't remember; told you, yes, to check if AG can block the spawn of rundll32.exe; anyway lsass.exe shouldn't even be added, so who cares now?


ROFL! "White Cipher"... as if I care. What are you? A kid in the school playground wearing a cape and a mask trying to show he is a badass? Come on Dan, be serious...

So if you want to end the discussion, stop replying all the time :D
In all fairness, when Andy Ful found the script bug, I admitted there was a bug, and I fixed it. Although, I must admit that it took a time or two for us to figure out the best way to reproduce the error, but once we both could easily reproduce the bug, I admitted it publicly and fixed it in a day or two. When Av Gurus discovered the bug where VS was not protecting from archives, it took all of 5 seconds to reproduce the bug and 5 minutes to fix it. I was extremely appreciative that he found that bug for me. Although, creating two YouTube videos on the bug might be overkill ;). And I hope he explains somewhere that the bug has now been fixed. If not, no biggie. All software has bugs.

I truly appreciate anyone and everyone finding vulnerabilities like this for me, and for other developers. One thing is for sure, I cannot find every single issue on my own... hell massive dev teams can't even do that.

Years ago, I would get upset if someone found a way to bypass VS. But I quickly realized that they were just trying to help... even if they were another dev from a competing product. As a matter of fact, I remember Fabian even saying something like "I understand why Dan is upset about this bypass, I used to get upset and think people were attacking me too". When I read that, it made me realize that he was just trying to help.

So now I welcome any and all legitimate bypasses... the only requirement is that the test not click the Allow button.

Hehehe, come on, you know you are laughing about White Cipher too ;). Please do not start another argument and try to prove to me that you are not laughing about it ;).

Cool, I am happy to end this conversation.
 

Orion

Level 2
Verified
Apr 8, 2016
83
While I do agree with certain points stated by both parties, the usual point about such testing is that it is not emulating a real-world scenario (NOT nation-state attacks/larger-scale targeted attacks performed by professionals and hired hackers, not the regular malware writers who hijack home user data for money).

If you can protect against the infection vector you are stopping the malware chain; for example, with Locky at one point they were using Dropbox to spread the js:downloader, which I reported to some AV companies, and they managed to come up with ways of detecting the Dropbox download without causing FPs. This doesn't necessarily mean they detect the JS. But there is a little broader spectrum they took into consideration while stopping the download, by seeing where it comes from, what it contains, its rep, etc.

No test can emulate real-world scenarios. You cannot dismiss the fact that AVs will keep evolving, and what people call traditional is no more the same.

You have to understand how a feature/product works to understand how it prevents an infection (assuming this is a regular malware infecting a home user).

There is little or no info on how these YouTube test beds are created, and you are basically going in with both legs inside the ocean without knowing how some programs function.

While I agree with the point that such holes are a potential threat to everyone, you also need to consider how much this hole is being used in the regular world. It was used to spread the infection across the network, not to spy, which again is not a regular writer's intention. WannaCry was made by people who targeted these enterprises, by some malware writers somewhere in the world, not by the CIA/NSA.

In every AV conference, there are multiple suggestions made (even when we were at Avast's AV comparatives meeting in Prague) on how to do proper testing, some of which I think make sense.

No one inserts a stick containing different malware on it in the real world. This sort of testing is getting more and more problematic if you are not testing the infection vector and not telling us how you created the testbed.

Yup, it is good to stop the exploit, but there are hundreds more out there that you are unaware of. How do you stop them? You have to treat everything on a system as untrusted at a paranoid level, which is not suitable for regular users.

Most of us and even most endpoints have good IT departments and do update their systems, and considering EB was patched 3 months before it came out, there is no excuse except ignorance.

If all products start detecting the entry of the exploit, then malware writers will find different ways. Game over. You need to detect the payload and its underlying binary, which is important.

This is not an excuse or an attack. It's what you should be reading from any tests.

This is an exploit that is used in nation-state level attacks.
 

Orion

Level 2
Verified
Apr 8, 2016
83
Clicking allow or deny needs the user to be aware and alert, to be straightforward, as a warning.
 

Deleted member 178

Just use a software for what it can do based on what it is supposed to do; don't try to make it what it isn't.
 