Video EternalBlue and DoublePulsar application whitelisting test

Status
Not open for further replies.

SHvFl

The test is both interesting and stupid. It shows that if you manage to have malware running on your system then it's game over. What makes it stupid, though, is that the developer doesn't accept clicking allow in an alert to run a kill switch for his program, which proves you can disable it with an allowed program, but on the other hand this time, because his product blocks the attack, it's fine having something already existing on the system. Wonder how it got on the system. Maybe the motherboard gave birth to the exploit before the test.
This video is just a promotion and nothing else. Just accept the fact that if you manage to get malware on your system then nothing will save you.
 

Andy Ful


Deleted member 178

Let me explain what EternalBlue-DoublePulsar does via an analogy:

1- The criminal (hacker) wants his accomplice (malicious file), who owns a shovel and pick (EB-DP), to enter the target building (Win7) from outside or from another breached building (via SMB1.0 abuse).
2- Then he wants to go to the basement (the kernel) via the elevator (use of lsass.exe/rundll32.exe) and use his tools to make a hidden tunnel connecting to the outside (the permanent kernel exploit backdoor aka DoublePulsar) = called stage 1, or this video.
3- This tunnel allows the criminal to later put a bomb (ransomware, keylogger, etc...) = stage 2, not shown in the video...

So with AG and other anti-exe (the security guard), how can the accomplice get in and use his tools? He won't; he will be blocked by the guards.
How can the bomb be activated? It can't; it will be blocked.

The video just shows point 1 being ignored, assuming the accomplice is already in the building in front of the elevator... as if it can teleport... come on, gimme a break...

Now, is this realistic or not? For me, not at all.
 

_CyberGhosT_

> Hey guys, you are very cruel to Dan. :(
> I am not so cruel. The test showed that the Metasploit attack with EternalBlue & DoublePulsar exploits cannot run the meterpreter payload on a machine with VoodooShield Always ON mode. In my opinion, it does not prove much about EternalBlue & DoublePulsar exploits. This video was also commented on:
> Is that true, that default deny security solutions can stop the EternalBlue & DoublePulsar attacks?

You're right, and I am sooo glad they are showing their true colors in public for all to see ;)
There are a few I message back and forth with who see it for what it is.
 

cruelsister

I probably shouldn't be commenting on this now as I'm on pain meds for a twisted knee from running, and a few glasses of wine (probably not something wise to do), but nonetheless:

1). Dan was being trolled by a few about metasploit bypasses and I think this culminated in his response with this video. It is a shame that he had to lower himself to do this, but the resulting video was well done (although I wish he had consulted me as I had a Miles Davis Blues tune that would have fit nicely).

2). Umbra- I feel your pain (and like the analogies). As you intimate, topics such as this should be confined to places other than Home User forums (no offense to anyone out there!). The fact that such attacks are not only targeted but must have a number of things in place before being successful is something that is never discussed. A person concentrating on this topic is like someone worried about crossing 7th Ave in Manhattan on the Middle Night of Spring and getting hit by an Elephant, while ignoring that one may get creamed by a Taxi the rest of the year.

So I'm sure that some vendors (and I DON'T mean VS) will try to tout that they protect against such a specific attack, they will also ignore that they will be breached by a simple Worm coded by some Pre-Pubescent Blackhat Wannabe.
 

Deleted member 178

> 1). Dan was being trolled by a few about metasploit bypasses and I think this culminated in his response with this video. It is a shame that he had to lower himself to do this, but the resulting video was well done

Yes, I discussed the video with him; sadly he put it out as a defensive response to a post praising AG... However, I don't deny that the attack is working (but only if it gets the proper conditions).

> 2). Umbra- I feel your pain (and like the analogies). As you intimate, topics such as this should be confined to places other than Home User forums (no offense to anyone out there!). The fact that such attacks are not only targeted but must have a number of things in place before being successful is something that is never discussed.

Exactly, it doesn't show the whole picture, just a part of it. Average users won't understand (just by looking at the video) what is happening and what must have happened before; what they see is just a product bypassed; no explanations, nothing.
He should have PMed an AppGuard representative before throwing the video out and should have mentioned that the video assumes the exploit is coming from a breached system on the same network.
Lots of hidden elements, which make his video "quasi-biased".
You and I can do a dozen videos like that, or like this BlackCipher dude. I like your videos, because you explain things.

> A person concentrating on this topic is like someone worried about crossing 7th Ave in Manhattan on the Middle Night of Spring and getting hit by an Elephant, while ignoring that one may get creamed by a Taxi the rest of the year.

Indeed, no home user with an up-to-date OS will ever get hit by this exploit today.

> So I'm sure that some vendors (and I DON'T mean VS) will try to tout that they protect against such a specific attack, they will also ignore that they will be breached by a simple Worm coded by some Pre-Pubescent Blackhat Wannabe.

Exactly.
 

cruelsister

Personally I love metasploit as it has gotten me a number of Gift Cards and Tee-Shirts at the many Breach Shows put on by various vendors. I particularly like my Palo Alto shirt which I wear when I run and look devastatingly HOT in (not being conceited here, just calling a Spade a Spade).
 

BugCode

Hehehe! Yeah, this clip got a lot of discussion. And for a reason, for sure. Yes, and of course every app's devs "defend" (if they have something to show for real) what their apps can do and what not. @SHvFl said it well: "The test is both interesting and stupid" and also "Maybe the motherboard gave birth to the exploit before the test." So after all, I mean, this kind of video is more or less purely "useless" in my eyes. Whether you know something about this kind of thing or not, it doesn't matter; the video may look to a newbie like "wow, this is a must-have app". But for real, this is more than exploiting that thing. What to do beforehand is what the user must know in the first place.

I don't praise or defend any devs whose apps are in this video, but this doesn't mean anything; pls ban this kind of video :p
Oh well, actually I know NOTHING about computers' life of the spirit, but I always like to quote this one at the end: "Every man is a potential genius until he does something." - Sir Herbert Beerbohm

What the heck did I write? Oh well, never mind, I'm just trying to wake up! Please continue... :d
 

_CyberGhosT_

> I probably shouldn't be commenting on this now as I'm on pain meds for a twisted knee from running, and a few glasses of wine (probably not something wise to do), but nonetheless:
>
> 1). Dan was being trolled by a few about metasploit bypasses and I think this culminated in his response with this video. It is a shame that he had to lower himself to do this, but the resulting video was well done (although I wish he had consulted me as I had a Miles Davis Blues tune that would have fit nicely).
>
> 2). Umbra- I feel your pain (and like the analogies). As you intimate, topics such as this should be confined to places other than Home User forums (no offense to anyone out there!). The fact that such attacks are not only targeted but must have a number of things in place before being successful is something that is never discussed. A person concentrating on this topic is like someone worried about crossing 7th Ave in Manhattan on the Middle Night of Spring and getting hit by an Elephant, while ignoring that one may get creamed by a Taxi the rest of the year.
>
> So I'm sure that some vendors (and I DON'T mean VS) will try to tout that they protect against such a specific attack, they will also ignore that they will be breached by a simple Worm coded by some Pre-Pubescent Blackhat Wannabe.

Could not agree more CS, you need to post more while under the influence :p
On a serious note, hope your knee gets better soon. PeAcE
 

Andy Ful

I have to defend Dan's video again. He showed that a payload (meterpreter) can be executed on target machines. One can replace the meterpreter DLL with any malware coded in the form of a DLL. So in fact, the video proves that such malware files can be executed remotely using a remote kernel exploit as a bridge.
My concern is of a different kind. Detailed analyses of the EternalBlue & DoublePulsar code strongly suggest that both avoid rundll32.exe to execute DLLs. If so, then blocking rundll32.exe does not block payload execution, except when the payload, after starting, loads additional DLLs in the standard way (using rundll32.exe).

I also agree with @cruelsister that this subject may be too technical for Home User forums, and in fact home users can hardly be targets (except when using large public networks).
 

_CyberGhosT_

> I have to defend Dan's video again. He showed that a payload (meterpreter) can be executed on target machines. One can replace the meterpreter DLL with any malware coded in the form of a DLL. So in fact, the video proves that such malware files can be executed remotely using a remote kernel exploit as a bridge.
> My concern is of a different kind. Detailed analyses of the EternalBlue & DoublePulsar code strongly suggest that both avoid rundll32.exe to execute DLLs. If so, then blocking rundll32.exe does not block payload execution, except when the payload, after starting, loads additional DLLs in the standard way (using rundll32.exe).
>
> I also agree with @cruelsister that this subject may be too technical for Home User forums, and in fact home users can hardly be targets (except when using large public networks).

I agree, and going after Dan either directly or indirectly on a forum he does not access or visit, where he can't respond, is a cowardly move.
As stated over at WS, this should be addressed with Dan via email or PM on sites he frequents.
 

SHvFl

> I agree, and going after Dan either directly or indirectly on a forum he does not access or visit, where he can't respond, is a cowardly move.
> As stated over at WS, this should be addressed with Dan via email or PM on sites he frequents.

He actually asked to post here, dude, and it's no one's fault except his own if he doesn't have an account here. The same things we posted here are posted on his topic on the other site anyway.
You must agree with the fact that he made a video promoting his product and bashing others with a scenario he didn't even accept as a bypass of his product in the past. Pretty low if you ask me.
 
May 22, 2017
As most of it has been beaten to death already, I'm going to just simply point out something I mentioned in another thread about grouping products together and testing with one size fits all. AppGuard is not an anti-exe, and cannot be tested like a security suite at default settings; rules need to be established. Just this alone marks the test as BS to me, and it looks to be only a PR stunt. Very disappointing seeing a developer do this, as enough of the YouTube testers do already.

Either way, I'm not concerned; MS has patched this already.
 

Andy Ful

> He actually asked to post here, dude, and it's no one's fault except his own if he doesn't have an account here. The same things we posted here are posted on his topic on the other site anyway.
> You must agree with the fact that he made a video promoting his product and bashing others with a scenario he didn't even accept as a bypass of his product in the past. Pretty low if you ask me.

I can understand @SHvFl's standpoint. But this case is a special one. Many security vendors claimed that their security software can stop WannaCry; this was only a half truth, and also a form of promotion. And there was the MalwareTips thread (opened by me) where I strongly suggested that anti-exe solutions cannot stop EternalBlue & DoublePulsar exploits, and many other security programs may also have problems with it. I proposed a similar Metasploit test in that thread, when @Lockdown tried to simulate an EternalBlue & DoublePulsar infection between two virtual machines. I discussed these problems with Dan by mail, but he seems to be tired of this topic now.
So, things are complicated, but anyway I'm glad that Dan made his video (even though I don't agree with his interpretation).

Edit
I do not think that Dan's video shows that AppGuard is worse than VoodooShield, etc. Remote kernel exploits are Microsoft's problem, and no one should expect that security programs will fully stop them.
I also do not agree that EternalBlue & DoublePulsar is a closed vulnerability. The malware code can quickly evolve, especially such a successful one.
 