App Review EternalBlue and DoublePulsar application whitelisting test


SHvFl

Respectfully, no it's not, know your history, he was banned here, he has alluded to this fact many times.
And him getting banned is my fault? You follow the rules or get banned. Pretty simple. It doesn't mean people should not post VS stuff on this forum because the developer can't participate for any reason. Most developers are not here. It doesn't change the fact of what I wrote though, which is 100% based on truth.
He can't cherry pick when he wants an action to be considered OK based on whether VS is bypassed by it or not. If you click allow once, his product can be disabled completely and have no control on the system, but yet he doesn't consider it a bypass because you click allow on the payload. To add this exploit on the system he had to click allow, so I don't see why this case is any different and this time is acceptable.
 

mekelek

SHvFl said:
And him getting banned is my fault? You follow the rules or get banned. Pretty simple. It doesn't mean people should not post VS stuff on this forum because the developer can't participate for any reason. Most developers are not here. It doesn't change the fact of what I wrote though, which is 100% based on truth.
He can't cherry pick when he wants an action to be considered OK based on whether VS is bypassed by it or not. If you click allow once, his product can be disabled completely and have no control on the system, but yet he doesn't consider it a bypass because you click allow on the payload. To add this exploit on the system he had to click allow, so I don't see why this case is any different and this time is acceptable.
Why are you getting upset over the fact that someone is trying to show his product in the best spotlight?
 

SHvFl

mekelek said:
Why are you getting upset over the fact that someone is trying to show his product in the best spotlight?
I don't care if he shows his product in the Whitehouse, but he is manipulating testing to serve his need to show VS is the best. Like it or not, I will expose his tests' discrepancies.
 

mekelek

SHvFl said:
I don't care if he shows his product in the Whitehouse, but he is manipulating testing to serve his need to show VS is the best. Like it or not, I will expose his tests' discrepancies.
And that's totally fine, but you're getting mad over it. It's business, bro; you would do the same.
 

Deleted member 178

I do not think that Dan's video shows that AppGuard is worse than VoodooShield, etc.
That was his goal; the video was a response because someone told him AG is better than VS, he told me himself. He is pissed by the fact that people continuously say AG is "awesome" or "better" than VS.
He wants to prove those people wrong; it all had a hidden agenda from the start, the motive and the method.
 

Deleted member 178

After some research:

In fact rundll32.exe isn't exploited, but lsass.exe.
After some deeper research, we found out that EB drops a DLL in the root of the system to abuse SMB 1.0/2.0.
Via EB, we upload DoublePulsar (the dropper), which injects itself into lsass.exe, which spawns rundll32.exe as a child (Dan's video stops here); if we continue, rundll32.exe will load a shell (i.e. cmd.exe) which allows the attacker to access the target machine at the "System" privilege level.

The best explanation of the attack I found is here:
EternalPulsar — A practical example of a made up name

lsass.exe is a crucial process of Windows and shouldn't be blocked from running.

In the video, VS & ERP didn't block DP from exploiting the kernel; lsass.exe was already owned. VS & ERP blocked lsass.exe from spawning rundll32.exe.

So none of the products in the video blocked the kernel exploit...
 

BugCode

Hahaha! Yes, and now that I have pretty much woken up, I can say I have a lot of respect for Dan's hard work, and we have talked about his product many, many times, like good friend to good friend, so no vilifying of any kind of Dev Dan, respectfully. - BC

E: After many cups of my daily coffee dose :)
 

Andy Ful

Deleted member 178 said:
After some research:

In fact rundll32.exe isn't exploited, but lsass.exe.
After some deeper research, we found out that EB drops a DLL in the root of the system to abuse SMB 1.0/2.0.
Via EB, we upload DoublePulsar (the dropper), which injects itself into lsass.exe, which spawns rundll32.exe as a child (Dan's video stops here); if we continue, rundll32.exe will load a shell (i.e. cmd.exe) which allows the attacker to access the target machine at the "System" privilege level.

The best explanation of the attack I found is here:
EternalPulsar — A practical example of a made up name

lsass.exe is a crucial process of Windows and shouldn't be blocked from running.

In the video, VS & ERP didn't block DP from exploiting the kernel; lsass.exe was already owned. VS & ERP blocked lsass.exe from spawning rundll32.exe.

So none of the products in the video blocked the kernel exploit...

Finally we agree. :)
As I said before, this video did not prove much about EternalBlue & DoublePulsar exploits.
 

danb

@Umbra

You are twisting and cherry picking my words. I am not “pissed by the fact people continuously saying AG is "awesome" or "better" than VS.” As I suggested in the video description, I am TIRED of people wildly speculating that one product will perform better than another product in certain tests.

If this was a promotional video to put VS in the best light, then I would not have included the ERP test, and I could have easily made the video MUCH more dramatic.

Even if this was a promotional video… there is absolutely nothing wrong with clearly demonstrating how your product is different from other products.

For example… BRN created this comparison matrix: http://www.voodooshield.com/artwork/agcm.png

In this video:

The difference is that my video passes the truth test, and theirs does not. If anyone believes that AG is the only product that will stop most or all of these threats, they simply are uninformed.

This was simply a test that was performed to answer the question proposed in this thread: Is that true, that default deny security solutions can stop the EternalBlue & DoublePulsar attacks?

Instead of speculating, why not just get off of your ass and run the test? Come on guys… 3 pages of speculation, and not a single test was performed… and we wonder why the malware epidemic is only getting worse. I was under the impression that Lockdown was not familiar enough with pen testing with Kali to get this attack to work… and I was curious what would happen, so I ran the freaking test.

Andy Ful said:
If you mastered enough Metasploit, that would be the simplest way to perform EternalBlue & DoublePulsar attack.

Lockdown said: It will take time to learn Kali Linux. Just focusing on Kali Linux instead of the standalones. So much is packed-into Kali.

Is that true, that default deny security solutions can stop the EternalBlue & DoublePulsar attacks?

And now we all know the result. It is that simple… isn’t that better than speculating?

What almost everyone is failing to realize is that if EB is able to install a kernel level backdoor (DP), it will have no problem creating a different malicious process.

The problem is that WannaCry demonstrated that adding a worm component to ransomware made it spread like wildfire… and everyone is ignoring the fact that malware authors are most likely going to be utilizing and enhancing this technique or similar techniques to create copycat malware… it happens almost every time.

It is hilarious when people say “oh, that has been patched by Microsoft, so we do not have to worry about it.” What they are completely misunderstanding is that this test perfectly demonstrates their mechanism does not block worm attacks like this. If you are going to be protecting a large enterprise with 10,000 endpoints... one of two things must occur:

Your endpoint software is able to defend against this kind of attack

OR

All 10,000 endpoints remain uninfected 100% of the time. This includes mobile devices brought in from the outside… you know, the ones you had on your home network the night before, while your kid was poking around on the internet.

ANYTHING else is a pretentious assumption that your software is absolutely perfect, and there will never be a breach.


@ SHvFl

We all know why I was banned from MT. An old admin, Littlebits wrote a fake review on VS without even installing it, when we first came out. I stood up to him (and tried to be as nice as possible, IMA), and he made sure I was banned. Either way, I will never let anyone bully me, whether they are an admin or not.

More importantly… clicking allow, or lowering the security level to install, disabled, or OFF in ANY security product does NOT demonstrate a bypass. This is not just for VS… this is for ANY security software… I have no idea why you do not understand this concept.

With that in mind… the EB/DP attack did not require ANY user interaction AT ALL… NOTHING. That is why this attack is different… and there will be copycat attacks.


@Everyone

VS blocked the attack, but there are a couple of things that it could certainly do better, and they are very easy to fix. This is true with ALL of the products, but if I would have demonstrated this, then it would have appeared as though I was picking on certain products.

The absolute truth is that when I heard how WannaCry was spreading like wildfire because of this worm component, I had a horrible, horrible sinking feeling in my stomach and was worried if I did everything correct in the code, and if VS actually blocked EB / DP / WC. If other security vendors are not concerned about this threat, that is their business.

I wish I had time to respond to everyone… but stuff like this takes crazy amounts of time. I actually am probably not going to have any time to reply on any forum for quite some time. Besides, honestly, it gets kind of old when people speculate about a test… then you take time to do the research and perform the test properly, then when they see the results, if they do not like the outcome, you have to spend 3 days explaining stuff to them, that they could easily either research or test on their own.

No thanks… I would rather go to the park with Molly .

When MRG releases its final results, assuming that they further explain why this attack requires security software’s immediate attention, I am certain people will start to understand why I made the video.




Update…

I just wanted to thank Umbra for the gift. What he did was simultaneously demonstrate that what he has been saying all along is incorrect, and what I have been saying is correct.

Video Review - EternalBlue and DoublePulsar application whitelisting test

Here is a screenshot, in case he removes or edits the post: http://www.voodooshield.com/artwork/UmbrasGift.PNG

EternalPulsar — A practical example of a made up name

Umbra, do you see why I get annoyed when you, Pete and Jeff trash talk VS… when in fact you are 100% incorrect? I have many, many other documented instances that I have collected throughout the years.
 

Andy Ful

Hi @danb. You know what I think. It would be good if you manage to show that EternalBlue uses the standard way (via rundll.exe) to execute DoublePulsar. For now, I have not seen any analysis that mentioned that. So I am curious what will happen. :)
I also appreciate that you prefer testing over speculating.

Edit
Please try to forget, what happened before. Also, you do not have to defend VoodooShield to death. It is a good program and can defend itself.
 

danb

Andy Ful said:
Hi @danb. You know what I think. It would be good if you manage to show that EternalBlue uses the standard way (via rundll.exe) to execute DoublePulsar. For now, I have not seen any analysis that mentioned that. So I am curious what will happen. :)
I also appreciate that you prefer testing over speculating.
Thank you for the suggestion... but the command line is simply "rundll32.exe".

I actually just replied to a similar post here: VoodooShield ?

BTW, sorry if I seemed a little grumpy yesterday... I just want people to test for themselves. It took 6 hours total to setup the Kali machine, modify the scripts to work without having to type in each command line separately, and to run the tests. But it has taken 20-30 hours to explain the results... when they are clearly demonstrated in the video. I was actually going to do a lot more testing, but probably not now ;).
 

_CyberGhosT_

SHvFl said:
And him getting banned is my fault?
You just personalized this with that statement for some reason. I did not suggest even once that Dan getting banned had anything to do with you; show me where I did.
@danb
Thanks for showing up, now watch how the tone of this thread changes ;)
Don't be a stranger here brother :)
 

danb

_CyberGhosT_ said:
You just personalized this with that statement for some reason. I did not suggest even once that Dan getting banned had anything to do with you; show me where I did.
@danb
Thanks for showing up, now watch how the tone of this thread changes ;)
Don't be a stranger here brother :)
How did you recognize me ;). Darn it, if I knew that were the case, I would have used my new name... White Cipher ;). Hehehe.
 

Deleted member 178

@danb lsass.exe is the exploited, injected process; rundll.exe is just a tool used by it. To block DP, lsass.exe must be protected, not rundll32.exe. Blocking rundll is not blocking DP.

Bank = OS
DP = criminal
lsass.exe = employee of the bank
Rundll = walkie-talkie.

So the criminal enters the bank, kidnaps an employee, disguises himself in his uniform, and now uses his walkie-talkie to contact other criminals outside to say he is in.

Easy to understand, no?
 

Deleted member 178

danb said:
I am TIRED of people wildly speculating that one product will perform better than another product in certain tests.
Who said that? Not me.
danb said:
The difference is that my video passes the truth test, and theirs does not. If anyone believes that AG is the only product that will stop most or all of these threats, they simply are uninformed.
Most? Yes. All? Not at all; nobody said that. AG doesn't block ALL malware and exploits, it blocks most of those we know.
Marketing is marketing; the day you understand that, maybe you will start selling VS on a larger scale.

I don't understand why you want every product to protect against everything. It will never happen. Tools are tools, suites are suites; each does what it is supposed to do, no more, no less. Your vision of what a security product should be is not right.

danb said:
What almost everyone is failing to realize is that if EB is able to install a kernel level backdoor (DP), it will have no problem creating a different malicious process.
And we saw it with VS, which was also owned.

danb said:
The problem is that WannaCry demonstrated that adding a worm component to ransomware made it spread like wildfire… and everyone is ignoring the fact that malware authors are most likely going to be utilizing and enhancing this technique or similar techniques to create copycat malware… it happens almost every time.
Not the SRP/anti-exe's job to protect against that; this is the network protection's job.
Don't generalize and mix unrelated things.

danb said:
With that in mind… the EB/DP attack did not require ANY user interaction AT ALL… NOTHING. That is why this attack is different… and there will be copycat attacks.
Nothing if on the same network. That is a big difference. As @cruelsister and I said earlier in the thread, EB-DP needs specific conditions to run... if none of them are available, the attack doesn't work.

danb said:
VS blocked the attack, but there are a couple of things that it could certainly do better, and they are very easy to fix. This is true with ALL of the products, but if I would have demonstrated this, then it would have appeared as though I was picking on certain products.
VS only blocked what the exploit was trying to do after being injected into lsass.exe, not the exploit itself.


danb said:
I just wanted to thank Umbra for the gift. What he did was simultaneously demonstrate that what he has been saying all along is incorrect, and what I have been saying is correct.

Video Review - EternalBlue and DoublePulsar application whitelisting test

Here is a screenshot, in case he removes or edits the post: http://www.voodooshield.com/artwork/UmbrasGift.PNG

EternalPulsar — A practical example of a made up name

Umbra, do you see why I get annoyed when you, Pete and Jeff trash talk VS… when in fact you are 100% incorrect? I have many, many other documented instances that I have collected throughout the years.
Trash talk? Are you kidding me? I promote VS all the time here; people can tell it... but since you take it this way, I will stop. Good job Dan... you lost an ally...

Btw, you are a creepy stalker... collecting what people said in the past, it is sick... people can change their mind or opinion...
By the way, I wasn't wrong; you don't even understand EB-DP... you didn't even understand the article I posted... you believe it is about rundll32.exe, lol! You shot yourself in your own foot.

We’re breaking security so lets just use lsass.exe which is conveniently the default, we’re again confirming the protocol that we’re attacking (nbt is also an option that needs to be explored further) and the architecture of the target machine. We get returns confirming that the DoublePulsar backdoor has staged correctly,
This is the kernel exploit.



Point 1 - lsass.exe exploited (VS and other softs in your video didn't prevent that).
Point 2 - it spawns rundll32.exe (that is what VS and ERP blocked) and it makes a connection to the attacker's system, aka Kali (the Linux OS from where the whole attack is staged).
Point 3 - then rundll32.exe creates a shell (cmd.exe) so the attacker using Kali has a method to interact with the exploited system and then upload other files.

So VS didn't block the kernel exploit (lsass.exe being injected), but blocked the subsequent steps (where rundll32.exe is involved).

So Dan , JUST TRY TO UNDERSTAND WHAT YOU ARE DOING , damn it !
 
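The chain in points 1-3 above (lsass.exe injected, a bare rundll32.exe spawned from it, then a cmd.exe shell) is visible in ordinary process-creation telemetry, and danb's note that the command line was simply "rundll32.exe" gives a second check. The script below is an added example, not code from the thread or from any product discussed in it: the events are constructed Sysmon-style tuples (image names reduced to lower-case file names), and treating powershell.exe as a shell alongside cmd.exe is an assumption beyond what the thread states.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style, reduced to what we need)."""
    pid: int
    ppid: int
    image: str    # image file name only, lower-case (e.g. "lsass.exe")
    cmdline: str  # full command line as logged


# Constructed sample telemetry (not from the video or any real capture):
# a normal boot chain, one legitimate rundll32 use, and the lsass -> rundll32 -> cmd chain.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(4, 0, "system", ""),
    ProcEvent(600, 4, "wininit.exe", "wininit.exe"),
    ProcEvent(700, 600, "lsass.exe", r"C:\Windows\system32\lsass.exe"),
    ProcEvent(900, 600, "services.exe", r"C:\Windows\system32\services.exe"),
    ProcEvent(1200, 900, "svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    # legitimate use: a DLL,EntryPoint argument and a parent that is not lsass.exe
    ProcEvent(2100, 1200, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    # the chain described in points 1-3 of the post above
    ProcEvent(3000, 700, "rundll32.exe", "rundll32.exe"),
    ProcEvent(3100, 3000, "cmd.exe", "cmd.exe"),
]

# Shells the chain may end in; powershell.exe is an assumption beyond the thread's cmd.exe.
SHELLS = {"cmd.exe", "powershell.exe"}


def children_by_parent(events: List[ProcEvent]) -> Dict[int, List[ProcEvent]]:
    """Index events by parent pid so the process tree can be walked downward."""
    index: Dict[int, List[ProcEvent]] = {}
    for ev in events:
        index.setdefault(ev.ppid, []).append(ev)
    return index


def lsass_children(events: List[ProcEvent]) -> List[ProcEvent]:
    """lsass.exe does not normally create child processes; any child is a finding.

    This corresponds to point 2: it fires after the injection (point 1), not before it.
    """
    index = children_by_parent(events)
    found: List[ProcEvent] = []
    for ev in events:
        if ev.image == "lsass.exe":
            found.extend(index.get(ev.pid, []))
    return found


def bare_rundll32(events: List[ProcEvent]) -> List[ProcEvent]:
    """rundll32.exe started with no DLL,EntryPoint argument, as in the reported test."""
    found: List[ProcEvent] = []
    for ev in events:
        if ev.image != "rundll32.exe":
            continue
        parts = ev.cmdline.split(None, 1)
        if len(parts) < 2 or not parts[1].strip():
            found.append(ev)
    return found


def lsass_rundll32_shell_chains(events: List[ProcEvent]) -> List[Tuple[int, int, int]]:
    """Return (lsass pid, rundll32 pid, shell pid) for each full lsass -> rundll32 -> shell chain."""
    index = children_by_parent(events)
    chains: List[Tuple[int, int, int]] = []
    for lsass in events:
        if lsass.image != "lsass.exe":
            continue
        for loader in index.get(lsass.pid, []):
            if loader.image != "rundll32.exe":
                continue
            for shell in index.get(loader.pid, []):
                if shell.image in SHELLS:
                    chains.append((lsass.pid, loader.pid, shell.pid))
    return chains
```

Running the three functions over SAMPLE_EVENTS flags only pids 3000 and 3100 and leaves the legitimate rundll32 (pid 2100) alone; as the post says, all of these fire after lsass.exe is already owned, so they detect the follow-on steps rather than the injection itself.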

simmerskool

Dan sent me this and asked that I post it here. Hope it is still timely as it arrived several hours ago. Personally, I think the discussion here is easier to follow, and I understand both sides now better than reading the wilders thread. Please do not reply directly to me, I did not write it and I'm not posting it to defend it one way or the other. I do think back and forth of this discussion is a learning experience. /sk

@Umbra

You are twisting and cherry picking my words. I am not “pissed by the fact people continuously saying AG is "awesome" or "better" than VS.” As I suggested in the video description, I am TIRED of people wildly speculating that one product will perform better than another product in certain tests.

If this was a promotional video to put VS in the best light, then I would not have included the ERP test, and I could have easily made the video MUCH more dramatic.

Even if this was a promotional video… there is absolutely nothing wrong with clearly demonstrating how your product is different from other products.

For example… BRN created this comparison matrix:
http://www.voodooshield.com/artwork/agcm.png

In this video:

The difference is that my video passes the truth test, and theirs does not. If anyone believes that AG is the only product that will stop most or all of these threats, they simply are uninformed.

This was simply a test that was performed to answer the question proposed in this thread:
Is that true, that default deny security solutions can stop the EternalBlue & DoublePulsar attacks?

Instead of speculating, why not just get off of your ass and run the test? Come on guys… 3 pages of speculation, and not a single test was performed… and we wonder why the malware epidemic is only getting worse. I was under the impression that Lockdown was not familiar enough with pen testing with Kali to get this attack to work… and I was curious what would happen, so I ran the freaking test.

Andy Ful said: If you mastered enough Metasploit, that would be the simplest way to perform EternalBlue & DoublePulsar attack.

Lockdown said: It will take time to learn Kali Linux. Just focusing on Kali Linux instead of the standalones. So much is packed-into Kali.

Is that true, that default deny security solutions can stop the EternalBlue & DoublePulsar attacks?

And now we all know the result. It is that simple… isn’t that better than speculating? Read the video description.

What almost everyone is failing to realize is that if EB is able to install a kernel level backdoor (DP), it will have no problem creating a different malicious process.

The problem is that WannaCry demonstrated that adding a worm component to ransomware made it spread like wildfire… and everyone is ignoring the fact that malware authors are most likely going to be utilizing and enhancing this technique or similar techniques to create copycat malware… it happens almost every time.

It is hilarious when people say “oh, that has been patched by Microsoft, so we do not have to worry about it.” What they are completely misunderstanding is that this test perfectly demonstrates their mechanism does not block worm attacks like this. If you are going to be protecting a large enterprise with 10,000 endpoints... one of two things must occur:

1. Your endpoint software is able to defend against this kind of attack
OR
2. All 10,000 endpoints remain uninfected 100% of the time. This includes mobile devices brought in from the outside… you know, the ones you had on your home network the night before, while your kid was poking around on the internet.

ANYTHING else is a pretentious assumption that your software is absolutely perfect, and there will never be a breach.

@ SHvFl

We all know why I was banned from MT. An old admin, Littlebits wrote a fake review on VS without even installing it, when we first came out. I stood up to him (and tried to be as nice as possible, IMA), and he made sure I was banned. Either way, I will never let anyone bully me, whether they are an admin or not.

More importantly… clicking allow, or lowering the security level to install, disabled, or OFF in ANY security product does NOT demonstrate a bypass. This is not just for VS… this is for ANY security software… I have no idea why you do not understand this concept.

With that in mind… the EB/DP attack did not require ANY user interaction AT ALL… NOTHING. That is why this attack is different… and there will be copycat attacks.

@Everyone

VS blocked the attack, but there are a couple of things that it could have certainly done better (in this attack), and they are very easy to fix. This is true with ALL of the products, but if I would have demonstrated this, then it would have appeared as though I was picking on certain products.

The absolute truth is that when I heard how WannaCry was spreading like wildfire because of this worm component, I had a horrible, horrible sinking feeling in my stomach and was worried if I did everything correct in the code, and if VS actually blocked EB / DP / WC. If other security vendors are not concerned about this threat, that is their business.

I wish I had time to respond to everyone… but stuff like this takes crazy amounts of time. I actually am probably not going to have any time to reply on any forum for quite some time. Besides, honestly, it gets kind of old when people speculate about a test… then you take time to do the research and perform the test properly, then when they see the results, if they do not like the outcome, you have to spend 3 days explaining stuff to them, that they could easily either research or test on their own.

No thanks… I would rather go to the park with Molly.

When MRG releases its final results, assuming that they further explain why this attack requires security software vendor's immediate attention, I am certain people will start to understand why I made the video.
 