App Review EternalBlue and DoublePulsar application whitelisting test

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Status
Not open for further replies.
Umbra said:
That was his goal, the video was a response because someone told him AG is better than VS, he told me himself. He is pissed by the fact people continuously saying AG is "awesome" or "better" than VS.
He wan't to make those people wrong, all had an hidden agenda from the start , the motive and the method.
Click to expand...

well fwiw I came away from the discussion with better understandings, and added AG to pc with VS already installed. I even asked Dan if there were compatibility issues and he was "cool" with running both. I think Dan has best intentions even if the video is somewhat "flawed" from certain perspectives. :cool:
 
  • Like
Reactions: askmark, BugCode, Tiny and 3 others
simmerskool said:
well fwiw I came away from the discussion with better understandings, and added AG to pc with VS already installed. I even asked Dan if there were compatibility issues and he was "cool" with running both. I think Dan has best intentions even if the video is somewhat "flawed" from certain perspectives. :cool:
Click to expand...
Hehehe, how is is flawed? EVERYONE runs the test the exact same way... but when White Cipher runs the exact same test, boy, he really messed something up!!! ;)

Here are 4 examples of the same test.







 
  • Like
Reactions: askmark, Emmanuellws, silversurfer and 4 others
simmerskool said:
I think Dan has best intentions
Click to expand...
And that's what to focus on here, intentions here are clear, Dan's intensions are far from malicious
I can't say that for all participants and it's painting a very clear picture that I hope all are taking the
time to see and understand. There is a very vivid picture being painted here that goes beyond what
Dan's intent was.
Thanks to @Jack and the MT upper staff for letting this play out in a respectful manner
I think it is important to see this through.
 
  • Like
Reactions: askmark, silversurfer, BugCode and 5 others
danb said:
Besides, I am curious what she is going to think about the Malwarebytes article.
Click to expand...

Not to "inject" anything to a productive discussion, but this article takes me back to fears of even the late 90s. EB/DP is the vector for the ultimate nastiness if it was intialized as speculated. It's bad enough that it can corrupt critical lsass, but this is the one that can turn anyone's PC into anyone's PC and any time and for any amount of time.o_O

Thanks for all the comments. I am learning alot and hope we all are about how far PC security has to go, even if it has come so far over the last several years. Appreciate your comments Dan, not to cheat anyone out of their differences of opinion. It's a very competent debate imo...
 
  • Like
Reactions: askmark, BugCode, Andy Ful and 3 others
AtlBo said:
Not to "inject" anything to a productive discussion, but this article takes me back to fears of even the late 90s. EB/DP is the vector for the ultimate nastiness if it was intialized as speculated. It's bad enough that it can corrupt critical lsass, but this is the one that can turn anyone's PC into anyone's PC and any time and for any amount of time.o_O

Thanks for all the comments. I am learning alot and hope we all are about how far PC security has to go, even if it has come so far over the last several years. Appreciate your comments Dan, not to cheat anyone out of their differences of opinion. It's a very competent debate imo...
Click to expand...
Yeah, I hear what you are saying, and it certainly would have been preferable to stop the attack even sooner... before EB could do anything at all. But I am comforted by the fact that EB was unable to launch and install DP in the VS attack.

If you read the MRG article, they even accept detecting and terminating DP while it is fully running in memory as a block. And here is their conclusion... this is what we need to worry about:

Conclusion
It is nice that all the AV vendors claim to protect against the ransomware payload, but in case there is a backdoor running on your machine in the kernel level, things are not that great.

Please note the ETERNALBLUE exploit was published basically 2 months before Wannacry and this blog post.

If anyone creates an in-memory ransomware which can work with the ETERNALBLUE exploit, the number of ransomwared systems would skyrocket. ETERNALBLUE can be linked with Meterpreter easily, and we have an in-memory Meterpreter ransomware extension. We are sure we are not the only ones having this capability … If there will be an in-memory Meterpreter ransomware in-the-wild soon, we reserve the right to remove this section from the blogpost, and pretend we never wrote this. We are in the middle of contacting all AV vendors about the issue. Although we guess they already know this, they only forgot to notify the marketing department to check their communication.

MRG – ETERNALBLUE vs Internet Security Suites and nextgen protections





On kind of a side note... when I was talking to mWave, I thought it might be a good idea for him to start with EB, and see what he could do to bypass VS:

VoodooShield ?
 
  • Like
Reactions: askmark, BugCode, _CyberGhosT_ and 4 others
_CyberGhosT_ said:
You just personalized this with that statement for some reason, I did not suggest even once that
Dan getting banned had one thing to do with you, show me where I do ?
@danb
Thanks for showing up, now watch how the tone of this thread changes ;)
Don't be a stranger here brother :)
Click to expand...

for the record, I was unaware that Dan was banned at MT. sounds like a thread that might be worth reading... :oops:
 
  • Like
Reactions: askmark, BugCode, _CyberGhosT_ and 2 others
danb said:
Umbra, you can attack me personally all you want.

You misread CS's last sentence. Besides, I am curious what she is going to think about the Malwarebytes article.

#WannaCry Didn’t Start with Phishing Attacks, Says Malwarebytes

This video shows you everything you need to know:
Click to expand...


danb said:
If you do not understand the video above, hopefully someone else can explain it to you... because obviously I am failing in doing so.

Also, as you and I discussed, adding lsass.exe AG, in the user space tab did not help... the result was the same.

VoodooShield ?

VoodooShield ?
Click to expand...

read my comments on wilders , im tired to type the same here.

you just failed to understand that the endgame is for the attacker to upload and RUN a malicious file in the target system (not just creating a shell) and AG will surely block it.
it is why BRN doesn't care of this exploit, because it is not supposed to block exploit, but protect the system of what may come after.
For info ,it is a kernel exploit and AG don't touch the kernel.
VS or AG can't manipulate (hence protect) the kernel because of patchguard.

Now if VS can stop the attack one step earlier than AG , good , but the whole purpose of this attack is to do what wanacry does : infect the system not just breach it.

you must know what a product does before criticizing it, and obviously you don't understood what AG does.
 
  • Like
Reactions: askmark, Andy Ful, simmerskool and 1 other person
Umbra said:
read my comments on wilders , im tired to type the same here.

you just failed to understand that the endgame is for the attacker to upload and RUN a malicious file in the target system (not just creating a shell) and AG will surely block it.
it is why BRN doesn't care of this exploit, because it is not supposed to block exploit, but protect the system of what may come after.
For info ,it is a kernel exploit and AG don't touch the kernel.
VS or AG can't manipulate (hence protect) the kernel because of patchguard.

Now if VS can stop the attack one step earlier than AG , good , but the whole purpose of this attack is to do what wanacry does : infect the system not just breach it.

you must know what a product does before criticizing it, and obviously you don't understood what AG does.
Click to expand...
DP is the malicious payload that ran as SYSTEM.

AG FAILED TO BLOCK DP.

VS BLOCKED DP.

How do you not understand that?
 
Last edited:
  • Like
Reactions: Andy Ful, _CyberGhosT_, AtlBo and 1 other person
danb said:
DP is the malicious payload that ran as SYSTEM.

AG FAILED TO BLOCK DP.

VS BLOCKED DP.

How do you not understand that?
Click to expand...
where VS block DP lol ?
lsass.exe was compromised already, you don't even understand your own attack...
DP is only about injecting into lsass.exe , the rest (rundll32.exe + cmd.exe) are the tools it uses after exploiting lsass.exe , this is what VS blocked, not lsass.exe. We can see it in the video !
If VS did, we won't see rundll32.exe trying to execute cmd and VS blocking it !
10 times i explained it to you...10 times you denied it.
you seems to be unwilling to admit VS was also bypassed, that is what is annoying with you, you deny facts when it come to VS...but it is ok when it affects others...you are so biased toward your product...
VS/AG/ERP don't have any pure exploit protection mechanism to protect against kernel exploits unless , they aren't HMPA or MBAE or EMET( unless you decide to add this to VS in the future)
 
Last edited by a moderator:
  • Like
Reactions: Andy Ful and AtlBo
If it failed to block that malicious payload,
Umbra said:
where VS block DP lol, lsass.exe was compromised already, you don't even undertsand your own attack... DP is only about injecting into lsass.exe , the rest (rundll32.exe + cmd.exe) are the tools it uses after exploiting lsass.exe , this is what VS blocked, not lsass.exe. we can see it in the video !
if VS did, we won't see rundll32.exe trying to execute cmd; 10 times i explained it to you...
you seems to be unwilling VS was also bypassed , that is what is annoying with you, you deny facts.
Click to expand...
Take a screenshot of either one of my 2 videos and show me where rundll32.exe ran as a child process of lsass.exe, with a memory utilization of 8,000kb or so. Sure, rundll32.exe was temporarily suspended at 88kb while VS / the user decided to run the payload or not... but this is the way VS works. If we had a lockdown mode like ERP, then you would not see rundll32.exe as a child process of lsass at all... but we do not have a "total block everything no matter what, and do not even prompt the user, just block the darn thing" mode ;).

And cmd.exe? What are you talking about?

In my most recent video, you do realize that there were two tests... first AG then VS, right?
 
  • Like
Reactions: askmark and AtlBo
danb said:
Sure, rundll32.exe was temporarily suspended at 88kb while VS / the user decided to run the payload or not... but this is the way VS works.
Click to expand...
so what create it ? the exploit right? so lsass.exe was injected already ? right? lsass.exe doen'st create rundll32.exe (coincidentally at the very same moment when DP was executed) all by itself for no reason? right?
 
Last edited by a moderator:
  • Like
Reactions: AtlBo
Enough! is enough! I love saying that in english even when I barely speak it. I think you guys should drop the ball shake hands and game over. This is not a battle, and it should not be a battle. I think this thread has explained a lot and we all can do our own math and make our own conclusions. I'm none to ask for this but let's keep the good spirit here at MT!.
 
  • Like
Reactions: askmark, BugCode, simmerskool and 1 other person
danb said:
There really is not point in talking to you about this if you are not willing to test for yourself.
Hopefully CS or MRG can explain to Umbra what is up.
Click to expand...
i don't need to test , i saw plenty of videos and read countless articles explaining that DP target is lsass.exe and just need to inject it before doing the other tasks.
you just won' admit it because i make you hurt that VS does nothing to prevent lsass.exe to be exploited. or maybe you just don't want lose face now while realizing you interpreted the attack wrongly from the start...
 
darko999 said:
Enough! is enough! I love saying that in english even when I barely talk it. I think you guys should drop the ball shake hands and game over. This is not a battle, and it should not be a battle. I think this thread has explained a lot and we all can do our own math and make our own conclusions. I'm none to ask for this but let's keep the good spirit here at MT!.
Click to expand...
exact. i said all i have to say , if he can't grasp the idea, i can't do much more.
People here know now how he is...and you all know already how i am.
 
You are confusing exploits with malicious payloads.

The fact that arbitrary malicious code was allowed to execute (as system), should be indication enough that there is an issue with the mechanism that is supposed to block arbitrary malicious code from running.
 
  • Like
Reactions: askmark
danb said:
You are confusing exploits with malicious payloads.
The fact that arbitrary malicious code was allowed to execute (as system), should be indication enough that there is an issue with the mechanism that is supposed to block arbitrary malicious code from running.
Click to expand...
DP runs in the kernel using a non-standard way of running code, so product can't block it ; it is not like DP is run from a file. do you understand?
if DP was ran from an executable, we won't even have this discussion.

Anyway since VS or AG cant avoid lsass.exe to be compromised, all you can do is band aid...so useless to discuss about what it will do next. i rather reformat the system.

if the user has an anti-exploit , it should be protected.
 
Last edited by a moderator:
  • Like
Reactions: Andy Ful
Status
Not open for further replies.

You may also like...