App Review EternalBlue and DoublePulsar application whitelisting test

[danb]

Umbra, you can attack me personally all you want.

You misread CS's last sentence. Besides, I am curious what she is going to think about the Malwarebytes article.

#WannaCry Didn’t Start with Phishing Attacks, Says Malwarebytes

This video shows you everything you need to know:

 

[danb]

If you do not understand the video above, hopefully someone else can explain it to you... because obviously I am failing in doing so.

Also, as you and I discussed, adding lsass.exe AG, in the user space tab did not help... the result was the same.

VoodooShield ?

VoodooShield ?

 

[simmerskool]

That was his goal, the video was a response because someone told him AG is better than VS, he told me himself. He is pissed by the fact people continuously saying AG is "awesome" or "better" than VS.
He wan't to make those people wrong, all had an hidden agenda from the start , the motive and the method.

well fwiw I came away from the discussion with better understandings, and added AG to pc with VS already installed. I even asked Dan if there were compatibility issues and he was "cool" with running both. I think Dan has best intentions even if the video is somewhat "flawed" from certain perspectives.

 

[danb]

well fwiw I came away from the discussion with better understandings, and added AG to pc with VS already installed. I even asked Dan if there were compatibility issues and he was "cool" with running both. I think Dan has best intentions even if the video is somewhat "flawed" from certain perspectives.

Hehehe, how is is flawed? EVERYONE runs the test the exact same way... but when White Cipher runs the exact same test, boy, he really messed something up!!!

Here are 4 examples of the same test.

 

[_CyberGhosT_]

I think Dan has best intentions

And that's what to focus on here, intentions here are clear, Dan's intensions are far from malicious
I can't say that for all participants and it's painting a very clear picture that I hope all are taking the
time to see and understand. There is a very vivid picture being painted here that goes beyond what
Dan's intent was.
Thanks to @Jack and the MT upper staff for letting this play out in a respectful manner
I think it is important to see this through.

 

[AtlBo]

Besides, I am curious what she is going to think about the Malwarebytes article.

Not to "inject" anything to a productive discussion, but this article takes me back to fears of even the late 90s. EB/DP is the vector for the ultimate nastiness if it was intialized as speculated. It's bad enough that it can corrupt critical lsass, but this is the one that can turn anyone's PC into anyone's PC and any time and for any amount of time.

Thanks for all the comments. I am learning alot and hope we all are about how far PC security has to go, even if it has come so far over the last several years. Appreciate your comments Dan, not to cheat anyone out of their differences of opinion. It's a very competent debate imo...

 

[danb]

Not to "inject" anything to a productive discussion, but this article takes me back to fears of even the late 90s. EB/DP is the vector for the ultimate nastiness if it was intialized as speculated. It's bad enough that it can corrupt critical lsass, but this is the one that can turn anyone's PC into anyone's PC and any time and for any amount of time.

Thanks for all the comments. I am learning alot and hope we all are about how far PC security has to go, even if it has come so far over the last several years. Appreciate your comments Dan, not to cheat anyone out of their differences of opinion. It's a very competent debate imo...

Yeah, I hear what you are saying, and it certainly would have been preferable to stop the attack even sooner... before EB could do anything at all. But I am comforted by the fact that EB was unable to launch and install DP in the VS attack.

If you read the MRG article, they even accept detecting and terminating DP while it is fully running in memory as a block. And here is their conclusion... this is what we need to worry about:

Conclusion
It is nice that all the AV vendors claim to protect against the ransomware payload, but in case there is a backdoor running on your machine in the kernel level, things are not that great.

Please note the ETERNALBLUE exploit was published basically 2 months before Wannacry and this blog post.

If anyone creates an in-memory ransomware which can work with the ETERNALBLUE exploit, the number of ransomwared systems would skyrocket. ETERNALBLUE can be linked with Meterpreter easily, and we have an in-memory Meterpreter ransomware extension. We are sure we are not the only ones having this capability … If there will be an in-memory Meterpreter ransomware in-the-wild soon, we reserve the right to remove this section from the blogpost, and pretend we never wrote this. We are in the middle of contacting all AV vendors about the issue. Although we guess they already know this, they only forgot to notify the marketing department to check their communication.

MRG – ETERNALBLUE vs Internet Security Suites and nextgen protections





On kind of a side note... when I was talking to mWave, I thought it might be a good idea for him to start with EB, and see what he could do to bypass VS:

VoodooShield ?

 

[simmerskool]

You just personalized this with that statement for some reason, I did not suggest even once that
Dan getting banned had one thing to do with you, show me where I do ?
@danb
Thanks for showing up, now watch how the tone of this thread changes
Don't be a stranger here brother

for the record, I was unaware that Dan was banned at MT. sounds like a thread that might be worth reading...

 

[Deleted member 178]

Umbra, you can attack me personally all you want.

You misread CS's last sentence. Besides, I am curious what she is going to think about the Malwarebytes article.

#WannaCry Didn’t Start with Phishing Attacks, Says Malwarebytes

This video shows you everything you need to know:

If you do not understand the video above, hopefully someone else can explain it to you... because obviously I am failing in doing so.

Also, as you and I discussed, adding lsass.exe AG, in the user space tab did not help... the result was the same.

VoodooShield ?

VoodooShield ?

read my comments on wilders , im tired to type the same here.

you just failed to understand that the endgame is for the attacker to upload and RUN a malicious file in the target system (not just creating a shell) and AG will surely block it.
it is why BRN doesn't care of this exploit, because it is not supposed to block exploit, but protect the system of what may come after.
For info ,it is a kernel exploit and AG don't touch the kernel.
VS or AG can't manipulate (hence protect) the kernel because of patchguard.

Now if VS can stop the attack one step earlier than AG , good , but the whole purpose of this attack is to do what wanacry does : infect the system not just breach it.

you must know what a product does before criticizing it, and obviously you don't understood what AG does.

 

[danb]

for the record, I was unaware that Dan was banned at MT. sounds like a thread that might be worth reading...

Hehehe, it absolutely is a very good read

See Umbra why I keep this kind of stuff? I will find it and post it asap.

 

[danb]

read my comments on wilders , im tired to type the same here.

you just failed to understand that the endgame is for the attacker to upload and RUN a malicious file in the target system (not just creating a shell) and AG will surely block it.
it is why BRN doesn't care of this exploit, because it is not supposed to block exploit, but protect the system of what may come after.
For info ,it is a kernel exploit and AG don't touch the kernel.
VS or AG can't manipulate (hence protect) the kernel because of patchguard.

Now if VS can stop the attack one step earlier than AG , good , but the whole purpose of this attack is to do what wanacry does : infect the system not just breach it.

you must know what a product does before criticizing it, and obviously you don't understood what AG does.

DP is the malicious payload that ran as SYSTEM.

AG FAILED TO BLOCK DP.

VS BLOCKED DP.

How do you not understand that?

 

[Deleted member 178]

DP is the malicious payload that ran as SYSTEM.

AG FAILED TO BLOCK DP.

VS BLOCKED DP.

How do you not understand that?

where VS block DP lol ?
lsass.exe was compromised already, you don't even understand your own attack...
DP is only about injecting into lsass.exe , the rest (rundll32.exe + cmd.exe) are the tools it uses after exploiting lsass.exe , this is what VS blocked, not lsass.exe. We can see it in the video !
If VS did, we won't see rundll32.exe trying to execute cmd and VS blocking it !
10 times i explained it to you...10 times you denied it.
you seems to be unwilling to admit VS was also bypassed, that is what is annoying with you, you deny facts when it come to VS...but it is ok when it affects others...you are so biased toward your product...
VS/AG/ERP don't have any pure exploit protection mechanism to protect against kernel exploits unless , they aren't HMPA or MBAE or EMET( unless you decide to add this to VS in the future)

 

[danb]

If it failed to block that malicious payload,

where VS block DP lol, lsass.exe was compromised already, you don't even undertsand your own attack... DP is only about injecting into lsass.exe , the rest (rundll32.exe + cmd.exe) are the tools it uses after exploiting lsass.exe , this is what VS blocked, not lsass.exe. we can see it in the video !
if VS did, we won't see rundll32.exe trying to execute cmd; 10 times i explained it to you...
you seems to be unwilling VS was also bypassed , that is what is annoying with you, you deny facts.

Take a screenshot of either one of my 2 videos and show me where rundll32.exe ran as a child process of lsass.exe, with a memory utilization of 8,000kb or so. Sure, rundll32.exe was temporarily suspended at 88kb while VS / the user decided to run the payload or not... but this is the way VS works. If we had a lockdown mode like ERP, then you would not see rundll32.exe as a child process of lsass at all... but we do not have a "total block everything no matter what, and do not even prompt the user, just block the darn thing" mode .

And cmd.exe? What are you talking about?

In my most recent video, you do realize that there were two tests... first AG then VS, right?

 

[danb]

There really is not point in talking to you about this if you are not willing to test for yourself.

Hopefully CS or MRG can explain to Umbra what is up.

 

[Deleted member 178]

Sure, rundll32.exe was temporarily suspended at 88kb while VS / the user decided to run the payload or not... but this is the way VS works.

so what create it ? the exploit right? so lsass.exe was injected already ? right? lsass.exe doen'st create rundll32.exe (coincidentally at the very same moment when DP was executed) all by itself for no reason? right?

 

[darko999]

Enough! is enough! I love saying that in english even when I barely speak it. I think you guys should drop the ball shake hands and game over. This is not a battle, and it should not be a battle. I think this thread has explained a lot and we all can do our own math and make our own conclusions. I'm none to ask for this but let's keep the good spirit here at MT!.

 

[Deleted member 178]

There really is not point in talking to you about this if you are not willing to test for yourself.
Hopefully CS or MRG can explain to Umbra what is up.

i don't need to test , i saw plenty of videos and read countless articles explaining that DP target is lsass.exe and just need to inject it before doing the other tasks.
you just won' admit it because i make you hurt that VS does nothing to prevent lsass.exe to be exploited. or maybe you just don't want lose face now while realizing you interpreted the attack wrongly from the start...

 

[Deleted member 178]

Enough! is enough! I love saying that in english even when I barely talk it. I think you guys should drop the ball shake hands and game over. This is not a battle, and it should not be a battle. I think this thread has explained a lot and we all can do our own math and make our own conclusions. I'm none to ask for this but let's keep the good spirit here at MT!.

exact. i said all i have to say , if he can't grasp the idea, i can't do much more.
People here know now how he is...and you all know already how i am.

 

[danb]

You are confusing exploits with malicious payloads.

The fact that arbitrary malicious code was allowed to execute (as system), should be indication enough that there is an issue with the mechanism that is supposed to block arbitrary malicious code from running.

 

[Deleted member 178]

You are confusing exploits with malicious payloads.
The fact that arbitrary malicious code was allowed to execute (as system), should be indication enough that there is an issue with the mechanism that is supposed to block arbitrary malicious code from running.

DP runs in the kernel using a non-standard way of running code, so product can't block it ; it is not like DP is run from a file. do you understand?
if DP was ran from an executable, we won't even have this discussion.

Anyway since VS or AG cant avoid lsass.exe to be compromised, all you can do is band aid...so useless to discuss about what it will do next. i rather reformat the system.

if the user has an anti-exploit , it should be protected.