App Review EternalBlue and DoublePulsar application whitelisting test


danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,719
DP runs in the kernel using a non-standard way of running code, so the product can't block it; it is not like DP is run from a file. Do you understand?
If DP were run from an executable, we wouldn't even be having this discussion.

Anyway, since VS or AG can't prevent lsass.exe from being compromised, all you can do is apply a band-aid... so it is useless to discuss what it will do next. I'd rather reformat the system.
But VS blocked DP.

Deleted member 178

But VS blocked DP.
VS blocked DP from doing its nasty job, not DP from exploiting the kernel itself (which it can't, because it isn't an anti-exploit), do you agree?
(That is what I have meant since the beginning.)

danb

This is not a witch hunt. ALL security vendors should address this issue. MRG will publish their findings on most of the mainstream AVs, which I am assuming (after testing several) will be dismal. Since I was concerned whether VS blocked this threat or not, I performed the test. Since I went through all of the trouble to perform the test for VS, and since there was so much speculation about whether similar products would block this kind of threat or not, I ran a quick test on the other products as well. It really is that simple.
 

danb

VS blocked DP from doing its nasty job, not DP from exploiting the kernel itself (which it can't, because it isn't an anti-exploit), do you agree?
(That is what I have meant since the beginning.)
Not at all... the exploit EB failed to execute the malicious payload DP.

Deleted member 178

ALL security vendors should address this issue.
Not all vendors, only the security products whose purpose is blocking this kind of attack, or suites.
AG Consumer won't (unless they change their mind); however, AG Business does it already.

Not at all... the exploit EB failed to execute the malicious payload DP.
EB is just the SMB abuse, which will deliver DP to the targeted system, right?

danb

Not all vendors, only the security products whose purpose is blocking this kind of attack, or suites.
AG Consumer won't (unless they change their mind); however, AG Business does it already.


EB is just the SMB abuse, which will deliver DP to the targeted system, right?
Any product that is designed to stop new processes from being created (not to mention ones running as SYSTEM) should block this attack.

Actually, about the only security product that should not be concerned about this kind of attack are spam filters. ;)
 

danb

Keep in mind, it does not matter how they block the attack... just as long as the attack is somehow blocked.

As I have mentioned a couple of times, in the MRG report, Kaspersky blocked the attack after it was successful...

"Update 2017-05-19: Kaspersky Internet Security can detect the DOUBLEPULSAR in-memory backdoor via memory scan (part of quick scan)."

This is not optimal (as CS would say), but at least it did not allow DP to keep running. This is all according to MRG; please do not sue me, Mr. Kaspersky ;).
 

Deleted member 178

Any product that is designed to stop new processes from being created (not to mention ones running as SYSTEM) should block this attack.
Depending on their policy... in the case of AG, AppGuard does not apply a policy to the kernel.
AG Consumer blocks user-space items from getting into system-space items (this is what malware does). That is it. That is SRP.
So it doesn't care about DP, but about what DP will do afterwards in the system, like executing downloaded malicious EXEs, exploiting some vulnerable processes (PowerShell, etc.), and so on.

Once you understand the role of AG, you can set up a proper layered setup, adding an AV or, like I do, an anti-exploit like HMPA.

@Peter2150 I'm quite sure he will use an application that forbids writing files to the system; he mentioned MZwritescanner.

danb

Okay, let's just wait until CS, Fabian, or someone else explains this to you. I cannot do this anymore.

When we meet in Vegas, I hope you realize that I have fondness for Krug Private Cuvée ;).

It is time to relinquish my White Cipher name. My new name is Job. And I am not even religious ;).
 

Deleted member 178

Nothing to explain to me; nobody will talk about it anymore, obsolete attack...
Personally, I don't care about it, because I won't be affected. You can't get into my system in the first place, and if you manage to get in (which I will be curious how), you won't stay long...
I debated only for the sake of the demonstration; in practice, I really don't care, my system is impervious to it.

And after all, this is the goal of everyone here.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,500
Guys, please, the video can be interpreted in many ways, because we know for sure from it only that rundll32.exe was blocked after a successful EternalBlue exploit. So, there are three or more scenarios:
  1. EternalBlue tried to inject DoublePulsar and failed because rundll32.exe was used at this stage (Dan).
  2. EternalBlue successfully injected DoublePulsar, but DoublePulsar failed to run the payload, because rundll32.exe was used at this stage.
  3. EternalBlue & DoublePulsar successfully executed the payload, but the payload (or its child process) failed, because rundll32.exe was used to load an additional DLL (Umbra).
The first two scenarios would be very strange, because EternalBlue is a Ring 0 -> Ring 0 exploit (operating fully at the kernel level), and DoublePulsar is a kind of reflective DLL loader (it does not use rundll32.exe).

So, additional information is required to choose the right scenario. The first point can be verified easily by reproducing Dan's video and performing the test for DoublePulsar on the target machine.

Until the test is made, the discussion is pointless, and annoying. :(

It would also be fine if Dan could avoid using the word AG (AppGuard) and Umbra the word VS (VoodooShield). :)
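The one fact the post above accepts from the video is that rundll32.exe showed up after the exploit, and that lsass.exe is the process that gets compromised. Telling the scenarios apart on a real host comes down to process-creation telemetry, so here is an added triage example (written for this page, not code from the thread, MRG, or any of the products discussed). It assumes Sysmon-style process-creation events flattened to `key=value` pairs separated by `|`, with the field names `Image`, `ParentImage`, `User` and `CommandLine`; the sample events are constructed. It flags two defender-side observables: any child of lsass.exe (which never legitimately spawns anything), and rundll32.exe running as SYSTEM with no DLL to run, the shape an injected loader host takes.

```python
"""Triage process-creation events for the rundll32.exe / lsass.exe observable.

Added example for this thread. Assumed input format: Sysmon-style events as
'key=value|key=value' lines with fields Image, ParentImage, User, CommandLine.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (not real telemetry); backslashes escaped for Python.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\rundll32.exe|ParentImage=C:\\Windows\\System32\\lsass.exe|User=NT AUTHORITY\\SYSTEM|CommandLine=rundll32.exe",
    "Image=C:\\Windows\\System32\\rundll32.exe|ParentImage=C:\\Windows\\explorer.exe|User=DESKTOP\\alice|CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    "Image=C:\\Windows\\System32\\svchost.exe|ParentImage=C:\\Windows\\System32\\services.exe|User=NT AUTHORITY\\SYSTEM|CommandLine=svchost.exe -k netsvcs",
    "Image=C:\\Windows\\System32\\rundll32.exe|ParentImage=C:\\Windows\\System32\\svchost.exe|User=NT AUTHORITY\\SYSTEM|CommandLine=rundll32.exe",
]

# Processes that should never have children on a healthy host. lsass.exe is the
# one this thread names as the compromised process.
NEVER_A_PARENT = {"lsass.exe"}


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    image: str
    parent: str


def parse_event(line: str) -> dict:
    """Split 'key=value|key=value' into a dict; values may contain '=' themselves."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased: 'C:\\Windows\\System32\\lsass.exe' -> 'lsass.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> Optional[Finding]:
    """Return a Finding for a suspicious event, or None for a benign one."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    user = event.get("User", "").upper()
    args = event.get("CommandLine", "").split()[1:]  # everything after the program name

    # Scenario 2/3 observable: a child of lsass.exe is never legitimate.
    if parent in NEVER_A_PARENT:
        return Finding("high", f"{parent} spawned {image}", image, parent)
    # rundll32.exe started as SYSTEM with no DLL argument is a classic injection host.
    if image == "rundll32.exe" and user.endswith("\\SYSTEM") and not args:
        return Finding("medium", "rundll32.exe as SYSTEM with no DLL argument", image, parent)
    return None


def triage(lines) -> list:
    """Return one Finding per suspicious event, preserving input order."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.reason} (parent={f.parent})")
```

On the constructed input the first event is rated high (lsass.exe spawned rundll32.exe) and the fourth medium (rundll32.exe as SYSTEM with nothing to load); the explorer.exe-launched Control Panel applet and the ordinary svchost.exe pass. The lsass.exe check is the one worth keeping in any baseline: whichever of the three scenarios actually played out in the video, an lsass.exe child is the event an app-whitelisting product either blocks or misses.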
 

Deleted member 178

The first two scenarios would be very strange, because EternalBlue is a Ring 0 -> Ring 0 exploit (operating fully at the kernel level), and DoublePulsar is a kind of reflective DLL loader (it does not use rundll32.exe).
That is my understanding of the full attack. Maybe @danb can send his exploit to @Andy Ful, so he can test it and tell us what it really does.
 

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
From an outsider's perspective, this whole drama seems like a few AppGuard pluggers didn't like someone showing AppGuard in a bad light and started getting personal about VS/Dan.
Sorry @Umbra...

Can't understand why people are arguing about which is the best between AppGuard and VS, when even AppGuard dev @Lockdown said that AppGuard is an Enterprise solution, and VS is clearly a Home one.

At the end of the day, as an end user: Did VS automatically block (without adding every single ##### to a blocklist) any possible damage done through/by EternalBlue? Yes.

Who cares how it is done exactly.

Did AppGuard do the same? No.

So?
 