App Review EternalBlue and DoublePulsar application whitelisting test

It is advised to take all reviews with a grain of salt. In extreme cases some reviews use dramatization for entertainment purposes.
Status
Not open for further replies.

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
DP runs in the kernel using a non-standard way of running code, so product can't block it ; it is not like DP is run from a file. do you understand?
if DP was ran from an executable, we won't even have this discussion.

Anyway since VS or AG cant avoid lsass.exe to be compromised, all you can do is band aid...so useless to discuss about what it will do next. i rather reformat he system.
But VS blocked DP.
 
  • Like
Reactions: askmark and AtlBo
D

Deleted member 178

But VS blocked DP.
VS blocked DP to do its nasty job , not DP to exploit the kernel itself (which he can't because it isn't an anti-exploit), do you agree?
(it is why i meant since the beginning )
 
  • Like
Reactions: AtlBo

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
This is not a which hunt. ALL security vendors should address this issue. MRG will publish their findings on most of the mainstream AV's, which I am assuming (after testing several) will be dismal. Since I was concerned whether VS blocked this threat or not, I performed the test. Since I went through all of the trouble to perform the test for VS, and since there was so much speculation whether similar products would block this kind of threat or not, I ran a quick test on the other products as well. It really is that simple.
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
VS blocked DP to do its nasty job , not DP to exploit the kernel itself (which he can't because it isn't an anti-exploit), do you agree?
(it is why i meant since the beginning )
Not at all... the exploit EB failed to execute the malicious payload DP.
 
  • Like
Reactions: askmark and AtlBo
D

Deleted member 178

ALL security vendors should address this issue.
not all vendors, only the security products having the purpose of blocking this kind of attacks or suites.
AG Consumer won't (unless they change mind) , however AG business does it already.

Not at all... the exploit EB failed to execute the malicious payload DP.
EB is just the smb abuse. which will provide DP in the targeted system, right?
 
  • Like
Reactions: AtlBo

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
not all vendors, only the security products having the purpose of blocking this kind of attacks or suites.
AG Consumer won't (unless they change mind) , however AG business does it already.


EB is just the smb abuse. which will provide DP in the targeted system, right?
Any product that is designed to stop new processes from being created (not to mention running as system), should block this attack.

Actually, about the only security product that should not be concerned about this kind of attack are spam filters. ;)
 

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Keep in mind, it does not matter how they block the attack... just as long as the attack is somehow blocked.

As I have mentioned a couple of times, in the MRG report, Kaspersky blocked the attack after it was successful...

"Update 2017-05-19: Kaspersky Internet Security can detect the DOUBLEPULSAR in-memory backdoor via memory scan (part of quick scan)."

This is not optimal (as CS would say), but at least it did not allow DP to keep running. This is all according to MRG, please do not sue me Mr. Kaspersky ;).
 
D

Deleted member 178

Any product that is designed to stop new processes from being created (not to mention running as system), should block this attack.
depending their policy...in the case of AG , AppGuard does not apply a policy to the kernel.
AG Consumer block user-space items to get into system-space items (this is what malware does) . that is it. that is SRP.
so it doesn't care of DP, but what DP will do after in the system like executing downloaded malicious exes, some vulnerable processes exploits (powershell, etc...), etc...

Once you understand the role of AG , you can setup a proper layered setup , adding an AV or like i do an anti-exploit like HMPA.

@Peter2150 im quite sure he will use a application that forbid writing of files in the system , he mentioned about MZwritescanner.
 
Last edited by a moderator:

danb

From VoodooShield
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,742
Okay, let's just wait until CS, Fabian, or someone else explains this to you. I cannot do this anymore.

When we meet in Vegas, I hope you realize that I have fondness for Krug Private Cuvée ;).

It is time to relinquish my White Cipher name. My new name is Job. And I and not even religious ;).
 
D

Deleted member 178

Nothing to explain me, nobody will talk about it anymore, obsolete attack...
Personally i don't care of it, because i won't be affected. You can't get into my system in the first place and if you manage to get in (which i will be curious how) , you won't stay long...
I debated only for the sake of the demonstration, in practice, i really don't care, my system is impervious to it.

And after all this the goal of everyone here.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Guys, please, the video can be interpreted in many ways, because we know for sure from it, only that rundll32.exe was blocked after a successful EternalBlue exploit. So, there are three or more scenarios:
  1. EternalBlue tried to inject DoublePulsar and failed because the rundll32.exe was used on this stage (Dan).
  2. EternalBlue successfully injected DoublePulsar, but DoublePulsar failed to run the payload, because the rundll32.exe was used on this stage.
  3. EternalBlue & DoublePulsar successfully executed the payload, but the payload (or its child process) failed, because the rundll32.exe was used to load additional DLL. (Umbra).
The first two scenarios, would be very strange, because Eternal Blue is Ring 0 -> Ring 0 exploit (operating fully on the Kernel level), and DoublePulsar is a kind of Reflective DLL Loader (does not use rundll32.exe).

So, additional information is required to choose the right scenario. The first point verification, can be done easily by reproducing Dan's video, and performing the test for DoublePulsar on the target machine.

Until the test will be made, the discussion is pointless, and annoying.:(

It would be also fine if Dan could avoid using the word AG (AppGuard) and Umbra the word VS (VoodooShield).:)
 
D

Deleted member 178

The first two scenarios, would be very strange, because Eternal Blue is Ring 0 -> Ring 0 exploit (operating fully on the Kernel level), and DoublePulsar is a kind of Reflective DLL Loader (does not use rundll32.exe).
That is my understanding of the full attack . Maybe @danb can send his exploit to @Andy Ful , so he can test it and tell us what it really does .
 

mekelek

Level 28
Verified
Well-known
Feb 24, 2017
1,661
From an outsiders prospective, this whole drama seems like a few Appguard pluggers didn't like someone showing Appguard in a bad light and started going personal on VS/Dan.
sorry @Umbra ..

can't understand why people are arguing which is the best between Appguard and VS, when even Appguard dev @Lockdown said that Appguard is an Enterprise solution, and VS is clearly a Home one.

at the end of the day, as an enduser: Did VS automatically block(without adding every single ##### in a blocklist) any possible damage done through/by EternalBlue? Yes.

who cares how it is done exactly.

Did Appguard do the same? No.

So?
 
Last edited:
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top