[Video] EternalBlue and DoublePulsar application whitelisting test

Status: Not open for further replies.

Deleted member 178

From an outsider's perspective, this whole drama seems like a few AppGuard pluggers didn't like someone showing AppGuard in a bad light and started going personal on VS/Dan.
Sorry @Umbra...

I can't understand why people are arguing about which is best between AppGuard and VS, when even AppGuard dev @Lockdown said that AppGuard is an enterprise solution and VS is clearly a home one.

At the end of the day, as an end user: did VS automatically block (without adding every single ##### to a blocklist) any possible damage done through/by EternalBlue? Yes.

Who cares how exactly it did it.

Did AppGuard do the same? No.

So?
Because you have to take the whole attack into consideration from start to end, not a part of it... from the breach to the use of a malicious executable to encrypt the system (like WannaCry does).
If you do a 4-sprinter 400m relay race, you can't tell the winner by stopping at the 3rd sprinter... when one team's best sprinter is the last one... come on... be logical.

If you just talk about only a part, then don't mention AG Consumer, because it doesn't kick in until the last step.
If he doesn't know how AG works, I have to tell him; the problem is he doesn't accept my explanation. For him AG Consumer must do like VS, and if not, it is bad...

Things must be fair. I'm not here to win over Dan; I didn't make a video to prove whether AG stops an attack or not... because whatever the result, I will still use AG anyway. :D

Andy Ful

...
At the end of the day, as an end user: did VS automatically block (without adding every single ##### to a blocklist) any possible damage done through/by EternalBlue? Yes.
...
So?

The problem is that this is not proven at all, and many believe that it is. Dan's video proved only that the specific payload (meterpreter) can be blocked by VoodooShield's Always ON settings. That is welcome, because meterpreter attacks are popular and dangerous. That is why I like Dan's work. Yet there is no proof that it can stop any other malware which does not use additional DLLs to run.

Guys, please do not make this thread the battle AppGuard against VoodooShield (and vice versa).
It is like forcing the Apples to fight with the VegetableS. :)

mekelek

Because you have to take the whole attack into consideration from start to end, not a part of it... from the breach to the use of a malicious executable to encrypt the system (like WannaCry does).
If you do a 4-sprinter 400m relay race, you can't tell the winner by stopping at the 3rd sprinter... when one team's best sprinter is the last one... come on... be logical.

If you just talk about only a part, then don't mention AG Consumer, because it doesn't kick in until the last step.
If he doesn't know how AG works, I have to tell him; the problem is he doesn't accept my explanation. For him AG Consumer must do like VS, and if not, it is bad...

Things must be fair. I'm not here to win over Dan, because whatever the result, I will still use AG anyway.

Your analogy doesn't make sense to me, so I'll use another one.

Let's say we have a tree. It's currently growing and has no leaves.
VS cuts down the trunk of the tree before it can even start growing leaves, while AppGuard cuts down the leaves when they appear, over and over again.

The first option seems better to me. What if the tree manages to grow leaves without AppGuard being able to cut them down?

Correct me if I'm wrong, I didn't read all 3 pages of these 10-line novels.

Andy Ful

Your analogy doesn't make sense to me, so I'll use another one.

Let's say we have a tree. It's currently growing and has no leaves.
VS cuts down the trunk of the tree before it can even start growing leaves, while AppGuard cuts down the leaves when they appear, over and over again.

The first option seems better to me. What if the tree manages to grow leaves without AppGuard being able to cut them down?

Correct me if I'm wrong, I didn't read all 3 pages of these 10-line novels.


It seems to me that one program can cut down the trunk of oaks (only) and the leaves from many other trees. The other program can probably do it with a palm's trunk and the leaves from many other trees. :)
Believe me, this is the fight of the Apples with the VegetableS. And worse, the fight is based on wrong assumptions, drawn from only one inconclusive test. :(

Edit: I omitted the names of the programs intentionally.

cruelsister

Oh My! You guys are still talking about this one! As I have to weigh in somewhat on this topic, I'd rather give a historical perspective of the attack instead of making statements that some may take Umbrage with (I'm sensitive and you guys are MEAN!!!).

Specifically let's consider what is meant by targeted malware:

Let's say that I learned through an informer that my favorite Indian Restaurant (Shiva's Revenge) has a new recipe for Chicken 65 that tastes better than mine. As I know Shiva has a number of locations in the city, I would proceed as follows to liberate their recipe (data):

1). Utilize a little beauty that will concentrate on the IPs in the areas where the restaurants are located (think Google Maps for IPs instead of houses),
2). Pulse queries to these IPs, looking for exploitable systems.
3). When found, use the software in #1 to find out exactly where these systems are located.
4). If there is a match to a restaurant system, a demented mind can find a way to utilize the exploit found and lay in a payload to harvest the data wanted.

That's a bunch of work for a (add curse word here)ing recipe, but the Heart wants what the Heart wants... Much easier would have been to Blackmail an employee or just make them an offer that they could not refuse to compromise the system, but on occasion one must make do with being stealthy.

Now, there are as many ways to stop stuff like this as there are ways to skin a cat (although if anyone tries to skin my Ophelia, I'll Kill You). Having system patches in place or utilizing solid security software like VoodooShield or AppGuard will block such threats at various levels (I know there is another really good product that's like a firewall, but the name escapes me at present), so with these you are pretty much Golden. Those still using traditional security products have much more Clear and Present Dangers to worry about than crap like this.

But although the basic mechanisms utilized in the DP/EB attacks have branched out from High And Noble purposes (like stealing Chicken 65 recipes) to crap like Bitcoin miners, those with advanced protection in place have little to be concerned about.

Andy Ful

The discussions about EternalBlue and DoublePulsar remind me of the discussions about anti-terrorism security.
In one country there are more traffic deaths in one day than terrorist victims in one year. But people still prefer to discuss only terrorism. Why? I do not know. It may be that terrorism is more interesting?

Handsome Recluse

As you intimate, topics such as this should be confined to places other than Home User forums (no offense to anyone out there!). The fact that such attacks are not only targeted but must have a number of things in place before being successful is something that is never discussed.
So I'm sure that while some vendors (and I DON'T mean VS) will try to tout that they protect against such a specific attack, they will also ignore that they will be breached by a simple worm coded by some pre-pubescent blackhat wannabe.

Maybe we'll get to have a non-Home section.

Handsome Recluse

The discussions about EternalBlue and DoublePulsar remind me of the discussions about anti-terrorism security.
In one country there are more traffic deaths in one day than terrorist victims in one year. But people still prefer to discuss only terrorism. Why? I do not know. It may be that terrorism is more interesting?

Yeah, probably. The high burst of deaths is more relevant to a person. But what can we do about traffic incidents? The problems might not be too homogeneous, making it seem that terrorism can be cured more easily.

XhenEd

I think the battle here is about different perspectives. One is "security products must prioritize blocking first-stage attacks, because letting those run may be too late to prevent major damage." The other one is "it's always best to block a first-stage attack, but if the attack runs, no matter how successful the attack is in its stages, a block anywhere in its chain is sufficient, as long as no major damage is done yet." :)

So the discussion can be summarized in a short question: which is more important, blocking the first-stage attack, or blocking at any stage of the attack? :D
(member name not captured)
@cruelsister, your comment on this not being appropriate for home user forums is spot on. There is enough fear mongering going on in cyberspace, especially concerning home users who will most likely never experience a targeted attack, let alone a good portion of the malware present on the web. Most will generally see adware, shareware, PUPs/PUAs, or, of the worst variety, social engineering.

What's worse is that many are now convinced that if they layer several security products, instead of learning how to use what they have along with better/safer habits, they will be magically protected, as if any security will save a user from themselves.

Winter Soldier

So the discussion can be summarized in a short question: which is more important, blocking the first-stage attack, or blocking at any stage of the attack? :D

Well put! :) In this case, in my humble opinion, it would be important to focus on every phase of the attack. Trivial example: is it more important to block a .js downloader, or is it better to focus on the core payload, the really evil one?
Obviously, the ideal condition would be to detect both of them, because the .js may also download more than one payload at different times.
But in the end, it is the payload that actually infects the machine.

danb

Guys, please, the video can be interpreted in many ways, because from it we know for sure only that rundll32.exe was blocked after a successful EternalBlue exploit. So there are three or more scenarios:
  1. EternalBlue tried to inject DoublePulsar and failed, because rundll32.exe was used at this stage (Dan).
  2. EternalBlue successfully injected DoublePulsar, but DoublePulsar failed to run the payload, because rundll32.exe was used at this stage.
  3. EternalBlue & DoublePulsar successfully executed the payload, but the payload (or its child process) failed, because rundll32.exe was used to load an additional DLL (Umbra).
The first two scenarios would be very strange, because EternalBlue is a Ring 0 -> Ring 0 exploit (operating fully at the kernel level), and DoublePulsar is a kind of reflective DLL loader (it does not use rundll32.exe).

So additional information is required to choose the right scenario. The first point can easily be verified by reproducing Dan's video and performing the test for DoublePulsar on the target machine.

Until the test is made, the discussion is pointless, and annoying. :(

It would also be fine if Dan could avoid using the word AG (AppGuard), and Umbra the word VS (VoodooShield). :)

Correct, DP was blocked in one test and not the other. If people do not feel it is necessary to block a kernel-level backdoor payload, that is their decision. End of story.

I am done discussing this. I would try to help the naysayers understand it more, but each time they understand one point, they come up with another silly argument that does not hold water, and I end up having to spend a lot of time explaining even more.

You guys are simply going to have to test for yourselves and decide if it is okay for malicious payloads like DP to have the ability to arbitrarily run on systems or not.


Deleted member 178

The problem here is that DoublePulsar uses an unconventional method to exploit a system; if it were only launched via a compromised file, this discussion wouldn't even be here, because any product would block the file from executing its payload.
The problem is that once in the network, the attacker just needs to map the network, get the IPs, select a system with the required conditions (Win7 unpatched with SMB 1.0/2.0 enabled) and launch the attack remotely.

What all the debate was about is:

"How can the software mentioned block attacks ONCE the attacker has a foot inside the network?" The kernel exploit itself is unstoppable by the software mentioned; however, what it can do is stop the other steps of the attack.

The goal isn't to know which one is the fastest to block the chain (which is irrelevant), but whether both can break the chain.

To illustrate, the full chain is:

1- Infect a machine in a given network via a malicious file, an infected mail or another available method.
2- Use EternalBlue to exploit SMB 1.0 and compromise other machines in the same network.
3- Exploit those other machines' kernel by injecting DoublePulsar into lsass.exe and create a permanent backdoor.
4- Create a shell (cmd.exe) via rundll32.exe, running at the highest privileges (aka SYSTEM), which connects to the attacker's Metasploit platform (Kali in our case).
5- Once the attacker gets the shell, he can upload and run whatever malware/malicious tools; in WannaCry it was ransomware, but it could be a keylogger like Mimikatz.

Dan's videos start at step 2 and stop at step 4.

From my point of view, and from what I know of EB-DP, security products will intervene at different stages.

- Anti-exe with command-line monitoring like VS or NVT ERP will kick in at steps 1, 4 and 5.
- SRP like AG Consumer or AppLocker, at steps 1 and 5.

Blocking step 3 is not possible, because none of the mentioned products manipulate the kernel to protect it, nor are they full-fledged anti-exploit.

If someone believes I'm wrong about the chain or about where the products intervene, please give us your point of view.

One important thing: don't ask a tool to do something it was not designed for and then say it is weak.
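Steps 3 to 5 of the chain above, and the rundll32.exe block that Andy Ful's three scenarios try to place, leave a process-tree shape that any endpoint log with parent/child process records can surface: lsass.exe starting a child process at all, and a SYSTEM-level rundll32.exe starting a shell. The hunting rule below is an added example written for this page; it is not code from the thread, from VoodooShield or from AppGuard. The input records are constructed, and the field names (ProcessId, ParentProcessId, Image, User) are an assumption modelled on Sysmon event ID 1; map them to whatever your log source provides (Security event 4688 needs command-line and creator-process auditing turned on to carry the same data).

```powershell
# Added example (not from the thread, not VoodooShield's or AppGuard's code):
# flag the process-tree shape of steps 3-5 above. Input records are constructed,
# Sysmon event ID 1 style; the field names are an assumption about the log source.

$ShellImages = @('cmd.exe', 'powershell.exe')

function Find-DoublePulsarChain {
    param(
        # Records with ProcessId, ParentProcessId, Image, User (one per process start)
        [Parameter(Mandatory)] [object[]] $Events
    )
    # Index by PID so a child can look up its parent's image and user.
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }

    $findings = foreach ($e in $Events) {
        $name       = Split-Path -Path $e.Image -Leaf
        $parent     = $byPid[[int]$e.ParentProcessId]
        $parentName = if ($parent) { Split-Path -Path $parent.Image -Leaf } else { '<unknown>' }

        # Rule 1: lsass.exe should never start a child process. A child of lsass.exe
        # (the step 3 implant in lsass.exe launching rundll32.exe for step 4) is a
        # high-confidence finding regardless of what the child image is.
        if ($parentName -ieq 'lsass.exe') {
            [pscustomobject]@{
                Rule  = 'lsass.exe spawned a child process'
                Pid   = $e.ProcessId
                Chain = "$parentName -> $name"
                User  = $e.User
            }
        }

        # Rule 2: a SYSTEM-level rundll32.exe starting a shell (step 4). rundll32.exe
        # run by an interactive user that launches cmd.exe is common and not flagged.
        if ($ShellImages -contains $name -and
            $parentName -ieq 'rundll32.exe' -and
            $parent.User -ieq 'NT AUTHORITY\SYSTEM') {
            [pscustomobject]@{
                Rule  = 'SYSTEM rundll32.exe spawned a shell'
                Pid   = $e.ProcessId
                Chain = "$parentName -> $name"
                User  = $e.User
            }
        }
    }
    return $findings
}

# Constructed sample: a normal boot chain, the attack chain from the post
# (lsass.exe -> rundll32.exe -> cmd.exe as SYSTEM), and a benign user-launched
# rundll32.exe -> cmd.exe that must not be flagged.
$sample = @(
    [pscustomobject]@{ ProcessId = 4;    ParentProcessId = 0;    Image = 'System';                           User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ ProcessId = 448;  ParentProcessId = 4;    Image = 'C:\Windows\System32\wininit.exe';  User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ ProcessId = 520;  ParentProcessId = 448;  Image = 'C:\Windows\System32\lsass.exe';    User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ ProcessId = 3012; ParentProcessId = 520;  Image = 'C:\Windows\System32\rundll32.exe'; User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ ProcessId = 3044; ParentProcessId = 3012; Image = 'C:\Windows\System32\cmd.exe';      User = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ ProcessId = 4100; ParentProcessId = 2200; Image = 'C:\Windows\System32\rundll32.exe'; User = 'LAB\alice' }
    [pscustomobject]@{ ProcessId = 4120; ParentProcessId = 4100; Image = 'C:\Windows\System32\cmd.exe';      User = 'LAB\alice' }
)

Find-DoublePulsarChain -Events $sample | Format-Table -AutoSize
```

On the constructed sample this returns exactly two rows: PID 3012 (lsass.exe -> rundll32.exe) and PID 3044 (rundll32.exe -> cmd.exe); the user-launched pair 4100/4120 is ignored. Rule 1 is the one worth keeping even if you tune everything else away: it fires at the boundary between step 3, which the post says these products cannot block, and step 4, which they can, so it also tells you which of Andy Ful's scenarios actually happened on a given host.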

Visa

injecting DoublePulsar into lsass.exe

You can actually make lsass.exe (Local Security Authority Subsystem Service) a protected process by changing a value in the registry: The things that are better left unspoken | Security Thoughts: LSASS Protection in Windows 8.1 and Windows Server 2012 R2

I am curious as to whether having lsass.exe run as a protected process through this modification would protect the system against the attack. I would assume it would mitigate the attack, but sadly I am unable to test it out, so if anyone is capable of testing it or already knows the answer I would be very grateful!

danb

cruelsister said: (post quoted in full above)

Oh man... this is much worse than I thought. I was concerned about patents and other intellectual property (and other sensitive information)... but when you mention chicken recipes, now we are talking about a serious issue ;). Just playing, CS!

That is a great example, and I think we are going to find out more and more about how the attack spread as fast as it did, and which vectors it actually used. The reality is that as the OS becomes more secure, attackers will be discovering and utilizing new methods. Thank you, CS!


danb

You can actually make lsass.exe (Local Security Authority Subsystem Service) a protected process by changing a value in the registry: The things that are better left unspoken | Security Thoughts: LSASS Protection in Windows 8.1 and Windows Server 2012 R2

I am curious as to whether having lsass.exe run as a protected process through this modification would protect the system against the attack. I would assume it would mitigate the attack, but sadly I am unable to test it out, so if anyone is capable of testing it or already knows the answer I would be very grateful!

If you can find a similar method for Windows 7, I would be happy to run a quick test. I could be wrong about this, but I do not believe this attack is effective on Windows 8.1 / Windows Server 2012. See, we would first have to test to make sure that this attack is effective on the target system without making lsass a protected process... THEN we can make lsass a protected process (on a new VM, of course) and test to see if the patch worked.

If you find a method for 7, I would be happy to run a quick test.


Andy Ful

You can actually make lsass.exe (Local Security Authority Subsystem Service) a protected process by changing a value in the registry: The things that are better left unspoken | Security Thoughts: LSASS Protection in Windows 8.1 and Windows Server 2012 R2

I am curious as to whether having lsass.exe run as a protected process through this modification would protect the system against the attack. I would assume it would mitigate the attack, but sadly I am unable to test it out, so if anyone is capable of testing it or already knows the answer I would be very grateful!

The original EternalBlue & DoublePulsar cannot run with new versions of PatchGuard.
NSA's DoublePulsar Kernel Exploit In Use Internet-Wide
I did not see any successful attack with the target machine on Windows 8.1 (LSASS protection was introduced in Windows 8.1).
But who knows? New versions of the EternalBlue & DoublePulsar exploits are crawling in blackhats' minds, for sure.

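For anyone who wants to try the LSASS protection that Visa asked about, the script below is an added example for this page, not code from the thread or from the linked article. It enables LSA protection the documented way (the RunAsPPL value under the Lsa key), puts it in audit mode first so that unsigned LSA plug-ins show up in the CodeIntegrity log before enforcement breaks them, and checks after the reboot that lsass.exe really started as a protected process. As danb notes, there is no equivalent for Windows 7; the value only has effect on Windows 8.1 / Server 2012 R2 and later. The caveat that matters for this thread: protected-process light is enforced by the kernel against user-mode callers, so it stops things like credential-dumping tools opening lsass.exe, but it does not constrain code that already runs in ring 0 the way the post describes DoublePulsar doing, so do not expect it to stop the kernel stage of this chain.

```powershell
# Added example, not from the thread: enable LSA protection (lsass.exe as a
# protected process, the "RunAsPPL" value) and verify it after the reboot.
# Windows 8.1 / Server 2012 R2 and later only; does nothing on Windows 7.
# Run from an elevated PowerShell session.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaProtection {
    # Current RunAsPPL value: 0 (or absent) = lsass.exe unprotected, 1 = protected.
    $item = Get-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.RunAsPPL
}

function Enable-LsaAuditMode {
    # Step 1 (do this first): audit-only mode. LSA plug-ins (SSPs, password filters)
    # that would be refused under enforcement are reported as events 3065/3066 in
    # Microsoft-Windows-CodeIntegrity/Operational instead of silently failing to load.
    Set-ItemProperty -Path $LsaKey -Name 'AuditLevel' -Value 8 -Type DWord
}

function Enable-LsaProtection {
    # Step 2: enforce. Caveat: on UEFI firmware with Secure Boot, Windows also records
    # this setting in a UEFI variable, so deleting the registry value later does not
    # turn protection off; Microsoft's LSA protection opt-out tool is needed for that.
    Set-ItemProperty -Path $LsaKey -Name 'RunAsPPL' -Value 1 -Type DWord
}

function Test-LsaProtectionActive {
    # After the reboot, WinInit logs System event ID 12:
    # "LSASS.exe was started as a protected process with level: 4".
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' -and $_.Message -like '*protected process*' }
    return [bool]$events
}

# Usage: audit first, review the CodeIntegrity log, then enforce and reboot.
"RunAsPPL before: $(Get-LsaProtection)"
Enable-LsaAuditMode
# Enable-LsaProtection          # uncomment once the audit log is clean, then reboot
"RunAsPPL after:  $(Get-LsaProtection)"
"lsass.exe running protected (post-reboot check): $(Test-LsaProtectionActive)"
```

Get-LsaProtection only reports the registry intent; Test-LsaProtectionActive is the check that the kernel actually honoured it, which is what you want to confirm before running any test like the one danb describes (baseline the attack on a clean VM first, then repeat on a VM with protection active).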