App Review EternalBlue and DoublePulsar application whitelisting test

[danb]

Okay, it looks like we agree on those 6 points.

I am truly surprised that you find it acceptable that any security software would allow a kernel level backdoor to be created, that also offers access to some rather dangerous tools. I am also surprised that you would not prefer to just block DP, so that the system remained uninfected... but to each their own I guess.

Keep in mind, DP was originally designed to be a backdoor spy utility that contains a lot of spy tools, but a lot of the built in tools can be used for malicious purposes.

The hacker tools I listed above can do a lot of damage and steal pretty much all of your sensitive data, just with the built in tools.

DP is already malware... but what happens when someone mods DP and transforms it into killer malware... and adds an encryptor and God knows what else? Are you going to be okay with the new variant of DP being installed? Or would you just prefer that the security software blocks DP, so that none of this happens?

 

[Deleted member 178]

I am truly surprised that you find it acceptable that any security software would allow a kernel level backdoor to be created, and to offer access to some rather dangerous tools.

that is not my concern, im not the dev. I use AG Consumer because it does a specific thing i need. and it does it very well.

I am also surprised that you would not prefer to just block DP, so that the system remained uninfected... but to each their own I guess.

i use another tool for that.

Keep in mind, DP was originally designed to be a backdoor spy utility that contains a lot of spy tools, but a lot of the built in tools can be used for malicious purposes.The hacker tools I listed above can do a lot of damage and steal pretty much all of your sensitive data, just with the built in tools.

indeed

DP is already malware... but what happens when someone mods DP and transforms it into killer malware... and adds an encryptor and God knows what else? Are you going to be okay with the new variant of DP being installed? Or would you just prefer that the security software blocks DP, so that none of this happens?

depend what security soft i use.

This is what you have difficulties to understand, a tool is designed to be used in defined way for a defined purpose. tools are not suites. AG isn't a suite, it is only SRP.

I use a helmet on a motorbike to protect my head in case i fall ; of course i can have my legs, arms or worse my spine broken ; if i worry about that , i will wear additional protection to specifically protect those parts.
I can't ask my helmet to protect my legs? understand?

 

[danb]

that is not my concern, im not the dev. I use AG Consumer because it does a specific thing i need. and it does it very well.


i use another tool for that.


indeed


depend what security soft i use.

This is what you have difficulties to understand, a tool is designed to be used in defined way for a defined purpose. tools are not suites. AG isn't a suite, it is only SRP.

I use a helmet on a motorbike to protect my head in case i fall ; of course i can have my legs, arms or worse my spine broken ; if i worry about that , i will wear additional protection to specifically protect those parts.
I can't ask my helmet to protect my legs? understand?

I totally understand... but no offense, I did not spend 20 hours of conversation to give you advice to protect your computer, hehehe .

There are other users that do not have their computer locked down with 30 different security softwares, like Fort Knox... and they need to be informed as well.

BTW, if you were running Windows 7, and a patch was not out for DP, is there any security software on your system that would block such an attack? Having said that... you do realize that there are probably many, many other similar attacks that are unknown and unpatched, right? .

 

[Deleted member 178]

@danb now i understand totally your mindset, and i finally understand why you added the sandbox, the VT rep and the Ai to VS, you want it to block the most attack vector possible...that is good if you want VS to do that.
but don't think other vendors want to do that as you do, they target a specific market and made their product to reflect the said target market.

There are other users that do not have their computer locked down with 30 different security softwares, like Fort Knox... and they need to be informed as well.

Obviously.

BTW, if you were running Windows 7, and a patch was not out for DP, is there any security software on your system that would block such an attack? Having said that... you do realize that there are probably many, many other similar attacks that are unknown and unpatched, right? .

ok let say my network is breached, despite my NAT router , the attacker managed to be inside, find my unpatched Win7 system and can use EB to access it .

What i have:
HMPA will surely block DP , if not AG and ReHips will block executables the hacker may upload via DP and run on my machine.
After some few hours i will rollback my system to a previous state via RX (i do it several time a day).
note that all my sensitive files are encrypted.

I have plenty of tools i can add but use them just for one case isn't worth the shot.

(just to notify you, i disagreed on one point , on your list , it is just because EB is used before DP)

 

[danb]

Very cool... yeah, we might not all be on the same team, but we are on the same side.

 

[Deleted member 178]

Very cool... yeah, we might not all be on the same team, but we are on the same side.

i decide to run tools instaed of suite because , tools are generally more focused on what they do , adding several tools is better to me than a generalist suite.
Also tools can be replaced, if one of them become useless, it can be replaced without disturbing my security setup too much. can't say the same for a suite.

The only suite i will ever use is Comodo , it offer almost the same as my tools.

 

[Andy Ful]

Guys, please, both of you have got some authority here on MalwareTips forum. Apparently, you cannot agree each other, and it seems that such an agreement is hardly possible on this topic. So maybe, everybody could agree with the below statements:

1. Generally, no one proved that malware, using remote kernel exploit (EternalBlue & DoublePulsar as example), will be fully stopped by SRP or anti-exe security solutions.
2. There is a test, that shows the fact of stopping that kind of malware by some anti-exe solutions (VoodooShield, NVT ERP) when the attacker is using Metasploit with meterpreter payload.
3. There is another test with FuzzBunch showing that SRP and anti-exe may fail to stop EternalBlue & DoublePulsar part of the malware.
4. It is still possible that SRP and anti-exe security solutions can stop many payloads, even when the system is infected by EternalBlue & DoublePulsar. But, in many cases SRP and anti-exe can fail, too.
5. Windows native SRP can hardly stop such malware, because the infection follows with the System Rights. Such security requires frequent system patching.
6. The best protection against remote kernel exploits is updating and upgrading the system. The new versions of Windows have significantly stronger protection against remote kernel exploits, and generally against all kinds of exploits.

 

[S3cur1ty 3nthu5145t]

The best protection against remote kernel exploits is updating and upgrading the system. The new versions of Windows have significantly stronger protection against remote kernel exploits, and generally against all kinds of exploits.

Spot on and why I'm not worried about it.

 

[Deleted member 178]

Guys, please, both of you have got some authority here on MalwareTips forum. Apparently, you cannot agree each other, and it seems that such an agreement is hardly possible on this topic. So maybe, everybody could agree with the below statements:

1. Generally, no one proved that malware, using remote kernel exploit (EternalBlue & DoublePulsar as example), will be fully stopped by SRP or anti-exe security solutions.
2. There is a test, that shows the fact of stopping that kind of malware by some anti-exe solutions (VoodooShield, NVT ERP) when the attacker is using Metasploit with meterpreter payload.
3. There is another test with FuzzBunch showing that SRP and anti-exe may fail to stop EternalBlue & DoublePulsar part of the malware.
4. It is still possible that SRP and anti-exe security solutions can stop many payloads, even when the system is infected by EternalBlue & DoublePulsar. But, in many cases SRP and anti-exe can fail, too.
5. Windows native SRP can hardly stop such malware, because the infection follows with the System Rights. Such security requires frequent system patching.
6. The best protection against remote kernel exploits is updating and upgrading the system. The new versions of Windows have significantly stronger protection against remote kernel exploits, and generally against all kinds of exploits.

1- agree
2- yes
3- indeed
4- sure
5-obviously
6- yep

 

[danb]

Guys, please, both of you have got some authority here on MalwareTips forum. Apparently, you cannot agree each other, and it seems that such an agreement is hardly possible on this topic. So maybe, everybody could agree with the below statements:

1. Generally, no one proved that malware, using remote kernel exploit (EternalBlue & DoublePulsar as example), will be fully stopped by SRP or anti-exe security solutions.
2. There is a test, that shows the fact of stopping that kind of malware by some anti-exe solutions (VoodooShield, NVT ERP) when the attacker is using Metasploit with meterpreter payload.
3. There is another test with FuzzBunch showing that SRP and anti-exe may fail to stop EternalBlue & DoublePulsar part of the malware.
4. It is still possible that SRP and anti-exe security solutions can stop many payloads, even when the system is infected by EternalBlue & DoublePulsar. But, in many cases SRP and anti-exe can fail, too.
5. Windows native SRP can hardly stop such malware, because the infection follows with the System Rights. Such security requires frequent system patching.
6. The best protection against remote kernel exploits is updating and upgrading the system. The new versions of Windows have significantly stronger protection against remote kernel exploits, and generally against all kinds of exploits.

What do you mean? Umbra and I finally agree.

He is okay with the fact that some security software allows a kernel level backdoor to be installed on a system.

1. True, but you cannot prove that something does not exist. You can prove that something does exist. For example, if you want to prove that God exists, that is easy… all you have to do is find him / her. If you want to prove that God does not exist… well, that is impossible. So we cannot prove that VS will stop every single exploit and payload, but that is the reason we need to keep testing… and this test is a great indication that our mechanism is sound.

2. Agree… I have tested extensively, and I wish everyone else would do the same so they could see it with their own eyes.

3. Pure speculation… please do not speculate, run the test. I am quite certain that the result would be the same, but we will not know for sure unless we test. And do you really think I am going to spend the time to test with FuzzBench? The test is extremely similar to the one I performed.

4. Sure, in general, they can stop ADDITIONAL payloads, but the initial malicious payload (DP) was allowed to fully execute, which makes the built in tools available, which is an issue. As MRG says “It is nice that all the AV vendors claim to protect against the ransomware payload, but in case there is a backdoor running on your machine in the kernel level, things are not that great.”

5. I had no idea, but that makes sense to me… I have never used it so I would not know.

6. No, the best protection against remote kernel exploits is to make sure that the security software you are using has a mechanism that blocks this kind of attack, and that the mechanism is working properly. You can update and patch the system, and that does fix this issue for known malware, but it does absolutely nothing for zero days.

 

[Andy Ful]

Thanks. Finally, the partial agreement looks like:

1. There is a test, that shows the fact of stopping that kind of malware by some anti-exe solutions (VoodooShield, NVT ERP) when the attacker is using Metasploit with meterpreter payload.
2. It is still possible that SRP and anti-exe security solutions can stop many payloads, even when the system is infected by EternalBlue & DoublePulsar. But, in many cases SRP and anti-exe can fail, too.

I think that it will be hard to agree more than that. So, let us close this thread, even if someone thinks that the opponent is terribly wrong.

 

[danb]

Thanks. Finally, the partial agreement looks like:

1. There is a test, that shows the fact of stopping that kind of malware by some anti-exe solutions (VoodooShield, NVT ERP) when the attacker is using Metasploit with meterpreter payload.
2. It is still possible that SRP and anti-exe security solutions can stop many payloads, even when the system is infected by EternalBlue & DoublePulsar. But, in many cases SRP and anti-exe can fail, too.

I think that it will be hard to agree more than that. So, let us close this thread, even if someone thinks that the opponent is terribly wrong.

Sure, you can block ADDITIONAL malicious payloads... but the most important malicious payload (DP) was not blocked... the system is already infected with DP and all of the built in hacker tools.

DP is a malicious payload that was not blocked.

 

[Visa]

DP is a malicious payload that was not blocked.

If the EternalBlue exploit is not blocked by a product then I assume this means that it can be used to deploy another exploit instead of DoublePulsar which may not necessarily be blocked?

 

[danb]

Exactly... if EB worked the first time, there is no reason to believe that it will not work a second or third time.

 

[Deleted member 178]

If the EternalBlue exploit is not blocked by a product then I assume this means that it can be used to deploy another exploit instead of DoublePulsar which may not necessarily be blocked?

Exactly... if EB worked the first time, there is no reason to believe that it will not work a second or third time.

This is the job of network protection tools. They should block EB to propagate through the network.

Sure, you can block ADDITIONAL malicious payloads... but the most important malicious payload (DP) was not blocked... the system is already infected with DP and all of the built in hacker tools.
DP is a malicious payload that was not blocked.

Because DP was already in a machine ("patient zero") on the network, the point is not letting it get into the network in the first place.
Many products are able to block the execution of the container (if any) that will deliver EB-DP in the network.
If you can block the the container to be executed in the "patient zero" , EB-DP can't infect the machine and the rest of the network. that is very simple.

All infections start from either a container or via a weak network.
During the Wanacry crisis, we have no evidences how DP/Wanacry was able to get in those networks around the world.

All attack start by the same basic patterns :
- via a browser exploit
- via a file being downloaded in a machine (email/torrent/usb)
- via a weakness of the network (open or misconfigured ports, etc...)

if you can mitigate those 3, nothing can get in your machine. So you won't care of any malware.

That is my belief, it is why i use SRP/Anti-exe/sandboxes/anti-exploits, a FW + NAT router ; to prevent all my machines to be the Patient Zero.
Unfortunately , Average Joe can't say the same...

 

[erreale]

I think this thread (along with those of CS) is one of those where I've learned more. The "quarrels", if constructive as in this case, teach many more things than other threads. So thanks Umbra and Dan. Really!

 

[Tiny]

I think this thread (along with those of CS) is one of those where I've learned more. The "quarrels", if constructive as in this case, teach many more things than other threads. So thanks Umbra and Dan. Really!

Agreed. Rational discourse between more knowledgeable users gives end user security minnows such as myself a lot of learning and research material. I have certainly learnt a lot more from this particular thread about how EB & DP work, than I would have by simply reading articles. Over here, I can actually communicate with people that have run tests, have prior experience with similar attacks and get direct answers.
Any heated discussion that does not degenerate into infantile abusiveness or have parties being deliberately obtuse, will always benefit those listening in.

 

[Av Gurus]

I would love to see that same test (that Dan did) on machine with Comodo Firewall @cruelsister settings.
Please...

 

[darko999]

I would love to see that same test (that Dan did) on machine with Comodo Firewall @cruelsister settings.
Please...

With HIPS set to paranoid that's the real deal

 

[Av Gurus]

With HIPS set to paranoid that's the real deal

That is Umbra Paranoid setup

Here are settings: