Video EternalBlue and DoublePulsar application whitelisting test

Status
Not open for further replies.

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,284
This is the job of network protection tools. They should block EB from propagating through the network.

Because DP was already on a machine ("patient zero") on the network, the point is not letting it get into the network in the first place.
Many products are able to block the execution of the container (if any) that will deliver EB-DP into the network.
If you can block the container from being executed on the "patient zero", EB-DP can't infect the machine or the rest of the network. That is very simple.

All infections start from either a container or via a weak network.
During the WannaCry crisis, we have no evidence of how DP/WannaCry was able to get into those networks around the world.

All attacks start with the same basic patterns:
- via a browser exploit
- via a file being downloaded onto a machine (email/torrent/USB)
- via a weakness of the network (open or misconfigured ports, etc.)

If you can mitigate those 3, nothing can get into your machine. So you won't care about any malware.

That is my belief; it is why I use SRP/anti-exe/sandboxes/anti-exploits and a FW + NAT router, to prevent all my machines from being the Patient Zero.
Unfortunately, Average Joe can't say the same...
Close enough for me ;).

Yeah, I agree the attack vector is extremely important to consider. But at this point, no one knows what all really happened, and all we know is that it spread like wildfire.

Besides, if the definition of SRP is: Software Restriction Policies (SRP) is a Group Policy-based feature that identifies software programs running on computers in a domain, and controls the ability of those programs to run.

If DP was allowed to execute, then SRP did not control the ability for it to run, correct?

Or to put it another way, you would prefer that any given SRP solution blocks DP and its hacker tools, correct?

I think this thread (along with those of CS) is one of those where I've learned the most. The "quarrels", if constructive as in this case, teach many more things than other threads. So thanks Umbra and Dan. Really!
I'll drink to that (and to Tiny's response ;)). Thank you guys!

I would love to see that same test (that Dan did) on machine with Comodo Firewall @cruelsister settings.
Please...
I ran a lot of tests, and approximately 70-80% failed to stop the DP installation... no matter how I adjusted the settings, so overall the results were dismal.

In the interest of limiting the drama as much as possible, it is best to wait for the final MRG report.

If it is made crystal clear that this is an issue that all security vendors should address immediately, then I might consider releasing the other results from my tests. But please keep in mind, VS is not a testing lab.

Basically, the discussion got way out of hand as it was, and I do not want to start a holy war ;).

I just wanted people to be aware of the issue, and to be as concerned as MRG obviously is.
 

_CyberGhosT_

Level 53
Verified
Helper
Top poster
Content Creator
Well-known
Aug 2, 2015
4,301
I ran a lot of tests, and approximately 70-80% failed to stop the DP installation... no matter how I adjusted the settings, so overall the results were dismal.

In the interest of limiting the drama as much as possible, it is best to wait for the final MRG report.

If it is made crystal clear that this is an issue that all security vendors should address immediately, then I might consider releasing the other results from my tests. But please keep in mind, VS is not a testing lab.

Basically, the discussion got way out of hand as it was, and I do not want to start a holy war ;).

I just wanted people to be aware of the issue, and to be as concerned as MRG obviously is.
Very good point, and great summary Dan.
I have something to say too, I would like to apologize to you Dan, you have your own mouth and are not afraid to use it.
I had no place interjecting (sticking up for you) earlier in the thread, it was inappropriate of me to do so in that manner as you are a grown man. Forgive me for the intrusion brother.
 

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,284
Very good point, and great summary Dan.
I have something to say too, I would like to apologize to you Dan, you have your own mouth and are not afraid to use it.
I had no place interjecting (sticking up for you) earlier in the thread, it was inappropriate of me to do so in that manner as you are a grown man. Forgive me for the intrusion brother.
I appreciate your guys support, thank you!
 

AtlBo

Level 28
Verified
Top poster
Content Creator
Well-known
Dec 29, 2014
1,723
calc.exe is not new to being exploited; it's one of the exes I blacklist using Process Lasso and block from internet access.
If I need a calculator I have one on my desk, or on my LG phone ;)

I have experienced several attempts over the years where something was attempting to use the internet via calc.exe. As much as I have tried to buckle down on MS app connections, I am sure systems are still vulnerable here.

EDIT: Just a word for @Umbra here. VS blocked the worst of the EB/DP attack, so that is important. However, Umbra is 100% correct about one thing that I don't think Dan is the one to debate about. The compromise alone was too close. OK, so MS patches a vulnerability and the company is God again? W7 is still being supported (so MS says), but these avenues of attack don't seem to me to be the specialty of VS, and who knows how many there are.

If MS isn't going to provide access to updated security methods for W7, the company should not feign its claim to supporting the OS. At any rate, security companies will have to step in, since obviously MS isn't going to do this. VS was there with a block of the worst. The devs deserve the credit for that. However, I feel like the next one might get by everyone after reading more details about this one, so I hope the security industry doesn't lose this opportunity for a wake up call. EB/DP is the root of the ultimate malware nastiness, and whoever created it should be tracked down and held accountable. That's one thing, but the spread of the malware also should not have been possible.
 

_CyberGhosT_

Level 53
Verified
Helper
Top poster
Content Creator
Well-known
Aug 2, 2015
4,301
I have experienced several attempts over the years where something was attempting to use the internet via calc.exe. As much as I have tried to buckle down on MS app connections, I am sure systems are still vulnerable here.
I agree that it is very hard to keep some MS components from the internet, but keep in mind that if it can't start it can't get online, and Process Lasso will keep it from starting, blocking it with WFC just makes me feel better :) lol
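The two posts above describe blocking calc.exe from the internet with WFC (a front-end for the Windows Firewall) and keeping it from starting with Process Lasso. The following is an added example, not code from any poster in this thread, showing the same outbound block with the built-in NetSecurity cmdlets, plus a read-back so the rule can be verified after the fact. The rule name and the calc.exe path are assumptions; run it in an elevated PowerShell session.

```powershell
# Added example (not from any post in this thread): create and verify an
# outbound Windows Firewall block rule for a single executable using the
# built-in NetSecurity module. Rule name and program path are assumptions.

function Set-OutboundBlockRule {
    param(
        [Parameter(Mandatory)] [string] $Program,      # full path of the executable to block
        [Parameter(Mandatory)] [string] $DisplayName   # rule name, used for lookup and removal
    )

    # Idempotent: replace an earlier rule with the same name instead of stacking duplicates.
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $DisplayName `
        -Description "Deny all outbound network access for $Program" `
        -Direction Outbound `
        -Program $Program `
        -Action Block `
        -Profile Any `
        -Enabled True | Out-Null
}

function Test-OutboundBlockRule {
    param([Parameter(Mandatory)] [string] $DisplayName)

    # Read the rule back together with its application filter (the bound program path).
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction Stop
    $app  = $rule | Get-NetFirewallApplicationFilter

    # Return a report object rather than printing, so it can be logged or checked by a script.
    [pscustomobject]@{
        Name      = $rule.DisplayName
        Enabled   = [string]$rule.Enabled
        Direction = [string]$rule.Direction
        Action    = [string]$rule.Action
        Program   = $app.Program
    }
}

# Assumption: calc.exe lives at the standard path under the system root.
$target   = Join-Path $env:SystemRoot 'System32\calc.exe'
$ruleName = 'Block calc.exe outbound (example)'

Set-OutboundBlockRule -Program $target -DisplayName $ruleName
Test-OutboundBlockRule -DisplayName $ruleName | Format-List
```

The read-back matters because on a domain-joined machine a Group Policy firewall configuration can override locally created rules, so a rule that was created is not necessarily a rule that is in force. Note also the scope of what this achieves, which matches the point made in the post above: a per-program outbound rule only constrains the user-mode process at that path; it does nothing against a kernel-level implant such as DP, which is why the discussion keeps coming back to preventing the initial execution rather than filtering its traffic afterwards.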
 

AtlBo

Level 28
Verified
Top poster
Content Creator
Well-known
Dec 29, 2014
1,723
I agree that it is very hard to keep some MS components from the internet, but keep in mind that if it can't start it can't get online, and Process Lasso will keep it from starting, blocking it with WFC just makes me feel better :) lol

100% true @_CyberGhosT_. Being able to block the payload is the absolute critical point in the chain. Vulnerabilities shouldn't exist though. :)

Speaking of firewalling, I scour through firewall settings to see what's being allowed from time to time. I'm using PF for its net connection controls on one PC, and that is interesting, because I am not using the trust list. I have learned a lot about MS processes being used in strange ways such as this, although I know it's only a drop in the bucket of everything there is to know. Funny, but it's not as bad as it seems to train a trustless system, but it does expose the frailty of trust and the difficulty of making HIPS and connection control user friendly. Thank God for script monitoring and that it happens independently of trust in at least the best apps. Also, btw, ReHIPS is on the right track I feel with HIPS.

If every PC had the capability of VS to block the payload launch of EB/DP (really the actual ransomware and not those two) and if user error (allow/block) could be to a satisfactory degree eliminated from the equation, there would be no incentive to try an attack of this type on a PC ever again, via any MS application. It would be a waste of time. This is where we need to be, and I am confident security will be there in 5 to 8 or so years. The industry seems to me to be reaching for another level of protection and communication with clients and with IT. For me, that will be the key I think.
 

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,284
I would agree with what Umbra and others said: this test is pointless and has no relation to a real-world scenario.
There are 300,000+ endpoints that were infected with WannaCry that would highly suggest otherwise.

If only approximately 20% of security software (even to this day) block the DoublePulsar installation, how many kernel level backdoors are STILL lurking around on systems?

Remember, just because WannaCry is blocked, that does not mean that DoublePulsar is blocked from installing... in fact, most likely other computers on the network are becoming infected.

You do the math. It is a big problem.

100% true @_CyberGhosT_. Being able to block the payload is the absolute critical point in the chain. Vulnerabilities shouldn't exist though. :)

Speaking of firewalling, I scour through firewall settings to see what's being allowed from time to time. I'm using PF for its net connection controls on one PC, and that is interesting, because I am not using the trust list. I have learned a lot about MS processes being used in strange ways such as this, although I know it's only a drop in the bucket of everything there is to know. Funny, but it's not as bad as it seems to train a trustless system, but it does expose the frailty of trust and the difficulty of making HIPS and connection control user friendly. Thank God for script monitoring and that it happens independently of trust in at least the best apps. Also, btw, ReHIPS is on the right track I feel with HIPS.

If every PC had the capability of VS to block the payload launch of EB/DP (really the actual ransomware and not those two) and if user error (allow/block) could be to a satisfactory degree eliminated from the equation, there would be no incentive to try an attack of this type on a PC ever again, via any MS application. It would be a waste of time. This is where we need to be, and I am confident security will be there in 5 to 8 or so years. The industry seems to me to be reaching for another level of protection and communication with clients and with IT. For me, that will be the key I think.
Exactly. The people who always complain that there is too much fear, uncertainty and doubt in the security world, completely ignore the fact that 6 years ago, there were 15,000 new pieces of malware a day, and now there are around 300,000.

Apparently some people do not understand the simple concept of supply and demand.

Thank you for the insight AtlBo!
 

_CyberGhosT_

Level 53
Verified
Helper
Top poster
Content Creator
Well-known
Aug 2, 2015
4,301
AtlBo, an excellent and critical point regarding the payload. I'll be doing something later on Adylkuzz, a much more insidious type of malware, that was initially spread through DP/EternalBlue.
Looking forward to it CS, I am sure it will be as entertaining as it is educational.
 

_CyberGhosT_

Level 53
Verified
Helper
Top poster
Content Creator
Well-known
Aug 2, 2015
4,301
100% true @_CyberGhosT_. Being able to block the payload is the absolute critical point in the chain. Vulnerabilities shouldn't exist though. :)

Speaking of firewalling, I scour through firewall settings to see what's being allowed from time to time. I'm using PF for its net connection controls on one PC, and that is interesting, because I am not using the trust list. I have learned a lot about MS processes being used in strange ways such as this, although I know it's only a drop in the bucket of everything there is to know. Funny, but it's not as bad as it seems to train a trustless system, but it does expose the frailty of trust and the difficulty of making HIPS and connection control user friendly. Thank God for script monitoring and that it happens independently of trust in at least the best apps. Also, btw, ReHIPS is on the right track I feel with HIPS.

If every PC had the capability of VS to block the payload launch of EB/DP (really the actual ransomware and not those two) and if user error (allow/block) could be to a satisfactory degree eliminated from the equation, there would be no incentive to try an attack of this type on a PC ever again, via any MS application. It would be a waste of time. This is where we need to be, and I am confident security will be there in 5 to 8 or so years. The industry seems to me to be reaching for another level of protection and communication with clients and with IT. For me, that will be the key I think.
Very nice AtlBo, agreed ;)
 

AtlBo

Level 28
Verified
Top poster
Content Creator
Well-known
Dec 29, 2014
1,723
AtlBo, an excellent and critical point regarding the payload. I'll be doing something later on Adylkuzz, a much more insidious type of malware, that was initially spread through DP/EternalBlue.

Can't understand why Adylkuzz is being buried in the EB/DP ransomware attack. Seems like they should be mentioned together and studied together. Looking forward to whatever you are planning.
 

Orion

Level 2
Apr 8, 2016
83
There are 300,000+ endpoints that were infected with WannaCry that would highly suggest otherwise.

If only approximately 20% of security software (even to this day) block the DoublePulsar installation, how many kernel level backdoors are STILL lurking around on systems?

Remember, just because WannaCry is blocked, that does not mean that DoublePulsar is blocked from installing... in fact, most likely other computers on the network are becoming infected.

You do the math. It is a big problem.

Sorry, but the exploit was patched already by MS in March, before the exploit was even leaked. Patch your systems!

Speaking of unknown exploits, let's not start the debate on zero-day stuff; there is no real zero day for regular users. The CIA and NSA have these ones that are being used for nation-state spying; this is not for regular users.

This is why WannaCry wasn't targeting home users that much but IT-based computers. What security do you recommend? There may be more exploits like these which spread over a random port that the industry is unaware of.

The only reason this exploit was used was to spread the malware on the network, not to spy. Regular malware writers are more interested in getting money out of people, not spying on them, unless it's banker malware, which is a completely different story.

I understand these agencies are even out to listen to our calls and other things in the name of anti-terrorism, but again, what is going to stop them? There is no software or OS that does not have holes in it. The more robust and compatible an OS is, the more vulnerable it will be.
 

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,284
Sorry, but the exploit was patched already by MS in March, before the exploit was even leaked. Patch your systems!

Speaking of unknown exploits, let's not start the debate on zero-day stuff; there is no real zero day for regular users. The CIA and NSA have these ones that are being used for nation-state spying; this is not for regular users.

This is why WannaCry wasn't targeting home users that much but IT-based computers. What security do you recommend? There may be more exploits like these which spread over a random port that the industry is unaware of.

The only reason this exploit was used was to spread the malware on the network, not to spy. Regular malware writers are more interested in getting money out of people, not spying on them, unless it's banker malware, which is a completely different story.
Are you saying that since a patch exists for EB/DP, it is no longer a concern? I do not think CS would have made a new video if she thought that all of the 55%+ (netmarketshare / XP and 7) of the world's PCs were patched and/or properly protected.

Video Review - Comodo Firewall vs A CryptoCurrency Miner

Adylkuzz, the new virus that follows in WannaCry's footsteps - Panda Security

Please do not piss CS off, or she will never release a pic of her in the Palo Alto T-Shirt ;).

The EB/DP combo was originally a spy tool... it has been adapted into something much more malicious, and will continue to be enhanced.

I do agree... most of the big zero days are not intended to affect the home user, but for some reason, they always seem to trickle down.

I have actually done quite a bit more testing... and the results are scary, but we will wait for the MRG report.

A lot of people seem to keep forgetting that this was a single attack... there are (and will be) countless others.

And if the existing mechanisms failed to properly protect in this attack, there is no reason to believe that they will stop the next attack.
 
May 22, 2017
251
@S3cur1ty 3nthu5145t I don't think people commenting on this thread are your typical home user. It's also in a convenient place for other types of people to look at.
EternalBlue and DoublePulsar application whitelisting test: what's that?
My post was relevant considering the distinction between those that have cause for concern is blurred in this thread, as it is a home-user-based forum and a large portion of guests reading are home users.
 