Video EternalBlue and DoublePulsar application whitelisting test

Status
Not open for further replies.

Visa

Level 1
May 31, 2017
42
C'mon guys, who cares? Let's all just agree to disagree and move on! This isn't the end of the world. This was a nasty attack and there will be plenty more to come, and besides, VoodooShield is great at what it does (mainly anti-exe) and I recommend that people use it for good protection if they use it properly.

VS + UAC + SmartScreen = great
VS + WD + UAC + SmartScreen = great
WD + UAC + SS = great too
VS + HMP.A + UAC + SC = great

Who cares!

It doesn't even matter if VS missed the exploit execution; exploits are designed to bypass security solutions. If you block one, there will be others that will succeed. Just watch what you do and don't be click happy, and the problem is pretty much solved. I guarantee you that anything WannaCry related was due to employees in enterprises like the NHS just blatantly clicking links to attachments; that is usually how infections are spread (e-mail), or just blatantly downloading and running new apps.

@danb VoodooShield is a great product, keep doing what you are doing.

Let's all move on from this storm about EB/DP and let @danb have a rest now :)
 

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,284
C'mon guys, who cares? Let's all just agree to disagree and move on! This isn't the end of the world. This was a nasty attack and there will be plenty more to come, and besides, VoodooShield is great at what it does (mainly anti-exe) and I recommend that people use it for good protection if they use it properly.

VS + UAC + SmartScreen = great
VS + WD + UAC + SmartScreen = great
WD + UAC + SS = great too
VS + HMP.A + UAC + SC = great

Who cares!

It doesn't even matter if VS missed the exploit execution; exploits are designed to bypass security solutions. If you block one, there will be others that will succeed. Just watch what you do and don't be click happy, and the problem is pretty much solved. I guarantee you that anything WannaCry related was due to employees in enterprises like the NHS just blatantly clicking links to attachments; that is usually how infections are spread (e-mail), or just blatantly downloading and running new apps.

@danb VoodooShield is a great product, keep doing what you are doing.

Let's all move on from this storm about EB/DP and let @danb have a rest now :)
I'll drink to that ;).

BTW, has anyone seen any stats on how many home computers were infected with WC compared to SMB / enterprise?

That would be interesting.
 

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,284
It appears this argument has reached its conclusion, sorry it was so painful (yet exciting) for everyone.

AppGuard 4.x 32/64 Bit

On a side note... if any vendor would like me to test their software with specified settings adjustments or patched mechanisms, to ensure that this type of attack is mitigated, I would be happy to do so, privately.
 

Orion

Level 2
Apr 8, 2016
83
Are you saying that since a patch exists for EB/DP, it is no longer a concern? I do not think CS would have made a new video if she thought that all of the 55%+ (netmarketshare / XP and 7) of the world's PCs were patched and/or properly protected.

Video Review - Comodo Firewall vs A CryptoCurrency Miner

Adylkuzz, the new virus that follows in WannaCry's footsteps - Panda Security

Please do not piss CS off, or she will never release a pic of her in the Palo Alto T-Shirt ;).

The EB/DP combo was originally a spy tool... it has been adapted into something much more malicious, and will continue to be enhanced.

I do agree... most of the big zero days are not intended to affect the home user, but for some reason, they always seem to trickle down.

I have actually done quite a bit more testing... and the results are scary, but we will wait for the MRG report.

A lot of people seem to keep forgetting that this was a single attack... there are (and will be) countless others.

And if the existing mechanisms failed to properly protect in this attack, there is no reason to believe that they will stop the next attack.

The exploit was never released by the agencies in the first place; it was leaked. It doesn't mean that the problem doesn't exist or have an effect. I am surprised endpoints are still running XP or any old OS; their IT department must be really bad.

The talk is never about what it trickles down to. This is not something that is for the regular user to worry about; most AVs, even Windows Defender, will detect the malware dropper, and that's all that matters for the home user. Malware writers have no fetish for spying on users, or maybe they will have one soon ;)

Everything created by humans will have a flaw and someone will find it eventually; that doesn't mean security programs are useless. If there is anyone to blame, it's these agencies. Heck! The Taliban was a creation of the CIA and then people call Muslims terrorists.

The only reason it ever trickled down to the user was because it was leaked, and really, privacy is a joke these days.

All we had been reading before was about how they spy, and we never knew it would be leaked, but this is what happens when our own people don't want to report problems. In this day and age it's not secure to use outdated Windows.

Also, if you are speaking about XP/Vista and their market share, remember they have more exploits that haven't been leaked and aren't out yet. Just think what havoc it would wreak if they were to be released.

Malware writers will use these exploits to their advantage and you can't blame them, but our own government, who claim to work for our safety by violating our privacy.

If this continues, even home users will be affected; it's an early wake-up call for the agencies, since it wouldn't take much time for the regular writers to use them.

PS. I would love to see CS's pic :)

Best,
True Indian
 

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,284
The exploit was never released by the agencies in the first place; it was leaked. It doesn't mean that the problem doesn't exist or have an effect. I am surprised endpoints are still running XP or any old OS; their IT department must be really bad.

The talk is never about what it trickles down to. This is not something that is for the regular user to worry about; most AVs, even Windows Defender, will detect the malware dropper, and that's all that matters for the home user. Malware writers have no fetish for spying on users, or maybe they will have one soon ;)

Everything created by humans will have a flaw and someone will find it eventually; that doesn't mean security programs are useless. If there is anyone to blame, it's these agencies. Heck! The Taliban was a creation of the CIA and then people call Muslims terrorists.

The only reason it ever trickled down to the user was because it was leaked, and really, privacy is a joke these days.

All we had been reading before was about how they spy, and we never knew it would be leaked, but this is what happens when our own people don't want to report problems. In this day and age it's not secure to use outdated Windows.

Also, if you are speaking about XP/Vista and their market share, remember they have more exploits that haven't been leaked and aren't out yet. Just think what havoc it would wreak if they were to be released.

Malware writers will use these exploits to their advantage and you can't blame them, but our own government, who claim to work for our safety by violating our privacy.

If this continues, even home users will be affected; it's an early wake-up call for the agencies, since it wouldn't take much time for the regular writers to use them.

PS. I would love to see CS's pic :)

Best,
True Indian
Cool, we are on the same page then (especially on the CS point ;)).

I have no idea how far an exploit like this trickles down. The only thing that is important is that if you are going to target SMB's and enterprise customers for marketing, this is certainly an attack that should be stopped. Thank you!
 

Orion

Level 2
Apr 8, 2016
83
Cool, we are on the same page then (especially on the CS point ;)).

I have no idea how far an exploit like this trickles down. The only thing that is important is that if you are going to target SMB's and enterprise customers, this is certainly an attack that should be stopped. Thank you!

Even if it is targeting normal users, they wouldn't get much out of it (assuming screenlockers and Emotet were to use this); most home users format their computers and move on.

AV vendors will have to start paying attention to detect what's underneath, which they are already doing. So we should be good, at least for now.

Also, I am not sure what "sort" of enterprise people you want to target using this exploit, considering WannaCry didn't get much of it. It would make more sense to be used in a nation-state attack.

Don't forget the Flame/Stuxnet hype.
 

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,284
Even if it is targeting normal users, they wouldn't get much out of it (assuming screenlockers and Emotet were to use this); most home users format their computers and move on.

AV vendors will have to start paying attention to detect what's underneath, which they are already doing. So we should be good, at least for now.

Also, I am not sure what "sort" of enterprise people you want to target using this exploit, considering WannaCry didn't get much of it. It would make more sense to be used in a nation-state attack.

Don't forget the Flame/Stuxnet hype.
For me personally (and obviously for VS), it makes zero difference whether we are protecting a home or business computer. So while I would be curious about the distribution ratio of home / business attacks in the WannaCry outbreak (just for the heck of it), in the end it makes no difference... all computers should be adequately protected.

I am not convinced that stuxnet was hype, and keep in mind, this was a worm as well. Obviously, the people who crafted EB and DP were seasoned malware authors, and one could safely assume that they at some point at least reviewed the malware reference manual known as the stuxnet source code.
 

Orion

Level 2
Apr 8, 2016
83
How come stuxnet/flame wasn't like this? They were also specifically designed to bypass normal measures ;)
 

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,284
How come stuxnet/flame wasn't like this? They were also specifically designed to bypass normal measures ;)
Keep in mind, Stuxnet was delivered on a thumb drive and was designed for one specific purpose, but even then, it spread like wildfire.
 

Andy Ful

From Hard_Configurator Tools
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,081
Guys, please, both of you have some authority here on the MalwareTips forum. Apparently, you cannot agree with each other, and it seems that such an agreement is hardly possible on this topic. So maybe everybody could agree with the statements below:
  1. Generally, no one proved that malware, using remote kernel exploit (EternalBlue & DoublePulsar as example), will be fully stopped by SRP or anti-exe security solutions.
  2. There is a test, that shows the fact of stopping that kind of malware by some anti-exe solutions (VoodooShield, NVT ERP) when the attacker is using Metasploit with meterpreter payload.
  3. There is another test with FuzzBunch showing that SRP and anti-exe may fail to stop EternalBlue & DoublePulsar part of the malware.
  4. It is still possible that SRP and anti-exe security solutions can stop many payloads, even when the system is infected by EternalBlue & DoublePulsar. But, in many cases SRP and anti-exe can fail, too.
  5. Windows native SRP can hardly stop such malware, because the infection runs with System rights. Such security requires frequent system patching.
  6. The best protection against remote kernel exploits is updating and upgrading the system. The new versions of Windows have significantly stronger protection against remote kernel exploits, and generally against all kinds of exploits.

I wrote this over two weeks ago. But, now it seems, that Zoltan from MRG Effitas has already tested EternalBlue & DoublePulsar against VoodooShield, and VoodooShield failed. So, I should update my previous post, as follows:
  1. Generally, the malware attack using remote kernel exploit (EternalBlue & DoublePulsar as example), cannot be fully stopped by SRP or anti-exe security solutions.
  2. It is still possible that SRP and anti-exe security solutions can stop many post-exploit payloads, even when the system is infected with EternalBlue & DoublePulsar. But, in many cases SRP and anti-exe can fail, too.
  3. The best protection against remote kernel exploits is updating and upgrading the system. The new versions of Windows have significantly stronger protection against remote kernel exploits, and generally against all kinds of exploits.
 

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,284
Hehehe, we will see ;). Keep reading the above thread that Umbra posted until the end ;).

VS successfully blocked the attack in the metasploit port test... this has been proven beyond any doubt. If you do not believe me, have MRG run the test with the four products I tested and tell you the results.

In the end... in the metasploit VS test, VS blocked the DP hacker tools and the data exfiltration, and that is all that matters. Keep in mind, only a very small handful of security products could block the attack as well or better than VS did. A lot of products with R & D budgets of hundreds of millions of dollars, and teams of 400 devs, missed the attack completely.

That being the case... I think Molly and I did pretty well. If you guys think you can do better, then you are free to start your own cybersecurity company.

As far as the MRG FuzzBunch port test goes... I will let MRG tell you the final results ;). It would be beneficial for MRG to run both the metasploit and the FuzzBunch ports on all 4 of the original products.

If an attack is outside the scope of application control, then NO application control product will stop the attack.
 

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,284
And Umbra, for the last time, DoublePulsar is not an exploit ;).
 

Deleted member 178

danb said:
VS successfully blocked the attack in the metasploit port test... this has been proven beyond any doubt.
You pretended from the start: "VS stops the installation of DP" and the injection in lsass.exe; I proved you wrong; now you try to save face by playing on words; we all can see that.
I have claimed since the very start that VS just blocked the reverse TCP; you said "no no, VS stopped the installation of DP". We have plenty of posts showing your statement.

Zoltan of MRG acknowledged all my statements about EB-DP and VS, here: WannaCry Exploit Could Infect Windows 10

So just admit it.

In the end... in the metasploit VS test, VS blocked the DP hacker tools and the data exfiltration, and that is all that matters. Keep in mind, only a very small handful of security products could block the attack as well or better than VS did. A lot of products with R & D budgets of hundreds of millions of dollars, and teams of 400 devs, missed the attack completely.
"VS blocked the DP hacker tools", yes, better you change your statement; before it was "VS blocks DP installation" or "VS blocks kernel exploits"... how funny you are... changing your wording when it benefits you... unbelievable...
Me? I never changed my statement, I always said "VS blocks the reverse-TCP connection"... unlike you, when I'm wrong, I have the balls to admit it.
I thought AG Consumer could block it, I was shown I was wrong, I stopped stating it. But you?... even an expert says it clearly, you can't admit it!

As far as the MRG Fuzzbench port test goes... I will let MRG tell you the final results ;). It would be beneficial for MRG to run both the metasploit and the fuzzbench ports on all 4 of the original products.
You made a video to promote VS and discredit AG, because you can't handle the fact that some people say AG is better than VS... you miserably failed because you didn't even understand SRP's purpose and the attack you are demonstrating! Hilarious!!!

If an attack is outside the scope of application control, then NO application control product will stop the attack.
It is outside, we knew it from the start! EB-DP is an in-memory kernel exploit based attack, so of course it is out of scope; VS, ERP, AG Consumer or whatever can't block it.
That is why in the beginning, when I started to learn about EB-DP, I had a doubt, and I asked you to try 2 settings in AG, and it didn't work (based on your feedback), and then I was told it would be unsafe for the system to apply those tweaks anyway...

The more you talk now, the more the members can see your true colours: a deceptive dev that just promotes his "beloved baby" soft by whatever means he can, even hijacking other devs' threads...; that is why I stopped recommending VS to people; it is a good soft but brought down by your fanboy attitude.
A dev should focus on his products, not debate every post forum members may make, and even less make videos comparing products he doesn't understand with attacks he doesn't understand.

And for your info, I know what an exploit is, everybody here knows that I know; don't even dare to try mocking me by twisting my words, because here you are not at Wilders... if you do, be ready to face the consequences... got it?
 

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,284
You pretended from the start: "VS stops the installation of DP" and the injection in lsass.exe; I proved you wrong; now you try to save face by playing on words; we all can see that.
I have claimed since the very start that VS just blocked the reverse TCP; you said "no no, VS stopped the installation of DP". We have plenty of posts showing your statement.

Zoltan of MRG acknowledged all my statements about EB-DP and VS, here: WannaCry Exploit Could Infect Windows 10

So just admit it.


"VS blocked the DP hacker tools", yes, better you change your statement; before it was "VS blocks DP installation" or "VS blocks kernel exploits"... how funny you are... changing your wording when it benefits you... unbelievable...
Me? I never changed my statement, I always said "VS blocks the reverse-TCP connection"... unlike you, when I'm wrong, I have the balls to admit it.
I thought AG Consumer could block it, I was shown I was wrong, I stopped stating it. But you?... even an expert says it clearly, you can't admit it!


You made a video to promote VS and discredit AG, because you can't handle the fact that some people say AG is better than VS... you miserably failed because you didn't even understand SRP's purpose and the attack you are demonstrating! Hilarious!!!


It is outside, we knew it from the start! EB-DP is an in-memory kernel exploit, so of course it is out of scope; VS, ERP, AG Consumer or whatever can't block it.
That is why in the beginning, when I started to learn about EB-DP, I had a doubt, and I asked you to try 2 settings in AG, and it didn't work (based on your feedback), and then I was told it would be unsafe for the system to apply those tweaks anyway...

The more you talk now, the more the members can see your true colours: a deceptive and lying dev that just promotes his "beloved baby" soft by whatever means he can; that is why I stopped recommending VS to people; it is a good soft but brought down by your fanboy attitude.
A dev should focus on his products, not debate every post forum members may make, and even less make videos comparing products he doesn't understand with attacks he doesn't understand.

And for your info, I know what an exploit is, everybody here knows that I know; don't even dare to try mocking me by twisting my words, because here you are not at Wilders... if you do, be ready to face the consequences... got it?
All I wanted to do was to perform the test, using the same method that Sophos used, and post the video... because no one else was testing, they were simply speculating. Do not blame me for keeping the argument going, especially when your argument is completely dependent on the definition of the word "install".

You said this VERY clearly in the following post when you said "If you said "DP didn't connect", I won't say a word, and all that "debate" won't even exist."

WannaCry Exploit Could Infect Windows 10

The problem is that the definition of "Install" is "to place in position or connect for service or use".

Zoltan_MRG agrees with your following statements... and I do for the most part as well except for when you misuse the word install, and where otherwise noted in red below.

- EB is a kernel exploit; EB just implants DP (the backdoor).
- EB doesn't run rundll32 or calc; you are confused about all of it, that is DP's job, by exploiting lsass.exe.
- if lsass.exe is able to spawn rundll, calc, or any other process, it means DP is running. Umbra, if lsass.exe is not able to spawn rundll, does that mean that the opposite is true? Logic! And actually, sure, it might be running, but the fact that it cannot spawn rundll32 proves that it is restricted.
- however VS and ERP prevented DP from fully running any additional payloads. AND THE HACKER TOOLS ARE NOT AVAILABLE... along with preventing data exfiltration... this is very important.
- those rundll32, calc, etc... would be in suspended mode because of VS/ERP, meaning they were created but can't fully execute. Kind of... technically they are suspended while VS decides whether to allow the process or not. If the process is denied from being created, it is completely denied.

so don't say "VS blocks DP from being installed"; it can't. However, VS can prevent DP from doing further malicious tasks, which is a good thing.
That is all I say, but you seem not to (or refuse to) understand what I mean.

So really, it all comes down to the definition of install, and I believe the definition of install is "to place in position or connect for service or use".

BTW, I never implied that you were stupid or ignorant... I just simply wanted you to run the test for yourself, so you can see how the attack works in real time.

 

Deleted member 178

All I wanted to do was to perform the test, using the same method that Sophos used, and post the video... because no one else was testing, they were simply speculating. Do not blame me for keeping the argument going, especially when your argument is completely dependent on the definition of the word "install".
So really, it all comes down to the definition of install, and I believe the definition of install is "to place in position or connect for service or use".
@danb your problem is your interpretation; installing doesn't mean connecting. Those are 2 different actions.
I can install a commercial keylogger; it is installed on the system, the files are there, but if the firewall blocks it from calling home, that is about "connecting", not "installing".
VS blocks the connection, not the installation.
You install a printer driver, the driver is there; now if you don't have the printer turned on, it doesn't mean the driver doesn't exist anymore.
Words are powerful; in demonstrations they must be weighed and used properly. No room for vagueness, especially from a dev.

- if lsass.exe is able to spawn rundll, calc, or any other process, it means DP is running. Umbra, if lsass.exe is not able to spawn rundll, does that mean that the opposite is true? Logic! And actually, sure, it might be running, but the fact that it cannot spawn rundll32 proves that it is restricted.
No, there is a difference between executing a task and completing it.
lsass.exe attempted the connection via rundll32.exe, but was unable to complete it because of VS and ERP.
That means DP was there, that is all that matters. DP's task by default is injecting code into lsass.exe. If lsass.exe spawns something, it means the code was injected successfully.
Blocking DP installation can only be done by blocking the EB exploit, which isn't possible for any SRP/anti-exe.

If the DP backdoor is there, blocking the backdoor from connecting doesn't mean the backdoor doesn't exist.
If I throw a knife at you, my knife is thrown, but you intercepted it; that doesn't mean my throw didn't happen and I don't exist. Understand?

- however VS and ERP prevented DP from fully running any additional payloads. AND THE HACKER TOOLS ARE NOT AVAILABLE... along with preventing data exfiltration... this is very important.
Yes, I never said the opposite, I said it from the start! VS blocked the connection attempt.
If the reverse connection fails, the tools can't be used, exfiltration of data won't happen; that doesn't mean the backdoor doesn't exist and can't be used in the future if the attacker manages to find a way to reconnect to it (let's say by disabling VS, for example, or using a method VS can't block).

- those rundll32, calc, etc... would be in suspended mode because of VS/ERP, meaning they were created but can't fully execute. No, they are suspended while VS decides whether to allow the process or not. If the process is denied from being created, it is completely denied.
Yes, that is all that matters: suspended or blocked task = task already created = DP is installed and running.
VS blocks the connection, not the installation. Simple and proven fact. No denying possible on this.


BTW, I never implied that you were stupid or ignorant... I just simply wanted you to run the test for yourself, so you can see how the attack works in real time.
You kept saying I was wrong, I don't run the test so I can't understand, I don't know an exploit from a payload, I am an agent of AppGuard, etc... etc... come on...
You threw tons of personal attacks; that is why I didn't let you get away with it without retaliation. No one will ruin my name or step on me as you tried to do (intentionally or not); mark my words!

I don't need to test it to get info; I have enough knowledge to deduce facts from your video, then I did my research to learn more... and at the end, after all my research, I was correct in my statements. It is as simple as that.
How many times have I demonstrated faulty or biased videos, like Black Cypher's ones? I don't have to test to find clues.
 
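Both posters above end up agreeing on one observable fact: if lsass.exe spawns rundll32.exe or calc.exe, code is already running inside it, whether or not the outbound connection is later blocked. The following is an added example, not code from this thread, VoodooShield, AppGuard, ERP or any other product named here, showing how a defender would turn that observation into detection logic over Sysmon-style telemetry (Event ID 1 process creation and Event ID 3 network connection). The Event and Finding types, the field names, the sample events and the allowed_children tuning hook are all constructed for this example.

```python
"""Detect lsass.exe spawning child processes, and those children connecting out.

Added example, not code from the thread or any product discussed in it.
Events mimic Sysmon Event ID 1 (process create) and Event ID 3 (network
connection) but are constructed here; the field names are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Event:
    event_id: int           # 1 = process create, 3 = network connection
    host: str
    pid: int
    image: str              # full path of the process the event is about
    parent_pid: int = 0     # event_id 1 only
    parent_image: str = ""  # event_id 1 only
    command_line: str = ""  # event_id 1 only
    dest: str = ""          # event_id 3 only, "ip:port"


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    pid: int
    image: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Event], allowed_children: Iterable[str] = ()) -> List[Finding]:
    """Return findings for (a) any process whose parent is lsass.exe and
    (b) any network connection made by such a process.

    A healthy lsass.exe has no business creating child processes, so (a) fires
    on the spawn itself, regardless of whether a later connection is blocked.
    allowed_children is a tuning hook for site-specific exceptions (assumption:
    empty by default; populate only after verifying a benign cause).
    """
    allowed = {a.lower() for a in allowed_children}
    findings: List[Finding] = []
    # (host, pid) -> image of processes already identified as lsass.exe children
    suspects: Dict[Tuple[str, int], str] = {}
    for ev in events:
        if ev.event_id == 1 and basename(ev.parent_image) == "lsass.exe":
            child = basename(ev.image)
            if child in allowed:
                continue
            suspects[(ev.host, ev.pid)] = child
            findings.append(Finding(
                "lsass_child_process", ev.host, ev.pid, child,
                f"spawned by lsass.exe pid {ev.parent_pid}; cmd: {ev.command_line}"))
        elif ev.event_id == 3 and (ev.host, ev.pid) in suspects:
            findings.append(Finding(
                "lsass_child_network", ev.host, ev.pid, suspects[(ev.host, ev.pid)],
                f"outbound connection to {ev.dest}"))
    return findings


LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed sample telemetry for one workstation: normal activity plus the
# pattern the thread describes (lsass.exe spawning rundll32.exe and calc.exe,
# then rundll32.exe trying to reach out). Addresses are documentation ranges.
SAMPLE_EVENTS = [
    Event(1, "ws01", 4120, r"C:\Windows\System32\notepad.exe",
          parent_pid=2380, parent_image=r"C:\Windows\explorer.exe",
          command_line="notepad.exe"),
    Event(1, "ws01", 704, LSASS,
          parent_pid=632, parent_image=r"C:\Windows\System32\services.exe",
          command_line="lsass.exe"),
    Event(1, "ws01", 5220, r"C:\Windows\System32\rundll32.exe",
          parent_pid=704, parent_image=LSASS, command_line="rundll32.exe"),
    Event(1, "ws01", 5301, r"C:\Windows\System32\calc.exe",
          parent_pid=704, parent_image=LSASS, command_line="calc.exe"),
    Event(3, "ws01", 5220, r"C:\Windows\System32\rundll32.exe",
          dest="203.0.113.10:4444"),
    Event(3, "ws01", 880, r"C:\Windows\System32\svchost.exe",
          dest="203.0.113.20:443"),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host} pid={f.pid} {f.image}: {f.detail}")
```

Run against the sample, the rule raises two process findings (rundll32.exe and calc.exe as children of lsass.exe) and one network finding (the rundll32.exe child connecting out); lsass.exe being created by services.exe and svchost.exe connecting out are left alone. The process finding is the one that matters for the argument in this thread: it fires on the spawn, so an application-control product blocking the child afterwards does not change the fact that the injection has already happened.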

danb

From VoodooShield
Verified
Top poster
Developer
Well-known
May 31, 2017
1,284
@danb your problem is your interpretation; installing doesn't mean connecting. Those are 2 different actions.
I can install a commercial keylogger; it is installed on the system, the files are there, but if the firewall blocks it from calling home, that is about "connecting", not "installing".
VS blocks the connection, not the installation.
You install a printer driver, the driver is there; now if you don't have the printer turned on, it doesn't mean the driver doesn't exist anymore.
Words are powerful; in demonstrations they must be weighed and used properly. No room for vagueness, especially from a dev.


No, there is a difference between executing a task and completing it.
lsass.exe attempted the connection via rundll32.exe, but was unable to complete it because of VS and ERP. That means DP was there, that is all that matters.
If the backdoor is there (lsass.exe being injected by DP), blocking the backdoor from connecting doesn't mean the backdoor doesn't exist.
If I throw a knife at you, my knife is thrown, but you intercepted it; that doesn't mean my throw didn't happen and I don't exist. Understand?


Yes, I never said the opposite, I said it from the start! VS blocked the connection attempt.
If the reverse connection fails, the tools can't be used, exfiltration of data won't happen; that doesn't mean the backdoor doesn't exist and can't be used in the future if the attacker manages to find a way to reconnect to it (let's say by disabling VS, for example, or using a method VS can't block).


Yes, that is all that matters: suspended = created = DP is installed.
VS blocks the connection, not the installation. Simple and proven fact.


You kept saying I was wrong, I don't run the test so I can't understand, I don't know an exploit from a payload, I am an agent of AppGuard, etc... etc... come on...
You threw tons of personal attacks; that is why I didn't let you get away with it without retaliation. No one will ruin my name or step on me as you tried to do (intentionally or not); mark my words!

I don't need to test it to get info; I have enough knowledge to deduce facts from your video, then I did my research to learn more... and at the end, after all my research, I was correct in my statements. It is as simple as that.
How many times have I demonstrated faulty or biased videos, like Black Cypher's ones? I don't have to test to find clues.
Umbra, the literal definition of "install" is: to place in position or connect for service or use. In fact, it contains the exact word, connect, that you are arguing it does not mean.

the definition of install

I think we can sum this up with one sentence.

While VoodooShield is not an anti-exploit utility, its application control mechanisms performed properly in the EB / DP metasploit test, and the attack was effectively stopped from loading the DP hacker tools and exfiltrating data. Fair enough?

BTW, I am going to PM you on here... I have something funny to send you, and something you will find to be quite interesting.
 

Deleted member 178

I think we can sum this up with one sentence.

While VoodooShield is not an anti-exploit utility, its application control mechanisms performed properly in the EB / DP metasploit test, and the attack was effectively stopped from loading the DP hacker tools and exfiltrating data. Fair enough?
YES

You know exactly that in computing, installing and connecting are separate actions.

I install a browser; it is present on the system. If I shut down the internet, it can't connect, but it is still installed. You can't argue with that...
 