[MRG] ETERNALBLUE vs Internet Security Suites and nextgen protections

[Evjl's Rain]

Due to the recent #wannacry ransomware events, we initiated a quick test in our lab.

Most vendors claim to protect against the WannaDecrypt ransomware, and some even claims they protect against ETERNALBLUE exploit (MS17-010).

Unfortunately, our tests shows otherwise. Warning: We only tested the exploit and the backdoor, but not the payload (Wannacry)!

We don’t want to disclose our test results until a fair amount of time is given to vendors to patch their product, but meanwhile we feel that we have to inform the public about the risks.

The following 3 products protected the system against the ETERNALBLUE exploit installing the DOUBLEPULSAR backdoor:

1. ESET Smart Security
2. F-Secure SAFE – but no log/alert on the console
3. Kaspersky Internet Security

ESET Smart Security Blocking ETERNALBLUE




FSecure SAFE blocking ETERNALBLUE




Kaspersky Internet Security protecting against ETERNALBLUE

Two product used network filtering to detect the exploit, and block it before kernel code level execution happens. We have not played with how these techniques can be bypassed (e.g. via obfuscating the exploit to bypass signatures), but that could be the content of another blog post.

The BSOD
So far, we have one endpoint protection product where DOUBLEPULSAR installation failed due to Blue Screen of Death. Point 1 for integrity (hopefully) and -1 point for availability.



The FAILS
At the moment, we have tested 9 home Internet Security Suite products, 1 Next-gen endpoint protection and 1 EDR which can’t protect (or alert) users against ETERNALBLUE exploit installing the DOUBLEPULSAR backdoor. All vendors claim to protect against #Wannacry and some claim to protect against ETERNALBLUE. But here is the thing, protecting against the payload does not mean users are fully protected against malicious code running in kernel mode.



Our focus of test were mostly home products (internet security suites), and whenever the default firewall policy was set to public, we changed the policy to home/work. All products were used with default settings. Some products for example have intrusion prevention turned off by default – and enabling it blocks ETERNALBLUE. But not many home users tweak default settings.

Conclusion
It is nice that all the AV vendors claim to protect against the ransomware payload, but in case there is a backdoor running on your machine in the kernel level, things are not that great.

Please note the ETERNALBLUE exploit was published basically 2 months before Wannacry and this blog post.

If anyone creates an in-memory ransomware which can work with the ETERNALBLUE exploit, the number of ransomwared systems would skyrocket. ETERNALBLUE can be linked with Meterpreter easily, and we have an in-memory Meterpreter ransomware extension. We are sure we are not the only ones having this capability … If there will be an in-memory Meterpreter ransomware in-the-wild soon, we reserve the right to remove this section from the blogpost, and pretend we never wrote this

We are in the middle of contacting all AV vendors about the issue. Although we guess they already know this, they only forgot to notify the marketing department to check their communication.

 

[mekelek]

F-Secure surprising more and more, hmm, maybe it's not only an other AV trying to live off BD's engine after all.

 

[kamla5abi]

lol i can see all AV companies other than the first 3 hating this post lots
i wonder if those companies marketing departments will be playing the blame game now too
(Senior Execs: WHO TOLD YOU TO WRITE WE PROTECT AGAINST THE EXPLOIT!?!?! JUST THE DAMN RANSOMWARE!! F$@#&@#&&@&$&@#&!!!"

hahaha

 

[Evjl's Rain]

what I can see from this article
- those 3 products have good and effective exploit protection
- users from the 3 products would be safe from wannacry attacks infected from other computers
- not sure which products failed or were not tested. There should have been avast, BD, Avira,... They didn't have an effective exploit protection or they don't have the module
- I would like to see HMPA, EIS, MBAM exploit protection in action
- this is just a exploit protection test. If users run the files from the desktop, they would be infected anyway

 

[Parsh]

F-Secure surprising more and more, hmm, maybe it's not only an other AV trying to live off BD's engine after all.

Engines

• BitDefender Aquarius (licensed, fingerprint based, heavy, knows most malware since antiquity)
• Hydra (in-house, probably fingerprint based, lighter weight, but only against new, modern malware)
• Gemini (in-house developed heuristics)
• Deepguard (in-house system and program behaviour watch and control technology, quite famous)
• A-Spam (licensed junk mail filter)

FSecure has a serious R&D department and their own technology for advanced malware scanning, network interception and behavior analysis (DeepGuard) that's infamous for FPs but provides nice protection against 0-days.

 

[Winter Soldier]

EternalBlue/DoublePulsar was analyzed here.
I think before to be exploited by criminals now.

zerosum0x0: DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis

 

[zh4ck]

- I would like to see HMPA, EIS, Malwarebytes Anti-Malware exploit protection in action

Author here. Although not tested yet, I believe none of these products will protect against ETERNALBLUE at the moment.
Here I have an explanation why EMET is not protecting against ETERNALBLUE. HMPA and MBAE are very similar to EMET. I don't know EIS.

 

[Solarquest]

what I can see from this article
- those 3 products have good and effective exploit protection
- users from the 3 products would be safe from wannacry attacks infected from other computers
- not sure which products failed or were not tested. There should have been avast, BD, Avira,... They didn't have an effective exploit protection or they don't have the module
- I would like to see HMPA, EIS, Malwarebytes Anti-Malware exploit protection in action
- this is just a exploit protection test. If users run the files from the desktop, they would be infected anyway

I don't understand why they don't say what product didn't protect against the exploit!
Users should know!!.... AV company already know they missed it (if they still don't, they are very bad)!

 

[Azure]

what I can see from this article
- those 3 products have good and effective exploit protection
- users from the 3 products would be safe from wannacry attacks infected from other computers
- not sure which products failed or were not tested. There should have been avast, BD, Avira,... They didn't have an effective exploit protection or they don't have the module
- I would like to see HMPA, EIS, Malwarebytes Anti-Malware exploit protection in action
- this is just a exploit protection test. If users run the files from the desktop, they would be infected anyway

In regards to EIS

WannaCry Ransomware: Interview with Emsisoft’s ransomware experts
Emsisoft customers were not affected by the attack. Can you explain how, and why in other cases, security software was not able to detect the threat?

1. Firewall: If you are using Emsisoft Internet Security, the firewall inside it would have prevented someone from the outside accessing your port 445, which is the port the vulnerable SMB protocol listens to by default and that the WannaCry worm contacts to exploit. If the port can’t be accessed, no exploitation takes place, so your system is completely protected from the malware.

 

[Windows Defender Shill]

So would a unpactched windows 7 computer connected to a modern (up to date) router be protected from random exploitation?

Because of the SPI firewall?

 

[zh4ck]

I don't understand why they don't say what product didn't protect against the exploit!
Users should know!!.... AV company already know they missed it (if they still don't, they are very bad)!

It takes time to coordinate with all the vendors. Public shaming is not going to help. It rarely happens, but it happens that something is not blocked in our lab, but it is blocked for the rest of the world. When we have confirmations from everyone, we will publish,

In regards to EIS

WannaCry Ransomware: Interview with Emsisoft’s ransomware experts
Emsisoft customers were not affected by the attack. Can you explain how, and why in other cases, security software was not able to detect the threat?

1. Firewall: If you are using Emsisoft Internet Security, the firewall inside it would have prevented someone from the outside accessing your port 445, which is the port the vulnerable SMB protocol listens to by default and that the WannaCry worm contacts to exploit. If the port can’t be accessed, no exploitation takes place, so your system is completely protected from the malware.

This is a bullshit defense. If you are working in a home or corporate environment, chances are you have to enable port 445. And don't forget, you can do this with Windows firewall, you don't have to buy anything to do that.

So would a unpactched windows 7 computer connected to a modern (up to date) router be protected from random exploitation?

Because of the SPI firewall?

If you are behind NAT (which is the case with home routers), and port 445 is not forwarded to your machine, you are safe from OUTSIDE infection. If someone connects an infected computer to your home network, you are screwed.

 

[FleischmannTV]

Thank you @zh4ck for a detailed examination of which product protects at which stage. It is surely one of the more interesting and informative reads.

 

[kamla5abi]

i have been using BD TS for the past little while, heres what i've noticed.
I have turned on the "ransomware protection" module inside BD (turned off by default) and enabled "protection at boot" and AutoPilot turned On.
then the usual folders are all automatically added by default to protection (c:\users\<username>\desktop, documents, music, pictures, videos, Onedrive) and you can add others too (like downloads, etc).

Next:
I downloaded and installed an image processing software to try it, and loaded it up. Chose an image inside my pictures folder and started playing around with stuff. The entire time, it was fine and let me make changes to image, even save a copy of it, etc. But then i clicked something in the picture software that would rename the current file to append a few letters to the end of the file name. So it would change "Picture 012.jpg" to "Picture 012.jpg.xxx" (where xxx represents appended file extension, whatever letters the program was trying to append to the end of it, i dont remember what exactly it was...) From looking at it, i think the picture software was trying to add those letters to the end temporarily to mark it as a different type of file, i am not sure why, maybe the picture software does that while the image is still being worked on when you enable that option of the software

Anyways, BD TS actually alerted me to that and blocked it automatically. If the BD TS alert didn't pop up, i would have no idea the extension was being changed/appended by the picture software. So in this case, BD TS let me edit/save/copy picture file no problem. But when the software tried to change the file extension, it detected that behavior and alerted me (+ blocked it automatically). My point is that ransomware seems to function similarly, where it appends something to the filename extension (or processes it, which ends up appending the file extension) and then deletes the original, leaving you stuck with the encrypted file only. So if that picture software was ransomware, it would have blocked that from happening i think right ?

so in this case, even tho it wasn't ransomware that changed the file name, it was picture software, it still stopped that from happening.
Then i could manually allow that action if the program that made the action was safe.

 

[Solarquest]

Today MRG-Effitas updated the report...now 5 AV protected the system.
MRG – ETERNALBLUE vs Internet Security Suites and nextgen protections

 

[FleischmannTV]

The conclusion is top-notch:

It is nice that all the AV vendors claim to protect against the ransomware payload, but in case there is a backdoor running on your machine in the kernel level, things are not that great.

If anyone creates an in-memory ransomware which can work with the ETERNALBLUE exploit, the number of ransomwared systems would skyrocket. ETERNALBLUE can be linked with Meterpreter easily, and we have an in-memory Meterpreter ransomware extension.

The best part: most of the serious antiviruses, like Kaspersky or ESET, stop this dead in its tracks, whereas the comedy-section whitelisting and virtualization stuff - you know, the tools favored by self-declared system expert professionals on security forums, who are way too smart to use AV - just stand there and do absolutely nothing

 

[_CyberGhosT_]

QUOTE: Update 2017-05-22: The BSOD was on Windows7 64-bit with Symantec Endpoint Protection using VMware. After discussing this with Symantec representatives, it turned out this is not what average users should see. So we tested it on a physical machine with Windows7 32-bit and Norton Internet Security, and the attack was blocked and logged, and there was no BSOD :END
Getting more and more pertinent to test in real world environments & Machines

 

[kamla5abi]

QUOTE: Update 2017-05-22: The BSOD was on Windows7 64-bit with Symantec Endpoint Protection using VMware. After discussing this with Symantec representatives, it turned out this is not what average users should see. So we tested it on a physical machine with Windows7 32-bit and Norton Internet Security, and the attack was blocked and logged, and there was no BSOD :END
Getting more and more pertinent to test in real world environments & Machines

One criticism I just thought of:
1) BSOD system: Windows 7 64bit + Symantec Endpoint Protection (Commercial endpoint software)
2) No BSOD system: Windows 7 32bit + Norton Internet Security (Home software)

- Why not make the physical machine exactly same setup as the VM that BSOD?
- Then, they can repeat the test using other software setup to make sure NIS behaves the same as SEP, right?

But I don't know enough about Norton/Symantec products
Maybe both products are using same base malware protection? If yes, then I can see why it doesn't matter which product you test, since both should behave the same way I guess.

Do you guys expect they will release the names of softwares that didn't pass eventually?
--- I wonder about Bitdefender 2017, Avast 2017, Comodo (depends on setup i guess), Emsisoft, Panda, Qihoo 360 etc (Since they test AV type software only, i don't think HMP/ZAL/ZAM/VS/etc type software would have been tested by them i think)
- I understand they want to talk to the companies first to make sure there wasn't some glitch in their testing method that caused the software to fail the test (like symantec glitch) so they don't tarnish the company name for no reason

//edit
I forgot that AVG and Avast are same company now, so that means Avast should be passed too? or do they still operate differently enough that you can't say if AVG passed then Avast should pass too?

 

[Azure]

The conclusion is top-notch:



The best part: most of the serious antiviruses, like Kaspersky or ESET, stop this dead in its tracks, whereas the comedy-section whitelisting and virtualization stuff - you know, the tools favored by self-declared system expert professionals on security forums, who are way too smart to use AV - just stand there and do absolutely nothing

Isn't that because they are testing the exploit and not the ransomware?

 

[shmu26]

The conclusion is top-notch:



The best part: most of the serious antiviruses, like Kaspersky or ESET, stop this dead in its tracks, whereas the comedy-section whitelisting and virtualization stuff - you know, the tools favored by self-declared system expert professionals on security forums, who are way too smart to use AV - just stand there and do absolutely nothing

I am afraid you are right. Default/deny won't protect you from worms, if another computer on your network is not using default/deny. But if you live alone in your castle, you should be safe and sound.