Supposed Voodooshield bypass

[Lucent Warrior]

I am making a Thread in the now present subforum of Voodooshield to address this once and for all. It has appeared in too many other topics, derailing them, im guilty of climbing aboard that train.

Information i have on this incident..

The website was Master-Lee and also Dardivan - or some such Italian website.

User @qftest brought it MT and Wilders. He has multiple threads here, but they got taken down.

This is what remains:

https://malwaretips.com/threads/how...ld-anti-exploit-protection.53428/#post-452982

He submitted all infos with my English help to NVT, VS and Datpol (SpyShelter). From what infos were submitted, Andreas from NVT was able to determine what was up... but he was busy with a private Smart Object Blocker build for a large vendor and at that time said he didn't have time for it.

To get the exploit to work you had to use Chinese Windows with Internet Explorer. They were using Socks proxy. The malware was active around 11 AM and 11 PM. Every few hours a new variant was pushed.

Yes that is the way I understood (I may be wrong, need to find again the post to verity)

Edited:
1x .tmp file : unkown => "blocked" => 2x .tmp : other files => "blocked" => "abnormal" system process started / found in memory

Spoiler: link

https://translate.google.com/translate?hl=en&sl=zh-CN&tl=en&u= http://bbs.kafan.cn/thread-1936040-1-1.html&sandbox=1

A lot of work have been done since this time by the dev

You have "never got a ransomware attack", you mean "always stopped" by your security tools, or "never" reached you PC ?
(in the second case, I will just hire you to use the PC of one neighbor )

The video:


This supposed breach was done with version 2.50 of Voodooshield, VoodooAi was not yet incorporated into the product at that time.

The Developer does not believe his product to be completely bullet proof "have to give him credit for facing a reality that many Vendors ignore" and is always willing to listen to someone that may have found a bypass, so that he can correct it.

With this particular case, not enough information is available as the author of the video refused to cooperate, the video is cut short during the test on VS not allowing anyone to see what transpires past that point, and as read above, you would only be in trouble if you were using a Chinese version of windows and Internet Explorer

It is hard to take this seriously when the Author refused to share what he claimed to be a bypass and also did not finish the test in its entirety.

If you have any final words on this, please post them here, as to not derail any more topics. I personally am not putting any stock into it with the given circumstances. Unless the Author is willing to reproduce the test correctly, and or hand me the samples to produce a test with, im going to chalk it up as BS and move on.

 

[ExoGen CyberSecurity]

That's an old bypass technique, top kek if it's still works.

BTW, a lot of people don't share exploits (some companies will pay you) they just wanna show off or sell them on black market with a lot of money.

 

[DardiM]

Like I already said, there has been a lot of work done since this period, that also why I use VoodooShield Pro version (paid)

 

[Lucent Warrior]

That's an old bypass technique, top kek if it's still works.

BTW, a lot of people don't share exploits (some companies will pay you) they just wanna show off or sell them on black market with a lot of money.

Again, i call BS. When i test a product and bypass, i gladly hand the samples over to the Developer to fix it, i also do not cut a video during the test, i show the whole process. If this Author is not willing to do so, then his test means nothing.

 

[ExoGen CyberSecurity]

VoodooShield will block hollow processes by default so it's a small chance that will work now. It's the same thing with Comodo

Some DLL infection can bypass Comodo so everything is possible.

I would love to see the files from this test.

 

[DardiM]

I am making a Thread in the now present subforum of Voodooshield to address this once and for all. It has appeared in too many other topics, derailing them, im guilty of climbing aboard that train.

Information i have on this incident..

The video:


This supposed breach was done with version 2.50 of Voodooshield, VoodooAi was not yet incorporated into the product at that time.

The Developer does not believe his product to be completely bullet proof "have to give him credit for facing a reality that many Vendors ignore" and is always willing to listen to someone that may have found a bypass, so that he can correct it.

With this particular case, not enough information is available as the author of the video refused to cooperate, the video is cut short during the test on VS not allowing anyone to see what transpires past that point, and as read above, you would only be in trouble if you were using a Chinese version of windows and Internet Explorer

It is hard to take this seriously when the Author refused to share what he claimed to be a bypass and also did not finish the test in its entirety.

If you have any final words on this, please post them here, as to not derail any more topics. I personally am not putting any stock into it with the given circumstances. Unless the Author is willing to reproduce the test correctly, and or hand me the samples to produce a test with, im going to chalk it up as BS and move on.

In fact the link I posted is with tests from January, 25
and the video from April,1

 

[Lucent Warrior]

In fact the link I posted are with tests from January, 25
and in the video April,1

It does not matter, either test proves nothing really without its entirety, screenshots of Process Hacker are not enough to prove anything, matter of fact, i did not see VS processes in any of them, even though the first 3 clearly show pop ups of VS, the bottom screenshots could be from any test or product, which is why a full test needs to be completed correctly. Unless the Author learns of this debate and is willing to provide any of the required aspects to reproduce this correctly, i place no stock in it.

 

[DardiM]

It does not matter, either test proves nothing really without its entirety, screenshots of Process Hacker are not enough to prove anything, matter of fact, i did not see VS processes in any of them, even though the first 3 clearly show pop ups of VS, the bottom screenshots could be from any test or product, which is why a full test needs to be completed correctly. Unless the Author learns of this debate and is willing to provide any of the required aspects to reproduce this correctly, i place no stock in it.

Too many times have past since this period, if they had really been a problem (hard to be sure), I think all is good currently

 

[Lucent Warrior]

Too many times have past since this period, if they had really been a problem (hard to be sure), I think all is good presently

I agree as well, and wonder why this seems to keep popping up all over MT in other Topics. It is why i created this thread, it is a "Either put up or shut up" thread.

 

[hjlbx]

Again, i call BS. When i test a product and bypass, i gladly hand the samples over to the Developer to fix it, i also do not cut a video during the test, i show the whole process. If this Author is not willing to do so, then his test means nothing.

The infos were provided to the developer. Samples were provided - because I obtained copies and provided them to each of the vendors - but the samples are a moot point since the TMPXXX.tmps provided were not executables; the whole process needed to be obtained through the active webpage exploit.

It is up to each developer to do what it takes to replicate the issue - if that means installing Chinese WIndows and IE - and spend a lot of time on it - then that is what it takes. If the vendor does nothing with the infos, then they do nothing. The infos were submitted, and summarily dismissed. You can see it for yourself on Wilders.

It's certainly not the video author's fault that the exploit was only working on Chinese Windows... after all, malc0ders routinely exclude entire top domains from their attacks - for example, excluding all Russian IPs. And it certainly is not the author's fault that they weren't very good video-makers.

If a vendor is only willing to accept, and concede to, professional-grade reports, then they need to spend the money, and submit their wares to professional pen-testers - instead of gimmick contests using home testers. And therein, again lies the rub, if a home tester reports something, then the fact that they are home testers will almost certainly be snubbed because they are a home tester.

It's funny that the other two vendors reacted quite differently... but I expected that...

I have a friendship with @Lucent Warrior - and so he and I will agree to disagree. Of course he always has the option to meet-up and knuck me in the head - take my lumps (I'm more decrepit than he is...), get up and shake hands. Maybe try to scare him off first with my cane - but I think it won't work...

I understand the objections put forth by the vendor, people who love VS, and all that sort of thing. However, I got involved in it more in-depth and know what was said, not said, done and not done.

At this point it's really not worth my time-and-effort, because once again it is a fruitless situation. Pointing out something that someone should really have taken more seriously and put forth more effort - well I guess it just is what it is. Running user @qftest off certainly was one solution - and an established pattern of behavior.

VS is a good product. I recommend it. I've used it and probably will use it again at some point.

 

[Lucent Warrior]

The infos were provided to the developer. Samples were provided - because I obtained copies and provided them to each of the vendors - but the samples are a moot point since the TMPXXX.tmps provided were not executables; the whole process needed to be obtained through the active webpage exploit.

It is up to each developer to do what it takes to replicate the issue - if that means installing Chinese WIndows and IE - and spend a lot of time on it - then that is what it takes. If the vendor does nothing with the infos, then they do nothing. The infos were submitted, and summarily dismissed. You can see it for yourself on Wilders.

It's certainly not the video author's fault that the exploit was only working on Chinese Windows... after all, malc0ders routinely exclude entire top domains from their attacks - for example, excluding all Russian IPs. And it certainly is not the author's fault that they weren't very good video-makers.

If a vendor is only willing to accept, and concede to, professional-grade reports, then they need to spend the money, and submit their wares to professional pen-testers - instead of gimmick contests using home testers. And therein, again lies the rub, if a home tester reports something, then the fact that they are home testers will almost certainly be snubbed because they are a home tester.

It's funny that the other two vendors reacted quite differently... but I expected that...

Without the URL website and exploit, only having the payloads, the test can not be created exactly. My point to this thread, is, not only is this old, but obviously not done correctly, and every other mention of VS in this forum comes to an end with it can be bypassed by this above joke of a test. Unless someone can show me a REAL COMPLETE bypass, and or give me what they have found so i can produce it, then stating the Product CAN be bypassed in every thread on it needs to come to an end, because it does appear to be only Product bashing if those conditions can not be met.

 

[LabZero]

Difficult to consider the fully reliability of the video, but in my opinion, an exploit executing code that "could" bypass VS (by admitting that we well know how VS runs at the code level ) should use a buffer overflow vulnerability, based on a errors in the programming code, in which a buffer or an array, that is too much filled... and its content "falls" in a portions of the memory below it, then going to overwrite part of the code to be injected schellcode (hexadecimal code specifically designed to perform certain operations).

Technically, a vulnerability to which I am referring should have as requirements: the ability to use any byte (including NULL bytes), it must be caused by the non-controlled reading of bytes from a file
Or it could be a buffer overflow of char strings where it is not possible to use NULL bytes or, still worse, when the portion of code that is loaded in memory is too small.
These are just hypothesis, and I agree with @Lucent Warrior, because in this case it would be necessary to prove that the vulnerability actually exists and the exploit would be a proof of concept.

 

[askmark]

Personally, I don't understand how Dan (author of VS) is supposed to mitigate VS against a bypass that no one can reproduce. Having participated in the thread on WS I have absolutely no doubt that Dan would take any proven bypass very seriously and do everything he could to prevent it happening again.

 

[_CyberGhosT_]

Again, i call BS. When i test a product and bypass, i gladly hand the samples over to the Developer to fix it, i also do not cut a video during the test, i show the whole process. If this Author is not willing to do so, then his test means nothing.

It means nothing "if" you know what to look for, the video being made public in that condition didn't set off mental alarms
for those "wanting" to believe, but hey such is life.
I agree L'dub

 

[Windows_Security]

Personally, I don't understand how Dan (author of VS) is supposed to mitigate VS against a bypass that no one can reproduce.

Great answer

 

[Terry Ganzi]

People know Dan (author of VS) even if they wanted to believe what is being said, Dan work ethics alone should tell them that it is highly unlikely. All a person has to do is just mention a problem and Dan goes extra hard at finding and correcting it, just take a look over at WS and you would see this guy don't play. FACTS