Take caution! VoodooShield and WinRAR


TheMalwareMaster

Thread author
This morning, a Facebook user alerted me about a possible security problem with VoodooShield Free, because parent process is on by default. This was done using WinRAR. Since it's popular software, I decided to share the results with you. This could be a huge problem, since most ransomware is usually delivered by email using archives, and a lot of people use WinRAR.
Steps done in the test:
1) Installed WinRAR
2) Installed VoodooShield on Autopilot
3) Tested VoodooShield against CDBurnerXP, using the version bundled with adware

Here are the results:

1) I launched the main EXE to check if VoodooShield was working, and it blocked it successfully.
case1.PNG
2) I created a WinRAR archive and ran the file directly from inside the archive, exactly as a beginner would do, and... no alerts!
case2.PNG
3) I created a zip archive, then removed WinRAR and tried to open it with the default Windows option. Blocked.
case3.PNG

Let me know your thoughts. Regards,
TheMalwareMaster

SHvFl

It's not a bypass. It's a known fact about how VS works, and we have talked about it a million times. You have whitelist by parent on. WinRAR is whitelisted, so when you double click on the program within a rar it launches as a child and automatically gets whitelisted. It runs, the end.
Go into settings and change the mentioned setting if you don't want it to act like this.

SHvFl

I expressed myself badly. Yeah, it's not a bypass, but it can be risky using VS Free if running WinRAR.
But it's not just WinRAR. If malware that forces legit applications to launch it is a thing again, it will be worse. That setting in VS needs to be off by default, and maybe Dan will do it one day.
He probably doesn't atm to minimize alerts.
 

TheMalwareMaster

Thread author
I have notified Dan about this workaround and he confirmed that this will be fixed in the next version (exclude the .rar extension from the parent process feature). He will also investigate other compression filetypes.
Thanks a lot for your help. He said the issue will be fixed. The irony is that I still can't post on that forum, for no reason. VoodooShield?
 

codswollip

I have notified Dan about this workaround and he confirmed that this will be fixed in the next version (exclude the .rar extension from the parent process feature). He will also investigate other compression filetypes.
If I understand correctly this involves parent/child relationship. The zip archive created for step 3 (in OP) would have done the same had WinRAR been used to open the zip. This is about excluding "safe" apps from the parent/child inheritance.

Excluding the *.rar extension is just treating the symptoms. Either uncheck the parent/child option or else create an exclusion feature for that option. I'm sure Dan will figure out an even better solution once he's had time to soak on it.
 

enaph

If I understand correctly this involves parent/child relationship. The zip archive created for step 3 (in OP) would have done the same had WinRAR been used to open the zip. This is about excluding "safe" apps from the parent/child inheritance.

Excluding the *.rar extension is just treating the symptoms. Either uncheck the parent/child option or else create an exclusion feature for that option. I'm sure Dan will figure out an even better solution once he's had time to soak on it.
Archives should never be considered applications in the case of whitelisting.
 

reboot

It's not a bypass. It's a known fact about how VS works, and we have talked about it a million times. You have whitelist by parent on. WinRAR is whitelisted, so when you double click on the program within a rar it launches as a child and automatically gets whitelisted. It runs, the end.
Go into settings and change the mentioned setting if you don't want it to act like this.

So as an example (and for clarification) one could be using a download manager like IDM and strike the same problem. It is not just archive software.
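To make the point raised by codswollip, enaph and reboot concrete, here is an added toy model of "whitelist by parent" trust inheritance. It is not VoodooShield's code; the paths, the policy names and the rule that shell launches never pass trust on are constructed assumptions. It shows why excluding only the WinRAR parent treats the symptom: a trusted download manager still hands its trust to whatever it spawns.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed baseline whitelist: paths are placeholders, not real VoodooShield data.
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
IDM = r"C:\Program Files\Internet Download Manager\IDMan.exe"
TRUSTED = {WINRAR, IDM}
# Assumption: launches from the shell are the user's own, so the launched executable
# is judged on its own merits (matching cases 1 and 3 in the thread, which were blocked).
SHELL = r"C:\Windows\explorer.exe"


@dataclass
class Proc:
    path: str
    parent: Optional["Proc"] = None


def allowed(p: Proc, mode: str) -> bool:
    """Decide whether p may run.

    mode: 'parent_on'      - trust inherited from any trusted parent (the default)
          'exclude_winrar' - as above, but WinRAR no longer passes trust on
          'parent_off'     - no inheritance; only whitelisted executables run
    """
    if p.path in TRUSTED:
        return True
    if mode == "parent_off" or p.parent is None or p.parent.path == SHELL:
        return False
    if mode == "exclude_winrar" and p.parent.path == WINRAR:
        return False
    # A trusted parent (or one that itself inherited trust) passes it to its child.
    return allowed(p.parent, mode)


def scenarios() -> Dict[Tuple[str, str], bool]:
    """Replay the thread's three launch paths under each policy."""
    shell = Proc(SHELL)
    payload = r"C:\Users\me\Downloads\cdburnerxp_setup.exe"  # constructed path
    launches = {
        "direct": Proc(payload, shell),                # cases 1 and 3: run from Explorer
        "winrar": Proc(payload, Proc(WINRAR, shell)),  # case 2: run from inside WinRAR
        "idm": Proc(payload, Proc(IDM, shell)),        # reboot's download-manager example
    }
    return {(mode, name): allowed(proc, mode)
            for mode in ("parent_on", "exclude_winrar", "parent_off")
            for name, proc in launches.items()}


if __name__ == "__main__":
    for (mode, name), ok in sorted(scenarios().items()):
        print(f"{mode:15} {name:7} {'runs' if ok else 'blocked'}")
```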

reboot

It applies only for programs that are trusted that execute another program as a child process.

Sorry, in the example I gave I assumed that IDM was trusted. If I execute a program within or with IDM, could one consider that to be a child process?