Malware Hub Report VoodooShield 6 - December 2020 Report

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Apr 28, 2015
7,449
68,736
  • Thread starter
  • Moderator
  • #41
I still don't know, the truth is that VS tagged them as Safe in static scan, so when executed it seems it let them do "almost" everything...
I said "almost everything", because in the cases of the other 2 signed exes, VS blocked something, but in the case of the 1st sample I did not get any warning from VS, and got the system encrypted...
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,102
6,463
Yeah, it looks like tretg45 blew right past everything, including SS. Like I was saying in post #9, signed files that are valid and verified are extremely difficult to detect as malware pre-execution. Especially if you are running VS on AutoPilot, it really needs to be paired with a robust AV with post-execution mitigations. This file probably would have bypassed AutoPilot even on the Aggressive security posture. If you guys happen to test this as well, please let me know.

The good news is... at least this confirms that malware detection has not sufficiently advanced to the point to where we do not need to lock our computers (with an initial non-affirmative mini prompt of course) ;).

We could test VS in the default aggressive modes and security postures, but how much fun would that be? ;). I imagine most people are curious how well VS does when set to the least aggressive modes and security postures, but if this is not the case, maybe users can suggest how they would like to see VS configured while testing. Thank you guys for testing! If anyone testing needs a Pro license, please PM me.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,102
6,463
Even with relaxed mode the file has to be labeled from whitelist cloud as safe. At least that's what the "relaxed mode" description says. And since whitelist cloud should only allow known safe files I'm curious what happened :)
Yeah, I hear you ;). WLC is super cautious and conservative, but it will never be absolutely perfect, especially with valid and verified signed files that bypass SS. And remember, WLC is a work in progress ;).
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,102
6,463
Similar result with AutoPilot + Aggressive (Default), no warnings:

[attachment 250841]
Yeah, tretg45 was signed with an EV cert, and overcoming this with static detection would be extremely difficult. The good news is that EV signed malware is extremely uncommon because no one is going to waste the money on an EV cert to sign malware, especially when the cert is going to be terminated and everyone will know exactly who created the malware. After researching the file, I am guessing this was some kind of POC malware or something created and signed by OOO Inversum, and apparently they created at least two other EV signed malware samples. Do you guys know anything else about this file? Also, do you guys have any other EV signed malware you can try? Thank you!
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,102
6,463
Sure, the hash I have for the file is: 1a11f48cbdd0a8f256f4940d8e8dcf0ead80cbfdb6d6dd87c8b9b945c4051631 as well.

Thanks for the info, that is very helpful!

Certum issued the EV cert... I wonder if this is an ongoing issue with them or just an isolated incident. If this is an ongoing issue, we can invalidate anything signed with a Certum cert.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,102
6,463
I went to Certum website to see how difficult it is to order an EV cert and compared it with DigiCert. From the looks of it, I think it is easier to order an EV cert from Certum. BTW, WLC already distinguishes between EV and standard code signing certs, but VS does not. I am thinking of how we might be able to mitigate this in VS and WLC, just in case EV certs become easy to obtain.

Anyway, you guys might find this to be funny...

[image: digicert.PNG]
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,102
6,463
I just tested tretg45.exe in ON / Aggressive and it was blocked. It shows up in Process Explorer as a suspended process, but VS denies process creation and blocks the file. Is this what you are seeing?
 

silversurfer

Level 76
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,588
71,542

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,483
46,131
This is the actual sample that bypassed VS and encrypted the system (Nemty ransomware, not Bazarloader):


Another thing! Avoid derailing from the actual main topic of this thread. Speculating on countries/buildings etc. works better in another thread of its own and will be cleaned out if it doesn't stop. The Hub's report threads are created to help, not confuse.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,102
6,463
Just to make another point more clear to everyone who may not have known about or seen this test:
https://malwaretips.com/threads/age...-sload-trickbot-11-12-2020.105652/post-918298

eddr45.exe #Nemty Ransomware (signed) was the first bypass on VoodooShield: some files got encrypted... but it's signed without an "Extended Validation Certificate"

This is odd, here is what I am seeing on my end. The pink items were detected as Not Safe by WLC, so they should have been blocked, even if VS was on AutoPilot / Relaxed. Either way I would like to figure this out so that we can ensure the Relaxed security posture code segment is working properly. I have not been able to find a sample for eddr45.exe, can someone please PM me one? Thank you!

[image: results.PNG]
 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Apr 28, 2015
7,449
68,736
  • Thread starter
  • Moderator
  • #57
Ok, I re-tested eddr45.exe: Always On + Aggressive:

I started the clean snapshot, changed to On + Aggressive and Reset WhiteList, I had to unlock Process Explorer and TCPView because VS blocked them on execution :D

[image: 1607879180212.png]

I don't know why, but the other day I did the same and VS did not block it, I even disabled some "Allow settings" trying to get VS even more strict, but in all cases got the same result, maybe the VM was unstable or VS, don't know 🤔
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,102
6,463
Just to make another point more clear to everyone who may not have known about or seen this test:
https://malwaretips.com/threads/age...-sload-trickbot-11-12-2020.105652/post-918298

eddr45.exe #Nemty Ransomware (signed) was the first bypass on VoodooShield: some files got encrypted... but it's signed without an "Extended Validation Certificate"

I reviewed the VS code and figured out why eddr45.exe was allowed on AutoPilot. Basically, there is an old hardcoded rule in VS when it is on AutoPilot where if the sig is verified and VoodooAi is < 0.3333, then it will be allowed... this is another bug left over from when we replaced VT with WLC. Thank you guys for finding this, I am fixing it right now!
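To make the bug danb describes concrete, here is an added illustration that is not VoodooShield's code: a small model of the AutoPilot pre-execution decision with the leftover rule reconstructed from the post (verified signature plus VoodooAi below 0.3333 allows, even over a WLC "Not Safe" verdict), next to one plausible corrected rule where an explicit WLC "Not Safe" always wins. The Candidate fields, the score scale, the sample files and the "fixed" rule are all assumptions for illustration; the 0.3333 threshold and the names VoodooAi and WLC come from the thread. The EV flag is recorded because WLC distinguishes EV from standard certs, but, as danb notes, VS itself does not use it, so neither rule here consults it.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Candidate:
    """Pre-execution facts about a file (constructed model, not VS's real data structure)."""
    name: str
    sig_verified: bool      # Authenticode signature present and chain valid
    ev_cert: bool           # signer used an EV code-signing cert (WLC tracks this, VS does not)
    voodooai: float         # VoodooAi score; lower = more benign-looking (assumed 0.0..1.0 scale)
    wlc: Optional[str]      # WhitelistCloud verdict: "Safe", "Not Safe", or None when unknown


LEGACY_AI_THRESHOLD = 0.3333  # value quoted in danb's post


def legacy_autopilot_allows(c: Candidate) -> bool:
    """Reconstruction of the AutoPilot path described in the post.

    The second branch is the leftover hard-coded rule from the VirusTotal era:
    a verified signature plus a low VoodooAi score is enough to allow the file,
    regardless of what WLC said about it.
    """
    if c.wlc == "Safe":
        return True
    if c.sig_verified and c.voodooai < LEGACY_AI_THRESHOLD:
        return True
    return False


def fixed_autopilot_allows(c: Candidate) -> bool:
    """One plausible fix (an assumption, not VS's actual patch).

    An explicit WLC "Not Safe" verdict always blocks, the signature/score
    shortcut is gone, and a file WLC has not classified is not auto-allowed
    (it falls through to the block/prompt path).
    """
    if c.wlc == "Not Safe":
        return False
    return c.wlc == "Safe"


def audit(cases: List[Candidate]) -> List[str]:
    """Names of files the legacy rule auto-allowed that the fixed rule does not."""
    return [c.name for c in cases
            if legacy_autopilot_allows(c) and not fixed_autopilot_allows(c)]


# Constructed sample set modelled on the two files discussed in the thread.
SAMPLES = [
    # eddr45-like: standard (non-EV) signature verified, low score, WLC says Not Safe.
    Candidate("eddr45_like.exe", sig_verified=True, ev_cert=False, voodooai=0.20, wlc="Not Safe"),
    # tretg45-like: EV-signed and WLC tagged it Safe, so both rules allow it;
    # this is the case only post-execution mitigations can catch.
    Candidate("tretg45_like.exe", sig_verified=True, ev_cert=True, voodooai=0.10, wlc="Safe"),
    # Unsigned and unknown to WLC: neither rule auto-allows.
    Candidate("unknown_tool.exe", sig_verified=False, ev_cert=False, voodooai=0.50, wlc=None),
    # Verified signature, unknown to WLC, low score: legacy allowed on the signature alone.
    Candidate("signed_unknown.exe", sig_verified=True, ev_cert=False, voodooai=0.30, wlc=None),
]


if __name__ == "__main__":
    for c in SAMPLES:
        print(f"{c.name:20} legacy={legacy_autopilot_allows(c)!s:5} fixed={fixed_autopilot_allows(c)}")
    print("auto-allows removed by the fix:", audit(SAMPLES))
```

Running it shows the eddr45-like file slipping through the legacy rule on its signature alone while the corrected rule honours the WLC verdict, and it also shows why the EV-signed tretg45-like file is unaffected by this fix: WLC itself tagged it Safe, so the gap there is a whitelist/verification problem rather than a rule-ordering bug.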
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
1,102
6,463
Ok, I re-tested eddr45.exe: Always On + Aggressive:

I started the clean snapshot, changed to On + Aggressive and Reset WhiteList, I had to unlock Process Explorer and TCPView because VS blocked them on execution :D

[attachment 250980]

I don't know why, but the other day I did the same and VS did not block it, I even disabled some "Allow settings" trying to get VS even more strict, but in all cases got the same result, maybe the VM was unstable or VS, don't know 🤔
Very cool, thank you for letting me know! I know what you mean, odd things happen when testing. Either way, I am super happy that you guys are finding things for me to fix... I was not kidding when I was saying that VS was overdue for a good workout ;), especially with all of the changes that have been made recently (especially the VT to WLC conversion). Thanks again!
 