- Apr 28, 2015
- 8,916
I said "almost everything", because in the cases of the others 2 signed exes, VS blocked something but in the case of 1st sample I did not get any warning from VS, and got system encrypted...
VoodooShield 6 - December 2020 Report
- Thread starter harlan4096
- Start date
- May 31, 2017
- 1,725
Yeah, it looks like tretg45 blew right past everything, including SS. Like I was saying in post #9, signed files that are valid and verified are extremely difficult to detect as malware pre-execution. Especially if you are running VS on AutoPilot, it really needs to be paired with a robust AV with post-execution mitigations. This file probably would have bypassed AutoPilot even on the Aggressive security posture. If you guys happen to test this as well, please let me know.
The good news is... at least this confirms that malware detection has not sufficiently advanced to the point to where we do not need to lock our computers (with an initial non-affirmative mini prompt of course)
.
We could test VS in the default aggressive modes and security postures, but how much fun would that be?. I imagine most people are curious how well VS does when set to the least aggressive modes and security postures, but if this is not the case, maybe users can suggest how they would like to see VS configured while testing. Thank you guys for testing! If anyone testing needs a Pro license, please PM me.
The good news is... at least this confirms that malware detection has not sufficiently advanced to the point to where we do not need to lock our computers (with an initial non-affirmative mini prompt of course)
.We could test VS in the default aggressive modes and security postures, but how much fun would that be?
. I imagine most people are curious how well VS does when set to the least aggressive modes and security postures, but if this is not the case, maybe users can suggest how they would like to see VS configured while testing. Thank you guys for testing! If anyone testing needs a Pro license, please PM me.
- Apr 28, 2015
- 8,916
I will try later in Agressive Mode...
- May 31, 2017
- 1,725
Yeah, I hear youEven with relaxed mode the file has to be labeled from whitelist cloud as safe. Atleast thats what the "relaxed mode" discription says. And since whitelist cloud should only allow known safe files im curious what happened
. WLC is super cautious and conservative, but it will never be absolutely perfect, especially with valid and verified signed files that bypass SS. And remember, WLC is a work in progress .
- Mar 29, 2018
- 7,625
If it were you would have retired to Bali after the $$$$$$$$$$$$$$$$$ buyout by MegaCorp!
- May 31, 2017
- 1,725
Yeah, I would sell all of my computers and tech and run a nice little hot dog stand on the beachIf it were you would have retired to Bali after the $$$$$$$$$$$$$$$$$ buyout by MegaCorp!
.
- Apr 28, 2015
- 8,916
Similar result with AutoPilot + Aggressive (Default), no warnings:
Last edited:
- May 31, 2017
- 1,725
Yeah, tretg45 was signed with an EV cert, and overcoming this with static detection would be extremely difficult. The good news is that EV signed malware is extremely uncommon because no one is going to waste the money on an EV cert to sign malware, especially when the cert is going to be terminated and everyone will know exactly who created the malware. After researching the file, I am guessing this was some kind of POC malware or something created and signed by OOO Inversum, and apparently they created at least two other EV signed malware samples. Do you guys know anything else about this file? Also, do you guys have any other EV signed malware you can try? Thank you!
- May 31, 2017
- 1,725
Sure, the hash I have for the file is: 1a11f48cbdd0a8f256f4940d8e8dcf0ead80cbfdb6d6dd87c8b9b945c4051631 as well.
Thanks for the info, that is very helpful!
Certum issued the EV cert... I wonder if this is an ongoing issue with them or just an isolated incident. If this is an ongoing issue, we can invalidate anything signed with a Certum cert.
Thanks for the info, that is very helpful!
Certum issued the EV cert... I wonder if this is an ongoing issue with them or just an isolated incident. If this is an ongoing issue, we can invalidate anything signed with a Certum cert.
- May 31, 2017
- 1,725
I went to Certum website to see how difficult it is to order an EV cert and compared it with DigiCert. From the looks of it, I think it is easier to order an EV cert from Certum. BTW, WLC already distinguishes between EV and standard code signing certs, but VS does not. I am thinking of how we might be able to mitigate this in VS and WLC, just in case EV certs become easy to obtain.
Anyway, you guys might find this to be funny...
Anyway, you guys might find this to be funny...
- Apr 28, 2015
- 8,916
Hum I tested in Always On with Agressive and also bypassed 
- May 31, 2017
- 1,725
Something is not right, when VS is ON / Aggressive it should block tretg45.exe. Did you reset the whitelist between tests?Hum I tested in Always On with Agressive and also bypassed
- May 31, 2017
- 1,725
I just tested tretg45.exe in ON / Aggressive and it was blocked. It shows up in Process Explorer as a suspended process, but VS denies process creation and blocks the file. Is this what you are seeing?
- Aug 17, 2014
- 11,130
Just to make another point more clear to everyone who may didn't know or seen on this test:
https://malwaretips.com/threads/age...-sload-trickbot-11-12-2020.105652/post-918298
eddr45.exe #Nempty Ransomware (signed) was the first bypass on VoodoShield: some files got encrypted... but it's signed without "Extended Validation Certificate"
https://malwaretips.com/threads/age...-sload-trickbot-11-12-2020.105652/post-918298
eddr45.exe #Nempty Ransomware (signed) was the first bypass on VoodoShield: some files got encrypted... but it's signed without "Extended Validation Certificate"
- Jul 27, 2015
- 5,458
This is the actual sample that bypassed VS and encrypted the system ( Nemty ransomware, Not Bazarloader ) :
Another thing! Avoid derail from the actual main topic of this thread. Start speculating on countries/buildings etc, works better in another thread of it's own and will be cleaned out of if don't stop. The Hubs report threads are created to help, not confuse.
Another thing! Avoid derail from the actual main topic of this thread. Start speculating on countries/buildings etc, works better in another thread of it's own and will be cleaned out of if don't stop. The Hubs report threads are created to help, not confuse.
- May 31, 2017
- 1,725
This is odd, here is what I am seeing on my end. The pink items were detected as Not Safe by WLC, so they should have been blocked, even if VS was on AutoPilot / Relaxed. Either way I would like to figure this out so that we can ensure the Relaxed security posture code segment is working properly. I have not been able to find a sample for eddr45.exe, can someone please pm me one? Thank you!Just to make another point more clear to everyone who may didn't know or seen on this test:
https://malwaretips.com/threads/age...-sload-trickbot-11-12-2020.105652/post-918298
eddr45.exe #Nempty Ransomware (signed) was the first bypass on VoodoShield: some files got encrypted... but it's signed without "Extended Validation Certificate"
- Apr 28, 2015
- 8,916
Ok, I re tested eddr45.exe: Always On + Aggressive:
I started the clean-snap shot, changed to On + Aggressive and Reset WhiteList, I had to unlock Process Explorer and TCPView because VS blocked them on execution
I don't know why, but the other day I did the same and VS did not block it, I even disabled some "Allow settings" trying to get VS even more strict, but in all got the same result, maybe the VM was unstable or VS, don't know
I started the clean-snap shot, changed to On + Aggressive and Reset WhiteList, I had to unlock Process Explorer and TCPView because VS blocked them on execution
I don't know why, but the other day I did the same and VS did not block it, I even disabled some "Allow settings" trying to get VS even more strict, but in all got the same result, maybe the VM was unstable or VS, don't know
- May 31, 2017
- 1,725
I reviewed the VS code and figured out why eddr45.exe was allowed on AutoPilot. Basically, there is an old hardcoded rule in VS when it is on AutoPilot where if the sig is verified and VoodooAi is < 0.3333, then it will be allowed... this is another bug left over from when we replaced VT with WLC. Thank you guys for finding this, I am fixing it right now!Just to make another point more clear to everyone who may didn't know or seen on this test:
https://malwaretips.com/threads/age...-sload-trickbot-11-12-2020.105652/post-918298
eddr45.exe #Nempty Ransomware (signed) was the first bypass on VoodoShield: some files got encrypted... but it's signed without "Extended Validation Certificate"
- May 31, 2017
- 1,725
Very cool, thank you for letting me know! I know what you mean, odd things happen when testing. Either way, I am super happy that you guys are finding things for me to fix... I was not kidding when I was saying that VS was overdue for a good workoutOk, I re tested eddr45.exe: Always On + Aggressive:
I started the clean-snap shot, changed to On + Aggressive and Reset WhiteList, I had to unlock Process Explorer and TCPView because VS blocked them on execution
View attachment 250980
I don't know why, but the other day I did the same and VS did not block it, I even disabled some "Allow settings" trying to get VS even more strict, but in all got the same result, maybe the VM was unstable or VS, don't know
, especially with all of the changes that have been made recently (especially the VT to WLC conversion). Thanks again!
- Apr 28, 2015
- 8,916
Another test (Always On + Aggressive), old signed exe (Fake Chrome), "even safer", provided by @silversurfer:
Similar threads
