Malware Hub Report VoodooShield 6 - December 2020 Report

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

danb

From VoodooShield
Verified
Developer
May 31, 2017
990
Another test (Always On + Aggressive), old signed exe (Fake Chrome), "even safer", provided by @silversurfer:

View attachment 250985View attachment 250986
It is even safer ;).


SS thought it was safe as well ;).
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
990
Joking aside, you guys will find instances where WLC returns a false negative, but I can assure everyone that it is quite uncommon simply because WLC is so cautious and conservative. The reason I know this is because I check often with the WLC monitor app, and I can immediately tell when someone is testing and how well WLC is doing. I can actually tighten WLC a bit more, but that would significantly increase the false positives. Either way, I keep a close eye on it and adjust it as required.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
990
Thank you guys! The version with the AutoPilot tweaks is ready, I will post it soon. But that is not going to completely fix the issue with digitally signed malware. For example, even with the new AutoPilot tweaks, merrychristmas.exe would have been blocked but happynewyear.exe would not have been. However, I think there might be a way to fix the issue, basically by only auto allowing files (when on AutoPilot) if the certificate authority is reputable. There might be other ways to fix this as well, I just have to figure out the best way to fix this issue.

This used to not be that big of an issue, but from what I understand, digitally signed malware is on the rise...

 

danb

From VoodooShield
Verified
Developer
May 31, 2017
990
Just a quick update on the certificate, it's now revoked.
View attachment 251245

View attachment 251246
The more research I do on signed malware, the more shocked I am. For example, the link in post #78 explains that roughly only 21% of abused sigs are revoked. I am confused as to why the industry as a whole has ignored this problem and have not revoked a much higher percentage of abused sigs. Then again, I was not aware that signed malware was becoming a big issue either, so I guess I understand why.

Anyway, I have started working on a permanent fix for this issue, and it should be ready in a few days. Please save a few really mean signed malware samples so we can test once this is implemented ;).
 

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,125
The more research I do on signed malware, the more shocked I am. For example, the link in post #78 explains that roughly only 21% of abused sigs are revoked. I am confused as to why the industry as a whole has ignored this problem and have not revoked a much higher percentage of abused sigs. Then again, I was not aware that signed malware was becoming a big issue either, so I guess I understand why.

Anyway, I have started working on a permanent fix for this issue, and it should be ready in a few days. Please save a few really mean signed malware samples so we can test once this is implemented ;).
Dan,

When I understand correctly, VoodooShield allows programs of same signer of already installed programs. For each individual VS user this is a tiny signature based whitelist which should have a small statistical chance of having signed malware. Espeacially when people combine VS with Microsoft Defender set on high with Configure Defender (the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion") the chance of already being infected with signed malware is near zero.

Paid user have the advantage of the larger based cloud whitelist of VS. I assume you have some sort of evaluation process before adding executables to teh cloud whitelist.

With this in mind you could replace the signed software option in your evaluation to a limited VS determined list and let your AI do the rest. With the tiny local signatire based white list and the 'moderated' cloud whitelist and a small VS trusted vendors list, I would say your AI engine could treat signed as just a data point in stead of the special (overweighed?) importance it gets in your AI-model right now.

When you would treat the "all other signatures" (meaning not on my tiny local list, not on your limited trusted vendors list and not on the cured/moderated large cloud whitelist) as just a data point, what could go wrong in terms of false positives? Treating "all other signatures"as just a data point, would probably result in bad VS-AI scores of signed malware (what I understood of signed malware, because it is signed, it uses few other obfuscation to hide it is malware)

Regards

Len
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,152

danb

From VoodooShield
Verified
Developer
May 31, 2017
990
Thank you guys... I will respond to the above posts asap, but I wanted to post the latest version for now.

 

harlan4096

Moderator
Verified
Staff member
Malware Hunter
Apr 28, 2015
7,398
@danb: I tried with the new build VS 6.07e the 2 rsw missed from small malware pack of 15/12/2020, I reset Whlisting and also cleared FireWall rules before testing, and still sample happynewyear.exe is missed (files encrypted, no warnings from VS) in AutoPilot + Relaxed Security Posture, the other one merrychristmas.exe this time is finally blocked...
 
Last edited:

danb

From VoodooShield
Verified
Developer
May 31, 2017
990
@danb: I tried with the new build VS 6.07e the 2 rsw missed from small malware pack of 15/12/2020, I reset Whlisting and also cleared FireWall rules before testing, and still sample happynewyear.exe is missed (files encrypted, no warnings from VS) in AutoPilot + Relaxed Security Posture, the other one merrychristmas.exe this time is finally blocked...
Thank you for checking! When you get a chance can you please send me the sample? There must be a simple explanation, and once I see the sample it should be pretty obvious. Thanks again!
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
990
Here is a version that fixes that last rule bug, thank you guys!

 

danb

From VoodooShield
Verified
Developer
May 31, 2017
990
Dan,

When I understand correctly, VoodooShield allows programs of same signer of already installed programs. For each individual VS user this is a tiny signature based whitelist which should have a small statistical chance of having signed malware. Espeacially when people combine VS with Microsoft Defender set on high with Configure Defender (the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion") the chance of already being infected with signed malware is near zero.

Paid user have the advantage of the larger based cloud whitelist of VS. I assume you have some sort of evaluation process before adding executables to teh cloud whitelist.

With this in mind you could replace the signed software option in your evaluation to a limited VS determined list and let your AI do the rest. With the tiny local signatire based white list and the 'moderated' cloud whitelist and a small VS trusted vendors list, I would say your AI engine could treat signed as just a data point in stead of the special (overweighed?) importance it gets in your AI-model right now.

When you would treat the "all other signatures" (meaning not on my tiny local list, not on your limited trusted vendors list and not on the cured/moderated large cloud whitelist) as just a data point, what could go wrong in terms of false positives? Treating "all other signatures"as just a data point, would probably result in bad VS-AI scores of signed malware (what I understood of signed malware, because it is signed, it uses few other obfuscation to hide it is malware)

Regards

Len
Sorry for the late replies, I have been tied up. Thank you for the info and suggestions, that helps a lot! What you suggested is similar to the way it works. When I get a chance, I will document how the new features work so we can all be on the same page. It will be a while before I get a chance to do so though.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
990
I see one very easy work-around, that won't increase VS false positives at all. Since Certum, the free Let's Encrypt! and the ex-Comodo CA, now Sectigo are most abused, VS can change the alerts. It can display something like "This file's digital signature is from a frequently-abused issuer. We highly recommend that you get a second opinion on VirusTotal".
Or "Safety of this file can't be guaranteed, as we've seen malicious software signed with certificate from <issuerName>. We highly recommend that you get a second opinion on VirusTotal."
In that case most users probably will click on that option and will see on VirusTotal that the file has detections already.
I would also add "Learn More" link, which will guide users to a web-page displaying why these digital signatures can't be fully trusted. These statistics from post 78 can be summarised on that page. This will increase user awareness and will eliminate frustration from seeing the alert.

A setting “Protect against digital signatures that might not be trustworthy” can be implemented for users to choose whether they want this alert.

On the backend, other procedures can be implemented to auto-report everything. User doesn't have to be involved in all that.
Thank you as well for the suggestions! I will probably implement the additional warning you suggested and possibly make this feature optional. We need to look at the numbers better though because while Sectigo has a high number of signed malware, it is my understanding that they are the largest cert provider. So we might want to look at the ratio of clean vs malicious signed files. Either way, when I have time, I will look closer at yours and Len's suggestions and see if we can optimize these new features a little better. Thank you guys!
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
990

danb

From VoodooShield
Verified
Developer
May 31, 2017
990
Hey guys, here is the latest... the user prompt for unsigned files is fixed as well ;).

 

danb

From VoodooShield
Verified
Developer
May 31, 2017
990
Oops, sorry, I forgot to mention... 6.10 still has a VoodooAi threshold of .75 for unsigned files when VS is in the Relaxed Security Posture. I have since changed it to .5, and that will be included in all new releases. The .5 threshold will block these samples, but I imagine you guys would be able to find samples that are not over the .5 threshold ;), so those would not be blocked. These samples would be extremely difficult to find, but I am certain they exist somewhere ;).

You guys have helped tremendously to harden the Relaxed security posture, because it need hardening after implementing WLC and all of the VS 6.0 changes, so I wanted to say thank you very much! VS really has always been about the locked modes, and I never got around to hardening the lower security postures, so this all worked out really, really well!

I hope that everyone understands that even though the lower security postures are now hardened and fine tuned now, there is still a possibility to bypass VS in the lower security postures. That is just the way malware detection is ;). Otherwise, everyone would just run VS in the relaxed security posture ;).

We will probably do one more release before the public release, just to double check the last bypass. I hope to have that version in the next day or so... I am right in the middle of the code conversion and things are going to get really confusing if I am not careful ;). Thanks again for all of your help!
 
Top