Malware Hub Report VoodooShield 6 - December 2020 Report

[danb]

Another test (Always On + Aggressive), old signed exe (Fake Chrome), "even safer", provided by @silversurfer:

View attachment 250985View attachment 250986

It is even safer .

Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'https://bitbucket.org/example123321/download/downloads/foldingathomeapp.exe'

Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

www.hybrid-analysis.com

SS thought it was safe as well .

 

[danb]

Joking aside, you guys will find instances where WLC returns a false negative, but I can assure everyone that it is quite uncommon simply because WLC is so cautious and conservative. The reason I know this is because I check often with the WLC monitor app, and I can immediately tell when someone is testing and how well WLC is doing. I can actually tighten WLC a bit more, but that would significantly increase the false positives. Either way, I keep a close eye on it and adjust it as required.

 

[danb]

Thank you guys! The version with the AutoPilot tweaks is ready, I will post it soon. But that is not going to completely fix the issue with digitally signed malware. For example, even with the new AutoPilot tweaks, merrychristmas.exe would have been blocked but happynewyear.exe would not have been. However, I think there might be a way to fix the issue, basically by only auto allowing files (when on AutoPilot) if the certificate authority is reputable. There might be other ways to fix this as well, I just have to figure out the best way to fix this issue.

This used to not be that big of an issue, but from what I understand, digitally signed malware is on the rise...

Attackers Are Signing Malware With Valid Certificates

There used to be a time when malware signed with a legitimate certificate was the mark of a sophisticated, nation-state-backed attacker. Now anyone can have signed malware.

duo.com

 

[danb]

VoodooShield Latest

@danb does VS alert user to new Not Safe items detected on WLC scans without tray icon running? :unsure: i.e. with "Show WhitelistCloud try icon" > Off and "Notify me when new Not Safe items are detected on scans" > On? I've never seen a notification other than WLC tray icon.

malwaretips.com

 

[danb]

Just a quick update on the certificate, it's now revoked.
View attachment 251245

View attachment 251246

The more research I do on signed malware, the more shocked I am. For example, the link in post #78 explains that roughly only 21% of abused sigs are revoked. I am confused as to why the industry as a whole has ignored this problem and have not revoked a much higher percentage of abused sigs. Then again, I was not aware that signed malware was becoming a big issue either, so I guess I understand why.

Anyway, I have started working on a permanent fix for this issue, and it should be ready in a few days. Please save a few really mean signed malware samples so we can test once this is implemented .

 

[Lenny_Fox]

The more research I do on signed malware, the more shocked I am. For example, the link in post #78 explains that roughly only 21% of abused sigs are revoked. I am confused as to why the industry as a whole has ignored this problem and have not revoked a much higher percentage of abused sigs. Then again, I was not aware that signed malware was becoming a big issue either, so I guess I understand why.

Anyway, I have started working on a permanent fix for this issue, and it should be ready in a few days. Please save a few really mean signed malware samples so we can test once this is implemented .

Dan,

When I understand correctly, VoodooShield allows programs of same signer of already installed programs. For each individual VS user this is a tiny signature based whitelist which should have a small statistical chance of having signed malware. Espeacially when people combine VS with Microsoft Defender set on high with Configure Defender (the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion") the chance of already being infected with signed malware is near zero.

Paid user have the advantage of the larger based cloud whitelist of VS. I assume you have some sort of evaluation process before adding executables to teh cloud whitelist.

With this in mind you could replace the signed software option in your evaluation to a limited VS determined list and let your AI do the rest. With the tiny local signatire based white list and the 'moderated' cloud whitelist and a small VS trusted vendors list, I would say your AI engine could treat signed as just a data point in stead of the special (overweighed?) importance it gets in your AI-model right now.

When you would treat the "all other signatures" (meaning not on my tiny local list, not on your limited trusted vendors list and not on the cured/moderated large cloud whitelist) as just a data point, what could go wrong in terms of false positives? Treating "all other signatures"as just a data point, would probably result in bad VS-AI scores of signed malware (what I understood of signed malware, because it is signed, it uses few other obfuscation to hide it is malware)

Regards

Len

 

[Andy Ful]

I am not sure if this will help much. It is easy to buy the EV or another certificate on the Deep Web. In fact, the Comodo and Thafte are probably most abused:
Understanding Code Signing Abuse in Malware Campaigns (trendmicro.com)
Issued for Abuse: Measuring the Underground Trade in Code Signing Certificates (arxiv.org)
Black Market of Code signings certs (owasp.org)

 

[danb]

Thank you guys for the info and suggestions, as soon as I wrap up this version we can figure this stuff out. It should be ready within a day or two, it is turning out pretty cool.

 

[danb]

Thank you guys... I will respond to the above posts asap, but I wanted to post the latest version for now.

VoodooShield Latest

@danb does VS alert user to new Not Safe items detected on WLC scans without tray icon running? :unsure: i.e. with "Show WhitelistCloud try icon" > Off and "Notify me when new Not Safe items are detected on scans" > On? I've never seen a notification other than WLC tray icon.

malwaretips.com

 

[danb]

VoodooShield Latest

@danb does VS alert user to new Not Safe items detected on WLC scans without tray icon running? :unsure: i.e. with "Show WhitelistCloud try icon" > Off and "Notify me when new Not Safe items are detected on scans" > On? I've never seen a notification other than WLC tray icon.

malwaretips.com

 

[harlan4096]

@danb: I tried with the new build VS 6.07e the 2 rsw missed from small malware pack of 15/12/2020, I reset Whlisting and also cleared FireWall rules before testing, and still sample happynewyear.exe is missed (files encrypted, no warnings from VS) in AutoPilot + Relaxed Security Posture, the other one merrychristmas.exe this time is finally blocked...

 

[danb]

@danb: I tried with the new build VS 6.07e the 2 rsw missed from small malware pack of 15/12/2020, I reset Whlisting and also cleared FireWall rules before testing, and still sample happynewyear.exe is missed (files encrypted, no warnings from VS) in AutoPilot + Relaxed Security Posture, the other one merrychristmas.exe this time is finally blocked...

Thank you for checking! When you get a chance can you please send me the sample? There must be a simple explanation, and once I see the sample it should be pretty obvious. Thanks again!

 

[danb]

BTW, I tested the happynewyear.exe sample and I see what the issue is... the default VoodooShield Rule for AutoPilot allows this item, so I need to fix that! Thank you for catching this!

 

[danb]

Here is a version that fixes that last rule bug, thank you guys!

VoodooShield Latest

@danb does VS alert user to new Not Safe items detected on WLC scans without tray icon running? :unsure: i.e. with "Show WhitelistCloud try icon" > Off and "Notify me when new Not Safe items are detected on scans" > On? I've never seen a notification other than WLC tray icon.

malwaretips.com

 

[danb]

Dan,

When I understand correctly, VoodooShield allows programs of same signer of already installed programs. For each individual VS user this is a tiny signature based whitelist which should have a small statistical chance of having signed malware. Espeacially when people combine VS with Microsoft Defender set on high with Configure Defender (the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion") the chance of already being infected with signed malware is near zero.

Paid user have the advantage of the larger based cloud whitelist of VS. I assume you have some sort of evaluation process before adding executables to teh cloud whitelist.

With this in mind you could replace the signed software option in your evaluation to a limited VS determined list and let your AI do the rest. With the tiny local signatire based white list and the 'moderated' cloud whitelist and a small VS trusted vendors list, I would say your AI engine could treat signed as just a data point in stead of the special (overweighed?) importance it gets in your AI-model right now.

When you would treat the "all other signatures" (meaning not on my tiny local list, not on your limited trusted vendors list and not on the cured/moderated large cloud whitelist) as just a data point, what could go wrong in terms of false positives? Treating "all other signatures"as just a data point, would probably result in bad VS-AI scores of signed malware (what I understood of signed malware, because it is signed, it uses few other obfuscation to hide it is malware)

Regards

Len

Sorry for the late replies, I have been tied up. Thank you for the info and suggestions, that helps a lot! What you suggested is similar to the way it works. When I get a chance, I will document how the new features work so we can all be on the same page. It will be a while before I get a chance to do so though.

 

[danb]

I see one very easy work-around, that won't increase VS false positives at all. Since Certum, the free Let's Encrypt! and the ex-Comodo CA, now Sectigo are most abused, VS can change the alerts. It can display something like "This file's digital signature is from a frequently-abused issuer. We highly recommend that you get a second opinion on VirusTotal".
Or "Safety of this file can't be guaranteed, as we've seen malicious software signed with certificate from <issuerName>. We highly recommend that you get a second opinion on VirusTotal."
In that case most users probably will click on that option and will see on VirusTotal that the file has detections already.
I would also add "Learn More" link, which will guide users to a web-page displaying why these digital signatures can't be fully trusted. These statistics from post 78 can be summarised on that page. This will increase user awareness and will eliminate frustration from seeing the alert.

A setting “Protect against digital signatures that might not be trustworthy” can be implemented for users to choose whether they want this alert.

On the backend, other procedures can be implemented to auto-report everything. User doesn't have to be involved in all that.

Thank you as well for the suggestions! I will probably implement the additional warning you suggested and possibly make this feature optional. We need to look at the numbers better though because while Sectigo has a high number of signed malware, it is my understanding that they are the largest cert provider. So we might want to look at the ratio of clean vs malicious signed files. Either way, when I have time, I will look closer at yours and Len's suggestions and see if we can optimize these new features a little better. Thank you guys!

 

[danb]

I am not sure if this will help much. It is easy to buy the EV or another certificate on the Deep Web. In fact, the Comodo and Thafte are probably most abused:
Understanding Code Signing Abuse in Malware Campaigns (trendmicro.com)
Issued for Abuse: Measuring the Underground Trade in Code Signing Certificates (arxiv.org)
Black Market of Code signings certs (owasp.org)

That certainly makes sense... thanks for the info!

 

[danb]

Hey guys, here is the latest... the user prompt for unsigned files is fixed as well .

VoodooShield Latest

@danb I can verify the WLC notification is working in the situation I described above. When I inspected WLC component the unsafe files firewall inbound/outbound rules were both checked. Is this supposed to happen when I have "Create FW rules for unsafe items" unchecked? :unsure: If so, why?

malwaretips.com

 

[harlan4096]

@danb:

I've just re-tested the rsw malware (not signed) missed yesterday in AutoPilot (Relaxed + Aggressive), with new build VS 6.10, and I got same results:

Blocked -> Always ON (Aggressive + Relaxed).

Missed -> AutoPilot (Aggressive + Relaxed).

 

[danb]

Oops, sorry, I forgot to mention... 6.10 still has a VoodooAi threshold of .75 for unsigned files when VS is in the Relaxed Security Posture. I have since changed it to .5, and that will be included in all new releases. The .5 threshold will block these samples, but I imagine you guys would be able to find samples that are not over the .5 threshold , so those would not be blocked. These samples would be extremely difficult to find, but I am certain they exist somewhere .

You guys have helped tremendously to harden the Relaxed security posture, because it need hardening after implementing WLC and all of the VS 6.0 changes, so I wanted to say thank you very much! VS really has always been about the locked modes, and I never got around to hardening the lower security postures, so this all worked out really, really well!

I hope that everyone understands that even though the lower security postures are now hardened and fine tuned now, there is still a possibility to bypass VS in the lower security postures. That is just the way malware detection is . Otherwise, everyone would just run VS in the relaxed security posture .

We will probably do one more release before the public release, just to double check the last bypass. I hope to have that version in the next day or so... I am right in the middle of the code conversion and things are going to get really confusing if I am not careful . Thanks again for all of your help!