voodooshield and malware without files

Status
Not open for further replies.
ForgottenSeer 58943

I believe he meant, Is Voodooshield stopping Fileless malware?

I don't know though.

I assume one of the malware focused pros will chime in. But in theory, I would guess VS would stop them because it should close off the attack methods they use. <looks around nervously>
 

Deleted member 65228

1. VoodooShield is an anti-executable therefore it will intercept process start-up. Therefore, VoodooShield is capable of blocking malicious software from executing code as long as a process is used -> block the process and now the malicious code doesn't run. It has an AI score which can help you when responding to start-up alerts, but it doesn't actually know whether the program starting up is malicious or not so it isn't like an AV which may know if a sample is really malicious from signatures and what-not.

2. VoodooShield does watch for specific command lines which can be used by payload of some malicious software (e.g. post-exploitation). It isn't an "anti-exploit" but it can do the command line checks for some things.

A truly file-less attack? No it won't stop it, because it'd be truly file-less. There would be no additional process spawns, the malicious code would be executing in-memory of other processes which were already running at the time of the exploit deployment. So that would be out of VoodooShield scope, but this type of attack is exceptionally rare for Home users.

"file-less" malware in the sense that the payload will execute without its own process but will still spawn additional processes? Yes VoodooShield should be capable of blocking features of the payload which required those processes to be started up as long as the programs started up by the payload are not white-listed/trusted (e.g. depends on configuration).

So here are two scenarios. The first example one is 99% unrealistic for a normal scenario because we are not businesses who are high value targets (and malware in the wild for average users is usually made by people who just copy-paste probably), whereas the second one is 90% unrealistic for average home users.

1. You click a link. The browser is exploited for remote code execution. The attacker is now executing malicious shell-code within the context of the web browser - bypassed the Data Execution Prevention restriction by somehow getting the browser to call NtProtectVirtualMemory to provide PAGE_EXECUTE_READWRITE flags so the shell-code inserted can actually be executed, or alike. The malicious shell-code now works around Address Space Layout Randomisation with a pattern scan to find a routine address containing code in the browser executable which has a vulnerability, and now the malicious shell-code exploits that vulnerability to escape the sandbox for privilege escalation. Now the malicious shell-code sets up a remote connection for backdoor functionality without needing to spawn any other programs or dropping to disk during the process. ->>>>> (UNREALISTIC 99%)

2. Same as #1 but a new process was spawned during the process. ->>>> STILL UNREALISTIC however in this case, VoodooShield may be able to intervene and block the payload either at the start, middle or end -> still potentially reducing attack damage from the post-exploitation

VoodooShield is well-used and well-liked on this forum so many people here will be able to help you if you use it and have any issues, and there's a free version so you can test it out any-time by downloading it from here: VoodooShield™ - The User-Friendly Toggling Computer Lock.

It works well for what it is supposed to do and it can definitely keep you safe if you use it properly, it isn't very hard to learn how to use it.
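To make the distinction in the post above concrete, here is an added example (not VoodooShield's code and not from the original post) of the kind of process-start check an anti-executable performs, run over a few constructed process-creation events in the style of Sysmon Event ID 1. A payload that spawns a new process (powershell.exe launched by a browser, mshta.exe launched by Word, a double-extension *.exe launched from Explorer) produces an event that can be blocked or prompted on; a truly in-memory payload that never spawns a process produces no event at all and is invisible to this check. The event records, the content-handler and script-host lists, the command-line patterns and the allow-list are all assumptions for illustration.

```python
"""Process-start checks of the kind an anti-executable applies.

Added illustration, not VoodooShield's code. The event format loosely
follows Sysmon Event ID 1 (ProcessCreate); every event is constructed.
"""
from dataclasses import dataclass
import re
from typing import List


@dataclass
class ProcessStart:
    image: str          # full path of the new process
    parent_image: str   # full path of the process that spawned it
    command_line: str


# Programs that handle untrusted content and rarely need to launch shells (assumed list).
CONTENT_HANDLERS = {"chrome.exe", "msedge.exe", "firefox.exe", "winword.exe",
                    "excel.exe", "outlook.exe", "acrord32.exe"}

# Script/loader hosts commonly driven by post-exploitation payloads (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# Command-line patterns that indicate an inline or hidden payload rather than an
# ordinary file-based launch (assumed heuristics).
SUSPICIOUS_ARGS = [
    re.compile(r"(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}"),  # -enc <base64 blob>
    re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    re.compile(r"(?i)DownloadString|Net\.WebClient"),
    re.compile(r"(?i)javascript:|vbscript:"),      # mshta inline script
    re.compile(r"(?i)/i:http|scrobj\.dll"),         # regsvr32 remote scriptlet
]

# Stand-in for an anti-executable's trusted set (assumed).
ALLOWED_IMAGES = {r"C:\Windows\System32\svchost.exe",
                  r"C:\Program Files\Example\updater.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcessStart) -> dict:
    """Verdict for one process start: 'allow', 'prompt' or 'block', with reasons."""
    if ev.image in ALLOWED_IMAGES:
        return {"verdict": "allow", "reasons": ["trusted image"]}
    reasons = []
    child, parent = _base(ev.image), _base(ev.parent_image)
    if parent in CONTENT_HANDLERS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned script host {child}")
    for pat in SUSPICIOUS_ARGS:
        if pat.search(ev.command_line):
            reasons.append(f"command line matches {pat.pattern!r}")
    if reasons:
        return {"verdict": "block", "reasons": reasons}
    # Unknown, non-allow-listed process: an anti-executable prompts the user here.
    return {"verdict": "prompt", "reasons": ["not on allow-list"]}


def scan(events: List[ProcessStart]) -> List[dict]:
    return [{"image": _base(e.image), **evaluate(e)} for e in events]


# Constructed events, not real telemetry. The base64 blob is filler, not a real stage.
SAMPLE_EVENTS = [
    ProcessStart(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
    ProcessStart(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "powershell.exe -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessStart(r"C:\Windows\System32\mshta.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 'mshta.exe javascript:a=new ActiveXObject("WScript.Shell");'),
    ProcessStart(r"C:\Users\alice\Downloads\holiday.jpg.exe", r"C:\Windows\explorer.exe",
                 r'"C:\Users\alice\Downloads\holiday.jpg.exe"'),
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(r["image"], r["verdict"], "; ".join(r["reasons"]))
    # A truly file-less payload running inside chrome.exe that never spawns a
    # process generates no ProcessCreate event, so nothing above can fire for it.
```

The fourth event is the double-extension case from the follow-up post: the file is really an *.exe, so its start is a process-creation event and the check at least prompts. The gap is the other way round: shell-code living inside an already-running, already-trusted browser process never appears in this feed.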
 

Deleted member 65228

On the contrary, as an addition, it depends what "file-less" means to you. If you're talking about malicious documents, then I do not know how VoodooShield will handle them. If I recall, it is not very good with macros, but you should disable those anyway and Microsoft Office is insecure on its own so best not use it in the first place in my opinion. Problem solved

If you download an image which actually has a double extension of *.exe, well VoodooShield would pick that up too because a new process would be spawned (hence really being an *.exe).

It does close attack vectors, I think it can be quite useful if it works for you.
 

boredog

Voodooshield also uses all Virus Total scanners on each new file. The sensitivity can be changed so that if VT is set to, say, 2, it is most likely a false positive.
 

ForgottenSeer 58943

Voodooshield also uses all Virus Total scanners on each new file. The sensitivity can be changed so that if VT is set to, say, 2, it is most likely a false positive.

What do you recommend we set this to? I know on VT a lot of innocent things get hit by a couple of the scanners. What's a good number?
 

Sunshine-boy

A truly file-less attack
What does that mean? Where does that malware come from if there is no file? How can I protect myself from such malware?
@rancis de lorraine Rehips is better than VS! Give it a try! It has an app control which limits the program's actions. Even if you run the malware it can't reach cmd, PowerShell or other critical places... because Rehips will alert you. Or you can even sandbox the program from the start (like your browser)! But like VS it will not defend you against injections!
 

Deleted member 65228

What does that mean? Where does that malware come from if there is no file? How can I protect myself from such malware?
It means no file exists at all. No initial file to be executed in-memory (e.g. Portable Executable) and no files being dropped to disk by the payload - this is my definition of a "true" file-less attack however there are different meanings. An example of such an attack would be exploiting a web-browser via malicious JavaScript, as an attempt to execute native shell-code in the address space of the web-browser process responsible for processing the web-page (in which local files such as HTML and JS are downloaded locally for the browser to interpret the file contents -> JavaScript executes for web-page functionality but it's on the local side, not server-side like PHP). In that example, no file exists in the sense that the user had to download and execute a binary - the JavaScript file containing the malicious JavaScript code still existed though, but it's a different context. The malicious shell-code now runs under an existing process, instead of under its own process, without requiring independent code execution on the local system to inject the shell-code into the vulnerable process.

If a webpage activates some sort of "plug-in" for functionality, this could lead to exploitation of that plug-in/browser as well.

The malicious shell-code would face issues with modern browsers though; due to code executing under the context of the browser processes by security solutions for various mitigations (if performed by the security solution) and the default built-in sandbox container which is present in Microsoft Edge, and Google Chrome (as two examples).

Anyway, the attacker would need to gain persistence. So they'll likely be looking for exploitation of the registry for code execution, or similar, since patching binaries on the local system counts as touching disk. Otherwise, after the session ends (shutdown) and the system starts back up, exploitation would have to re-occur for the attacker to gain code execution again (e.g. victim visits the malicious web-page again -> exploit the browser again).

That's nothing more than an example though. And it's very unrealistic because of the expertise required. However, try looking into web browser sandboxing/anti-exploit utilities for enhancing protection against such.
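The persistence point in the post above is where a "true" file-less intrusion usually becomes visible: the payload has to survive a reboot, and if it must not touch disk it tends to live in the registry, with a Run value that launches a script host whose real stage is read from another registry value. As an added example (not from the post and not any product's code), the script below parses a constructed .reg-style export of autorun keys, decodes PowerShell -EncodedCommand payloads (UTF-16LE base64, the encoding PowerShell expects), and flags entries whose payload is read from the registry rather than from a file, resolving the referenced key back to the export. The key names, value names, stage text and heuristics are all assumptions for illustration; on a live Windows host the same entries would come from winreg or a reg.exe export.

```python
"""Scan Run-key entries for fileless (registry-resident) persistence.

Added illustration, not from the post or any product. Input is a constructed
.reg-style export so the script runs offline on any platform.
"""
import base64
import re
from typing import Dict, List

AUTORUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
# Ways a command can pull its payload out of the registry (assumed heuristics).
REGISTRY_REFS = re.compile(r"(?i)HKCU:|HKLM:|Registry::|Get-ItemProperty|\bgp\b|GetObject\(|\.RegRead\(")
HKCU_PATH = re.compile(r"(?i)HKCU[:\\]+([^'\"\s)]+)")
ENC_ARG = re.compile(r"(?i)-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]+)")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the [Key] / "Name"="data" lines of a .reg export."""
    out: Dict[str, Dict[str, str]] = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            out.setdefault(key, {})
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # undo .reg escaping: \" -> " and \\ -> \
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            out[key][name.strip('"')] = data
    return out


def decode_encoded_command(cmdline: str) -> str:
    """Decoded -EncodedCommand payload (PowerShell uses UTF-16LE base64), or ''."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except Exception:
        return ""


def referenced_key(cmd: str, reg: Dict[str, Dict[str, str]]) -> str:
    """Resolve an HKCU path mentioned in cmd to a key present in the export, walking up if needed."""
    m = HKCU_PATH.search(cmd)
    if not m:
        return ""
    parts = re.sub(r"\\+", r"\\", m.group(1)).strip("\\").split("\\")  # collapse \\ from JS/.reg escaping
    while parts:
        cand = "HKEY_CURRENT_USER\\" + "\\".join(parts)
        if cand in reg:
            return cand
        parts.pop()
    return ""


def classify_autorun(data: str, reg: Dict[str, Dict[str, str]]) -> List[str]:
    findings = []
    if any(h in data.lower() for h in SCRIPT_HOSTS):
        findings.append("autorun launches a script host")
    decoded = decode_encoded_command(data)
    if decoded:
        findings.append("encoded PowerShell command")
    effective = decoded or data
    if REGISTRY_REFS.search(effective):
        findings.append("payload read from registry (no file on disk)")
        key = referenced_key(effective, reg)
        if key:
            findings.append(f"referenced key present in export: {key}")
    if re.search(r"(?i)-w(?:indowstyle)?\s+hidden", data):
        findings.append("hidden window")
    return findings


def scan_export(text: str) -> Dict[str, List[str]]:
    reg = parse_reg_export(text)
    return {name: classify_autorun(data, reg)
            for key in AUTORUN_KEYS for name, data in reg.get(key, {}).items()}


# --- constructed sample, not a real infection ---
STAGE = "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\DemoApp').blob)))"
ENCODED = base64.b64encode(STAGE.encode("utf-16le")).decode()
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -w hidden -nop -enc {ENCODED}"
"Helper"="mshta.exe javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\DemoApp\\\\js'))"

[HKEY_CURRENT_USER\Software\DemoApp]
"blob"="aGVsbG8="
'''.format(ENCODED=ENCODED)

if __name__ == "__main__":
    for name, findings in scan_export(SAMPLE_REG).items():
        print(name, "->", "; ".join(findings) or "nothing suspicious")
```

The benign OneDrive entry produces no findings; the two constructed malicious entries are caught by what they do (script host, encoded command, registry read) rather than by any file hash, which is the point of hunting this class of persistence: there is no dropped binary to scan, so the autorun command line and the data it references are the evidence.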
 

Sunshine-boy

Thanks for the explanations. So there is something but we can't see it.
What if I sandbox the browser? Will those attacks only come from the browser? Can malware magically get to my PC if I don't run anything and sandbox the browser?
 

Deleted member 65228

What if I sandbox the browser? Will those attacks only come from the browser? Can malware magically get to my PC if I don't run anything and sandbox the browser?
Well no because 99.9% of the time user-interaction is always required. How did the exploit deploy in the first place? In the example of a malicious webpage which deploys a zero-day exploit, you still navigated to that malicious web-page, or another web-page which redirected you there. A different example would be software you're using which connects to somewhere, but the destination has been compromised and this may be possibly abused as an attack vector to gain control of the victims machine if it can be done by the attacker - we saw something similar to this with the initial spread of Petya. It didn't deploy a "file-less" attack, however the company providing banking software was compromised and this led to a rogue update which contained malicious software, even though that isn't a "file-less" attack, it might help you understand better.

You can sandbox your browser, it'll improve protection, but it isn't impossible for that to be bypassed as well, hahaha. It's all possible, just extremely unrealistic to happen. Vulnerabilities like this are usually identified by good security researchers and submitted for bug bounty/credits, leading to a patch, before a black-hat identifies it and is capable of exploiting said vulnerability with malicious intent most of the time.

Malware won't magically arrive on your PC 99.9% of the time. An exception would be a compromised network (e.g. as we already know of Metasploit attacks coming from a compromised Local Area Network, or after port forwarding, etc.). You still have to ask yourself though, how did this happen if you have a properly secured network?
 

ForgottenSeer 58943

I've seen more fileless malware in the last few months than I care to admit. It's frightening.

Especially when products known to be good against exploits and zero days like Symantec/Norton can't even seem to cope with fileless malware. Trend Micro Office Scan, we've found the same thing. The good thing is, layered security often prevents the occurrences of it - layered as in a good UTM on the gateway, a good AV on the endpoint, then possibly some lockdowns. Malware isn't my specialty, but lately it's sort of frightening out there.
 