VS (and anti-exe) Discussion

The sample distributed wasn't static; the malc0der(s) distributed new, undetected variants every few hours...
I just mean that on the report I've seen in this period it was this file on the screenshot (TMPA1F5.tmp) for VoodooShield (for some other apps & tests, the name has changed, like you say, new variant regularly) :)
The exploit / method used was the same.

And even the famous option "Enable voodooshield anti-exploit protection ..." already existed, but failed (or my memory isn't as good as I think)
 
Anti-exploit functionality did not prevent infection...
Yes, that is the way I understood it (I may be wrong, need to find the post again to verify)

Edited:
1x .tmp file : unknown => "blocked" => 2x .tmp : other files => "blocked" => "abnormal" system process started / found in memory
A lot of work has been done since then by the dev :)
Never got a ransomware attack EVER. Haven't really used an adblocker and not really going to start. I shouldn't be worried about ransomware, but more inexperienced people should.
You have "never got a ransomware attack": you mean "always stopped" by your security tools, or "never" reached your PC?
(in the second case, I will just hire you to use the PC of one neighbor :))
 

That's it! It's all right there in the screenshots... the evidence is indisputable.
 

Basically I'm pretty confident that if ransomware attempted to get into my PC, ZAL or Avast could take care of it.
@Lucent Warrior Although hackers are getting smarter, by the time the "new" malware attempts to hit me my software should take care of it. I back up all my files pretty often, and even my most important files aren't very important. Infected = HD format refresh. :)
 


Log after log off:
01/25/16 13:44:05 Protection level is set to <medium>.

01/25/16 13:44:09 Prevented process <msvcp60.dll | C: \ Windows \ System32 \ regsvr32.exe> from launching from <c: \ programdata \ windows genuine advantage \ {f0d3befc-0e6a-49b1-b6ee- B40707328827}.

01/25/16 13:44:10 Prevented process <scksp.dll | C: \ Windows \ System32 \ regsvr32.exe> from launching from <c: \ programdata \ windows genuine advantage \ {0a57af4b-2092-4aab-9e6c- 5f79fd148666}.

01/25/16 13:44:19 Prevented process <cnvfat.dll | C: \ Windows \ System32 \ regsvr32.exe> from launching from <c: \ programdata \ windows genuine advantage \ {49b9a045-a749-43de-afba- 0d25ebefe36b}>.

01/25/16 13:44:23 Prevented process <tmp13e2.tmp | c: \ windows \ explorer.exe> from launching from <c: \ users \ AA \ appdata \ local \ temp \ {df907dca-1f42-4b8f- Ab0e-e42a8424f8ae}>.

01/25/16 13:44:38 Prevented process <dhcpcsvc.dll | C: \ Windows \ System32 \ regsvr32.exe> from launching from <c: \ programdata \ windows genuine advantage \ {248a4374-c0ba-4e72-bf07- 277a3369ce88}.

01/25/16 13:45:07 Prevented process <clfsw32.dll | C: \ Windows \ System32 \ regsvr32.exe> from launching from <c: \ programdata \ windows genuine advantage \ {f41df4e1-6f46-4272-a6b8- 4645c4a95bbb}>.

01/25/16 13:45:44 Prevented process <keymgr.dll | C: \ Windows \ System32 \ regsvr32.exe> from launching from <c: \ programdata \ windows genuine advantage \ {55c5c478-3608-4801-b3fc- D3feb3417cab}.

01/25/16 13:46:02 Prevented process <eqossnap.dll | C: \ Windows \ System32 \ regsvr32.exe> from launching from <c: \ programdata \ windows genuine advantage \ {735696d8-0d94-43f0-85d9- 02a5f85ff4f9}>.

01/25/16 13:46:41 Prevented process <mpr.dll | C: \ Windows \ System32 \ regsvr32.exe> from launching from <c: \ programdata \ windows genuine advantage \ {2fc7cf8f-f0a9-4af8-9c5e- D707f1f7bb7a}.

01/25/16 13:46:59 Prevented process <appmgr.dll | C: \ Windows \ System32 \ regsvr32.exe> from launching from <c: \ programdata \ windows genuine advantage \ {82b0c380-211c-403d-91c8- 368c2318b9e5}>.
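A defender's parser for the log format posted above, added here as an example that is not part of the thread or of VoodooShield itself: it repairs the spaced-out backslashes the copy/paste left in the paths, pulls out the blocked child, its parent and the launch directory, and counts the two patterns visible in the log (regsvr32 loading a system-named DLL out of ProgramData, and an executable .tmp run by explorer.exe out of the user temp folder). The sample lines are constructed in the same format as the posted ones with placeholder GUIDs, and the "suspicious" rules are my own heuristics, not a VoodooShield feature.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the VoodooShield log posted above
# (the copy/paste left spaces around the backslashes; the parser strips them).
SAMPLE_LOG = """01/25/16 13:44:05 Protection level is set to <medium>.
01/25/16 13:44:09 Prevented process <msvcp60.dll | C: \\ Windows \\ System32 \\ regsvr32.exe> from launching from <c: \\ programdata \\ windows genuine advantage \\ {00000000-0000-0000-0000-000000000001}.
01/25/16 13:44:23 Prevented process <tmp13e2.tmp | c: \\ windows \\ explorer.exe> from launching from <c: \\ users \\ AA \\ appdata \\ local \\ temp \\ {00000000-0000-0000-0000-000000000002}>.
01/25/16 13:44:38 Prevented process <dhcpcsvc.dll | C: \\ Windows \\ System32 \\ regsvr32.exe> from launching from <c: \\ programdata \\ windows genuine advantage \\ {00000000-0000-0000-0000-000000000003}."""

# One "Prevented process <child | parent> from launching from <dir>" line.
# The trailing '>' is optional because some posted lines lack it.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) Prevented process "
    r"<(?P<child>[^|>]+)\|(?P<parent>[^>]+)> from launching from <(?P<dir>[^>]+?)>?\.?$"
)


def norm(path):
    """Collapse 'c: \\ windows \\ x' into a normal lowercase Windows path."""
    return re.sub(r"\s*\\\s*", r"\\", path.strip()).lower()


def parse(log):
    """Return one dict per blocked launch; informational lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "child": norm(m["child"]),
                           "parent": norm(m["parent"]), "dir": norm(m["dir"])})
    return events


def suspicious(ev):
    """Heuristic label for the two patterns seen in the posted log, else None."""
    parent_exe = ev["parent"].rsplit("\\", 1)[-1]
    if parent_exe == "regsvr32.exe" and ev["dir"].startswith("c:\\programdata\\"):
        return "regsvr32 loading DLL from ProgramData"
    if ev["child"].endswith(".tmp") and "\\appdata\\local\\temp" in ev["dir"]:
        return "executable .tmp launched from user temp"
    return None


def summarize(log):
    """Count how often each suspicious pattern appears in a log."""
    return Counter(r for r in (suspicious(e) for e in parse(log)) if r)


if __name__ == "__main__":
    for ev in parse(SAMPLE_LOG):
        print(ev["ts"], ev["child"], "<-", ev["parent"], "|", suspicious(ev))
    print(summarize(SAMPLE_LOG))
```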
 
Here is the video of the test.

P.S. is it just me or did we just derail this whole thread with these conversations :p :D
 
Unfortunately... it doesn't break the post-TMPXXXX.tmp run sequence.

The video author cut it short, but the run sequence keeps going just as shown initially.

What you gonna do... the people aren't professional video publishers.
Exactly what I was just thinking. Until I see it done, and done correctly and thoroughly, I put no stock in it. VS may very well have intercepted the sequence again had the author let the test continue.
 
He didn't cut the run sequence short, but instead edited out all the end-visuals in his video.
I will have to look again, but it looked to me as if, as the video was fading, the sequence was still trying to run. The main point though was that no payload I saw was dropped. Without the samples and the URL for the website exploit it is futile to sit and figure out exactly what would happen.

I still state: until I see someone bypass it, and/or hand me the samples they say will bypass it so I can test and show it, it is time to drop this and move on.
 
Having the *.tmp itself is no good; you need the active webpage along with an actual browser exploit.
 
Check it again. Next time get a pencil and paper. Stop the vid after every new process starts and write it down. All those Windows processes popping up after TMPXXX.tmp terminates are a continuation of the run sequence. You're expecting and looking for A > B > C > ... > N all within the same parent > child tree, but in this case it doesn't work that way...
 
This is only a tmp :) You can delete this with CCleaner. Did this sample run in memory? VoodooShield doesn't have real-time; it blocks the sample when you run it.
Test in a VM with SecureAPlus. If the tmp is in tmp it is OK, but if it is in the Windows folder it is a big infection. For this video, what Lucent found, it is from China.
A .tmp file with an exe structure ran from a parent process :), certainly with parameters, located in an important Windows folder.
I didn't find the original file / link that certainly put this .tmp in the folder (..appdata/local/temp...)
 
In fact the links I posted are with tests from January 25, and in the video April 1.
There is now a thread on this in the VoodooShield subforum; please direct any further statements or questions about VoodooShield to it.

@Umbra, I believe the Video Reviews are your domain? Can you please clean up this derailed thread?
 