Eset Bangladesh

AVG blocking the exploit attempt via network filter driver

Two products used network filtering to detect the exploit and block it before kernel-level code execution happens. We have not played with how these techniques can be bypassed (e.g. by obfuscating the exploit to evade signatures), but that could be the content of another blog post.

Update 2017-05-19: Kaspersky Internet Security can detect the DOUBLEPULSAR
in-memory backdoor via memory scan (part of quick scan).

At the moment (with the latest updates), we have tested 10 home Internet Security Suite products, 2 next-gen endpoint protection products (updated on 2017-06-14; previously 1), 1 EDR and (update 2017-05-22) 1 micro-virtualization based solution, none of which can protect (or alert) users against the ETERNALBLUE exploit installing the DOUBLEPULSAR backdoor. All vendors claim to protect against #Wannacry and some claim to protect against ETERNALBLUE. But here is the thing: protecting against the payload does not mean users are fully protected against malicious code running in kernel mode.
Our tests focused mostly on home products (internet security suites), and whenever the default firewall policy was set to public, we changed the policy to home/work. All products were used with default settings. Some products, for example, have intrusion prevention turned off by default, and enabling it blocks ETERNALBLUE. But not many home users tweak default settings.

All the tests were done between 15 May 2017 and 1 June 2017.

CylancePROTECT marketing claims [updated on 2017.06.17]
Cylance has created and shared online a video attempting to demonstrate how their product CylancePROTECT protects against WannaCry:
The interesting part of the video starts at 5:00. The DOUBLEPULSAR backdoor is already installed, which means the system is already compromised, and it would appear that Cylance did not realise this.

There are YouTube tutorials on how one can drop PeddleCheap in-memory payloads with ETERNALBLUE and DOUBLEPULSAR. We recommend testing this scenario for yourself on an endpoint protected with CylancePROTECT.
Update 2017-06-20: We received feedback that this part of the post is not easy to understand. The key point is that whenever you see Cylance block the malware payload on the protected machine, malicious code was already running on that machine: that code successfully downloaded the malware and tried to start it, and only the start was blocked. Now imagine a case where the machine is infected with code that is never written to disk, and that code starts in a way Cylance does not detect. Such code can bypass Cylance completely.

It is nice that all the AV vendors claim to protect against the ransomware payload, but if there is a backdoor running on your machine at the kernel level, things are not that great.

Please note that the ETERNALBLUE exploit was published roughly 2 months before WannaCry and this blog post.

If anyone creates in-memory ransomware that works with the ETERNALBLUE exploit, the number of ransomwared systems would skyrocket. ETERNALBLUE can be linked with Meterpreter easily, and we have an in-memory Meterpreter ransomware extension. We are sure we are not the only ones with this capability. If in-memory Meterpreter ransomware appears in the wild soon, we reserve the right to remove this section from the blog post and pretend we never wrote this 😉

We are in the middle of contacting all AV vendors about the issue. We guess they already know this; they only forgot to notify the marketing department to check their communication.