Views: 6260 | Replies: 37

[Brick] MRG-Effitas: ETERNALBLUE vs Internet Security Suites and nextgen protections

petr0vic
Posted on 2017-5-19 02:49:18
This post was last edited by petr0vic on 2017-5-19 02:56

Due to the recent #wannacry ransomware events, we initiated a quick test in our lab.
Most vendors claim to protect against the WannaDecrypt ransomware, and some even claim they protect against the ETERNALBLUE exploit (MS17-010).
Unfortunately, our tests show otherwise. Warning: we only tested the exploit and the backdoor, not the payload (WannaCry)!
We don’t want to disclose our test results until a fair amount of time is given to vendors to patch their product, but meanwhile we feel that we have to inform the public about the risks.
The following 3 products protected the system against the ETERNALBLUE exploit installing the DOUBLEPULSAR backdoor:
  • ESET Smart Security
  • F-Secure SAFE – but no log/alert on the console
  • Kaspersky Internet Security
ESET Smart Security Blocking ETERNALBLUE


F-Secure SAFE blocking ETERNALBLUE


Kaspersky Internet Security protecting against ETERNALBLUE

Two products used network filtering to detect the exploit and block it before kernel-level code execution happens. We have not played with how these techniques can be bypassed (e.g. via obfuscating the exploit to bypass signatures), but that could be the content of another blog post.
The BSOD
So far, we have one endpoint protection product where DOUBLEPULSAR installation failed due to Blue Screen of Death. Point 1 for integrity (hopefully) and -1 point for availability.
The FAILS
At the moment, we have tested 9 home Internet Security Suite products, 1 next-gen endpoint protection and 1 EDR which can't protect (or alert) users against the ETERNALBLUE exploit installing the DOUBLEPULSAR backdoor. All vendors claim to protect against #WannaCry and some claim to protect against ETERNALBLUE. But here is the thing: protecting against the payload does not mean users are fully protected against malicious code running in kernel mode.
Our test focus was mostly home products (internet security suites), and whenever the default firewall policy was set to public, we changed the policy to home/work. All products were used with default settings. Some products, for example, have intrusion prevention turned off by default, and enabling it blocks ETERNALBLUE. But not many home users tweak default settings.
Conclusion
It is nice that all the AV vendors claim to protect against the ransomware payload, but in case there is a backdoor running on your machine at the kernel level, things are not that great.
Please note the ETERNALBLUE exploit was published basically 2 months before Wannacry and this blog post.
If anyone creates an in-memory ransomware which can work with the ETERNALBLUE exploit, the number of ransomwared systems would skyrocket. ETERNALBLUE can be linked with Meterpreter easily, and we have an in-memory Meterpreter ransomware extension. We are sure we are not the only ones having this capability … If there is an in-memory Meterpreter ransomware in the wild soon, we reserve the right to remove this section from the blog post and pretend we never wrote this 😉
We are in the middle of contacting all AV vendors about the issue. Although we guess they already know this, they only forgot to notify the marketing department to check their communication.


驭龙
Posted on 2017-5-19 07:12:47
@pal家族
Come and take a look, Kaspersky's Network Attack defense has finally shown its power


houtiancheng
Posted on 2017-5-19 08:35:03
This post was last edited by houtiancheng on 2017-5-19 12:42

At the start I thought this was a test ESET did themselves...
Although Kaspersky and F-Secure still blocked it, the results for the other vendors are still dismal, so even with the latest version of an antivirus you still can't fend off the ETERNALBLUE attack?
Is this for real...

My guess is the one that blue-screened is SEP
pal家族
Posted on 2017-5-19 10:04:29
This test is very meaningful!
pal家族
Posted on 2017-5-19 10:04:58
This post was last edited by pal家族 on 2017-5-19 10:42
houtiancheng posted on 2017-5-19 08:35
At the start I thought this was a test ESET did themselves...
Although Kaspersky and F-Secure still blocked it, the results are still dismal, so even with the latest version of an antivirus ...

Where did you read that? It doesn't seem to mean that!
houtiancheng
Posted on 2017-5-19 10:31:52
pal家族 posted on 2017-5-19 10:04
Where did you read that? It seems to mean that!

What... isn't that written in the article?
pal家族
Posted on 2017-5-19 10:42:13
houtiancheng posted on 2017-5-19 10:31
What... isn't that written in the article?

Don't you get what I mean? I think my understanding is correct, so what is your basis?
That way I can rebut you; let's do a reading comprehension exercise together
pal家族
Posted on 2017-5-19 10:51:09
As I understand it, this test only tested the exploit and the backdoor and didn't involve the ransomware at all. It was a quick test, and they didn't want to give vendors too much of a chance to improve.
They tested many antivirus products and released the examples of successfully blocking the exploit. But in the test, 9 vendors' solutions couldn't block the exploit from dropping the backdoor.
Very glad that all antivirus products can kill this malware now, but not all of them can block the exploit. @houtiancheng So how do you understand it?????
houtiancheng
Posted on 2017-5-19 12:06:02
This post was last edited by houtiancheng on 2017-5-19 12:42
pal家族 posted on 2017-5-19 10:51
As I understand it, this test only tested the exploit and the backdoor and didn't involve the ransomware at all. It was a quick test, and they didn't want to give vendors too much of a chance to ...

Exactly, so that's why I said that according to their test, to this day there are still 9 (well-known) antivirus products that can't block the exploit delivered via the ETERNALBLUE attack. That deserves a spanking
pal家族
Posted on 2017-5-19 12:10:37
houtiancheng posted on 2017-5-19 12:06
Exactly, so that's why I said that according to their test, to this day there are still 9 (well-known) antivirus products that can't block the exploit delivered via the ETERNALBLUE attack. That ...

Your post #3
I read it as: although Kaspersky and F-Secure blocked the exploit, they can't block the ransomware, dismal.....
It was me who didn't figure out what that sentence of yours was actually saying.....
Copyright © KaFan  KaFan.cn All Rights Reserved.

Powered by Discuz! X3.4( 沪ICP备2020031077号-2 ) GMT+8, 2024-11-24 22:52 , Processed in 0.125928 second(s), 18 queries .

卡饭网所发布的一切软件、样本、工具、文章等仅限用于学习和研究,不得将上述内容用于商业或者其他非法用途,否则产生的一切后果自负,本站信息来自网络,版权争议问题与本站无关,您必须在下载后的24小时之内从您的电脑中彻底删除上述信息,如有问题请通过邮件与我们联系。

快速回复 客服 返回顶部 返回列表