ETERNALBLUE vs Internet Security Suites and nextgen protections

Discussion in '0-day Release' started by RGiskardR, Jun 20, 2017.

  1. RGiskardR

    RGiskardR Malware Tester Silver Member

    Due to the recent #wannacry ransomware events, we initiated a quick test in our lab.

    Most vendors claim to protect against the WannaDecrypt ransomware, and some even claim they protect against the ETERNALBLUE exploit (MS17-010).

    Unfortunately, our tests show otherwise. Warning: We only tested the exploit and the backdoor, but not the payload (Wannacry)!

    We don’t want to disclose our test results until a fair amount of time is given to vendors to patch their product, but meanwhile we feel that we have to inform the public about the risks.

    The following 3 5 products protected the system against the ETERNALBLUE exploit installing the DOUBLEPULSAR backdoor and dropping a payload/executing a shellcode:

    1. ESET Smart Security – blocks the attack before DoublePulsar is installed
    2. F-Secure SAFE – but no log/alert on the console (Update 2017-05-29) F-Secure confirmed that they do not protect against the exploit or the backdoor. What makes things more interesting is that Doublepulsar is already installed, and RunDLL just runs fine. This seems to be a bug in Fuzzbunch/Eternalblue.
    3. Kaspersky Internet Security – blocks the attack before DoublePulsar is installed
    4. Norton Internet Security – blocks the attack before DoublePulsar is installed (Update 2017-05-22)
    5. AVG Internet Security – but no log/alert on the console (Update 2017-05-22)
    6. HitmanPro.Alert build 601 with anti-DoublePulsar (APC mitigation) was able to block every malicious payload DLL or shellcode introduced to the system via the Eternalblue exploit. Both the original Eternalblue with Doublepulsar and the Metasploit port were tested. (Update 2017-06-01)
    7. SentinelOne 1.8.4.6202 was able to block every malicious payload DLL or shellcode introduced to the system via the Eternalblue exploit, by blocking it in a generic way. Both the original Eternalblue with Doublepulsar and the Metasploit port were tested. (Update 2017-06-01) SentinelOne not only blocks the Meterpreter payload, but the original Peddlecheap payload as well. As more and more tests were ongoing, we have seen that multiple (typically next-gen) products were able to block the Meterpreter payload loading in a generic way, but not the Peddlecheap one. (Update 2017-06-14)
    Full report: https://www.mrg-effitas.com/eternalblue-vs-internet-security-suites-and-nextgen-protections/