Fileless Infections from Exploit Kit: An Overview

Discussion in 'malware problems & news' started by MrBrian, Oct 14, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Well, to be honest, I'm not sure what your point exactly is. MBAE is not even open source, and their code is probably already being audited by experts. It's also a cat and mouse game, EMET and PatchGuard have been bypassed numerous times, so developers fix these flaws, until new ones are found. So nothing new here.

    Also, these developers are a lot smarter than us, so I'm sure they will add new anti-ROP (and other) techniques if new attacks are discovered. But the ones that are currently used are apparently quite effective, as seen in certain exploit tests. Better yet, MBAE and HMPA have even added certain methods that can stop payloads from running, even when memory exploit mitigations are bypassed. :)
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, I know, I'm just saying that based on the info that I could find about anti-exploit tools (like kBouncer, ROPecker, and ROPGuard) it's very unlikely that tools like MBAE and HMPA have implemented exploit mitigations in a different way than EMET has done.

    Of course Malwarebytes has indeed not given any clarity about which exploit mitigations MBAE provides, I have even asked for this info in the MBAE thread. But that is not what this discussion was about. You asked for implementation details.

    But IMO, there's no reason to act all skeptical about their products. Just because you don't understand how the product works (in full detail) does not mean it's probably not secure and easy to bypass.
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Now that I think of it, when you say stuff like this, the question that arises is: can you perhaps tell us which new exploit mitigations need to be added, and can you also tell how they should be implemented? That would be really productive. :)
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thanks :). It's the only EMET test paper that I found on Google Scholar with a title search.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @Rasheed187
    I would hope they do something different, otherwise, why use them?

    Seems by saying that they implement some mitigation techniques like EMET they must implicitly implement techniques unlike EMET.

    No, I'm asking for techniques. Implementation details are nice, but I care more about how the mitigation works than how it is built.

    It means it has no value - if I give you a bottle of some liquid and I say "this will help you, but I won't tell you how or what's in it" will you drink it? Hey, it might be fine... or it might be water.

    How can anyone measure the true efficacy of a product while knowing nothing about it?

    I have no input for what they should implement, I am only curious as to what they have already implemented.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ Hungry Man

    OK, I got your point. I will not respond to your last post, to avoid running in circles.

    I think I have already explained my point of view quite clearly. :)
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @Rasheed187: In case you miss it, I just posted about a few more anti-exploit papers in the recent "Anti-exploit testing" thread.
     
  10. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes, I know, I posted some of them in this thread. Even though I only understood about 70% of what was written (most stuff is too technical), you can still get an idea about how anti-exploit tools work, that was the point I was trying to make.

    I was being silly, it was even mentioned in the HMPA "Exploit Test Tool Manual":

    "Besides a performance advantage, employing hardware traced records has a security benefit over software stack-based approaches. Stack-based solutions, like Microsoft EMET, rely on stack data, which is (especially in case of a ROP attack) in control of the attacker, who in turn can affect or control the defender as well."
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think there's clearly some confusion - do you think that there are only a few anti-exploit techniques, and they are all shared across every product?
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    BTW, I've been thinking about this discussion (or whatever you want to call it) and I think I misunderstood Hungry Man.

    When he asked "how does MBAE block this exploit", he probably meant which "exploit mitigation" blocked it. So the answer could have been: 'It was blocked with the "Stack Pivot" mitigation'. Am I correct? If so, I have to say, my bad. :D

    @ Hungry Man, it would be nice if in the future, you could be less vague about what info you're exactly after.
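    The "Stack Pivot" mitigation named in the post above, and the stack-based ROP checks the HMPA manual quote in post 10 contrasts with hardware-traced records, both boil down to one test: on entry to a sensitive API, is the stack pointer still inside the thread's real stack region? The following is an added example illustrating that test, not code from Malwarebytes, Microsoft or SurfRight; it assumes Linux/glibc (pthread_getattr_np) and a 64-bit address space, and the "fake stack" heap buffer is constructed for the demonstration (the stack pointer is never actually moved).

```c
/* Stack-pivot check as done by stack-based anti-ROP mitigations (added example).
 * Assumption: Linux/glibc, so pthread_getattr_np() is available.
 * Build: cc -pthread stack_pivot.c -o stack_pivot */
#define _GNU_SOURCE
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Redeclared in case _GNU_SOURCE was not seen before <pthread.h> was first read. */
int pthread_getattr_np(pthread_t thread, pthread_attr_t *attr);

/* Address range [lo, hi) of a thread's stack. */
typedef struct {
    uintptr_t lo;
    uintptr_t hi;
} stack_bounds;

/* Record the calling thread's stack region. A Windows mitigation reads this
 * from the thread environment block (StackBase/StackLimit); here glibc is asked. */
bool get_stack_bounds(stack_bounds *b) {
    pthread_attr_t attr;
    void *addr = NULL;
    size_t size = 0;
    if (pthread_getattr_np(pthread_self(), &attr) != 0)
        return false;
    int rc = pthread_attr_getstack(&attr, &addr, &size);
    pthread_attr_destroy(&attr);
    if (rc != 0)
        return false;
    b->lo = (uintptr_t)addr;
    b->hi = b->lo + size;
    return true;
}

/* The check itself: a stack pointer outside the thread's own stack region means
 * SP has been pointed at a buffer the attacker controls (a "stack pivot"). */
bool stack_pivot_detected(const stack_bounds *b, uintptr_t sp) {
    return sp < b->lo || sp >= b->hi;
}

/* What a hooked sensitive API (VirtualProtect, mprotect, ...) does on entry:
 * sample the current stack pointer through a local's address and check it. */
bool guarded_api_entry_ok(const stack_bounds *b) {
    volatile int marker = 0;
    return !stack_pivot_detected(b, (uintptr_t)&marker);
}

/* Constructed scenario: a heap buffer standing in for a pivot target. Only the
 * address is computed; SP itself is left untouched. */
bool heap_buffer_flagged(const stack_bounds *b) {
    char *fake_stack = malloc(4096);
    if (fake_stack == NULL)
        return false;
    bool flagged = stack_pivot_detected(b, (uintptr_t)fake_stack + 2048);
    free(fake_stack);
    return flagged;
}

/* Deterministic self-check with constructed bounds (hypothetical addresses). */
bool constructed_bounds_check(void) {
    stack_bounds fixed = { 0x7ffc00000000UL, 0x7ffc00800000UL };
    return !stack_pivot_detected(&fixed, 0x7ffc00400000UL)   /* inside: fine   */
        && stack_pivot_detected(&fixed, 0x5555deadb000UL)    /* heap: pivot    */
        && stack_pivot_detected(&fixed, 0x7ffc00800000UL);   /* hi is exclusive */
}

/* Live self-check; reports true when bounds are unavailable on this platform. */
bool live_check(void) {
    stack_bounds b;
    if (!get_stack_bounds(&b))
        return true;
    return guarded_api_entry_ok(&b) && heap_buffer_flagged(&b);
}

int main(void) {
    stack_bounds b;
    if (!get_stack_bounds(&b)) {
        fputs("could not determine stack bounds\n", stderr);
        return 1;
    }
    printf("stack region: [%#lx, %#lx)\n", (unsigned long)b.lo, (unsigned long)b.hi);
    printf("legitimate call: pivot detected = %d\n", !guarded_api_entry_ok(&b));
    printf("SP pointing into heap: pivot detected = %d\n", heap_buffer_flagged(&b));
    return 0;
}
```

The caveat the HMPA manual makes applies directly: every input to this check (the sampled stack pointer, and on Windows the TEB fields too) lives in memory the exploit already writes to, so a chain that keeps SP on the genuine stack, or restores it before the hooked API is reached, passes the test. That is why the quote distinguishes this class of check from hardware-traced branch records, which the exploit cannot rewrite.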
     
  14. 142395

    142395 Guest

    My point is I hope Malwarebytes (and all other AV/AM vendors!) clarify how their product works, at least as an overview.
    As to audit, I just wanted to avoid saying the same thing as Hungry Man.

    Well, EMET isn't open source either. I'm not talking about peer code review for vulnerabilities or coding errors.
    Do you know that when MS published EAF there was a quick response from researchers, including possible weaknesses?
    Well, even if MS hadn't disclosed EMET's mitigations, some researcher would eventually examine it and find weaknesses, but it would take longer and fewer researchers would be attracted.

    Yeah, cat & mouse, I agree, but I still feel you don't fully understand that there are numerous options for an attacker to use in an exploit.
    There are several ways, or rather tools, for secure coding which protect a writer's code from being exploited.
    But almost all can be bypassed by several methods, and in some cases one method can bypass several protections.
    Like this, most of EMET's mitigations basically focus on blocking a specific way or technique, so if the attacker chooses another way it doesn't come into play.
    MS itself says "this is a pseudo mitigation designed to break current exploit techniques. It is not designed to break future exploit as well".
    Maybe you can compare it with behavior signatures in AV: not entirely reactive, but not 100% proactive either.
    I'm not saying this is bad, but I want to know what each product covers and doesn't cover; then I can make an informed decision.

    I believe, or want to believe, MBAE uses some unique technique (other than layer 3) that EMET doesn't have.
    Remember MBAE could block some ROP before they added anti-ROP, though I don't know which layer blocked it.

    Blocking current threats is great, but I don't want to use a product which can be trivially bypassed.
    I'm not saying MBAE is that; it's just 'unknown' for all of us, and this is somewhat uncomfortable.

    Also note, one big advantage if they reveal how it works is that we can anticipate possible conflicts even before using the product.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ 142395

    I understand, and your point of view is interesting, but you're not saying anything new. :)

    About the MBAE issue, the only thing that the developer has not done is to clarify which exploit mitigations are used. Developers of EMET and HMPA have done this. But according to Malwarebytes, it's not smart to disclose all details, and they do have a point IMO, even though as a user it would be nice to know.

    And the reason why current "known" mitigations are used is because exploits are "known" to make use of certain attack vectors. If new ones are found, then new mitigations will be added, this is a no-brainer.

    And don't forget that a "zero day" refers to a newly found hole in some app (or OS), but hackers still need to exploit that hole. And most of the time they will use known exploitation methods, so tools like MBAE/HMPA/EMET will probably also stop quite a few zero day exploits that are used in targeted attacks.
     
  16. Spiral123

    Spiral123 Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    130
    I have enjoyed this discourse, however, I think the uncertainty here is strictly the implementation details. Hungry Man's curiosity is of understanding how things work, and why, and considering his knowledge on the subject, it is reasonable. Whether or not MBAE will disclose details is somewhat beside the point, it's more a matter of can you ultimately trust something when you do not know how and/or why it works, regardless of whether it appears to be effective currently. Seems to be more of an academic versus commercial paradox, or something to that effect. Nonetheless, implementation details would be interesting.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Some interesting stuff. I don't blame a security vendor for not disclosing too much, but I am not surprised that the Hitman guys give more information than MBAE. On the point about conflicts: those can be found by testing, and here is an interesting comparison. When I got interested in these products, the Hitman folks gave me a beta key, so I can run the product on several machines. I found several conflicts with other software I use, and in several cases it is already fixed. In the MBAE case all I could get was the free version, which would show the kind of conflicts I found. I asked for a trial of the full version and was turned down, and told I have to wait for the next beta. So they prevented me from testing and finding conflicts they could be fixing. While I can't answer Hungry Man's questions (and it's good he is asking), I am finding from daily use on my machines that I am encountering things that tell me the software is working. The difference in attitude and approach of the two vendors has already told me which one I want to use.

    Pete
     
  18. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Just wondering if HitmanPro.Alert 3 with exploit mitigations will be able to protect all web browsers (Chrome, Firefox, Internet Explorer and all other web browsers) that run under Sandboxie's supervision?
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am using it with Firefox and IE. I don't have Chrome.

    Pete
     