Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    It requires a user to double click on the embedded file.
    So it is not a remote exploit, it always requires two steps:
    1. Opening an rtf/docx/etc.
    2. Clicking on the embedded file.
     
  2. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  3. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,340
    Location:
    Québec, Canada
    Happy to run MBAE! :)
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
  5. haakon

    haakon Guest

    :thumb:
    I'm also happy to not run Flash.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Thanks, the reason why I asked is because he tested it against MBAE, and it stayed quiet. But it's indeed outside of MBAE's scope, because it's not an automated exploit. I wonder why he overlooked this.
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    If you don't have WinRAR installed it requires 4 steps:

    1. Opening the xlsx.
    2. Clicking on the embedded file which opens a zip.
    3. Clicking on the script inside the zip.
    4. Accepting the Windows prompt that warns about executing scripts.

    This could be called social engineering, but it's surely not an exploit.

    What's interesting is that WinRAR is auto-executing the script from within a zip without it being a self-extracting exe archive. If there is an issue with all this it's more likely to be with WinRAR and not with Office.
     
  8. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    1,340
    Location:
    Québec, Canada
    MBAE now at build 1011, Pedro?
    Didn't see any announcement. (yet) :)
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    +1 Thanks!
    Didn't notice this before!!!
     
  10. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    1.07.1.1010 on XP
    Minor thing: Quite often there is no popup and no entry in the log, yet the .dll file is inside the applications as seen in Process Explorer. I think it often drops out after the standby, having worked fine before, but I'm not sure, as it's not consistent.
     
  11. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Did you enable the "Log protection events" checkbox under Settings?
     
  12. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Yes.
     
  13. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    I think it's related to Outlook. The shield count stays at 1 even after Outlook is closed. It started ok, but since then, several hours back, it's not logging. Once that count is 1, Outlook popup and log don't happen.
    I ran SeaMonkey, count became 2, ProcExpl showed only System and SeaMonkey injection, no Outlook anywhere in sight.
    I wonder if Outlook (2003) continues to hold something that makes MBAE think it still runs.
     
  14. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Update after marathon testing (1.07.1.1010, XP) through more applications:
    Outlook isn't the only one. Other apps can lock the flag as well, though less frequently. Something is not releasing the state of the current shield. Once set for an application, you do not get further popups or log entries for that application, until something eventually releases it. What causes the first occurrence of no popup and bad shield count - I don't yet see any connection to anything.
     
  15. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Do you have a custom shield for Outlook?

    Can you please send me your MBAE data directory in a ZIP (C:\ProgramData\Malwarebytes Anti-Exploit).
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I agree -- sort of...

    At what point does a situation become an exploit?

    This particular PoC uses the OLE Packager to launch the attack. Using the RTF file, I can see the Package and the embedded ZIP file:

    [attached image: ole_2.jpg]

    The author could have made it more interesting by placing the script itself as the package. (This would eliminate the ZIP file which would behave differently depending on the user's ZIP program.) Then, the user clicks and the script immediately attempts to launch. Wouldn't this be an exploit?

    This trick has been in the wild for years, targeting businesses mostly, and the payload file is usually an executable, and as soon as the user clicks, it runs (or not, depending on the user's security).

    Yes, social engineering is involved, but still an exploit, it seems to me.

    Unless you are thinking of something else!

    ----
    rich
     
    Last edited: Jul 10, 2015
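Rmus describes opening the RTF and seeing the OLE Package with the ZIP inside it. As an added triage example (not code from the thread or from Malwarebytes), the script below does the same inspection programmatically: it pulls every `\objdata` blob out of an RTF, decodes the OLE 1.0 object header to get the class name, and for `Package` objects reads the Packager label (the file name shown to the user) and original path. The byte layout is assumed from the OLE 1.0 object header and Packager stream as I understand them, and the sample RTF is constructed here.

```python
"""Report OLE Package objects embedded in RTF (\\object ... \\objdata groups).
Assumed layout: OLE 1.0 ObjectHeader, then for class 'Package' a Packager
stream (WORD, label NUL, original path NUL, ...). Sample RTF is constructed."""
import re
import struct

OBJDATA_RE = re.compile(r'\\objdata\s*([0-9a-fA-F\s]+)')

def _lp_string(buf, pos):
    """OLE 1.0 LengthPrefixedAnsiString: DWORD length (NUL included), then bytes."""
    (n,) = struct.unpack_from('<I', buf, pos)
    return buf[pos + 4:pos + 4 + n].rstrip(b'\x00').decode('latin-1'), pos + 4 + n

def _cstring(buf, pos):
    """NUL-terminated ANSI string starting at pos."""
    end = buf.index(b'\x00', pos)
    return buf[pos:end].decode('latin-1'), end + 1

def parse_objdata(blob):
    """Decode one \\objdata blob: class name, native data size and, for Package
    objects, the label the user sees plus the path the file was packaged from."""
    _version, fmt = struct.unpack_from('<II', blob, 0)
    cls, pos = _lp_string(blob, 8)
    _topic, pos = _lp_string(blob, pos)
    _item, pos = _lp_string(blob, pos)
    (native_size,) = struct.unpack_from('<I', blob, pos)
    native = blob[pos + 4:pos + 4 + native_size]
    info = {'class': cls, 'format_id': fmt, 'native_size': native_size}
    if cls == 'Package':
        label, p = _cstring(native, 2)          # skip the leading WORD
        org_path, _ = _cstring(native, p)
        risky = ('.js', '.vbs', '.exe', '.scr', '.zip')   # worth a closer look
        info.update(label=label, original_path=org_path,
                    suspicious=label.lower().endswith(risky))
    return info

def find_objects(rtf):
    """Every embedded object in the RTF text, in document order."""
    return [parse_objdata(bytes.fromhex(re.sub(r'\s', '', m.group(1))))
            for m in OBJDATA_RE.finditer(rtf)]

def _lp(s):
    b = (s.encode('latin-1') + b'\x00') if s else b''
    return struct.pack('<I', len(b)) + b

def build_sample_rtf(label='invoice.zip', payload=b'PK\x05\x06' + b'\x00' * 18):
    """Constructed sample: one Package object wrapping an empty ZIP (EOCD only)."""
    path = 'C:\\temp\\' + label
    native = (struct.pack('<H', 2) + label.encode() + b'\x00' + path.encode() + b'\x00'
              + struct.pack('<II', 0, 3) + _lp(path)
              + struct.pack('<I', len(payload)) + payload)
    blob = (struct.pack('<II', 0x501, 2) + _lp('Package') + _lp('') + _lp('')
            + struct.pack('<I', len(native)) + native)
    return ('{\\rtf1{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata '
            + blob.hex() + '}}}')
```

Run `find_objects(open(path).read())` on a real document to list its embedded objects; a `Package` whose label ends in a script or archive extension is the pattern discussed in this thread.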
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Whether a script or executable is embedded, it would still be detected by MBAE's Layer3 (Application Behavior Protection) which is designed to prevent these types of behavior seen in non-memory corruption attacks or kernel exploits that go back to usermode to execute their payload code (i.e. Duqu).

    However, how is this case different than a script or executable inside a ZIP file that gets spammed around as an email attachment? Conceptually it is the same; executable code packaged inside a container where the user needs to double-click it to become infected. We've all been calling that social engineering for years as it requires user interaction.
     
  18. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Yes, Outlook, Access, Sumatra are custom shields.
    See PM for the logs.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I was looking for a Flash Player alternative, and saw Unity Web Player. I have seen UWP installed on a few machines I have worked on for family and friends. It seems a lot of them play games on their computer, and UWP is needed for their games. I see there was a zero day exploit found for UWP earlier this year, and many other vulnerabilities showing up in a Google Search. Pbust, do you think it would be worth adding UWP to the list of default shields? I doubt a lot of UWP users use MBAE, but that could change over time. Does anyone here use UWP?
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,795
    Location:
    .
    I do for my family pcs as well, so I back up your proposal. :thumb:
     
  21. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    SpyShelter is always blocking network hooks for firefox.exe and plugin-container.exe. Does MBAE use any network hooks for firefox.exe or plugin-container.exe that may be getting blocked? I want to make sure SpyShelter is not impeding MBAE from doing its job.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have never played a computer game other than some of the old Nintendo games using an emulator and joystick, so I have never installed UWP. Apparently they suck at responding to reported security vulnerabilities. One security researcher sent them bug reports over a 6 month period disclosing security vulnerabilities including a zero day, to which he supposedly received no reply. It was not until he released the vulnerabilities that they took action.

    I'm looking for a good Adobe Flash Player alternative for Firefox that is actively being developed. Do you have any suggestions? Flash Player has been hacked to death for the past several years, and I would prefer not to use it at all anymore. It seems like Gnash, UWP, and Silverlight are the only alternatives for Windows users. It seems like development for Gnash has stagnated for a long time, and I don't want to use UWP either. Silverlight has its own problems with vulnerabilities. It seems like LightSpark is the only good alternative, and it's only for Linux.
     
  23. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    MBAE does hook a few different APIs, so if SpyShelter does block hooking in the browser then it is likely it might be interfering with MBAE, but it really depends on the methods used. But if they really do that they would have problems with practically every security solution out there. Maybe they whitelist some vendors?
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    SpyShelter is constantly blocking the hooks in the browser that I mentioned. I think the only way to know for sure is if you, and the developers of SpyShelter corresponded. I don't know how you could verify that SpyShelter does not impede MBAE without giving away trade secrets. I will bring it up to them myself, and get back with you.
     
  25. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, it was silly to think that MBAE should have protected against this, and this attack vector isn't really new at all.
     