Best protection against zero day exploits

Discussion in 'other anti-malware software' started by aigle, Apr 6, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi users! The recent ANI exploit has produced a lot of stir and many sites used this exploit just after its discovery, even before good detection was offered by some AVs and before any patches were available.

    I wonder what is the best defence against zero-day exploits of Windows and other Windows applications like browsers etc. See the Symantec report here about how many exploits they have found in Windows and browsers etc.

    https://www.wilderssecurity.com/showthread.php?t=170896

    I will review the possible defence options which I can think of.

    1- Well, first of all, I can think of AVs... hmmm, not a good defence as they will add detection after a lag and even then detection might be partial (also it's a separate discussion whether protection against exploits is the job of the AV or not).

    2- Second option, updates and official patches like MS patches -- obviously they might be very late or even not available in some cases.

    3- Third option -- 3rd party patches/workarounds -- well, they might come earlier than MS but again there might be a significant lag period and also I am not sure how good it is to use 3rd party patches for Windows. There might be unknown problems and also later on you might need to uninstall these patches before applying MS patches for the same exploit/vulnerability. Also, to keep yourself updated on new exploits, their severity, availability of 3rd party patches and the choice between various 3rd party patches, all of this rather seems a cumbersome job to me.
    This option usually does not exist in the case of browser exploits etc.

    4- Safe surfing -- of course many legit sites might harbour the exploits when compromised. Don't forget that Asus.com was compromised with the latest .ani exploit.

    5- Hardening/use of NoScript -- not useful all the time. NoScript will not prevent some exploits (the latest .ani exploit is an example). Moreover some trusted site where you are allowing JavaScript might be compromised, again putting you at risk. Recently I read of such exploits being present on trusted Mozilla sites, where a user will not turn off JavaScript as he thinks such sites are safe. (See the release notes of the latest NoScript; they advised turning off JavaScript even for Mozilla sites due to these issues.)
    Moreover system hardening might result in loss of functionality and sometimes give rise to issues that will be really annoying and difficult to address, as the user might not be aware that these issues arose due to system hardening, or he might even have forgotten what tweaks he made to his system long ago.
    6- Use of non-MS applications/alternate browsers etc. -- they might have fewer exploits/vulnerabilities but two things are important. Firstly, in spite of being safer they do have vulnerabilities (see vulnerabilities of Mozilla versus IE in the above mentioned report, 40 vs 54; it's a big number). Secondly, an interesting point is that sometimes they might be more vulnerable than MS applications. For example, Firefox is more vulnerable to the recent .ani exploit in Vista as compared to IE7, due to the low privilege mode of IE7 in Vista.

    7- Special scanners for exploits -- the only such application I can think of is LinkScanner. It's really unique in that it will scan sites in real time for the latest exploits and will prevent them. Again, updates here might be much faster than a traditional AV but still it might be too late for a user. Secondly, it will not support all browsers and might not cover all types of exploits/vulnerabilities.

    8- Classical HIPS and behavioural blockers seem to be the viable option, but I am not sure how effective they can be against real life exploits/vulnerabilities, especially Windows and browser exploits. They might have their own weaknesses and there are no significant real life experiences.

    9- The last option that I can think of is sandboxing software. It also seems to be a good viable option to me but I can't be sure, as these applications are still in their infancy as far as their development is concerned. They might result in loss of functionality, there might be conflicts with other applications and components of the OS itself, and some of them might not be user friendly.

    Please let me know your thoughts on this. Let me know what I have missed. I am not an expert at all, I might have written some wrong info as well and will be happy if you correct me.

    Thanks
     
    Last edited: Apr 6, 2007
  2. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    Honestly aigle, I think the first (and best) line of defense are anti-executable programs and sandboxes.

    As we've seen with GesWall, even though IE crashes because of the ani exploit, the system isn't compromised (haven't tested with Sandboxie or BufferZone yet). GesWall has yet to let me down.

    Anti-executables are almost as good because if the exploit can't execute, it can't do any damage. It just requires a little more user vigilance. Things like ProcessGuard, SSM, ProSecurity, and EQSecure are awesome and they all have freeware versions available.
     
  3. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks: If we cannot stop them from sneaking in, our viable defense mechanism, perhaps among a few others, is sandbox/virtualization and white-listed anti-executable. We can contain them and then make them useless. I am using Deep Freeze and am thinking of adding Faronics's Anti-Executable (white list). Wish me luck.
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi zopzop and Perman! Thanks for your thoughts. As you can see from my post above, I agree the best defence for these are classical HIPS (anti-executables) and sandboxes/virtualization etc. Personally I will prefer a combo of these, and will recommend the sandbox approach for novices.
     
  5. herbalist

    herbalist Guest

    There's no simple answer for this question. It depends greatly on just what is being exploited, whether it's a system component, a single application, an application that's used by many other programs on your system, or something outside of your system. The big problem is time, the short amount of time that elapses between the discovery of a vulnerability and its becoming widespread. With botnets responsible for much of the rapid distribution of exploit code, it's becoming a very short time period. Those who release this exploit code have capitalized on the reactive security measures we've relied on for years by building rapid distribution networks for the malicious code, botnets. They've also made home PCs the primary target, usually for the purpose of gaining control of them and adding them to these bot networks. By the time patches are released or AVs detect the exploit code, they've already harvested a large percentage of the PCs they wanted. They're counting on this time lag. Regarding 3rd party patches, every system is different. I haven't had any problems with the ones I use. Others have had problems. Then again, the same can be said for "official" patches. More than a few times, M$ has had to patch their patches. Since such patches are usually in response to some spreading exploit, they're developed as fast as possible. Things happen when stuff is rushed. That won't change.

    The question becomes, what pro-active measures can we use? Alternate applications like FF help some. The problem here is that the more popular the alternate apps become, the more they're targeted. IMO, getting away from M$ apps helps as they're the most often targeted. While Vista and IE7 appear to be less vulnerable at present, give it time. They'll be exploited like everything else that's Microsoft.

    HIPS can offset many such exploits, if the application rules are restrictive enough and the user isn't tricked into a bad decision. Code has to run to infect or compromise your system. Tight control over parent-child dependencies will stop many (not all) exploits.

    Sandboxing and virtualization also help, as long as the user is aware that these apps are also being targeted and will eventually be exploited or defeated to some degree. The more popular they get, the more they'll be targeted. These apps should be treated as part of a layered package, not used as an only defense. IMO, allowing untrusted code to run and relying on other software to contain it is playing with fire, and eventually the malware writers will burn thru containment software.

    You can also lower your risk by shutting down services and apps you aren't using. The less that's running, the fewer entry points on your system, and the less there is to attack. A process that isn't running isn't as easy to exploit, especially if its parent processes are limited to only what's necessary.

    As you've already noted, safe surfing only helps some. If the exploiting of legit sites becomes more commonplace, trusted site lists in different apps could actually become a liability. If a site you use and trust is compromised, the results could be much worse than visiting a compromised but restricted site. All web filtering helps. I'm partial to Proxomitron instead of NoScript as its filtering abilities are stronger and much more configurable. With a large percentage of exploits targeting browsers and their support software (Java, JS, etc.), it also helps if your browser doesn't give out any extra information. While attacks on Java affect all browsers, others are browser specific. Apps like Proxomitron and browser extensions like User Agent Switcher can be used to send misinformation to potentially malicious sites. Some malicious sites contain multiple exploits and are designed to utilize the one that's effective against whatever browser is being used. With this extension, the site can be tricked into using the wrong exploit for your browser or operating system, letting you escape unharmed.

    The best you can really do is to combine the different methods, security apps, and strategies, and close as many attack vectors as possible. Instead of concentrating on individual exploits, look at your system as a collection of targets. Common targets include browsers, mail handlers, media players, office apps, image viewers, system services, and apps that need to receive unsolicited traffic from the net. Limit the activities of these apps as much as possible, using HIPS, sandboxes, VM, etc. Filter the content they receive. Control access to them, especially incoming. No one app, practice, or configuration can protect you from new exploits. A layered package, tightly configured and well thought out, combined with safe habits will limit your exposure to them and help neutralize many.

    One more item you didn't mention should be on everyone's list. If everything you do falls short and your system is compromised, system backups are a life saver. Get backup software and make a copy of your system you can restore from.
    Rick
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Thanks for the detailed reply.
    User Agent Switcher is a new idea to me. Can it really fool the malware/exploited site?
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    You are absolutely correct, but it's the cure and I was discussing prevention mainly.
     
  8. EASTER.2010

    EASTER.2010 Guest

    I have to heavily favor this #8 selection (SSM), although it is always wisest to apply the classic layered approach to make up those differences you suspect.

    What can't run can't harm a system, and any program, malicious or not, must "FIRST!" communicate its intentions to the operating system. That's where classical HIPS enter the picture as the middleman and filter incoming calls to the system for your convenience & safety. The problem though, just like you hint at, is that they do also have their own inherent weaknesses, but not so much as you might expect; still, all it takes is a single shutdown of it and malware has a clear path to execution and who knows what else after that. Hence my suggestion of a layered approach serves a very worthy purpose in keeping such occurrences to at the very least a bare minimum, if at all.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Correct, but not layers of HIPS over HIPS over HIPS... like you! :D :D
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    As long as the aim of these exploits is to install a trojan (executable), the white list solutions mentioned already are the best defense.

    For me, fcukdat's comment in the ProcessGuard thread remains the classic response:

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  11. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I strongly agree with fcukdat's statement.
    However, I wonder if it's possible for a file to execute without triggering a prompt from the execution interceptor (SSM, PG Free, Anti-Executable, Prevx, etc).
    What about memory-only threats (SQL Slammer)?
    What about code executed by a trusted/whitelisted app (like Java applets) which don't involve downloading more malware?
     
  12. EASTER.2010

    EASTER.2010 Guest

    You know aigle, ;) that my methods are always more an exception than the rule. Besides, it's a fun learning experience to boot, that is so long as the machine doesn't burp up a BSOD. :D
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    If it is an executable file, then no, as far as can be determined by what is known presently.

    The Slammer only infects computers running Microsoft SQL Server 2000 or MSDE 2000, using ports 1433-34, so it is prevented by the firewall:

    http://www.urs2.net/rsj/computing/imgs/1433.gif

    It's true that execution protection doesn't flag scripts, yet all examples of embedded scripts I've seen eventually attempt to download a trojan (that's where the money is!).

    A good example was the Acer vulnerability script which TNT posted last year. See his example number 8 in the following post. Note that tftp.exe installs and connects out to download an executable.

    https://www.wilderssecurity.com/showthread.php?p=912072#post912072

    In another thread we discussed how PG (or any White List protection) would block that:

    https://www.wilderssecurity.com/showthread.php?p=923172#post923172

    Even the *.ani exploit first caches a file (*.ani, *.jpg, etc.) which is really code that exploits the buffer overflow vulnerability, but whose intent is to download a trojan (that's where the money is) - note the last line of the code:

    http://www.urs2.net/rsj/computing/imgs/jpg.gif

    I posted that the PoC was misleading, because

    • 1) people focussed on their AV flagging the file itself, rather than the payload. This myth should have been dispelled back with the *.wmf exploit, where no AV caught the .wmf file the first day, and not all detected it even on the 3rd day, while anyone with Execution Protection blocked the .wmf code downloading the trojan executable on day-Zero. (I'll try to find my old test of that)

    • 2) there was really no payload - just a DoS simulation. You might have noticed the comment on the web site that posted a video of this PoC running, to the effect that the "real" exploit downloaded xx.exe silently in the background (assuming no Execution Protection).

    I say misleading, because while the code could have wreaked havoc with the user's system rather than downloading a trojan,

    • 1) there is no money to be made by the malware writer

    • 2) what person here, if something like that happened, couldn't quickly restore the system to a previous good state?

    This implies that something has been permitted to install and then become White Listed; this is outside of the topic of Zero-day exploits that Aigle is referring to.

    But this is an important consideration: everyone at some point disables security to install a program. We all have our own ways of deciding what to trust.


    regards,

    -rich

     
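The chain rich describes in this post and herbalist described earlier, "code has to run", tight parent/child control, and a dropped trojan that is blocked because it was never allowed to execute, modelled as a small execution-control policy. This is an added example written for this page, not code from ProcessGuard, SSM, Anti-Executable or any other product in the thread. The file paths, the few bytes standing in for each binary, and the parent/child deny table are constructed; xx.exe is the dropped-file name rich mentions.

```python
"""Added illustration: execution control by SHA-256 allowlist plus parent/child rules.

Constructed, self-contained model of what the thread calls 'execution protection'.
Not the code of ProcessGuard, SSM, Anti-Executable or any other product.
"""
from __future__ import annotations

import hashlib
import ntpath
from dataclasses import dataclass

# Constructed stand-ins for files on disk (a few bytes, not real PE images).
EXPLORER = r"C:\Windows\explorer.exe"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"
CMD = r"C:\Windows\System32\cmd.exe"
TFTP = r"C:\Windows\System32\tftp.exe"
DROPPED = r"C:\Documents and Settings\user\Local Settings\Temp\xx.exe"

SAMPLE_FILES: dict[str, bytes] = {
    EXPLORER: b"MZ explorer (constructed)",
    IEXPLORE: b"MZ iexplore (constructed)",
    CMD: b"MZ cmd (constructed)",
    TFTP: b"MZ tftp (constructed)",
    DROPPED: b"MZ dropped trojan (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The allowlist holds hashes of the installed system binaries only.  xx.exe was
# never installed by the user, so it is absent whatever name or path it uses.
ALLOWLIST: frozenset[str] = frozenset(
    sha256_hex(SAMPLE_FILES[p]) for p in (EXPLORER, IEXPLORE, CMD, TFTP)
)

# Parent/child rules: the browser may run, but it may not launch interpreters
# or download tools (the tftp.exe pattern from the Acer script above).
PARENT_CHILD_DENY: dict[str, frozenset[str]] = {
    "iexplore.exe": frozenset({"cmd.exe", "tftp.exe", "rundll32.exe", "wscript.exe"}),
}


@dataclass(frozen=True)
class ExecEvent:
    parent: str     # path of the process requesting the launch
    image: str      # path of the file about to be executed
    content: bytes  # bytes of that file as read at the moment of the request


def decide(ev: ExecEvent) -> tuple[str, str]:
    """Return ("allow" | "deny", reason). Parent/child rule first, then the hash."""
    parent = ntpath.basename(ev.parent).lower()
    child = ntpath.basename(ev.image).lower()
    if child in PARENT_CHILD_DENY.get(parent, frozenset()):
        return "deny", f"{parent} is not permitted to start {child}"
    if sha256_hex(ev.content) not in ALLOWLIST:
        return "deny", f"{child} is not on the allowlist"
    return "allow", f"{child} is allowlisted and the parent is permitted"


def run_scenario() -> list[tuple[str, str, str]]:
    """The drive-by sequence described in the thread, plus two control cases."""
    events = [
        # the user opens the browser: allowed
        ExecEvent(EXPLORER, IEXPLORE, SAMPLE_FILES[IEXPLORE]),
        # exploit code inside the browser tries the tftp.exe download trick
        ExecEvent(IEXPLORE, TFTP, SAMPLE_FILES[TFTP]),
        # exploit instead drops xx.exe and has the shell launch it
        ExecEvent(EXPLORER, DROPPED, SAMPLE_FILES[DROPPED]),
        # allowlisted name, but the file on disk has been replaced
        ExecEvent(EXPLORER, CMD, SAMPLE_FILES[CMD] + b" (tampered)"),
    ]
    return [(ntpath.basename(e.image), *decide(e)) for e in events]


if __name__ == "__main__":
    for image, verdict, reason in run_scenario():
        print(f"{verdict:5} {image:12} {reason}")
```

Two points the model makes visible: tftp.exe is a legitimate, allowlisted system binary and is still refused because of who asked for it, and a hash allowlist refuses a renamed or replaced binary that a path-based list would pass. It also shows the limit rich concedes: a script interpreter is itself an allowlisted system file, so only the parent/child rule sees the browser starting wscript.exe, and code that runs entirely inside the exploited process, which lucas1985 raises next, never reaches this check at all.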
  14. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    About this issue
    I was thinking more along the lines of misuse of apps like RUNDLL32 and CMD than Java applets, but I've rethought this and it's obvious that something must execute first to invoke them.
    So, anti-execs that look for executable content everywhere inside a file can't be fooled/bypassed, right?

    What about a SQL Slammer-type threat which targets an app whose network traffic is allowed through the firewall?

    As always, thanks for your detailed and informative post ;)
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi Aigle,

    I agree with most: an anti-executable combined with a sandbox, although I just degraded my defense from anti-executable to behavior blocker (EQSecure instead of SSM). Still, with those active there is overlap.

    Access: Your firewall (inbound + outbound)

    Threat gate (Sandbox):
    Only focuses on the entry point programs of your PC (chat, mail, P2P, browser, DVD/floppy/USB, unzip program and recently my wife's Nokia73 phone manager, etc.). It does not allow untrusted sources to change trusted sources (scope: registry, processes and files).

    Trigger level (HIPS/Behavior):
    HIPS
    Obviously an anti-executable only allows what is whitelisted. So when something drops through, it is either a "shoot in the foot" error or a program error. HIPS protect the registry and processes; some have file protection also. I like the SSM UI disconnected, because it reduces the "shoot in the foot" weakness.
    Behavior
    I fancy NeoavaGuard and EQSecure over CyberHawk, because you can configure them to never allow certain anomalies, reducing the "shoot in the foot" mistakes to zero. They offer the user some more freedom. The point is, because they only block anomaly triggers, their weakness is their protection strength. Their scope is something different from sandboxes (a sandbox does not allow anomalies from untrusted programs, a behavior blocker does not allow them from any program).

    All in all most anti-executables and behavior blockers overlap with sandboxes.

    Data level
    Not much used (SensiveGuard, CoreForce, R-Guard, DriveSentry, Paradorfileprotection); it provides an extra layer, e.g.:
    A) Only user-initiated programs are allowed to read the user's data files and directories.
    B) Threat gate programs are not allowed to change executable-like files when not initiated by the user, and warn (or block) when they try to save such a program on your hard disk. This leaves the option still open to download music, info and movies (which your AV deals with for known threats).

    Although sandboxes have a similar feature (confidential files), it is as good as useless, because your mail client is an untrusted program, but you would like to keep your e-mails confidential. As long as this cannot be set at program and directory level (allowing your e-mail client access to confidential e-mails only, but not your P2P or chat program) it is a useless option.

    Regards K
     
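The data level Kees lays out in A) and B), together with the per-program, per-directory confidentiality he says sandboxes lack, written as one policy evaluator. This is an added example for this page, not the logic of SensiveGuard, CoreForce or any other product he names. The program names (browser.exe, mail.exe, p2p.exe, chat.exe, winword.exe), the directories, the file names and the extension list are constructed.

```python
"""Added illustration of the 'data level' layer described above.

Constructed model of per-program, per-directory file rules: who may read user
data, which programs may drop executable-like files, and whose confidential
store belongs to whom. Not the logic of any product named in the thread.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Hypothetical program names standing in for the poster's entry points.
THREAT_GATES = frozenset({"browser.exe", "mail.exe", "p2p.exe", "chat.exe"})

# Extensions Windows will execute or interpret when opened (constructed list).
EXEC_LIKE = frozenset({".exe", ".dll", ".com", ".scr", ".pif", ".bat", ".cmd",
                       ".vbs", ".js", ".hta", ".cpl", ".msi"})

USER_DATA = r"C:\Documents and Settings\user\My Documents"

# Confidential stores: each directory may be read only by the program named.
CONFIDENTIAL = {"mail.exe": r"C:\Documents and Settings\user\Mail"}


def _under(path: str, directory: str) -> bool:
    """True if path is the directory itself or lies below it (case-insensitive)."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p == d or p.startswith(d + "\\")


@dataclass(frozen=True)
class FileEvent:
    program: str          # path or name of the process making the request
    op: str               # "read" or "write"
    path: str             # file being accessed
    user_initiated: bool  # the user asked for it (open/save dialog, explicit action)


def decide(ev: FileEvent) -> tuple[str, str]:
    """Return ("allow" | "warn" | "deny", reason) for one file operation."""
    prog = ntpath.basename(ev.program).lower()
    ext = ntpath.splitext(ev.path)[1].lower()

    # Confidential stores are per program, not per trust class: the mail
    # client keeps its mail, the P2P client never sees it.
    for owner, directory in CONFIDENTIAL.items():
        if _under(ev.path, directory) and prog != owner:
            return "deny", f"{prog} may not touch {owner}'s confidential store"

    # Rule A: only user-initiated actions may read the user's data files.
    if ev.op == "read" and _under(ev.path, USER_DATA) and not ev.user_initiated:
        return "deny", f"background read of user data by {prog}"

    # Rule B: threat gates may not silently change or drop executable-like
    # files; a deliberate save by the user is allowed but flagged.
    if ev.op == "write" and prog in THREAT_GATES and ext in EXEC_LIKE:
        if not ev.user_initiated:
            return "deny", f"{prog} tried to drop a '{ext}' file without user action"
        return "warn", f"user is saving a '{ext}' file via {prog}"

    return "allow", "no data-level rule matched"


def run_scenario() -> list[str]:
    """Constructed events; returns the verdict for each, in order."""
    events = [
        FileEvent("browser.exe", "write", r"C:\Downloads\song.mp3", False),
        FileEvent("browser.exe", "write", r"C:\Downloads\setup.exe", True),
        FileEvent("browser.exe", "write", r"C:\Temp\invoice.pdf.exe", False),
        FileEvent("browser.exe", "read", USER_DATA + r"\taxes.xls", False),
        FileEvent("winword.exe", "read", USER_DATA + r"\taxes.xls", True),
        FileEvent("mail.exe", "read", CONFIDENTIAL["mail.exe"] + r"\inbox.dbx", False),
        FileEvent("p2p.exe", "read", CONFIDENTIAL["mail.exe"] + r"\inbox.dbx", False),
    ]
    return [decide(e)[0] for e in events]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The mp3 download is allowed, the user's own save of setup.exe is warned about, the silently dropped invoice.pdf.exe is blocked, and the mail store is readable by the mail client alone, which is exactly the program-and-directory granularity Kees asks for. The limit is the one rich pointed out earlier in the thread: the cached .ani or .jpg that is really exploit code is not executable-like by extension and passes this layer untouched, so the data level complements execution control rather than replacing it.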
  16. ASpace

    ASpace Guest


    Of course you missed something. You described 8+ not so important things and never mentioned the most important => CoMMoN SeNsE :D

    Our head is what can protect us and cure if necessary.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
    Hello,

    I think the hype over zero-day exploits is overrated.

    Most such exploits work only for specific MS products - and if you do not use them, problem solved. Furthermore, common sense will go a very long way, much further than any set of tools, and this applies for all situations.

    Finally, the best way to handle anything suspicious is via sandboxing / virtualization.

    Mrk
     
  18. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    Yes, this is the most important and should be our first protection... :)
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I don't even use common sense. If zero-day exploits cause changes on my hard disk, FDISR will remove them after reboot, like all the other bad changes, even when they bypassed my security software.

    I can't entrust my computer to security software; it fails all the time and the bad guys will send us even more sophisticated malware in the future.
    Rollback is the only sufficient method to fight against malware and doesn't require any knowledge or TIME of the user.
    Rollback, whitelists and isolation are the methods of the future.
     
  20. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Eric has a point with security software to which in some part I subscribe.

    I really believe in preventing things before they enter and do any damage. I try to block as much as I can at the gateway by firewall, filtering, zero-day patching, antimalware, and there are paid and free ways to do it. This appliance looks after my side of the network without me adding a lot of security software onto the machines. I run VMware and FD-ISR anyway, which means I can get outta trouble and reverse the problem.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I thought computers are for sensible use anyway.
    BTW, what will common sense do if you go to a legit site having a zero-day exploit that infects your system? Just a Q of common sense!!
     
    Last edited: Apr 7, 2007
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    One idea hasn't been discussed too much, which I mention from time to time: what is the likelihood that you will encounter a zero-day exploit? Even the recent *.ani vulnerability: look how hard aigle has tried to find a site that is still working - did anyone send you a link?

    The one I found on the first day would not execute on my machine (Win2K). Supposedly, it requires WinXP, and by the time I got my laptop set up with security to test it, that site was pulled.

    By most accounts in articles, most of those who encountered the exploit were redirected to a site after clicking on an infected email. Look at the list of sites posted the first day at sans.org. These aren't the common everyday legitimate sites one would go to directly; most are arrived at by redirection in an email, secondly, by redirection from crack and porn sites.

    In looking at sites that fcukdat has found in his work, most of the nasties are on keygen and crack sites - again, not the normal legitimate sites that most people would encounter in regular work.

    IE is much maligned because so many exploits target IE vulnerabilities, but I know many people who like and have used IE for years, and they have never had a problem.

    To test the above two points - last year a friend and I each spent several hours on weekends using IE in low security setting...

    http://www.urs2.net/rsj/computing/imgs/ie_low.gif
    _________________________________________________________

    ...just doing our normal research work, searching for sites in Google. Neither of us ever had a security alert. None of the popups redirected to anything.

    Our conclusion was that just because some have had bad experiences with IE, that shouldn't keep others from using it. How one uses a piece of software is probably the most important part of the equation.

    So, while I enjoy testing these zero-day sites to see how easily these exploits are blocked, I agree with Mrk that the hype is over-rated, and most of it is based on fear of the unknown that spreads as soon as the first news story is released. Then, a predictable set of responses follows, to include

    • the usual snip at Microsoft,
    • the statistics about how many URLs have been logged,
    • the AV virus scans with each company rushing to be the first to detect the exploit, customers complaining that their AV didn't get it fast enough (look at the .ani post in the NOD AV forum),
    • the big names in security adding fuel to the fire in their blogs.

    *Rarely* is there a complete analysis of the exploit code, which would reveal how easily they can be blocked w/o a patch.

    Meanwhile, those with proper security in place and understanding how all of this works together, sit back with a big yawn and continue on as usual.


    regards,

    -rich

     
  23. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Sometimes, the line that separates fear from a rational preoccupation is very thin.
    People practicing everyday computing with common sense are very unlikely to encounter a zero-day exploit. This doesn't mean that I shouldn't have countermeasures installed.
     
  24. danny9

    danny9 Departed Friend

    Joined:
    Feb 18, 2004
    Posts:
    678
    Location:
    Clinton Twp. Mi
    Rmus, you can add me to the list of people who have used IE for years without any problems whatsoever.
    From the time I had windows 98 to now, running XP.
    I have never had a virus, keylogger, trojan or any malware.
    In the last 5 yrs., the only constants running on my computer have been BOClean, SpywareBlaster and SpywareGuard.
    Have always ran an av and firewall but now use KIS6.
    More out of curiosity, Prevx for the last 2 months or so and WinPatrol Plus for the last yr.
    Have tried other OS's but always come back to IE6.
    For me, works the best and plain and simple, I like it.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Agreed, which is why I advocate replacing 'fear' with 'Cool Assessments.' If one becomes afraid, then she/he is not likely to think coherently, and may make irrational decisions.

    Agreed again! And my countermeasures suggested were the White List solutions mentioned already by others in the thread.

    To quote again from one of my favorite articles,

    For 'emergency', read 'fear.'

    Example using the recent *ani exploit [zero-day, remote code execution]: It took some digging, but finally seeing/assessing the exploit code revealed that it attempted to download a trojan - easily blocked by existing protection. No need to take extra steps; just calmly await the patch.

    regards,

    -rich

     