An insight I wanted to share

First thanks to Mr Brian for pointing a link to a study of Attacktrends and Boombastik for attending me on AVG Linkscanner and Compu KTed for a trend confirmation, with a link to the most exploited plug-ins of 2013

So thousends of malicious URL's, using the top 15 exploit kits, 'only' used 27 published exploits.
According to this study, this information indicates that two groups are at work: First a few exploit producers (the 27 disclosed and explained in detail by security researchers), Second many exploit pack authors (re-using these exploits in packs and selling them). The third group are the thousends of exploit pack criminals using (combinations and variants of) exploitkits in malicious URL's.

URL-filter against third group
So it makes sense to stay away from trouble and use an URL-filter of the most used browsers (Internet Explorer, Chrome) and or the most used consumer AV's (MSE, Avast and Bitdefender) and largest DNS-networks. Because protection is in the herd (cloud). So a URL blacklist protects you against the exploit pack users (third category). Based on real world phising test, these a combined set of two URL filters (e.g. DNS and Browser or Browser and AV) will catch 75% of these (rapidly morphing) bad-URL's

Exploit script-filter against second group
Looking at it as a numbers game it is much smarter to focus on second category: the re-used code of the exploit pack. AVG-Linkscanner for instance take this angle: just look at the code sniplits of these exploit packs and create a fingerprint blacklist for it. AVG Linkscanner intercepts scripts in real time, looks for blacklisted code sniplits typical to exploit behaviour and sanatizes the script or blocks it. Other AV's also have simular mechanism's like Avast's script filter in the webshield. Microsoft Nozzle studies have also shown that script sanatizion is a very effective exploit protection approach. So a script interpretor (like AVG Linkscanner) protects you against the malware pack authors (re-using the published exploits), the second category. My guess is that an updated system with script-filter will block 95% of these exploit kits.

Exploit code excution-filter against first group
Allthough small in numbers (only 27 exploits applied in last two years), average user still has little protection against those unknown exploits (the first category of hackers finding exploits and using them secretly). Typically MBAE will provide you protection against those type of attacks. Don't want to sound as an add for MBAE, but looking at this study it surely makes sence to develop an application for the average user by simply focussing on Memory Corruption/Logic breach -> code drop -> dropped code execution. Other security programs have alternative mechanisms to establish simular smart protection (e.g. AppGuard's memory protection + deny execute code of user space + deny access to admin space objects). When EMET is able to stop 95% of these 'new' exploited vulnerabilities, my guess is that MBAE or similar will have higher success rates.

Regards Kees

 

Thank you.

How EMET is useful here?

 

Very usefull, although it is "only" stage 1 protection. With some Windows knowledge you can craft your own category 1 protection. I am using EMET (stage 1: memory corruption protection) with 1806 trick (stage 2: deny download/drop of code) with ACL (stage 3: deny file execution/traverse folder in drive-by folders) as my DIY protection against category ONE

 

Thanks Windows_Security for the nice analysis .

This thread contains a newer list of exploits that exploit kits are using.

This study may also be of interest.

 

Am I right saying that HIPS prevents these exploits?

 

Depends, memory corruption techniques (buffer / stack / heap overflow) often dive under the radar of sandboxing and HIPS applications, because they misuse the mechanisms of the OS, see HIPS and Sandboxes

Sandboxing and HIPS are with an updated system and OS-hardening, the best defenses IMO to minimize the effects of the intrusion and increase the chance of intercepting one of the steps of the flow of events of an intrusion, see study of F-secure (thx Mr. Brian)

I am just applauding the availability of mechanisms which can be used by a less security educated user population (as easy to use as an AV, like AVG Linkscanner and MBAE).

I am also applauding Microsoft, Chrome and Adobe to implement application containers/sandboxes in regular, every day, applications to reduce the attack surface (and reduce the chance of a vulnerability to be exploited with a predictable outcome).

Regards Kees

 

Now just if Oracle thinks the same...

 

My take on this is if you do the following:
1) use a newer Windows OS and keep it up to date
2) keep the relatively few apps and plugins that are commonly attacked up to date
3) keep Java away from the browser
4) use EMET on all processes of commonly attacked apps and plugins

then you're probably quite unlikely to be infected by a drive-by attack, unless you're a high value target.

 

With the following addition I would agree:
5. Use a browser which facilitates LOW RIGHTS CONTAINERS (IE's protected mode, Chrome's sandbox) with build-in powerfull URL-FILTER (IE's smartscreen and Chrome's safe browsing).

Only for the average user, best practice 2, 3 and 4 are the weak spot (Achilles heel) of this approach, therefore I would:

6. Add an AV which contains a script-filter (with AVG Linkscanner like capabilities) for average PC users (of the other free AV's I am sure Avast has one, Panda implemented alternative technology to MBAE and has since free version 2.2 shown an increase in "in the wild" protection, so Panda free probably also has one).

The importance of exploit protection, compare Panda free at AV-Comparatives 2012 March with 2013 December real world tests, or compare Windows 7 Panda IS at AV-Test zero day from Q2 2010 with Panda Free jul/aug 2013. Explanation Panda blog http://blog.cloudantivirus.com/2013/06/13/new-panda-cloud-antivirus-2-2-the-community-version/