Hi aigle, Yes I'm aware of that. It wouldn't if the victim had a reboot-to-restore program, where nothing written to C:\ would survive a reboot. But my question is about the initial triggering methods: what starts the attack in the first place? thanks, -rich
Hi again, aigle, Faronics AE will also fail against true fileless malware. A bit of history: An early type of in-memory exploit was demonstrated almost five years ago with Didier Steven's PoC: Quickpost: Shellcode to Load a DLL From Memory Thursday 28 January 2010 http://blog.didierstevens.com/2010/01/28/quickpost-shellcode-to-load-a-dll-from-memory/ A year later: Attack Using CVE-2011-0609 https://www.f-secure.com/weblog/archives/00002127.html Wednesday, March 23, 2011 So, fileless malware is nothing new -- today's versions are just more sophisticated and will become more prevalent as they are picked up by other exploit kits. Anti-malware software companies have had plenty of time to prepare for this. ---- rich
Thank you. I tried EMET, but to manage it with Defence+ was boring. I read in Wilders that EMET doesn't work at kernel level, is it ? HPA is it Hard Drive Host Protected Area ? How set it ? What about CIS sandbox against fileless malwares?
@CoolWebSearch I find better example than crypt vuln. Within your 50+ vuln in Chrome, there's a vuln which allows malicious extension to display fake permission popup. This can have great security impact (I know many people don't care about permission when they install new extension, quite bad habit), but do you think any anti-exploit can prevent this? Definitely no, it's a kind of design flow vuln which no anti-exploit can prevent. BTW, I found a document which show Chrome has a kind of memory protection called 'partitoning' that mitigate use-after-free vuln. It's still not anti-ROP or anti-heap spray and don't change the discussion, but better than just DEP + ASLR. And Sentinel Anti-exploit, Reseau Protector, Trusteer Apex (for coporate user) I think EMET works in userland as I can't find its driver though it has its service, but might be wrong. HPA means Hitman Pro.Alert, another anti-exploit software by Surfright. As I explained, well configured HIPS or sandbox is good to prevent known fileless malware, but there's a hole which can not be filled by HIPS or sandbox approach. That is information theft against browser or plugin.
Do you mean sth like this? http://www.zdnet.com/article/kaspersky-finds-bot-that-resides-in-memory/ https://www.fireeye.com/blog/threat...linked-to-deputydog-uses-diskless-method.html (This above one abuses IE vuln (and to enhance it, also flash IIRC) so might not be sth you're looking for) https://www.fireeye.com/blog/threat...-that-observes-for-multiple-mouse-clicks.html I agree if you say nothing new, but isn't it also true to most of current attacks? I think the roots of most current infection technique are found in the first decade of malware history.
@ aigle My post was to highlight that some of the infection vectors still rely on running a file = .exe so my setup would prevent it. Another way i would be covered, PG & Zemana both prevent Injection, in my case it was into explore.exe MZ = .exe which would be blocked by PG. Registry entries would be blocked by PG, as i have included Regedit etc for moitoring/blocking.
Okay other vulnerability or attack against them I can write down or could quickly find are, 1. vuln/bug in web site/web app 1-1. both of server-side and client-side problem: XSS, CSRF, http header injection, click jacking, DNS rebinding 1-2. mainly server-side: SQL injection, OS command injection, directory traversal, enforced browsing, parameter modification, http response splitting, improper session management including session fixation 2. DoS/DDos attack, including land attack, smurf attack, ping flood, SYN flood, F5 attack, ping of death, SSPING, teardrop, octopus, finger attack, OOB, UDP storm, mail bomb, DNS amp, NTP amp 3. vuln in DNS: DNS cache poisoning, zone transfer attack 4. vuln in crypt 4-1: side-channel attack: timing attack, fault analysis attack, SPA, DPA, electromagnetic attack, cache attack, acoustic analysis attack, data remanence including cold boot attack 4-2 other: KPA, CPA, CCA, CCA2, Related-key attack, padding oracle attack, linear cryptanalysis, differential cryptanalysis, meet-in-the-middile attack, copy-and-paste attack, bit-flip attack, replay attack, 4-3 SSL/TLS: BEAST, CRIME, TIME, BREACH, Lucky13, RC4 biases, POODLE, Heartbleed, 3Shake 5. application design flaw: fake UI, UI modification, improper permission setting, improper access control, improper info management, improper data verification, improper sig/cert verification, improper key management, arbitrary file manipuration, write-what-where-condition, arbitrary query execution, authorization bypass, same origine bypass 6. vuln in protocol: some vuln in SMTP, UPnP remember it is not meant complete list, it is just meant to show you some other vuln or exploit other than RCE (remote code execution). Not all of them affect you. I understand your worry as I'm in similar situation. My girl friend often use my PC, and strangely enough while she is more techy than me (she can build application), she don't have even common sense security! Of course she complained my setup, so I made her browser which is less secure but usable. At first it was SBIEed firefox but SBIE troubled her so next I made her Chrome profile. Currently it works, with layered system protection and LUA. I think virtualization (toolwiz) or rollback is another answer, but currently yet done. One reason is it causes some performance delay, another is simply not convenient as I often change system or app config. At least always use virtualization is currently out of my scope, and it is impossible that use virtualizaion only when she use the PC as she can come in my home when I'm not. If she made unacceptable changes to my system, though it has only occurred once so far, I can easily restore previous OS image. Sorry I don't know much about AppGuard, so can't comment on this.
OK, big thanks for everything (including that exploit list), but one small question: What is your security setup? How do you find compromise between computer security and your family/girlfriend? Your security setup would help me to decide what and how deal with my family, so I don't have fix every single thing on the computer, when they are on the net, especially net banking/shopping-it's risky and I trust none and nothing. The good thing is that they tolerate at least for now Sandboxie, but since I also like multi-layered system protection, what else should I do? That's all.
Appguard doesn't protect against DLL's, or protect them. What it does is stop applications from running from user areas and also prevents Guarded apps from writing to the system areas. Explanation of what these terms mean can be found in PEGR's guide in post 5 of the Appguard thread.
Big thank you, Peter for this explanation and I will look at post #5 in AppGuard thread! Big thanks, again!
Yes, but these mention the same infection techniques I've already found: browser plug-in vulnerability IE vulnerability email attachment trickery (MS Office Document) Agreed! Thanks for your input, Yuki. -rich
In theory this could be loaded by some exploit-kit to make it really file-less. The question is if HIPS will then still be able to block code injection done from inside browser memory, so not from a separate "phase.exe" process. I'm guessing that HIPS (sandboxes/behavior blockers) are indeed able to block this, so I think this threat is a bit over hyped. The only thing that is a bit worrying is data protection against info-stealing trojans. Some HIPS do offer this, but it can sometimes be a pain to make it work smoothly without it becoming intrusive.
I think I failed to explain it. PG, Zemana and any other HIPS doesn't and ca't detect the injection by this fileless malware.
Your guess is wrong. HIPS fail here, ands sandboxes although keep the system clean but they can,t stop data theft.
Ok, got it. BTW I want to ask a question about AE. Does its latest version( just like the older ersion) intercepts dlls?
Yes, but the user has to enable DLL protection. BTW, Kafeine, in his analysis of Angler EK, notes that AE did not alert (no suprise). ---- rich
@142395 Respective to post #85-- wish you would consider posting same on the thread "What is your security setup these days?" I'll concede an unbridled admiration in following your posts at length..
Would Software Policy block DLL's? MrBrian posted that it has that option.. "SRP has an option for whether to include DLLs or not. This program doesn't seem to expose that option, and my test reveals that the program sets it to not include DLLs."
I think you misunderstood. I'm not saying that HIPS can stop file-less malware triggered by exploits from running. You need specialized anti-exploit tools like EMET/HMPA/MBAE for that. But let's say that this file-less/in-memory malware is running inside the browser process. It will only have as much access rights as the browser has. If configured correctly, HIPS/sandbox will restrict browsers and other vulnerable apps, so this means that it can not inject code into other processes, it can not install services/drivers, it can not accept incoming connections et cetera. If the HIPS has data protection it can even restrict access to important data. For example, if you use a password manager, you can restrict the browser from having access to your password database.
Software Policy has an option to block DLLs, yes. However, it has notable performance issues with that enabled. Code: ; Control where dynamic link libraries can be launched from, as well as executables: ; Note that this has a performance hit, therefore only use where max security is needed. IncludeDLLs=0 Simply change the 0 to 1. But if you are wondering if SRP would block fileless malware, not very likely. EMET together with a well planned SRP rule set is a great combination though.
