Fileless malware detection

Discussion in 'other anti-malware software' started by aigle, Dec 3, 2014.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    When we tested the standard Duqu 1 against the old ZVL ExploitShield, it prevented the infection thanks to Layer3. The TTF kernel exploit of course still got through, but at least the payload's malicious action was blocked. But of course there are ways around that.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    There is no way to prevent attacks on the Windows OS kernel AFAIK, so that's always a problem. On the other hand, I can't imagine that it's easy to bypass HIPS and HIDS (Intrusion Detection), and if so, they should step up their game. Because at one point, HIPS/HIDS will probably notify you of suspicious behavior, although it's harder to detect in-memory malware.

    That's nice to know. I guess most malware writers will not put much effort in trying to bypass standard exploit mitigations.
     
  3. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Well, actually I took the piece of advice to disable the embedding of fonts from the MS14-058 advisory (the CVE-2014-4148 patch) itself. ;)

    https://technet.microsoft.com/en-us/library/security/ms14-058.aspx --> Look at the 'Workarounds' section for CVE-2014-4148. Denying access to t2embed.dll seems to prevent the embedding of fonts and thus prevents an exploitation attempt in the first place. But indeed, there are no easy ways to mitigate other kernel vulnerabilities. (Although KASLR, SMEP and Null Dereference Protection present in Windows 8.1 make exploiting kernel vulnerabilities quite a bit harder.)

    I cannot comment on the HIPS part.

    Most vulnerabilities and exploits are not developed by malware writers themselves, but by 3rd party suppliers. One of the most notorious was the Elderwood project.
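    As an added illustration (not part of ropchain's post or the advisory), a read-only PowerShell check of whether the MS14-058 workaround for CVE-2014-4148 is in place on a host. It assumes the workaround was applied as the advisory describes, i.e. an explicit Deny ACE for Everyone on t2embed.dll, and it only reports; it changes nothing.

```powershell
# Added example: audit whether t2embed.dll carries the Everyone deny ACE
# that the MS14-058 CVE-2014-4148 workaround creates. Read-only check.
# Assumption: a Windows host; the file lives in %windir%\System32.
$t2embedPath = Join-Path $env:windir 'System32\t2embed.dll'

function Test-T2embedDenied {
    param([string]$Path = $t2embedPath)

    if (-not (Test-Path -Path $Path)) {
        # Nothing to check; report the file as absent rather than erroring.
        return [pscustomobject]@{ Path = $Path; Present = $false; Denied = $false; Rights = '' }
    }

    $acl = Get-Acl -Path $Path

    # Everyone is the well-known SID S-1-1-0; comparing SIDs avoids
    # locale-dependent account names ("Everyone", "Tout le monde", ...).
    $denyAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }

    [pscustomobject]@{
        Path    = $Path
        Present = $true
        Denied  = [bool]$denyAces
        Rights  = ($denyAces | ForEach-Object { $_.FileSystemRights.ToString() }) -join ', '
    }
}

# Report the current state; Denied = True means the workaround is active.
Test-T2embedDenied | Format-List
```

    Note that while the deny ACE is in place, applications that rely on embedded fonts will not render them, which is the trade-off the advisory's workaround section describes.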
     
  4. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes correct, I meant exploit writers.

    HIPS and HIDS are big business, and everyone claims they are able to stop and detect the most sophisticated attacks. So I really wonder what type of software Kaspersky was using. Just take a look at this list: http://cybersecurityventures.com/cybersecurity-500/
     
  6. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Well, of course every company is going to say that they protect against the most sophisticated threats, but in reality it would be very hard to test such claims. It's not about what you've found (Kaspersky is great at publishing reports about APTs, for example) but about what you've missed, and it will always be a battle between independent testers and PR when it comes down to the verification of these kinds of claims.
     
  7. True, only we don't know what we miss, so like black hole researchers we have to look at other events to get clues. Therefore I decided to do a small field test that everyone can replicate: I googled "exploit" "Advanced Persistent Threat" and surfed to the CERT-EU news monitor and searched using the same keywords.

    This non-scientific scan of the resulting pages gave me the impression that

    Google, FireEye, Kaspersky and Trend Micro dominate news items relating to exploit/APT scoops found in other software, not their own.

    When they reveal more scoops, it is reasonable to assume they put more effort into it (and this circumstantial evidence builds a case for assuming they are also better at protecting against those threats). Is this congruent with the opinion/impression of forum members?
     
    Last edited by a moderator: Jun 16, 2015
  8. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Well, definitely FireEye and Kaspersky. But Google and Trend Micro not so much if you would ask me.
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    FireEye, Kaspersky and TM release a lot of news and analysis of APTs. IMO it's a marketing thing more than anything else.
    Also, who decides what is an APT and what is a "regular" infection/intrusion?
     
  10. Fileless malware is sort of self-explanatory, but APT (advanced persistent threat) is mentioned both in targeted cyber attacks and in advanced staged (multi-step) intrusions by context-aware exploit kits, so I don't know :cautious:
     
  11. Nightwalker

    Nightwalker Registered Member

    Joined:
    Nov 7, 2008
    Posts:
    1,387
    Google seems to be in the right direction with Project Zero.
     