Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,885
    Location:
    U.S.A.
    Removed Reported OT Posts. Let's Focus Only On Malwarebytes Anti-Exploit. Thank You!
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It depends. If you use a sandbox only, then the exploit/malware can run, but can't infect the system. But it's better if there is no malicious activity inside the sandbox either. If you run with MBAE only, then you're out of luck when it gets bypassed. So it's best to use anti-exploit + sandbox. HMPA can work together with Sandboxie, but I'm still not sure if MBAE can do the same.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Rasheed,

    I asked Kafeine about this in the Comments, and he replied,
    Bedep is the fileless malware that injects itself into an explorer.exe process. From last year:

    Cyber-criminals quickly adopt critical Flash Player vulnerability
    October 22, 2014
    https://blog.malwarebytes.org/explo...ly-adopt-critical-flash-player-vulnerability/
    I also asked Kafeine in the Comments about the earlier bedep malware in an Angler EK, and he replied,
    I contacted Faronics about this, and they tested his sample and confirmed it does alert when a call is made to download malware to disk.

    Kafeine's reference to Poweliks is to that fileless malware which writes to the Registry. Emsisoft described this last year:

    http://blog.emsisoft.com/2014/08/06/poweliks-the-file-less-little-malware-that-could/
    August 6, 2014
    Note that reboot-to-restore products would discard anything written to the Registry in that circumstance.

    ----
    rich
     
  5. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    I tried what ZVL told me, I tried what other posters told me on other forums and pretty much everything else, but I still cannot have MBAE protect sandboxed web-browsers inside Sandboxie, I even gave full access to Malwarebytes Anti-Exploit inside Sandboxie, but still no luck.
     
  6. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Hopefully, Sandboxie does contain and protect against these Bedep and Poweliks fileless malware, even though I always have HMPA3 as well.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Keep in mind that the attack vectors for fileless malware are the same as for the more common malware:
    • drive-by attacks: browser plug-in vulnerabilities
    • email attachment trickery (MS Office Document)
    References

    http://www.pcworld.com/article/2601...acks-stealthier-with-fileless-infections.html
    Sep 2, 2014
    http://www.pcworld.com/article/2461...poweliks-resides-only-in-system-registry.html
    Aug 4, 2014

    ----
    rich
     
  8. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    OK, I see. That means Sandboxie does actually protect against this file-less malware as well, since my plugins, e-mail and Microsoft Office documents are always sandboxed by Sandboxie. However, I will keep Sandboxie, AppGuard and HMPA3 for my protection.
    Big thanks, Rmus, for clearing this up.
    Just one quick question, which you don't have to answer at all if you don't want to:
    you said "more common malware"; then what is considered less common malware? I didn't even know there was such a thing as less common malware. I guess it directly means that there are less common exploits, but which ones? The only ones I have in mind are kernel exploits, and there is nothing that can protect you from kernel exploits.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I was not attempting to rank malware, just to say that fileless malware, and malware that writes to disk, both have the same intrusion methods at the moment.
    Consider that kernel exploits, like any other, have to be triggered by something. That is where your initial protection is.

    References

    Duqu Malware Exploits Windows Zero-Day Kernel Bug, Attacks Via Microsoft Word Document
    Nov 2, 2011
    Of TrueType Font Vulnerabilities and the Windows Kernel
    http://threatpost.com/of-truetype-font-vulnerabilities-and-the-windows-kernel/101263
    July 11, 2013

    ----
    rich
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    While kernel exploits such as Duqu are not detected by typical exploit mitigations, in the case of MBAE (and maybe even HMPA) the application behavior layer can block the malicious action of the payload.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    That is nice to know!

    Can MBAE anticipate unknown (at the time) application behavior, or does it analyze based on all currently known behavior?

    thanks,

    -rich
     
  12. guest

    guest Guest

    Unfortunately Malwarebytes isn't giving a list of mitigations present in MBAE, so you would have to rely on:

    1) Reverse engineering MBAE
    2) Slicing through each layer of defense in order to find out which protective measures are implemented (you'll likely miss quite a few)
    3) Hoping that a tiny bit of information can be given by pbust
     
    Last edited by a moderator: Jan 26, 2015
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    How can you suggest such a thing!

    I asked a simple question about the behavior analysis. If the developer can not comment on that, he will say so!

    regards,

    -rich
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    It monitors for a set of known bad behaviors on a per family basis as behavior is defined per family. Bad behaviors are very generic in nature, so they can protect against a wide variety of payload actions (ex. winword.exe downloading and executing a PE file).
     
  15. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    24,068
    Location:
    UK
    Off topic post removed.

    Topic is Malwarebytes-Anti-Exploit not Sandboxie
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Thanks for the explanation!

    ----
    rich
     
  17. 142395

    142395 Guest

    Malware ≠ Exploit (theoretically an exploit may use any malware as payload).
    There are more common and less common ones. In 2011, the Blackhole exploit kit reportedly infected millions of machines, and hundreds of millions of attacks were detected. OTOH, one exploit ESET reported put a limit on itself so that it could only infect 1,000 machines a day. This seems to be aimed at delaying detection by AV vendors or experts.
     
  19. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I think I'm starting to understand the "application lockdown" feature a bit better now, it always has been a bit vague.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Can you give some more info, where can I find these settings?
     
    Last edited: Jan 27, 2015
  21. guest

    guest Guest

    (Sorry for my English)

    I can give you a more in-depth example of the application lockdown feature.

    The following description will focus on some of the lockdown features with regard to Java.

    An attacker is able to drop malicious files in a number of ways, just to name a few:
    - Downloading executables via Java (https://stackoverflow.com/questions/921262/how-to-download-and-save-a-file-from-internet-using-java)
    - Using PowerShell (A bypass was fixed in 0.10 Beta: http://j3rge.blogspot.com/2014/10/anti-exploit-bypass-javapowershell.html)

    Application Lockdown will prevent downloaded executables from running (probably by comparing hashes of files which are being downloaded through Java applets)
    Furthermore, access to cmd.exe and powershell.exe is not allowed and will also result in triggering an alert.

    Please note that these conclusions are based on witnessed behavior of MBAE and might be incomplete.
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Yes thanks, so it's not just about trying to stop memory corruption techniques, but also about blocking suspicious behavior. This is what sets HMPA and MBAE apart from EMET, if I'm correct.
     
  23. guest

    guest Guest

    You're correct, application lockdown is a major addition to MBAE/HMPA over EMET. It should also prevent the exploitation of some logical flaws (haven't yet tested this though) and I also don't know what the impact of diskless malware is on the application lockdown feature. But EMET still contains a mitigation that I really like: EAF+. It basically prevents an exploit from reading/locating the PE header, so that mitigation would kill *any* exploit that relies on dynamically locating gadgets and functions. But it makes EMET just too slow to be usable. MBAE is quite a bit faster ;)
     
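    The post above says EAF+ stops an exploit from reading the PE header and export table. What that read looks like is shown by the following added example (my own code, not EMET's, MBAE's or the poster's): it builds a throwaway PE32+ image in memory with a few exports, with the layout, the DLL name and the function RVAs all invented, and then resolves a function from it the way position-independent shellcode does, both by name and by the ROR-13 hash that Metasploit's block_api stub uses. Every header read in walk_exports is exactly the kind of access from non-image memory that EAF traps with a hardware breakpoint.

```python
import struct


def build_fake_image(export_names, dll_name=b"FAKE32.dll"):
    """Build a minimal flat PE32+ image (RVA == offset) exporting export_names.

    Returns (image, rvas) where rvas maps name -> the fake function RVA we
    recorded in the export address table. Constructed for the example; the
    function RVAs point nowhere and are never dereferenced.
    """
    E_LFANEW, OPT, EXPORT_DIR = 0x80, 0x80 + 24, 0x200
    image = bytearray(0x1000)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, E_LFANEW)          # e_lfanew -> NT headers
    image[E_LFANEW:E_LFANEW + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=AMD64, 0 sections, SizeOfOptionalHeader=240, EXECUTABLE|DLL
    struct.pack_into("<HHIIIHH", image, E_LFANEW + 4, 0x8664, 0, 0, 0, 0, 240, 0x2022)
    struct.pack_into("<H", image, OPT, 0x20B)               # PE32+ magic
    struct.pack_into("<II", image, OPT + 112, EXPORT_DIR, 40)   # DataDirectory[0] = export table

    names = sorted(export_names)                            # the real table is kept sorted
    n = len(names)
    funcs = EXPORT_DIR + 40                                 # AddressOfFunctions array
    name_ptrs = funcs + 4 * n                               # AddressOfNames array
    ordinals = name_ptrs + 4 * n                            # AddressOfNameOrdinals array
    cursor = (ordinals + 2 * n + 3) & ~3                    # string pool, 4-byte aligned
    rvas = {}
    for i, name in enumerate(names):
        rvas[name] = 0x10000 + 0x20 * i                     # invented code RVA
        struct.pack_into("<I", image, funcs + 4 * i, rvas[name])
        struct.pack_into("<I", image, name_ptrs + 4 * i, cursor)
        struct.pack_into("<H", image, ordinals + 2 * i, i)  # unbiased ordinal = index into funcs
        blob = name.encode() + b"\0"
        image[cursor:cursor + len(blob)] = blob
        cursor += len(blob)
    blob = dll_name + b"\0"
    image[cursor:cursor + len(blob)] = blob
    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Name,
    # Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames,
    # AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", image, EXPORT_DIR,
                     0, 0, 0, 0, cursor, 1, n, n, funcs, name_ptrs, ordinals)
    return image, rvas


def walk_exports(image):
    """Yield (name, function_rva) by reading the headers the way shellcode does:
    MZ -> e_lfanew -> PE -> DataDirectory[0] -> export address table."""
    if image[0:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dir_off = 112 if magic == 0x20B else 96                 # PE32+ vs PE32 optional header
    export_rva, _size = struct.unpack_from("<II", image, opt + dir_off)
    if export_rva == 0:
        return
    (_, _, _, _, _, _base, _nfuncs, nnames, funcs, name_ptrs, ordinals) = \
        struct.unpack_from("<IIHHIIIIIII", image, export_rva)
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", image, name_ptrs + 4 * i)[0]
        name = bytes(image[name_rva:image.index(b"\0", name_rva)])
        ordinal = struct.unpack_from("<H", image, ordinals + 2 * i)[0]
        yield name, struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]


def ror13_hash(name):
    """ROR-13 string hash, the scheme Metasploit's block_api stub uses so the
    shellcode carries no readable API names."""
    h = 0
    for c in name:
        h = ((((h >> 13) | (h << 19)) & 0xFFFFFFFF) + c) & 0xFFFFFFFF
    return h


def resolve_by_name(image, wanted):
    return next((rva for name, rva in walk_exports(image) if name == wanted), None)


def resolve_by_hash(image, wanted_hash):
    return next((rva for name, rva in walk_exports(image)
                 if ror13_hash(name) == wanted_hash), None)


if __name__ == "__main__":
    img, rvas = build_fake_image(["WinExec", "LoadLibraryA", "GetProcAddress"])
    print(hex(resolve_by_name(img, b"WinExec")), hex(rvas["WinExec"]))
    print(hex(resolve_by_hash(img, ror13_hash(b"LoadLibraryA"))))
```

    The hash variant is why a mitigation has to sit on the reads rather than on the strings: the shellcode never contains "LoadLibraryA", only a 32-bit constant, so the one thing it cannot avoid is touching the export table of the module it is searching. That is the access EAF breaks on, and why the post describes it as killing any exploit that locates functions dynamically.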
  24. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    I installed HMPA 3.0RC and the install broke SBoxie. Only way I found to revive SBoxie was to un-install HMPA and clean install SBoxie. Sorry Off Topic
     
    Last edited: Jan 30, 2015
  25. bjm_

    bjm_ Registered Member

    Joined:
    May 22, 2009
    Posts:
    4,457
    Location:
    .
    Posted in Thread on SBoxie Forum <<if you installed v4.x.x when browsing MBAE needs to be stop then restart it's protection in order for it to work>> same author prompts << Add Malwarebytes Anti-exploit(pro would be best) as it give you a warning of possible exploits, it works best with SBIE v3.76 >>
    I came here looking for MBAE users running SBoxie....guess, I'll have to test for myself. Wonder if MBAE shows PID in Default SBox.
    Hope this is not Off Topic. Apology to all...if it is.
     