MRG Effitas – Real World Exploit Prevention – March 2015 (sponsored by Surfright)

Discussion in 'other anti-malware software' started by FleischmannTV, Apr 7, 2015.

  1. 142395

    142395 Guest

I understand it is blocked by HW-assisted CFI, which has a great advantage against CALL-preceded ROP attacks. I don't disregard this advantage, but to prove your genuine intention the best way would be to raise a bypass challenge for researchers or any skilled person. Even if HMPA were bypassed, they may still find that bypassing it is not easy, and such a bypass challenge itself makes HMPA more bullet-proof.
     
  2. 142395

    142395 Guest

The URL of the PoC code is in the paper. Maybe you have to compile and build it.
Actually you don't need to compile; it includes an exe and a how-to guide.
     
    Last edited by a moderator: Apr 8, 2015
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,285
Now you are getting too technical for me... So I won't be able to evaluate that claim by Mark Loman.
     
  4. 142395

    142395 Guest

I was wrong; actually it seems easier.
Go to hxxps://blog.mrg-effitas.com/wp-content/uploads/2015/04/MRG_Effitas_Artificial_Zero_Day_Exploit.zip and extract it (your AV may detect it).
It includes shellcodetounicode.exe and a how-to guide, which is:
     
  5. metmichallica

    metmichallica Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    183
Okay, I am confused. I use the free version of Malwarebytes Anti-Exploit, and I also run Norton Security Suite (actually last year's version) along with Malwarebytes Premium. Do you think I am protected, or do you think I should upgrade?
     
  6. 142395

    142395 Guest

It totally depends on WHAT you want to be protected from. By using Norton, you're fairly well protected from most known exploits and a bit protected from some non-sophisticated unknown exploits. MBAM does nothing against exploits, but may block the malware that follows.
BUT I don't think this is the proper place to ask such a question.
     
    Last edited by a moderator: Apr 8, 2015
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Of the 6 fails shown for MBAE 1.05, at least 5 of them should be blocked by MBAE 1.06 which has been final for over a week now and publicly available since mid March.
     
  8. metmichallica

    metmichallica Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    183
Thank you, I was thinking of upgrading to Malwarebytes Anti-Exploit Premium. I wish they still offered those lifetime licenses. Sorry for this not being the correct place. I don't know if I will or not. Thank you for answering my question, though.
     
  9. 142395

    142395 Guest

Whoops, I thought you mentioned MBAM, but sorry, it was MBAE. My bad.
As the test was conducted using a browser, you're fairly well protected, as MBAE Free protects browsers and plugins. But some of the vulns used are in Windows OLE, which are exploited via Office documents. So the Premium version offers more comprehensive protection.
     
    Last edited by a moderator: Apr 8, 2015
  10. metmichallica

    metmichallica Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    183
    It's okay, I did. I have that too and I also run Zemana Antilogger free along with Malwarebytes Anti-Exploit free.
     
  11. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
I'd upgrade to Norton 2015. You can buy a license from them on sale, then open a web chat, ask 'nicely' for 50% off, then ask them to combine licenses. Norton 2015 has some of the tech from SEP integrated into it now and is very strong with IPS and exploits. I am not sure if MBAE adds anything to Norton in that respect; I doubt it...
     
  12. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Did you find other ways of bypassing HMPA besides the famous 'pop-copy' to the stack?
     
  13. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
HW-assisted CFI bypasses still exist, although they require quite some debugging and hours of work. HMPA, MBAE and EMET are just meant to make it more difficult to exploit software vulnerabilities, but they are not watertight. Compare it to a bulletproof vest. Such a vest is able to stop a 9 mm, but not a .50 caliber round.
     
  14. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The ROP-chain was specifically created for the test to expose tools that rely heavily on the simple stack-pivot detection. You cannot bypass HMPA (or MBAE for that matter) with just a 'pop-copy' to the stack. It takes quite a bit more effort ;)
     
    Last edited: Apr 8, 2015
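The two checks discussed in this thread, the "simple stack-pivot detection" erikloman mentions and the CALL-preceded return-address check that 142395 credits to HW-assisted CFI, can be modelled in a few dozen lines. The block below is an added example written for this page; it is not code from HitmanPro.Alert, MBAE, EMET or MRG Effitas. It is a portable simulation: the thread's stack bounds and the code bytes are passed in explicitly (a real hook would read them from the thread's TEB and the loaded image), the `thread_stack_t` type and function names are illustrative, and the x64 bytes in `kCode` are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not HMPA/MBAE/EMET code): a portable model of two checks an
 * exploit-mitigation hook can run when a sensitive API is entered. Stack
 * bounds and code bytes are supplied explicitly so the model runs anywhere. */

typedef struct {
    uintptr_t stack_limit;  /* lowest valid address of the thread's stack */
    uintptr_t stack_base;   /* one past the highest valid address */
} thread_stack_t;

/* Check 1 (simple stack-pivot detection): the stack pointer at API entry must
 * lie inside the thread's real stack. A pivot to attacker-controlled heap
 * memory fails this check. */
bool stack_pivoted(const thread_stack_t *ts, uintptr_t sp) {
    return !(sp >= ts->stack_limit && sp < ts->stack_base);
}

/* Decode a CALL at p if one is present and return its length (0 if none).
 * Handled encodings: optional REX prefix (x64), E8 rel32, and FF /2 with every
 * ModRM/SIB/displacement form. Never reads past 'avail' bytes. */
static size_t call_insn_len(const uint8_t *p, size_t avail) {
    size_t i = 0;
    if (avail == 0) return 0;
    if ((p[0] & 0xF0) == 0x40) {          /* REX prefix */
        i = 1;
        if (avail < 2) return 0;
    }
    if (p[i] == 0xE8)                     /* CALL rel32 */
        return (avail >= i + 5) ? i + 5 : 0;
    if (p[i] != 0xFF || avail < i + 2) return 0;
    uint8_t modrm = p[i + 1];
    if (((modrm >> 3) & 7) != 2) return 0; /* only FF /2 is CALL */
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    size_t len = i + 2;
    if (mod != 3) {                       /* memory operand */
        if (rm == 4) {                    /* SIB byte follows */
            if (avail < len + 1) return 0;
            uint8_t sib = p[len++];
            if (mod == 0 && (sib & 7) == 5) len += 4; /* no base: disp32 */
        } else if (mod == 0 && rm == 5) {
            len += 4;                     /* disp32 (RIP-relative on x64) */
        }
        if (mod == 1) len += 1;           /* disp8 */
        else if (mod == 2) len += 4;      /* disp32 */
    }
    return (avail >= len) ? len : 0;
}

/* Check 2 (CALL-preceded return address): scanning backwards from the return
 * address, is there a CALL encoding that ends exactly there? ROP gadgets are
 * usually entered by a RET rather than a CALL, so their addresses fail this.
 * Backward decoding of x86 is ambiguous, which is why this is a heuristic. */
bool preceded_by_call(const uint8_t *code, size_t code_len, size_t ret_off) {
    if (ret_off > code_len) return false;
    for (size_t len = 2; len <= 8; len++) {  /* 8 = REX+FF+ModRM+SIB+disp32 */
        if (ret_off < len) break;
        if (call_insn_len(code + ret_off - len, len) == len) return true;
    }
    return false;
}

typedef enum { ROP_OK = 0, ROP_STACK_PIVOT = 1, ROP_NOT_CALL_PRECEDED = 2 } rop_verdict_t;

/* The hook's combined verdict for one API entry. */
rop_verdict_t check_api_entry(const thread_stack_t *ts, uintptr_t sp,
                              const uint8_t *code, size_t code_len, size_t ret_off) {
    if (stack_pivoted(ts, sp)) return ROP_STACK_PIVOT;
    if (!preceded_by_call(code, code_len, ret_off)) return ROP_NOT_CALL_PRECEDED;
    return ROP_OK;
}

/* Constructed x64 code bytes for the demonstration (not from a real binary). */
static const uint8_t kCode[] = {
    0x55,                                 /*  0: push rbp                 */
    0xE8, 0x10, 0x00, 0x00, 0x00,         /*  1: call +0x10   -> ret to 6  */
    0x48, 0x89, 0xC7,                     /*  6: mov rdi, rax              */
    0xFF, 0x15, 0x00, 0x10, 0x00, 0x00,   /*  9: call [rip+0x1000] -> 15   */
    0x5D,                                 /* 15: pop rbp                   */
    0xC3,                                 /* 16: ret  (a bare ROP gadget)  */
    0x41, 0xFF, 0xD3,                     /* 17: call r11     -> ret to 20 */
    0x90                                  /* 20: nop                       */
};
static const thread_stack_t kStack = { 0x7ff00000u, 0x7ff10000u };

int main(void) {
    /* Legitimate call: SP inside the stack, return address right after a CALL. */
    printf("legit:  %d\n", check_api_entry(&kStack, 0x7ff0f000u, kCode, sizeof kCode, 15));
    /* Pivoted stack: SP points into the heap. */
    printf("pivot:  %d\n", check_api_entry(&kStack, 0x0a2b0000u, kCode, sizeof kCode, 15));
    /* No pivot, but the return address is the gadget at 16, which no CALL precedes. */
    printf("gadget: %d\n", check_api_entry(&kStack, 0x7ff0f000u, kCode, sizeof kCode, 16));
    return 0;
}
```

Note the weakness visible in the sample bytes themselves: offset 15 (`pop rbp; ret`) is a usable gadget and still passes the CALL-preceded check because a real `call [rip+0x1000]` happens to end there. That is the class of chain the thread describes as taking "quite a bit more effort": one that avoids the pivot and picks only gadgets that sit right after a CALL.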
  15. metmichallica

    metmichallica Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    183

    I'm waiting for the free upgrade from Comcast which we will probably get in the summer. It will come eventually though.

    http://constantguard.comcast.net/norton-security-suite (for Comcast internet subscribers)

    Norton wouldn't want me to pay. They were actually giving refunds to Comcast Internet Customers who purchased Norton the other year.

So you are saying I don't need Malwarebytes Anti-Exploit?
     
  16. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
At least your provider keeps up. Mine provides F-Secure Lifetime for all household devices, but they are 3 years behind on the versions, and I refuse to use it as a result. I'd say Norton 2015 dialed up would provide more than enough protection. It routinely scores in the top quadrants for IPS/script and exploit protection. It looks like 2015 put some focus into exploit protection, and really strong IPS based on SEP. I'd be fully confident running Norton as a single source, personally speaking. But that's my opinion and my experience with it.

    Here's a test from last year showing Norton blocking 100% of the tested exploits, just for more evidence, plenty of that out there.

    http://www.av-test.org/fileadmin/pdf/reports/AV-TEST_XP_Exploit_Test_April_2014.pdf
     
  17. metmichallica

    metmichallica Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    183

I think Comcast makes them, with all the money Comcast is paying them. Comcast used to use McAfee, and they never updated programs to new versions. Now Comcast users would be screaming if Symantec didn't update to new versions.
Symantec has been very good when it comes to that. One of the things I have been worried about is that Norton is no longer on AV-Comparatives, and the last time they were, their detection rating was slipping, so I was wondering if it is still good enough to use. That's the thing that bothers me most about Symantec. They are no longer on AV-Comparatives.
     
  18. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
I wouldn't put any stock in them not being on AVC, and it has nothing to do with slipping detections from what I have been told; it is more related to a disagreement over test methods. Symantec scores highly at other testing locations, and with most reputable YouTube testers that don't use flawed testing. Symantec is very holistic, and utilizes multiple technologies and engines at the same time to determine your threat and deal with it, similar to how an enterprise solution works. For example, Sophos UTM uses ATP, IPS, AV and WAF all synergistically to deal with threats. Testing one aspect won't portray the whole picture.

    To fully test Norton you need a stable internet connection, and all of the aspects installed and running.

    URL Filtration->IPS->Download Insight->Reputation/DNA->Signature Scan->Sonar/Heuristics

Combined, the technologies present a remarkably good level of security. Individually? None of them are going to be perfect. We should probably carry this over to the Norton thread if you want to continue. But many 'pros' here really like Norton 2015 and SEP, and there are good reasons for this. Norton isn't the whipping boy it used to be.
     
  19. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
The answer is always 'it depends'. Although my last attempt to launch a calculator with a pop-copy chain against HMPA was with build 120 (iirc). Pop-copy chains are an interesting concept, but extracting the necessary gadgets dynamically seems to be an impossible task when using AS. And yes, afaik you cannot run shellcode from the stack or heap when dealing with HMPA or MBAE; EMET is another story.
     
  20. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,741
    Location:
    UK
    Are you saying you can't run the two together, or have you excluded HMP.A in EIS?
     
  21. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,094
    Location:
    Germany
    No, he probably meant that he had to disable EIS in order for HMP.A anti-malware to stop malware from doing its job, because otherwise EIS would have stopped it first. Yet I think this is rather related to crypto ransomware and not exploits. EIS would have killed the crypto ransomware with signatures or behavior blocker / cloud before HMP.A's cryptoguard could have detected anything.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Tony, FleischmannTV is correct. While it's interesting to see how stuff works, the bottom line is it doesn't run. This would appear to be another low-quality test. Great for verifying HMPA, but why pit software that makes no claim to blocking exploits against it?

Even if a client requests it, where are MRG's ethics to say this isn't valid?
     
  23. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    We agree..

    1) Synthetic, fake exploit = Questionable?
    2) Pitting 'focused' products against ones that NEVER purported to be specialists in that area = Questionable?

Norton I can see. Norton will smash the face of most antivirus products for exploit prevention, and even some specialized anti-exploit software. Nobody disagrees there; Norton invests a lot of resources in stopping/preventing exploits with their software. Anyone with SEP experience can vouch for that. But tossing in random products that never claim, nor will likely ever be good at, exploit prevention makes me feel they want to 'elevate' one product over the others? At the very least, the test might serve as a detriment, because it shows lowly, low-cost, light-impact Norton 2015 will do the job almost as well? :isay:
     
    Last edited: Apr 8, 2015
  24. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
It doesn't even matter whether you use a one-day or a zero-day, since both use the same exploitation techniques.
Performing a stack pivot and/or marking memory as executable is something that can be done using quite a few vulnerabilities.

    (Okay, logic flaws are a very different story, but they are still quite rare)
     
  25. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    There is no difference between Meterpreter exploits and the exploits used in the MRG test. You can supply custom exploits in Meterpreter (besides the standard exploits developed by Rapid7) just as you can supply them to the ExploitMe plugin that was used in the test.

Since you use the term 'fake exploit', you apparently do not know how vulnerabilities, exploits and payloads are related. There is no such thing as a fake exploit, just as there is no such thing as fake malware. An exploit is just a combination of techniques to abuse a vulnerability in order to drop a payload on the system.

The MRG test uses a fictive vulnerability in order to run an exploit on the system. This is to test the various exploit mitigation features in a security product.

    All AVs in the test were treated equally. If the payload process got executed, the exploit worked. I believe a tool like ProcessMonitor was used to verify the payload got executed.
     
    Last edited: Apr 8, 2015