Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    I've found this funny thing at VT, according to Kaspersky it's the new version of Zeus, Chthonic - © Malwarebytes Corporation. All rights reserved:

    *Removed as per forum TOS
     
    Last edited by a moderator: Dec 28, 2014
  2. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,469
    Location:
    Hollow Earth - Telos
    I had to deactivate the shield for Chrome because of a lot of problems. I get some kind of exception message when i first launch Chrome sometimes and seem to have some problems with new tabs and slowing down of bringing up new web sites. I don't seem to have the same problems with Comodo Dragon and other browsers. All i know is that Chrome seems to be faster and better when the shield is off.
     
  3. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    It probably conflicts with HMPA.
     
  4. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Any hope of MBAE getting to the point where Sandboxie detects it and adds it to the list of compatible products... where you can just tick the box beside it and viola... it's done and they're working harmoniously together? That's the day I'm waiting/hoping for. When it comes I'll not only purchase a key for the paid version, but also for every box that I work on and add it to my arsenal.
     
  5. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes there was a rash of malware using the Malwarebytes and MBAE information in its resources. There's a few hundred variants of it making the rounds. The ones we monitored we being dropped from Word exploits.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  7. guest

    guest Guest

    UAC does not prevent the exploitation of vulnerabilities, it only prevents processes from directly gaining admin/system rights. Furthermore, if you can run a process, then it's already game over.
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    +1 what he said.
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Strange, just running a process means you're screwed? It's as if the level of user rights that UAC limits is ignored altogether.

    Although I'm pretty sure you guys meant run as admin, please don't rely on assumptions and make it clear for the readers.
     
  10. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Totally screwed: "Unfortunately, there is a lot of malware that runs with Standard User privileges. Even though it cannot corrupt the whole system, it can damage user files and spy on users." For me this is more a lot more dangerous than 'corrupting the whole system', something that can be remediated with a good backup policy.

    http://technet.microsoft.com/en-us/security/jj643316.aspx
     
  11. guest

    guest Guest

    Okay, let me clarify it a bit: In most cases that a vulnerability is being exploited an executable (like a RAT or backdoor) is started by the attacker. (This executable can be written to disk and then be executed or it is directly injected into memory.) An attacker doesn't have to gain admin/system rights in order to steal sensitive information or lock all your personal files.
     
  12. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    There are also known UAC bypasses, workarounds such as using TaskScheduler to run without UAC prompts, as well as tricks that exploit use such as launching the payload hundreds of times which cause hundreds of UAC prompts that the end user ends up accepting to get rid of the annoying popups.
     
  13. abels

    abels Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    103
    Location:
    Danang, VN
    I've just installed MBAE Premium and added Palemoon.exe to shields. Do I need to add plugin-container.exe ? ( I think It's already in rule "Mozilla Firefox (and plug-ins)")
     
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, plugin-container.exe is shielded by default in MBAE Free and Premium, no need to add a custom shield for it.

    You can verify from Process Explorer by searching for mbae.dll when Palemoon and its plugin-container.exe are running.
     
  15. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    556
    Location:
    Sonoran Desert
    I'm seeing a huge number of page faults for mbae64.exe in task manager, much more than any other process. Everything is working smoothly so there's no real problem. Just wondered if this is a known issue.
     
  16. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    About the first bypass, doesn't the attacker still need to gain admin rights beforehand? Although I'm not sure how that'll work with the default auto-elevate of Microsoft processes.
     
  17. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Both good points. I do wonder what the Avecto company has to say about this. They make it sound like UAC is the cure to almost all problems.
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, that link has been posted several times on this forum. What I mostly wonder about is how UAC would protect against exploits. Can it silently protect against it, or it will it always pop up an alert? And do exploit-kits try to bypass UAC, or are they not focused on that?
     
  21. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    I also see a large number of page faults but it has never worried me. The runner up on my system is appguard which also has a lot of page faults. I always shrugged it off as something to do with log keeping as I've yet to see any ill effects but it would be nice to get confirmation that these are expected rather than a bug.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Hi Pbust, I have been getting random crashes of my VPN software, Explorer.exe, and rundll32.exe recently. I'm using a trial version of MBAE on Windows 7X64 Ultimate SP1. Just after Windows completed booting I received a prompt from MBAE informing me I had 4 days left on my trial. I think that's how many days it was anyways. The GUI has never shown me how many days the trial has left. It use to inform me the number of days remaining on the trial in the past, but the only way I can tell now is by hovering the mouse pointer over the tray icon. Unfortunately the tray icon disappeared after Explorer.exe, and Rundll32.exe crashed. mbae.exe32, mbae64.exe, and mbae-svc.exe32 are running in the task manager so I think the protection is running even though the tray icon is missing. I think MBAE may be causing the application crashes I have been experiencing. I tried to report this at Malwarebytes forum, but my login ID is not working right now for some reason. I sent you a pm with the link to my log files. If you need any other logs then just let me know. Thank You!
     
  23. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Have you asked for a new password? If I'm not mistaken they had to reset all passwords after an attack some weeks ago.
     
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for the logs Cutting_Edgetech. The crash logs don't seem to be related to mbae in any way. Are you still getting crashes without MBAE installed?

    As for the trial, simply hover over the traybar icon and it will tell you how many days are left. Also after reboot it should tell you how many days are left in a balloon notification.
     
  25. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    vojta, I thought I changed my password after they sent out that notification, but maybe it was a different forum I changed my password for. I will send them an email if I still can't log in. Thank You!
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.