BLADE: New Tool for Stopping Stealthy Downloads

Discussion in 'malware problems & news' started by G1111, Feb 23, 2010.

Thread Status:
Not open for further replies.
  1. FiOS Dan

    FiOS Dan Registered Member

    Joined:
    May 24, 2006
    Posts:
    89
    Location:
    Boynton Beach. FL
    Which is why I am considering adding Sandboxie to the HIPS protection in Spyware Terminator. That should keep my PC safe.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I take this to mean you refer to the cybercriminal hosting the exploit code itself on the compromised website. This is certainly possible, so your HIPS or the like, or a Sandbox would stop the malware payload from installing, just as it would from a redirected site.

    But it's more common for cybercriminals to use simple code injection or Search Engine poisoning to redirect traffic to their website. From their own site, they can easily control and modify their exploit packages.

    Does this cover what you are thinking?

    ----
    rich
     
  3. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    This project sounds very interesting! Especially for free!

    Will it support 64-bit systems?

    It will be interesting to see how it performs on real PCs due to the fact of FalsePositives...
     
    Last edited: Mar 1, 2010
  4. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    It does indeed. Thanks very much for the information!

    I will admit that I find it striking that so many people get stung by these threats. Particularly recently, I've seen many folks I know get infected by these drive-by downloads, and it makes me wonder if the malware is being hosted locally on the compromised domains. Most of these people know better than to consent to the download, use some variety of script blocking, and keep their software up to date - so I'm forced to surmise that the familiar domains are actually dolling out the nasties.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    The most reliable solution is to keep the system locked down to prevent anything from sneaking by. But this is not always a favored solution, as BlueZannetti notes in his thread here:

    Approaches to maintaining a clean system
    https://www.wilderssecurity.com/showthread.php?t=252253
    There are always trade-offs between ease of use and security, the most recent and sensational example being the Aurora exploit against organizations. A simple Default-Deny rule in Software Restriction Policies would have blocked this 0-day exploit at the gate. However, such a restriction means that only the Administrator can install software, a situation that would make for a very unhappy workforce, as some IT personnel have told me.

    Again, it's always a trade-off between security and ease of use!

    ----
    rich
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    IE allready has this just use these reg files in this post

    https://www.wilderssecurity.com/showpost.php?p=1603237&postcount=1


    pretty tough business case to set up, when a simple registry tweak provides the same functionality. May be I should make an execytable of it and sell it, so people start to use this. Same with the icacls.exe trick on Vista and Windows7 to force drop my rights even under UAC. It does not degrade your functionality, so why not use it? May be becasue it is to easy (using something you allready paid for with the OS)
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yeah, don´t see what all the fuss is about, if I´m correct every HIPS with process/executable control is able to stop drive by downloadS, but then again, most people are not running HIPS. :rolleyes:
     
  8. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    At work, I always remind the user that their special configuration protects them from infections. In the end, they are very grateful.
     
  9. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Make an exe and put it on giveaway of the day.
     
  10. dcrowe0050

    dcrowe0050 Registered Member

    Joined:
    Sep 1, 2009
    Posts:
    378
    Location:
    NC
    Why not indeed, Kees? In my experience with some of my clients and from what I read in forums, a lot of users just plain do not want to mess with anything that does not have a shiny GUI with blinking buttons. And messing with the registry is strictly forbidden with a lot of people. But you are right, if you created an executable of that same tweak people would use it because they just want to be protected with a couple of mouse clicks. Of course if you tell a firefox user that you have a way to make IE the most secure browser and show them proof of it, they will most likely continue using Firefox simply because it is there favorite or they are used to it.
     
  11. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,063
    Location:
    New Delhi Metallo β-Lactamase 1
    @Kees
    But i guess with your registry tweaks it is nearly impossible to download exe files even with Firefox and other browsers. This has been already discussed, but i guess it was not yet solved....May be i am wrong, so please lemme know if that issue has been sorted out or not?
     
  12. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Does anyone know if this will x64 systems?

    I searched for any contact i could ask but didn't found anything...
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    RMUS,

    Thx for your always detailed and comprehensible explanations.

    There are so many options which streghten the security which are not used by default, see http://msdn.microsoft.com/en-us/library/ms537169(VS.85).aspx

    Some goodies:
    - FEATURE_OBJECT_CACHING
    - FEATURE_ZONE_ELEVATION
    - FEATURE_MIME_HANDLING
    - FEATURE_MIME_SNIFFING
    - FEATURE_WINDOW_RESTRICTIONS

    Regards Kees
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    No Chrome allows the download, only explorer blocks execution with this tweak. So I am using chrome now for this reason (which is not a punishment when you romove session ID, add click&clean, Siteadvisor for Chrome, Adsweep and Flashblock).

    To switch it on and off (for use with FF and IE) I have added reg files see https://www.wilderssecurity.com/showpost.php?p=1603237&postcount=1

    Regards Kees
     
  15. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Hm, new informations on their homepage:
    I hope that does not implicit that the final version won't be free... :doubt:

    And i hope i will be working for x64 systems.!. :doubt:
     
  16. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    New informations and a video on the homepage: http://www.blade-defender.org/

    But i am waiting for any contact or forum. I am interested in facts like: Will it run on x64 systems? And will it be free for ever?
     
  17. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    I'm sooo waiting for this.:)
     
  18. Habakuck

    Habakuck Registered Member

    Joined:
    May 24, 2009
    Posts:
    544
    Me too! :)
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @Habakuck

    Thanks for the update :thumb:

    BLADE Demo against Real-world Drive-by Download Site

    http://www.youtube.com/watch?v=9emHejh8hWE

    bl1.gif

    Several frames before you can see what appears to be Flash trying to load, so i guess the exploit might be related to that, and or Scripting running ?

    That's with IE8 running :D no mention of it's settings though. And of course no AV etc, but the test is just to show how drive bys can still penetrate in 2010 with the latest browser.

    Even if there was AV, unless it had the defs for the nasty it would still get through. I'm leaving out mentioning other types of security software which might have prevented this, as it's a browser test.

    Looking good so far, can't wait for the release to test it myself :)
     
  20. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    No, that's not how ASLR works. ASLR is what the acronym says -- it randomizes the address space of an application in memory. Some exploits require prior knowledge of the location of the heap, stack, etc. Without this knowledge the exploit is dead in the water. ASLR randomizes this address space to make it next to impossible to exploit (at least on 64 bit systems -- not so much on 32 bit). It was invented in 2001 and first implemented in OpenBSD and the Linux kernel. Microsoft jumped on board with Vista.

    ASLR is important because it can stop zero-days, whereas SRP sometimes will not if the vulnerable app is acting within its pre-defined accepted behavior.

    By the way, ASLR is available on XP with 3rd party add-ons like WehnTrust. However, unless you are using XP 64 bit, the implementation is pretty weak.
     
  21. Less

    Less Registered Member

    Joined:
    Dec 24, 2008
    Posts:
    288
    any news on the release?
    waiting .....
     
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    No news about a release as yet :( but noticed this which i didn't before :thumb:

    BLADE MALWARE URL ANALYSIS RESULTS
    NOTICE: This page is 100% auto-generated.
    Wed May 5 20:45:04 2010



    .

    http://www.blade-defender.org/eval-lab/

    See chart for full details ;)
     
  23. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Hola:
    Been watching this thread with interest.
    Took an interesting turn.

    Very good reading: a veritable Book chapter in itself. Very very nice.
    Thx to those posting.
    :thumb: :thumb:

    As an aside
    OOI IIRC, the now discontinued 'samurai' tool included all those Reg hooks that Kees mentioned. Somewhat moot now.
    Good hardening tool for XP
    Samurai is still there: http://www.turbotramp.fre3.com/
    Not sure how relevant it is now: W7 and Vista need admin rights.
    Interesting implementation.
    Some references
    https://www.wilderssecurity.com/showthread.php?t=167309
    http://gladiator-antivirus.com/forum/index.php?showtopic=49247
    http://kareldjag.over-blog.com/article-1232530.html
    http://www.brighthub.com/computing/smb-security/reviews/58646.aspx

    The "32steps.doc" file on the home page is a nice little "primer" on hardening.

    Not sure if it offers anything over whitelisting and anti .exe apps.

    **It can screw down the box so effectively that it could interfere with other "real time" apps.

    EDIT: see the post below :)
    This tool is likely ood by now: just an example of 'hardening', not really to be regarded as a current useable complete solution in any way.
     
    Last edited: May 11, 2010
  24. Samurai's hardening is decent but the HIPS component is really woefully obsolete at this point, and will not prevent most drivers from loading.
     
  25. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    Ya
    Sorry if that was not clear..see above edit :thumb:
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.