Anti-exploit testing

Discussion in 'other anti-malware software' started by Windows_Security, Oct 3, 2014.

  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    [Attachment: Untitled.png]

    Exploit kits

    In terms of economy, it costs a lot of research time by highly capable hackers to develop new, unknown zero-days. Zero-days are provided as exploit kits for criminals to misuse. So you typically see that 95% of all exploits are caused by the top 20 exploits. Those criminals are skilled, but not as skilled as the innovative zero-day malware developers.

    Linkscanner
    Linkscanner was bought from Exploit Prevention Labs by AVG. Exploit Labs tried to fingerprint exploits, with the obvious rationale that the same exploit kits are used over and over again.

    Achilles heel of Linkscanner
    Newer solutions like HPMA and MBAE say that the rationale against Linkscanner is that it is relatively easy to change/obfuscate exploit kits with JavaScript, so it is a weak and rather useless defense against real hackers.

    Testing paradox
    AVG Linkscanner catches all (100%) of the exploit-kit JavaScripts I can find on the internet. The depth of this test is heavily limited by my skills to find obfuscated exploit-kit examples on live websites. The attached example should be double obfuscated to avoid ALL AV scanners, but it actually evaded only three out of six free AVs I tried.

    Food for thought
    When I am not capable of bringing myself into trouble, what is the real-world value of the "JavaScript can be easily altered, making Linkscanner useless" argument?

    Challenge

    Could the experts (e.g. the Loman brothers) test AVG Linkscanner with some self-crafted examples using exploit kits? Since Linkscanner checks JavaScript, it should be triggered by JavaScript code execution in, for instance, Chrome/Chromium.

    Thanks

    Kees
     
    Last edited: Oct 3, 2014
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Wow, I'm surprised. Any conflict with, or necessity for, Avast Web Shield, Bitdefender TrafficLight, WOT, uBlock, and FoolDNS?
     
  3. Antimalware18

    Antimalware18 Registered Member

    Joined:
    Dec 12, 2008
    Posts:
    417
    A few quick questions: I have now installed this shield in AVG Free 2015, but I left out the toolbar during the installation, and I would also like to note that my main browser is Opera. Does AVG Linkscanner still work under these two "conditions"?
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,171
    Location:
    USA
  5. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Not with uBlock. I tested BD TL, Avira and Avast to see whether detections increased. I run uBlock with anti-adblock and EasyList only. BD, Avira and Avast did not seem to add much.
     
  6. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Try the test page http://www.explabs.com/test/ . I only have Surf-Shield installed.
     
  7. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Pedro,

    I applaud MBAE making available a free solution for the general public. This action will have impact on the exploit-kit economy, since it again raises the bar for these 'script kiddies' level hackers (reducing the chance for average joe/jane to be exploited).

    I started testing AVG Linkscanner against malwaredomain with the browser's URL filtering switched off (the browser seems to block all these known URLs by itself). Next I went for trying new malware links available in other publicly available sources. Still a 100% score. Then I started hunting down samples available at hacking forums/sources: again a 100% block rate.

    What argues against my personal observation is
    1. Specialists tell and prove that those JavaScript fingerprints are tiny bits of code samples which can easily be avoided or obfuscated (like the link you posted)
    2. My search is heavily flawed by my limited access and insight into specialized hacking sources (I had a friend who worked as a malware reverse engineer, but he got a job in Singapore, so I have no access anymore to fresh samples from his honeypot).

    What argues in favor of AVG Linkscanner is that
    1. I believe business is 'the eating (hence the proof) of the pudding's quality'. Why would exploit kits be advertised as "evades AV detection, double obfuscated", et cetera? This is a strong indication that the people using these exploit kits simply lack the skills to obfuscate JavaScript code snippets against detection.
    2. When the criminals with deep hacking skills were pirating for prey on open web waters, their links should be available in the public-domain URL sources. So AVG LS not being bypassed with those public knowledge sources is a strong indication that these deep-knowledge hackers probably target companies and not the general public.

    Here is my dilemma
    I do not argue that it can't be easily evaded by experts; I heavily doubt that the type of malware criminals attacking average Joe/Jane have the skills to obfuscate/evade JavaScript. That is the reason I asked (semi-)experts/skilled hobbyists on Wilders to falsify my hypothesis by crafting a JavaScript using a publicly available exploit kit (which is not detected by Linkscanner).
     
    Last edited: Oct 4, 2014
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,171
    Location:
    USA
    The reason is mentioned by yourself: you are testing known URLs from public sources. Most companies know those public sources and have automated processes to create sigs for them as soon as they are published. The key here is to test without sigs (or old sigs) against future exploits.
     
  9. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Thanks for answering. This I can verify.

    I have just switched off AVG-Linkscanner's update and blocked the updater to go outbound.

    What time (days/weeks/months) do I have to wait to test AVG LS with old sigs against a fresh malware domain list?
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,171
    Location:
    USA
    That's not really very scientific. For one thing how do you know that the URL being blocked is really an exploit? Could have been an exploit at some previous time, for some other geo, for certain browser version, for certain plugin version, for certain IP, for certain referrer only, etc. All these techniques (and more) are used by exploit kits nowadays for evasion of researchers. Could also be that AVG is blocking the exploit by its URL blocker and not a script analysis. You'd need to verify that it is consistently serving an exploit and then test and re-test with various configurations. A good approach is to replicate the exploit in action and record it in Fiddler. Then you can easily replay the exploit at will with different configurations. Also Metasploit is your best friend for anything exploit-testing related.
     
  11. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
  12. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Well, I downloaded AVG Linkscanner 2013 (see picture 1) and did not allow it to update.

    Tested 4 pages of Malwaredomainlist for exploit kits and JavaScript exploits.

    Result: stopped 75% of all exploits (see examples in picture 2).

    If the people using exploit kits were skilled enough to adapt the JavaScript so it would not be detected anymore, Linkscanner should have failed dramatically. Yet it stopped 15 out of the 20 websites I tested.

    [Attachments: AVG_2013.png, AVG_2.png]
     
    Last edited: Oct 4, 2014
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    From my view those tools are a waste of time for most common users. Exploiting is just useful where there is money to grab (banking) or for spreading trojans in environments with money (e.g. insecure computers of employees who use USB sticks in business); grabbing and selling emails is too simple. A minor reason for me seems to be botting (zombies, botnet). All software has a security hole, either by design or by compiler. It is necessary to have a complete view in order to develop a secure environment, and not to secure or scan afterwards, if the ball has already touched the ground.

    This is just the way of making fast money with the simplicity of users: boo, the evil web.
     
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Guess I'll try it out. Never knew LinkScanner specifically targets JavaScript exploits as well.
     
  15. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Yes, I realize that, but I check all the sites at VT and do a Sucuri site check. Initially Linkscanner blocked 15 out of 20. According to the Sucuri site check, three of them were blacklisted but did not contain JavaScript payloads.

    I tested the remaining two with AVG LS 2015, EMET and MBAE and they all did not react, so there is a fair chance this website has already been cleaned up.
     
    Last edited: Oct 4, 2014
  16. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    From my view this is very real:

    https://barracudalabs.com/2014/09/s...ributed-via-widespread-malvertising-campaign/
     
  17. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Thank you, noted.
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Are you saying that both EMET and MBAE could not stop the exploit? Makes me wonder if there was a real exploit running on the site in the first place.
     
  19. FleischmannTV

    FleischmannTV Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,071
    Location:
    Germany
    The way I see it there is no exploit happening for EMET or MBAE to stop because there are no exploits happening (they possibly don't work with Chrome). Traffic scanners on the other hand detect exploit code in the traffic, no matter if the stuff can affect the browser or not.
     
  20. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    No, I doubted that it was an exploit, since it was on page 3 (the fourth page), so the owners could have taken countermeasures. Thanks for posting; I rewrote that post to make that clearer.
     
    Last edited: Oct 4, 2014
  21. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Thread recap:

    Weakness of Linkscanner-like solutions (A)
    Experts tell and show with PoCs that alterations can be made to JavaScript to obfuscate the usage of exploit kits.

    Stronghold of Linkscanner-like solutions (B)
    Research shows that 95% of the live malware intrusions are based on the twenty most used exploits. Experts tell us there are top experts crafting exploit kits (using these exploits) and selling them to lesser-skilled web criminals who use these exploit kits. Because those exploit kits are marketed as "double obfuscated" and "evades AV detection", it looks like those web criminals lack the ability to alter/obfuscate/hide these Java- and JavaScript-triggered exploit kits.

    Test-result paradox
    As said and shown in the first post, Linkscanner scored 100%. So I assumed it was my flawed access and knowledge of real-life resources and asked for help from more knowledgeable Wilders members.

    A-B test suggestion
    An expert explained that most AVs check all those 'open to public' sources every night to add them to their fingerprint or URL database. So the key was to test with old sigs. So I downloaded Linkscanner 2013, denied it going outbound, and did a quick malware-domain-only test. If A were true, Linkscanner would fail miserably; if B were true, Linkscanner would have to block a substantial percentage of the exploits.

    Result A-B test
    Linkscanner blocked 15 out of 20 JavaScript/exploit-kit-based entries of MalwareDomainList (tried the latest four pages). Since the passes happened on page 3 (the fourth page), the chance of the website owner having been informed and having taken countermeasures is plausible. Therefore I scanned the misses with the Sucuri web scan service. Three were only blacklisted and did not contain any payloads anymore.
    The two remaining did contain JavaScript triggering an exploit kit (according to the Sucuri site check). So I tested those two with updated AVG Linkscanner 2015, EMET and MBAE and they all kept quiet. Fair chance the exploit was removed or not triggered in Chrome.

    My conclusion
    Linkscanner with a 1.5-year-old database blocking a substantial percentage (90% at least) of the published JavaScript exploits builds a strong case for thesis B (most web criminals targeting the general public lack the knowledge to obfuscate the JavaScript triggering an exploit kit). So for the home user AVG Linkscanner is an extra layer to consider (since it has little impact on browser launch time and surfing speed).
     
    Last edited: Oct 4, 2014
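    The scoring approach pbust describes in post 10 (verify that a page actually serves an exploit, re-test across browser/plug-in configurations, and separate URL-reputation blocks from real script analysis) and the recap above can be expressed as a small offline scorer. The Python below is an added example written for this thread; it is not code from AVG, Malwarebytes or any poster, and every URL, configuration and result in it is constructed sample data rather than a real malware-domain entry.

```python
"""Offline scoring of a URL/script-filter test run.

Added example for the testing discussion in this thread. All records below
are constructed sample data: placeholder hostnames, two assumed browser
configurations ("chromium", "ie11") and invented filter reactions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class TestRecord:
    url: str
    config: str                     # browser/plug-in configuration used for the visit
    blocked_by: Optional[str]       # "url_reputation", "script_analysis" or None (not blocked)
    serves_exploit: Optional[bool]  # independent check (second site scan): True = exploit
                                    # script still served, False = cleaned up / blacklist
                                    # only, None = could not be verified (needs a re-test)


# Constructed sample run (assumption: six placeholder URLs, two configurations).
SAMPLE_RUN: List[TestRecord] = [
    TestRecord("A.example", "chromium", "script_analysis", True),
    TestRecord("A.example", "ie11",     "script_analysis", True),
    TestRecord("B.example", "chromium", "url_reputation",  True),
    TestRecord("B.example", "ie11",     "url_reputation",  True),
    TestRecord("C.example", "chromium", "url_reputation",  False),  # blacklisted, no payload
    TestRecord("C.example", "ie11",     "url_reputation",  False),
    TestRecord("D.example", "chromium", None,              False),  # nothing served to Chromium...
    TestRecord("D.example", "ie11",     None,              True),   # ...but a live exploit to IE11
    TestRecord("E.example", "chromium", None,              None),   # verification failed
    TestRecord("F.example", "chromium", "script_analysis", True),
    TestRecord("F.example", "ie11",     None,              True),   # missed in one configuration
]


def _rate(hits: int, total: int) -> float:
    return hits / total if total else 0.0


def naive_block_rate(records: Sequence[TestRecord]) -> float:
    """Block rate as a casual test reports it: blocked visits over all visits."""
    return _rate(sum(r.blocked_by is not None for r in records), len(records))


def verified_block_rate(records: Sequence[TestRecord], only: Optional[str] = None) -> float:
    """Block rate counting only visits where an exploit was verifiably served.

    `only` restricts credit to one mechanism, e.g. "script_analysis", which
    separates URL-reputation hits from actual script detection."""
    live = [r for r in records if r.serves_exploit is True]
    hits = sum(1 for r in live
               if r.blocked_by is not None and (only is None or r.blocked_by == only))
    return _rate(hits, len(live))


def gated_urls(records: Sequence[TestRecord]) -> List[str]:
    """URLs that served an exploit in some configurations but not in others.

    That pattern is what browser/plug-in/geo gating looks like from the outside,
    so a single-configuration verdict on these URLs proves little either way."""
    seen: Dict[str, Set[bool]] = defaultdict(set)
    for r in records:
        if r.serves_exploit is not None:
            seen[r.url].add(r.serves_exploit)
    return sorted(u for u, s in seen.items() if s == {True, False})


def unresolved_urls(records: Sequence[TestRecord]) -> List[str]:
    """URLs with at least one visit whose exploit status could not be verified;
    they belong in a re-test queue, not in the hit or miss column."""
    return sorted({r.url for r in records if r.serves_exploit is None})


def missed_live_visits(records: Sequence[TestRecord]) -> List[Tuple[str, str]]:
    """(url, config) pairs where a verified exploit was served and nothing blocked it:
    the only entries that should count as genuine misses."""
    return [(r.url, r.config) for r in records
            if r.serves_exploit is True and r.blocked_by is None]


if __name__ == "__main__":
    print(f"naive block rate:                 {naive_block_rate(SAMPLE_RUN):.0%}")
    print(f"verified block rate:              {verified_block_rate(SAMPLE_RUN):.0%}")
    print(f"verified, script analysis only:   "
          f"{verified_block_rate(SAMPLE_RUN, only='script_analysis'):.0%}")
    print(f"gated (config-dependent) URLs:    {gated_urls(SAMPLE_RUN)}")
    print(f"unresolved URLs for re-test:      {unresolved_urls(SAMPLE_RUN)}")
    print(f"genuine misses (url, config):     {missed_live_visits(SAMPLE_RUN)}")
```

    On the constructed sample the naive rate (7 of 11 visits blocked) overstates the picture in one direction, because it credits blocks on pages that no longer carry a payload, while the verified rate (5 of 7 live visits) and the script-analysis-only rate (3 of 7) show how much of the credit comes from URL reputation rather than from inspecting the script. The record-and-replay step pbust mentions fits in front of this: the filled-in `serves_exploit` and `blocked_by` fields are exactly what a replayed capture lets you establish per configuration before a visit is counted at all.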
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,171
    Location:
    USA
  23. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    Desktop setup (Win7 Ultimate)
    1. UAC set to deny elevation of unsigned binaries (e.g. Chromium)
    2. Chromium without Flash; group policy allows pdf.dll (plug-in) and uBlock (extension)
    3. Allows JavaScript from NL and COM in Chromium; AVG Linkscanner Free filters on exploits
    4. Software Restriction Policy denies basic users to execute binaries outside UAC-protected folders


    Transformer setup (Win 8.1 Home)
    1. Run as local (LUA) user with parental control
    2. Use IE11 with Adblock Plus TPL and hardened IE zone settings
    3. MBAE for anti-exploit protection, protecting browser and (Flash) plug-in
     
    Last edited: Oct 5, 2014
  24. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    A decent ad filter or HOSTS file can prevent such bad ads; not the first time.
    http://en.wikipedia.org/wiki/Hosts_(file)

    http://www.mvps.org/winhelp2002/hosts.htm
    http://www.hosts-file.net/

    My browser has an additional ad and script filter; obfuscated scripts are not allowed.

    Furthermore, whoever is acting on Pirate Bay and similar without any prevention, sorry, no mercy.

    And as vojta pointed out, even a cert cannot prevent malware. And again Comodo, as a cheap cert distributor, is involved.
     
  25. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,082
    Location:
    Netherlands
    @Brummelchen

    First: when you posted, I thought you did not think it made sense to focus on just one source of rich content. Now you post a wiki page explaining the HOSTS file (as a reply to a post of a security expert :eek:). Besides that, I completely miss your point (don't bother to explain, I am lost): do you really think that the safe browsing features of IE and Chrome won't include the "bad" URLs (it is a numbers game, with Microsoft and Google leading)?

    Secondly: unless I missed the invention of a JavaScript cloaking device :doubt:, I assume you mean by obfuscated scripts the obfuscating of code which triggers exploits in JavaScript. It would be really helpful if you showed the name and source of these intelligent script filters (at poker, I would like to see your cards).
     
    Last edited: Oct 5, 2014