BLADE: New Tool for Stopping Stealthy Downloads

Discussion in 'malware problems & news' started by G1111, Feb 23, 2010.

Thread Status:
Not open for further replies.
  1. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    628
    Location:
    Terre Haute, IN
    Anyone hear anything regarding the available date of the Blade product? I just visited their Website but did not see any available date mentioned.

    John
     
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    The web site should be taken down. I am so sick of going to it just to see the proverbial "Coming Soon" at the top.

    It is either going to happen or not and I think the latter.:thumbd:
     
  3. jpcummins

    jpcummins Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    628
    Location:
    Terre Haute, IN
    trjam,

    I agree with you. I finally quit visiting the site as I, too, tired of seeing the "Coming Soon". Very unfortunate, as I for one sure could use such a program.

    John
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It's disappointing that the site stopped updating the Empirical Daily Evaluation on Malware URL Lists on July 3. It was a good source of information.

    ----
    rich
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @trjam and jpcummins

    I think it's a bit extreme to say it should be taken down :D Coming Soon means different things to different people. It must be sooner now than it was before :D I hope. I too want to see it released and test it and wished it was released already.

    @Rmus

    They must have heard you :D

    Fri Jul 23 18:22:27 2010

    [attached screenshots of the updated lists: pan.gif, 2.gif, ppdf.gif]
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, I see they've updated their database! Unfortunately, the PDF exploits show just the resulting file, rather than the exploit that triggers it.

    But the Exploit Kits are much more interesting. Curiously, the old MS06-014 (MDAC) exploit, patched for almost 4 years, is present in almost all of the Kits, and is still highly successful as a remote code execution (drive-by) exploit.

    This particular one is triggered by an iframe. The main page, ccc.html, has the iframe that redirects to another site that serves up the exploit according to the browser.

    [screenshot: blade_1.gif]

    These are the important files that cache:

    [screenshot: blade_0.gif]

    And the triggering of the attempted download:

    [screenshot: blade_2.gif]

    Note that whether the triggering mechanism is this old IE exploit, or a PDF plugin exploit, or the current Microsoft shortcut link exploit -- it is of no consequence if the resulting payload is a malware executable: the exploit goes nowhere with proper protection in place.

    ----
    rich
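
    The first stage of the drive-by described in the post above is a page whose only malicious content is an iframe pulling a second site, usually sized to 0x0 or 1x1 or styled invisible so the visitor never sees it. The script below is an added example, not code from the original post or from the BLADE project: it parses a constructed sample page (the hostnames under .invalid and the file names are made up for illustration) and flags every iframe that is hidden, points off-site, or both. It only covers this first redirect stage; the browser-specific exploit selection on the second site happens server-side and is not modelled here.

```python
"""Flag iframes of the kind used to launch a drive-by download.

Added example (not from the original post). It inspects the HTML of a
landing page and reports iframes that are hidden and/or point to a host
other than the page's own, which is the signature of the redirect stage
described above. Sample page and hostnames below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a landing page like "ccc.html". The banner
# iframe is legitimate; the three others are the kind a kit injects.
SAMPLE_PAGE = """<html><body>
<h1>ccc.html (constructed sample)</h1>
<iframe src="http://www.example.com/banner.html" width="468" height="60"></iframe>
<iframe src="http://exploit-kit.invalid/in.cgi?3" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://redirector.invalid/go" style="display:none"></iframe>
<iframe src="/ads/local.html" style="width:0px;height:0px"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag/attr names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dimension(value):
    """Return the leading integer of a width/height attribute, or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the iframe is sized away or styled invisible."""
    for key in ("width", "height"):
        d = _dimension(attrs.get(key))
        if d is not None and d <= 1:
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for key in ("width", "height"):
        m = re.search(key + r":(\d+)", style)
        if m and int(m.group(1)) <= 1:
            return True
    return False


def is_offsite(src, page_host):
    """True if src names a host other than the page's own host.

    Relative URLs have no host and are treated as same-site.
    """
    host = urlparse(src).hostname
    return bool(host) and host.lower() != page_host.lower()


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for every iframe worth a second look."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if is_offsite(src, page_host):
            reasons.append("off-site")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print(f"{src}: {', '.join(reasons)}")
```

    A hidden same-site iframe (the fourth one in the sample) is still reported as "hidden" only, since a compromised site can host its own redirector; the off-site check is the stronger signal but should not be relied on alone.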
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Blade refers specifically to the "drive-by download infection," or "drive-by malware infections."

    The drive-by download, as I've mentioned many times, is just one type of remote code execution exploit that comes through the browser, whether a direct browser exploit, or one triggered by a plug-in, such as a Flash or PDF plug-in. In these cases, the exploit is not against a vulnerability in the browser code; rather, the browser is just the means to start the exploit. Thus, the latest Adobe PDF exploit can work in any browser where plug-ins are enabled.

    I mention this because Blade's protection is limited to the drive-by download, and as such, I wouldn't find it so useful to install in a home, family environment. I don't know how others feel about this.

    Note that the Microsoft Advisories use the phrase, "Remote Code Execution" which covers all bases.

    Other types of remote code execution exploits include Autorun.inf files on external media (such as the Conficker worm), or opening an infected PDF/SWF or other infected media file, or infected Microsoft Office document, that has been downloaded to disk or received as an email attachment.

    My assumption is that Blade will not protect against these types of exploits, rather, just exploits that come through the browser, but you can read their PDF file and check my assumption:

    BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections
    http://www.blade-defender.org/BLADE-ACM-CCS-2010.pdf

    My assumption based on this explanation is that Blade would not protect against MS10-064, or any similar remote code execution exploit involving a vulnerable application:

    Microsoft Security Bulletin MS10-064 - Critical
    Vulnerability in Microsoft Outlook Could Allow Remote Code Execution
    http://www.microsoft.com/technet/security/Bulletin/MS10-064.mspx

    I would rather have an anti-execution product that blocked unauthorized executables from any source.

    ----
    rich
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    I get the feeling BLADE was a nice idea at the time, but as it hasn't appeared, either they have found problems with it thereby delaying the release, or it's in mothballs.

    I would have expected them to give out progress updates from time to time, but nothing ?

    The live exploits page was nice whilst it lasted, then stopped, suddenly restarted for a day last month, and hasn't moved since!

    ?
     
  9. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Have you now joined with trjam and jpcummins, CloneRanger?
    Will our patience be rewarded?
    Will asking a question answer it?
     
  10. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    I especially like the part on the bottom of the web site that says,
    BLADE is funded through grants from the National Science Foundation, the U.S. Army Research Office, and the Office of Naval Research.

    More taxpayers dollars put to good use.:cautious:
     
  11. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    We will take him.;)
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I rather enjoyed the part that says:

    ;)
     
  13. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Help, I've been taken :D

    Well, I've answered yours anyway :p
     