Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  2. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    You can add WinRAR to MBAE and even use the office or pdfreader if you want to be a bit stricter with WinRAR. But it won't stop this kind of vulnerability as it is not a traditional RCE. It simply changes the local file headers within the archive to show EXEs as non-EXEs. The actual operation of reading/opening of a file is the same as if you would open any other file compressed with WinRAR.
     
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,130
    Location:
    Saudi Arabia/ Pakistan
  4. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,643
    Thanks for clarifying.
    Even so, there's other vulnerability history on some archiver programs, so I stand by my conclusion.
     
  5. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    106
    I'm testing MBAE on one of my computers and I have discovered some incompatibilities (false alerts) with some programs that work by injecting (hook) a DLL into processes protected by MBAE :

    AdFender www.adfender.com
    AltDesk www.astonshell.com/altdesk/
    AutoSizer www.southbaypc.com/autosizer/
    Listary www.listary.com/
    PS Tray Factory www.pssoftlab.com/
    Quick Macros www.quickmacros.com/
    Unlocker www.emptyloop.com/unlocker/
    WindowSpace www.ntwind.com/software/windowspace.html

    I don't know exactly which of these programs are responsible of the false alerts, I will investigate by doing some tests when I will have time for that. :eek:
     
  6. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    106
    After doing some test the programs listed in my previous post seems to not being involved in the false alerts.

    Here what I get with various browsers :

    Comodo Dragon 31 portable and 36 portable (Chromium) with customized shield: false alerts and the process is terminate
    CyberDragon (Chromium) with customized shield: OK
    JonfoFox (Firefox) with default shield for Firefox: OK
    SlimBoat (Safari) with customized shield: OK
    Opera 11 and Opera 20: false alerts and the process is terminate
    SRWare Iron 36 portable (Chromium) with customized shield: false alerts and the process is terminate
    Internet Explorer 8: false alerts and the process is terminate

    The OS is Windows XP Pro SP3

    To be honest, I don't have any idea from where come the false alerts.
    The computer I used wasn't connected to internet and was checked just before with Emsisoft Emergency Kit (0 virus).
    The logs of MBAE doesn't help me... :'(
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Can you please PM me our MBAE user-data directory (ZIP of C:\ProgramData\Malwarebytes Anti-Exploit) as well as the logs from FRST @qenieautravail?
     
  8. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    106
  9. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    2,839
    those programs have remote control of windows - either resize or kick/kill access on files (like unlocker). adfender is an anti-ad filter and can manipulate websites. each one is harmless but its general behavior is not.
     
  10. genieautravail

    genieautravail Registered Member

    Joined:
    May 6, 2012
    Posts:
    106
    AdFender was my previous anti-ads software, I'm using now AdBlock Plus extension for Chrome or Opera.
    The other programs doesn't have access to internet (access blocked for them). ;)
     
  11. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    4,684
    Hi ZV,

    I haven't abandoned MBAE. I am just in another snapshot testing HMPA.
     
  12. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,717
    Location:
    Zagreb, Croatia
  13. guest

    guest Guest

    afaik the last time that zero-days were used in a blind mass attack was in 2013 when BlackHole included a Java 0day (http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html ?).

    Zero-days are normally only used in targeted attacks against for example governments, research institutions and other 'high value targets'.
    But we have seen that Flash Player patches can be reverse engineered within just a few days. So if you've not yet installed an update at that moment and you're not running any mitigation software, then you're still toast.
    And do not forget the use of malicious macro's in mass spam runs. The dropped executable should still be prevented from running with MBAE/HMPA.
     
  14. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,643
    Fabian is definitely right at least so far (nobody knows future), there haven't been many 0day exploit against home user and even in some actual case which were just copied or leaked attack from targeted attack, user could avoid them if they paid enough attention for security news as workaround were available before official patch.
    Also there's no complete alternative for patch, some vulnerability can only be blocked by patching e.g. application design flaw.
    I believe even those anti-exploit devs shouldn't over-emphasize the risk of 0day for home user. But at the same time it's true targeted attack can occur in some home user when they have a reason to be targeted, and for such rare user anti-exploit will at least put another obstacle.

    Oh, and I forgot to mention, most AV/IS have network-based IPS and this can prevent known but not patched exploit. It's not 100% but IBK confirmed most major AV can block those attack well as long as they are not highly obfuscated, though probably those 0day attack are well obfuscated.
     
  15. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,643
  16. guest

    guest Guest

    Actually, most zero-days do not employ high level of obfuscation.

    Just to name a few:
    CVE-2013-3893/CVE-2013-3897/CVE-2014-0322/CVE-2014-1815 had 0 obfuscation.
     
    Last edited by a moderator: Dec 23, 2014
  17. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    1,730
    Location:
    Hollow Earth - Telos
    MBAE Premium might be causing some Frozen Chrome Extension Icons and opening new tab problems that seem to be better after i stopped protection and started it back on again.
     
  18. WigglyTheGreat

    WigglyTheGreat Registered Member

    Joined:
    Jul 10, 2006
    Posts:
    144
    I just installed MBAE on my Surface Pro tablet running Win 8.1 Pro 64 bit. It's running so far without issue
    along with Trend Micro Internet Security 2015. Thanks
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I don't quite agree with these comments for a few reasons:
    • In the past users have been exposed to zero-days numerous times.
    • Lately users have been exposed to IE and PowerPoint zero-days for a number of days/weeks.
    • A zero-day does not give advanced early warning. By its very own definition by the time you find out about it may be too late. Who's to say users are not being infected by a zero-day as we speak? This is like saying there's no more corporate breaches like the Sony breach as nothing has been disclosed in the news today. More likely, many more companies are breached as we speak and they still don't know about it.
    • An old exploit for an old vulnerability is still a zero-day for some user or company that is not up-to-date and patched against that vulnerability.
    • Even though patching is the best approach, many a times users wait to make sure that the patch will not hose their systems (like has happened multiple times this year with Microsoft updates).
    • There is a HUGE difference between the Wilders and similar technical/security oriented users and non-technical users (i.e. the vast majority) in terms of keeping up-to-date with the latest patches.
    • Many companies simply cannot keep up-to-date with the latest patches. Many times they only have 1 or 2 opportunities per year to update endpoints and even more often their internal applications rely on heavily outdated software. In the last few months I've seen HUGE companies that still require their employees to use IE6 or Java5 for example.
    • The Flash example of the patch being reversed and in 1 week seeing the exploit integrated into Exploit Kits is for a reason: most users are affected by this. Otherwise they would not take the time to reverse the patch. We are going to be seeing much more of this type of quick turn-around from patch to exploit in the future for the very simple reason that it is effective.
    • I've seen backend stats from hacked Exploit Kits control panels and the data supports my arguments: the infection rate is VERY high from EKs. This means regular Joe Blow users (not technical Wilders users of course) are very much affected by this problem.
    • Last but not least, about 40% of the signatures that the MBAM team used to add earlier this year were for exploit-delivered malware payloads. Nowadays that number is closer to 60%.
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,130
    Location:
    Saudi Arabia/ Pakistan
    I totally agree! A non-signature bares anti-exploit tool is a must. It should be an integral part of any good Antimalware.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,247
    Don't forget EIS has a non behavior compenent in it's Behavior Blocker
     
  22. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,643
    Are you serious? Can you give us the list of that numerous 0days which attacked common home user in this or last yeah? Even part of the list you can provide soon is welcome as long as it can be regarded as numerous, but I bet you can't simply because there're not so many. I could find some, but far from numerous.
    I know and posted about IE one, but didn't know PowerPoint one also affected home user, could you give me a link? And IIRC, nether EMET nor MBAE could block this exploit previously/proactively as it was a kind of design flaw vuln so those anti-exploit needed to add protection (ASR for EMET, update for MBAE).
    There may be and would be undiscovered 0day victims, but we can't speak about them for sure, and the scenario many common home user are affected by such 0day which no security vendor/experts could find is quite unlikely at least in popular platform such as Windows. Even if it's true, I somewhat doubt anti-exploit tool really could block such stealth attack.
    These are quite valid point, but out of the scope of the discussion. Please only focus on real 0day i.e. there's no patch available, especially unknown one because for known one AV/IS can block them pretty well at least within 48h (some vender within 24h) and this is the reason MBAM don't actually scan contents files (docs, pics, movies etc.), Malwarebytes' representative himself said. But of course those known but not yet patched vulnerability are also okay because if the exploit is obfuscated, AV may fail.

    I don't disregard those serious problems, most user don't patch immediately, but then what we should first recommend to them is Secunia or UpdateChecker, not anti-exploit. And for those who postpone patching, I say and said it's still not good practice for home user (not for coporate user!) unless that patch surely causes issue, and even in that case he should apply workaround/mitigation which are often (yes, not always) available. However, I think the most important role for anti-exploit in practical context is those cases.
    Again, please focus only on common home user who won't be targeted, does Fabian mentioned about corporate user?
    Please focus only on current state and real 0day.

    Overall, the risk is not a damage, but product of possibility and damage. We all know even possibility that we come across common exploit is quite low. And when it comes to 0day, it's much less. I've heard many question "Does anyone have experience that EMET/MBAE actually saved you from exploit?" in other forums and never found positive answer. That is the real.
     
    Last edited: Dec 23, 2014
  23. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,643
    Thanks, but I wonder why they don't obfuscate it because obfuscation can be done quite easily, maybe they want to avoid being regarded as suspicious? And because, as these are 0day, anyway they won't be detected even w/out obfuscation?
     
  24. guest

    guest Guest

    Just a real world example:
    CVE-2013-3897 was not obfuscated and had a detecting rate of 20/50 on VirusTotal before the patch. Simply because of the use of a generic heap spray, although Suricata was also able to detect it based on generic rules for shellcode detection. That vulnerability was found by a certain 'Hoodie22' on jsunpack.jeek.org, at that time it was already being used for 2 weeks against japanese and korean users.
     
  25. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Your post is a complete nonsense because you insist over and over again on focusing in real world scenarios and common users and the reality is that common users DON'T UPDATE THEIR SYSTEMS. I can convince my brother to update his laptop once (rarely), but it's impossible that I get him to update every program day after day as I do. That's the real world, not the world of people who read security forums.

    You cited Secunia, here is some data from Secunia. Only five percent of computers are up to date:
    http://www.enterprisenetworkingplan...rm-Only-Five-Percent-of-PCs-Fully-Patched.htm

    One year later, less than two percent:
    http://secunia.com/blog/191-of-all-pcs-are-fully-patched-37
     
Loading...
Similar Threads
  1. XenMan
    Replies:
    10
    Views:
    1,225
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.