Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,920
    I am new to MBAE - is any kind of (harmless) test available?
     
  3. 142395

    142395 Guest

    Hi, vojta! Have you read siketa's post #1462 and his link?
    I have never denied what you said, and this is why I wrote "These are quite valid point, but out of the scope of the discussion.", "I don't disregard those serious problems, most user don't patch immediately", and "I think the most important role for anti-exploit in practical context is those cases." in #1472, but I'll apologize if what I wrote gave you a false or wrong impression, as I know my English is far from perfect, especially when it comes to nuances, shades of meaning, metaphor, colloquial expressions etc.

    What Fabian argued was not about those things, but real 0day exploits for home users. So if a simple update can prevent the exploit, it is out of scope for this discussion, so these points can't be a reason to disagree with him. See the HitmanPro.Alert thread if you have time; markloman admitted users hardly need anti-exploit when they keep up to date, though he also said it is in theory. I'm also well aware of the fact that it can't always be possible, even for us security-aware people.

    What I was somewhat shocked to hear was that Pedro's post #1469 can be interpreted, at least by me, as if there are many 0day exploits which affect common home users. It's definitely not true; well, if you define a 0day exploit as one which is already patched but users don't patch for some reason, then what he said is not necessarily wrong, but I believe that is not the common use of the word "0day exploit". If my interpretation of #1469 is completely wrong and it can't be interpreted as such in real English, sorry, it's my fault, and I'd appreciate it if anyone can point out why it is so.

    Lastly, this thing doesn't harm my trust in MBAE, but I was still somewhat shocked personally.
     
  4. 142395

    142395 Guest

    Well, though VT doesn't include IPS signatures for most products it includes, I know it doesn't matter much because most IPS sigs can only protect against known vulns.
    But what you wrote puzzles me: if generic detection or heuristics can detect 0days, even if only to some extent, attackers should employ obfuscation.
     
  5. guest

    guest Guest

    Well, when you use a separate heap spray using, for example, Flash Player, then the detection of the HTML component will be 0-5/50 and for the Flash component roughly 5/50.
    At least, that is what I experienced myself. Normally I don't really rely on AV/IDS in order to identify CVEs being exploited. Having a collection of PoCs and Google might be a better idea.
     
  7. 142395

    142395 Guest

    Well, I noticed that you mentioned just CVE numbers, so when you say obfuscation is not employed, do you mean a kind of prototype (sorry, I can't think of a better expression)?
    IOW, actual attack code using those exploits can be obfuscated?
     
  8. guest

    guest Guest

    I do not fully understand what you mean by "prototype". When I referred to those CVEs I meant the exploit code targeting a specific 0day vulnerability that would have been deployed for the very first time (the first occurrence).
    But yes, exploit code can just be obfuscated. This was, for example, used in the original CVE-2013-3163 exploit code: the first layer would have been decoded with String.fromCharCode() and after this quite some string obfuscation was being used.

    (Due to the rules of Wilderssecurity.com I'm not able to post links to original samples)
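A worked example added here (not code from the thread, from MBAE, or from the exploit mentioned above) of peeling the first layer the post describes: a small C routine that rewrites every String.fromCharCode(...) call in a captured script into the literal characters it produces, so the next obfuscation layer becomes readable. The sample script line is constructed for the demo and is not taken from the CVE-2013-3163 exploit; arguments that are expressions rather than numeric literals are refused instead of guessed.

```c
/* fromcharcode_peel.c: rewrite String.fromCharCode(...) calls into literal text.
 * Added illustration, not code from the thread or from MBAE.
 * Build: cc -std=c99 -Wall fromcharcode_peel.c && ./a.out */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample line; not a real exploit. Mimics the common first layer where
 * sensitive identifiers are assembled from character codes. */
static const char sample_js[] =
    "var s = String.fromCharCode(101,118,97,108) + \"(\" + String.fromCharCode(0x78) + \")\";";
static char scratch[256];

/* Decodes every String.fromCharCode(a, b, ...) in src into out, copying all other text
 * verbatim. Accepts decimal and 0x-prefixed hex literals (strtol base 0). Returns the
 * number of calls decoded, or -1 on a non-literal argument or an undersized buffer. */
int decode_fromcharcode(const char *src, char *out, size_t out_len)
{
    static const char needle[] = "String.fromCharCode(";
    const size_t needle_len = sizeof needle - 1;
    size_t o = 0;
    int calls = 0;
    const char *p = src;

    while (*p) {
        const char *hit = strstr(p, needle);
        size_t pre = hit ? (size_t)(hit - p) : strlen(p);   /* text before the call */
        if (o + pre + 1 > out_len) return -1;
        memcpy(out + o, p, pre);
        o += pre;
        if (!hit) break;

        const char *q = hit + needle_len;
        while (*q && *q != ')') {
            while (*q == ' ' || *q == ',') q++;
            if (*q == ')' || *q == '\0') break;
            char *end;
            long v = strtol(q, &end, 0);
            if (end == q) return -1;          /* an expression, not a literal: do not guess */
            if (o + 2 > out_len) return -1;
            out[o++] = (char)(v & 0xFF);      /* exploit scripts keep these in ASCII range */
            q = end;
        }
        if (*q == ')') q++;
        calls++;
        p = q;
    }
    out[o] = '\0';
    return calls;
}

int main(void)
{
    int n = decode_fromcharcode(sample_js, scratch, sizeof scratch);
    printf("decoded %d call(s): %s\n", n, scratch);
    return n < 0;
}
```

Run on the sample line the output is `var s = eval + "(" + x + ")";`, which is the point of the layer: the word `eval` never appears in the delivered page. Each further layer (string splitting, concatenation, custom decoders) needs its own pass; this routine only removes the one the post names.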
     
  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I find the summary from VRT for the Microsoft monthly updates to be very insightful. Many times they mention which of the patches apply to vulnerabilities which have been seen in attacks prior to the patch becoming available. There are a few entries for 0days this year: http://vrt-blog.snort.org/feeds/posts/default?alt=rss.

    Of course vendors also publish big blogs when zero-days are disclosed. The better coverage normally comes from FireEye, iSightPartners, Lastline, AlienVault, TrendMicro, Kaspersky, etc.

    Also Packetstorm has a good feed of 0day news at http://rss.packetstormsecurity.com/news/tags/zero_day/.

    But of course, as others have mentioned, the reality is that most users and companies are either not up to date or update too late, which is enough time for attackers to reverse the patch and release an exploit. This is the real problem in the real world and where the vast majority of attacks happen, with older, already patched vulnerabilities. Obviously I do agree that users who keep all their software up to date are much less at risk of being infected by an exploit, zero-day or known. But as everybody already knows, this is not the case in real life.
     
  10. 142395

    142395 Guest

    Sorry, I know "prototype" is a bad word and am sure there's a better word in English; it's my language skill limitation. :(
    But your answer is good enough for me; that is what I wanted to confirm.
    So there can be different forms of the same exploit (by "same" I mean attacking exactly the same CVE-numbered vulnerability), and one might not be obfuscated but another might be obfuscated, right?
    I don't have deep knowledge about those things, but at least if an attack is leveraged by JavaScript, there should be enough room to obfuscate the attack code.
    I thought PC Tools once mentioned a technique of splitting exploit code into 2 or more parts and later combining them.
     
  11. 142395

    142395 Guest

    I also keep checking VRT, FireEye, TM, and Kasp, though not frequently, but they are nearly all about corporate and targeted attacks (yes, TM & Kasp are also much about home users, but I'm sure when they publish an article about a 0day against home users I'll notice/find it).
    Some 0days may affect home users, but most often it was not confirmed and no such exploit kit for mass attacks was found.
    I wonder why people can't understand Fabian was talking about home users, not corporate users or targeted attacks at all, and also only talking about not-yet-patched vulns. He didn't deny what vojta or you said, unless you meant there are many (many means many) 0day exploits (in the exact and commonly used meaning) which attack common home users (not corporate users or the rare people who have a reason to be targeted).
    So IMO there's no valid reason to disagree with him; if you do, you're reading too much into what he said or expanding the discussion beyond the original one.

    The simple fact is there are not many 0day exploits against home users reported so far (still there are some, and nobody knows the future).
    Sure, there may be undiscovered 0day exploits which are ongoing and have escaped all prying eyes, but we can't speak about them for sure, and because we know nothing about them there's no guarantee that anti-exploit can or can't block them while other solutions can't. Whereof we cannot speak, thereof we must be silent.
    Yes, that's the valid point.
     
    Last edited by a moderator: Dec 26, 2014
  12. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    So, who cares if they are attacks against only corporations? I'd rather have MBAE protect me from attacks that target corporations, because you simply never know when hackers will attack home users with the same attacks that hackers use to attack corporations.
    Keep up the good job, ZVL.
     
  13. 142395

    142395 Guest

    Not only do we not know the future, but actually there are a few cases where criminals copied exploits from targeted attacks and began to attack home users.
    So finally it comes down to your way of thinking, but don't say "every home user definitely must care about 0day exploits as there are many cases!". However, it's okay to say "Home users should seriously consider adding anti-exploit, because always keeping up to date is quite hard, and though not often, sometimes 0day exploits affect even home users".
     
  14. guest

    guest Guest

    When an exploit lands on the heap, performs a stack pivot, calls a function like VirtualProtect and tries to execute shellcode, for sure it will be blocked in that situation.
    But if someone burns a TrueType font parsing 0day against you, then you're still toast. And remember: if an exploit is able to bypass EMET, it will probably also bypass the mitigations present in MBAE/HMPA. Although EMET does not contain Application Lockdown ;)

    If I have some spare time in the upcoming days, I will test MBAE with a sample of a former VUPEN 0day.
     
    Last edited by a moderator: Dec 26, 2014
  15. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    The known EMET bypasses either use CALL gadgets and/or IAT disclosed addresses.

    Both are mitigated by HMPA using hardware-assisted ROP mitigations and IAT filtering.

    Still I am confident that with enough effort, you can bypass anything.
     
    Last edited: Dec 26, 2014
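To make the two posts above concrete, here is an added simulation (not MBAE, HMPA or EMET code, and not from the thread) of the checks an anti-exploit hook can run when a critical API such as VirtualProtect is entered: a stack-pivot check against the thread's stack bounds, a caller check that requires the return address to follow an x86 CALL, and a simplified version of the hardware-assisted check, which consults the last recorded branch into the API instead of trusting the bytes on the stack. The addresses, stack bounds, code bytes and branch records are constructed for the demo; a real hook reads them from the TEB, the live module and the CPU's LBR registers. IAT filtering is not modelled.

```c
/* mitigation_sim.c: simplified model of three anti-exploit checks run when a
 * critical API such as VirtualProtect is entered. Constructed illustration; not
 * MBAE, HMPA or EMET code. Build: cc -std=c99 -Wall mitigation_sim.c && ./a.out */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

typedef struct { uintptr_t stack_limit, stack_base; } thread_info_t; /* valid sp: [limit, base) */

/* Branch kinds as a last-branch-record log would report them. */
enum branch_kind { BR_CALL, BR_RET, BR_JMP };
typedef struct { enum branch_kind kind; uintptr_t from, to; } branch_rec_t;

typedef struct {
    uintptr_t sp;                 /* stack pointer observed inside the API hook */
    const uint8_t *code;          /* bytes of the module holding the return address */
    size_t code_len;
    size_t ret_off;               /* offset of the return address inside code[] */
    const branch_rec_t *last_branch; /* most recent branch into the API; NULL if unavailable */
} call_ctx_t;

enum verdict { ALLOW = 0, BLOCK_STACK_PIVOT, BLOCK_NO_CALL, BLOCK_RET_INTO_API };

/* Check 1: stack pivot. A chain running on a heap spray leaves sp outside the thread stack. */
int stack_pivoted(const thread_info_t *ti, uintptr_t sp)
{
    return sp < ti->stack_limit || sp >= ti->stack_base;
}

/* Check 2: caller check. The return address must sit directly after an x86 CALL:
 * E8 rel32 (5 bytes), FF D0-D7 call reg (2), FF 50-57 call [reg+disp8] (3), FF 15 call [disp32] (6). */
int preceded_by_call(const uint8_t *code, size_t code_len, size_t ret_off)
{
    if (ret_off > code_len) return 0;
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8) return 1;
    if (ret_off >= 2 && code[ret_off - 2] == 0xFF && (code[ret_off - 1] & 0xF8) == 0xD0) return 1;
    if (ret_off >= 3 && code[ret_off - 3] == 0xFF && (code[ret_off - 2] & 0xF8) == 0x50) return 1;
    if (ret_off >= 6 && code[ret_off - 6] == 0xFF && code[ret_off - 5] == 0x15) return 1;
    return 0;
}

/* Check 3 (hardware-assisted, simplified): the branch that reached the API must be a CALL.
 * A ROP chain reaches it by RET even when the stacked return address passes check 2. */
enum verdict gate(const thread_info_t *ti, const call_ctx_t *cc)
{
    if (stack_pivoted(ti, cc->sp)) return BLOCK_STACK_PIVOT;
    if (!preceded_by_call(cc->code, cc->code_len, cc->ret_off)) return BLOCK_NO_CALL;
    if (cc->last_branch && cc->last_branch->kind != BR_CALL) return BLOCK_RET_INTO_API;
    return ALLOW;
}

/* Constructed bytes: offsets 1..5 are "call rel32", so offset 6 is a genuine return site. */
static const uint8_t legit_code[] = { 0x90, 0xE8, 0x10, 0x00, 0x00, 0x00, 0x8B, 0xC0, 0xC3 };
/* Constructed gadget "pop ebx; pop esp; ret": nothing before offset 2 is a CALL. */
static const uint8_t gadget_code[] = { 0x5B, 0x5C, 0xC3 };
static const thread_info_t demo_thread = { 0x00100000u, 0x00200000u }; /* constructed bounds */
static const uintptr_t api_entry = 0x7c801ad4u;                        /* constructed API address */

enum verdict run_scenario(int which)
{
    branch_rec_t via_call = { BR_CALL, 0x00401001u, api_entry };
    branch_rec_t via_ret  = { BR_RET,  0x00402002u, api_entry };
    call_ctx_t cc = { 0x00180000u, legit_code, sizeof legit_code, 6, &via_call };
    switch (which) {
    case 0: break;                                  /* benign call from real code */
    case 1: cc.sp = 0x0c0c0c0cu; break;             /* chain executing on a heap spray */
    case 2: cc.code = gadget_code; cc.code_len = sizeof gadget_code; cc.ret_off = 2; break;
    case 3: cc.last_branch = &via_ret; break;       /* CALL-preceded return site, entered by RET */
    default: return BLOCK_NO_CALL;
    }
    return gate(&demo_thread, &cc);
}

int main(void)
{
    static const char *names[] = { "ALLOW", "BLOCK_STACK_PIVOT", "BLOCK_NO_CALL", "BLOCK_RET_INTO_API" };
    for (int i = 0; i < 4; i++)
        printf("scenario %d: %s\n", i, names[run_scenario(i)]);
    return 0;
}
```

Scenario 3 is the CALL-preceded gadget case from the posts: the stacked return address legitimately follows an E8 CALL, so the caller check on its own passes, and only the branch record reveals that the API was entered by a RET. The model is deliberately narrow: it checks one branch, not a window of them, and a chain that ends in a real CALL into the API from a gadget would need the wider history that the real hardware-assisted implementations walk.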
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    The exploit does not care if you're a home user or big corporation. As an example the IE 0day found (by a 6-month old version of MBAE in an exploit-crawler) in the US Department of Labor website was theoretically targeting visitors to nuclear related content, although this is just theory as it could just be that it was hosted in a specific sub-domain that they were able to breach because they could not breach the main homepage. Regardless, with 2.8M monthly visits according to SimilarWeb, I think you'll agree that the potential of this particular 0day is not just a handful of theoretically targeted individuals or organizations.

    Looking at it from a different perspective, why utilize 0days to infect home users when older exploits are still extremely effective? I'm sure when or if older exploits stop being so effective because all or most users are always up-to-date then the situation would be different. But of course this is all just theoretical and a waste of time continuing discussing over it, just as the position that "home users shouldn't worry about 0days".

    As Erik says, with enough time, effort and dedication anything can be bypassed. Anti-exploit is about raising the bar.
     
  17. 142395

    142395 Guest

    Theoretically home users can be involved by watering hole attacks, though actually in most watering hole attacks the attacker strictly chooses victims by IP, cookie, OS version, language, installed programs, etc., because if they attack the general mass it will be found more quickly, which is disadvantageous for them. So basically it doesn't affect my conclusion, as I never said there's no chance a home user can be a victim of a 0day, but I'm saying the possibility is extremely low and there haven't been many cases found.

    However, I agree, continuing this discussion will be a waste of time, so I'll stop here. And don't misunderstand me, I'm comfortable using MBAE and don't intend to diminish its value.
     
  18. 142395

    142395 Guest

    The TTF one is a kernel exploit which can only be blocked by a patch or NIPS, of course after it became known. Originally it was a 0day, so there's almost no measure, except not using Windows (Linux with GRSecurity is one of the preferred ones in this forum) or using a VM/USB-booted OS and always restoring to the previous state, but if the attacker is aware of those (often the case in targeted attacks) he might change the attack, exploit the hypervisor (in the VM case) and theoretically might infect the victim with a BIOS rootkit...well, better to stop here.

    I'm looking forward to your test!:)
     
  19. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Just wondering, what happens when the hypervisor is exploited and then you get infected with a BIOS rootkit, then what?
    Is there any way you can protect yourself from that?
    If not, what can you do, nothing but buy a new Windows system (XP, Vista, 7, 8, 8.1, whatever Windows system you used)?
     
  20. guest

    guest Guest

    First of all: AFAIK BIOS rootkits do not exist in the wild (additional information is welcome).
    But a BIOS rootkit would make a really persistent and probably undetectable backdoor. Flashing your BIOS might be a solution in that case.
     
  21. 142395

    142395 Guest

    I'm not sure what you mean by "in the wild", but there are some actual BIOS rootkits other than Absolute Computrace.
    http://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
    http://news.drweb.com/?i=1879&c=23&lng=en&p=2
    http://securelist.com/analysis/36421/mybios-is-bios-infection-a-reality/
     
  22. 142395

    142395 Guest

    I think the hypervisor is not relevant to you, because the major VMs you can use for free are not hypervisor-based; they're host-guest type VMs. Attacks against hypervisors are more a matter for corporate environments. However, there can still be attacks against the VM itself in this type of VM too, but AFAIK no ITW attack has been reported so far.
    As to BIOS rootkits, basically the same thing as the usual security measures, but once you get infected, detection is quite hard (McAfee Deep Safe can be one possible countermeasure; another way is monitoring network traffic), and disinfection needs a BIOS flash.
     
  23. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Sorry for my English, but what do you mean by flash BIOS? Like a total re-install from zero?
     
  24. 142395

    142395 Guest

    Basically yes. Usually requires special tool.
     
  25. DX2

    DX2 Guest

    That's how you update your BIOS: by "flashing it", or installing it, or reinstalling the BIOS.
     