Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yep, not an exploit at all.
     
  2. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ ZeroVulnLabs

    Can you please answer this? I'm trying to understand the way that kernel exploits work.
     
  3. haakon

    haakon Guest

    @ pbust

    Windows 7 HP SP1 x64 - MBAE Premium 1.07.1.1015, all Advanced items checked.

    I've been using Thunderbird for a decade. It just works, so it's been a long time since I scrutinized its development and evolution.

To the best of my recollection, under the hood it's a Mozilla browser and in a default configuration will, with reckless abandon, render Web content (webmail and links and scripts embedded therein). While it's comforting to know there are no public exploits targeting Thunderbird, one might consider it is otherwise vulnerable to browser exploits and yet unknown exploits.

    I also have two Web facing browser powered apps, a QtWebKit (v5.4.2.0) RSS reader and a simple email monitor using the Microsoft HTML Viewer (mshtml.dll, ieframe.dll, iertutil.dll, et al) for rendering webmail - Browsers shields for both.

    And PDF Readers shields added for PDF-XChange Viewer and SumatraPDF.

    I have Other shields for about a dozen Internet facing apps, some of them connecting to the developer's servers, some vigorously to the major cloud services. For content as well as manual "check for updates."

Would it be correct to conclude that public exploit targeting is the primary criterion in the selection of popular applications bundled in the free version? And the shields added by users of Premium are not an exercise in futility?

    Thank you for your time.
     
  4. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
MBAE just informed me there was a new version available, and asked me if I wanted to upgrade. I chose yes. I was using 1.07.1.1015, and after upgrading it says I'm still using 1.07.1.1015. MZWriteScanner captured all this from the upgrade. MZWriteScanner captures any time an executable file is written to the disk.

    C:\Windows\Temp\mbae-setup-1.07.1.1015.exe
    C:\Windows\Temp\is-03AM6.tmp\mbae-setup-1.07.1.1015.tmp
    C:\Windows\Temp\is-BUB16.tmp\_isetup\_setup64.tmp
    C:\Windows\Temp\is-BUB16.tmp\_isetup\_shfoldr.dll
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-OM45C.tmp
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-HMA0I.tmp
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-VJO7M.tmp
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-TSS7L.tmp
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-DS8KP.tmp
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-I78OK.tmp
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-MERN4.tmp
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-5QU7P.tmp
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-LM5KD.tmp
    C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-RPOHO.tmp
    C:\Windows\Temp\UDDBD31.tmp
     

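The list above is what a write-time executable scanner sees during an installer run: most of the PE images land on disk under Inno Setup's random `is-XXXXX.tmp` names, so a detector keyed on the `.exe`/`.dll` extension would miss them. The script below is an added example for this thread (not MZWriteScanner's own code) of the content-based check such a tool relies on: it treats a file as a PE only if it has a DOS header whose `e_lfanew` points at a valid `PE\0\0` signature, reads the target architecture from `IMAGE_FILE_HEADER.Machine`, and walks a directory tree reporting every hit. The file names and byte blobs in `demo()` are constructed to mimic the temp files listed above; they are not real binaries.

```python
"""Flag files that are PE executables by content, not by extension.

Added example for this thread, not MZWriteScanner's own code. It mirrors
the idea of logging any executable written to disk regardless of its name
(note the installer's .tmp files above). Sample files are constructed.
"""
import os
import struct
import tempfile
from pathlib import Path

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != MZ:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # A truncated or bogus e_lfanew is not a PE image; reject before slicing.
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIG


def machine_of(data: bytes) -> str:
    """Target architecture from IMAGE_FILE_HEADER.Machine (caller checked is_pe)."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine))


def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk root and return (path, arch) for every file that is a PE by content."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                with open(p, "rb") as fh:
                    head = fh.read(4096)  # DOS and PE headers live in the first few KB
            except OSError:
                continue  # locked or vanished file; a real monitor would log this
            if is_pe(head):
                hits.append((p, machine_of(head)))
    return sorted(hits)


def make_fake_pe(machine: int) -> bytes:
    """Constructed minimal blob with a DOS stub and PE header (not a runnable binary)."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24)
    buf[:2] = MZ
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_SIG
    struct.pack_into("<H", buf, e_lfanew + 4, machine)
    return bytes(buf)


def demo() -> list[tuple[str, str]]:
    """Write constructed files mimicking the installer's temp files, scan, return (name, arch)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "is-OM45C.tmp").write_bytes(make_fake_pe(0x14C))      # PE hidden as .tmp
        Path(d, "_setup64.tmp").write_bytes(make_fake_pe(0x8664))     # 64-bit helper
        Path(d, "readme.txt").write_bytes(b"MZ is just text here\n")  # "MZ" but no PE sig
        Path(d, "config.ini").write_bytes(b"[Setup]\nKey=Value\n")    # plain data
        return [(os.path.basename(p), arch) for p, arch in scan_tree(d)]


if __name__ == "__main__":
    for name, arch in demo():
        print(f"{arch}\t{name}")
```

The check deliberately requires both the `MZ` magic and the `PE\0\0` signature at `e_lfanew`: a text file that happens to start with "MZ" is rejected, and so is a file too short to hold a header. A production monitor would hook the write path (a minifilter or, at least, an ETW file-create subscription) rather than walking the tree after the fact, but the header test is the same.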

  5. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Maybe I was mistaken. I just checked the last installer I have for MBAE, and it says build 1014. If build 1015 was just released today then disregard my last post. I could have sworn the build I was already using was 1015. Sorry!
     
  6. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    What's the status with MBAE and the newest versions of Tor? (4.5.3, and 5.0.3)

    As soon as I install either one I am almost always met with either BottomUp or HeapSpraying blocks. If I totally delete the folder and reinstall, it works until I restart.

    Any ideas?
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Auto-upgrade to 1.07.1.1015 was released a few hours ago.
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
Yes, that's a pretty safe assumption. Our 3-point criteria have always been the same (as explained above), so it is pretty transparent.
     
  9. Tyrizian

    Tyrizian Registered Member

    Joined:
    Apr 26, 2012
    Posts:
    2,839
Yeah, I just see these things happen way too often, either reported on the internet or with real-life friends.

    It's just best to leave Steam alone.
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    The exploit itself is just the first stage of the attack. In order to infect a machine you'll also need to download or drop something and execute it, and many times that happens via user-land APIs which offer more granular control.
     
  11. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    177
    Location:
    Czech Republic

You do realize VAC is completely unrelated to steam.exe, which is the STEAM client?
    VAC protects game binaries (and only those which opt in; not every game on STEAM uses it).

    STEAM.exe is for content delivery and execution of games / software or movie/audio playback
    (games and user-generated content), IM, chat and a browser application.
    It contains a web browser based off Chromium, which is the core of the STORE / web services.
    It has its own API (Steamworks) for other stuff too.

    There are also additional services for elevated rights.
    In short, perfect ground for target exploitation on multiple levels.

    And no, MBAE and EMET will not get you banned as far as I know.
    I had STEAM.exe on the EMET list for years, and next to crashes I've yet to see a single ban.

    Yes, I'm working for a company which released multiple games on STEAM
    and have overseen several product deliveries to customers via this distribution platform in the past 7 years.

    Anyway, don't ask me to reveal something; I'm bound by NDAs and other agreements...

    Just don't think that if you never heard about something...
     
  12. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Rasheed187,
    I'm interested in this too and have been waiting for an answer.
    In the meantime, discussion in this ancient thread started by Kees (Windows_Security)
    https://www.wilderssecurity.com/threads/anti-executables-are-useless-overtime.177597/
    is food for thought and might address what you asked. Post#20 by Herbalist is really neat.
    I'm not 100% sure it answers your last question (I'm in the learning mode), though I think it does and the answer will be Yes.
     
  13. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Which folder?
     
  14. haakon

    haakon Guest

    Thanks for the reply. I'll presume the shields added by users of Premium are not an exercise in futility as the answer to the second question. :thumb:
     
  15. reyes

    reyes Registered Member

    Joined:
    Dec 8, 2013
    Posts:
    48
    Location:
    INDIA
With the latest version of MBAE these lines aren't needed to make MBAE work with SBIE:
    InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
    InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
    Edit: Firefox 32-bit and IE are protected, but Firefox 64-bit and Pale Moon 64-bit don't seem to be protected if I remove these lines.
     


    Last edited: Jul 28, 2015
  16. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    The Tor Browser install folder. I should have clarified, if I delete that folder after I get an alert, then reinstall the program, it then works. Happens with both the new 4.5.3 and the 5.0.3 versions.
     
  17. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    I am able to replicate the issue by:

    1. Installing the Tor Browser Bundle
    2. It installs, runs, and I am able to use it as expected. I don't even have to visit any other page than the home page.
    3. Sign out of Windows or Restart.
    4. Attempt to run TBB results in "Exploit blocked by Bottom-Up ASLR Enforcement" in "Mozilla Firefox (and add-ons)."

    Very odd. Not sure why the install and first run seems to operate as expected, but then as soon as you log out of windows or restart, it blocks as soon as you attempt to open the application.

    Tried this using fresh downloads of 4.5.3 and 5.0.3, same results. Been deleting the Tor install folder using Privazer's "Delete without a trace" option.

    Any advice?
     
  18. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
I just updated to the latest Premium version of MBAE (1.07.1.1015). Does the 'General' tab of the GUI no longer show the Shields that are active? All mine shows is 'Blocked Exploit Attempts' and 'Version'.
     
  19. ky331

    ky331 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    158
    TomAZ,

    Correct, the General Tab no longer shows the # of shielded applications. This was removed because the count was somehow crashing Chrome users.
     
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    OK, so it all depends on the payload? Let's say if the dropper has system rights, then I assume the payload (banking trojan, ransomware, rootkit) also has high or system rights? So I assume it then would have to actively target other security tools who might interfere with it. So the more advanced the payload (or dropper?), the bigger the chance it might bypass security tools, correct?
     
21. Just put it on a relative's PC. What a great freebie; on an i5 CPU it loads in a blink.
     
  22. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
Cannot replicate this under Windows 7 x64. What OS, architecture and other potentially conflicting programs do you have installed that may be causing this?
     
  23. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Are you using any Firefox add-ons that don't come with Tor?
     
  24. OB1W4N5

    OB1W4N5 Registered Member

    Joined:
    Jul 27, 2015
    Posts:
    29
    Windows 8.1, 64-bit. I also have MBAM running, DNScrypt, and I do connect to a VPN as well.

    If I connect to a bridge in Tor setup, it seems to happen less.

I just now ran Tor, got the exploit pop-up, closed out, waited a few minutes, attempted to open it again and this time it connected.

    Not using any add-ons to the TBB.

    Is there a way I can submit a more detailed log?
     
    Last edited: Jul 29, 2015
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I kinda had an idea, but you explained it perfectly. :thumb:
     