Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.
Yep, not an exploit at all.
Can you please answer this? I'm trying to understand the way that kernel exploits work.
Windows 7 HP SP1 x64 - MBAE Premium 1.07.1.1015, all Advanced items checked.
I've been using Thunderbird for a decade. It just works, so it's been a long time since I scrutinized its development and evolution.
To the best of my recollection, under the hood it's a Mozilla browser and in a default configuration will, with reckless abandonment, render Web content (webmail and links and scripts embedded therein). While it's comforting to know there are no public exploits targeting Thunderbird, one might consider it is otherwise vulnerable to browser exploits and yet unknown exploits.
I also have two Web facing browser powered apps, a QtWebKit (v126.96.36.199) RSS reader and a simple email monitor using the Microsoft HTML Viewer (mshtml.dll, ieframe.dll, iertutil.dll, et al) for rendering webmail - Browsers shields for both.
And PDF Readers shields added for PDF-XChange Viewer and SumatraPDF.
I have Other shields for about a dozen Internet facing apps, some of them connecting to the developer's servers, some vigorously to the major cloud services. For content as well as manual "check for updates."
Would it be correct to conclude that public exploit targeting is the primary criteria in the selection of popular applications bundled in the free version? And the shields added by users of Premium are not an exercise in futility?
Thank you for your time.
MBAE just informed me there was a new version available, and asked me if I wanted to upgrade. I chose yes. I was using 1.07.1.1015, and after upgrading it says i'm still using 1.07.1.1015. MZWriteScanner captured all this from the upgrade. MZWriteScanner captures anytime an executable file is written to the disk.
C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-OM45C.tmp
C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-HMA0I.tmp
C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-VJO7M.tmp
C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-TSS7L.tmp
C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-DS8KP.tmp
C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-I78OK.tmp
C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-MERN4.tmp
C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-5QU7P.tmp
C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-LM5KD.tmp
C:\Program Files (x86)\Malwarebytes Anti-Exploit\is-RPOHO.tmp
Maybe I was mistaken. I just checked the last installer I have for MBAE, and it says build 1014. If build 1015 was just released today then disregard my last post. I could have sworn the build I was already using was 1015. Sorry!
What's the status with MBAE and the newest versions of Tor? (4.5.3, and 5.0.3)
As soon as I install either one I am almost always met with either BottomUp or HeapSpraying blocks. If I totally delete the folder and reinstall, it works until I restart.
Auto-upgrade to 1.07.1.1015 was released a few hours ago.
Yes that's a pretty safe assumption. Our 3-point criteria has always been the same (as explained above) so it is pretty transparent.
Yeah, I just see these thing's happen way too often, either reported on the internet or real life friends.
It's just best to leave Steam alone.
The exploit itself is just the first stage of the attack. In order to infect a machine you'll also need to download or drop something and execute it, and many times that happens via user-land APIs which offer more granular control.
you do realize VAC is completely unrelated to steam.exe which is the STEAM client?
VAC protect game binaries (and only those which opt-in, not every game on STEAM use it)
STEAM.exe is for content delivery and execution of games / software or movie/audio playback
(games and user generated content), IM, chat and browser application)
it contains web browser based off Chromium which is core of the STORE / web services
it has own API (steamworks) for other stuff too
there are also additional services for elevated rights
in short perfect ground for target exploitation on multiple levels
and no MBAE, EMET will not get you banned as far I know
I had STEAM.exe on EMET list for years and next to crashes I've yet to see single ban
yes I'm working for company which released multiple games on STEAM
and overseen several products deliveries to customers via this distribution platform in past 7 years
anyway don't ask me to reveal something , I'm bound by NDAs and other agreements ...
just don't think that if you never heard about something ....
I'm interested in this too and have been waiting for an answer.
In the meantime, discussion in this ancient thread started by Kees (Windows_Security)
is food for thought and might address what you asked. Post#20 by Herbalist is really neat.
I'm not 100% sure it answers your last question (I'm in the learning mode), though I think it does and the answer will be Yes.
Thanks for the reply. I'll presume the shields added by users of Premium are not an exercise in futility as the answer to the second question.
With the latest version of MBAE these lines aren't needed to make MBAE work with SBIE
InjectDll=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.dll
InjectDll64=C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.dll
Edit: Firefox 32bit and IE are protected but firefox 64 bit Palemoon 64 bit doesn't seem to be protected if i remove these lines
The Tor Browser install folder. I should have clarified, if I delete that folder after I get an alert, then reinstall the program, it then works. Happens with both the new 4.5.3 and the 5.0.3 versions.
I am able to replicate the issue by:
1. Installing the Tor Browser Bundle
2. It installs, runs, and I am able to use it as expected. I don't even have to visit any other page than the home page.
3. Sign out of Windows or Restart.
4. Attempt to run TBB results in "Exploit blocked by Bottom-Up ASLR Enforcement" in "Mozilla Firefox (and add-ons)."
Very odd. Not sure why the install and first run seems to operate as expected, but then as soon as you log out of windows or restart, it blocks as soon as you attempt to open the application.
Tried this using fresh downloads of 4.5.3 and 5.0.3, same results. Been deleting the Tor install folder using Privazer's "Delete without a trace" option.
I just updated to the latest Premium version of MBAE (1.07.1.1015). Does the "General' Tab of the GUI no longer show the Shields that are active? All mine shows is "Blocked Exploit Attempts' and 'Version.'
Correct, the General Tab no longer shows the # of shielded applications. This was removed because the count was somehow crashing Chrome users.
OK, so it all depends on the payload? Let's say if the dropper has system rights, then I assume the payload (banking trojan, ransomware, rootkit) also has high or system rights? So I assume it then would have to actively target other security tools who might interfere with it. So the more advanced the payload (or dropper?), the bigger the chance it might bypass security tools, correct?
Just put it on a relatives PC, what a great freebie, on i5 CPU it loads in a blink
Cannot replicate this under Windows7 x64. What OS, architecture and other potential conflicting programs do you have installed that may be causing this?
Are you using any Firefox add-ons that don't come with Tor?
Windows 8.1, 64-bit. I also have MBAM running, DNScrypt, and I do connect to a VPN as well.
If I connect to a bridge in Tor setup, it seems to happen less.
I Just now ran Tor, got the exploit pop up, closed out, waited a few minutes, attempted to open it again and this time it connected.
Not using any add-ons to the TBB.
Is there a way I can submit a more detailed log?
I kinda had an idea, but you explained it perfectly.
Separate names with a comma.