New: BLADE (Block All Drive-By Download Exploits)

Discussion in 'other anti-malware software' started by hawki, Oct 8, 2010.

Thread Status:
Not open for further replies.
  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,955
    Location:
    DC Metro Area
    Researchers today will detail a software package known as Block All Drive-By Download Exploits (BLADE) that has as its main mission in life to eliminate the drive-by malware threat.


    Developed by Georgia Institute of Technology and SRI International researchers, BLADE "thwarts the ability of browser-based exploits to surreptitiously download and execute malicious content by remapping to the filesystem only those browser downloads to which a programmatically inferred user-consent is correlated, BLADE provides its protection without explicit knowledge of any exploits and is thus resilient against code obfuscation and zero-day threats that directly contribute to the pervasiveness of today's drive-by malware, " the researchers state in a paper on BLADE that will be presented at the Association for Computing Machinery's Conference on Computer and Communications Security today.

    Story here: http://www.networkworld.com/community/blog/software-aims-whack-drive-malware-threat?source=nww_rss

    BLADE Website here: http://www.blade-defender.org/
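The quoted mechanism, holding browser downloads in a secure zone and remapping only those correlated with an inferred user-consent event, can be sketched in a small model. This is an added illustration, not BLADE's own code: the event names, the five-second consent window and the sample trace are all constructed assumptions.

```python
"""Toy model of consent-correlated download remapping (BLADE-style).

Added example, not BLADE's code. Assumptions: a download "write" is only
remapped from the secure zone to the real filesystem if the same browser
process received a matching user-consent event (e.g. a Save-dialog click)
within CONSENT_WINDOW seconds before it. Everything else stays unmapped.
"""
from dataclasses import dataclass, field

CONSENT_WINDOW = 5.0  # seconds a consent click is assumed to cover a write


@dataclass
class ConsentEvent:
    t: float          # time the user clicked Save/Open
    pid: int          # browser process that showed the dialog
    filename: str     # file name the user agreed to


@dataclass
class DownloadWrite:
    t: float          # time the browser wrote the file
    pid: int
    filename: str


@dataclass
class SecureZone:
    pending: list = field(default_factory=list)    # no correlated consent
    committed: list = field(default_factory=list)  # remapped to filesystem


def correlate(consents, writes, window=CONSENT_WINDOW):
    """Commit a write only if a matching consent event precedes it within
    the window; writes without consent remain in the secure zone."""
    zone = SecureZone()
    for w in sorted(writes, key=lambda x: x.t):
        ok = any(c.pid == w.pid and c.filename == w.filename
                 and 0 <= w.t - c.t <= window for c in consents)
        (zone.committed if ok else zone.pending).append(w.filename)
    return zone


# Constructed trace: one user-initiated download, one exploit-driven drop,
# and one write whose consent is too old to count.
CONSENTS = [ConsentEvent(10.0, 4242, "report.pdf")]
WRITES = [
    DownloadWrite(12.5, 4242, "report.pdf"),  # Save clicked 2.5 s earlier
    DownloadWrite(13.0, 4242, "dropped.exe"),  # no dialog was ever shown
    DownloadWrite(40.0, 4242, "report.pdf"),  # same name, stale consent
]

if __name__ == "__main__":
    z = correlate(CONSENTS, WRITES)
    print("committed:", z.committed)        # ['report.pdf']
    print("kept in secure zone:", z.pending)  # ['dropped.exe', 'report.pdf']
```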
     
  2. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
  3. moontan

    moontan Registered Member

    Joined:
    Sep 11, 2010
    Posts:
    3,931
    Location:
    Québec
    tnx m8!

    If this works as advertised, it'll be a great tool in our arsenal. :)

    looking forward to the release.
     
    Last edited: Oct 8, 2010
  4. Morro

    Morro Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    353
    Location:
    Netherlands
    It looks very interesting indeed, and I saw that v1.0 will be a free-to-use research project.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    "Drive-by" by definition, refers to web-based attacks. What about other attack vectors where malicious executables can be triggered, such as USB, MSOffice documents, and the like?

    In their paper, the BLADE researchers write:

    BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections
    http://www.blade-defender.org/BLADE-ACM-CCS-2010.pdf

    Nothing about other possible modes of exploit.

    If these other attack vectors are not covered, then BLADE would be of limited use, IMO, where I would set up a security solution on a home system. Other products already cover installation of malicious executables by remote code from any attack vector.

    Several articles present information that is misleading, or at least confusing.

    Stopping Stealthy Downloads
    http://www.technologyreview.com/computing/24632/page1/

    However, the BLADE PDF has this:

    And in this article:

    BLADE: Hacking Away at Drive-By Downloads
    http://krebsonsecurity.com/2010/02/blade-hacking-away-at-drive-by-downloads/

    "Sandbox" has become a term (like White Listing) that needs specific description, for BLADE seems to contradict the above statement:

    It's possible that both may be correct, each using "sandboxing" in a different way.

    It will be interesting to put BLADE through a series of tests to see how it responds!

    -----
    rich
     
    Last edited: Oct 8, 2010
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    So what? 6 more months of waiting. I personally think that a product like this and Hitman Pro may be very effective and light. I was told it would be released by the end of the year. Ugh..
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    From the article:

    "The researcher noted that while BLADE is successful in thwarting drive-by download attempts, it will not prevent social engineering attacks."


    It already is a failure before it even arrives. Social attacks are the "in thing" now, it's far easier to nail people. And yes, I also agree that this "news" is a bit of a "so what?" at this point. It should have been released long, long ago.
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    100% success rate with all the drive-by download attempts tested on FF & IE isn't such a bad thing :thumb: And there's no doubt, based on that alone, it will help a lot of people out there, if they get to hear about it and then install it. As it's supposed to be a hands-off app, this should make it a no-brainer for everyone :)

    At least they appear to have come up with something nobody else has :thumb:

    I agree though, social engineering attacks via the dummy at the wheel are the weakest link, and always will be :(

    The actual release might be akin to looking forward for ages to, e.g., going to a party, which then turns out to be not what you expected :D

    But let's wait and see hey ;) I for one have been waiting to test it for some time :)
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Is this a fair criticism? No security product will prevent social engineering attacks, which, by definition, require the user's permission for the malware to install.

    The article you quoted unfortunately left out the researcher's example. See here:

    BLADE: A New Tool for Stopping Stealthy Downloads
    http://djtechnocrat.blogspot.com/2010/02/blade-new-tool-for-stopping-stealthy.html

    For those who haven't encountered Koobface, here is a typical pop-up that comes when the user is enticed to watch the video:

    [image: Koobface pop-up]


    ----
    rich
     
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Perhaps it's not a "fair criticism", no, but it does, imho, show how ineffective it will end up being. I also have an issue with "100%" claims from any individual or company. But, of course, that's marketing for you. I really don't even want to get into Facebook examples, Facebook IS malware in my eyes, and yep, completely socially engineered.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Well, you can't have it both ways!

    If you look carefully at their statement, the "100%" refers to all of the exploits they have tested to date:

    What is BLADE?
    http://www.blade-defender.org/
    That leaves open the possibility that tomorrow, something may get through, although I doubt it.

    In the BLADE PDF document I referenced above, there is one of the best, concise descriptions I've seen of the drive-by attack. It may help to explain BLADE's 100% track record so far. Some members have expressed hesitation about opening unknown PDF files from the internet, so I will quote this pertinent part, saving having to download the file:

    Taking a PDF file as one of their examples, here are some snippets of an analysis of a malicious PDF file.

    The shellcode is the set of instructions referenced above that the malware writers insert into the PDF file to tell the PDF Reader (not the browser, in this case) to call out to the internet and download a file.

    [image: blade_wepawet.gif]

    The URL for the malware is in the last box: h t tp://sitesuports.cn/load...

    Looking at the description in the PDF file of how BLADE works, it doesn't seem possible that a binary executable could run/install via a drive-by exploit, which is all that BLADE claims to prevent, and nothing more.

    Nonetheless, many are waiting to test for themselves!


    ----
    rich
     
  12. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    So, other than the fact this prevents writing to storage, what is the benefit over LUA/UAC and SRP? With LUA/UAC and SRP, the malware gets written to storage, but still can't execute, so still you don't get burned, unless you see an unknown executable and decide to go execute it with surun or something, which you would be unlikely to do.

    Also, what about scripts? From a browser, does javascript even need to get written to disk? So what would BLADE do then?

    re: social engineering. It sometimes seems we are at the point right now where you can't trust any popup or message of any kind from your browser. I often wonder if it is safe to click the close button on the window. I resisted noscript as a PITA for a long time, but it is running on my browser now.
     
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    On paper, there doesn't seem to be any, and actually, there is less benefit, IMO.

    Both offer security against binary executables, although by different methods.

    In a previous post, I suggested that BLADE is not a complete protection against all remote code execution exploits -- just the drive-by type. This, according to how I interpret the statements in their technical PDF.

    We'll just have to wait for the release of the product to put it through some tests.

    SRP blocks unwanted executables from any source: USB, for example, and not just web-based drive-by attacks.

    By definition, a binary executable is written in binary code (.exe, .dll, .sys, etc).

    A script executable (.vbs, .hta, etc.) is written in ASCII (plain text) code. BLADE does not block script executables. For example, the old LOVE worm arrived as an attachment, as a .vbs file. When the user clicked on it, the file executed.

    I understand that you can set up rules in SRP for script filetypes that would prevent a user from being able to execute a script file like that.

    Browser scripts are different, since those script files are cached (downloaded to disk) and then interpreted (executed) by the browser. Control of web-based javascript, for example, is a browser function (NoScript with Firefox, or White Listing per site in Opera).

    ----
    rich
     
    Last edited: Oct 9, 2010
  14. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Avira Premium has Drive by Protection, so I wonder how it stands up against Blade... Hmm

    Also, why not just use a sandbox and be done with it too? After all, a sandbox is going to provide the drive-by protection...
     
    Last edited: Oct 9, 2010
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    When is the thing coming out? Next year o_O :D
     
  16. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    What I like is the following at the bottom of the page.

    BLADE is funded through grants from the National Science Foundation, the U.S. Army Research Office, and the Office of Naval Research

    More U.S. taxpayers' money being spent wisely. :cautious:
     
  17. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
  18. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    Tell me about it...:D
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,950
    Location:
    USA
    The last thing I remember reading about the Blade Project was that the developers said they were too busy with other work to continue development at this time. I guess when they get done with whatever they are doing they will get back to working on Blade.
     