Avast WEBforum

Other => General Topics => Topic started by: polonus on October 01, 2012, 12:55:03 PM

Title: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 01, 2012, 12:55:03 PM
See: http://www.zerovulnerabilitylabs.com/home/exploitshield/browser-edition/
Solution specially designed to detect attacks and exploits on Java, Internet Explorer and Flash Player. Detected all exploits of Blackhole Exploit-kit 2.0.
Can it be used next to avast (shields)?

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: SpeedyPC on October 01, 2012, 04:09:37 PM
Very interesting site polonus, as I've never heard of ExploitShield browser; however, it is still only at beta stage at the moment, so I would rather wait until the final release is available.

Thanks for sharing Pal. ;) ;D
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Asyn on October 01, 2012, 04:14:39 PM
Can it be used next to avast (shields)?

No idea. Either try it or ask them: http://www.zerovulnerabilitylabs.com/forum/ ;)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: DavidR on October 01, 2012, 04:28:58 PM
Well my thoughts can be summed up in the first paragraph of the website:
Quote
We are looking for beta testers. Active reporters will receive a complimentary license once the product is released commercially. We are interested in detection and usability testing (see below for detailed information). You can read a list of known issues. Please provide all ExploitShield testing feedback directly to us via our Support Forum.

How it works is obviously a factor in whether it is compatible or not, but I have to say I wouldn't pay for it. Since the greatest majority of the exploits in their video are JAVA, remove JAVA and a high degree of exploitation is gone. Not to mention that avast has been pretty hot on exploits, added to that the conventional network and web shields; I can't really see the requirement for this and I certainly wouldn't buy it.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 01, 2012, 05:32:18 PM
I installed it 2 days ago with No apparent issues.
Very silent. :)
Checking it out. If any issues appear I will let you all know  8)


Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 01, 2012, 06:28:59 PM
@schmidthouse

Yep, it is silently sitting there. Logs say that 46 applications are being protected; for instance VLC Media Player and Google Chrome are now protected.
Just wait and see. I'll report here about this bit of beta testing. I think this tool will be studied from front to end, as it seems a new concept from the developers.

pol
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 01, 2012, 06:34:42 PM
 ;)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 01, 2012, 07:49:24 PM
Hi schmidthouse,

Protected applications now stand at 99.
Compatible with existing antivirus and Internet security solutions.
ExploitShield Browser Edition is free for home users and non-profit organizations.

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 01, 2012, 07:56:49 PM
According to the support forum, the upgrade process has not been implemented yet.
So one will have to follow their web site RSS feeds for product updates before the "final" is released  ;) :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 01, 2012, 08:09:21 PM
99 apps  ??? :P
Any screenshot :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 01, 2012, 08:25:51 PM
Well schmidthouse, it now stands at 120. Found out that you should use supported user agents. So webbug is not supported, and Browzar is not supported either. But as I use Google Chrome and my wife uses fx, I am fine. Now running Fiddler under a browser session and will report on my findings.
See attached image.
The program works mainly on kernel level (129 functions involved); ExploitShi.exe functions as a separate component in the loader, works reading Code Identifiers in the registry, checks GetProcessImageFileNameW to establish the process status, has the OWNZ crypter aboard to catch CPU exceptions such as "access violation, illegal instruction, divide by zero etc.", and will alert on these. All in all a very interesting tool to observe... exception 0xc0000135 at 0x7c96478e found to support this assertion.

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 02, 2012, 12:01:35 AM
Known issues with this beta version according to their blog posting, posted by zork
Quote
1. Under LOGS, Export button is missing.

2. Uninstallation might not completely delete the %ProgramFiles%\ZeroVulnerabilityLabs\ExploitShield directory and contents as well as the HKLM\SOFTWARE\ZeroVulnerabilityLabs registry key.

3. When clicking on a link from a DOS mode (e.g. a game) and the default browser that opens is Internet Explorer, the link might not load.

4. ExploitShield does not run under a non-admin account under Windows XP.

5. ExploitShield runs under a non-admin account under Windows Vista/7/8 but does not show up as an icon under the traybar nor does it open its GUI.

6. After uninstalling and installing again ExploitShield will run but not protect. After uninstallation you need to perform a reboot before installing again for the ExploitShield library to be released correctly.

7. When blocking certain types of drive-by exploits empty entries in the GUI log might show up under certain circumstances.

8. The ExploitShield alert window may appear unresponsive for a few seconds. This is because exploit kits typically try a few different exploits in a row and the ExploitShield alert window is dynamic in nature and updates the "Application", "Payload" and "Attacker" information in real-time.

9. In the General tab of the interface the counter "Shielded applications" may show an incorrect or negative number under certain circumstances. A workaround solution to this is to simply exit ExploitShield and execute it again.

10. If you stop ExploitShield from the traybar icon and then open the ExploitShield interface, the color label will still show as "Running".

11. When clicking on a torrent link under Firefox (may happen with other browsers) ExploitShield shuts down unexpectedly.

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Hardtek1976 on October 02, 2012, 02:33:40 AM
Also discussed at Wilders Security. http://www.wilderssecurity.com/showthread.php?t=333127
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Asyn on October 02, 2012, 07:48:42 AM
Thanks. (The dev is active there.)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 02, 2012, 10:23:45 AM
Adding to the list:

"An instance of ExploitShield could become unstable during a SAS scan, e.g. become unresponsive". Correction: the Computer Update Routine was being protected by ExploitShield and during the following session completed the third phase. I am very satisfied by this behavior of the program, because I had some problems there.
Good that schmidthouse convinced me to test this Californian-made tool. Think I am going to like this OS kernel protection tool....

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 02, 2012, 05:33:51 PM
@Polonus, thank you very much for the information you have added.
I appreciate that :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 02, 2012, 06:30:02 PM
Checked the executable here: http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=166992&GHash=B220FA4722A44827BD4FFBB6756AC074

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 02, 2012, 07:08:46 PM
Interestingly, I am experiencing a lot more BS reactions (set to Ask) since ExploitShield has been installed. ???
And that's OK, it's just interesting to see the BS so active when previously, performing the same tasks, I hardly had any pop-ups from BS.  8)

For example:
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 02, 2012, 07:40:50 PM
Hi schmidthouse,

Yes, the last bs alert was when I opened Resource Hacker. Seems that Z is somehow enhancing or hardening.
From the logfile:
ZeroVulnerabilityLabs Loader <<INFO>> Argument
2012-10-02 10:46:23   C:\Program Files\ZeroVulnerabilityLabs\ExploitShield\ExploitShield.exe
2012-10-02 10:46:23   ZeroVulnerabilityLabs Loader <<INFO>> return TRUE  (being evaluated http://systemexplorer.net/file-database/file/loader64-exe )
2012-10-02 10:46:24   ZeroVulnerabilityLabs ExploitShield <<INFO>> Checking OS .....
2012-10-02 10:46:25   ZeroVulnerabilityLabs ExploitShield <<INFO>> Windows XXXX
2012-10-02 10:46:25   ZeroVulnerabilityLabs ExploitShield <<INFO>> Standard xxx Edition
2012-10-02 10:46:26    ExploitShield Driver is already Installed
2012-10-02 10:46:26   ZeroVulnerabilityLabs ExploitShield <<INFO>> Checking OS .....
2012-10-02 10:46:27   ZeroVulnerabilityLabs ExploitShield <<INFO>> Windows XXXXX
2012-10-02 10:46:27   ZeroVulnerabilityLabs ExploitShield <<INFO>> Standard xxx Edition
2012-10-02 10:46:31    Starting Injection with: ExploitShield.dll
2012-10-02 10:46:31   C:\Program Files\ZeroVulnerabilityLabs\ExploitShield\ExploitShield.dll
2012-10-02 11:06:07   ZeroVulnerabilityLabs ExploitShield <<INFO>> Checking OS .....
2012-10-02 11:06:07   ZeroVulnerabilityLabs ExploitShield <<INFO>> Windows XXXXXXX
2012-10-02 11:06:07   ZeroVulnerabilityLabs ExploitShield <<INFO>> Standard xXX Edition
2012-10-02 11:06:11   Google Chrome is now protected......

Interesting blog read: http://www.zerovulnerabilitylabs.com/home/blog/page/2/
See what was found in log data.dat....

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 02, 2012, 07:47:28 PM

"Seems that Z is somehow enhancing or hardening."

Exactly what I assumed. "somehow" is the interesting addition:> :D
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 04, 2012, 10:02:20 AM
What I found strange was the contents of the config.dat file, see attached image.
Worked the Chinese text found there through Google Translate and it is just a Chinese poetical text about a first annual festivity !?!
Or just a Unicode misrepresentation of the code...
What is this?
Quote
㜉 Კ 5 븯 knock, Ji-silver carp , Yang Da first birthday of a child ำ Nou ᝟ tools Ping ꚗ SHYE Hui ᨢ ꈕ  䔀 ⯪ Biao  촙 㰭  ጒ Ben 䌡 돗 h. 鿹 every ᚡ ᭫ 궭 Jiu 㔆 㽴 Cheng 떥 ἖ ∓ 뒠 zero Chan 뾳 music ㏄ ┼ 벹 ᗹ public bathhouse Yang??? Wei 꺖??? 컶 䦠 䄼 ꥼ ⡰ 䂛 읤  䘱  䡒 㯻 ঐ heave 쵈뎳 ϋ 퇋   꺈?????? 텫 Ming 䠞 ⾠ ൱ Lou  not Ⱌ ꃃ  ベtree knot 쨓 ع 곒   묙쵵  Yin 외  넍 ⷌ Tan E ± 첂 TSZ MUI 뒷꾊 ꮵ ᄫ 㓛 걭 㼢 ꉈ ꣪??? ዦ ㅠ Jie Bing 퉯 Kechuanxunzang Wu Inspectors 쟜 퐘뱏 ݨ chromium Vitex ⇓ Kazuhiko ditch ⺽ ꮲ 꼏 the [ 먍 늾뻈??? the ᦜ sound of water 㗞 Tao zinc 멒 dawn ꗄ 뜤  ь 왺 ꖽ 뙁 ㎱??? 솮 સ 㧙   ㏓ ممي Lu Zan Peng 됢틱 Tian 핔휔 Di 쵐 decrease Wei Jie ஐ mystery Dai Mo 䴳  ᫳ ȍ 띞 bamboo with thin wide leaves 䶤 㠧 traduce Qi Zhu thulium 㼜 meet unexpectedly 솈뿄 boron ் Wo 쑼푑 door of an inner 엙 Sensing 턃 for Previous ో lin 䯡 Intellect 댷 platinum 듐 stern ⃼ Wei ࣌  돾 silver carp 䢅  䦘 䁣 servant 䲓 Ṿ ❗ DetailsStyleArtist ꇧ Nie 䝊 salt shy ᩯ ꪆ  ॿ 㜼  촲 Alex ⟗ 럴 ꪚ etc. etc. 䲏 䎃    
Sys file certification through Issuer: DigiCert High Assurance CA-3, www.digicert.com, DigiCert Inc, US

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 04, 2012, 02:04:11 PM
Well, analyzed the loader executable (the loader is the full version actually) of this stand-alone application written in Borland Delphi. SetProcessDEPPolicy is being checked against default winlogon, ScDebugPrivilegeWins and v.c tools site.exe; also the active startup state is being ascertained and an Unknown Runtime check against stack corruptions. Local writes are found before being initialized, loss of data ascertained with Data Wsprint, SQuery User token and Output Debug Strings. It gets the current process, checks Xpt Filter and looks for locks and unlocks with Debugscr. Use of API hooks is disallowed for enhanced security.
See additional info here: https://www.virustotal.com/file/93b91c37f042f6a1c4a33929e804a0fdb9dfb04b4fafc042f2848453fe92ce60/analysis/1349350811/
and the analysis here: http://anubis.iseclab.org/?action=result&task_id=13fc8b69a988273c4417c8923d685549c&format=html
This last analysis gives Description Times Exception 0xc0000135 at 0x7c96478e 1. Sometimes this is used for Anti-Anubis; it was found in the crypter and the stub. OWNZ crypter being used. But the issue here is that the separate DLL was not found. https://www.virustotal.com/file/5c7114aa44eaa3295208fb86dfa6106722f7936d2ba92ee19a4cb15d4f9a0052/analysis/
But ClamAV gives a PUP warning for the dll -> http://anubis.iseclab.org/?action=result&task_id=14be0edbecfad675469658e01f0ea17bb&format=html
Aimbot-like tmp code -> regsvr32.exe /c /s .\d1.tmp.dll found; terminates the d2 process whenever they like it... spyware-like code as
Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll, reads the shell folders to the defaults.
Settings in a device control preset are used during logging, capturing, and output. Device\KsecDD 0x00390008 8 - Memory Mapped Files..
Observations given for what they are worth... later will give some additional binary txt viewer conclusions...

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: bob3160 on October 04, 2012, 03:56:30 PM
Damien,
Can you also explain this in less technical terms for those of us that are not as well versed with code as you but
are still interested in following your dissection of this new tool ???
Thanks
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: SpeedyPC on October 04, 2012, 05:08:39 PM
+1 We aren't computer wizard or a real nerd ;) ;D
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 04, 2012, 05:36:03 PM
Hi bob3160,

Well the clever thing is that the software consists of three separate parts in the software folder and is a stand-alone application protection tool for certain third-party software applications that could be vulnerable to zero-day exploits. The three parts are the shield executable, a separate shield dll and the loader executable. The one does not work without the other, so advanced security is achieved there. APIs are denied to run for security reasons. The processes that are being protected are constantly being monitored by the software against security breaches deep inside the OS on a kernel level, constantly being checked against the default situation. So when the malcode attempts to perform anything that seems like specific performance of 0-day malcode, the ExploitShield software turns red for an alert, blocks and saves logs. Some protection gets locked as it is being protected when active, meaning when the process is active. Adobe Reader is being protected, Foxit Reader, Microsoft Office applications, Windows Media Player, also VLC player, Winamp and QuickTime Player, Java, Google Chrome, Firefox and Safari browsers and of course IE. The software is MS certified. When malware tries to write onto the computer without being initialized by user intervention (typical for malware performance) it is found by the shield tool. Crypting and debugging is going on all of the time. It sits silently on the taskbar, a bit like you experienced with RUBotted. So all is constantly compared to a default situation and if not so, alarm bells should ring. In my actual section on the computer 130 applications are being shielded. Too early days to give a final verdict, but what I have seen is encouraging to try it out. Keep you all informed. You will sure like it.

Damian


Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 04, 2012, 05:47:44 PM
@SpeedyPC,

You know how difficult that really is, to "translate" and popularize technical terms? This so all can grasp what is meant, more or less. I tried to explain to you and bob what I found out so far about the inner workings of this "amazing, innovative" protection tool. I do that by firing the files up in a binary txt viewer and going through the executables and dll of the software one by one and line after line of code. All that info translated from code is further investigated with the best friend we all have online and that is Google's search. Then I give the information integrated as I find it and so slowly and surely I come to the analyzing stage I have reached. I had several years here with a lot of good friends in the forums to learn to do this. !Donovan for instance has been a very inspiring friend, and also Pondus came up with a lot of inspiring information, etc. And I also have to mention our good friend schmidthouse who through his enthusiasm made me decide to beta test the tool.
A good searcher could do many times more than the best hacker can ever achieve, remember that lesson from me. Well I hope I have explained a couple of things about this software protection tool and users will get wise by asking. I do not know all the answers, but I try.

pol
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: CraigB on October 04, 2012, 06:28:17 PM
Been using it for several hours now and all's well; it doesn't conflict with anything I have installed. Only three items protected here for me: IE, which is my main reason for this added protection tool, Media Player and Foxit, but I run my systems very light - no Java or unnecessary rubbish.

It's also running quite light at 1.2MB so other than the icon in the taskbar I don't notice it at all; it's a better (smarter) and simpler solution than EMET imo.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: bob3160 on October 05, 2012, 12:44:28 AM
Thanks for the dummy's explanation. :) It's greatly appreciated.


I can now tell every one that my computer is protected from a to Z (http://my.jetscreenshot.com/2701/m_20121004-glap-1kb.jpg) (http://my.jetscreenshot.com/2701/20121004-glap-1kb)
I've also added some M and W into the mix (http://my.jetscreenshot.com/2701/m_20121004-n10b-1kb.jpg) (http://my.jetscreenshot.com/2701/20121004-n10b-1kb)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 05, 2012, 02:26:33 AM
Fourth (4th.) day installed with not an issue.
I have also done an XP repair because of an unrelated issue and had to reinstall IE8, SP3 and 107 updates with no interference from 'Z'.
Very nice. :o ;) :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 06, 2012, 08:08:33 PM
I've been following this thread:
 http://www.zerovulnerabilitylabs.com/forum/viewtopic.php?f=2&t=51&p=183#p183 (http://www.zerovulnerabilitylabs.com/forum/viewtopic.php?f=2&t=51&p=183#p183)

And have also replicated the issue with the "Help Center".
 Z did Block and quarantine the file:OLEAUT32.dll  ???
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: CraigB on October 06, 2012, 08:50:07 PM
I noticed this yesterday but it was only blocked for me, nothing was quarantined and right clicking the tray icon and stopping the shield allowed access for help support to work - but it all works fine for me today :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 06, 2012, 08:54:01 PM
I had one occasion that ExploitShield browser started up (as I experienced through Task Manager) but did not show up in the taskbar.
After a reboot everything went back to normal. ExploitShield is the first to start up...
The log window says Opera locked, but I have no Opera installed on my OS. Could this mean another user agent is being protected?
The normal logs from the program file do not mention any Opera.

polonus

P.S. Understand Opera is just an example of what is being protected by the tool in general.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 06, 2012, 08:55:11 PM

Thanks craig.
I'm trying to ascertain if there will be noticeable issues from file being quarantined.
Not sure about some 'hanging'. ??? :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: CraigB on October 06, 2012, 09:11:12 PM
I also had one instance of ES not being visible in the task bar, polonus; I killed the process through Task Manager and restarted it and it has been fine ever since ???

schmidthouse, I have noticed a few hangs here and there and by removing WinPatrol Plus this morning they seem to have disappeared; no hangs for at least 18 hours, so I think I've solved my own hanging problems, but whether the same applies to any of the others ???

I also discovered on my other test system that if Kingsoft free AV is installed with ExploitShield, that system will freeze and stay frozen; a hard shutdown is all that worked, and I removed Kingsoft in safe mode.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 06, 2012, 09:22:01 PM
Well you know what 'hangs' are like, sometimes it can just be impatience :-\
Anyway I don't see myself uninstalling Winpatrol +.......I like it ::) ;)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: CraigB on October 06, 2012, 09:32:37 PM
I don't usually have to worry about being impatient on my systems; I can sometimes have over a hundred and twenty processes running with no slowdowns (hangs) whatsoever; it's purely conflicts causing it.

WinPatrol will go back on in time, just troubleshooting :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 06, 2012, 09:54:16 PM
Hi folks,

You know what a beta stage is for. Going over the tool to just establish what essential functionality is missing. It is bare bones we are examining now.
For bugs and fuzzing we have to consider the Borland Delphi RTL, for that is what the program dll was written in. SysUtils is needed to examine the project further.
See: http://www.delphibasics.co.uk/ByUnit.asp?Unit=SysUtils
Madcodehook is being used and unfortunately this has been misused/abused in malware/adware/spyware etc. It is Win32.hooker and sometimes flagged as PUA/PUP. That is why they stopped the commercial version of that software. This could be a nuisance on uninstall, for it could be worse than getting rid of a virus with drivers removed (so in that phase we might need essexboy, jeffc etc., but it is too early to contemplate such routines); I just go on to report what I grasp from the code, my friends. Microsoft's Detours API could be a good portable replacement if Madcodehook would give persistent problems.
Then we have a DEPProcessPolicy Chromium issue.
With
                 MITIGATION_DEP |
                 MITIGATION_DEP_NO_ATL_THUNK |
                 MITIGATION_SEHOP;
We should have
                 mitigations = MITIGATION_STRICT_HANDLE_CHECKS |
                 MITIGATION_EXTENSION_DLL_DISABLE |
                 MITIGATION_DLL_SEARCH_ORDER;

@craigb,
Read on that bug you experienced once, and I experienced this: http://borland.newsgroups.archived.at/public.delphi.rtl.win32/200711/0711282085.html
posting on newsgroup by Anders Balslev, due to an Access violation....

That is all so far,

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 07, 2012, 02:45:14 PM
On anti-malware measures taken for malcode hook:
Quote
Anti malware misuse tricks

In order to stop malware programmers from misusing madCodeHook, I've added a number of security tricks to madCodeHook 3.0:

(1) You need to sign the kernel mode drivers yourself. Most malware programmers will probably lack a valid Verisign certificate. And even if they have such a certificate, it can be revoked if it's used to create malware. And it can also be easily used as a search criterion for security applications.

(2) The driver strictly refuses to inject any dlls which were not made known to the driver at build/configuration time. This makes sure that a malware programmer can not misuse your driver to inject his own dlls.

(3) When your application tells the driver to inject a specific dll, the driver calculates a hash of your exe file and stores that together with the injection request information. The driver later only accepts a "stop injection" request from a process if the exe file has the same hash as the one which started the injection. This makes sure that a malware process can not simply hack into the application/driver communication to stop your dll from being injected.

(4) Even if you configure your driver to support being stopped (safely), a stopping request is only accepted by the driver if it was issued by the driver injection API. Stopping the driver through the normal service/driver OS APIs is blocked. Furthermore the driver accepts a stop request only if no dll injection requests are active. This should make sure that a malware process can not simply stop your driver behind your back.

quote link: http://help.madshi.net/mchInjDrv.htm  author Mathias Rauen

polonus
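The four rules quoted above describe a small access-control state machine. Here is an added Python model of that logic (not madCodeHook's or ExploitShield's own code; the SHA-256 is a stand-in for the driver's own hash, and the exe images are constructed bytes) showing which requests the driver accepts and which it refuses:

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class InjectionDriver:
    """Model of the quoted rules 2-4 (rule 1, driver signing, is out of scope).

    allowed_dlls: fixed at build/configuration time (rule 2).
    active: dll -> hash of the exe that started the injection (rule 3).
    """
    allowed_dlls: frozenset
    active: dict = field(default_factory=dict)
    running: bool = True

    @staticmethod
    def exe_hash(exe_image: bytes) -> str:
        # Stand-in for the driver hashing the requesting process's exe file.
        return hashlib.sha256(exe_image).hexdigest()

    def start_injection(self, dll: str, requester_exe: bytes) -> bool:
        # Rule 2: a dll not made known at build time is never injected.
        if not self.running or dll not in self.allowed_dlls:
            return False
        self.active[dll] = self.exe_hash(requester_exe)
        return True

    def stop_injection(self, dll: str, requester_exe: bytes) -> bool:
        # Rule 3: only the exe whose hash started the injection may stop it.
        owner = self.active.get(dll)
        if owner is None or owner != self.exe_hash(requester_exe):
            return False
        del self.active[dll]
        return True

    def stop_driver(self, via_api: bool) -> bool:
        # Rule 4: stop only through the injection API, and only when no
        # injection request is still active; service-control stops are blocked.
        if not via_api or self.active:
            return False
        self.running = False
        return True


def demo() -> dict:
    """Walk the rules with constructed exe images; returns each outcome."""
    drv = InjectionDriver(allowed_dlls=frozenset({"ExploitShield.dll"}))
    app = b"constructed bytes of the legitimate application exe"
    other = b"constructed bytes of some unrelated process exe"
    return {
        "inject_known_dll": drv.start_injection("ExploitShield.dll", app),
        "inject_unlisted_dll": drv.start_injection("unlisted.dll", other),
        "stop_from_other_process": drv.stop_injection("ExploitShield.dll", other),
        "stop_driver_while_active": drv.stop_driver(via_api=True),
        "stop_from_owner": drv.stop_injection("ExploitShield.dll", app),
        "stop_driver_via_service_api": drv.stop_driver(via_api=False),
        "stop_driver_via_injection_api": drv.stop_driver(via_api=True),
    }


if __name__ == "__main__":
    for step, accepted in demo().items():
        print(f"{step:32s} -> {'accepted' if accepted else 'refused'}")
```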
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 07, 2012, 05:59:40 PM
Sys file checks the Microsoft Boot Up Kernel, known to be vulnerable to W32.Bolzano malware and variants....
As Panda detects W32/Bolzano.5396.A and cleanses this malware (a simple file infector indeed; this is the dropper, and avast detects it as Win32:Bolzano-E, but some variants were missed by Nod32 as "probably unknown WIN32 virus"), and we deal here with two former Panda coders, I could have expected ntosklm.exe to appear in the proggie.

Yes, my good friends, we will go on with dissecting this stand-alone beta-tool,

yours truly,

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: chabbo on October 07, 2012, 11:48:19 PM
more info here

http://www.wilderssecurity.com/showthread.php?t=333127

about it.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: MrMaxaMan on October 08, 2012, 01:47:14 AM
I've been using it for the last few days, no problems so far.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 10, 2012, 06:12:02 PM
Some of our guys (Polonus maybe) probably have caught these possibilities( flaws) in getting by ES ??? :-\
Apparently fix is in next beta build.
Just interesting 8)
http://www.zerovulnerabilitylabs.com/forum/viewtopic.php?f=13&t=61 (http://www.zerovulnerabilitylabs.com/forum/viewtopic.php?f=13&t=61)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 10, 2012, 07:47:18 PM
Hi schmidthouse,

Apparently more development, testing and hardening will be necessary for this standalone tool.

For me it has been clear from the outset that this could only be an additional tool to the anti-malware tools one combines.

I have the following main formula: resident avast av with the avast shields, several on-demands (SAS, MBAM), ongoing RUBotted, in-browser security extensions (script blocker, KISS, specific ABP subscription list(s), Google Safe Browsing, Bitdefender's TrafficLight, WOT, M86 Secure Browsing, Cookie Manager, malicious script detector extension, web beacon detector extension, DNT-like extensions, etc.). Together with a good updating routine for OS and 3rd party software and additional safehex measures and "sufficient enough grains of common sense", I think browsing could be the pleasant experience it should be for everyone. So we will follow all development on Z with curiosity,

greets,

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 10, 2012, 07:50:33 PM
Yup.  ;) :)

Edited: Wish I knew more about writing 'code'. Just seems like a pretty basic work around to get by ES. I don't know ???
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 10, 2012, 11:47:49 PM
Hi schmidthouse,

Yes, fooling ExploitShield in that manner seems to be a bit elementary, to mention it politely, as that circumvention method is just bypassing a "static" detection method. Booh, klutz, ..... and the coders would say: "Oh my great grandfather's, what is this?...."
I have sent you a PM where I explain the various problems and some particulars of "improving" on coding " __CxxFrameHandler3" with dynamic linking in mind which is not being exported, building links from ExportShield.dll to other dll's, should be reading event logs, yes should be....

pol
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 22, 2012, 07:45:50 PM
I experienced a PFN_list corrupt error as ExploitShield icon did not show at start up,

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 23, 2012, 04:03:10 PM
To-day I experienced for the first time that I was NOT being protected by this stand-alone tool against a zero-day XSS attack.
Attack
htxps://serviceweb.solcon.nl/?f_user=%27%20onfocus%3Dalert%28String.fromCharCode%2888%2C83%2C83%2C63%2C32%2C87%2C104%2C97%2C116%2C39%2C115%2C32%2C116%2C104%2C97%2C116%2C63%29%29%20d%3D%27
The message was: You have been protected by
found JavaScript
     error: undefined variable document.login
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var document.login = 1;
          error: line:1: ....^
Malware Script extension alerted that I was being protected against the attack...

polonus
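The URL quoted in the post above carries its payload percent-encoded, with the alert text further hidden behind numeric String.fromCharCode arguments. Below is an added example of the detection side (it is not code from the thread, from ExploitShield, from avast or from the Malware Script extension mentioned): it percent-decodes each query parameter the way the browser would and flags the two markers seen here, an attribute break-out followed by an on...= event handler, and a String.fromCharCode call, which it decodes so an analyst can read what the payload spells. The two regexes and BENIGN_URL are my assumptions; REPORTED_URL is the one from the post, kept with its defanged htxps scheme exactly as posted.

```python
"""Constructed example: flag reflected-XSS markers in URL query parameters."""
import re
from urllib.parse import parse_qsl, urlsplit

# After percent-decoding, a quote followed by on<event>= is a value trying to
# close an HTML attribute and attach an event handler (assumed pattern).
EVENT_HANDLER = re.compile(r"""['"]\s*on[a-z]+\s*=""", re.IGNORECASE)
# Numeric String.fromCharCode(...) arguments hide the text from naive filters.
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.IGNORECASE)

# The defanged URL quoted in the post (htxps kept as posted).
REPORTED_URL = (
    "htxps://serviceweb.solcon.nl/?f_user=%27%20onfocus%3Dalert%28String.fromCharCode"
    "%2888%2C83%2C83%2C63%2C32%2C87%2C104%2C97%2C116%2C39%2C115%2C32%2C116%2C104"
    "%2C97%2C116%2C63%29%29%20d%3D%27"
)
# Constructed benign request for comparison.
BENIGN_URL = "https://example.invalid/?f_user=alice&lang=nl"


def decode_fromcharcode(arg_list):
    """Turn the comma-separated code points of a String.fromCharCode call
    into readable text, so the analyst sees what the payload spells."""
    return "".join(chr(int(n)) for n in arg_list.split(",") if n.strip())


def inspect_url(url):
    """Return a list of (parameter, marker, detail) findings for one URL."""
    findings = []
    query = urlsplit(url).query
    # parse_qsl percent-decodes the values, which is what the page sees
    for name, value in parse_qsl(query, keep_blank_values=True):
        if EVENT_HANDLER.search(value):
            findings.append((name, "event-handler-injection", value))
        for match in FROMCHARCODE.finditer(value):
            findings.append((name, "fromcharcode", decode_fromcharcode(match.group(1))))
    return findings


if __name__ == "__main__":
    for url in (REPORTED_URL, BENIGN_URL):
        print(url[:60], "->", inspect_url(url) or "clean")
```

Run as-is, the reported URL yields two findings (the event-handler break-out and the decoded fromCharCode text) and the benign URL none. A real filter would normalise further (double encoding, HTML entities, unicode escapes) before matching; the point here is that matching must happen on the decoded value, not on the raw query string.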
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 23, 2012, 08:20:31 PM
I've been watching/reading the Z forum, interested in beta .8 and how many of the wrinkles get ironed out.
Actually, it appears not overly active there at the moment. 8)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 24, 2012, 06:54:02 PM
FYI 
Quote from 'zork' : "We're actually doing a lot of improvements. We hope to have a beta2 out in the next few weeks".
Looking forward to the improvements. 8)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: ZeroVulnLabs on October 25, 2012, 10:27:06 PM
To-day I experienced for the first time that I was NOT being protected by this stand-alone tool against a zero-day XSS attack.
An explanation of which vulnerabilities ExploitShield protects against, and which it doesn't, can be found on our website's technology FAQ:
http://www.zerovulnerabilitylabs.com/home/technology/frequently-asked-questions/

Quote
Which vulnerability exploits does ExploitShield protect against?
There are many different types of vulnerabilities which can be exploited in different ways, from local to remote, from simple information disclosure through directory traversals, privilege escalation, cross-site scripting to complete system compromise via arbitrary code execution. ExploitShield protects against the most dangerous types of exploits, the ones that result in complete system compromise by running arbitrary malicious code and which are normally used by cyber criminals to infect users with financial-driven malware, botnet infections or corporate espionage malware.  ExploitShield focuses on protecting prevalent applications against attacks which result in system compromise by executing malicious code. ExploitShield will not protect against exploits which take advantage of insufficient or incorrect configuration or information disclosures, XSS, etc.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Asyn on October 25, 2012, 10:32:55 PM
Welcome to the forum..!! :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 25, 2012, 11:13:05 PM
Hi ZeroVulnLabs,

The link you give is being flagged by Bitdefender's TrafficLight as containing malware. Is this a FP?
Site has some security issues, for instance header security-> The 'X-Content-Type-Options' HTTP header if set to 'nosniff' stops the browser from guessing the MIME type via content sniffing. Without this option set there is an increased risk of cross-site scripting.

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: ZeroVulnLabs on October 26, 2012, 01:40:23 AM
The link you give is being flagged by Bitdefender's TrafficLight as containing malware. Is this a FP?
Yes, clearly an FP.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: ZeroVulnLabs on October 26, 2012, 02:38:22 AM
Here's some info on the safety of the site in case you're interested:

https://www.virustotal.com/url/121ee25b4a7b68b429310a317b6e108979a915b137249cbc207a85fe6ab72786/analysis/1351211708/
http://sitecheck.sucuri.net/results/www.zerovulnerabilitylabs.com
http://www.webutation.net/go/review/zerovulnerabilitylabs.com
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: mchain on October 26, 2012, 12:15:17 PM
Hi and welcome to the forums!
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 26, 2012, 01:38:37 PM
Given clean: http://www.quttera.com/detailed_report/www.zerovulnerabilitylabs.com
access-control-allow-origin follows best practices...

polonus
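The two header points raised in these posts (X-Content-Type-Options: nosniff, and Access-Control-Allow-Origin following best practice) are easy to check mechanically. The following is an added example, not code from avast, TrafficLight, Quttera or any other tool named here: it parses a raw HTTP/1.x response, then reports a missing or wrong nosniff value and a wildcard CORS origin, with the credentials combination called out separately. The two sample responses are constructed, and the set of checks is my choice based on the headers discussed.

```python
"""Constructed example: audit the security headers of a raw HTTP response."""


def parse_response_headers(raw_response):
    """Split a raw HTTP/1.x response into (status line, {name: value}).
    Header names are lower-cased; a repeated header keeps its last value."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        if ":" not in line:
            continue  # skip malformed lines rather than abort the audit
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def audit_headers(headers):
    """Return a list of (header, problem) findings for one response."""
    findings = []

    # Without exactly 'nosniff' the browser may guess a MIME type from the
    # body and, for example, run an uploaded "image" as script.
    xcto = headers.get("x-content-type-options")
    if xcto is None:
        findings.append(("x-content-type-options",
                         "missing; browser may MIME-sniff the body"))
    elif xcto.lower() != "nosniff":
        findings.append(("x-content-type-options",
                         "value is %r; only 'nosniff' disables sniffing" % xcto))

    # A wildcard origin is fine only for public, non-credentialed resources.
    # Combined with credentials the browser rejects the response outright,
    # which usually means the CORS policy was never tested.
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append(("access-control-allow-origin",
                         "wildcard origin together with credentials"))
    elif acao == "*":
        findings.append(("access-control-allow-origin",
                         "wildcard origin; acceptable only for public, non-credentialed resources"))
    return findings


def audit_response(raw_response):
    """Parse, then audit, one raw response."""
    _, headers = parse_response_headers(raw_response)
    return audit_headers(headers)


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "\r\n"
    "<html><body>weak</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Access-Control-Allow-Origin: https://app.example.invalid\r\n"
    "\r\n"
    "<html><body>hardened</body></html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "no findings")
```

The parser lower-cases names because HTTP header names are case-insensitive; comparing the nosniff value case-insensitively but otherwise exactly avoids passing values such as "nosniff; foo" that a browser would not honour.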
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 26, 2012, 06:57:57 PM
Yes welcome  to the forum :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 30, 2012, 05:17:00 PM
Will this be a rude awakening? http://blog.trailofbits.com/2012/10/29/ending-the-love-affair-with-exploitshield/ author Andrew Ruef

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: bob3160 on October 30, 2012, 05:39:29 PM
Excellent analysis.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on October 30, 2012, 10:43:44 PM
Excellent analysis.

Agreed.
And this is not the first analysis I've read by someone who has dissected and looked into the code in this little piece of software. :-\ :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 30, 2012, 10:59:23 PM
Hi bob3160,

And the thorough analysis of the tool also means its downfall before beta testing ended.
Circumvention could consist of an exploit dll payload starting using LoadLibraryA/W to even circumvent ExploitShield blocked APIs...

Dr Fu reports on ROP methods here in his tutorial:
http://fumalwareanalysis.blogspot.nl/2012/02/malware-analysis-tutorial-16-return.html

And by insanitybit: http://insanitybit.wordpress.com/tag/rop/

See also: http://a-twisted-world.blogspot.nl/2008/03/createprocessinternal-function.html

And this from Sebastian Kübeck on when malware started to use ROP in 2010: http://www.jroller.com/sebastianKuebeck/entry/first_exploit_using_return_oriented

Now that the obscured functioning of the ExploitShield is out in the open,
it has lost its usefulness as a protection tool against zero days.

Reading the above, everyone in the know will understand
what an incredibly powerful tool ApiSpy can be in the hands of the savvy malcreant...

There is only one way out. Only patching vulnerabilities in buggy software code will create solutions against zero days.
Security through obscurity only pays as long as obscurity lasts.

Finally again proof of the fact that when software is presented as "too good to be true", it actually is too good to be true...
ExploitShield browser has scorched feet and seems to have given away its secret..or??????

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 31, 2012, 03:27:11 PM
To say it is early days before we could come with a final verdict on this tool, see ExploitShield's reply here:
http://www.zerovulnerabilitylabs.com/home/the-objective-of-exploitshield-beta/
But with the Vista PatchGuard hack in mind, we just have to wait and see, as always the proof is in the pudding.
I'd like you to read FireEye's article: http://blog.fireeye.com/research/2012/06/bypassing-process-monitoring-.html
article authors: Michael Vincent and Abhishek Singh. (reverse-engineering of the implementation of PsSetCreateProcessNotifyRoutine in the Windows ntoskrnl.exe) Conclusion:
Quote
Bottom line: Any enterprise or consumer security suite that uses this technique for monitoring process activity can be easily circumvented—a big win for the malware authors
quote taken from above article...
So question 1. Is ExploitShield browser tool not vulnerable to such an attack?
Something of an answer can be found here: http://www.kernelmode.info/forum/viewtopic.php?f=10&t=1197#p9160  link from poster EP_X0FF* Global Moderator, leading to the conclusion that all protection on this level is being based on anti-malware hacks and security through obscurity measures.
So if protection methods are out in the open and known to malcreants nothing can protect us at kernel level.

Without IDS and file and dll whitelisting through hash and certification/identification any protection fails i.m.h.o.
So any anti malware tool should reject all that cannot be verified against a whitelist as benign beyond any doubt and that is the way to go.
The other procedure is blocking, see the great success of avast shields recently in additionally protecting our users...

pol

P.S. * EP_X0FF & others were banned later from various forums for being active in controversial activities (website attacks and malicious reverse engineering)
(-> http://greatis.com/security/Warning_Rootkit_Unhooker.htm )

D
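The post above argues for whitelisting files and dlls by hash as the only dependable basis for protection. As an added example of what that looks like in practice (not code from avast, ExploitShield or any IDS), here is a minimal SHA-256 allowlist: a baseline is recorded over a directory tree, and a later verification classifies every file as ok, modified, unlisted or missing. The directory layout, file names and contents in demo() are constructed in a temporary folder so the example runs offline.

```python
"""Constructed example: verify a directory tree against a SHA-256 allowlist."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _walk(root):
    """Yield (relative path with '/' separators, absolute path) for every file."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_allowlist(root):
    """Baseline: relative path -> sha256 for every file under root."""
    return {rel: sha256_file(full) for rel, full in _walk(root)}


def verify(root, allowlist):
    """Classify files under root as 'ok', 'modified' or 'unlisted';
    allowlisted files that are no longer present are reported 'missing'."""
    result = {}
    seen = set()
    for rel, full in _walk(root):
        seen.add(rel)
        expected = allowlist.get(rel)
        if expected is None:
            result[rel] = "unlisted"
        elif sha256_file(full) != expected:
            result[rel] = "modified"
        else:
            result[rel] = "ok"
    for rel in allowlist:
        if rel not in seen:
            result[rel] = "missing"
    return result


def _write(root, rel, data):
    """Demo helper: create rel (with '/' separators) under root."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Baseline a constructed tree, tamper with it, and return the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/app.exe", b"original binary (constructed)")
        _write(root, "bin/helper.dll", b"original dll (constructed)")
        allowlist = build_allowlist(root)
        # Simulated events after the baseline was taken:
        _write(root, "bin/helper.dll", b"patched dll")        # modified in place
        _write(root, "bin/dropped.dll", b"unknown newcomer")  # not in the allowlist
        os.remove(os.path.join(root, "bin", "app.exe"))      # removed
        return verify(root, allowlist)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print("%-10s %s" % (status, path))
```

Only the hash of a trusted baseline is stored, so the allowlist itself must be kept where the process being checked cannot rewrite it; otherwise a "modified" file can simply be re-baselined by the thing that modified it.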
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: bob3160 on October 31, 2012, 03:42:02 PM
So now we have an excellent analysis and a just as well written explanation as to the flaw in the initial analysis.
I'd like to hear what Vlk has to say. :)

 
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: mchain on November 01, 2012, 05:52:28 AM
I was running ExploitShield, but now, no more.  The reality is, mitigations built into Windows 7 and 8 natively provide some of the protection offered by ES, but sadly, XP's time has passed, and it never can be, or will be, brought up to the level of security provided by the newer OS's.

I did have a spot of trouble uninstalling ES.  There was a hang in TMP folders used at the end of the uninstall process that could not be terminated any other way than by Task Manager. 

(See attached .jpg below)

Two separate processes stopped running, _ui14D2N.tmp and unins000.exe.  This happened even though I granted permission for both to run through Online Armor.  Killing _ui14D2N.tmp did close the other process normally.  I also used CCleaner to remove registry keys obviously related to ES, but no other keys were deleted. 

So, no system damage was done as far as I can tell atm.

Disappointed a little bit here, but, thanks to Polonus, it may be that ES is not all that, and never will be.  Only the passage of time will tell, but I am sure this type of thing has happened many times before, as many start-up vendors will have to fail before one actually succeeds.

An additional note:  It was very easy to kill the ExploitShield.exe process just by exiting the Z icon in the system tray.  Whether this was by design or not, it would seem that some hardening of the running process would need to be made to ensure that it would continue to run in case a system was attacked by malware designed to stop this process.

Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on November 01, 2012, 06:50:01 PM
Discovering more in the executable of ExploitShield: the fp_opendev kernel service can be called from the process environment only.
Return value: 0    Indicates a successful operation.
Specifies the major and minor device number of device driver to open...
More to come on kernel extensions there.
It is too early as I said to give a final verdict, we have to wait what comes after its beta.

First I will go on with the "infosquitoing" on this tool
Mchain, "_ui14d2N.tmp has encountered a problem" is an error one also gets from Gen:Variant.Tdss.14 malcode..

Errors also with __CxxFrameHandler3 in dynamic link library & crt_debugger_hook throwing exception.....

I have reason to believe the developers used some form of kernel level trap handler performing kernel level diagnostics....

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on November 01, 2012, 11:04:29 PM
Thanks for the PM Polonus.
I'm not sure yet what to think about these analyses, but I am interested in testing the next beta version before I conclude anything. ;) :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: bob3160 on November 02, 2012, 12:40:18 AM
Thanks for the PM Polonus.
I'm not sure yet what to think about these analyses, but I am interested in testing the next beta version before I conclude anything. ;) :)
I'd appreciate a link to the download of the next beta when it's released. :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on November 02, 2012, 03:39:45 PM
Hi bob3160 and schmidthouse, mchain and others,

I did some further inspection of the exploitshield executable and exploitshield.dll and my findings I have attached to this posting.
There seems indeed some new examples of secure bypass code and particular safer registry settings implemented by this tool and dll.
They come from new recent coding practices.
From the code I analyzed it can be deduced that the developers had a background in coding Minecraft and borrowed from that experience.
They also could have studied the so-called BundesPolizei trojan intensively as we find identical code snippets.
Those interested in my evaluation should look at the attached file...

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: DavidR on November 02, 2012, 03:45:10 PM
I have to admit I'm always very wary of products like this that purport to effectively end all exploits.

Easy to be wise after the fact also, but I have been following this with interest, but I didn't download or install it.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Asyn on November 02, 2012, 09:44:56 PM
Those interested in my evaluation should look at the attached file...

polonus

Thanks pol. :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on November 02, 2012, 11:02:26 PM
Hi DavidR,

This convinced me at least to keep it on for the time of the beta testing period and to be able to analyze it thoroughly: http://www.backgroundtask.eu/Systeemtaken/Taakinfo/166992/ExploitShield.exe/B220FA4722A44827BD4FFBB6756AC074/

Have to also discuss this analysis: http://www.threatexpert.com/report.aspx?md5=3b60d306de299716f17eeb748b5c9886
The tool has CRYPTO/RSA  files. These files contain data for the MS Crypto Service Provider. Mostly public/private key information.
The part of the path after RSA is the user SID the keys were generated for. Only that user (or an Admin) has access to the files.
This has been recently  moved out of registry to the file system - private key data presented as a crypto blob etc.
LEGACY_PROTECTORDRIVER, the Plug and Play ID for this device is ROOT\LEGACY_PROTECTORDRIVER\0000 has not been made available due to issues.

Mutex a hack like mchMixCache$1001eed8$114 and with mchMixCache$1001eed8$114 these mutexes are used to mark the presence thereof in the program,
some of the mutexes the tool shares with trojanfakealert mutexes (compare with http://www.threatexpert.com/report.aspx?md5=e756229b82ac683d1e9e5bc05b217910  and mutexes given there)

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on November 02, 2012, 11:10:49 PM
Thanks for the PM Polonus.
I'm not sure yet what to think about these analyses, but I am interested in testing the next beta version before I conclude anything. ;) :)
I'd appreciate a link to the download of the next beta when it's released. :)

Absolutely Bob. I know as Polonus has mentioned he also is continuing to use this software as I am and will certainly provide the relevant link when it appears (or someone else who has been testing it may also post it).  ;) :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on November 02, 2012, 11:15:13 PM
@ Polonus
Do you have any direction for the safe/effective 'uninstalling' of ES for when one wishes to do so, given some problems mentioned earlier in this thread??
Thank you 8)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on November 03, 2012, 12:02:17 AM
Hi schmidthouse,

I would stop the process in Task Manager and then uninstall it via the Windows configuration for deleting programs.
In my opinion that seems the best option. Then you could run freefixer to see whether there are remnants left.
Download freefixer from here: http://www.freefixer.com/static/freefixersetup.exe

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on November 03, 2012, 12:12:21 AM
Thanks Polonus.  :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: mchain on November 03, 2012, 05:24:46 AM
As I am now scanning for possible Gen:Variant.Tdss14 files, this post will be updated when that is done.

I did kill ExploitShield.exe process before I attempted to uninstall via Add/Remove:  I did not use Revo Uninstaller for the very reasons listed above.
An additional note:  It was very easy to kill the ExploitShield.exe process just by exiting the Z icon in the system tray.  Whether this was by design or not, it would seem that some hardening of the running process would need to be made to ensure that it would continue to run in case a system was attacked by malware designed to stop this process.
Also found a registry key (invalid) pointing to _ui14D2N.tmp found by CCleaner, removed that as well today.

As I am doing an extended search (hidden files/hidden folders) (edit: also system files and folders) for files listed here, it is going to take a bit of time:  http://v.tw.virscan.org/Gen:Variant.Tdss.14.html

EDIT:  Yes, virSCAN scan dates are 04/18/2010.  No detections by Avast! at that time.

Will report back when search is complete.

EDIT:  As MSASCui.exe is a process run by Windows Defender, it is present in certain logs.  No other files were found.

More recent detections here:  https://www.virustotal.com/file/8850adafa94ed654693ddad951668b668536033d74c5089498f7914700e3872f/analysis/

Pol, thanks for the software link.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: ZeroVulnLabs on November 04, 2012, 05:06:47 AM
Wow, lots of activity since my last post. Some clarifications on the trailofbits and other bypass analyses of ExploitShield:

1- There are 2 main parts of ExploitShield: interception and exploit detection algorithms. The objective of beta1 is to prove that the exploit detection algorithms work as expected against exploits in the wild. So we did the interception quickly in user-land so we can prove the concept of ExploitShield in the wild. From what we are seeing every day the exploit detection algorithms work. And they work very well. People however are concentrating on trash-talking and getting publicity by bypassing the interception, which (a) is not important now and (b) will be re-done as it should in a future beta and before final release. So rest assured in a future beta all those "issues" will be fixed. Right now we are not concentrating on that part simply because it's not time for it yet.

2- Software will ALWAYS be able to be bypassed. The same or similar techniques that everybody is using to rant about ExploitShield can be used to bypass pretty much any antivirus or any security software. If someone publicizes some bypass technique that's all good and dandy, but most of the bypass techniques that are discovered never get used by malware because they rarely target a single product. That's why a layered approach is always more beneficial.

3- Even in its infancy ExploitShield is able to protect against all exploits which we have tested against, which are quite a few (over 5000 unique in-the-wild exploit kit URLs from all types of kits as well as hundreds of canned exploits).

4- Even though Win7/8 and EMET offer some exploit mitigation, ExploitShield uses completely different techniques. So it's possible that an exploit that bypasses EMET in the future will be caught by ExploitShield.

5- ExploitShield is still beta1 and there are more beta versions to come before final release. Things like interception, uninstaller, etc. are still being worked on.


PS: is there a way to get notified from the forum for replies to a thread? There doesn't seem to be a configuration option for that in this forum. Never mind, found it.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: luisx on November 04, 2012, 01:47:27 PM
I thought this was an Avast forum
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on November 04, 2012, 02:12:08 PM
@ZeroVulnLabs,

Thanks for this reply. I think you will appreciate the serious way in which we started to dissect the first beta of Exploit Shield Browser Tool. What you tell me is no surprise as that was what I also gathered from background info EP_X0FF provided about kernel level protection tools and the way they are being "brewed".
I think it is even better when developers will have this info at an early beta stage to harden the tool better in various ways.
I think tools like this could have a place in layered defense next to a resident av solution like avast in this case. It is good it is a stand alone and a fine addition as it can prove itself in the anti-malware arena. It should always come in combination with safe practices like having EMET, working a normal user account and likewise procedures. I hope it does not end as a wallflower tool like RUBotted or SpywareBlaster....

@luisx
This is the general section of the avast forum. Why cannot we discuss standalone tools that come supportive of and are hardening our resident av solution of choice: avast? In your opinion nothing outside avast can be discussed in extension? Do you think about avast like symantec's that took everything aboard and became unworkable for some for that very reason?

@mchain,  _ui14D2N.tmp is a URLSearchHook leftover ...the clean up tool did not do the full job here...
Did you send that _ui14D2N.tmp to virus AT avast dot com to be checked?

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Asyn on November 04, 2012, 02:29:21 PM
I thought this was an Avast forum

It is. If you're not interested in further security related discussions, just ignore them. ;)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on November 04, 2012, 03:14:50 PM
Some questions about the tool?
Is the tool robust against 'instruction re-ordering'?
Does it care about the order of instructions?
Is it also robust against 'junk-instruction insertion' and against 'instruction replacement'?
Does this also count when 'most frequently used' instructions are being replaced,
for example by other instructions?
Is it also robust against 'register renaming' and 'memory re-ordering/location'?
Are these being considered or not? Are these locations readable or not?
Can they be inserted by junk code? What locations are reachable at run-time?
Does the disassembly algorithm apply recursive traversal, which is robust to this
kind of obfuscation?
Some proposed methods: http://www.stanford.edu/~stinson/paper_notes/stat_anal/obfus_bins.txt (notes on the article by Linn and Debray (AZ), CCS 2003)

If we can have some positive answers here to the above questions,
we could have landed at a tool that can detect almost all exploit code...

polonus
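The question above, whether the disassembly uses recursive traversal and is therefore robust to junk-instruction insertion, is worth seeing concretely. Here is an added example (not from the thread, from ExploitShield, or from the Linn and Debray paper) on a toy instruction set I invented for the purpose: a linear sweep decodes bytes front to back and is thrown off by one junk byte placed after an unconditional jump, while a recursive traversal follows control flow from the entry point and never decodes the byte no path reaches. Opcodes, lengths and the sample byte string are all constructed.

```python
"""Constructed example: linear-sweep vs recursive-traversal disassembly."""

# Toy ISA (constructed, not any real architecture): opcode -> (mnemonic, length)
OPCODES = {
    0x01: ("NOP", 1),
    0x02: ("JMP", 2),   # unconditional; signed 8-bit offset from the next pc
    0x03: ("JZ", 2),    # conditional; same encoding, falls through as well
    0x04: ("MOV", 3),   # two immediate operand bytes
    0x05: ("RET", 1),
}


def signed8(byte):
    """Interpret one byte as a two's-complement offset."""
    return byte - 256 if byte > 127 else byte


def decode(code, pc):
    """Decode one instruction at pc -> (mnemonic, length, successor pcs).
    Unknown opcodes and truncated instructions decode as a 1-byte DB."""
    op = code[pc]
    if op not in OPCODES or pc + OPCODES[op][1] > len(code):
        return "DB", 1, [pc + 1]
    mnem, length = OPCODES[op]
    nxt = pc + length
    if mnem == "JMP":
        return mnem, length, [nxt + signed8(code[pc + 1])]
    if mnem == "JZ":
        return mnem, length, [nxt, nxt + signed8(code[pc + 1])]
    if mnem == "RET":
        return mnem, length, []
    return mnem, length, [nxt]


def linear_sweep(code):
    """Decode front to back without skipping anything: a junk byte after an
    unconditional jump desynchronises every instruction that follows it."""
    listing, pc = {}, 0
    while pc < len(code):
        mnem, length, _ = decode(code, pc)
        listing[pc] = mnem
        pc += length
    return listing


def recursive_traversal(code, entry=0):
    """Follow control flow from entry; bytes no path reaches stay undecoded."""
    listing, work = {}, [entry]
    while work:
        pc = work.pop()
        if pc in listing or not 0 <= pc < len(code):
            continue
        mnem, _, successors = decode(code, pc)
        listing[pc] = mnem
        work.extend(successors)
    return listing


# Constructed sample: JMP over one junk byte (0x04, which looks like the start
# of a 3-byte MOV) to the real code at offset 3.
SAMPLE = bytes([
    0x02, 0x01,        # 0: JMP +1 -> 3
    0x04,              # 2: junk byte, never executed
    0x01,              # 3: NOP
    0x04, 0xAA, 0xBB,  # 4: MOV 0xAA, 0xBB
    0x05,              # 7: RET
])

if __name__ == "__main__":
    print("linear sweep:       ", linear_sweep(SAMPLE))
    print("recursive traversal:", recursive_traversal(SAMPLE))
```

The linear sweep reports a MOV at offset 2 that swallows the real NOP and the first byte of the real MOV, so offsets 3 and 4 never appear in its listing; the recursive traversal lists exactly the four instructions that execute. The same idea carries to real disassemblers, with the caveat that recursive traversal in turn needs help (heuristics or symbolic reasoning) for indirect jumps whose targets it cannot compute statically.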
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: luisx on November 04, 2012, 03:21:26 PM
I am an Avast old timer. I just read these forums usually. I just joined today.

By the way, I have seen many times avast evangelists asking people to stop writing about other antivirus or security software, even though it was to improve security.

Sounds hypocritical.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: CraigB on November 04, 2012, 03:36:56 PM
I am an Avast old timer. I just read these forums usually. I just joined today.

By the way, I have seen many times avast evangelists asking people to stop writing about other antivirus or security software, even though it was to improve security.

Sounds hypocritical.
Antiviruses are not usually discussed on the forum as that would be in direct competition with avast and this is the avast forum, though programs such as ExploitShield are not antiviruses - merely extra protection layers which can be beneficial to one's security.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: bob3160 on November 04, 2012, 04:14:19 PM
@ luisx
Since ExploitShield is not a stand alone AV program but is actually designed to work with your current AV to make it
better, it's perfectly suited to be discussed in the general topic.
It's not a product that competes with Avast and is very similar to us discussing the advantages of using such other
products like Malwarebytes, Win Patrol, etc.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Chris Thomas on November 04, 2012, 04:26:23 PM
@ luisx
Since ExploitShield is not a stand alone AV program but is actually designed to work with your current AV to make it
better, it's perfectly suited to be discussed in the general topic.
It's not a product that competes with Avast and is very similar to us discussing the advantages of using such other
products like Malwarebytes, Win Patrol, etc.

+1
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on November 04, 2012, 04:43:12 PM
Hi bob3160,

Thanks for being clear about this. In this thread I just want to come to a conclusion.
Either ExploitShield Browser Tool is a valid addition to be used next to resident avast av solution
or ExploitShield Browser Tool beta can be unmasked as at least overhyped
and in the worst scenario as fud snakeoil &"too good to be true".
To achieve that goal I did some explorations and I tried to get insights from comments made here and elsewhere.
So all will be clear when the tool will stand the time.
Either we go thumbs up or go thumbs down on this.
Too early for the final verdict....
The best you can hope for that ExploitShield Browser Tool would be as good a concept as NoScript in browser security.
That works now and it works in the future against existing malcode and against future malcode,
because it blocks and the concept is 100% functional.
There are also exploit detecting tools as we describe here that work on that basis.
They do inspection and then filter code out and alert -
an example is the DExtor concept and this is rather failproof.
So I think a discussion about these issues can be rather valuable for the avast users,

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Chris Thomas on November 04, 2012, 05:35:45 PM
I have been using ExploitShield for a while now. From the time I read the article on Cnet http://download.cnet.com/8301-2007_4-57521983-12/exploitshield-appears-to-live-up-to-its-name/ that's Sept 28.

I just want to test the next version and ExploitShield Corporate Edition.

The only bug I have come across is when I launch Spotflux, it catches a Java exploit which is a false positive.

www.spotflux.com/

Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on November 04, 2012, 05:43:55 PM
Hi bob3160,

Thanks for being clear about this. In this thread I just want to come to a conclusion.
Either ExploitShield Browser Tool is a valid addition to be used next to resident avast av solution
or ExploitShield Browser Tool beta can be unmasked as at least overhyped
and in the worst scenario as fud snakeoil &"too good to be true".
To achieve that goal I did some explorations and I tried to get insights from comments made here and elsewhere.
So all will be clear when the tool will stand the time.
Either we go thumbs up or go thumbs down on this.
Too early for the final verdict....
The best you can hope for that ExploitShield Browser Tool would be as good a concept as NoScript in browser security.
That works now and it works in the future against existing malcode and against future malcode,
because it blocks and the concept is 100% functional.
There are also exploit detecting tools as we describe here that work on that basis.
They do inspection and then filter code out and alert -
an example is the DExtor concept and this is rather failproof.
So I think a discussion about these issues can be rather valuable for the avast users,

polonus

Any time security minded people and users of security software can discuss a software program that can add another layer of protection that is not redundant then this is a good thing.
I also intend to continue my testing/running of this little tool through the beta stages and I agree (in general) with the accounting and explanation provided by ZerovulnLabs. 8)
Edit: I also think the analysis provided be Polonus about the inners of ES is very enlightening and valuable.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on November 04, 2012, 09:47:42 PM
About the loader executable, considering

Code: [Select]
asInvoker requested execution level
would
 
Code: [Select]
"Replace a process level token"
/SE_ASSIGNPRIMARYTOKEN_NAME/SeAssignPrimaryTokenPrivilege
"Adjust memory quotas for a process"
/SE_INCREASE_QUOTA_NAME/SeIncreaseQuotaPrivilege

will give permission to all of the drive?

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: ZeroVulnLabs on November 05, 2012, 05:34:15 AM
Thanks for the comments and for reporting the false positive. We have been working for some time on reducing those false positives and the solution will be integrated either in beta2 or beta3.

As for the techniques you outline polonus, I wouldn't worry about it now. At least for the next version or two we will be focused on engine improvements and won't get to interception improvements until later on. But we will take all your mentions into consideration once we get to that part.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on November 25, 2012, 10:23:05 PM
Do not know whether this is related to the use of the ExploitShield beta, but I experienced a pfn_list_corrupt BSOD error twice.
Waiting for the second beta version...

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on November 26, 2012, 12:09:24 AM
Do not know whether this is related to the use of the ExploitShield beta, but I experienced a PFN_LIST_CORRUPT BSOD error twice.
Waiting for the second beta version...

polonus

I am also waiting for the second beta, v0.8. Holding off on Win8 installation till then. :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: bob3160 on November 26, 2012, 12:30:47 AM
Do not know whether this is related to the use of the ExploitShield beta, but I experienced a PFN_LIST_CORRUPT BSOD error twice.
Waiting for the second beta version...

polonus

I am also waiting for the second beta, v0.8. Holding off on Win8 installation till then. :)
What does one have to do with the other ???
Windows 8 works fine with out ExploitShield. :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on December 01, 2012, 12:29:08 AM
Hi folks,

The first beta testing phase has ended. I was asked to install version 0.8 over the existing version.
Reporting later on this,

polonus

P.S. What was blocked in version 0.7 -> http://www.zerovulnerabilitylabs.com/webconsole/lv.php
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on December 02, 2012, 02:50:58 PM
Reporting one crashed application for ExploitShield 0.8.1 today. The application had to be closed and info was sent to MS,

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: ZeroVulnLabs on December 02, 2012, 09:03:18 PM
Which application crashed? Would be interesting to replicate and troubleshoot this if possible. Can you email me a DDS log of your installed apps? (support at zerovulnerabilitylabs dot com).
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on December 02, 2012, 11:47:55 PM
@ Polonus.
I have also installed the latest ES beta on Windows 8 64-bit.
No issues to date. :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Arnold72 on December 03, 2012, 03:37:21 PM
Is this Chinese software?
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: bob3160 on December 03, 2012, 03:45:09 PM
Is this Chinese software?
The question should be "Is this software any good ?"


Anything else isn't important.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: CraigB on December 03, 2012, 03:46:50 PM
Is this Chinese software?
http://www.zerovulnerabilitylabs.com/home/about-us/company/
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Arnold72 on December 03, 2012, 11:42:15 PM
Thanks for the replies and it was just a query in regard to country of origin.
I have Microsoft EMET installed alongside avast. Would I be able to run ExploitShield alongside these, or do I need to uninstall EMET, which at the moment I'm having trouble doing as my computer does not even recognise it is installed?
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on December 03, 2012, 11:51:41 PM
Thanks for the replies and it was just a query in regard to country of origin.
I have Microsoft EMET installed alongside avast. Would I be able to run ExploitShield alongside these, or do I need to uninstall EMET, which at the moment I'm having trouble doing as my computer does not even recognise it is installed?

Edit: I do on my XP OS. :) 8)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Arnold72 on December 04, 2012, 12:08:47 AM
Thanks for the replies and it was just a query in regard to country of origin.
I have Microsoft EMET installed alongside avast. Would I be able to run ExploitShield alongside these, or do I need to uninstall EMET, which at the moment I'm having trouble doing as my computer does not even recognise it is installed?

Edit: I do on my XP OS. :) 8)
Thank you schmidthouse,
Just out of curiosity, how would you uninstall EMET, as I'm finding it impossible. :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on December 04, 2012, 12:17:43 AM
Hi ZeroVulnLabs

The crash of Exploit Shield was for the browser used. The data.dat log changed as shown below 
Quote
(runs of 0xCC filler bytes) 2012-12-01 00:25:47 (0xFE filler) Google Chrome is now protected. (0xFE filler)
(0xCC filler) 2012-12-01 01:07:49 (0xFE filler) Firefox is now protected

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: bob3160 on December 04, 2012, 12:23:47 AM
Thanks for the replies and it was just a query in regard to country of origin.
I have Microsoft EMET installed alongside avast. Would I be able to run ExploitShield alongside these, or do I need to uninstall EMET, which at the moment I'm having trouble doing as my computer does not even recognise it is installed?

Edit: I do on my XP OS. :) 8)
Thank you schmidthouse,
Just out of curiosity, how would you uninstall EMET, as I'm finding it impossible. :)
You may wind up damaging your OS.
Try running this command from an elevated prompt. It's a hidden flag that will forcibly create the EMET log source (it has to be run as Administrator).
"EMET_notifier.exe --InitEventViewerSource"
And reboot to see if that fixes your current problem with EMET.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: ZeroVulnLabs on December 04, 2012, 04:12:11 AM
I have microsoft EMET installed alongside avast,would i be able to run exploitshield alongside these
Yes, you can run ExploitShield and EMET at the same time. In fact we recommend this, as it increases your level of protection very much. As EMET and ExploitShield use totally different anti-exploit techniques, having both installed provides excellent coverage against exploits.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: ZeroVulnLabs on December 04, 2012, 04:14:03 AM
The crash of Exploit Shield was for the browser used.
We are preparing a special version with verbose logging to find out the source of potential bugs or problems. If you would like to test this I can send it to you once it is ready, so that you may try to reproduce it and then see the source of the problem in the verbose logs. Just let me know if you can test this in a couple of weeks and I'll send you a PM once it's ready.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Arnold72 on December 04, 2012, 07:54:40 PM
Is there a way of adding programs to be shielded manually in the free browser edition?
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: ZeroVulnLabs on December 05, 2012, 01:36:41 PM
Not yet, but it's something we want to include in the future.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Arnold72 on December 05, 2012, 08:27:33 PM
Thanks.
I tried the browser version of ExploitShield yesterday and unfortunately it does not, in its present form, protect any programs that I have installed.
If i can add programs manually then i will certainly give it another go.
Best of luck to you with this interesting program. 8)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on January 14, 2013, 10:05:52 PM
To those that use and test ExploitShield 0.8.1 beta next to their resident avast av solution,

Just to revive this thread after using the beta now for quite some time and it closed down just only once in all that time. I could restart it easily. I gave the Exploit Shield executable a run of a nice exploration tool called exeinfoPE power pack and got back some interesting results (to whom it may concern). ExeinfoPE is a great tool for  packer determination.
For the ExploitShield executable we get EntryPoint 0011C50, File Offset 00011050, File Size etc. But interesting is Overlay 000024D8, encoding 0x000024D8 (24d8).
Unpack info try:
Protection_ID.exe from http://pid.gamecopyworld.com , true ep-only, and signature pattern 8B FF 55 8B EC is for Visual C++ 2003 DLL -> Microsoft UPolyX v.0.5 gives ???? so cannot be established but as false.
Also interesting would be to perform a walk with Dependency Walker; as seen from the signature pattern we land here: http://www.nirsoft.net/articles/windows_7_kernel_architecture_changes.html (article and info from Nir Sofer, an excellent developer with a list of very helpful tools: hxtp://www.softpedia.com/developer/Nir-Sofer-10197.html) and we see that the executable is all about kernel protection.
Thanks also for !Donovan for inspiring me to test out the ExeinfoPE_PowerPack tool as we both rather like the interesting  interface of it.
This while we went over some ins and outs of packer detection....

polonus
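As an added illustration (my own script, not polonus's ExeinfoPE output and not ExploitShield code), here is a small PE32 triage routine that derives the three numbers quoted above straight from the headers: the AddressOfEntryPoint RVA, its file offset via the section table, and the overlay (bytes that sit past the end of the last section's raw data, which is where packers and installers usually append payloads). It also checks whether the entry point begins with 8B FF 55 8B EC; those bytes are the MSVC hot-patchable function prologue (mov edi,edi / push ebp / mov ebp,esp), so they fingerprint the compiler rather than a packer. The input is a constructed toy PE32 built inside the script with an overlay of 0x24D8 bytes chosen to mirror the size reported above; its entry point values (RVA 0x1050, offset 0x250) are the toy file's own, not the real binary's.

```python
"""Small PE32 triage in the spirit of ExeinfoPE: entry point, its file offset, overlay, prologue."""
import struct

MZ_SIG = b"MZ"
PE_SIG = b"PE\0\0"
# MSVC hot-patchable prologue: mov edi,edi ; push ebp ; mov ebp,esp (compiler fingerprint, not a packer)
MSVC_HOTPATCH_PROLOGUE = bytes.fromhex("8BFF558BEC")


def rva_to_offset(rva, sections):
    """Translate a relative virtual address to a file offset via the section table."""
    for s in sections:
        span = max(s["vsize"], s["rawsize"])
        if s["vaddr"] <= rva < s["vaddr"] + span:
            return rva - s["vaddr"] + s["rawptr"]
    return None


def parse_pe(data: bytes) -> dict:
    """Read the headers a triage tool needs; raises on anything that is not a PE32 image."""
    if data[:2] != MZ_SIG:
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
    ep_off = rva_to_offset(entry_rva, sections)
    # Overlay = anything in the file beyond the last byte claimed by a section.
    end_of_sections = max((s["rawptr"] + s["rawsize"] for s in sections), default=0)
    overlay = max(len(data) - end_of_sections, 0)
    return {
        "entry_rva": entry_rva,
        "entry_offset": ep_off,
        "entry_bytes": data[ep_off:ep_off + 5] if ep_off is not None else b"",
        "overlay_offset": end_of_sections if overlay else None,
        "overlay_size": overlay,
        "sections": sections,
    }


def has_msvc_prologue(info: dict) -> bool:
    """True when the entry point starts with the MSVC hot-patch prologue."""
    return info["entry_bytes"].startswith(MSVC_HOTPATCH_PROLOGUE)


def summary(info: dict) -> str:
    """One line in the style of the ExeinfoPE output quoted in the post."""
    return "EntryPoint {:08X} File Offset {:08X} Overlay {:08X}".format(
        info["entry_rva"], info["entry_offset"] or 0, info["overlay_size"])


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed toy PE32 with one .text section; sample input only, not a real binary."""
    file_align, sect_align = 0x200, 0x1000
    entry_rva = 0x1050                         # .text is mapped at RVA 0x1000
    dos = bytearray(0x40)
    dos[:2] = MZ_SIG
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)  # SizeOfImage, SizeOfHeaders
    text = bytearray(file_align)
    text[0x50:0x55] = MSVC_HOTPATCH_PROLOGUE   # bytes at the entry point
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + PE_SIG + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + bytes(text) + overlay


# Overlay size chosen to mirror the 0x24D8 reported above; the contents are filler.
SAMPLE_OVERLAY = b"OVERLAY:" + bytes(0x24D8 - 8)

if __name__ == "__main__":
    info = parse_pe(build_sample_pe(SAMPLE_OVERLAY))
    print(summary(info), "| MSVC prologue at EP:", has_msvc_prologue(info))
```

Point `parse_pe` at `open(path, "rb").read()` for a real 32-bit executable; a non-zero overlay is worth dumping (`data[info["overlay_offset"]:]`) and scanning separately, since AV engines and packer detectors often look only at the mapped sections.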
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on January 19, 2013, 11:27:16 PM
ExploitShield browser actually prevented javaw.exe from executing through java. Clicked on a file in browser file location ssecurity.java and ExploitShield prevented javaw, with which there exists no associated console. The window isn't necessarily created (for example, when you run from an existing console window or completely in background). If this had been a zero-day it would have been blocked by ExploitShield 0.8.1.......

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: ZeroVulnLabs on January 19, 2013, 11:37:21 PM
Yes, ExploitShield blocks all recent Java zero-days.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on January 29, 2013, 05:44:20 PM
Hi users of ExploitShield 0.8.1 next to avast resident av solution,

ExploitShield blocks an attempt to scan for the UPnP hole with this tool, which is stopped in its tracks: http://www.rapid7.com/resources/free-security-software-downloads/universal-plug-and-play-jan-2013.jsp (seen in the logs: swt-win-3740.dll blocked from executing through Java and swt-win-3740.dll sent to ExploitShield's quarantine folder)... ExploitShield protects against UPnP-hole exploits. Just wanted to let you know...

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on June 20, 2013, 12:41:01 PM
Hi folks,

News from Exploit Shield.
Quote
ZeroVulnerabilityLabs and ExploitShield
are now part of the Malwarebytes
family and will be known as
Malwarebytes Anti-Exploit.

It seems it is no FUD and snake oil, as it has now been acquired and incorporated by MBAM.
The new beta can be downloaded here: http://downloads.malwarebytes.org/file/mbae_beta

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: Asyn on June 20, 2013, 12:48:09 PM
Quite interesting. Thanks Pol.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: SpeedyPC on June 20, 2013, 12:49:54 PM
Polonus is Malwarebytes Anti-Exploit going to be free when it become a final release ???
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: CraigB on June 20, 2013, 01:01:38 PM
Polonus is there a link to some information about it, I cant find anything about it at Malwarebytes.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on June 20, 2013, 01:21:19 PM
Only thing I know that "is available for a limited time" from that link. So download it as a free beta.....
It already has proven itself to me in earlier version by halting 8 zero days or "unexpected" software actions...
Certainly gonna analyze this software and report here.
mbae.exe:  http://www.backgroundtask.eu/Systeemtaken/Filereport.php?Hash=7DD519185F1ED7E6AA4400683B367EAD
and http://www.backgroundtask.eu/Systeemtaken/taakinfo/323347/mbae.exe/
and the loader executable: http://www.backgroundtask.eu/Systeemtaken/Filereport.php?Hash=0E810382F0E79AF5E71115DD386A0FD1
http://www.backgroundtask.eu/Systeemtaken/taakinfo/323351/mbaeLoader32.exe/
https://www.virustotal.com/nl/file/f4be45940dea303bd89e82eacd5dbeb95ef80b5290b08311f4c4637ef892e73a/analysis/1371726631/
and
https://www.virustotal.com/nl/file/48036bb9d92a8a889b62ce903d6992cb702cd1732ff3f9b1a928d4cd5a6405f5/analysis/1371726715/
and the dll: http://www.backgroundtask.eu/Systeemtaken/Filereport.php?Hash=903968CB5438284DD1F3B38D796FEAB9
and http://www.backgroundtask.eu/Systeemtaken/taakinfo/323352/mbae.dll/
https://www.virustotal.com/nl/file/e96372cf15064efed686b69365389375eb0f86f283619a41cba364f80b7a6abe/analysis/1371727027/

That for starters, enjoy...Please note that this is a beta and may contain bugs.....
@craigb: Information link: http://www.zerovulnerabilitylabs.com/

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: CraigB on June 20, 2013, 01:33:23 PM
Thanks Damian, I eventually found the info at the Malwarebytes press room http://press.malwarebytes.org/2013/06/20/malwarebytes-completes-acquisition-of-zerovulnerabilitylabs/ I'm wondering if this technology will be incorporated into MBAM Pro ???
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on June 20, 2013, 01:56:18 PM
Hi craigb,

Yes, that is also what I assume: that they wanted a wide-scale beta test and then to incorporate it in their MBAM Pro flagship.
Well as long as it is available I use it. The crashes of the very early days have now subsided, so it is getting more and more stable...
This was what was quarantined through my earlier beta version:

awt.dll_20130314-150605.zvl & awt.dll_20130314-150842.zvl & swt-win32-3740.dll_20130129-173409.zvl.

swt-win32-3740.dll_20130129-173409.zvl could not be a threat but the action might be based on unexpected activity or was user generated activity...
for awt.dll see: http://www.processlibrary.com/directory/files/awt/80697/  (it was a Java-initiated process that was stopped in its tracks)

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: CraigB on June 20, 2013, 02:15:00 PM
We'll just have to wait and see/hope ;)

Thanks for replying Polonus :)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on June 20, 2013, 08:48:47 PM
I've been using/testing the 'corporate edition' (this edition has many more shielded programs, not just browsers).
 I'm not sure how this edition figures into the Malwarebytes Anti Exploit development. I have made inquiries, no response as yet. :)

Edit: My answer.


Re: Malwarebytes Acquires ZeroVulnerabilityLabs

Post by ROCKNROLLKID » Thu Jun 20, 2013 12:01 pm
Currently, there is only one edition and it has all the same features of free and corporate combined. Sorry I missed that part. Once stable versions are released, it will be like MBAM pro and have different editions to it.
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: timcan on June 20, 2013, 09:09:40 PM
Hi, the developer has posted a few comments on the plans for this program.

http://www.wilderssecurity.com/showpost.php?p=2243056&postcount=8 (http://www.wilderssecurity.com/showpost.php?p=2243056&postcount=8)

http://www.wilderssecurity.com/showpost.php?p=2243243&postcount=28 (http://www.wilderssecurity.com/showpost.php?p=2243243&postcount=28)
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: schmidthouse on June 20, 2013, 09:51:26 PM
Hi folks,
 
It seems it is no FUD and snake oil, as it has now been acquired and incorporated by MBAM.
The new beta can be downloaded here: http://downloads.malwarebytes.org/file/mbae_beta

polonus

Well, I've liked 'Z' right from the beginning; and it did its job! 8)
After using this little program for many, many months it's good to see its capability confirmed. ;D ;D ;D
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on June 20, 2013, 11:19:56 PM
Yes, schmidthouse, we are users of the first hour (after you came introducing it here).

Analysis Report for mbae.exe: http://anubis.iseclab.org/?action=result&task_id=1e7f68e540ccf0fb4c1a666eac9683ed4&format=html
and for mbaeLoader32.exe: http://anubis.iseclab.org/?action=result&task_id=1bf8cf4c133eea864e546a2e436f5bf86&format=html
Analysis Report for mbae.dll: http://anubis.iseclab.org/?action=result&task_id=11e7403b4a6c46644998e1b86169933d6&format=html

Some characteristics found in the last mentioned analysis -
Program Output Renaming input file to .\d1.tmp.dll see further down  attack code also found from Aimbot hack
found dll entry point at 0x1000eaa0 (single entry point is the main() function)
Dll is not a BHO
Invoking regsvr32
calling DllMain
{
This is clever, and we need to evaluate it using http://www.nirsoft.net/utils/dll_export_viewer.html
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}    ItemData    0x5eab304f957a49896a006c1c31154015   is shared with something like Buster Sandbox Analyzer code...
Processes Created: Executable Command Line C:\WINDOWS\system32\regsvr32.exe regsvr32.exe /c /s , also found in bot code (AIMBOT)
Control Communication Control Code 0x00090028 as used in NtTrace; the API is provided by ntdll.dll and not very well documented (clever choice)
camouflage code Attack code found from Aimbot hack: Command Line:...regsvr32.exe /c /s .\d1.tmp.dll

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on June 22, 2013, 01:12:25 AM
What is also remarkable about the loader is the Windows SEH exception: Exception 0xc0000135 at 0x7c96478e is an unknown target exception (also an anti-analysis measure against Anubis analysis, for example). Execution is suspended because the executable is somewhere else... it requires the execution of code outside the normal flow of control.
Software-enforced DEP does not protect against execution of code in data pages, but instead counters SEH overwrite, another type of attack. It contrasts structured exception handling with standard C++ exception handling and comes in from the game developer experience that the developers of ExploitShield possess from their background, and all sorts of protection and tricks from the game developer arena were brought into this protection tool. MBAM must be glad they have acquired that expertise now as well... this is alpha-grade code..
Quote
SEH is fast, but SEH depends on (a new small)  API functions and specialized code. Deallocation code (including its logic) has to be written once per instance. SEH must remain tied to structured programming (that is why the name). SEH is not portable across platforms. Another minus from a security point of view is that SEH uses only an unsigned int value, its value might conflict with exceptions defined by other code

(above evaluation quotes on SEH were taken from info provided and posted by "null-pointer" via gamedev net)....

A further read on another implementation, libseh, to be found here: http://www.programmingunlimited.net/siteexec/content.cgi?page=libseh (link article author = Tom Bramer)

polonus
Title: Re: Can ExploitShield browser version be used next to avast resident av?
Post by: polonus on October 08, 2013, 01:22:44 PM
The beta testing phase for Malwarebytes Anti-Exploit goes on, and I see that there are still bugs appearing. Here is a belated notification: the Windows firewall caused MBAE.exe to be closed and a new session had to be started manually. Read all of the Event Viewer report and analysis here: http://forums.malwarebytes.org/index.php?showtopic=134558  (reported there by "analyzer") -> had to update to version 0.09.3.1000, available here:
http://downloads.malwarebytes.org/file/mbae_beta  checked for via -> VT results
https://www.virustotal.com/en/url/8e6bb5032768e0bc23e1e643990956b33b9d6f0b7cc36af1d9a7b49e15195d56/analysis/1381231450/

polonus