Exploit Shield

Discussion in 'Malwarebytes Software' started by loveboy_lion, Sep 28, 2012.

  1. loveboy_lion

    loveboy_lion Regular Member

    Joined:
    Feb 23, 2012
    Messages:
    553
    Likes Received:
    5
    Trophy Points:
    62




    A new company called ZeroVulnerabilityLabs says that it has solved the Gordian knot of exploits, slicing through the complicated, Hydra-headed problem with a single stroke from a software weapon it calls ExploitShield.
    Available exclusively today from Download.com, the first ExploitShield Browser Edition beta (download) appears to stop all manner of exploits, from those affecting browsers directly to browser plug-ins like PDF readers, Flash, and Java, to Microsoft Office components, to a handful of media players. The potential for raising the level of computer security here is huge, as a vast number of threats are actually mutations of malware, sold in kits like BlackHole, exploiting the same security holes in the same security programs.
    The Windows-only ExploitShield is freeware for individuals and non-profits, part of ZeroVulnerabilityLabs' attempt to prove that the technology is so important that it's worth giving away. The company is working on a licensed version for businesses, although they don't have a timeline for its release yet.
    Software exploits have long been a thorny software problem, hard to prevent because of source code complexity. For some notorious software, such as Java, Flash, and QuickTime, it can sometimes seem as though two exploits crop up for each one that gets patched. A panacea that cures all exploits, even ones that have yet to be used to breach a program, sounds too good to be true. Several Windows security suites have promised to block browser exploits, with Kaspersky's 2013 Automatic Exploit Prevention feature to be among the strongest offered, but that will set you back $60 retail.
    In terms of features, ZeroVulnerabilityLabs plans on following in the footsteps of other free security programs that offer a paid upgrade. The free version of ExploitShield includes protection against drive-by downloads only, a powerful protection tool, as well as protection against attacks based on document file formats and media file formats. The company hopes to attract businesses to the corporate upgrade by offering those features, and protection against DLL memory injection attacks, shield management for network deployment, quarantine management, and a centralized reporting portal.
    ExploitShield is Silicon Valley's ZeroVulnerabilityLabs' first release. It's been in development for the past 12 months, according to its two co-founders, both of whom are experienced security researchers. Pedro Bustamante has more than 20 years' experience as a security researcher; the other co-founder is David Sanchez Lavado, a former employee of the security firm S21Sec and Panda Security, and ZeroVulnerabilityLabs' Chief Technical Officer.
    "Ninety-five percent of successful exploits are Java- or PDF-based," said Bustamante in a meeting at CNET's San Francisco offices last June. "ExploitShield protects against exploit-delivered malicious payload," he said. "It's vulnerability-agnostic."
    Because of the potential implications of a freeware exploit-blocker that protects most major software, CNET insisted on permission from ZeroVulnerabilityLabs to hand off ExploitShield to independent experts to evaluate its efficacy.

    Jeremiah Grossman, Chief Technical Officer of WhiteHat Security, said in an e-mail to CNET requesting comment on ExploitShield that the software offered a "concept and value proposition" that "sounds pretty good, especially in a corporate environment."
    "There are a ton of important and unanswered questions here, but that's a good thing. This could be a strong emerging player that establishes a niche market. I'll be watching them for sure," he said.
    Bustamante was reticent to explain how ExploitShield works, but did offer some insight in an e-mail. "It is not blacklisting, not whitelisting, and not sandboxing. We call it 'application shielding,' and it's basically a pro-active way of preventing vulnerability exploits. It blocks 100 percent of the exploits it protects against, 100 percent of the time. I think it's a new type of security software category, i.e., 'anti-exploits'," he said.
    ZeroVulnerabilityLabs is making some heady claims with ExploitShield that so far appear to be supported by my everyday use of the software. Bustamante said in a subsequent e-mail to CNET that, "this is not an intrusive security technology like antivirus, whitelisting, or sandboxing. It is completely transparent to the user, install-and-forget."
    Bustamante explained that currently known exploit methods against Microsoft's EMET and 32-bit based ASLR, such as ROP and anti-anti-ROP exploits, are blocked by ExploitShield.
    At least on the counts of performance and stability, I have not noticed any appreciable differences in browser behavior. Bustamante did caution, however, that since ExploitShield is in beta, those problems could still crop up.
    Adam J. O'Donnell, Chief Architect for the Cloud Technology Group at Sourcefire, said that the community of security experts will be curious about how ExploitShield works. "Once the thing is put up for download, everyone will be reversing it," he wrote to CNET in an e-mail earlier this week, after looking at ExploitShield. He also vouched for Bustamante's reputation, no small matter in the world of computer security.
    Grossman agreed that ExploitShield could have far-reaching implications. "If this works as advertised, [it] sounds like they could have something very special here. The concept and value proposition sounds pretty good, especially in a corporate environment," he said.


    Source
    CNET

    Main Developer Site
    http://www.zerovulnerabilitylabs.com/home/
    Last edited by a moderator: Dec 10, 2013
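    The article above says ExploitShield targets ROP-style attacks against ASLR and EMET-protected processes. A defender's first question about any such product is which binaries on the machine actually opt in to the OS mitigations those attacks are bypassing. The following is an added example, not code from the article, the thread, or ZeroVulnerabilityLabs: it reads the DllCharacteristics field of a PE32/PE32+ header and reports the ASLR (DYNAMIC_BASE), DEP (NX_COMPAT), HIGH_ENTROPY_VA, NO_SEH and GUARD_CF bits. The header-only sample images it builds for itself are constructed for the demonstration and are not loadable executables; the flag values and header offsets come from the PE/COFF specification.

```python
"""Report which OS exploit mitigations a PE image opts in to (added example).

Pure Python, no third-party dependencies. Offsets and flag values follow the
PE/COFF specification; the sample images built by build_minimal_pe() are
constructed for this example and are header-only (not runnable programs).
"""
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # 64-bit ASLR with high-entropy addresses
    "DYNAMIC_BASE":    0x0040,  # image may be relocated (ASLR opt-in)
    "NX_COMPAT":       0x0100,  # DEP: data pages are non-executable
    "NO_SEH":          0x0400,  # image uses no structured exception handlers
    "GUARD_CF":        0x4000,  # Control Flow Guard metadata present
}


def dll_characteristics(image: bytes) -> int:
    """Return the 16-bit DllCharacteristics field of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # 20-byte COFF header
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                                        # optional header start
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    # DllCharacteristics is at offset 70 of the optional header in both formats.
    (dllchar,) = struct.unpack_from("<H", image, opt + 70)
    return dllchar


def mitigation_report(image: bytes) -> dict:
    """Map each mitigation name to whether the image has that bit set."""
    flags = dll_characteristics(image)
    return {name: bool(flags & bit) for name, bit in DLL_FLAGS.items()}


def build_minimal_pe(dllchar: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: DOS stub + PE signature + COFF + optional header only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    magic = 0x20B if pe32plus else 0x10B
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchar)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # With a path argument, inspect a real file; otherwise show the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], mitigation_report(fh.read()))
    else:
        hardened = build_minimal_pe(0x0160 | 0x4000, pe32plus=True)  # constructed
        legacy = build_minimal_pe(0x0000)                            # constructed
        print("hardened sample:", mitigation_report(hardened))
        print("legacy sample:  ", mitigation_report(legacy))
```

Run it with no arguments to see the two constructed samples, or pass the path of a DLL or EXE to inspect a real image. A plugin host or add-on that reports DYNAMIC_BASE and NX_COMPAT as False is exactly the kind of module the article's ROP discussion is about, so this check is a useful baseline before judging what any third-party shield adds on top.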
  2. InternetChicken

    InternetChicken Regular Member

    Joined:
    Jul 16, 2012
    Messages:
    574
    Likes Received:
    2
    Trophy Points:
    61
    The browser edition only gives drive-by download protection;
    all the other protections are in the corporate edition.

    So the browser edition has limited protection for free,
    and the corporate edition is still in closed, private beta.

    Still, I can try out the browser edition for a while.
  3. Littlebits

    Littlebits Super Moderator MalwareTips Staff

    Joined:
    May 3, 2011
    Messages:
    3,978
    Media:
    1
    Likes Received:
    2,912
    Trophy Points:
    817
    Drive-by downloads still exist with modern-day browsers?

    The last time I saw a drive-by download was on IE6 using ActiveX controls.
    I would like to see a live example of a drive-by download on modern browsers.

    Thanks.:D
  4. bitbizket

    bitbizket Regular Member

    Joined:
    Jul 26, 2011
    Messages:
    158
    Likes Received:
    0
    Trophy Points:
    35
    Just keep your browsers, extensions, addons, Java, PDF Reader, Flash Player updated at all times and you're in a safe zone.

    Not a single hit on my exploit tests; either they are blocked by the browser directly or they're stopped by the blocking element of the antimalware that I'm using.

    Maybe this software will be more useful in a corporate environment than for a home consumer.

    Thanks
  5. ZeroVulnLabs

    ZeroVulnLabs New Member

    Joined:
    Sep 29, 2012
    Messages:
    16
    Likes Received:
    4
    Trophy Points:
    12
    Hi, I'm one of the founders of ZeroVulnerabilityLabs.

    ExploitShield Browser Edition is designed to be a free anti-exploit solution for users to tackle the problem of drive-by downloads and exploit kits. So while it does shield major browsers (IE, FF, Chrome and Opera) it also shields browser addons such as Java, Flash, Shockwave as well as other applications when their exploit content is loaded from within the browser (Adobe Reader, Foxit Reader, Windows Media Player, VLC, Quicktime, etc.)

    Oh yes, very much so. In fact they are more prevalent today than with IE6. Just check: in the last month or so there have been three IE remote code execution zero-day vulnerabilities and a bunch of Java zero-days. In fact right now there are rumors of another IE 0-day and a very serious Java5/6/7 0-day. All those are used by exploit kits in drive-by infections (Blackhole, Sakura, Phoenix, Incognito, etc.). Also a couple of days ago Google released an update which fixed over a dozen vulnerabilities, so no browser is immune from exploits.

    Take a look at the video and you will see some drive-by downloads under IE, FF and Chrome being blocked by ExploitShield.
  6. ZeroVulnLabs

    ZeroVulnLabs New Member

    Joined:
    Sep 29, 2012
    Messages:
    16
    Likes Received:
    4
    Trophy Points:
    12
    I'm afraid it's not that simple. As mentioned above there are many 0-days being discovered at a very rapid rate. Read up on the latest Java7 0-day. It took the bad guys literally less than 24 hours to implement the exploit in Blackhole, a good week before Oracle released a patch. In the last two months this very same thing has happened with IE and three separate 0-days.

    Maybe you are an advanced user and have a very tight system, but most users out there, with up-to-date software and up-to-date AV, are still getting infected with drive-by exploits every day. The reason we release ExploitShield Browser Edition for free instead of paid is precisely for all the users out there who are pretty much defenseless against these types of exploit attacks.

    Take a look at the latest attacks table on our homepage to see the detection rates of the exploit payloads we are blocking.
  7. Umbra Polaris

    Umbra Polaris Testing And Review Expert MalwareTips Staff

    Joined:
    May 16, 2011
    Messages:
    10,481
    Likes Received:
    3,782
    Trophy Points:
    1,197
    Thanks for giving us some more details and explanations ;)
  8. ZeroVulnLabs

    ZeroVulnLabs New Member

    Joined:
    Sep 29, 2012
    Messages:
    16
    Likes Received:
    4
    Trophy Points:
    12
    Btw., here's a list of known* vulnerabilities that ExploitShield Browser Shield blocks:
    http://www.zerovulnerabilitylabs.com/home/technology/success-stories-cve/
    Search that page for Internet Explorer, Firefox, Chrome, Java, Adobe, Flash, Foxit, etc. and you'll get a pretty good idea of the rate of new exploits being developed.

    * In addition to known vulns ExploitShield also blocks unknown 0-day vulnerabilities. During the last few months during internal testing it blocked 3 different IE 0-days, 3 different Java 0-days and the latest Blackhole 2.0.
  9. Syntax

    Syntax Regular Member

    Joined:
    Feb 4, 2012
    Messages:
    263
    Likes Received:
    0
    Trophy Points:
    45
    This may be off-topic, but ZeroVulnLabs, are you pbust? I saw a post about you being pbust.

    So does this product have a connection with Panda, or am I wrong?
  10. Littlebits

    Littlebits Super Moderator MalwareTips Staff

    Joined:
    May 3, 2011
    Messages:
    3,978
    Media:
    1
    Likes Received:
    2,912
    Trophy Points:
    817
    If drive-by downloads do still exist, they are not as bad and as common as they were before in the days of IE6. I used to get drive-by downloads all the time when just visiting websites. I haven't got one since about 2006 or before. I'm a daily web user, so if drive-by downloads were a problem, then I would notice it.

    I really don't believe that drive-by downloads are very common; just because a vulnerability has been discovered in Flash, Java, iframes, etc. doesn't mean it will be exploited before it gets patched.

    In all of the years I have been using the web, not once have I ever been a victim of an exploited vulnerability.

    I have been using the web since 1995, and I have watched improvements in web browsers and Windows OS that can block many attacks that weren't blocked before.

    Believe me, the web is much safer than what it used to be.

    The new term "drive-by downloads" does not have the same meaning as it used to. A drive-by download used to mean a file that could download and execute without any user action or knowledge. Now the term applies to malicious files that are manually downloaded and manually executed by the user because they get tricked into thinking the file is safe while visiting a malicious site that uses fake alerts, fake updates or false pretenses, etc. to fool the user into doing the work for them.

    So does the old meaning of the term "drive-by download" still exist?

    Thanks.:D
  11. ZeroVulnLabs

    ZeroVulnLabs New Member

    Joined:
    Sep 29, 2012
    Messages:
    16
    Likes Received:
    4
    Trophy Points:
    12
    Yes I am, but no, ZeroVulnLabs has no relation to Panda.
  12. ZeroVulnLabs

    ZeroVulnLabs New Member

    Joined:
    Sep 29, 2012
    Messages:
    16
    Likes Received:
    4
    Trophy Points:
    12
    I believe it's quite the contrary; it's more dangerous, as infection vectors have gotten stealthier and more reliable and the payload has gotten terribly polymorphic and expert at evading both generic signatures and heuristics. Take a look at some of the posts by AV vendors on exploit kits. Also take a look at the table at our homepage.

    Also launch a VM with your typical end-user setup and go over to our forum (www.zerovulnerabilitylabs.com/forum). If you log in as a registered user you'll have access to URLs pointing to live exploit kits.

    When I use the term drive-by I'm referring to infections by simply visiting a page, without having to download or execute anything. It means the infection happens without any user interaction or knowledge of what is happening (i.e. pretty much all exploit kits nowadays, which are responsible for delivering the vast majority of financial malware - Zeus, SpyEye, etc. -, rogue antivirus and ransomware).
  13. InternetChicken

    InternetChicken Regular Member

    Joined:
    Jul 16, 2012
    Messages:
    574
    Likes Received:
    2
    Trophy Points:
    61
    Speaking of your forum:
    Not Found

    The requested URL /forum). was not found on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    And as for the browser edition, I'm still using it; so far no errors or issues.
  14. ZeroVulnLabs

    ZeroVulnLabs New Member

    Joined:
    Sep 29, 2012
    Messages:
    16
    Likes Received:
    4
    Trophy Points:
    12
    Works here:
    http://www.zerovulnerabilitylabs.com/forum/
  15. loveboy_lion

    loveboy_lion Regular Member

    Joined:
    Feb 23, 2012
    Messages:
    553
    Likes Received:
    5
    Trophy Points:
    62
    Thanks for the link and explanation.
    Joined your forum. There are really a lot of links to test; will surely test them with my security setup in my free time.
    Thanks
  16. arsenaloyal

    arsenaloyal Regular Member

    Joined:
    Aug 6, 2012
    Messages:
    331
    Likes Received:
    1
    Trophy Points:
    47
    OK, so is this only specifically for browsers, or does it also block exploits in apps like the MS Office suite? Thanks.
  17. Umbra Polaris

    Umbra Polaris Testing And Review Expert MalwareTips Staff

    Joined:
    May 16, 2011
    Messages:
    10,481
    Likes Received:
    3,782
    Trophy Points:
    1,197
    Does ExploitShield work with Comodo Dragon? And how is its resource usage on Win7 x64?
  18. ZeroVulnLabs

    ZeroVulnLabs New Member

    Joined:
    Sep 29, 2012
    Messages:
    16
    Likes Received:
    4
    Trophy Points:
    12
    Haven't tested it. Do you get a "... is now protected by ExploitShield" in the log when you run Comodo Dragon?

    ExploitShield Browser Edition shields browsers and add-ons (Java, PDF, media players, Flash, Shockwave, etc.).
    ExploitShield Corporate Edition does some other things:
    http://www.zerovulnerabilitylabs.com/home/exploitshield/
  19. Littlebits

    Littlebits Super Moderator MalwareTips Staff

    Joined:
    May 3, 2011
    Messages:
    3,978
    Media:
    1
    Likes Received:
    2,912
    Trophy Points:
    817
    ZeroVulnLabs, I registered at the forum and installed Exploit Shield to check it out.

    I went into the forum to test the URLs; the latest 120928 Exploit Kit URLs are all already blocked by Avast, and most are also blocked by Google Chrome and Firefox.

    Do you know if you have an example of a drive-by download URL in the forum? Like I said, I haven't seen one in over 6 years.

    So far I can't really test Exploit Shield because it doesn't block anything that isn't already blocked by Avast and my browsers.

    When will you have some new malicious URLs at the forum?

    Good day.:D
  20. loveboy_lion

    loveboy_lion Regular Member

    Joined:
    Feb 23, 2012
    Messages:
    553
    Likes Received:
    5
    Trophy Points:
    62
    Resource usage on my Win 7 x64 is always between 500 KB and 2 MB.

MalwareTips.com is an independent website.All trademarks mentioned on this page are the property of their respective owners.