Exploit Shield


ZeroVulnLabs

New Member
Sep 29, 2012
15
Littlebits said:
I went into the forum to test the URLs, the latest 120928 Exploit Kit URLs are all already blocked by Avast, most are also blocked by Google Chrome and Firefox.
Thanks for testing!

Avast and Chrome are blocking those URLs by blacklisting the URL itself as those URLs are normally already 24 hours or older. One way of testing is to disable the URL blacklisting features of your other security programs so you can allow the browser to hit the exploit. Then you will see how ExploitShield behaves against exploits.

We add new URLs normally on a daily basis but mostly on a "whenever-we-get-some-spare-time" basis which is not very often.


InternetChicken said:
Hi ZeroVulnLabs
Question Any issue with ExploitShield Browser Edition and Sandboxie ?
We haven't tried it, but if you do please post your findings!
 

arsenaloyal

Level 3
Verified
Aug 6, 2012
354
arsenaloyal said:
OK so is this only specifically for browsers or does it also block exploits in apps like the MS Office suite? Thanks.
ExploitShield Browser Edition shields browsers and add-ons (Java, PDF, media players, Flash, Shockwave, etc.).
ExploitShield Corporate Edition does some other things:
http://www.zerovulnerabilitylabs.com/home/exploitshield/



OK, the corporate shield looks interesting, how do I get a trial version?
ExploitShield Corporate Edition
This product is currently in closed, private beta. Watch this page or our press releases for announcements regarding the availability of the product. To participate in the beta program please contact us from your corporate email account. Requests from non-corporate addresses will be ignored.

Just saw that, too bad... so does this mean that it's not available for personal and home use?
 

ZeroVulnLabs

New Member
Sep 29, 2012
15
arsenaloyal said:
Just saw that, too bad... so does this mean that it's not available for personal and home use?
It might still be a few months until we open the ExploitShield Corporate Edition beta program. Send us an email to info@ from your corporate mailbox if you want to be on the list.
 

arsenaloyal

Level 3
Verified
Aug 6, 2012
354
InternetChicken said:
Hi ZeroVulnLabs
Question Any issue with ExploitShield Browser Edition and Sandboxie ?

I use Sandboxie, but using Sandboxie would make ExploitShield redundant if I am not mistaken, as a sandboxed browser would contain that specific exploit... although not detect or block it.
 

arsenaloyal

Level 3
Verified
Aug 6, 2012
354
ZeroVulnLabs said:
arsenaloyal said:
Just saw that, too bad... so does this mean that it's not available for personal and home use?
It might still be a few months until we open the ExploitShield Corporate Edition beta program. Send us an email to info@ from your corporate mailbox if you want to be on the list.

Okies, will do that next week.
 

Littlebits

Retired Staff
May 3, 2011
3,893
ZeroVulnLabs said:
Littlebits said:
I went into the forum to test the URLs, the latest 120928 Exploit Kit URLs are all already blocked by Avast, most are also blocked by Google Chrome and Firefox.
Thanks for testing!

Avast and Chrome are blocking those URLs by blacklisting the URL itself as those URLs are normally already 24 hours or older. One way of testing is to disable the URL blacklisting features of your other security programs so you can allow the browser to hit the exploit. Then you will see how ExploitShield behaves against exploits.

We add new URLs normally on a daily basis but mostly on a "whenever-we-get-some-spare-time" basis which is not very often.


InternetChicken said:
Hi ZeroVulnLabs
Question Any issue with ExploitShield Browser Edition and Sandboxie ?
We haven't tried it, but if you do please post your findings!



The main problem with Exploit Shield is it will have to offer something unique. If your browser and/or AV can already block exploits, there really isn't anything to benefit from using it. Blacklisting URLs is actually very effective, probably the best option instead of trying to just block the exploit in general.

Google Safe Browsing, which is used in both Google Chrome and Mozilla products, has a huge blocklist. Microsoft SmartScreen Filter on Internet Explorer has made huge improvements as well. Opera's Fraud and Malware Protection is also very good. Not to mention all of the available browser extensions which can block exploits.

Unless you can provide URLs with exploits that are not blocked by these other means and can be blocked by Exploit Shield, there really is no proof that it will be beneficial to users.

Good day.:D
 

InternetChicken

New Member
Jul 16, 2012
519
Google Safe Browsing, which is used in both Google Chrome and Mozilla products, has a huge blocklist. Microsoft SmartScreen Filter on Internet Explorer has made huge improvements as well. Opera's Fraud and Malware Protection is also very good. Not to mention all of the available browser extensions which can block exploits.

Unless you can provide URLs with exploits that are not blocked by these other means and can be blocked by Exploit Shield, there really is no proof that it will be beneficial to users.

Well, Littlebits has put the brick through the window with that one :+1:
Having that issue with Firefox: had to turn off everything in the security tab and disable all security and privacy add-ons,
then went malware hunting to see if I could get a hit out of Exploit Shield, and no, not a peep.
 

ZeroVulnLabs

New Member
Sep 29, 2012
15
Littlebits said:
The main problem with Exploit Shield is it will have to offer something unique. If your browser and/or AV can already block exploits, there really isn't anything to benefit from using it.
You are mistaken. Neither AV nor browser provides exploit blocking. They provide blacklisting-based URL blocking, which is extremely different. Confusing both would be a big mistake. Blacklisting relies on previous knowledge and analysis of a URL's maliciousness before it is added to the blacklist. This means a few patient zero infections, time wasted on the URL discovery, time wasted on the URL analysis and time wasted on the blacklisting signature being published.

EDIT: it's actually very easy to test if you keep a watch out on MDL or similar sites for new "exploit kit" URLs being published. Also you can use Metasploit to test the same exploits that exploit kits such as Blackhole use.
 
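The distinction argued in this exchange (URL blacklisting versus exploit blocking) can be made concrete with a small model of how a Safe Browsing style client matches URLs. This is an added example written for this page, not code from ZeroVulnLabs, Google or any browser: it implements a simplified version of the documented Safe Browsing lookup (canonicalise the URL, expand it into host-suffix/path-prefix expressions, compare SHA-256 hash prefixes against a local list). The hostnames example.net and example.org and the kit paths are constructed for the demo. It shows both sides of the argument: a list entry keyed on a directory still catches a landing page whose filename has been rotated, but nothing on the list helps until someone has already reported the host, which is the patient-zero window.

```python
import hashlib
from typing import Optional
from urllib.parse import urlsplit, unquote


def canonicalize(url: str) -> tuple:
    """Simplified Safe Browsing canonicalisation (added example, not Google's code).

    Returns (host, path_with_query). The fragment is dropped, the host is
    lowercased and stripped of leading/trailing dots, '.' and '..' path
    segments are resolved and percent-encoding is decoded once.
    """
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)                     # hostname is lowercased, port removed
    host = (parts.hostname or "").strip(".")
    while ".." in host:
        host = host.replace("..", ".")
    segs = []
    for seg in unquote(parts.path or "/").split("/")[1:]:
        if seg == "..":
            if segs:
                segs.pop()
        elif seg != ".":
            segs.append(seg)
    path = "/" + "/".join(segs)
    if parts.query:
        path += "?" + parts.query
    return host, path


def lookup_expressions(url: str) -> list:
    """Host-suffix / path-prefix expressions a Safe Browsing client looks up.

    Up to five host strings (exact host plus 5..2 trailing labels) combined with
    the exact path+query, the path alone, and up to four directory prefixes.
    """
    host, path_q = canonicalize(url)
    labels = host.split(".")
    hosts = [host]
    for n in range(min(len(labels), 5), 1, -1):   # 5..2 trailing labels
        suffix = ".".join(labels[-n:])
        if suffix != host:
            hosts.append(suffix)
    path = path_q.split("?", 1)[0]
    paths = [path_q] if path == path_q else [path_q, path]
    dirs = path.split("/")[1:-1]                  # directory components only
    for i in range(0, min(len(dirs), 3) + 1):     # "/", "/a/", "/a/b/", "/a/b/c/"
        prefix = "/" + "".join(d + "/" for d in dirs[:i])
        if prefix not in paths:
            paths.append(prefix)
    return [h + p for h in hosts for p in paths]


class HashBlocklist:
    """Local list of SHA-256 hashes of expressions, matched by 4-byte prefix
    first (as the real client does) and then by the full hash."""

    def __init__(self, entries):
        self.full = {hashlib.sha256(e.encode()).digest() for e in entries}
        self.prefixes = {h[:4] for h in self.full}

    def match(self, url: str) -> Optional[str]:
        """Return the listed expression that covers url, or None if unlisted."""
        for expr in lookup_expressions(url):
            h = hashlib.sha256(expr.encode()).digest()
            if h[:4] in self.prefixes and h in self.full:
                return expr
        return None


if __name__ == "__main__":
    # Constructed demo data: a kit landing page first seen at one URL, then rotated.
    exact_only = HashBlocklist(["example.net/kit/landing.php?id=1"])
    dir_level = HashBlocklist(["example.net/kit/"])
    rotated = "http://EXAMPLE.net/kit/./x/../a9f3.php?id=7#frag"
    fresh_host = "http://example.org/kit/landing.php?id=1"   # never reported yet
    for name, bl in (("exact-URL list", exact_only), ("directory list", dir_level)):
        print(f"{name}: rotated -> {bl.match(rotated)}, fresh host -> {bl.match(fresh_host)}")
```

Running it shows the exact-URL list missing the rotated filename while the directory entry still matches, and both lists missing the host that nobody has reported yet. That second result is the gap ZeroVulnLabs is pointing at: the list is only as good as what has already been discovered, analysed and published.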

Littlebits

Retired Staff
May 3, 2011
3,893
ZeroVulnLabs said:
Littlebits said:
The main problem with Exploit Shield is it will have to offer something unique. If your browser and/or AV can already block exploits, there really isn't anything to benefit from using it.
You are mistaken. Neither AV nor browser provides exploit blocking. They provide blacklisting-based URL blocking, which is extremely different. Confusing both would be a big mistake. Blacklisting relies on previous knowledge and analysis of a URL's maliciousness before it is added to the blacklist. This means a few patient zero infections, time wasted on the URL discovery, time wasted on the URL analysis and time wasted on the blacklisting signature being published.

EDIT: it's actually very easy to test if you keep a watch out on MDL or similar sites for new "exploit kit" URLs being published. Also you can use Metasploit to test the same exploits that exploit kits such as Blackhole use.

Well here is another problem, if an advanced user can not find a zero day exploit on a webpage when browsing then what are the odds that a novice user might accidentally visit that site?

Many of the URLs on MDL only have direct links to the download, not the website where the files came from. It is unknown if they even exist in the wild other than listed on MDL. Another problem, MDL has a lot of false positives, the malware is not verified. I have downloaded files from there before that were harmless files digitally signed by trusted vendors like Microsoft. I even executed them and they were programs like Microsoft Calculator, Microsoft Games and other trusted programs. A full scan with several scanners revealed no infections after running them. The EXEs were renamed to make them look dangerous.

It makes me wonder if users upload the malware links to create paranoia.

So I don't personally trust MDL. Google Chrome and Firefox usually block the latest URLs anyway. Others are blocked by Avast, I just checked the most recent and all are already blocked.

It makes no difference how the exploits get blocked as long as they are blocked. If the website link cannot load then the exploit cannot function.

And yes browsers do have extensions that can disable flash, Java, scripts, iFrames, etc. and provide exploit protection.

Thanks.:D
 
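A quick triage step for the renamed, digitally signed samples described in the post above: check whether a PE file actually carries an Authenticode signature blob before running it. This is an added example, not anything from MDL or from the thread. `authenticode_info` parses only the PE headers (the security data directory, entry 4, which holds a raw file offset rather than an RVA) and `build_minimal_pe` constructs header-only sample files so the code runs offline; both names and the sample layout are this example's own. Presence of a blob says nothing about whether the signature verifies; chain validation still needs signtool or Get-AuthenticodeSignature. Renaming a signed binary does not break its signature, since the Authenticode hash covers the file contents and not its name, which fits what Littlebits observed.

```python
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData
SECURITY_DIR_INDEX = 4                    # IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_info(data: bytes) -> dict:
    """Locate the Authenticode certificate table of an in-memory PE image.

    Header parsing only: reports whether a signature *blob* is attached and
    what kind it is. It does NOT validate the signature or the chain.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:
        fmt, nrva_off, dirs_off = "PE32", 92, 96
    elif magic == 0x20B:
        fmt, nrva_off, dirs_off = "PE32+", 108, 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (n_dirs,) = struct.unpack_from("<I", data, opt + nrva_off)  # NumberOfRvaAndSizes
    info = {"format": fmt, "signed": False, "cert_type": None, "cert_size": 0}
    if n_dirs <= SECURITY_DIR_INDEX or dirs_off + 8 * (SECURITY_DIR_INDEX + 1) > opt_size:
        return info
    va, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * SECURITY_DIR_INDEX)
    if va == 0 or size == 0:
        return info
    # Unlike every other directory, the security entry is a FILE offset, not an RVA.
    if size < 8 or va + size > len(data):
        raise ValueError("security directory points outside the file")
    length, revision, cert_type = struct.unpack_from("<IHH", data, va)  # WIN_CERTIFICATE
    info.update(signed=True, cert_type=cert_type, cert_size=length, cert_revision=revision)
    return info


def build_minimal_pe(pe32plus: bool, signed: bool) -> bytes:
    """Constructed sample: a header-only PE (not loadable) with or without a
    WIN_CERTIFICATE appended. Exists only so the parser can be exercised offline."""
    opt_size = 240 if pe32plus else 224
    magic = 0x20B if pe32plus else 0x10B
    nrva_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, nrva_off, 16)                   # NumberOfRvaAndSizes
    headers = bytes(dos) + b"PE\0\0" + coff
    body = b"\0" * 16                                           # stand-in for sections
    cert = b""
    if signed:
        payload = b"\x30\x82\x00\x00" + b"\0" * 12               # stand-in for PKCS#7 DER
        cert = struct.pack("<IHH", 8 + len(payload), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        cert_off = len(headers) + opt_size + len(body)
        struct.pack_into("<II", opt, dirs_off + 8 * SECURITY_DIR_INDEX, cert_off, len(cert))
    return headers + bytes(opt) + body + cert


if __name__ == "__main__":
    for plus in (False, True):
        for signed in (False, True):
            print(authenticode_info(build_minimal_pe(plus, signed)))
```

To use it on a real download, read the file into `data` and call `authenticode_info(data)`; a `signed` result of True only tells you a PKCS#7 blob is attached, so treat it as a prompt to run proper signature verification, not as a verdict.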

ZeroVulnLabs

New Member
Sep 29, 2012
15
Littlebits said:
Well here is another problem, if an advanced user can not find a zero day exploit on a webpage when browsing then what are the odds that a novice user might accidentally visit that site?
Actually advanced users are less likely to encounter an exploit which bypasses protection since they usually have much more updated software components (less vulnerabilities) and many more security layers.

Littlebits said:
It makes me wonder if users upload the malware links to create paranoia.
Wow, you would think that someone in a forum where security-conscious users constantly upload undetected malware and malicious URLs which have low detection by traditional blacklisting security would know better. Ironic, isn't it?

Littlebits said:
And yes browsers do have extensions that can disable flash, Java, scripts, iFrames, etc. and provide exploit protection.
Those are not anti-exploit techniques, those are feature/functionality limitations, and the vast majority of regular, non computer-savvy users don't use them because they are not install-and-forget.
 

arsenaloyal

Level 3
Verified
Aug 6, 2012
354
I can actually foresee something like this replacing antivirus, the one that protects from app-based exploits, not just browser-based. Just add whitelisting capabilities to this and you will not need an antivirus!

Most of the Windows-based malware these days comes from third-party exploits.
 

ZeroVulnLabs

New Member
Sep 29, 2012
15
Regarding testing with live URLs, we've added a "tips for testing exploit kits" post:
http://www.zerovulnerabilitylabs.com/forum/viewtopic.php?f=14&t=49

Also the latest entry of URLs (121002 Exploit Kit URLs) is the sum total of all active URLs that we have, instead of only the incremental. So you can see quite a lot of URLs here for testing a variety of different exploits, although most of them are Blackhole EK 2.0.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
Found link on MDL:

[attached screenshot]

Paste & Go link into Chrome:

[attached screenshot]

Proceed anyway (1st & 2nd attempt at the link showed Chrome: Do you want to install a missing plugin, i.e. Java):

[attached screenshot]

PS: This is not a test. I do not have Java installed, but even if I were to have Java installed, Google Safe Browsing would have stopped me.

It is an interesting idea, but what about using Secunia PSI to keep software updated to prevent most exploits from occurring?

Is ExploitShield targeted at more for Corporate environments rather than general consumer users? And would ExploitShield protect Mac and Linux users too, say in a future release?

I'm still unsure if I should try ExploitShield. :huh:
 


ZeroVulnLabs

New Member
Sep 29, 2012
15
Earth said:
It is an interesting idea, but what about using Secunia PSI to keep software updated to prevent most exploits from occurring?

Is ExploitShield targeted at more for Corporate environments rather than general consumer users? And would ExploitShield protect Mac and Linux users too, say in a future release?
Yes you should use Secunia or something similar to keep all your software up-to-date and also an up-to-date AV to reduce the infection risk. ExploitShield is by no means a replacement for keeping your software up-to-date.

However there are 0-day exploits out there that exploit fully patched and fully up-to-date systems. This is not uncommon at all. Remember the handful of Internet Explorer and Java zero-day vulnerabilities lately?

Also you might be an advanced user, but regular users don't use Secunia, NoScript and those types of things, and are at a much higher risk of infection.
 

Littlebits

Retired Staff
May 3, 2011
3,893
ExploitShield could be beneficial to users who don't use browser extensions, have disabled their browser protection features or ignore warnings, don't keep their software updated and don't have a good AV installed and updated.

Otherwise users who are more aware of keeping their software updated, using their browser protection features and added extensions plus a good AV, probably would not benefit from using ExploitShield.

Like I said, I have everything updated and my browsers and Avast blocked all of the MDL links. I couldn't find one single exploit that could successfully function after searching all over the web.

Good day.:D
 

arsenaloyal

Level 3
Verified
Aug 6, 2012
354
The problem with traditional AVs is the same: it relies on blacklisting. Perhaps this version of ExploitShield (only browser-based) might be covered by AV, but actual application-based exploits are rarely blocked or even detected by traditional AVs.

From my point of view, software like this could actually replace a traditional AV if it's coupled with something like an anti-executable! And perhaps if they throw in something like an auto-updater for all the software on your PC (something like Secunia and, more recently, VIPRE 2013!) then I would seriously give them a chance; something worth keeping an eye out for!
 
